CVE-2025-54422

5.5 MEDIUM

📋 TL;DR

This vulnerability in Sandboxie exposes user passwords during encrypted sandbox creation and modification. Passwords are transmitted via shared memory and appear as plaintext command-line arguments, allowing any process within the user session to intercept them. All users of Sandboxie versions 1.16.1 and below on Windows NT-based systems are affected.

💻 Affected Systems

Products:
  • Sandboxie
Versions: 1.16.1 and below
Operating Systems: Windows NT-based systems (32-bit and 64-bit)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who create or modify encrypted sandboxes with passwords.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with local access can capture passwords for encrypted sandboxes, potentially accessing sensitive data or bypassing sandbox isolation.

🟠 Likely Case

Malware or other local processes could harvest passwords from command-line arguments, compromising sandbox security.

🟢 If Mitigated

With proper access controls and monitoring, unauthorized process creation can be detected, limiting exposure.

🌐 Internet-Facing: LOW - This is a local privilege issue requiring access to the user session.
🏢 Internal Only: HIGH - Any process running in the same user session can exploit this without special privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access but no special privileges; simple process monitoring can capture passwords.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.16.2

Vendor Advisory: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-jp7r-vgv9-43p7

Restart Required: Yes

Instructions:

1. Download Sandboxie version 1.16.2 or later from the official repository.
2. Close all sandboxed applications.
3. Run the installer to update.
4. Restart the system to ensure changes take effect.

🔧 Temporary Workarounds

Avoid encrypted sandboxes

windows

Temporarily stop using password-protected encrypted sandboxes until patched.

Restrict process creation

windows

Use application control policies to limit which processes can run in user sessions.

🧯 If You Can't Patch

  • Monitor for suspicious process creation and command-line arguments using security tools.
  • Limit user privileges and isolate high-risk systems to reduce attack surface.

🔍 How to Verify

Check if Vulnerable:

Check Sandboxie version in Settings > About; if version is 1.16.1 or below, it is vulnerable.

Check Version:

wmic product where name="Sandboxie" get version

Verify Fix Applied:

After updating, confirm version is 1.16.2 or higher in Settings > About.

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for Imbox.exe with command-line arguments containing plaintext passwords

Network Indicators:

  • Not applicable - this is a local vulnerability

SIEM Query:

ProcessName="Imbox.exe" AND CommandLine CONTAINS "password"
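As an added example that is not part of this advisory, the log indicator and SIEM query above turned into detection logic run over constructed process-creation events, with the captured password masked before the alert is stored so the monitoring pipeline does not become a second place the secret leaks. The flattened field layout, the `/password:` argument shape and the expected parent processes are assumptions for illustration, not the real ImBox.exe syntax.

```python
import re

# Constructed sample events in a flattened "key=value|key=value" layout, the
# kind a collector might emit for Sysmon Event ID 1 / Security 4688 fields.
# The "/password:" argument shape is an assumption for illustration, not the
# real ImBox.exe syntax; the third event is launched from an unexpected parent.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Program Files\\Sandboxie-Plus\\ImBox.exe|"
    "CommandLine=ImBox.exe type=image image=C:\\box.img /password:Hunter2!|"
    "ParentImage=C:\\Program Files\\Sandboxie-Plus\\SandMan.exe|User=LAB\\alice",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|"
    "CommandLine=notepad.exe passwords.txt|ParentImage=explorer.exe|User=LAB\\alice",
    "EventID=1|Image=C:\\Program Files\\Sandboxie-Plus\\ImBox.exe|"
    "CommandLine=ImBox.exe type=image mount /password:s3cret|"
    "ParentImage=C:\\Windows\\System32\\cmd.exe|User=LAB\\alice",
]

# "password:<value>" or "password=<value>", any case; group 2 is the secret.
PASSWORD_ARG = re.compile(r"(password[:=]\s*)(\S+)", re.IGNORECASE)

# Assumed legitimate launchers of ImBox.exe (Sandboxie's own front ends).
EXPECTED_PARENTS = ("sandman.exe", "sbiectrl.exe")


def parse_event(line):
    """Split one flattened event into a field dict (first '=' separates key)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def redact(cmdline):
    """Replace the password value so the alert does not become a second leak."""
    return PASSWORD_ARG.sub(r"\1<REDACTED>", cmdline)

def detect(lines, expected_parents=EXPECTED_PARENTS):
    """One alert per ImBox.exe start whose command line carries a password."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":                      # process creation only
            continue
        if not ev.get("Image", "").lower().endswith("\\imbox.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        if not PASSWORD_ARG.search(cmd):
            continue
        parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        alerts.append({"user": ev.get("User", "?"), "parent": parent,
                       "command_line": redact(cmd),
                       "unexpected_parent": parent not in expected_parents})
    return alerts
```

Matching on the image name rather than a literal "Imbox.exe" string keeps the rule case-insensitive, and the `unexpected_parent` flag separates Sandboxie's own launches from the same binary started by something else in the session.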
