
CVE-2025-61037: n/a

Severity: High
Published: Wed Dec 31 2025 (12/31/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments.

AI-Powered Analysis

Last updated: 12/31/2025, 16:01:46 UTC

Technical Analysis

CVE-2025-61037 is a local privilege escalation vulnerability identified in SevenCs ORCA G2 version 2.0.1.35, specifically within the EC2007 Kernel v5.22. The vulnerability arises from a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic handled by the regService process, which operates with SYSTEM-level privileges. This process creates a fixed directory and writes files without verifying if the target path is an NTFS reparse point (such as a junction). An attacker with standard user privileges can exploit this by quickly replacing the intended directory with a junction pointing to a path they control. Consequently, the SYSTEM-privileged process writes binaries into locations controlled by the attacker, enabling arbitrary code execution at SYSTEM privilege level. Exploitation requires only a single User Account Control (UAC) confirmation, making it feasible in many real-world environments where users may accept prompts without suspicion. The vulnerability does not require network access and is local to the machine, but the impact is severe due to the privilege escalation to SYSTEM. No CVSS score has been assigned yet, and no public exploits are currently known. The vulnerability highlights a critical flaw in handling NTFS reparse points and race conditions in privileged processes, emphasizing the need for secure path validation and atomic operations in security-sensitive code.

Potential Impact

For European organizations, the impact of CVE-2025-61037 can be significant, especially in sectors relying on SevenCs ORCA G2 software, such as maritime navigation, logistics, or other industries using this specialized software. Successful exploitation allows attackers to gain SYSTEM-level privileges from a standard user account, potentially leading to full system compromise, data theft, installation of persistent malware, or lateral movement within enterprise networks. Given the low exploitation barrier (only one UAC prompt), insider threats or malware that can execute with user privileges could leverage this vulnerability to escalate privileges rapidly. This could disrupt critical operations, compromise sensitive data, and damage organizational reputation. The lack of a patch at the time of disclosure increases the urgency for mitigating controls. Additionally, organizations with strict regulatory requirements (e.g., GDPR) may face compliance risks if breaches occur due to this vulnerability.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting standard user permissions so they cannot create or modify NTFS junction points in the directories used by regService.
2. Implement monitoring and alerting for suspicious creation or modification of NTFS reparse points and for unusual file writes by the regService process.
3. Enforce strict UAC policies and train users to reduce the likelihood of approving unexpected elevation prompts.
4. Apply application whitelisting to prevent unauthorized binaries from executing, especially from directories that SYSTEM processes write to.
5. Network segmentation and endpoint detection and response (EDR) solutions can help detect and contain exploitation attempts.
6. Coordinate with SevenCs for timely patch deployment once a patch is available, and test patches in controlled environments before production rollout.
7. Consider temporarily disabling or restricting the regService process if this is feasible without disrupting critical operations.
8. Conduct regular security audits focusing on privilege escalation vectors and race condition vulnerabilities in critical software components.
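The following PowerShell audit script is an added example, not code from the advisory or from SevenCs. It implements the defender-side checks behind the technical analysis and mitigations 1 and 2 above: whether a directory that a SYSTEM service writes to is already an NTFS reparse point, and whether low-privilege principals hold the delete/create rights needed to swap that directory for a junction. The directory path is a placeholder, since the advisory does not name the directory regService uses.

```powershell
# Added example (not from the advisory or from SevenCs): audits the two preconditions of a
# junction-based TOCTOU such as CVE-2025-61037 for a directory a SYSTEM service writes to:
#   (a) is that directory already an NTFS reparse point (junction or symlink)?
#   (b) can low-privilege principals delete it or create an entry in its place?
param(
    # Placeholder: the advisory does not name the directory regService uses.
    [string]$Path = 'C:\ProgramData\PLACEHOLDER_VENDOR\LicenseDir'
)

function Test-ReparsePoint {
    param([string]$Target)
    $item = Get-Item -LiteralPath $Target -Force -ErrorAction Stop
    # Junctions and symbolic links both carry the ReparsePoint attribute;
    # PowerShell exposes the kind and destination as LinkType / Target.
    [pscustomobject]@{
        Path           = $Target
        IsReparsePoint = (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)
        LinkType       = $item.LinkType
        Target         = "$($item.Target)"
    }
}

function Get-LowPrivilegeModifyAccess {
    # Allow ACEs that give non-admin principals the rights needed to remove the
    # directory or create a new entry in its place (the junction swap step).
    param([string]$Dir)
    $lowPriv = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $swapRights = [Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                  [Security.AccessControl.FileSystemRights]::Delete -bor
                  [Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    (Get-Acl -LiteralPath $Dir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $swapRights) -ne 0)
    }
}

if (Test-Path -LiteralPath $Path) {
    $rp = Test-ReparsePoint -Target $Path
    if ($rp.IsReparsePoint) { Write-Warning "$Path is a $($rp.LinkType) -> $($rp.Target)" }
    else { Write-Output "$Path is a plain directory (no reparse point)" }
}
$dirs = @((Split-Path -LiteralPath $Path -Parent), $Path) | Where-Object { Test-Path -LiteralPath $_ }
foreach ($dir in $dirs) {
    $aces = @(Get-LowPrivilegeModifyAccess -Dir $dir)
    if ($aces.Count -eq 0) { Write-Output "No low-privilege delete/create rights on $dir"; continue }
    Write-Warning "Low-privilege principals can modify $dir, so a junction swap is possible:"
    $aces | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

A finding on the second check is the precondition that mitigation 1 removes, not proof of exploitability on its own, since that also depends on when and how regService creates the directory.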


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 695544badb813ff03ef0a097

Added to database: 12/31/2025, 3:43:54 PM

Last enriched: 12/31/2025, 4:01:46 PM

Last updated: 1/7/2026, 4:12:44 AM
