Cyber Resilience

CVE-2019-25568

Critical · Public PoC

Published: 21 March 2026
Modified: 21 April 2026
KEV Added:
Patch:
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (23.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2019-25568 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microvirt Memu. Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE ranks at the 23.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2019-25568 is an insecure file permissions vulnerability (CWE-306) affecting Memu Play version 6.0.7, specifically the MemuService.exe executable in its installation directory. Because the file is inadequately protected by its permissions, low-privilege users can replace the legitimate executable by renaming it and overwriting it with a malicious version. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high confidentiality, integrity, and availability impacts.

Local low-privilege users with access to the system can exploit this vulnerability to achieve privilege escalation. By overwriting MemuService.exe with a malicious executable, attackers position their code to execute with system-level privileges upon service restart, typically triggered after a computer reboot. This grants attackers full administrative control over the host system.

Advisories and references, including those from VulnCheck and Exploit-DB (exploit 46437), detail the issue and provide proof-of-concept exploitation steps. The official Memu Play website offers download links for the software, potentially including patched versions for mitigation. Security practitioners should verify file permissions on affected installations and apply updates from the vendor.
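A permissions check of the kind recommended above, as an added example that is not from the advisory or the vendor: it finds the service by the MemuService.exe name given on this page, reads the binary path from the service configuration, and lists allow ACEs that grant write-type rights on the file or its folder to anyone other than SYSTEM, Administrators or TrustedInstaller. The trusted-SID list and the function name Get-RiskyAce are assumptions of this example.

```powershell
# Added example, not vendor code. Audits who can replace the service binary.
# Assumption: the service is found by the executable name given in the advisory;
# its path is read from the service configuration rather than hard-coded.
$target = 'MemuService.exe'

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow overwriting, renaming or re-permissioning a file,
# plus the raw GENERIC_WRITE / GENERIC_ALL bits that some ACEs carry.
$fsMask  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rawMask = $fsMask -bor 0x40000000 -bor 0x10000000

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs do not apply to the object itself; skip them.
        $inheritOnly = $ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $rawMask) -ne 0) {
            [pscustomobject]@{
                Path   = $Path
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like "*$target*" }

foreach ($svc in $services) {
    # PathName may be quoted and carry arguments; keep only the .exe path.
    if ($svc.PathName -match '^\s*"?(.+?\.exe)') {
        $exe = $Matches[1]
        # Renaming the file needs rights on the folder, so check both.
        Get-RiskyAce -Path $exe
        Get-RiskyAce -Path (Split-Path -Parent $exe)
    }
}
```

Each row returned is a principal that can alter the service binary or its folder. No output means either the service is not installed or no other principal holds those rights.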

Vulnerability details

Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1574.010 Services File Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
Why these techniques?

Weak permissions on MemuService.exe directly enable binary replacement for service hijack/privilege escalation on restart.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4810 (Shared CWE-306)
CVE-2025-59695 (Shared CWE-306)
CVE-2025-25224 (Shared CWE-306)
CVE-2023-53968 (Shared CWE-306)
CVE-2026-27843 (Shared CWE-306)
CVE-2025-13030 (Shared CWE-306)
CVE-2026-34731 (Shared CWE-306)
CVE-2025-53847 (Shared CWE-306)
CVE-2025-61757 (Shared CWE-306)
CVE-2025-55222 (Shared CWE-306)

Affected Assets

microvirt · memu · ≤ 6.0.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces strict file permissions on critical executables like MemuService.exe to prevent low-privilege users from overwriting them with malicious versions.

prevent

Restricts and authorizes modifications to system components such as service executables, directly mitigating unauthorized overwrites in the installation directory.

detect

Monitors the integrity of software executables like MemuService.exe to detect unauthorized alterations or replacements by low-privilege users.
