CVE-2025-61037
TOCTOU Race Condition in SevenCs ORCA G2 Enables SYSTEM Code Execution
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sevencs | ec2007_kernel | 5.22 |
| sevencs | orca_g2 | 2.0.1.35 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61037 is a local privilege escalation vulnerability in SevenCs ORCA G2 2.0.1.35 and EC2007 Kernel v5.22 caused by a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management service (regService) that runs with SYSTEM privileges. The service creates directories and copies files without verifying if the target path is an NTFS reparse point (like a junction). An attacker can exploit this by replacing the target directory with a junction to a user-controlled path, causing the SYSTEM-level process to drop binaries in a location controlled by the attacker. This allows arbitrary code execution with SYSTEM privileges after only a single UAC confirmation, making it highly practical and dangerous. [1]
How can this vulnerability impact me?
This vulnerability allows a local standard user to escalate their privileges to SYSTEM level by exploiting a race condition in the license management service. This can lead to arbitrary code execution with SYSTEM privileges, enabling attackers to install persistent backdoors, disable security controls, and compromise the overall system integrity and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves checking whether the fixed directory used by regService (C:\Program Files (x86)\Common Files\SevenCs\EC2007) has been replaced by an NTFS reparse point such as a junction or symbolic link. You can use Windows commands like 'dir /AL "C:\Program Files (x86)\Common Files\SevenCs\EC2007"' to list junction or symbolic-link entries. Additionally, PowerShell commands like 'Get-Item "C:\Program Files (x86)\Common Files\SevenCs\EC2007" | Format-List Attributes, LinkType' can help identify reparse points. Monitoring for unexpected creation or modification of files in this directory by SYSTEM processes may also indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include hardening directory permissions on the affected path to deny DELETE and WRITE access to standard users, minimizing SYSTEM-level filesystem operations on predictable paths, and avoiding TOCTOU patterns by ensuring atomic file operations. Specifically, ensure that the regService process or similar SYSTEM processes do not perform existence checks and file writes separately, explicitly check for reparse points before directory creation or file copying, and open directories with FILE_FLAG_OPEN_REPARSE_POINT. Applying these mitigations reduces the risk of an attacker exploiting the race condition to gain SYSTEM privileges. [1]
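The detection checks and the directory-permission hardening described in the two answers above, as one added PowerShell example. This is not code from the advisory, from SevenCs or from this page's source; it assumes only the fixed regService path quoted above. The function names, parameters, the list of low-privilege principals and the replacement ACL template (SYSTEM and Administrators full control, Users read/execute) are this example's own assumptions and should be adjusted to what the product actually needs.

```powershell
# Added example (not the advisory's or vendor's code). Audits the regService directory
# for the two conditions the Q&A describes: a reparse point anywhere on the path, and
# ACLs that grant WRITE or DELETE to standard users. Protect-RegServiceDir applies the
# hardening with icacls and honours -WhatIf.

function Get-RegServiceDirFindings {
    [CmdletBinding()]
    param(
        # Fixed path used by regService according to the advisory.
        [string]$Path = 'C:\Program Files (x86)\Common Files\SevenCs\EC2007'
    )

    $findings = @()

    # 1. Reparse-point check. Walk from the directory up to the drive root: a junction on
    #    any ancestor redirects the SYSTEM-level copy just as well as one on the leaf.
    #    Note that 'dir /AL <dir>' lists reparse points *inside* <dir>; the directory itself
    #    must be inspected as an item, which is what Get-Item -Force does here.
    $current = $Path
    while ($current) {
        if (Test-Path -LiteralPath $current) {
            $item = Get-Item -LiteralPath $current -Force
            if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                $findings += [pscustomobject]@{
                    Check  = 'ReparsePoint'
                    Path   = $current
                    Detail = "$($item.LinkType) -> $($item.Target -join ', ')"
                }
            }
        }
        $parent = Split-Path -Path $current -Parent
        if ($parent -eq $current) { break }
        $current = $parent
    }

    # 2. ACL check. Flag any Allow ACE that gives low-privilege principals the rights
    #    an attacker needs to delete the directory and replace it with a junction.
    #    SIDs: BUILTIN\Users, Authenticated Users, Everyone, INTERACTIVE (assumed list).
    $lowPrivSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-4')
    $rights = [System.Security.AccessControl.FileSystemRights]
    $dangerous = $rights::Write -bor $rights::Delete -bor $rights::DeleteSubdirectoriesAndFiles -bor
                 $rights::ChangePermissions -bor $rights::TakeOwnership

    $target = $Path
    if (-not (Test-Path -LiteralPath $Path)) {
        # If the directory is absent, regService creates it on its next run, so whoever
        # can write the parent can pre-plant a junction there. Audit the parent instead.
        $target = Split-Path -Path $Path -Parent
        $findings += [pscustomobject]@{ Check = 'Missing'; Path = $Path; Detail = "Directory absent; auditing parent $target" }
    }
    $acl = Get-Acl -LiteralPath $target
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity (orphaned SID); skip it
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $dangerous) -ne 0)) {
            $findings += [pscustomobject]@{
                Check  = 'WeakAcl'
                Path   = $target
                Detail = "$($ace.IdentityReference) allowed $($ace.FileSystemRights)"
            }
        }
    }
    return $findings
}

function Protect-RegServiceDir {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'C:\Program Files (x86)\Common Files\SevenCs\EC2007'
    )
    # Replace inherited ACEs with an explicit set that denies standard users WRITE and
    # DELETE. SIDs are used instead of names so the command works on localized Windows:
    # S-1-5-18 = SYSTEM, S-1-5-32-544 = Administrators, S-1-5-32-545 = Users.
    # This template is an assumption; grant whatever additional rights the product needs.
    $icaclsArgs = @('/inheritance:r', '/grant:r',
                    '*S-1-5-18:(OI)(CI)F', '*S-1-5-32-544:(OI)(CI)F', '*S-1-5-32-545:(OI)(CI)RX')
    if ($PSCmdlet.ShouldProcess($Path, "icacls $($icaclsArgs -join ' ')")) {
        & icacls.exe $Path @icaclsArgs
    }
}

# Usage (run from an elevated prompt):
Get-RegServiceDirFindings | Format-Table -AutoSize
Protect-RegServiceDir -WhatIf   # drop -WhatIf to apply the hardening
```

An empty result from Get-RegServiceDirFindings means no reparse point was found on the path and no low-privilege principal holds write or delete rights on the directory (or, if it does not exist yet, on its parent). Because the directory is recreated by a SYSTEM process, re-run the audit after every product update, since an installer may restore the original inheritable ACL.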
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows local privilege escalation to SYSTEM level, enabling attackers to execute arbitrary code with high privileges. This can lead to persistent backdoors, disabling security controls, and compromising system integrity, which may result in unauthorized access to sensitive data. Such unauthorized access and potential data breaches could negatively impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information. Therefore, exploitation of this vulnerability could cause non-compliance with these regulations due to failure to maintain adequate security controls and protect data confidentiality and integrity. [1]