CVE-2025-57625: n/a
CYRISMA Sensor before 444 for Windows has an Insecure Folder and File Permissions vulnerability. A low-privileged user can abuse these issues to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM by replacing DataSpotliteAgent.exe or any other binaries called by the Cyrisma_Agent service when it starts.
AI Analysis
Technical Summary
CVE-2025-57625 is a privilege escalation vulnerability affecting CYRISMA Sensor versions prior to build 444 on Windows platforms. The root cause of this vulnerability lies in insecure folder and file permissions within the CYRISMA Sensor installation directory. Specifically, low-privileged users can exploit these misconfigurations to replace critical executable binaries such as DataSpotliteAgent.exe or other binaries invoked by the Cyrisma_Agent service during its startup. Because the Cyrisma_Agent service runs under the NT AUTHORITY\SYSTEM account, any replaced binary executed by this service will run with SYSTEM-level privileges, effectively allowing an attacker to execute arbitrary code with the highest level of privileges on the affected system. This type of vulnerability is particularly dangerous because it does not require the attacker to have administrative privileges initially; a low-privileged user account is sufficient to carry out the attack. The vulnerability is classified as an insecure permissions issue, which is a common vector for local privilege escalation attacks. No CVSS score has been assigned yet, and there are no known exploits in the wild at the time of publication. The vulnerability was reserved in August 2025 and published in September 2025. No patches or mitigation links have been provided yet, indicating that organizations using CYRISMA Sensor should urgently assess their exposure and implement compensating controls until a patch is available.
Potential Impact
For European organizations, this vulnerability poses a significant risk to endpoint security and overall network integrity. CYRISMA Sensor is a security monitoring tool, and compromise of its agent with SYSTEM privileges could allow attackers to disable security monitoring, manipulate logs, or deploy persistent malware undetected. This could lead to broader network compromise, data exfiltration, or disruption of critical services. Given that the attack requires only low-privileged user access, insider threats or attackers who have gained limited footholds could escalate privileges rapidly. This is particularly concerning for organizations in regulated sectors such as finance, healthcare, and critical infrastructure, where data confidentiality and system availability are paramount. Although no exploits are known, no patch is available either, so organizations must proactively mitigate the risk. Additionally, since CYRISMA Sensor runs on Windows, which is widely used in European enterprises, the potential attack surface is substantial. The ability to execute arbitrary code as SYSTEM could also facilitate lateral movement within networks, increasing the scope and impact of an attack.
Mitigation Recommendations
1. Immediately review and harden folder and file permissions on the CYRISMA Sensor installation directories so that only authorized administrative accounts have write access.
2. Implement application whitelisting or code integrity policies (e.g., Windows Defender Application Control) to prevent unauthorized binaries from executing, especially binaries that replace critical agent executables.
3. Restrict local user permissions to the minimum necessary, and monitor for unusual file modifications or replacements in the CYRISMA Sensor directories.
4. Employ endpoint detection and response (EDR) solutions to detect anomalous behaviors such as unexpected service restarts or binary replacements.
5. Until an official patch is released, consider isolating or limiting the use of CYRISMA Sensor on endpoints where possible, or running the agent with reduced privileges if supported.
6. Conduct regular audits of service binaries and their hashes to detect unauthorized changes.
7. Educate system administrators and security teams about this vulnerability to ensure rapid response and monitoring.
8. Engage with CYRISMA vendor support channels for updates and patches as they become available.
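The following PowerShell audit script is an added example, not code from CYRISMA or from this advisory. It covers recommendations 1 and 6 above: it resolves the directory the Cyrisma_Agent service binary runs from, reports any Allow ACEs that grant write-class rights to low-privileged principals on that directory or on the executables in it, and records SHA-256 hashes of those executables as a baseline for later comparison. The service name comes from the advisory; the list of low-privileged principals and the baseline output path are assumptions to adapt locally, and the script should be run from an elevated session.

```powershell
# Added defensive audit (not CYRISMA's code): find a service's binary directory,
# flag ACEs that let low-privileged principals write or replace files there, and
# save a SHA-256 baseline of its executables so later replacement can be detected.
param([string]$ServiceName = 'Cyrisma_Agent')

# Assumed list of principals that should never hold write access to service files.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')
# Rights that allow creating, deleting or re-permissioning files (i.e. replacing binaries).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL on unresolved ACEs

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
# PathName may be quoted and carry arguments; keep only the executable path.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$dir = Split-Path -Parent $exe
Write-Host "Service $ServiceName runs as '$($svc.StartName)' from $dir"

function Get-WeakAces([string]$Path) {
    # Returns Allow ACEs that grant write-class rights to a low-privileged principal.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteMask) -ne 0) -or (($rights -band $GenericWriteOrAll) -ne 0)) {
            [pscustomobject]@{ Path = $Path; Principal = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

$findings = @(Get-WeakAces $dir)          # the folder itself: create/delete rights allow replacement
$baseline = @()
foreach ($f in Get-ChildItem -Path $dir -Filter '*.exe' -File -Recurse) {
    $findings += @(Get-WeakAces $f.FullName)   # each binary: write rights allow in-place overwrite
    $baseline += [pscustomobject]@{ Path = $f.FullName
                                    SHA256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash }
}

if ($findings.Count -eq 0) { Write-Host "No write access for low-privileged principals under $dir" }
else { Write-Warning "Low-privileged principals can modify service files:"; $findings | Format-Table -AutoSize }

# Assumed baseline location; diff this file on later runs to catch replaced binaries.
$baseline | Export-Csv -Path (Join-Path $env:ProgramData 'service-baseline.csv') -NoTypeInformation
```

Any finding in the output is an ACE to remove or tighten; a hash that differs from the saved baseline on a later run indicates a binary that was replaced.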
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68c9a92f69caf095b57bf38e
Added to database: 9/16/2025, 6:15:11 PM
Last enriched: 9/16/2025, 6:15:26 PM
Last updated: 9/17/2025, 12:09:20 AM