CVE-2019-25568
Received Received - Intake
Insecure File Permissions in Memu Play Allow Privilege Escalation

Publication date: 2026-03-21

Last updated on: 2026-04-21

Assigner: VulnCheck

Description
Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-03-21
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25568
EUVD
EUVD-2019-19884
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
microvirt memu to 6.0.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25568 is a critical privilege escalation vulnerability in Memu Play version 6.0.7 and earlier caused by insecure file permissions on the MemuService.exe executable.

Low-privilege users can rename and overwrite MemuService.exe in the installation directory with a malicious executable. When the system reboots, the service restarts and executes the malicious executable with system-level privileges, allowing attackers to gain full control of the system.

Impact Analysis

This vulnerability allows an attacker with low privileges on the affected system to escalate their privileges to SYSTEM level by replacing a critical service executable with malicious code.

  • Attackers can execute arbitrary code with system-level privileges after a system reboot.
  • The attacker can gain full system control, compromising confidentiality, integrity, and availability of the system.
  • This can lead to unauthorized access, data theft, system manipulation, or persistent backdoors.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking the file permissions of the MemuService.exe executable and the service configuration on the affected system.'}, {'type': 'list_item', 'content': 'Use the command `icacls "C:\\Program Files (x86)\\Microvirt\\MEmu\\MemuService.exe"` to inspect the permissions on the executable. If \'Everyone\', \'BUILTIN\\Users\', or \'Authenticated Users\' have modify or full control permissions, the system is vulnerable.'}, {'type': 'list_item', 'content': 'Use the command `sc qc MEmuSVC` to check the service configuration. Confirm that the service runs as a WIN32_OWN_PROCESS, auto-starts (START_TYPE 2), and uses MemuService.exe as its binary path.'}] [3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, you should immediately restrict the file permissions on MemuService.exe and its installation directory to prevent low-privilege users from modifying or replacing the executable.'}, {'type': 'list_item', 'content': "Remove modify or full control permissions for 'Everyone', 'BUILTIN\\Users', and 'Authenticated Users' on the MemuService.exe file and its directory."}, {'type': 'list_item', 'content': 'Ensure that only SYSTEM and Administrators have full control over the service executable and related files.'}, {'type': 'list_item', 'content': 'Consider applying any official patches or updates from Memu Play that address this insecure file permissions issue.'}, {'type': 'list_item', 'content': 'As a temporary measure, monitor and restrict access to the system to trusted users only, and avoid rebooting the system until the permissions are corrected.'}] [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25568. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart