CVE-2019-25568
Published: 21 March 2026
Summary
CVE-2019-25568 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Microvirt Memu. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks at the 10.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces strict file permissions on critical executables like MemuService.exe to prevent low-privilege users from overwriting them with malicious versions.
Restricts and authorizes modifications to system components such as service executables, directly mitigating unauthorized overwrites in the installation directory.
Monitors the integrity of software executables like MemuService.exe to detect unauthorized alterations or replacements by low-privilege users.
NVD Description
Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot.
Deeper analysis
CVE-2019-25568 is an insecure file permissions vulnerability (CWE-306) affecting Memu Play version 6.0.7, specifically the MemuService.exe executable in its installation directory. Because the file's permissions are inadequate, low-privilege users can rename the legitimate executable and put a malicious version in its place. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high confidentiality, integrity, and availability impacts. Note that the vector's AV:N and PR:N values describe a network-reachable, unauthenticated attack, whereas the NVD description is of an attack by a low-privilege user who can write to the installation directory.
Local low-privilege users with access to the system can exploit this vulnerability to achieve privilege escalation. By overwriting MemuService.exe with a malicious executable, attackers position their code to execute with system-level privileges upon service restart, typically triggered after a computer reboot. This grants attackers full administrative control over the host system.
Advisories and references, including those from VulnCheck and Exploit-DB (exploit 46437), detail the issue and provide proof-of-concept exploitation steps. The official Memu Play website offers download links for the software, potentially including patched versions for mitigation. Security practitioners should verify file permissions on affected installations and apply updates from the vendor.
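One way to carry out the permission check recommended above, as an added example that is not from the vendor, NVD, or the referenced advisories. It finds the service by matching `MemuService.exe` in the registered service path (the service name and install path are not given on this page, so neither is assumed) and lists Allow entries that grant write-type rights on the executable or its folder. The set of principals treated as trusted (SYSTEM, Administrators, TrustedInstaller) is an assumption to adjust to local policy.

```powershell
# Added example (not vendor code): read-only audit of write-capable ACL entries
# on MemuService.exe and its folder. Run on the host where Memu Play is installed.

# Access-mask bits that allow replacing, renaming, or re-permissioning a file.
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) are included because
# Get-Acl reports them as raw numbers rather than named rights.
$named = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$riskyMask = [int]$named -bor 0x40000000 -bor 0x10000000

# Assumption: only these principals should hold write access to a service binary.
$trusted = @(
    'S-1-5-18',       # SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Explicit and inherited entries, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $riskyMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Locate every registered service whose image path points at MemuService.exe.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like '*MemuService.exe*' }

foreach ($svc in $services) {
    # PathName may be quoted and may carry arguments; keep only the executable path.
    if ($svc.PathName -match '^"?(?<exe>[^"]+?MemuService\.exe)') {
        $exe = $Matches['exe']
        Get-RiskyAce -Path $exe                        # overwrite of the file itself
        Get-RiskyAce -Path (Split-Path -Parent $exe)   # rename/create in the folder
    }
}
```

Any row in the output is a non-trusted principal that can alter the service binary or its directory; an empty result means no such Allow entry was found for the paths checked.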