CVE-2025-54422: CWE-312: Cleartext Storage of Sensitive Information in sandboxie-plus Sandboxie

Medium
Published: Tue Jul 29 2025 (07/29/2025, 12:47:50 UTC)
Source: CVE Database V5
Vendor/Project: sandboxie-plus
Product: Sandboxie

Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox creation, user passwords are transmitted via shared memory, exposing them to potential interception. The vulnerability is particularly severe during password modification operations, where both old and new passwords are passed as plaintext command-line arguments to the Imbox process without any encryption or obfuscation. This implementation flaw allows any process within the user session, including unprivileged processes, to retrieve these sensitive credentials by reading the command-line arguments, thereby bypassing standard privilege requirements and creating a significant security risk. This is fixed in version 1.16.2.

AI-Powered Analysis

AI analysis last updated: 07/29/2025, 13:33:06 UTC

Technical Analysis

CVE-2025-54422 is a medium-severity vulnerability affecting Sandboxie, a sandbox-based isolation software used on 32-bit and 64-bit Windows NT operating systems. The vulnerability exists in versions prior to 1.16.2 and relates to insecure handling of user passwords during sandbox creation and modification. Specifically, during encrypted sandbox creation, user passwords are transmitted via shared memory without adequate protection, making them susceptible to interception by other processes running in the same user session. More critically, during password modification operations, both the old and new passwords are passed as plaintext command-line arguments to the Imbox process. Since command-line arguments are accessible to any process within the user session, including unprivileged ones, this flaw allows attackers to bypass privilege boundaries and retrieve sensitive credentials without authentication or user interaction. The vulnerability encompasses multiple CWE categories: CWE-312 (Cleartext Storage of Sensitive Information), CWE-322 (Key Exchange without Encryption), CWE-497 (Exposure of Sensitive Information to an Unauthorized Actor), and CWE-522 (Insufficiently Protected Credentials). Although no known exploits are reported in the wild, the vulnerability poses a significant risk of credential exposure and potential lateral movement within affected systems. The issue is resolved in Sandboxie version 1.16.2 by implementing proper encryption and obfuscation mechanisms for password handling.
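The weak pattern at the heart of this advisory is a parent process handing secrets to a helper through its command line, where every process in the session can read them. The following is an added illustration, not Sandboxie or Imbox code: it builds the argument vector both ways, runs a small constructed stand-in child that accepts the passwords over a private stdin pipe instead, and includes an audit helper that flags secrets appearing verbatim in argv. The child script, the function names and the sample passwords are all assumptions made for the example.

```python
# Added example (not Sandboxie code): contrast the weak pattern the advisory
# describes, secrets passed as command-line arguments, with a hardened pattern
# that hands them to the child over a private stdin pipe.
import subprocess
import sys

# Constructed stand-in for the child process (the real Imbox helper is not
# reproduced here). It reads both passwords from stdin, never from argv.
CHILD_CODE = r"""
import sys
lines = sys.stdin.read().splitlines()
old_pw, new_pw = (lines + ["", ""])[:2]
print("ok" if old_pw and new_pw else "fail")
"""


def argv_insecure(old_pw: str, new_pw: str) -> list:
    """Weak pattern: both secrets become argv entries of the child.

    The command line of a process is readable by other processes in the
    same session, which is exactly the exposure the advisory describes.
    """
    return [sys.executable, "-c", "pass", old_pw, new_pw]


def argv_hardened() -> list:
    """Hardened pattern: argv carries only non-secret data."""
    return [sys.executable, "-c", CHILD_CODE]


def secrets_in_argv(argv, *secrets) -> bool:
    """Audit helper: True if any secret appears verbatim as an argument."""
    return any(secret in argv for secret in secrets)


def change_password_hardened(old_pw: str, new_pw: str) -> str:
    """Spawn the child with the secrets delivered over its stdin pipe.

    The pipe handle is inherited only by the child, so the secrets never
    appear in any process's command line. Returns the child's verdict.
    """
    proc = subprocess.run(
        argv_hardened(),
        input=f"{old_pw}\n{new_pw}\n",
        capture_output=True,
        text=True,
        check=True,
    )
    return proc.stdout.strip()


if __name__ == "__main__":
    sample_old, sample_new = "old-pw", "new-pw"  # constructed sample values
    print("insecure argv leaks secrets:",
          secrets_in_argv(argv_insecure(sample_old, sample_new), sample_old, sample_new))
    print("hardened argv leaks secrets:",
          secrets_in_argv(argv_hardened(), sample_old, sample_new))
    print("hardened child result:", change_password_hardened(sample_old, sample_new))
```

The audit helper is the useful piece for a code review: any call site where `secrets_in_argv` would return True is a candidate for the same class of defect. Note that this example only addresses the command-line path; the shared-memory path used during sandbox creation needs its own protection (a mapping not readable by other processes), which is out of scope here.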

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive credentials used to protect sandbox environments. Since Sandboxie is often employed to isolate potentially unsafe applications and prevent malware from affecting the host system, compromise of sandbox passwords could allow attackers to escape sandbox restrictions or gain elevated access within user sessions. This could facilitate lateral movement, data exfiltration, or deployment of persistent malware. The risk is heightened in environments where multiple users share the same workstation or where unprivileged processes are common, such as in enterprise desktops or development environments. Although the vulnerability requires local access to the user session, the ease of exploitation without authentication or user interaction increases the threat level. European organizations relying on Sandboxie for endpoint security or application isolation should consider this vulnerability a significant risk to confidentiality and integrity of their systems.

Mitigation Recommendations

European organizations should immediately upgrade all Sandboxie installations to version 1.16.2 or later to ensure the vulnerability is patched. Until upgrades are complete, restrict access to user sessions and limit the execution of untrusted or unprivileged processes that could attempt to read command-line arguments or shared memory. Employ endpoint detection and response (EDR) solutions to monitor for suspicious process behavior indicative of credential harvesting. Additionally, implement strict user session isolation policies and consider using alternative sandboxing solutions with stronger credential handling if immediate patching is not feasible. Regularly audit sandbox configurations and password management practices to ensure no plaintext credentials are exposed. Finally, educate users and administrators about the risks of running untrusted code within sandbox environments and the importance of timely patching.

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-21T23:18:10.281Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6888c9f6ad5a09ad008de592

Added to database: 7/29/2025, 1:17:42 PM

Last enriched: 7/29/2025, 1:33:06 PM

Last updated: 7/30/2025, 12:34:39 AM
