CVE-2025-64721: CWE-190: Integer Overflow or Wraparound in sandboxie-plus Sandboxie
Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.6 and below, the SYSTEM-level service SbieSvc.exe exposes SbieIniServer::RC4Crypt to sandboxed processes. The handler adds a fixed header size to a caller-controlled value_len without overflow checking. A large value_len (e.g., 0xFFFFFFF0) wraps the allocation size, causing a heap overflow when attacker data is copied into the undersized buffer. This allows sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. This issue is fixed in version 1.16.7.
AI Analysis
Technical Summary
CVE-2025-64721 is a critical integer overflow vulnerability in Sandboxie, a sandbox-based isolation software for Windows NT-based operating systems. The vulnerability exists in versions 1.16.6 and earlier within the SYSTEM-level service SbieSvc.exe, specifically in the SbieIniServer::RC4Crypt handler exposed to sandboxed processes. This handler adds a fixed header size to a caller-controlled parameter value_len without performing overflow checks. When a malicious sandboxed process supplies a large value_len (e.g., 0xFFFFFFF0), the addition causes an integer overflow that wraps the allocation size to a much smaller value. Consequently, when attacker-controlled data is copied into this undersized buffer, a heap overflow occurs. This memory corruption allows the attacker to execute arbitrary code with SYSTEM privileges, effectively escaping the sandbox and fully compromising the host system. The vulnerability requires no prior authentication or user interaction, making it trivially exploitable remotely if sandboxed processes can be controlled. The flaw is classified under CWE-190 (Integer Overflow or Wraparound) and has been assigned a CVSS 4.0 base score of 9.9, indicating critical severity. The vendor fixed this issue in Sandboxie version 1.16.7. While no public exploits are currently reported, the nature of the vulnerability and its impact make it a high-risk threat to any environment using vulnerable Sandboxie versions on Windows platforms.
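The two size computations below, written here as an added illustration rather than code from Sandboxie or the advisory, show the CWE-190 pattern the analysis describes: a fixed header size added to a caller-controlled 32-bit length with no wrap check, beside the guarded form a handler should use. The header size (16) and the message limit are assumed placeholders; the real constants in SbieSvc.exe are not given on the page.

```c
#include <stdint.h>

/* Hypothetical fixed header size; the real value used by SbieSvc is not on the page. */
#define HDR_SIZE 16u

/* Vulnerable pattern from the advisory: the header size is added to a caller-
 * controlled 32-bit length with no overflow check, and the result is what would be
 * passed to the allocator. For value_len = 0xFFFFFFF0 the sum wraps to 0, so the
 * buffer is far smaller than the value_len bytes copied into it afterwards. */
uint32_t alloc_size_unchecked(uint32_t value_len)
{
    return HDR_SIZE + value_len;   /* wraps when value_len > UINT32_MAX - HDR_SIZE */
}

/* Hardened form: refuse the request before allocating when the addition would wrap
 * or the total exceeds a sane upper bound for this message type. Returns the total
 * size on success and 0 on rejection (a valid size is always >= HDR_SIZE, so 0 is
 * an unambiguous sentinel). */
uint32_t alloc_size_checked(uint32_t value_len, uint32_t max_msg)
{
    if (value_len > UINT32_MAX - HDR_SIZE)   /* addition would wrap */
        return 0;
    uint32_t total = HDR_SIZE + value_len;
    if (total > max_msg)                      /* exceeds protocol limit */
        return 0;
    return total;
}

/* Stand-alone check with the page's example length 0xFFFFFFF0 (assumed 1 MiB limit). */
int main(void)
{
    uint32_t wrapped = alloc_size_unchecked(0xFFFFFFF0u);      /* 0: wrapped size */
    uint32_t guarded = alloc_size_checked(0xFFFFFFF0u, 1u << 20); /* 0: rejected */
    uint32_t normal  = alloc_size_checked(100u, 1u << 20);        /* 116: accepted */
    return (wrapped == 0 && guarded == 0 && normal == 116u) ? 0 : 1;
}
```

In a real handler the checked length should additionally be compared against the number of bytes actually received, so that a caller cannot declare more data than it sent.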
Potential Impact
For European organizations, this vulnerability poses a significant risk due to the widespread use of Sandboxie for application sandboxing and isolation on Windows systems. Exploitation allows attackers to escalate privileges from a sandboxed process to SYSTEM level, leading to full host compromise. This can result in unauthorized access to sensitive data, disruption of critical services, deployment of ransomware or other malware, and lateral movement within corporate networks. Organizations relying on Sandboxie for endpoint security or containment of untrusted code are particularly vulnerable. The lack of required authentication or user interaction means attackers can exploit this flaw remotely if they can run code inside the sandbox. This elevates the threat to critical infrastructure, financial institutions, healthcare providers, and government agencies across Europe, where Windows environments and sandboxing solutions are common. The potential for complete system takeover could lead to severe operational, financial, and reputational damage.
Mitigation Recommendations
European organizations should immediately verify their Sandboxie version and upgrade to version 1.16.7 or later, where this vulnerability is patched. If upgrading is not immediately feasible, organizations should consider disabling Sandboxie or restricting its use to trusted applications only. Network segmentation and strict application whitelisting can limit exposure by preventing untrusted code from running inside sandboxed environments. Monitoring for unusual behavior or privilege escalation attempts originating from sandboxed processes can provide early detection. Additionally, applying Windows security best practices such as least privilege principles, endpoint detection and response (EDR) solutions, and regular patch management will reduce the attack surface. Organizations should also review their incident response plans to address potential exploitation scenarios involving sandbox escapes. Vendor communication channels should be monitored for any emerging exploit reports or additional patches.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-10T14:07:42.922Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693b36e922246175c6a34f05
Added to database: 12/11/2025, 9:26:01 PM
Last enriched: 12/19/2025, 5:15:02 AM
Last updated: 2/1/2026, 7:33:40 AM