CVE-2025-57625
Published: 16 September 2025
Summary
CVE-2025-57625 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in CYRISMA Sensor for Windows, affecting versions before 444. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Hijack Execution Flow: Services File Permissions Weakness (T1574.010). It ranks at the 30.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved access authorizations on the service's folders and files, so that low-privileged users cannot replace critical service binaries such as DataSpotliteAgent.exe.
- CM-6 (Configuration Settings): establishes and maintains a secure baseline configuration, including restrictive permissions on the Cyrisma_Agent service folders and binaries, to block unauthorized modification.
- Software integrity monitoring: verifies the integrity of the binaries the Cyrisma_Agent service executes, so that an unauthorized replacement or tampering is detected rather than silently run as SYSTEM.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Insecure permissions on the service's folders and binaries (CWE-276) map directly to T1574.010: a low-privileged user overwrites a binary that the Cyrisma_Agent service loads at startup, and because the service runs as SYSTEM, the replacement executes with NT AUTHORITY\SYSTEM privileges the next time the service starts.
NVD Description
CYRISMA Sensor before 444 for Windows has an Insecure Folder and File Permissions vulnerability. A low-privileged user can abuse these issues to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM by replacing DataSpotliteAgent.exe or any other binaries called by the Cyrisma_Agent service when it starts.
Deeper analysis
CVE-2025-57625 is an Insecure Folder and File Permissions vulnerability (CWE-276) affecting CYRISMA Sensor versions before 444 on Windows. The issue stems from overly permissive ACLs on the folders and files belonging to the Cyrisma_Agent service, which allow users who should only be able to read those files to modify or replace critical binaries such as DataSpotliteAgent.exe. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting full confidentiality, integrity and availability impact on the affected host.
A low-privileged user with access to the affected system replaces DataSpotliteAgent.exe, or another binary the Cyrisma_Agent service loads at startup, with a file of their choosing; when the service next starts (for example at reboot), that file runs as NT AUTHORITY\SYSTEM, giving the attacker full control of the host. Although the published vector carries AV:N, the attack itself is a write to the local filesystem: an attacker needs an existing low-privileged foothold (a local logon, a compromised user session, or code execution as a standard user obtained by other means) and uses this flaw to escalate from there, rather than triggering it directly over the network.
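The audit a practitioner would run for this class of flaw, added here as an example (it is not code from the advisory, the disclosing researcher or the vendor): it resolves the Cyrisma_Agent service's binary from the service registration, then checks the binary, its install folder and every .exe/.dll in that folder for write-class rights granted to low-privileged principals. The service name comes from the NVD text; the install path is read from the service rather than assumed; the list of low-privileged principals, the rights mask and the icacls baseline at the end are this example's own choices, and the icacls commands are printed for review rather than executed.

```powershell
# Added example, not vendor or advisory code. Audits a Windows service's on-disk
# ACLs for the CWE-276 weakness CVE-2025-57625 describes: write/modify rights on
# the service folder or its binaries held by principals any local user can use.
# Run from an elevated PowerShell prompt on the host that has the agent installed.
param(
    [string]$ServiceName = 'Cyrisma_Agent'   # service name from the NVD description
)

# Principals any unprivileged local user can act as (assumed list; extend to taste).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace or alter a file, or drop a file into a folder.
# Modify and FullControl contain these bits, so they are caught too. The last two
# values are GENERIC_WRITE and GENERIC_ALL, which some ACEs carry unmapped.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]$FSR::WriteData -bor [int]$FSR::AppendData -bor
             [int]$FSR::Delete -bor [int]$FSR::ChangePermissions -bor
             [int]$FSR::TakeOwnership -bor 0x40000000 -bor 0x10000000

# Resolve the service's executable from its registration instead of assuming a path.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed on this host." }

# PathName may be quoted and may carry arguments; keep only the executable path.
if ($svc.PathName -match '^\s*"([^"]+)"') {
    $ExePath = $Matches[1]
} elseif ($svc.PathName -match '^\s*(\S+?\.exe)') {
    $ExePath = $Matches[1]
} else {
    throw "Cannot parse service path: $($svc.PathName)"
}
$InstallDir = Split-Path -Parent $ExePath
Write-Host "Service '$ServiceName' runs as '$($svc.StartName)' from '$ExePath'"

# Return one record per Allow ACE that grants write-class rights to a low-priv principal.
function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# The folder matters as much as the binary: a writable folder lets a user rename
# the real file away and drop a new one, even if the file's own ACL is tight.
$Targets = @($InstallDir, $ExePath)
$Targets += Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { $_.FullName }
$Targets = $Targets | Select-Object -Unique

$Findings = foreach ($t in $Targets) { Get-WeakAce -Path $t }

if (-not $Findings) {
    Write-Host "No write-class rights for low-privileged principals found under '$InstallDir'."
    return
}
$Findings | Format-Table -AutoSize

# A replaced binary runs with the service's own account at the next service start.
if ($svc.StartName -eq 'LocalSystem') {
    Write-Warning "Service runs as LocalSystem: a user who swaps one of these files gets NT AUTHORITY\SYSTEM at next start."
}

# Hardening sketch, printed rather than run. The vendor fix is to upgrade to a build
# with correct defaults; until then, drop inheritance, grant SYSTEM/Administrators
# full control and Users read+execute, then make the contents inherit from the folder.
# Carve out a separate writable data/log folder if the agent genuinely needs one.
$Fix = @"
icacls "$InstallDir" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
icacls "$InstallDir\*" /reset /t /c /q
"@
Write-Host "`nSuggested hardening (review before running):`n$Fix"
```

The same script works for any service name, which is useful because the NVD text says "any other binaries called by the Cyrisma_Agent service", not just DataSpotliteAgent.exe: the scan covers every .exe and .dll under the install folder, and reports inherited entries separately because a weak inherited ACE usually means the parent folder is the real problem.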
The vulnerability is documented in the researcher's disclosure at https://msry1.gitbook.io/thegoldenrecord/blog/vulnerability-and-bug-disclosures/cyrsma-sensor-version-less-than-2.5 and in a related video at https://youtu.be/2DScqXPtrWw. Note that the disclosure's title refers to CYRISMA Sensor versions below 2.5, whereas the NVD entry gives the fixed version as 444; confirm the exact fixed build with the vendor before closing the finding. Mitigation specifics, including patches, are referenced in these sources for affected deployments.
Details
- CWE(s)