CVE-2025-61037: n/a
A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments.
AI Analysis
Technical Summary
CVE-2025-61037 is a local privilege escalation vulnerability identified in SevenCs ORCA G2 version 2.0.1.35, specifically within the EC2007 Kernel v5.22. The vulnerability arises from a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic of the regService process, which operates with SYSTEM privileges. The regService process creates a fixed directory and writes files to it without verifying whether the directory path is an NTFS reparse point (such as a junction). An attacker with standard user privileges can exploit this flaw by quickly replacing the target directory with a junction pointing to a location under their control. Consequently, the SYSTEM-level regService process writes binaries into attacker-controlled locations, enabling arbitrary code execution with SYSTEM privileges. This attack requires only a single UAC confirmation, making it practical and dangerous in real-world scenarios. The vulnerability is classified under CWE-367 (Time-of-Check Time-of-Use Race Condition) and has a CVSS v3.1 base score of 7.0, reflecting high severity due to its impact on confidentiality, integrity, and availability. No patches or fixes have been published yet, and no known exploits have been reported in the wild. The vulnerability's exploitation could lead to full system compromise, unauthorized data access, and disruption of services on affected systems running this specific version of SevenCs ORCA G2.
Potential Impact
For European organizations, the impact of CVE-2025-61037 can be significant, especially for those relying on SevenCs ORCA G2 2.0.1.35 in critical infrastructure, industrial control systems, or sensitive data environments. Successful exploitation grants attackers SYSTEM-level privileges, enabling them to bypass security controls, access or modify sensitive data, install persistent malware, or disrupt system availability. This could lead to data breaches, operational downtime, and regulatory non-compliance under GDPR and other data protection laws. The ease of exploitation with minimal user interaction increases the risk of insider threats or malware leveraging this vulnerability to escalate privileges. Organizations in sectors such as manufacturing, energy, and healthcare that use this software may face heightened risks of targeted attacks or ransomware campaigns exploiting this flaw.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict access to systems running SevenCs ORCA G2 2.0.1.35 to trusted users only and enforce the principle of least privilege to limit standard user capabilities. Monitor and audit the creation of NTFS reparse points and directory modifications by the regService process or related services. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts. Disable or tightly control UAC prompts to prevent unauthorized elevation without explicit administrator approval. Network segmentation should isolate critical systems running this software to reduce lateral movement risk. Organizations should also engage with SevenCs for timely patch releases and consider temporary removal or replacement of affected software where feasible. Regularly update incident response plans to include scenarios involving local privilege escalation attacks.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
CVE-2025-61037: n/a
Description
A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments.
AI-Powered Analysis
Technical Analysis
CVE-2025-61037 is a local privilege escalation vulnerability identified in SevenCs ORCA G2 version 2.0.1.35, specifically within the EC2007 Kernel v5.22. The vulnerability arises from a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic of the regService process, which operates with SYSTEM privileges. The regService process creates a fixed directory and writes files to it without verifying whether the directory path is an NTFS reparse point (such as a junction). An attacker with standard user privileges can exploit this flaw by quickly replacing the target directory with a junction pointing to a location under their control. Consequently, the SYSTEM-level regService process writes binaries into attacker-controlled locations, enabling arbitrary code execution with SYSTEM privileges. This attack requires only a single UAC confirmation, making it practical and dangerous in real-world scenarios. The vulnerability is classified under CWE-367 (Time-of-Check Time-of-Use Race Condition) and has a CVSS v3.1 base score of 7.0, reflecting high severity due to its impact on confidentiality, integrity, and availability. No patches or fixes have been published yet, and no known exploits have been reported in the wild. The vulnerability's exploitation could lead to full system compromise, unauthorized data access, and disruption of services on affected systems running this specific version of SevenCs ORCA G2.
Potential Impact
For European organizations, the impact of CVE-2025-61037 can be significant, especially for those relying on SevenCs ORCA G2 2.0.1.35 in critical infrastructure, industrial control systems, or sensitive data environments. Successful exploitation grants attackers SYSTEM-level privileges, enabling them to bypass security controls, access or modify sensitive data, install persistent malware, or disrupt system availability. This could lead to data breaches, operational downtime, and regulatory non-compliance under GDPR and other data protection laws. The ease of exploitation with minimal user interaction increases the risk of insider threats or malware leveraging this vulnerability to escalate privileges. Organizations in sectors such as manufacturing, energy, and healthcare that use this software may face heightened risks of targeted attacks or ransomware campaigns exploiting this flaw.
Mitigation Recommendations
Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict access to systems running SevenCs ORCA G2 2.0.1.35 to trusted users only and enforce the principle of least privilege to limit standard user capabilities. Monitor and audit the creation of NTFS reparse points and directory modifications by the regService process or related services. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts. Disable or tightly control UAC prompts to prevent unauthorized elevation without explicit administrator approval. Network segmentation should isolate critical systems running this software to reduce lateral movement risk. Organizations should also engage with SevenCs for timely patch releases and consider temporary removal or replacement of affected software where feasible. Regularly update incident response plans to include scenarios involving local privilege escalation attacks.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2025-09-26T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 695544badb813ff03ef0a097
Added to database: 12/31/2025, 3:43:54 PM
Last enriched: 1/7/2026, 8:16:23 PM
Last updated: 2/5/2026, 4:01:18 AM
Views: 44
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-10314: CWE-276 Incorrect Default Permissions in Mitsubishi Electric Corporation FREQSHIP-mini for Windows
HighCVE-2025-11730: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Zyxel ATP series firmware
HighCVE-2026-1898: Improper Access Controls in WeKan
MediumCVE-2026-1897: Missing Authorization in WeKan
MediumCVE-2026-1896: Improper Access Controls in WeKan
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.