CVE-2025-60320 identifies an unquoted service path vulnerability in the memoQ Auto Update Service (memoQauhlp101) present in memoQ version 10.1.13.ef1b2b52aae and earlier. The vulnerability stems from the service being installed with a file path containing spaces but lacking surrounding quotation marks. Windows interprets such unquoted paths by parsing the path segments separated by spaces, which can lead to the operating system executing a malicious executable placed in a higher-level directory such as C:\Program.exe instead of the intended service executable. This misconfiguration allows a local attacker, who has limited privileges on the system, to escalate their privileges to SYSTEM by placing a crafted executable at the vulnerable path. The attack does not require user interaction but does require local access with some level of privileges (PR:H). The CVSS 3.1 vector (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates that the attack is local, has low complexity, requires high privileges, no user interaction, affects unchanged scope, and impacts confidentiality, integrity, and availability to a high degree. Although no known exploits are currently reported in the wild, the vulnerability represents a significant risk for environments where memoQ is deployed, especially in multi-user or shared systems. The CWE-428 classification corresponds to unquoted search path vulnerabilities, a common misconfiguration leading to privilege escalation. The lack of immediate patches necessitates interim mitigations to reduce risk.

For European organizations, especially those in the translation, localization, and content management sectors using memoQ, this vulnerability poses a significant risk of local privilege escalation. An attacker with limited local access could gain SYSTEM-level privileges, potentially allowing full control over affected systems, access to sensitive data, and the ability to deploy persistent malware or disrupt services. This could lead to data breaches, operational downtime, and compromise of intellectual property. The impact is heightened in environments with multiple users or where endpoint security is less stringent. Given memoQ's popularity in European language service providers and multinational corporations, the vulnerability could affect critical business processes and client confidentiality. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is public. Organizations with strict regulatory requirements such as GDPR must consider the potential for data exposure and compliance violations resulting from such privilege escalations.

1. Apply official patches or updates from memoQ as soon as they become available to correct the unquoted service path. 2. In the absence of patches, restrict local user permissions to prevent unauthorized file creation in system root directories such as C:\. 3. Use application whitelisting and endpoint protection solutions to detect and block unauthorized executables, especially in critical paths like C:\. 4. Audit existing service paths on affected systems to identify other unquoted service path vulnerabilities and remediate them by adding quotes or correcting the service configuration. 5. Implement strict local user access controls and limit the number of users with administrative privileges. 6. Monitor system logs and file system changes for suspicious activity around the C:\Program.exe path or similar locations. 7. Educate system administrators and users about the risks of unquoted service paths and the importance of secure service configurations. 8. Consider deploying host-based intrusion detection systems (HIDS) to alert on privilege escalation attempts. 9. Regularly review and harden endpoint security policies to reduce the attack surface for local privilege escalation.