CVE-2025-63685

9.8 CRITICAL

📋 TL;DR

Quark Cloud Drive v3.23.2 has a DLL hijacking vulnerability: a malicious DLL placed in the application directory is loaded and executed when the program launches. This allows arbitrary code execution with the privileges of the user running the application. All users of this specific version are affected.

💻 Affected Systems

Products:
  • Quark Cloud Drive
Versions: v3.23.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to place DLL in application directory or ability to influence DLL search path.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary code execution with user privileges, potentially leading to privilege escalation, data theft, or ransomware deployment.

🟠 Likely Case: Local privilege escalation leading to malware installation, credential theft, or lateral movement within the network.

🟢 If Mitigated: Limited impact if the application runs with minimal privileges and proper endpoint protection blocks malicious DLL execution.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to place the malicious DLL (or another way to influence the DLL search path). The GitHub reference shows proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Monitor vendor website for security updates
2. Apply patch when available
3. Verify DLL loading uses secure paths

🔧 Temporary Workarounds

Restrict application directory permissions (windows)

Prevent unauthorized users from writing DLLs to the Quark Cloud Drive installation directory. The deny entry is applied to the directory with inheritance flags so it also covers files created there later, not only the files that exist today:

icacls "C:\Program Files\Quark Cloud Drive" /deny Users:(OI)(CI)(W)

Adjust the path if the application is installed elsewhere. Denying write access to the install directory can break in-place self-updates that write there as the logged-on user; test before rolling out.

Use application whitelisting (windows)

Configure Windows Defender Application Control or similar to only allow signed DLLs.

🧯 If You Can't Patch

  • Run application with minimal user privileges (not as administrator)
  • Monitor for suspicious DLL creation in application directories using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check whether Quark Cloud Drive v3.23.2 is installed and whether regsvr32.exe loads DLLs from insecure (user-writable) paths.

Check Version:

Check application properties or registry: HKEY_LOCAL_MACHINE\SOFTWARE\Quark\Cloud Drive

Verify Fix Applied:

Verify that an updated version is installed, or test whether a DLL placed in the application directory is no longer loaded at launch.

📡 Detection & Monitoring

Log Indicators:

  • Process creation of regsvr32.exe from Quark Cloud Drive directory
  • DLL loading from unusual locations

Network Indicators:

  • Unexpected outbound connections after application launch

SIEM Query:

Process Creation where (Image contains 'regsvr32.exe' AND ParentImage contains 'Quark') OR (DllLoaded contains malicious.dll)
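The SIEM logic above, applied to a few constructed Sysmon-style events as an added illustration (this code is not from the advisory or the vendor). Field names (EventID, Image, ParentImage, ImageLoaded, Signed) follow Sysmon's schema; the install path and the event contents are assumptions.

```python
import json

# Assumed install path, taken from the workaround section of the advisory.
APP_DIR = r"c:\program files\quark cloud drive"

# Constructed sample log lines (JSON, one event per line): a benign launch,
# regsvr32 spawned by the app, an unsigned DLL loaded from the app directory,
# and a normal signed system DLL load.
SAMPLE_LOG = [
    '{"EventID": 1, "Image": "C:\\\\Program Files\\\\Quark Cloud Drive\\\\QuarkCloudDrive.exe", "ParentImage": "C:\\\\Windows\\\\explorer.exe"}',
    '{"EventID": 1, "Image": "C:\\\\Windows\\\\System32\\\\regsvr32.exe", "ParentImage": "C:\\\\Program Files\\\\Quark Cloud Drive\\\\QuarkCloudDrive.exe"}',
    '{"EventID": 7, "Image": "C:\\\\Program Files\\\\Quark Cloud Drive\\\\QuarkCloudDrive.exe", "ImageLoaded": "C:\\\\Program Files\\\\Quark Cloud Drive\\\\version.dll", "Signed": "false"}',
    '{"EventID": 7, "Image": "C:\\\\Program Files\\\\Quark Cloud Drive\\\\QuarkCloudDrive.exe", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\kernel32.dll", "Signed": "true"}',
]


def classify(event):
    """Return a reason string if the event matches the advisory's indicators, else None."""
    eid = event.get("EventID")
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    # Process creation: regsvr32 launched with the Quark application as parent.
    if eid == 1 and "regsvr32.exe" in image and "quark" in parent:
        return "regsvr32.exe spawned from Quark Cloud Drive"
    # Image load: generalises the page's 'DllLoaded contains malicious.dll' to any
    # unsigned DLL loaded from the application directory (DLL from unusual location).
    if eid == 7:
        loaded = event.get("ImageLoaded", "").lower()
        if loaded.startswith(APP_DIR) and event.get("Signed", "").lower() != "true":
            return "unsigned DLL loaded from application directory: " + event["ImageLoaded"]
    return None


def scan(log_lines):
    """Parse JSON log lines and return (EventID, reason) for every matching event."""
    hits = []
    for line in log_lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((event["EventID"], reason))
    return hits


if __name__ == "__main__":
    for eid, reason in scan(SAMPLE_LOG):
        print(eid, reason)
```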
