CVE-2025-50505 is a local privilege escalation vulnerability affecting Clash Verge software versions through 2.2.3, resolved in version 2.3.0. Clash Verge installs a system-level service named clash-verge-service by default, which exposes an unauthorized HTTP API endpoint `/start_clash` accessible only locally. This endpoint accepts a parameter called bin_path, which specifies a binary path that the service executes without sufficient validation or sanitization. Because the service runs with elevated privileges, a local attacker can exploit this flaw by submitting a crafted bin_path to execute arbitrary code with higher privileges. This vulnerability is categorized under CWE-250 (Execution with Unnecessary Privileges), highlighting improper privilege management. The CVSS 3.1 base score of 7.8 reflects high severity due to the combination of local attack vector, low complexity, no user interaction, and high impact on confidentiality, integrity, and availability. While no public exploits have been reported, the vulnerability poses a significant risk in environments where local user accounts are not tightly controlled. The flaw underscores the risk of exposing powerful service APIs without authentication or input validation, enabling privilege escalation on affected systems.

For European organizations, this vulnerability could lead to unauthorized privilege escalation on systems running vulnerable versions of Clash Verge, potentially allowing attackers to gain administrative control. This can result in data breaches, unauthorized system modifications, and disruption of critical services. Organizations in sectors such as finance, healthcare, and critical infrastructure that rely on Clash Verge for network or application management may face increased risk of insider threats or lateral movement by attackers who have gained local access. The vulnerability’s local nature limits remote exploitation but does not eliminate risk in environments with multiple users or where attackers can gain initial footholds through other means. The high impact on confidentiality, integrity, and availability means that exploitation could compromise sensitive data, disrupt operations, and undermine trust in affected systems. European entities with less stringent local user controls or legacy deployments of Clash Verge are particularly vulnerable.

European organizations should immediately upgrade Clash Verge to version 2.3.0 or later, where this vulnerability is fixed. Until upgrading, restrict local user access to systems running vulnerable versions to trusted personnel only. Disable or firewall local HTTP API endpoints such as `/start_clash` to prevent unauthorized local access. Implement strict application whitelisting and monitoring to detect unusual execution of binaries initiated by the clash-verge-service. Conduct regular audits of installed services and their exposed interfaces to identify unauthorized or insecure configurations. Employ endpoint detection and response (EDR) solutions to monitor for suspicious privilege escalation attempts. Additionally, enforce the principle of least privilege for all local accounts and consider using containerization or sandboxing to limit the impact of potential exploits. Finally, maintain up-to-date asset inventories to quickly identify and remediate vulnerable installations.