CVE-2025-60320
📋 TL;DR
This CVE describes an unquoted service path vulnerability in memoQ's Auto Update Service that allows local users to escalate privileges to SYSTEM level. Attackers can exploit this by placing a malicious executable named Program.exe in the C:\ directory, which the service will execute with elevated privileges. This affects all users running vulnerable versions of memoQ on Windows systems.
💻 Affected Systems
- memoQ
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege escalation leading to complete system compromise, data theft, persistence establishment, and lateral movement capabilities.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, or access restricted system resources.
If Mitigated
Limited impact if proper endpoint protection, application whitelisting, and least privilege principles are enforced.
🎯 Exploit Status
Requires local access and ability to write to C:\ directory. Exploitation involves creating a malicious executable at a specific location.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 10.1.13.ef1b2b52aae
Vendor Advisory: https://docs.memoq.com/helpcenter/
Restart Required: No
Instructions:
1. Update memoQ to the latest version.
2. Verify the memoQ Auto Update Service path is properly quoted in Windows Services.
3. Restart the service if necessary.
🔧 Temporary Workarounds
Manually quote service path
Windows: Manually add quotes around the service executable path in the Windows Services configuration
sc config memoQauhlp101 binPath= "\"C:\Program Files\memoQ\memoQ 10.1\memoQauhlp101.exe\""
Restrict write access to C:\
Windows: Prevent non-administrative users from creating files in the root C:\ directory
icacls C:\ /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized executables from C:\
- Monitor for file creation events in C:\ root directory and alert on suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Windows Services (services.msc) for the memoQauhlp101 service and verify whether its executable path contains spaces without surrounding quotes. Also check whether C:\Program.exe exists.
Check Version:
Check memoQ About dialog or examine installed programs in Control Panel
Verify Fix Applied:
Verify the service path is quoted in Windows Services and that memoQ version is updated beyond 10.1.13.ef1b2b52aae.
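The checks above can be scripted. The following PowerShell is an added example, not a vendor or site-provided script: it reads the service's ImagePath from the registry, reports whether the executable path is unquoted and contains spaces, and reports whether C:\Program.exe exists. The function names and the sample strings are assumptions made for this example; the service name is the one given in this advisory.

```powershell
# Added example: audit a service's ImagePath for the unquoted-path condition.
# Function names are hypothetical; the service name comes from the advisory.

function Test-UnquotedServicePath {
    param([string]$ImagePath)

    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $false }      # path is already quoted

    # Isolate the executable portion (through ".exe") so that spaces in
    # command-line arguments are not mistaken for spaces in the path.
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return $false }         # non-.exe image paths are not assessed

    return $m.Groups[1].Value.Contains(' ')        # space inside an unquoted exe path
}

function Get-ServicePathAudit {
    param([string]$Name = 'memoQauhlp101')

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $svc = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; Installed = $false }
    }

    $raw = [string]$svc.ImagePath
    [pscustomobject]@{
        Service          = $Name
        Installed        = $true
        ImagePath        = $raw
        UnquotedWithSpace = (Test-UnquotedServicePath $raw)
        RootProgramExe   = (Test-Path -LiteralPath 'C:\Program.exe')
    }
}

# Constructed sample values to exercise the parser without the service installed.
$samples = @(
    'C:\Program Files\memoQ\memoQ 10.1\memoQauhlp101.exe',     # unquoted, spaces in path
    '"C:\Program Files\memoQ\memoQ 10.1\memoQauhlp101.exe"',   # quoted
    'C:\Windows\System32\svchost.exe -k netsvcs'               # space only in arguments
)
$samples | ForEach-Object {
    [pscustomobject]@{ ImagePath = $_; UnquotedWithSpace = (Test-UnquotedServicePath $_) }
}

# Audit the live system.
Get-ServicePathAudit
```

Run it again after applying the fix or the quoting workaround: UnquotedWithSpace should then be False for the service.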
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing file creation in C:\ root directory
- Process creation events for C:\Program.exe
Network Indicators:
- No network indicators as this is a local privilege escalation
SIEM Query:
(EventID=4688 AND NewProcessName="C:\\Program.exe") OR (EventID=4663 AND ObjectName="C:\\Program.exe")