CVE-2025-61865

6.7 MEDIUM

📋 TL;DR

This vulnerability allows a local attacker with write permission on the root directory of the system drive to escalate privileges to SYSTEM by exploiting unquoted service paths in I-O DATA's NAS management applications (NarSuS App and CloneforWindows). Affected users are those running vulnerable versions of these applications on Windows systems to which an attacker already has local access.

💻 Affected Systems

Products:
  • I-O DATA NAS management applications
  • NarSuS App
  • CloneforWindows
Versions: All versions prior to patches released in October/December 2025
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes (the applications install their Windows services with unquoted paths)
Notes: Exploitation additionally requires that non-administrative users can create files in the system drive root. The default Windows ACL on C:\ grants standard users only (AD), create subfolders, not file creation, so this condition normally comes from an altered root ACL; check it with icacls C:\ before assuming exposure.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full SYSTEM privilege compromise leading to complete host takeover, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Local privilege escalation from a standard user account to SYSTEM, enabling installation of persistent malware or credential harvesting.

🟢

If Mitigated

Limited impact if proper access controls prevent unauthorized users from writing to system drive root directories.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing access to the system.
🏢 Internal Only: HIGH - Malicious insiders or compromised accounts with local access can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and write permission on the root of the system drive. Exploitation is the standard unquoted-service-path technique, not path traversal: when a service's binary path contains spaces and is not quoted (for example C:\Program Files\<vendor>\app.exe), Windows resolves it by trying each space-delimited prefix with .exe appended, so an executable planted at C:\Program.exe runs as SYSTEM the next time the service starts (after a reboot or a service restart).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patches released in October and December 2025 advisories

Vendor Advisory: https://www.iodata.jp/support/information/2025/10_NarSuS_App/ and https://www.iodata.jp/support/information/2025/12_CloneforWindows/

Restart Required: No

Instructions:

  1. Visit the I-O DATA support pages for the affected applications.
  2. Download and install the latest patches.
  3. Verify that the service paths are quoted after the update.

🔧 Temporary Workarounds

Restrict write permissions on system drive root

Windows

Prevent non-administrative users from creating files in the root of the system drive. Inspect the current ACL first with icacls C:\ . On a default installation standard users hold only (AD) (create subfolders) at the root, so if an allow ACE grants write, modify or full control to a non-administrative principal, remove that ACE (icacls C:\ /remove:g <principal>) rather than layering a deny on top. If a deny is still needed, scope it to the root folder itself and to file creation only; do not add (OI)(CI) inheritance flags, which would push a deny-write ACE into every subfolder and break locations users must write to:

icacls C:\ /deny "Users:(WD)"

Deny ACEs take precedence and also bind administrators (members of Users through Authenticated Users), so lift the ACE with icacls C:\ /remove:d Users before installing software that writes to the drive root.

Manually quote service paths

Windows

Edit vulnerable service paths so the executable is enclosed in quotes. Run this from an elevated Command Prompt (in PowerShell call sc.exe explicitly, because sc is an alias for Set-Content). The space after binPath= is required, and only the executable, not its arguments, belongs inside the inner escaped quotes. The change takes effect at the next service start, and a vendor updater may write the unquoted path back, so re-check after every update.

sc config "ServiceName" binPath= "\"C:\Path\To\Executable.exe\""

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized users from writing to system drive root directories
  • Monitor for suspicious service modifications or executable creations in system directories

🔍 How to Verify

Check if Vulnerable:

Check whether the I-O DATA NAS management services have unquoted paths (take the real service names from sc query): sc qc "ServiceName" | findstr BINARY_PATH_NAME. The service is vulnerable when BINARY_PATH_NAME contains a space and does not start with a double quote.
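
The following PowerShell is an added example, not I-O DATA's tooling or a script from this page. It automates the check above for every service, computes the hijack candidates Windows would try before the real binary (the mechanism described under Exploit Status), tests whether the current user can create a file in each candidate's directory, and offers a scripted form of the sc config workaround. The -NameFilter value, the example paths in the comments and the uqsp-probe file name are assumptions; take real service names from sc query.

```powershell
# Added example (not I-O DATA's or the page's own code). Run Get-UnquotedServicePath
# as the low-privileged user you are assessing; run Repair-UnquotedServicePath elevated.

function Get-UnquotedServicePath {
    param([string]$NameFilter = '*')   # assumption: filter by service name, e.g. '*NarSuS*'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $NameFilter -and $_.PathName } |
        ForEach-Object {
            $svcName = $_.Name
            $path    = $_.PathName.Trim()
            # A quoted path, or one with no spaces at all, cannot be hijacked this way.
            if ($path.StartsWith('"') -or $path -notmatch '\s') { return }

            # Heuristic: the executable ends at the first ".exe"; the rest is arguments.
            $m   = [regex]::Match($path, '^(?<exe>.*?\.exe)(?<tail>.*)$', 'IgnoreCase')
            $exe = if ($m.Success) { $m.Groups['exe'].Value } else { $path }

            # CreateProcess tries every space-delimited prefix with ".exe" appended, e.g.
            #   C:\Program Files\I-O DATA\App\svc.exe  ->  C:\Program.exe
            #                                              C:\Program Files\I-O.exe
            # (simplification: Windows does not append .exe to a prefix that already has
            #  an extension; such prefixes are rare in install paths)
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir       = Split-Path -Path $candidate -Parent
                if (-not $dir) { continue }
                # Creating a file (not a folder) is what the attack needs: the default
                # C:\ ACL lets standard users create folders but not files.
                $probe    = Join-Path -Path $dir -ChildPath ('uqsp-probe-{0}.tmp' -f [guid]::NewGuid())
                $writable = $false
                try {
                    New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
                    Remove-Item -LiteralPath $probe -Force
                    $writable = $true
                } catch { }

                [pscustomobject]@{
                    Service           = $svcName
                    ImagePath         = $path
                    HijackCandidate   = $candidate
                    DirectoryWritable = $writable
                    AlreadyPlanted    = Test-Path -LiteralPath $candidate -PathType Leaf
                }
            }
        }
}

function Repair-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    $path = $svc.PathName.Trim()
    if ($path.StartsWith('"') -or $path -notmatch '\s') { return $path }   # nothing to do

    $m = [regex]::Match($path, '^(?<exe>.*?\.exe)(?<tail>.*)$', 'IgnoreCase')
    if (-not $m.Success) { throw "Cannot locate the executable in: $path" }
    $quoted = '"' + $m.Groups['exe'].Value + '"' + $m.Groups['tail'].Value

    # Same as:  sc config "<Name>" binPath= "\"C:\Program Files\...\svc.exe\" <args>"
    # sc.exe is named explicitly (sc is a PowerShell alias for Set-Content) and the
    # command line is handed over verbatim via Start-Process so the \" escapes survive.
    $cmdLine = 'config "' + $Name + '" binPath= "' + $quoted.Replace('"', '\"') + '"'
    $p = Start-Process -FilePath sc.exe -ArgumentList $cmdLine -Wait -NoNewWindow -PassThru
    if ($p.ExitCode -ne 0) { throw "sc.exe config failed with exit code $($p.ExitCode)" }

    # Re-read the stored path; the change applies at the next service start.
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'").PathName
}

# Usage:
#   Get-UnquotedServicePath | Format-Table -AutoSize
#   Repair-UnquotedServicePath -Name 'ServiceName'   # elevated prompt
```

A row with DirectoryWritable = True is the exploitable condition for this CVE; AlreadyPlanted = True means a file is already sitting at a hijack path and should be treated as an incident, not a finding. The probe creates and deletes a randomly named temporary file rather than touching the candidate path itself, so running it never leaves an executable at C:\Program.exe.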

Check Version:

Check application about dialog or installed programs list for version numbers

Verify Fix Applied:

Verify service paths are quoted and check application version against patched versions

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 7045 (System log: a service was installed) and 4697 (Security log, same event; requires the "Audit Security System Extension" subcategory) whose service file name is unquoted and contains a space
  • Service configuration changes, for example a quoted path reverting to an unquoted one after a vendor update
  • Executable creation in the system drive root (e.g. C:\Program.exe): Event ID 4663 with a file-creation SACL on the root, or Sysmon Event ID 11 (FileCreate)
  • A service process (parent services.exe) starting from the drive root or from a truncated prefix of the real install path, running as SYSTEM: Sysmon Event ID 1 (ProcessCreate)

Network Indicators:

  • Unusual outbound connections from a SYSTEM-context process following local user activity

SIEM Query:

(EventID=4697 OR EventID=7045) | where ServiceName contains "I-O DATA" OR ServiceName contains "IODATA" OR ServiceName contains "NarSuS" OR ServiceName contains "CloneforWindows" | where ImagePath contains " " AND NOT ImagePath startswith '"'

This is pseudo-syntax; adapt it to your SIEM. The service file name field is ImagePath in 7045 and ServiceFileName in 4697, so normalise the two before filtering. Only a path that contains a space and does not start with a quote is exploitable, and these events record installation, not exploitation: pair them with the file-creation and process-creation indicators above to catch an actual hijack.
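
The same logic as PowerShell, added here as an example and not a query from this page: the filter runs first against constructed sample records so it works offline, and a helper pulls the live 7045/4697 events for the same function. The service and file names in the samples are hypothetical, and the 4697 property positions are an assumption to verify against your own events.

```powershell
# Added example (not the page's SIEM query or vendor code). Flags service-installation
# events for services of interest whose image path is unquoted and contains a space.

function Test-UnquotedImagePath {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $false }            # quoted: not hijackable
    # The binary ends at the first ".exe"; with no ".exe", treat the whole string as the binary.
    $m   = [regex]::Match($p, '^.*?\.exe', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Value } else { $p }
    return [bool]($exe -match '\s')                      # space inside the binary path
}

function Find-UnquotedServiceInstall {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$NamePattern = @('I-O DATA', 'IODATA', 'NarSuS', 'CloneforWindows')
    )
    foreach ($e in $Events) {
        $interesting = $false
        foreach ($n in $NamePattern) {
            if ($e.ServiceName -like "*$n*" -or $e.ImagePath -like "*$n*") { $interesting = $true }
        }
        if ($interesting -and (Test-UnquotedImagePath -ImagePath $e.ImagePath)) { $e }
    }
}

function Get-ServiceInstallEvent {
    # 7045 is always written to the System log; 4697 needs the 'Audit Security System
    # Extension' subcategory enabled. Assumed property positions: 7045 -> [0] service
    # name, [1] service file name; 4697 -> [4] service name, [5] service file name.
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = 7045
                               ServiceName = $_.Properties[0].Value; ImagePath = $_.Properties[1].Value }
        }
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = 4697
                               ServiceName = $_.Properties[4].Value; ImagePath = $_.Properties[5].Value }
        }
    @($sys) + @($sec)
}

# Constructed sample records (hypothetical service and file names, not real I-O DATA ones).
$sample = @(
    [pscustomobject]@{ Id = 7045; ServiceName = 'NarSuS Agent';        ImagePath = 'C:\Program Files\I-O DATA\NarSuS\agent.exe' }
    [pscustomobject]@{ Id = 7045; ServiceName = 'CloneforWindows Svc'; ImagePath = '"C:\Program Files (x86)\I-O DATA\Clone\clone.exe" -service' }
    [pscustomobject]@{ Id = 4697; ServiceName = 'IODATA Helper';       ImagePath = 'C:\IODATA\helper.exe -k' }
    [pscustomobject]@{ Id = 7045; ServiceName = 'Spooler';             ImagePath = 'C:\Windows\System32\spoolsv.exe' }
)
Find-UnquotedServiceInstall -Events $sample | Format-Table -AutoSize

# On a live host:  Find-UnquotedServiceInstall -Events (Get-ServiceInstallEvent)
```

Of the four constructed records only the first is reported: the second is quoted, the third has no space inside the executable path (spaces only in its arguments are harmless), and the fourth is not a service of interest. That is the distinction the one-line SIEM query above cannot make on its own.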
