
CVE-2025-57625: n/a

High
Published: Tue Sep 16 2025 (09/16/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

CYRISMA Sensor before 444 for Windows has an Insecure Folder and File Permissions vulnerability. A low-privileged user can abuse these issues to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM by replacing DataSpotliteAgent.exe or any other binaries called by the Cyrisma_Agent service when it starts.

AI-Powered Analysis

AI analysis last updated: 09/24/2025, 01:10:32 UTC

Technical Analysis

CVE-2025-57625 is a high-severity vulnerability affecting CYRISMA Sensor versions prior to 444 on Windows platforms. The core issue stems from insecure folder and file permissions that allow a low-privileged user to escalate their privileges to SYSTEM level. Specifically, the vulnerability arises because critical binaries such as DataSpotliteAgent.exe, or other executables invoked by the Cyrisma_Agent service during startup, reside in locations with improperly set permissions. This misconfiguration enables an attacker with limited access to replace or modify these binaries. Upon service startup, the maliciously replaced executable runs with NT AUTHORITY\SYSTEM privileges, granting the attacker full control over the affected system. The vulnerability is categorized under CWE-276 (Incorrect Default Permissions), highlighting the root cause as improper permission settings. The CVSS v3.1 base score of 8.8 reflects the vulnerability's high impact on confidentiality, integrity, and availability, with an attack vector that is network accessible, requires low privileges, and no user interaction. Although no known exploits are currently reported in the wild, the ease of exploitation and potential for full system compromise make this a critical concern for organizations using CYRISMA Sensor on Windows.

Potential Impact

For European organizations, the impact of CVE-2025-57625 could be severe. CYRISMA Sensor is typically deployed in enterprise environments for endpoint detection and response, meaning it often runs with elevated privileges and monitors critical systems. Exploitation of this vulnerability would allow attackers to gain SYSTEM-level access, enabling them to execute arbitrary code, move laterally within networks, exfiltrate sensitive data, or disrupt operations. This could lead to breaches of personal data protected under GDPR, resulting in regulatory fines and reputational damage. Additionally, critical infrastructure sectors such as finance, healthcare, and manufacturing that rely on CYRISMA Sensor for security monitoring could face operational disruptions or targeted attacks. The vulnerability's network attack vector and lack of required user interaction increase the risk of automated or remote exploitation, potentially affecting large numbers of systems rapidly.

Mitigation Recommendations

To mitigate CVE-2025-57625, organizations should immediately audit and correct the permissions on folders and files associated with CYRISMA Sensor, especially those containing DataSpotliteAgent.exe and other binaries executed by the Cyrisma_Agent service. Permissions should be restricted to trusted system accounts only, removing write access from low-privileged users. If a patch or updated version (444 or later) is available, organizations must prioritize deploying it to remediate the underlying permission issues. In the absence of a patch, implementing application whitelisting and monitoring for unauthorized changes to the relevant executables can help detect exploitation attempts. Additionally, employing endpoint detection rules to alert on unexpected service restarts or binary modifications related to Cyrisma_Agent can provide early warning. Network segmentation and limiting access to systems running CYRISMA Sensor can reduce the attack surface. Finally, conducting regular privilege audits and enforcing the principle of least privilege across endpoints will minimize the risk posed by similar vulnerabilities.
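The permission audit the recommendations describe can be scripted. The following PowerShell is an added example written for this page; it is not code from the CVE record, from CYRISMA, or from the page's analysis provider. It assumes that Cyrisma_Agent is the Win32 service name (the advisory gives that name), resolves the service's executable path from the service control manager, and then checks the executable, its folder, and every other .exe in that folder for Allow entries that grant write, modify, delete or full-control rights to low-privileged principals, which is exactly the CWE-276 condition the advisory describes. It finishes by recording SHA-256 hashes so later runs can detect a replaced binary.

```powershell
# Added audit script (not from the CVE record or the vendor). Lists service
# binaries and their folder that grant write-class rights to low-privileged
# principals, then baselines their hashes. Run from an elevated prompt.
param(
    # Assumed Win32 service name; taken from the advisory text.
    [string]$ServiceName = 'Cyrisma_Agent'
)

# Principals that should never hold write rights on service binaries.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller replace the file, or drop a file into the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-WeakAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # inherited entries must be fixed on the parent folder
        }
    }
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

# PathName may be quoted and carry arguments; keep only the executable path.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$dir = Split-Path -Parent $exe

# Audit the service executable, its folder, and every other executable in that
# folder (the advisory names DataSpotliteAgent.exe as one binary the service runs).
$targets  = @($dir, $exe) + (Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File | ForEach-Object FullName)
$findings = $targets | Sort-Object -Unique | ForEach-Object { Get-WeakAces -Path $_ }

if ($findings) {
    Write-Warning "Low-privileged principals hold write-class rights (CWE-276 condition present):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No low-privileged write access found under $dir."
}

# Baseline SHA-256 of each executable so a later run can detect a replaced binary.
Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
```

Entries reported with Inherited set to True come from the parent folder's ACL and cannot be removed on the file alone; correct them on the folder (or break inheritance there) so that only SYSTEM and Administrators retain write rights, then re-run the script to confirm. Keeping the hash output from a clean run and comparing it on a schedule gives the "monitoring for unauthorized changes" the recommendations call for.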


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68c9a92f69caf095b57bf38e

Added to database: 9/16/2025, 6:15:11 PM

Last enriched: 9/24/2025, 1:10:32 AM

Last updated: 10/31/2025, 6:48:38 AM
