Cyber Resilience

CVE-2025-57625

Severity: High
Published: 16 September 2025
Modified: 15 April 2026
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0016 (36.6th percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-57625 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability. The affected product is recorded here as Gitbook, which was inferred automatically from the reference URLs; the vulnerability description itself names CYRISMA Sensor for Windows. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE is ranked at the 36.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-57625 is an Insecure Folder and File Permissions vulnerability (CWE-276) affecting CYRISMA Sensor versions before 444 on Windows. The issue stems from inadequate permissions on folders and files associated with the Cyrisma_Agent service, enabling unauthorized modifications to critical binaries such as DataSpotliteAgent.exe. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

A low-privileged user with access to the affected system can exploit this vulnerability by replacing DataSpotliteAgent.exe or other binaries invoked by the Cyrisma_Agent service upon startup. This allows privilege escalation to NT AUTHORITY\SYSTEM context, enabling arbitrary code execution with full administrative rights. The network vector (AV:N) suggests exploitation may be feasible in scenarios where low-privileged access is gained remotely, though initial low privileges are required.

Advisories detailing the vulnerability are available in disclosures such as the blog post at https://msry1.gitbook.io/thegoldenrecord/blog/vulnerability-and-bug-disclosures/cyrsma-sensor-version-less-than-2.5 and a related video at https://youtu.be/2DScqXPtrWw, both of which describe the affected product as CYRISMA Sensor versions less than 2.5 (the CVE description gives the fixed version as 444). Mitigation specifics, including patches, are referenced in these sources for affected deployments.


Vulnerability details

CYRISMA Sensor before 444 for Windows has an Insecure Folder and File Permissions vulnerability. A low-privileged user can abuse these issues to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM by replacing DataSpotliteAgent.exe or any other binaries called by the Cyrisma_Agent service when it starts.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1574.010 Services File Permissions Weakness (Stealth): Adversaries may execute their own malicious payloads by hijacking the binaries used by services.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Insecure service binary permissions (CWE-276) directly enable binary replacement for SYSTEM-level privilege escalation via the Cyrisma_Agent service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-10314 (shared CWE-276)
CVE-2021-47761 (shared CWE-276)
CVE-2020-37129 (shared CWE-276)
CVE-2025-21532 (shared CWE-276)
CVE-2025-24176 (shared CWE-276)
CVE-2025-1789 (shared CWE-276)
CVE-2024-43769 (shared CWE-276)
CVE-2025-0543 (shared CWE-276)
CVE-2025-7024 (shared CWE-276)
CVE-2025-24267 (shared CWE-276)

Affected Assets

Gitbook
Inferred automatically from the reference URLs; NVD did not file a CPE for this CVE. Note that the vulnerability description itself names CYRISMA Sensor for Windows as the affected product.

Mitigating Controls

NIST 800-53 r5 controls:

AC-3 Access Enforcement (prevent): Enforces approved access authorizations on folders and files, preventing low-privileged users from replacing critical service binaries like DataSpotliteAgent.exe.

CM-6 Configuration Settings (prevent): Establishes and maintains secure baseline configuration settings, including restrictive permissions on Cyrisma_Agent service folders and binaries to block unauthorized modifications.

Integrity monitoring (detect): Monitors the integrity of software and binaries executed by the Cyrisma_Agent service to identify unauthorized replacements or tampering.
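A defender-side check for the weakness described in the analysis above and for the access-enforcement and integrity-monitoring controls listed here, written as an added PowerShell example (it is not from the CVE record, the vendor, or this site): it locates a service's binary from the service configuration, flags write-class ACEs held by low-privileged principals on the binary's folder and files, and keeps a SHA-256 baseline of the executables so later replacement is visible. The service name Cyrisma_Agent comes from the CVE description; the baseline file location and the list of low-privileged principals are assumptions.

```powershell
# Added audit example (not from the CVE record or the vendor). Run as an
# administrator on the host being checked. Service name is from the CVE
# description; BaselinePath and the principal list are assumptions.
param(
    [string]$ServiceName  = 'Cyrisma_Agent',
    [string]$BaselinePath = "$env:ProgramData\svc-baseline-$ServiceName.json"
)

# Principals that should never hold write-class rights on a SYSTEM service's binaries.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\INTERACTIVE')
# Any of these rights on the file or folder is enough to swap a binary (CWE-276 pattern).
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, TakeOwnership, ChangePermissions'

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }

# PathName may be quoted and carry arguments; keep only the executable path.
$exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
$dir = Split-Path -Parent $exe

# Check the containing folder and every file in it, not just the main binary.
$findings = foreach ($item in @(Get-Item $dir) + (Get-ChildItem $dir -File)) {
    $acl = Get-Acl -Path $item.FullName
    foreach ($ace in $acl.Access) {
        $identity = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $identity -and
            ($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{ Path = $item.FullName; Principal = $identity; Rights = $ace.FileSystemRights }
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { "No weak ACEs found under $dir" }

# Integrity baseline: hash every executable the service could load from its folder.
$hashes = Get-ChildItem $dir -Include *.exe, *.dll -Recurse | Get-FileHash -Algorithm SHA256
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath | ConvertFrom-Json
    foreach ($h in $hashes) {
        $old = $baseline | Where-Object Path -eq $h.Path
        if (-not $old)                { Write-Warning "New binary since baseline: $($h.Path)" }
        elseif ($old.Hash -ne $h.Hash) { Write-Warning "Hash changed since baseline: $($h.Path)" }
    }
} else {
    $hashes | Select-Object Path, Hash | ConvertTo-Json | Set-Content $BaselinePath
    "Baseline written to $BaselinePath"
}
```

The first run writes the baseline after the vendor patch is applied; subsequent runs report any weak ACE and any executable whose hash has changed.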
