CVE-2025-10541
BaseFortify

Publication date: 2025-09-25

Last updated on: 2025-11-03

Assigner: SEC Consult Vulnerability Lab

Description
iMonitor EAM 9.6394 installs a system service (eamusbsrv64.exe) that runs with NT AUTHORITY\SYSTEM privileges. This service includes an insecure update mechanism that automatically loads files placed in the C:\sysupdate\ directory during startup. Because any local user can create and write to this directory, an attacker can place malicious DLLs or executables in it. Upon service restart, the files are moved to the application’s installation path and executed with SYSTEM privileges, leading to privilege escalation.
Meta Information

Published: 2025-09-25
Last Modified: 2025-11-03
Generated: 2026-05-07
AI Q&A: 2025-09-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
imonitorsoft | eam | 9.6394
CWE ID | Description
CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in iMonitor EAM 9.6394 where a system service (eamusbsrv64.exe) runs with high privileges (NT AUTHORITY\SYSTEM). The service automatically loads files from the C:\sysupdate\ directory during startup. Since any local user can write to this directory, an attacker can place malicious files there. When the service restarts, it moves and executes these files with SYSTEM privileges, allowing the attacker to escalate their privileges on the system.


How can this vulnerability impact me?

An attacker with local access can exploit this vulnerability to execute malicious code with SYSTEM-level privileges. This means they can gain full control over the affected system, potentially installing malware, stealing data, or disrupting system operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking for the presence of the eamusbsrv64.exe service running with SYSTEM privileges and inspecting the C:\sysupdate\ directory for any unauthorized or suspicious files. Commands to help detect this include:

1) To check the service: 'sc query eamusbsrv64' or 'Get-Service -Name eamusbsrv64' (PowerShell).
2) To list files in the update directory: 'dir C:\sysupdate\' or 'Get-ChildItem C:\sysupdate\' (PowerShell).
3) To check file ownership and permissions in that directory to see if non-administrative users have write access.

Monitoring for unexpected files or changes in this directory can indicate exploitation attempts.
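
The three checks above combined into one PowerShell audit, as an added example that is not part of the original page or vendor guidance. The service name is the one used in the commands above; treating only SYSTEM and Administrators as trusted writers is an assumption to adjust to local policy.

```powershell
# Added example: audit the update directory described in CVE-2025-10541.
$UpdateDir   = 'C:\sysupdate'
$ServiceName = 'eamusbsrv64'                 # as used in the commands above
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544'    # assumption: SYSTEM, BUILTIN\Administrators

# Rights that let a principal plant, replace or re-permission files.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x50000000      # GENERIC_WRITE | GENERIC_ALL in raw ACEs

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Ask for SIDs directly so localized or unresolvable account names do not matter.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $TrustedSids -and
            ([int]$_.FileSystemRights -band $WriteBits) -ne 0
        } |
        Select-Object @{n='Path'; e={$Path}},
                      @{n='Sid';  e={$_.IdentityReference.Value}},
                      FileSystemRights, IsInherited
}

# 1) Is the service installed, and under which account does it run?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) { $svc | Select-Object Name, State, StartMode, StartName, PathName | Format-List }
else      { "Service '$ServiceName' is not installed on this host." }

if (Test-Path -LiteralPath $UpdateDir -PathType Container) {
    # 3) Which non-trusted principals can write into the directory?
    Get-UntrustedWriteAce -Path $UpdateDir | Format-Table -AutoSize
    # 2) What is staged there right now, who owns it, and what is its hash?
    Get-ChildItem -LiteralPath $UpdateDir -Recurse -Force -File | ForEach-Object {
        [pscustomobject]@{
            File     = $_.FullName
            Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
} else {
    # Directory absent: whoever may create folders in the parent can create it.
    "$UpdateDir does not exist; principals able to create it:"
    Get-UntrustedWriteAce -Path (Split-Path -Parent $UpdateDir) | Format-Table -AutoSize
}
```

Any row returned by `Get-UntrustedWriteAce`, or any staged file owned by a non-administrative account, warrants review before the service is next restarted.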


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting write permissions on the C:\sysupdate\ directory to prevent unprivileged users from placing files there, stopping and disabling the eamusbsrv64.exe service if it is not required, and monitoring the directory for unauthorized files. Additionally, consider applying any available patches or updates from the vendor that address this insecure update mechanism.

