CVE-2019-25568
Insecure File Permissions in Memu Play Allow Privilege Escalation
Publication date: 2026-03-21
Last updated on: 2026-04-21
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microvirt | memu | up to and including 6.0.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25568 is a critical privilege escalation vulnerability in Memu Play version 6.0.7 and earlier caused by insecure file permissions on the MemuService.exe executable.
Low-privilege users can rename and overwrite MemuService.exe in the installation directory with a malicious executable. When the system reboots, the service restarts and executes the malicious executable with system-level privileges, allowing attackers to gain full control of the system.
How can this vulnerability impact me?
This vulnerability allows an attacker with low privileges on the affected system to escalate their privileges to SYSTEM level by replacing a critical service executable with malicious code.
- Attackers can execute arbitrary code with system-level privileges after a system reboot.
- The attacker can gain full system control, compromising confidentiality, integrity, and availability of the system.
- This can lead to unauthorized access, data theft, system manipulation, or persistent backdoors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the file permissions of the MemuService.exe executable and the service configuration on the affected system.
- Use the command `icacls "C:\Program Files (x86)\Microvirt\MEmu\MemuService.exe"` to inspect the permissions on the executable. If 'Everyone', 'BUILTIN\Users', or 'Authenticated Users' have modify or full control permissions, the system is vulnerable.
- Use the command `sc qc MEmuSVC` to check the service configuration. Confirm that the service runs as a WIN32_OWN_PROCESS, auto-starts (START_TYPE 2), and uses MemuService.exe as its binary path. [3]
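A host-side version of the two checks above, as an added PowerShell example (not taken from the advisory or from Microvirt). It reads the binary path from the service entry instead of hard-coding it, matches the three groups by well-known SID so it works on localized Windows, and generalizes "modify or full control" to any write-type right on the executable and its folder. The service name `MEmuSVC` comes from this page; the function name `Get-WeakAce` is hypothetical.

```powershell
# Added example: audit a service binary and its folder for write access by low-privileged groups.
param([string]$ServiceName = 'MEmuSVC')   # service name as used with `sc qc` on this page

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'

# Bits that allow overwriting, renaming or re-ACLing a file; Modify and FullControl contain them.
# 0x50000000 adds GENERIC_ALL and GENERIC_WRITE, which Get-Acl can report unmapped.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership) -bor 0x50000000

function Get-WeakAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # orphaned or unresolvable identity
        if ($LowPrivSids -contains $sid -and ([int]$ace.FileSystemRights -band $WriteMask)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Output "Service $ServiceName not found"; return }

# PathName may be quoted and may carry arguments; keep only the executable path.
if ($svc.PathName -notmatch '^\s*"?(?<exe>[^"]+?\.exe)') {
    throw "Cannot parse service path: $($svc.PathName)"
}
$exe = $Matches['exe']

'{0}: StartMode={1} StartName={2} Binary={3}' -f $svc.Name, $svc.StartMode, $svc.StartName, $exe

# Check the binary and its parent folder: write access to the folder also permits rename/replace.
$findings = @(Get-WeakAce -Path $exe) + @(Get-WeakAce -Path (Split-Path -Parent $exe))
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No write access for Everyone / Authenticated Users / BUILTIN\Users' }
```

Any row in the output means a low-privileged group can modify the service binary or its folder; an empty result means the ACLs already match the mitigation described below.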
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should immediately restrict the file permissions on MemuService.exe and its installation directory to prevent low-privilege users from modifying or replacing the executable.
- Remove modify or full control permissions for 'Everyone', 'BUILTIN\Users', and 'Authenticated Users' on the MemuService.exe file and its directory.
- Ensure that only SYSTEM and Administrators have full control over the service executable and related files.
- Consider applying any official patches or updates from Memu Play that address this insecure file permissions issue.
- As a temporary measure, monitor and restrict access to the system to trusted users only, and avoid rebooting the system until the permissions are corrected. [2, 3]