
CVE-2025-61161: n/a

Severity: High
Published: Wed Oct 29 2025 (10/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A DLL hijacking vulnerability exists in Evope Collector 1.1.6.9.0 and related components, which load the wtsapi32.dll library from an uncontrolled search path (C:\ProgramData\Evope). This allows local unprivileged attackers to execute arbitrary code or escalate privileges to SYSTEM by placing a crafted DLL in that location. The vulnerable component is Evope.Service.exe, which runs with SYSTEM privileges and automatically loads the DLL on startup or reboot.

AI-Powered Analysis

Last updated: 10/29/2025, 14:21:13 UTC

Technical Analysis

CVE-2025-61161 is a local privilege escalation caused by DLL hijacking in Evope Collector 1.1.6.9.0 and related components. The vulnerable executable, Evope.Service.exe, runs as SYSTEM and resolves wtsapi32.dll, a Windows system library whose genuine copy lives in %SystemRoot%\System32, from C:\ProgramData\Evope, a directory on the process's DLL search path that the product does not protect. C:\ProgramData grants ordinary users the right to create files and folders by default, so a subdirectory that simply inherits that ACL is writable by any local account.

Why the hijack works: when a DLL is requested by bare name, the Windows loader walks a fixed search order, and for libraries that are not on the KnownDLLs list (wtsapi32.dll is not) the application directory and other search-path entries are consulted before System32. An attacker who writes a file named wtsapi32.dll into C:\ProgramData\Evope therefore gets it loaded in place of the real library the next time the service starts, typically at reboot, and the DLL's entry point runs as SYSTEM. No user interaction is needed beyond the attacker's own local foothold (a low-privileged account, a compromised user session or an insider); after the file drop the attacker only has to wait for, or bring about, a service restart.

The root cause is the weakness MITRE calls an uncontrolled search path element (CWE-427): the service loads a system DLL by name rather than by fully qualified path or with a search order restricted to System32 (for example LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32, or SetDefaultDllDirectories). No public exploit is known at the time of this analysis, but exploitation is straightforward: no memory corruption and no race, only a file write and a restart. Severity is rated High here because SYSTEM-level impact is combined with a low-privilege, local-access precondition. All installations of 1.1.6.9.0 are affected, as may be related components that share the same loading behaviour. No vendor patch or official mitigation had been published when this analysis was written, so compensating controls are the only option until one appears.
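The following audit script is an added example and is not part of the advisory or of Evope's own software. It checks a single host for the two conditions the analysis above describes: whether any non-administrator can create files in the directory the SYSTEM service searches, and whether a wtsapi32.dll is already sitting there shadowing the System32 copy. The directory and DLL name are taken from the advisory; the parameter names, the list of trusted principals and the output layout are assumptions of this example. It only reads ACLs and file metadata, so it runs as an ordinary user.

```powershell
# Added example, not part of the advisory or of Evope's software.
# Audits one host for the CVE-2025-61161 precondition: an unprivileged-writable
# directory on a SYSTEM service's DLL search path, and any wtsapi32.dll already in it.
param(
    [string]$Path    = 'C:\ProgramData\Evope',   # directory named in the advisory
    [string]$DllName = 'wtsapi32.dll'            # DLL named in the advisory
)

# Principals that may legitimately write into a directory a SYSTEM service loads code from
# (assumed list). CREATOR OWNER is included because its ACE is inherit-only: it grants rights
# on files a user has already created, not the right to create them, and would only add noise.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that let a caller drop or replace a file: WriteData/AppendData ("create files" and
# "create folders"), plus the generic bits GENERIC_WRITE (0x40000000) and GENERIC_ALL
# (0x10000000) that ACEs inherited from C:\ProgramData frequently carry.
$createRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$writeMask    = $createRights -bor 0x40000000 -bor 0x10000000
$inheritOnly  = [System.Security.AccessControl.PropagationFlags]::InheritOnly

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    "$Path does not exist; Evope Collector does not appear to be installed on this host."
    return
}

# (1) Allow ACEs that apply to the directory itself and let an untrusted principal create files.
$weak = (Get-Acl -LiteralPath $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    (($_.PropagationFlags -band $inheritOnly) -eq 0) -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
}
foreach ($ace in $weak) {
    $src = if ($ace.IsInherited) { 'inherited, most likely from C:\ProgramData' } else { 'explicit ACE' }
    "EXPOSED: {0} may create files in {1} ({2}: {3})" -f $ace.IdentityReference, $Path, $src, $ace.FileSystemRights
}
if (-not $weak) { "OK: no untrusted principal can create files in $Path" }

# (2) A wtsapi32.dll already in the directory will be loaded instead of the System32 copy
#     on the next service start; report what it is and who put it there.
$candidate = Join-Path $Path $DllName
if (Test-Path -LiteralPath $candidate -PathType Leaf) {
    $genuine   = Join-Path $env:SystemRoot "System32\$DllName"
    $hashHere  = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
    $hashSys32 = (Get-FileHash -LiteralPath $genuine   -Algorithm SHA256).Hash
    $sig       = Get-AuthenticodeSignature -LiteralPath $candidate
    [pscustomobject]@{
        File            = $candidate
        SHA256          = $hashHere
        MatchesSystem32 = ($hashHere -eq $hashSys32)      # a byte-identical copy is still suspicious
        SignatureStatus = $sig.Status                      # Valid/NotSigned/HashMismatch...
        Signer          = $sig.SignerCertificate.Subject
        Owner           = (Get-Acl -LiteralPath $candidate).Owner   # the account that dropped it
        Created         = (Get-Item -LiteralPath $candidate).CreationTime
    }
} else {
    "No $DllName present in $Path right now (a writable directory is still a finding)."
}
```

Read the output as two separate findings: an EXPOSED line means the host is vulnerable even if no DLL is present yet, and a wtsapi32.dll owned by a non-administrator, unsigned, or not byte-identical to the System32 copy should be treated as an incident rather than a misconfiguration.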

Potential Impact

For European organizations, this vulnerability is a significant risk wherever Evope Collector is deployed for monitoring or data collection. An attacker with local access, such as a compromised user account or an insider, can escalate to SYSTEM and take full control of the affected machine: read any data on it, disable or tamper with the collector and other services, harvest credentials for lateral movement, and stage ransomware or other malware, affecting confidentiality, integrity and availability. Because a collector agent is typically rolled out to many hosts, the same technique can be reused across a fleet once it works on one machine. Organizations in regulated sectors such as finance, healthcare and critical infrastructure also face compliance and legal exposure if the vulnerability is exploited. Exploitation needs no user interaction, so it is easy to automate once a foothold exists, and the absence of a patch lengthens the exposure window, which makes compensating controls urgent.

Mitigation Recommendations

1. Restrict write permissions on C:\ProgramData\Evope so that unprivileged users cannot place files there. The directory most likely inherits the permissive default ACL of C:\ProgramData, where Users may create files and folders, so break inheritance and grant write access only to SYSTEM, Administrators and the service account; ordinary users need at most read and execute. Check that no wtsapi32.dll is already present before locking the directory down, and verify that the collector still runs afterwards.
2. Implement application whitelisting or code integrity policies (e.g., Windows Defender Application Control) so that an unsigned or untrusted DLL cannot be loaded by the SYSTEM service even if it does land in the directory.
3. Monitor C:\ProgramData\Evope for unexpected files or changes with file integrity monitoring; a wtsapi32.dll anywhere other than %SystemRoot%\System32 (or SysWOW64 for 32-bit processes) is a high-confidence indicator.
4. Loading system DLLs by fully qualified path, or restricting the search order to System32 (LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32, or SetDefaultDllDirectories), is a code change in Evope.Service.exe that only the vendor can make; it cannot be retrofitted through configuration, so raise it with Evope and rely on items 1 to 3 in the meantime.
5. Isolate systems running Evope Collector to reduce the likelihood of an attacker obtaining local access, including limiting physical access and remote access such as RDP and shared workstations.
6. Regularly audit user accounts and privileges to minimise the number of users with local logon rights on these hosts.
7. Engage with the vendor for patches or updates addressing this vulnerability and apply them promptly once available.
8. Deploy endpoint detection and response (EDR) and, where available, image-load logging (for example Sysmon Event ID 7) to detect a wtsapi32.dll loaded by Evope.Service.exe from outside System32, as well as other privilege escalation attempts.
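The script below is an added example, not vendor-provided code, and implements mitigations 1, 3 and 8 as an interim compensating control: it replaces the directory's inherited ACL with an explicit one that only SYSTEM and Administrators can write to, then queries Sysmon for a wtsapi32.dll being dropped into, or loaded from, that directory. Assumptions beyond the advisory: the rights chosen for SYSTEM, Administrators and Users are this example's (adjust them if a user-mode component of the collector needs to write under the directory), and Sysmon is installed with image-load (ID 7) and file-create (ID 11) events enabled, which the advisory does not mention. It must run elevated.

```powershell
# Added example, not Evope's code. Compensating control for CVE-2025-61161:
#   1. harden the ACL of the directory the SYSTEM service loads wtsapi32.dll from;
#   2. hunt Sysmon logs for the drop (ID 11) or the hijack succeeding (ID 7).
# Assumed: rights below, Sysmon with ID 7/11 logging enabled. Run as Administrator.

$Path    = 'C:\ProgramData\Evope'   # directory named in the advisory
$DllName = 'wtsapi32.dll'           # DLL named in the advisory

# --- 1. Harden the ACL ------------------------------------------------------------------
# Refuse to lock the directory down with a rogue DLL already inside it.
if (Test-Path -LiteralPath (Join-Path $Path $DllName)) {
    throw "$DllName already present in $Path; investigate before changing permissions."
}

$acl = Get-Acl -LiteralPath $Path
# Stop inheriting from C:\ProgramData (whose default ACL lets Users create files) and do
# not keep copies of the inherited ACEs.
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit ACEs as well, so the resulting DACL is exactly the rules below.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$rules   = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }     # the service account
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    @{ Id = 'BUILTIN\Users';          Rights = 'ReadAndExecute' }  # assumed sufficient for clients
)
foreach ($rule in $rules) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $rule.Id, $rule.Rights, $inherit, $none, 'Allow'))
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: only the three identities above, nothing inherited.
(Get-Acl -LiteralPath $Path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# --- 2. Detection over Sysmon events --------------------------------------------------
function Get-EvopeDllEvents {
    param([string]$Dir = $Path, [string]$Dll = $DllName)
    $wanted = Join-Path $Dir $Dll
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7, 11 } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <Data Name="...">value</Data> into a hashtable.
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        # ID 11 = FileCreate (the drop); ID 7 = ImageLoad (the hijack succeeding).
        $file = if ($_.Id -eq 11) { $data.TargetFilename } else { $data.ImageLoaded }
        if ($file -ieq $wanted) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Event   = if ($_.Id -eq 11) { 'FileCreate' } else { 'ImageLoad' }
                Process = $data.Image          # Evope.Service.exe for the load, the dropper for the create
                File    = $file
                Signed  = $data.Signed         # ID 7 only; $null for ID 11
                Status  = $data.SignatureStatus
            }
        }
    }
}
Get-EvopeDllEvents
```

An ImageLoad hit for Evope.Service.exe means the hijack already executed as SYSTEM and the host should be treated as compromised; a FileCreate hit with no matching load means the attacker is waiting for the next restart. Re-run the audit after the ACL change to confirm no inherited write ACE survived, and keep the rule in configuration management so a reinstall or upgrade does not silently restore the inherited permissions.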


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null (no CVSS vector in the record)
State: PUBLISHED

Threat ID: 690222c7d3833ffc6eb71916

Added to database: 10/29/2025, 2:20:55 PM

Last enriched: 10/29/2025, 2:21:13 PM

Last updated: 10/30/2025, 2:23:36 PM


