CVE-2025-50505 is a vulnerability affecting Clash Verge Rev versions up to 2.2.3, where the software forcibly installs a system service named clash-verge-service by default. This service exposes an unauthorized HTTP API endpoint `/start_clash` that allows local users to submit arbitrary `bin_path` parameters. These parameters are passed directly to the service process for execution without proper validation or authorization checks, leading to local privilege escalation. The vulnerability stems from improper access control and unsafe handling of input parameters (classified under CWE-250: Execution with Unnecessary Privileges). The CVSS 3.1 base score is 7.8, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality, integrity, and availability (C:H/I:H/A:H). Exploiting this flaw allows a local attacker to execute arbitrary binaries with elevated privileges, potentially compromising the entire system. Although no public exploits have been reported, the lack of patches and the default enabling of the vulnerable service increase the risk. This vulnerability is particularly critical in environments where multiple users have local access or where the service runs on shared or multi-tenant systems.

For European organizations, this vulnerability poses significant risks, especially in sectors where Clash Verge is deployed on multi-user systems or critical infrastructure. Successful exploitation can lead to full system compromise, data breaches, unauthorized access to sensitive information, and disruption of services. The ability to escalate privileges locally can facilitate lateral movement within networks and undermine endpoint security. Organizations in finance, healthcare, government, and industrial control systems could face severe operational and reputational damage. Additionally, the vulnerability could be leveraged in targeted attacks or insider threat scenarios. The absence of a patch and the default installation of the vulnerable service increase the urgency for mitigation. Given the high confidentiality, integrity, and availability impact, European entities must assess their exposure and implement controls promptly.

1. Immediately audit all systems running Clash Verge Rev up to version 2.2.3 to identify vulnerable installations. 2. Disable or uninstall the clash-verge-service system service if it is not essential for operations. 3. Restrict local user permissions to prevent unauthorized access to the HTTP API endpoint `/start_clash`. 4. Employ application whitelisting to control which binaries can be executed by the service process. 5. Monitor local system logs and network traffic for suspicious activity related to the `/start_clash` endpoint or unexpected binary executions. 6. Implement strict local user access controls and limit the number of users with local access rights. 7. Engage with the vendor or community to obtain patches or updates addressing this vulnerability as soon as they become available. 8. Consider deploying endpoint detection and response (EDR) solutions capable of detecting privilege escalation attempts. 9. Conduct user awareness training to reduce insider threat risks. 10. For critical environments, consider isolating vulnerable systems until remediation is complete.