CVE-2025-60320 identifies an unquoted service path vulnerability in the memoQ Auto Update Service (memoQauhlp101) present in memoQ version 10.1.13.ef1b2b52aae and earlier. The vulnerability arises because the service is installed with a file path that contains spaces but is not enclosed in quotation marks. In Windows environments, unquoted service paths with spaces can be exploited by placing a malicious executable in a higher priority path segment. Specifically, an attacker with local user privileges can place a malicious executable named Program.exe directly in the C:\ root directory. When the service starts, Windows may mistakenly execute this malicious Program.exe instead of the intended service binary, resulting in privilege escalation to SYSTEM level. This type of vulnerability is well-known and allows attackers to gain full control over the affected system without requiring network access or user interaction beyond local access. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to affected systems. memoQ is a popular translation management software used globally, including in Europe, for managing localization projects. The Auto Update Service runs with elevated privileges, making this vulnerability particularly dangerous. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. Given the ability to escalate privileges to SYSTEM, the vulnerability is considered high severity. Organizations using memoQ should verify their installed versions and apply any vendor-provided patches or workarounds. In the absence of patches, restricting write permissions to the root of the system drive and monitoring for unauthorized executables named Program.exe are critical mitigations.

The primary impact of CVE-2025-60320 is local privilege escalation, allowing a low-privileged user to gain SYSTEM-level access on affected Windows systems running vulnerable versions of memoQ. This can lead to complete compromise of the host, including unauthorized access to sensitive translation data, modification or deletion of files, installation of persistent malware, and lateral movement within the network. For European organizations, especially those in sectors relying heavily on translation and localization services such as legal, financial, governmental, and multinational corporations, this vulnerability could expose critical intellectual property and confidential communications. The compromise of SYSTEM privileges undermines system integrity and confidentiality, potentially leading to data breaches and operational disruption. Since memoQ is widely used in Europe, the vulnerability could affect many organizations if exploited. Although exploitation requires local access, insider threats or attackers leveraging other footholds could use this vulnerability to escalate privileges and deepen their control. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as proof-of-concept or weaponized exploits could emerge. The impact on availability is moderate, as attackers could disrupt services or delete files, but the main concern is confidentiality and integrity loss.

To mitigate CVE-2025-60320, European organizations using memoQ should take the following specific actions: 1) Immediately verify the memoQ version in use and upgrade to a patched version once available from the vendor. 2) Until patches are released, restrict write permissions to the root of the system drive (C:\) to prevent unauthorized creation of executables like Program.exe. 3) Implement file integrity monitoring on critical system directories to detect suspicious files named Program.exe or similar. 4) Audit and limit local user permissions to reduce the number of accounts capable of writing to system directories. 5) Use application whitelisting to prevent execution of unauthorized binaries. 6) Educate system administrators and users about the risks of unquoted service path vulnerabilities and the importance of local account security. 7) Regularly review Windows service configurations to ensure service paths are properly quoted, and report any misconfigurations to the vendor. 8) Employ endpoint detection and response (EDR) tools to monitor for unusual process executions and privilege escalation attempts. 9) Isolate critical translation servers and restrict access to trusted personnel only. 10) Maintain up-to-date backups to recover from potential compromise. These targeted mitigations go beyond generic advice by focusing on controlling local write access, monitoring for specific attack vectors, and hardening service configurations.