CVE-2025-64699

7.8 HIGH

📋 TL;DR

regService, a SevenCs ORCA G2 component that runs as SYSTEM, sets a NULL DACL on a device object. A NULL DACL means no access control at all, so any local user, not only administrators, can open the device and perform raw disk reads and writes. That access lets an attacker read data straight off the disk (including files their account cannot otherwise open), corrupt the disk, or tamper with system files to escalate to SYSTEM. The only affected build listed is SevenCs ORCA G2 2.0.1.35 with EC2007 Kernel v5.22.

💻 Affected Systems

Products:
  • SevenCs ORCA G2
Versions: 2.0.1.35
Operating Systems: Windows
Component: EC2007 Kernel v5.22 (the SevenCs chart kernel bundled with ORCA G2, not the Windows kernel)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access as any user; because the DACL is NULL, no group membership or elevation is needed. regService must be running as SYSTEM for the NULL DACL to be applied to the device object.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to SYSTEM, complete system compromise, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

A local user with an ordinary account opening the raw disk device, reading files their account is not permitted to see, or writing to the disk and corrupting the file system.

🟢

If Mitigated

Reduced exposure where local logons are restricted to trusted personnel and raw disk access is monitored, though the NULL DACL remains until the vendor fixes regService.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an interactive or code-execution foothold on the host, but from there it is straightforward: with a NULL DACL, any process can open the device and issue raw reads and writes through ordinary file APIs, with no driver or kernel exploit involved. The GitHub gist referenced by the disclosure provides the technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check with SevenCs for security updates. Monitor their security advisories for patch availability.

🔧 Temporary Workarounds

Restrict Local Access

all

Limit local user access to systems running vulnerable software to trusted personnel only.

Monitor regService Process

windows

Monitor handle opens on the raw disk device by processes other than regService; regService's own access is expected and is not the signal. Re-applying a restrictive DACL to the device by hand is only a stopgap: the NULL DACL is attributed to regService itself, so it may be set again the next time the service starts.

🧯 If You Can't Patch

  • Isolate affected systems from critical networks and sensitive data.
  • Implement strict access controls and audit all local user activities on vulnerable systems.

🔍 How to Verify

Check if Vulnerable:

Confirm that SevenCs ORCA G2 2.0.1.35 with EC2007 Kernel v5.22 is installed, that the regService service is running as SYSTEM (LocalSystem), and that the device object it exposes carries a NULL DACL. A NULL DACL is distinct from an empty DACL (an ACL with no ACEs), which denies all access; the two must not be confused. A quick negative check from a standard user account: if opening the device for READ_CONTROL is denied, the DACL is not NULL.

Check Version:

Check application version through SevenCs ORCA G2 interface or Windows installed programs list.

Verify Fix Applied:

Verify that a patched version from SevenCs is installed and that regService no longer applies NULL DACLs to device objects.
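The three checks above, as an added PowerShell verification script (not SevenCs code, and none of the names below are confirmed by this advisory). It assumes the product's Uninstall entry has a DisplayName containing "ORCA", that the service is called regService, and that the exposed device is the one passed as -DevicePath; substitute the device object named in the disclosure. Run it from a standard user account to see the attacker's view, or elevated to read the DACL regardless of who you are.

```powershell
# Added verification script for this advisory; it is not SevenCs code and the
# advisory does not confirm any of these names. Assumptions: the product's
# Uninstall entry has a DisplayName containing "ORCA", the service is called
# regService, and the device it exposes is the one passed as -DevicePath.
param(
    # ASSUMPTION: replace with the device object named in the disclosure gist.
    [string]$DevicePath = '\\.\PhysicalDrive0'
)

# 1. Installed version, from both Uninstall registry views.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ORCA*' } |
    ForEach-Object {
        $flag = if ($_.DisplayVersion -eq '2.0.1.35') { 'AFFECTED build' } else { 'verify with vendor' }
        '{0} {1} -> {2}' -f $_.DisplayName, $_.DisplayVersion, $flag
    }

# 2. Service state and the account it runs under (LocalSystem = SYSTEM).
Get-CimInstance Win32_Service -Filter "Name LIKE '%regService%' OR PathName LIKE '%regService%'" |
    Select-Object Name, State, StartName, PathName

# 3. DACL of the device object. A NULL DACL comes back from GetSecurityInfo as
#    a null DACL pointer; an empty DACL ("D:" in SDDL) is a real ACL with zero
#    ACEs and denies everyone, so the two must not be confused.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class DevSd {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateFile(string name, uint access, uint share,
        IntPtr sa, uint disp, uint flags, IntPtr template);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern uint GetSecurityInfo(IntPtr h, uint objType, uint secInfo,
        out IntPtr owner, out IntPtr group, out IntPtr dacl, out IntPtr sacl, out IntPtr sd);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool ConvertSecurityDescriptorToStringSecurityDescriptor(
        IntPtr sd, uint rev, uint secInfo, out IntPtr sddl, out uint len);
    [DllImport("kernel32.dll")]
    public static extern IntPtr LocalFree(IntPtr h);
}
'@
$READ_CONTROL = 0x00020000; $SHARE_RW = 3; $OPEN_EXISTING = 3
$SE_KERNEL_OBJECT = 6; $DACL_INFO = 4; $SDDL_REV1 = 1; $ERROR_ACCESS_DENIED = 5

# Ask only for READ_CONTROL: enough to read the security descriptor, and a
# restrictive DACL will deny even that to a standard user.
$h = [DevSd]::CreateFile($DevicePath, $READ_CONTROL, $SHARE_RW, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
if ($h -eq [IntPtr](-1)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($err -eq $ERROR_ACCESS_DENIED) {
        "$DevicePath : READ_CONTROL denied to this account, so the DACL is not NULL"
    } else {
        "$DevicePath : open failed, Win32 error $err"
    }
    return
}
$owner = $group = $dacl = $sacl = $sd = [IntPtr]::Zero
$rc = [DevSd]::GetSecurityInfo($h, $SE_KERNEL_OBJECT, $DACL_INFO,
        [ref]$owner, [ref]$group, [ref]$dacl, [ref]$sacl, [ref]$sd)
[void][DevSd]::CloseHandle($h)
if ($rc -ne 0) { "GetSecurityInfo failed with error $rc"; return }

if ($dacl -eq [IntPtr]::Zero) {
    "VULNERABLE: $DevicePath has a NULL DACL; every local principal gets full access"
} else {
    $p = [IntPtr]::Zero; $len = [uint32]0
    if ([DevSd]::ConvertSecurityDescriptorToStringSecurityDescriptor($sd, $SDDL_REV1, $DACL_INFO, [ref]$p, [ref]$len)) {
        "OK: $DevicePath DACL is " + [Runtime.InteropServices.Marshal]::PtrToStringUni($p)
        [void][DevSd]::LocalFree($p)
    }
}
[void][DevSd]::LocalFree($sd)
```

Add-Type cannot redefine a class in the same session, so start a fresh PowerShell if you rerun it. A device whose DACL prints as "D:" (empty) is locked down, not open; only the null DACL pointer branch indicates the condition this advisory describes.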

📡 Detection & Monitoring

Log Indicators:

  • Handle opens on raw disk devices (\\.\PhysicalDriveN, which resolves to \Device\HarddiskN\DRn) by processes other than regService, especially from non-SYSTEM accounts
  • Sysmon Event ID 9 (RawAccessRead) from images other than regService and known backup or endpoint-protection tooling
  • Handle requests to the affected device object that succeed for standard (non-administrator) users, which a restrictive DACL would have denied

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

(EventID:4656 OR EventID:4663) AND (ObjectType:Device OR ObjectName:"\Device\Harddisk*") AND NOT SubjectUserSid:S-1-5-18 AND NOT ProcessName:*regService*

regService's own handle opens are the baseline, not the signal, so the query keys on other processes and on accounts other than LocalSystem (S-1-5-18) reaching the raw disk. Caveats: 4656/4663 are only emitted when object-access auditing is enabled and the object carries a SACL, which raw disk devices usually do not; Sysmon Event ID 9 (RawAccessRead) records \\.\ reads of a drive regardless and is normally the more practical source. A raw disk open is a handle to a file object backed by the device, so check a sample event for the ObjectType and ObjectName values your sensor actually logs before relying on the filter.
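The same hunt run locally against the event logs, as an added PowerShell script (not SevenCs code). It assumes Sysmon is installed with RawAccessRead (Event ID 9) enabled, that object-access auditing is on so Security 4656/4663 are generated for the device object, and that regService is the only process expected to touch the raw disk; the -ExpectedImage name and the \Device\Harddisk prefix are assumptions, not values taken from the advisory.

```powershell
# Added hunting script for this advisory; not SevenCs code. Assumptions: Sysmon
# logs RawAccessRead (ID 9), object-access auditing produces Security 4656/4663
# for the device object, and regService is the only legitimate raw-disk accessor.
param(
    [int]$Hours = 24,
    [string]$ExpectedImage = 'regService'   # ASSUMPTION: the legitimate accessor
)
$since = (Get-Date).AddHours(-$Hours)
$LocalSystemSid = 'S-1-5-18'

# Pull one named field out of an event's EventData block.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$hits = @()

# Sysmon 9 fires on \\.\ reads of a drive. Anything other than regService (add
# your backup/AV images to the exclusion if they legitimately read raw volumes)
# is the signal. The User field exists only in newer Sysmon builds; it is
# reported when present and left empty otherwise.
$sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 9; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $sysmon) {
    $image = Get-EventField $e 'Image'
    if ($image -like "*$ExpectedImage*") { continue }
    $hits += [pscustomobject]@{
        Time = $e.TimeCreated; Source = 'Sysmon 9 RawAccessRead'
        Process = $image; Object = Get-EventField $e 'Device'; User = Get-EventField $e 'User'
    }
}

# Security 4656 (handle requested) / 4663 (object accessed). A raw disk open is
# a handle to a file object backed by the disk's device object, so match on the
# object name as well as the Device type. Skip SYSTEM and regService.
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $sec) {
    $objType = Get-EventField $e 'ObjectType'
    $objName = Get-EventField $e 'ObjectName'
    if ($objType -ne 'Device' -and $objName -notlike '\Device\Harddisk*') { continue }
    $sid  = Get-EventField $e 'SubjectUserSid'
    $proc = Get-EventField $e 'ProcessName'
    if ($sid -eq $LocalSystemSid -or $proc -like "*$ExpectedImage*") { continue }
    $hits += [pscustomobject]@{
        Time = $e.TimeCreated; Source = "Security $($e.Id)"
        Process = $proc; Object = $objName
        User = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Expect the Sysmon branch to carry most of the findings: the Security events only appear if someone has put a SACL on the device, whereas Sysmon 9 needs nothing beyond a configuration that does not exclude RawAccessRead. Reading the Security log requires an elevated session.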

🔗 References
