CVE-2025-61303
Published: 20 October 2025
Summary
CVE-2025-61303 is a critical-severity Uncontrolled Resource Consumption (CWE-400) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Stealth (T1211). The CVE is ranked at the 27.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates uncontrolled resource consumption (CWE-400) by protecting against exhaustion from recursive child process spawning in the sandbox analysis engine.
- Enforces denial-of-service protections to prevent the malware-induced denial-of-analysis condition caused by excessive process creation and resource depletion.
- Ensures adequate audit log storage capacity to handle high log volumes generated by rapid process spawning, avoiding logging failures that contribute to incomplete behavioral analysis.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is exploited by spawning excessive child processes to deplete resources and overwhelm the sandbox analysis engine (CWE-400), directly enabling T1499.001 (OS Exhaustion Flood) and T1211 (Exploitation for Defense Evasion) to mask malicious behaviors.
NVD Description
Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021 (2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results.
Deeper analysis
CVE-2025-61303, published on 2025-10-20, is a vulnerability in the Windows behavioral analysis engine of Hatching Triage Sandbox running on Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021 (2025-08-14). The issue, tied to CWE-400 (Uncontrolled Resource Consumption), enables a submitted malware sample to evade detection and induce a denial-of-analysis condition. This occurs when the sample recursively spawns a large number of child processes, producing excessive log volume and depleting system resources, which prevents key malicious behaviors—such as PowerShell execution and reverse shell activity—from being recorded or reported, thereby undermining the reliability of sandbox analysis.
Any unauthenticated attacker with network access to the sandbox can exploit this vulnerability, given its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting and submitting a malware sample that triggers rapid, recursive process creation, the attacker causes resource exhaustion in the analysis engine. This results in incomplete behavioral logging, evasion of detection for subsequent malicious actions, and denial of service for analysis operations, potentially misleading security analysts and allowing threats to go unnoticed.
Mitigation details are available in the referenced advisory at https://github.com/eGkritsis/CVE-2025-61303.
Details
- CWE(s)