CVE-2025-61865 in NarSuS App
Summary
by MITRE • 10/23/2025
Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
Analysis
by VulDB Data Team • 12/10/2025
This vulnerability exists in multiple Network Attached Storage management applications developed by I-O DATA DEVICE, INC. The flaw stems from the service installer registering Windows services whose executable path contains spaces but is stored without surrounding quotes. When the Service Control Manager starts such a service, the executable is resolved through a documented search order that an attacker with write permission on the root directory of the system drive can hijack. VulDB files the weakness under CWE-16 (Configuration); the weakness that describes this pattern precisely is CWE-428, Unquoted Search Path or Element. It is a classic local privilege escalation vector for an attacker who already has limited access to the host.
Technically, the problem is that the service installer writes the executable path into the service's ImagePath value without enclosing it in double quotes. When the Service Control Manager hands that string to CreateProcess with no separate application name, Windows cannot tell where the executable name ends and the arguments begin, so it treats every space as a possible boundary and probes the resulting prefixes from shortest to longest, appending ".exe" to any prefix that has no extension. For a service registered as C:\Program Files\IOData\service.exe (an illustrative path, not the real install location), Windows tries C:\Program.exe first and only then C:\Program Files\IOData\service.exe; a path with more spaces yields one candidate per space, each tried in turn. Because the first candidate that exists wins, an attacker who can create C:\Program.exe gets it executed with the service's privileges, here SYSTEM, the next time the service starts. This is search-path hijacking, not path traversal. Note that on a default Windows installation standard users can create folders but not files in the root of the system drive, which is why the advisory's precondition is stated as write permission on that root directory rather than as something every local user has.
The operational impact is significant: a user who meets the precondition obtains SYSTEM-level code execution on the affected host, which serves both as persistence (the planted binary runs again at every service start, typically every boot) and as a foothold for lateral movement. Two practical caveats apply. First, the attack needs write permission on the root of the system drive, which standard users do not hold by default; it becomes reachable through a loosened ACL, a misconfigured deployment, or a user account that was compromised with such rights. Second, the planted executable only runs when the service starts, and a low-privileged user normally cannot restart a SYSTEM service, so exploitation usually waits for a reboot. The vulnerability affects multiple NAS management applications from I-O DATA DEVICE, INC., so the exposure spans several products in their line rather than a single application.
Mitigation should focus on service path hardening and access control review. Every Windows service should be registered with the executable path enclosed in double quotes, which removes the ambiguity entirely; installers should quote the path when they create the service, and administrators can correct existing services by rewriting the service's binary path (with sc.exe config, or by editing the ImagePath registry value) and restarting the service. Auditing is straightforward: list each service's ImagePath (for example with sc.exe qc, or the PathName property of Win32_Service) and flag any unquoted value that contains a space before the executable name. Restricting who can create files in the root of the system drive and in program directories, following the principle of least privilege, removes the attacker's write primitive. For detection, monitor executable file creation in the system drive root and in the parent directories of service paths (Sysmon Event ID 11, FileCreate, covers this), since a new C:\Program.exe has no legitimate reason to appear. VulDB maps this to ATT&CK T1068 (Exploitation for Privilege Escalation); the technique that names this exact pattern is T1574.009, Hijack Execution Flow: Path Interception by Unquoted Path.
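As an added example serving both the search-order description above and the audit recommendation in this section (this is added code, not VulDB's or I-O DATA's; every service name, path and the environment table are constructed for the demo, and the "Example Vendor\NAS Manager" directory is hypothetical, not the real NarSuS install location), the following Python enumerates the candidates CreateProcess probes for an unquoted ImagePath, reports which directory an attacker would need to write to for each, and emits the quoted ImagePath that fixes the service. It generalizes the single two-candidate case in the text to paths with any number of spaces and to the ".exe" append rule for prefixes without an extension.

```python
"""Audit Windows service ImagePath values for unquoted search-path hijacking.

Added example, not VulDB's or I-O DATA's code.  The services, paths and the
environment table below are constructed for the demo; the vendor directory
is hypothetical and not the real NarSuS install location.
"""
import ntpath
import re

# Constructed stand-in for the REG_EXPAND_SZ expansion the Service Control
# Manager performs on ImagePath before handing it to CreateProcess.
ENV = {
    "SystemRoot": r"C:\Windows",
    "ProgramFiles": r"C:\Program Files",
}

# Constructed sample of name -> ImagePath, as an audit script would read them
# from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "NasMgrSvc": r"C:\Program Files\Example Vendor\NAS Manager\nasmgr.exe -service",
    "NasMgrSvcFixed": r'"C:\Program Files\Example Vendor\NAS Manager\nasmgr.exe" -service',
    "EventLog": r"%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted",
    "ToolSvc": r"%ProgramFiles%\Tool v2.1 beta\toolsvc.exe",
}

_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def expand(image_path: str) -> str:
    """Expand %VAR% references with the constructed ENV table; unknown vars stay."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1), m.group(0)), image_path)


def split_command(image_path: str):
    """Return (executable, arguments, quoted) for a service command line.

    Assumption: in an unquoted command line the executable ends at the first
    token ending in ".exe" and the rest is arguments.  The registry does not
    record the boundary, so an audit script has to guess it this way.
    """
    cmd = expand(image_path).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip(), True
    m = _EXE_END.search(cmd)
    if m is None:
        return cmd, "", False
    return cmd[:m.end()], cmd[m.end():].strip(), False


def probe_candidates(exe_path: str):
    """Files CreateProcess tries, in order, before it reaches exe_path itself.

    With no separate application name, every whitespace in the command line is
    a possible end of the executable name.  Windows tries the prefixes from
    shortest to longest and appends ".exe" to a prefix whose last component
    has no extension; the first existing file wins.
    """
    candidates = []
    for m in re.finditer(r"\s", exe_path):
        prefix = exe_path[:m.start()]
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit(services):
    """Map each hijackable service to its probe list, the directories an
    attacker must be able to write to, and the quoted ImagePath that fixes it."""
    findings = {}
    for name, image_path in services.items():
        exe, args, quoted = split_command(image_path)
        if quoted:
            continue                       # already safe
        candidates = probe_candidates(exe)
        if not candidates:
            continue                       # no space before the executable
        dirs = []
        for c in candidates:
            d = ntpath.dirname(c)
            if d not in dirs:
                dirs.append(d)
        findings[name] = {
            "candidates": candidates,
            "writable_dirs": dirs,
            "fixed_image_path": f'"{exe}"' + (f" {args}" if args else ""),
        }
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE_SERVICES).items():
        print(f"{name}: hijackable")
        for c in f["candidates"]:
            print(f"  probe {c}  (needs write to {ntpath.dirname(c)})")
        print(f"  fix   {f['fixed_image_path']}")
```

To run this against a real host, export each service's ImagePath (sc.exe qc prints it as BINARY_PATH_NAME; Get-CimInstance Win32_Service exposes it as PathName) into the dictionary in place of SAMPLE_SERVICES, apply the reported fixed_image_path with sc.exe config and the binPath= option, then rerun the audit to confirm nothing remains. The executable-boundary heuristic (first token ending in .exe) is an assumption of this script: a service whose binary uses another extension needs manual review.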
This bug class is a reminder that service configuration is part of an application's attack surface, not just its code. Organizations should audit every installed service for unquoted paths containing spaces, including third-party management agents such as NAS utilities, and automate that check in their vulnerability management program so that new installs are caught as they appear. Security baselines for networked devices and their companion applications should include the same check, and vendors should treat quoting the service path as a required step in their installers rather than a hardening afterthought.