CVE-2025-64699
Incorrect NULL DACL in SevenCs ORCA G2 Enables Privilege Escalation
Publication date: 2025-12-31
Last updated on: 2025-12-31
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sevencs | ec2007_kernel | 5.22 |
| sevencs | orca_g2 | 2.0.1.35 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Check the DACL on the volume device object itself (for example \\.\C:, the Win32 name that resolves to the underlying \Device\HarddiskVolumeN object), not the files stored on the volume. Sysinternals accesschk can dump the object's security descriptor, e.g. `accesschk.exe -v -o \Device\HarddiskVolumeN` (substitute the volume number backing C:); an entry granting Everyone, Users or Authenticated Users read or write access is overly permissive. To confirm the exact NULL DACL state programmatically, read the descriptor with GetKernelObjectSecurity (or GetSecurityInfo) and call GetSecurityDescriptorDacl: the vulnerable state is bDaclPresent = TRUE with pDacl = NULL. A behavioural check is to open \\.\C: for read from a standard (non-administrative) user account; if the open succeeds, the device is unprotected, and no read or write needs to be issued to prove it. [1]
What immediate steps should I take to mitigate this vulnerability?
Do not apply a broad or empty ACL to a critical device object such as \\.\C: unless there is no alternative. If the object's security descriptor must be changed, set an explicit least-privilege DACL that grants access to SYSTEM and Administrators only. Verify the resulting descriptor: it must not be a NULL DACL (bDaclPresent = TRUE with pDacl = NULL) and must not contain allow ACEs for Everyone, Users or Authenticated Users. Validate this programmatically with GetSecurityDescriptorDacl after every change and keep the check as a regression test so a later code change cannot silently reintroduce the condition. Longer term, redesign the workflow so that system identification does not require modifying raw device object ACLs at all. [1]
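The detection and validation steps above (inspect the device object's DACL, flag the NULL DACL state, flag broad allow ACEs) as one script. This is an added example written for this page, not code from the advisory or from SevenCs. It assumes Windows PowerShell 5.1 or later, that the caller can open the device with READ_CONTROL (run it elevated if a standard user gets access denied; that denial by itself means the DACL is restricting access), and the device path and the list of "broad" SIDs are this example's choices:

```powershell
# Added example (not from the advisory or the vendor): read the security descriptor of a
# volume device object, report the NULL DACL state described in CVE-2025-64699, and list
# allow ACEs granted to broad principals. Suitable as a pre/post-change regression check.

$nativeSource = @'
using System;
using System.Runtime.InteropServices;
public static class DeviceSecurityNative {
    public const uint READ_CONTROL              = 0x00020000;
    public const uint FILE_SHARE_READ           = 0x00000001;
    public const uint FILE_SHARE_WRITE          = 0x00000002;
    public const uint OPEN_EXISTING             = 3;
    public const uint DACL_SECURITY_INFORMATION = 0x00000004;

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess, uint dwShareMode,
        IntPtr lpSecurityAttributes, uint dwCreationDisposition, uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetKernelObjectSecurity(IntPtr Handle, uint RequestedInformation,
        byte[] pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
Add-Type -TypeDefinition $nativeSource

function Get-DeviceSecurityDescriptor {
    # Opens the device with READ_CONTROL only (no data access) and returns its
    # self-relative security descriptor as a RawSecurityDescriptor.
    param([Parameter(Mandatory)][string]$DevicePath)

    $handle = [DeviceSecurityNative]::CreateFileW($DevicePath, [DeviceSecurityNative]::READ_CONTROL,
        [DeviceSecurityNative]::FILE_SHARE_READ -bor [DeviceSecurityNative]::FILE_SHARE_WRITE,
        [IntPtr]::Zero, [DeviceSecurityNative]::OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($handle -eq [IntPtr]::new(-1)) {
        throw "CreateFileW($DevicePath) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [uint32]$needed = 0
        # First call with a zero-length buffer only reports the required size.
        [void][DeviceSecurityNative]::GetKernelObjectSecurity($handle, [DeviceSecurityNative]::DACL_SECURITY_INFORMATION, $null, 0, [ref]$needed)
        $buffer = New-Object byte[] $needed
        if (-not [DeviceSecurityNative]::GetKernelObjectSecurity($handle, [DeviceSecurityNative]::DACL_SECURITY_INFORMATION, $buffer, $needed, [ref]$needed)) {
            throw "GetKernelObjectSecurity failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    } finally {
        [void][DeviceSecurityNative]::CloseHandle($handle)
    }
    return New-Object System.Security.AccessControl.RawSecurityDescriptor($buffer, 0)
}

function Test-DeviceDacl {
    # Returns an object describing the DACL state. NullDacl = $true is the CVE-2025-64699
    # condition (SE_DACL_PRESENT set, DACL pointer NULL); Findings lists everything that
    # would fail a least-privilege review.
    param(
        [Parameter(Mandatory)][string]$DevicePath,
        # Assumed list for this example: Everyone, BUILTIN\Users, Authenticated Users.
        [string[]]$BroadSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11')
    )
    $sd = Get-DeviceSecurityDescriptor -DevicePath $DevicePath
    $daclPresent = ($sd.ControlFlags -band [System.Security.AccessControl.ControlFlags]::DiscretionaryAclPresent) -ne 0
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $daclPresent) {
        $findings.Add('No DACL in security descriptor: Windows grants full access to everyone')
    } elseif ($null -eq $sd.DiscretionaryAcl) {
        $findings.Add('NULL DACL (SE_DACL_PRESENT set, pDacl == NULL): every access check succeeds')
    } else {
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace -is [System.Security.AccessControl.CommonAce] -and
                $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
                $BroadSids -contains $ace.SecurityIdentifier.Value) {
                $findings.Add(('Allow ACE for broad principal {0} with access mask 0x{1:X8}' -f $ace.SecurityIdentifier.Value, $ace.AccessMask))
            }
        }
    }
    [pscustomobject]@{
        DevicePath  = $DevicePath
        DaclPresent = $daclPresent
        NullDacl    = ($daclPresent -and $null -eq $sd.DiscretionaryAcl)
        Sddl        = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
        Findings    = $findings.ToArray()
    }
}

# Usage: run before and after any change that touches the device object's security
# descriptor, and fail the deployment or regression test when Findings is non-empty.
$result = Test-DeviceDacl -DevicePath '\\.\C:'
$result | Format-List
if ($result.Findings.Count -gt 0) { Write-Warning 'Volume device object DACL is not least-privilege' }
```

The script deliberately requests only READ_CONTROL, so it never opens the volume for data access and is safe to run on production hosts. The SDDL string in the output is what to compare against the expected "SYSTEM and Administrators only" descriptor in a regression test; an absent DACL and a NULL DACL are both reported, since Windows treats either as granting all access.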
Can you explain this vulnerability to me?
This vulnerability is caused by an incorrect NULL Discretionary Access Control List (DACL) applied by the regService process in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). regService runs as SYSTEM and writes a security descriptor to a device object (the raw disk volume) in which the DACL is marked present but left NULL. Windows treats a NULL DACL as granting every requested access to every caller, so the device object is left with no access control at all, and any local, non-administrative, authenticated user can open the raw disk device. With that handle an attacker can perform raw disk operations that disrupt the system, expose data that file-level permissions would otherwise protect, or escalate privileges. [1]
How can this vulnerability impact me?
Unauthorized raw disk access gives a local user three impacts: 1) Denial of Service, by corrupting critical on-disk structures such as the boot record and leaving the system unable to start; 2) Information Disclosure, because raw volume reads bypass file-level permissions and expose any data on the volume; and 3) local privilege escalation, because credential material (for example registry hives) can be extracted offline from the raw volume and may lead to administrative compromise. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability could lead to exposure of sensitive data due to unauthorized raw disk reads bypassing file-level protections, which may result in non-compliance with data protection regulations such as GDPR and HIPAA that require safeguarding sensitive information. Additionally, the potential for local privilege escalation and system disruption could impact the integrity and availability requirements mandated by these standards. [1]