CVE-2025-64699: n/a
An incorrect NULL DACL issue exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The regService process, which runs with SYSTEM privileges, applies a Security Descriptor to a device object with no explicitly configured DACL. This condition could allow an attacker to perform unauthorized raw disk operations, which could lead to system disruption (DoS) and exposure of sensitive data, and may facilitate local privilege escalation.
AI Analysis
Technical Summary
CVE-2025-64699 is a vulnerability identified in SevenCs ORCA G2 version 2.0.1.35, specifically within the EC2007 Kernel version 5.22. The root cause is an incorrect NULL Discretionary Access Control List (DACL) applied by the regService process, which runs with SYSTEM-level privileges. The regService process sets a Security Descriptor on a device object without explicitly configuring a DACL, effectively leaving the object unprotected: Windows treats a security descriptor whose DACL is NULL as granting every caller full access (unlike an empty DACL, which grants no access at all). This misconfiguration allows local attackers with limited privileges to gain unauthorized access to raw disk operations. Such access can lead to multiple severe consequences: denial of service (system disruption), unauthorized exposure of sensitive data stored on the disk, and potentially local privilege escalation by manipulating disk contents or system state. The vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), highlighting the risk of improper access control. The CVSS v3.1 base score is 7.8, reflecting high severity due to high impact on confidentiality, integrity, and availability, combined with low attack complexity and low privilege requirements. Exploitation requires local access and privileges but no user interaction, meaning an attacker must already have some foothold on the system. Currently, there are no known public exploits or patches available, increasing the urgency for affected organizations to implement interim mitigations. This vulnerability is particularly critical in environments where SevenCs ORCA G2 is deployed, often in embedded or industrial control systems, where kernel-level access and disk integrity are paramount.
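As an added defender's check (not code from SevenCs, MITRE or this advisory), the following Python classifier makes the distinction the analysis turns on visible when auditing security descriptors in SDDL form, for example the strings returned by PowerShell's `(Get-Acl <path>).Sddl` or by `sc.exe sdshow`. A descriptor with no `D:` section at all is a NULL DACL, which Windows interprets as full access for every caller (the condition described above); a `D:` section with no ACEs is an empty DACL that grants nobody access; and a DACL that names Everyone or Authenticated Users with broad rights is just as exposed, but at least shows up in the ACE list. The sample descriptors are constructed, not captured from ORCA G2, and the choice of "broad principal" aliases and "write" rights tokens is an assumption of this example.

```python
"""Classify the DACL of a Windows security descriptor written in SDDL.

Added example for this advisory; not code from SevenCs, the CVE record or
any tool named here. States reported:

  null   - no "D:" section; a NULL DACL grants every caller full access
  empty  - "D:" present but no ACEs; no principal is granted access
  broad  - an allow ACE grants a broad principal (Everyone, Authenticated
           Users, Users, Interactive) access; the finding says whether it
           includes modify rights
  scoped - only specific principals (e.g. SYSTEM, Administrators) appear
"""
import re
from dataclasses import dataclass, field

_SECTION_RE = re.compile(r"([OGDS]):")   # O: owner, G: group, D: DACL, S: SACL
_ACE_RE = re.compile(r"\(([^)]*)\)")

# SDDL SID aliases for principals that include every local user (real aliases;
# which ones count as "broad" is this example's choice).
BROAD_PRINCIPALS = {"WD": "Everyone", "AU": "Authenticated Users",
                    "BU": "Users", "IU": "Interactive"}
# Two-letter SDDL rights that permit modifying the object or its ACL.
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "WD", "WO", "WP", "DC", "SD"}
# Same idea for numeric access masks: GENERIC_ALL, GENERIC_WRITE,
# WRITE_DAC, WRITE_OWNER, FILE_WRITE_DATA.
WRITE_MASK = 0x10000000 | 0x40000000 | 0x00040000 | 0x00080000 | 0x00000002


@dataclass
class Ace:
    ace_type: str      # "A" allow, "D" deny, "AU" audit, ...
    rights: str        # raw rights field, e.g. "GA" or "0x1f01ff"
    sid: str           # alias ("WD") or string SID ("S-1-5-21-...")

    def grants_write(self) -> bool:
        r = self.rights
        if r.lower().startswith("0x"):
            return bool(int(r, 16) & WRITE_MASK)
        tokens = {r[i:i + 2] for i in range(0, len(r), 2)}
        return bool(tokens & WRITE_TOKENS)


@dataclass
class DaclReport:
    state: str                          # "null" | "empty" | "broad" | "scoped"
    findings: list = field(default_factory=list)
    aces: list = field(default_factory=list)


def split_sections(sddl: str) -> dict:
    """Map section letter -> body text for the sections present in `sddl`."""
    marks = list(_SECTION_RE.finditer(sddl))
    out = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        out[m.group(1)] = sddl[m.end():end]
    return out


def parse_aces(section: str) -> list:
    """Parse "(type;flags;rights;obj;inh;sid)" entries; skips malformed ones."""
    aces = []
    for body in _ACE_RE.findall(section):
        parts = body.split(";")
        if len(parts) < 6:
            continue
        aces.append(Ace(parts[0], parts[2], parts[5]))
    return aces


def assess_dacl(sddl: str) -> DaclReport:
    """Return the DACL state plus one finding per broad-principal allow ACE."""
    sections = split_sections(sddl)
    if "D" not in sections:
        return DaclReport("null", ["no D: section: NULL DACL, every caller gets full access"])
    aces = parse_aces(sections["D"])
    if not aces:
        return DaclReport("empty", ["D: present with no ACEs: nobody is granted access"])
    findings = []
    for ace in aces:
        if ace.ace_type == "A" and ace.sid in BROAD_PRINCIPALS:
            kind = "write" if ace.grants_write() else "read-only"
            findings.append(f"{BROAD_PRINCIPALS[ace.sid]} allowed {ace.rights} ({kind})")
    return DaclReport("broad" if findings else "scoped", findings, aces)


# Constructed sample descriptors (not captured from the affected product).
SAMPLES = {
    "null":   "O:SYG:SY",                           # owner/group only, no DACL at all
    "empty":  "O:SYG:SYD:",                         # DACL present, zero ACEs
    "broad":  "O:SYG:SYD:(A;;GA;;;WD)",             # Everyone: GENERIC_ALL
    "scoped": "O:SYG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)", # SYSTEM and Administrators only
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        rep = assess_dacl(sddl)
        print(f"{name:7} {rep.state:7} {sddl}")
        for finding in rep.findings:
            print("        -", finding)
```

Deny ACEs are deliberately not counted as findings; a deny for Everyone followed by an allow for SYSTEM is a scoped descriptor. Conditional ACEs and object-specific ACE fields are parsed by position only, so a descriptor that relies on them should be reviewed by hand.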
Potential Impact
For European organizations, the impact of CVE-2025-64699 can be substantial, especially in sectors such as manufacturing, critical infrastructure, telecommunications, and any industry relying on embedded systems running the affected kernel. Unauthorized raw disk access can lead to data breaches involving sensitive or regulated information, causing compliance violations under GDPR and other data protection laws. Denial of service conditions could disrupt operational technology (OT) environments, leading to production downtime and financial losses. Local privilege escalation could allow attackers to gain full control over affected systems, facilitating further lateral movement and persistent threats within networks. The lack of available patches increases the window of exposure, and the high severity score underscores the critical need for immediate attention. Organizations with remote or local access to affected systems must consider this vulnerability a priority due to the potential for significant confidentiality, integrity, and availability impacts.
Mitigation Recommendations
1. Immediately audit and restrict local user privileges on systems running SevenCs ORCA G2 2.0.1.35 to the minimum necessary, preventing untrusted users from gaining local access.
2. Implement strict monitoring and alerting for unusual access patterns to device objects and raw disk operations, leveraging endpoint detection and response (EDR) tools capable of kernel-level monitoring.
3. Use application whitelisting and process control to limit execution of unauthorized code that could exploit this vulnerability.
4. Enforce network segmentation to isolate critical systems running the affected kernel from general user environments, reducing the risk of local exploitation.
5. Engage with SevenCs or authorized vendors to obtain patches or updates as soon as they become available, and plan for rapid deployment.
6. Consider deploying host-based firewalls and access control mechanisms to limit access to the regService process and related system components.
7. Conduct regular security assessments and penetration testing focused on local privilege escalation vectors to identify and remediate similar weaknesses.
8. Maintain comprehensive backups and recovery plans to mitigate the impact of potential denial of service or data corruption attacks.
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-31T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6955483edb813ff03ef16426
Added to database: 12/31/2025, 3:58:54 PM
Last enriched: 1/7/2026, 8:16:48 PM
Last updated: 1/8/2026, 7:21:33 AM