CVE-2025-61037
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in SevenCs ORCA G2 software where a TOCTOU race condition allows standard users to gain SYSTEM privileges. The flaw exists in the license management logic where the SYSTEM-level regService process creates directories without verifying NTFS reparse points. Any user with standard privileges and a single UAC confirmation can exploit this to execute arbitrary code with SYSTEM privileges.
💻 Affected Systems
- SevenCs ORCA G2
📦 What is this software?
ORCA G2 by SevenCs
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full SYSTEM privileges on the affected machine, enabling complete system compromise, persistence, lateral movement, and data exfiltration.
Likely Case
Local attacker escalates privileges to SYSTEM level, installs malware, creates backdoors, or accesses sensitive system resources.
If Mitigated
With proper privilege separation and monitoring in place, the impact is limited to a single compromised host, and the privilege escalation attempt itself is detected.
🎯 Exploit Status
Exploit requires local access and race condition timing, but public proof-of-concept exists making weaponization likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: No
Instructions:
Check vendor website for security updates. If patch available, download and install following vendor instructions.
🔧 Temporary Workarounds
Restrict regService permissions
Modify permissions on the directories regService operates on so that unauthorized users cannot create junction points there, for example:
icacls "C:\Program Files\SevenCs\ORCA G2" /deny Users:(OI)(CI)(DE,DC)
This denies the Users group the Delete (DE) and Delete Child (DC) rights on the directory and, via (OI)(CI), on everything inherited beneath it, which removes the ability to swap a directory for a junction point.
Disable or remove ORCA G2
If the software is not required, uninstall it (Programs and Features) to eliminate the vulnerability:
appwiz.cpl
🧯 If You Can't Patch
- Implement strict privilege separation and limit user access to systems running ORCA G2.
- Monitor for privilege escalation attempts and unusual SYSTEM process behavior.
🔍 How to Verify
Check if Vulnerable:
Check if SevenCs ORCA G2 version 2.0.1.35 is installed. Verify if regService process runs with SYSTEM privileges and creates directories without reparse point validation.
Check Version:
Check the Program Files directory or the registry for version information: HKEY_LOCAL_MACHINE\SOFTWARE\SevenCs\ORCA G2
Verify Fix Applied:
After applying vendor patch or workaround, test if standard users can still escalate privileges via the described method.
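The following PowerShell script is an added example, not part of the advisory or the vendor's software. It automates the three checks above from an elevated prompt: it reads the version from the registry key the advisory names, reports which account regService runs under, and inspects the install directory for permissions that would let standard users delete or create directories (the prerequisite for planting a junction) and for reparse points already present. The registry value name holding the version and the install path are assumptions (the advisory gives the key and uses that path in its icacls workaround, but not the value name); the Target property on reparse points is only populated on PowerShell 5.1 and later.

```powershell
# Added example (not from the advisory or the vendor). Run elevated.
$RegKey     = 'HKLM:\SOFTWARE\SevenCs\ORCA G2'      # key named in the advisory
$InstallDir = 'C:\Program Files\SevenCs\ORCA G2'    # path from the icacls workaround (assumption)
$ProcName   = 'regService'                          # process named in the advisory

# 1. Version: the value name is not given in the advisory, so list every value
#    whose name contains "Version" (assumption about the vendor's layout).
if (Test-Path $RegKey) {
    (Get-ItemProperty -Path $RegKey).PSObject.Properties |
        Where-Object { $_.Name -match 'Version' } |
        ForEach-Object { "Registry {0} = {1}" -f $_.Name, $_.Value }
} else {
    "Registry key $RegKey not present (ORCA G2 may not be installed)"
}

# 2. Is regService running, and as which account? SYSTEM shows as NT AUTHORITY\SYSTEM.
Get-CimInstance Win32_Process -Filter "Name LIKE '$ProcName%'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    "{0} (PID {1}) runs as {2}\{3}" -f $_.Name, $_.ProcessId, $owner.Domain, $owner.User
}

if (Test-Path $InstallDir) {
    # 3. Rights the Users group holds on the install tree. Delete / DeleteSubdirectoriesAndFiles /
    #    CreateDirectories granted to Users are what a junction-swap needs; after the icacls
    #    workaround a Deny ACE for DE,DC should appear here.
    (Get-Acl -Path $InstallDir).Access |
        Where-Object { $_.IdentityReference -like '*\Users' } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags |
        Format-Table -AutoSize

    # 4. Reparse points (junctions, symlinks) already present under the install tree.
    Get-ChildItem -Path $InstallDir -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object { "Reparse point: {0} -> {1}" -f $_.FullName, ($_.Target -join ', ') }
}
```

An Allow ACE for BUILTIN\Users carrying Delete or CreateDirectories on the tree, combined with regService running as NT AUTHORITY\SYSTEM, is the condition the advisory describes; a Deny ACE for DE,DC confirms the workaround took effect.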
📡 Detection & Monitoring
Log Indicators:
- Unusual regService process behavior
- Creation of junction points by standard users
- Privilege escalation events in Windows Security logs
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4688 AND NewProcessName="*regService*" AND SubjectUserName!="SYSTEM"
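The script below is an added example, not part of the advisory, that runs the SIEM logic above locally against the Windows Security log with Get-WinEvent. It relies only on event 4688 (process creation), which requires the "Audit Process Creation" policy to be enabled. One caveat worth building in: 4688 records a SYSTEM-initiated start with the computer account as the subject name (for example HOST$) rather than the literal string SYSTEM, so a filter on SubjectUserName != "SYSTEM" would match every service start; the example filters on the subject SID S-1-5-18 instead. The seven-day window is an assumption.

```powershell
# Added example (not from the advisory). Run elevated so the Security log is readable.
$SystemSid = 'S-1-5-18'                     # well-known SID of LocalSystem
$Since     = (Get-Date).AddDays(-7)         # lookback window (assumption)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Advisory's query: regService started by a subject that is not SYSTEM.
    if ($d['NewProcessName'] -like '*regService*' -and $d['SubjectUserSid'] -ne $SystemSid) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            SubjectSid  = $d['SubjectUserSid']
            Process     = $d['NewProcessName']
            CreatorPid  = $d['ProcessId']      # in 4688, ProcessId is the creator process
            Elevation   = $d['TokenElevationType']
            CommandLine = $d['CommandLine']    # empty unless command-line auditing is on
        }
    }
}

if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize } else { "No regService starts by non-SYSTEM subjects since $Since" }
```

Each hit names the interactive account that launched regService, the creator PID to pivot from, and the elevation type, which together give an analyst enough to decide whether a standard user triggered the license-management path the advisory describes.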