CVE-2025-10541
📋 TL;DR
This vulnerability allows local users to escalate privileges to SYSTEM level by placing malicious files in an insecure directory. Any local user on systems running iMonitor EAM 9.6394 can exploit this to gain full system control. The service automatically executes files from a directory with weak permissions during startup.
💻 Affected Systems
- iMonitor EAM
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and control the entire system.
Likely Case
Local privilege escalation from any user account to SYSTEM, enabling installation of backdoors, credential dumping, and lateral movement within the network.
If Mitigated
Limited impact if proper access controls are implemented on the C:\sysupdate\ directory and service restart is controlled.
🎯 Exploit Status
Exploitation requires local user access but no special privileges. The attack involves simple file operations and service restart. Public disclosure includes technical details sufficient for weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-imonitorsoft-eam/
Restart Required: Yes
Instructions:
1. Check vendor website for updated version.
2. Uninstall current version.
3. Install patched version if available.
4. Restart system to ensure vulnerable service is replaced.
🔧 Temporary Workarounds
Restrict directory permissions
Remove write permissions for non-administrative users on the vulnerable directory. Note that /inheritance:r strips every inherited ACE, including the one for SYSTEM that the service runs under, so after running these commands confirm with icacls that SYSTEM still holds an ACE on the directory and grant it explicitly if it is missing:
icacls C:\sysupdate\ /inheritance:r
icacls C:\sysupdate\ /grant Administrators:(OI)(CI)F
icacls C:\sysupdate\ /deny Users:(OI)(CI)W
Disable vulnerable service
Prevent the eamusbsrv64.exe service from running automatically
sc config eamusbsrv64 start= disabled
sc stop eamusbsrv64
🧯 If You Can't Patch
- Monitor the C:\sysupdate\ directory for unauthorized file creation using file integrity monitoring
- Implement strict access controls and audit all local user activities on affected systems
🔍 How to Verify
Check if Vulnerable:
Check if C:\sysupdate\ directory exists and has weak permissions: icacls C:\sysupdate\
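A small checker for the icacls listing produced by the command above, added here as an example (it is not part of the advisory or the vendor's software): it parses the ACE lines and reports any principal outside SYSTEM and Administrators that holds a right allowing files to be planted in C:\sysupdate\ or the ACL to be rewritten. The two listings are constructed samples, and the function names are my own.

```python
import re

# Principals expected to hold write access on C:\sysupdate\.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}
# icacls rights that allow planting/replacing files, or rewriting the ACL (WDAC, WO).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
ACE_FLAGS = {"OI", "CI", "IO", "NP", "I", "DENY"}
FOOTER = re.compile(r"^(Successfully processed|Failed processing)")

def parse_icacls(output, path):
    """Yield (principal, flags, rights, is_deny) for each ACE line of icacls output."""
    for raw in output.splitlines():
        line = raw.strip()
        if not line or FOOTER.match(line):
            continue
        if line.startswith(path):  # the first ACE line is prefixed with the path
            line = line[len(path):].strip()
        principal, _, ace = line.rpartition(":")
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", ace) for t in grp.split(",")]
        flags = {t for t in tokens if t in ACE_FLAGS}
        yield principal.strip(), flags, set(tokens) - flags, "DENY" in flags

def weak_write_aces(output, path="C:\\sysupdate\\"):
    """Sorted [(principal, write_rights, inherited)] for untrusted principals. A DENY ACE
    on the same principal covering a write right cancels its allow (group denies ignored)."""
    allowed, denied, inherited = {}, {}, set()
    for principal, flags, rights, is_deny in parse_icacls(output, path):
        bucket = denied if is_deny else allowed
        bucket.setdefault(principal, set()).update(rights & WRITE_RIGHTS)
        if "I" in flags:
            inherited.add(principal)
    return sorted((p, sorted(r), p in inherited) for p, r in allowed.items()
                  if r and p not in TRUSTED and not denied.get(p))

# Constructed listing of an unhardened directory created under C:\ (inherited default ACL).
WEAK_ACL = """\
C:\\sysupdate\\ NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\\Administrators:(I)(OI)(CI)(F)
               BUILTIN\\Users:(I)(OI)(CI)(RX)
               NT AUTHORITY\\Authenticated Users:(I)(M)
               NT AUTHORITY\\Authenticated Users:(I)(OI)(CI)(IO)(GR,GW,GE,DE)
Successfully processed 1 files; Failed processing 0 files
"""
# Constructed listing after the icacls workaround commands on this page.
HARDENED_ACL = """\
C:\\sysupdate\\ BUILTIN\\Administrators:(OI)(CI)(F)
               NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
               BUILTIN\\Users:(DENY)(OI)(CI)(W)
"""
```

On a live system, feed it the captured output of `icacls C:\sysupdate\`; an empty result means no untrusted principal can write to the directory under the stated simplifications.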
Check Version:
Check installed programs in Control Panel or run: wmic product where name="iMonitor EAM" get version (wmic is deprecated on current Windows releases, so the Control Panel listing may be the only option there)
Verify Fix Applied:
Verify directory permissions restrict write access to non-administrators and service is disabled or removed
📡 Detection & Monitoring
Log Indicators:
- File creation events in C:\sysupdate\ directory
- Service control events for eamusbsrv64.exe
- Process creation events for files from C:\sysupdate\
Network Indicators:
- Unusual outbound connections from SYSTEM-level processes following service restart
SIEM Query:
(EventID=4663 OR EventID=4688) AND (TargetObject="C:\\sysupdate\\*" OR NewProcessName="C:\\sysupdate\\*")
Without the parentheses around the two EventID terms, AND binds tighter than OR and every 4663 event would match. Event 4663 is only generated when object-access auditing is enabled and a SACL is set on C:\sysupdate\ (in the raw Security event the object path is in ObjectName; map TargetObject to whatever field your SIEM normalises it to), and 4688 requires process-creation auditing.