CVE-2025-61161
📋 TL;DR
A DLL hijacking vulnerability in Evope Collector 1.1.6.9.0 allows local unprivileged attackers to execute arbitrary code with SYSTEM privileges by placing a malicious wtsapi32.dll in C:\ProgramData\Evope. The vulnerability affects systems running the vulnerable Evope.Service.exe component, which automatically loads the DLL on startup or reboot.
💻 Affected Systems
- Evope Collector
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM privilege escalation leading to complete system compromise, data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation to SYSTEM by authenticated low-privilege users, enabling installation of malware, credential harvesting, or lateral movement.
If Mitigated
Limited impact if proper file permissions prevent DLL placement or if the service runs with reduced privileges.
🎯 Exploit Status
Exploitation requires local access and ability to write to C:\ProgramData\Evope. The referenced blog post demonstrates proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.evope.tech/
Restart Required: Yes
Instructions:
1. Check the vendor website for security updates.
2. If a patch is available, download and install it.
3. Restart the system so the vulnerable service reloads with the fixed version.
🔧 Temporary Workarounds
Restrict directory permissions
Set strict permissions on C:\ProgramData\Evope so that unprivileged users cannot write DLL files there.
icacls "C:\ProgramData\Evope" /inheritance:r
icacls "C:\ProgramData\Evope" /grant "SYSTEM:(OI)(CI)F" /grant "Administrators:(OI)(CI)F"
Remove vulnerable service
Uninstall or disable Evope.Service.exe if it is not required.
sc stop Evope.Service
sc delete Evope.Service
🧯 If You Can't Patch
- Apply strict file permissions to C:\ProgramData\Evope directory to prevent DLL placement by unprivileged users.
- Monitor for suspicious DLL creation in C:\ProgramData\Evope and unauthorized service execution.
🔍 How to Verify
Check if Vulnerable:
Check if C:\ProgramData\Evope directory exists and has weak permissions allowing write access to standard users. Verify Evope.Service.exe version is 1.1.6.9.0.
Check Version:
wmic product where "name like 'Evope%'" get version
Verify Fix Applied:
Confirm directory permissions restrict write access to SYSTEM and Administrators only. Verify service no longer loads wtsapi32.dll from uncontrolled path.
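The verification steps above (directory exists, weak ACL, planted DLL, service version) as one script. This is an added example, not a script from the advisory or the vendor: the directory, DLL name and service binary name come from the CVE text; the service name pattern `Evope%` and the low-privilege SID list are assumptions.

```powershell
# Added example (not from the advisory or the vendor). Reports whether the
# directory the SYSTEM service loads wtsapi32.dll from is writable by
# non-administrative principals, whether a wtsapi32.dll is already planted
# there, and which version of the service binary is installed.
# Assumptions: the service name starts with "Evope"; well-known SIDs below
# stand for the "standard user" principals that should never have write access.

function Test-EvopeDllHijackExposure {
    [CmdletBinding()]
    param(
        [string]$Directory = 'C:\ProgramData\Evope',
        [string]$DllName   = 'wtsapi32.dll'
    )

    $result = [ordered]@{
        DirectoryExists   = Test-Path -LiteralPath $Directory -PathType Container
        WeakAces          = @()
        PlantedDllPresent = $false
        PlantedDllSha256  = $null
        ServiceBinary     = $null
        ServiceVersion    = $null
    }

    # Service binary and its file version (advisory: vulnerable version is 1.1.6.9.0).
    $svc = Get-CimInstance Win32_Service -Filter "Name LIKE 'Evope%'" -ErrorAction SilentlyContinue |
           Select-Object -First 1
    if ($svc -and $svc.PathName -match '^"?([^"]+?\.exe)') {
        $result.ServiceBinary  = $Matches[1]
        $item = Get-Item -LiteralPath $Matches[1] -ErrorAction SilentlyContinue
        if ($item) { $result.ServiceVersion = $item.VersionInfo.FileVersion }
    }

    if (-not $result.DirectoryExists) { return [pscustomobject]$result }

    # Principals that must not be able to drop or replace files in a directory a
    # SYSTEM service loads DLLs from. SIDs are used so the check is language-independent.
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )
    # FileSystemRights.Write covers WriteData/CreateFiles, AppendData/CreateDirectories,
    # WriteAttributes and WriteExtendedAttributes; Modify and FullControl include it.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write

    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity: cannot be one of the well-known SIDs
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            $result.WeakAces += "$($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }

    # The legitimate wtsapi32.dll lives in System32; a copy in this directory is the hijack artifact.
    $dll = Join-Path $Directory $DllName
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        $result.PlantedDllPresent = $true
        $result.PlantedDllSha256  = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    }

    [pscustomobject]$result
}

Test-EvopeDllHijackExposure | Format-List
```

After applying the icacls workaround, WeakAces should be empty; PlantedDllPresent should be false on a clean host, and a recorded hash of any DLL found there can be handed to incident response.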
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688: New process creation for Evope.Service.exe (4688 records the process start, not the DLL load; seeing wtsapi32.dll loaded from C:\ProgramData\Evope requires image-load telemetry such as Sysmon Event ID 7)
- Event ID 4663: File creation/modification of C:\ProgramData\Evope\wtsapi32.dll (emitted only if Object Access auditing is enabled and an audit SACL is set on the directory)
Network Indicators:
- None - local exploitation only
SIEM Query:
source="Windows Security" (EventID=4688 OR EventID=4663) AND (process_name="Evope.Service.exe" OR file_path="C:\\ProgramData\\Evope\\wtsapi32.dll")
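The same 4663/4688 logic run locally against the Security log, for hosts without a SIEM. This is an added example, not part of the advisory: event IDs, directory and binary name are from the text above; the 24-hour lookback window is an assumption. 4663 events appear only if Object Access auditing and an audit SACL on the directory are in place.

```powershell
# Added example (not from the advisory). Correlates object-access events
# (4663) under the Evope directory with process-creation events (4688) for
# Evope.Service.exe from the local Security log, and prints who touched what.
# Assumption: lookback window of 24 hours; run from an elevated prompt.

function Get-EvopeHijackEvents {
    [CmdletBinding()]
    param(
        [string]$Directory = 'C:\ProgramData\Evope',
        [int]$Hours = 24
    )

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'Security'
                  Id        = 4663, 4688
                  StartTime = $since
              } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten EventData into a name->value table so fields can be read by name
        # instead of parsing the localized message text.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"

        switch ($e.Id) {
            4663 {
                # Any write/create under the directory; AccessMask 0x2 (WriteData/AddFile)
                # and 0x4 (AppendData) are the ones that plant or replace a DLL.
                if ($d.ObjectName -like "$Directory\*") {
                    [pscustomobject]@{
                        Time    = $e.TimeCreated
                        Id      = 4663
                        Subject = $subject
                        Object  = $d.ObjectName
                        Access  = $d.AccessMask
                        Process = $d.ProcessName
                    }
                }
            }
            4688 {
                # Service start; a start shortly after a 4663 on wtsapi32.dll is the
                # point at which a planted DLL would be loaded as SYSTEM.
                if ($d.NewProcessName -like '*\Evope.Service.exe') {
                    [pscustomobject]@{
                        Time    = $e.TimeCreated
                        Id      = 4688
                        Subject = $subject
                        Object  = $d.NewProcessName
                        Access  = $null
                        Process = $d.ParentProcessName
                    }
                }
            }
        }
    }
}

Get-EvopeHijackEvents | Sort-Object Time | Format-Table -AutoSize
```

Read the output chronologically: a 4663 write to wtsapi32.dll by a non-administrative account followed by a 4688 for Evope.Service.exe is the sequence the advisory describes and should be escalated.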