CVE-2025-50505: n/a
Clash Verge Rev through 2.2.3 forces the installation of a system service (clash-verge-service) by default and exposes key functions through the unauthorized HTTP API `/start_clash`, allowing local users to submit arbitrary bin_path parameters that are passed directly to the service process for execution, resulting in local privilege escalation.
AI Analysis
Technical Summary
CVE-2025-50505 affects Clash Verge Rev, a desktop proxy client, in versions through 2.2.3. The installer sets up a privileged system service, clash-verge-service, by default, and that service exposes a local HTTP API whose `/start_clash` endpoint performs no authorization check. The endpoint takes a `bin_path` parameter that the service hands straight to process execution, so any local user who can reach the listener can name an executable of their choosing and have the service, not the caller, run it. Because the service runs with system privileges, the named executable inherits them: the attack reduces to a single unauthenticated HTTP request and needs no interaction from a victim or an administrator. The root cause is twofold: the API does not authenticate its caller, and it does not verify that `bin_path` points at the core binary the service was installed to manage. The advisory describes only a local vector; no remote exploitation is claimed. At the time of this entry no CVSS score has been assigned, no public exploit has been reported, and no patch reference is listed, so fix status should be confirmed against the vendor's releases rather than assumed. Every installation through 2.2.3 is affected regardless of configuration, because the service is installed by default. The realistic attacker is a malicious insider or an adversary who already holds a low-privileged foothold on the host and uses this bug to take it over completely.
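The two request handlers below, written for this page as an added illustration and not taken from the Clash Verge Rev or clash-verge-service code base, contrast the behaviour the advisory describes with a hardened version. Only the `/start_clash` endpoint and the `bin_path` parameter come from the advisory; the request fields `config_file` and `auth_token`, the core binary name `verge-core`, the shared-token scheme and the install-directory policy are assumptions made for the example, and the advisory does not say how the vendor's eventual fix is implemented. Commands are returned unspawned so the example runs safely; the real service would call `.spawn()` on them.

```rust
use std::fs;
use std::path::PathBuf;
use std::process::Command;

/// What the service decodes from a /start_clash request. `bin_path` is the
/// parameter named in the advisory; the other two fields are assumptions.
#[derive(Debug, Clone)]
pub struct StartRequest {
    pub bin_path: String,
    pub config_file: String,
    pub auth_token: Option<String>,
}

/// Vulnerable shape: the caller-supplied path becomes the program the
/// privileged service runs. Nothing checks who is asking or what the path is.
pub fn start_clash_vulnerable(req: &StartRequest) -> Command {
    let mut cmd = Command::new(&req.bin_path);
    cmd.arg("-f").arg(&req.config_file);
    cmd
}

#[derive(Debug, PartialEq, Eq)]
pub enum PolicyError {
    Unauthorized,
    NotAFile,
    OutsideInstallDir,
    NameNotAllowed,
}

/// Hardening policy (assumed values): `install_dir` is writable only by the
/// privileged installer, `allowed_names` lists the core binaries the service
/// may launch, `shared_secret` is a token only the legitimate client holds.
pub struct Policy {
    pub install_dir: PathBuf,
    pub allowed_names: Vec<String>,
    pub shared_secret: Vec<u8>,
}

/// Length check then XOR-accumulate, so a wrong token does not leak how many
/// leading bytes matched through timing.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Hardened check: authenticate first, then accept only an existing regular
/// file whose canonical location is inside `install_dir` and whose file name
/// is allowlisted. Canonicalising defeats symlinks and `..` segments.
pub fn validate_bin_path(policy: &Policy, req: &StartRequest) -> Result<PathBuf, PolicyError> {
    let token = req.auth_token.as_deref().unwrap_or("");
    if !constant_time_eq(token.as_bytes(), &policy.shared_secret) {
        return Err(PolicyError::Unauthorized);
    }
    let resolved = fs::canonicalize(&req.bin_path).map_err(|_| PolicyError::NotAFile)?;
    if !resolved.is_file() {
        return Err(PolicyError::NotAFile);
    }
    let install = fs::canonicalize(&policy.install_dir).map_err(|_| PolicyError::OutsideInstallDir)?;
    if !resolved.starts_with(&install) {
        return Err(PolicyError::OutsideInstallDir);
    }
    let name = resolved.file_name().and_then(|n| n.to_str()).ok_or(PolicyError::NameNotAllowed)?;
    if !policy.allowed_names.iter().any(|n| n == name) {
        return Err(PolicyError::NameNotAllowed);
    }
    Ok(resolved)
}

/// Hardened shape: the Command is built only from a path that passed policy.
pub fn start_clash_hardened(policy: &Policy, req: &StartRequest) -> Result<Command, PolicyError> {
    let bin = validate_bin_path(policy, req)?;
    let mut cmd = Command::new(bin);
    cmd.arg("-f").arg(&req.config_file);
    Ok(cmd)
}

/// Constructed fixture: an "install" directory holding the expected core and
/// an "attacker" directory holding a same-named impostor. The placeholder
/// files are never executed. Returns (policy, legitimate request, attacker
/// request, base directory to clean up).
pub fn demo_setup(tag: &str, secret: &str) -> (Policy, StartRequest, StartRequest, PathBuf) {
    let base = std::env::temp_dir().join(format!("cve-2025-50505-{}-{}", tag, std::process::id()));
    let install = base.join("install");
    let attacker = base.join("attacker");
    fs::create_dir_all(&install).expect("create install dir");
    fs::create_dir_all(&attacker).expect("create attacker dir");
    fs::write(install.join("verge-core"), b"#!/bin/sh\nexit 0\n").expect("write core");
    fs::write(attacker.join("verge-core"), b"#!/bin/sh\nexit 0\n").expect("write impostor");
    let policy = Policy {
        install_dir: install.clone(),
        allowed_names: vec!["verge-core".to_string()],
        shared_secret: secret.as_bytes().to_vec(),
    };
    let legit = StartRequest {
        bin_path: install.join("verge-core").to_string_lossy().into_owned(),
        config_file: "config.yaml".to_string(),
        auth_token: Some(secret.to_string()),
    };
    let evil = StartRequest {
        bin_path: attacker.join("verge-core").to_string_lossy().into_owned(),
        ..legit.clone()
    };
    (policy, legit, evil, base)
}

fn main() {
    let (policy, legit, evil, base) = demo_setup("demo", "demo-secret");
    // The vulnerable handler happily prepares to run the attacker's file as the service.
    println!("vulnerable would run: {:?}", start_clash_vulnerable(&evil).get_program());
    // The hardened handler runs the shipped core and rejects everything else.
    println!("hardened, legit: {:?}", start_clash_hardened(&policy, &legit).map(|c| c.get_program().to_owned()));
    println!("hardened, evil:  {:?}", start_clash_hardened(&policy, &evil).map(|c| c.get_program().to_owned()));
    let _ = fs::remove_dir_all(base);
}
```

The check order matters: authentication comes before any filesystem lookup so an unauthenticated caller learns nothing about the host from error responses. Note that `config_file` is still caller-supplied in both handlers; what a proxy core does with an untrusted configuration is outside this advisory's scope but deserves the same scrutiny.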
Potential Impact
For European organizations the risk is local privilege escalation leading to full compromise of the affected host. Any user or process with local access, including a low-privileged account an attacker has already compromised, can gain system-level control, bypass host security controls, read data belonging to other users and disrupt services. The exposure is greatest on shared or multi-user systems and on hosts where local accounts are loosely managed. Critical infrastructure operators, public-sector bodies and enterprises with Clash Verge on workstations or servers should treat affected hosts as one step from full compromise. The absence of a public exploit lowers the immediate likelihood but not the severity: the required request is simple, and the advisory names the endpoint and parameter an attacker needs. The local-only vector rules out direct remote exploitation but does nothing against insiders or against attackers chaining this bug after an initial compromise.
Mitigation Recommendations
European organizations should inventory hosts for Clash Verge Rev at or below 2.2.3 and for the clash-verge-service service or daemon. Where the software is not needed, uninstall it, including the service, to remove the attack surface. Where it is needed, apply the vendor's fix as soon as one is published; no patch reference is listed in this entry, so check the project's release notes directly. Two of the usual interim controls have limits worth understanding: the endpoint is a local HTTP listener, so file or account permissions do not gate access to it, and a host firewall rule blocking requests to `/start_clash` would also block the legitimate client that depends on the same service. Stopping or disabling the service until a fixed build is installed is the interim control that actually removes the exposure, possibly at the cost of client functionality. For detection, watch the service process for child processes that are not the expected core binary, and alert on any process the service starts from a user-writable location such as a home directory or a temp folder. Application allowlisting that restricts what the service may execute is a compensating control where it is already deployed. Keep local account management tight, treat the issue as an insider-threat scenario in awareness work, and add it to incident response playbooks so a detection can be contained quickly.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-06-16T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68e51d0ca677756fc9911211
Added to database: 10/7/2025, 2:00:44 PM
Last enriched: 10/7/2025, 2:15:46 PM
Last updated: 10/9/2025, 2:34:54 PM
Views: 17