CVE-2025-64721

10.0 CRITICAL

📋 TL;DR

This vulnerability in Sandboxie allows a process running inside a sandbox to trigger an integer overflow in the SbieSvc.exe service, which runs as SYSTEM, leading to a heap overflow and arbitrary code execution with SYSTEM privileges. It affects all users running Sandboxie versions 1.16.6 and below on Windows NT-based systems. Successful exploitation completely compromises the host, defeating the isolation the product exists to provide.

💻 Affected Systems

Products:
  • Sandboxie
Versions: 1.16.6 and below
Operating Systems: Windows NT-based systems (32-bit and 64-bit)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in the SbieSvc.exe service running as SYSTEM.

📦 What is this software?

Sandboxie is an open-source sandbox-based isolation program for Windows, maintained today as Sandboxie-Plus, that runs applications in an isolated environment so their changes to the file system and registry are contained. Its SbieSvc.exe service runs as SYSTEM and handles requests from sandboxed processes, which is why a memory-safety bug in the service turns a sandbox escape into full host compromise.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, and pivot to other systems.

🟠

Likely Case

Local privilege escalation from sandboxed processes to SYSTEM, enabling full control of the host machine.

🟢

If Mitigated

Limited impact if the service is disabled or access to affected hosts is restricted to trusted users; network segmentation and least privilege limit what an attacker gains from a compromised host but do not prevent the local escalation itself.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Any user with access to run sandboxed processes can potentially exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to run sandboxed processes. The vulnerability is in a SYSTEM service, making exploitation straightforward once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.16.7

Vendor Advisory: https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp

Restart Required: Yes

Instructions:

1. Download Sandboxie version 1.16.7 or later from the official repository.
2. Close all sandboxed applications.
3. Run the installer to upgrade.
4. Restart the system to ensure the service update takes effect.

🔧 Temporary Workarounds

Disable Sandboxie Service

Windows (elevated command prompt; in PowerShell use sc.exe, since sc is an alias for Set-Content)

Temporarily stop and disable the SbieSvc.exe service to remove the vulnerable SYSTEM-level code path. Sandboxie cannot start sandboxed programs while the service is disabled, so this is a stopgap until the patch is applied; re-enable the service after patching (start= auto restores the default start type).

sc stop SbieSvc
sc config SbieSvc start= disabled

🧯 If You Can't Patch

  • Restrict user access to systems running vulnerable Sandboxie versions
  • Implement application whitelisting to prevent execution of unauthorized processes

🔍 How to Verify

Check if Vulnerable:

Check the Sandboxie version in the About dialog; anything below 1.16.7 is affected. Note that the core binaries such as SbieSvc.exe carry the Sandboxie Classic version number (5.x) rather than the Plus number used in this advisory, so compare the product version shown in the About dialog or in the installer's uninstall entry, not the file version of SbieSvc.exe.

Check Version:

wmic product where name="Sandboxie" get version

Note: Win32_Product (and therefore wmic product) only enumerates packages installed through Windows Installer, and wmic is deprecated on current Windows releases. The Sandboxie-Plus installer is not an MSI package, so this query may return nothing even when Sandboxie is installed; querying the uninstall registry entries is more reliable.

Verify Fix Applied:

Confirm Sandboxie version is 1.16.7 or higher in About dialog
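As an added example (not code from the original page or the Sandboxie project), the following PowerShell script locates the installed build through the uninstall registry entries rather than Win32_Product, compares the reported version with the fixed release 1.16.7, and reports the state, account and binary of the SbieSvc service. It assumes the uninstall entry's DisplayName starts with "Sandboxie" and that DisplayVersion uses the 1.x Plus numbering from the advisory; the function names are my own.

```powershell
# Added example, not part of the page or the Sandboxie project.
# Assumptions: uninstall entry DisplayName starts with "Sandboxie" and
# DisplayVersion uses the Sandboxie-Plus 1.x numbering from the advisory.
$FixedVersion = [version]'1.16.7'

function Get-SandboxieInstall {
    # Win32_Product / "wmic product" lists only Windows Installer packages;
    # the uninstall keys also cover Inno Setup and other non-MSI installers.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Sandboxie*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-SandboxieVersionStatus {
    param([string] $DisplayVersion)
    $parsed = $null
    # Tolerate a leading "v". A string that does not parse, or that is not
    # 1.x (e.g. a Classic 5.x build), cannot be compared with 1.16.7 here.
    if (-not [version]::TryParse($DisplayVersion.TrimStart('v', 'V'), [ref] $parsed) -or $parsed.Major -ne 1) {
        return 'unknown (not 1.x Plus numbering; compare with the advisory by hand)'
    }
    if ($parsed -lt $FixedVersion) { return 'VULNERABLE - upgrade to 1.16.7 or later' }
    return 'patched'
}

function Get-SbieSvcStatus {
    # Service state plus the binary the Service Control Manager runs as SYSTEM.
    $svc = Get-CimInstance Win32_Service -Filter "Name='SbieSvc'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    $exe = $svc.PathName.Trim('"')
    [pscustomobject]@{
        State       = $svc.State
        StartMode   = $svc.StartMode
        StartName   = $svc.StartName      # expected: LocalSystem
        Binary      = $exe
        # The core binary's file version follows the Classic 5.x numbering,
        # so it is shown for reference rather than compared with 1.16.7.
        FileVersion = (Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue).VersionInfo.FileVersion
    }
}

# Usage
$installs = @(Get-SandboxieInstall)
if (-not $installs) { 'No Sandboxie uninstall entry found.' }
foreach ($inst in $installs) {
    '{0} {1}: {2}' -f $inst.DisplayName, $inst.DisplayVersion, (Get-SandboxieVersionStatus $inst.DisplayVersion)
}
Get-SbieSvcStatus | Format-List
```

Run it from an elevated PowerShell so the service query and the 64-bit registry view are both available. After upgrading, re-run it and confirm the status line reads "patched" and the service is Running under LocalSystem with its binary in the expected install directory.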

📡 Detection & Monitoring

Log Indicators:

  • Process creation (Security Event ID 4688, or Sysmon Event ID 1) where the parent is SbieSvc.exe and the child is not one of Sandboxie's own binaries, e.g. cmd.exe or powershell.exe running as SYSTEM
  • Crash reports for SbieSvc.exe in the Application log (Event ID 1000, Application Error), particularly with exception code 0xc0000374 (STATUS_HEAP_CORRUPTION), which can indicate a failed or unstable exploit attempt
  • Service Control Manager events in the System log (Event ID 7031 or 7034) reporting that the Sandboxie service terminated unexpectedly

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

EventID=4688 AND ParentProcessName ENDSWITH "\SbieSvc.exe" AND NOT NewProcessName STARTSWITH "C:\Program Files\Sandboxie"

The parent process field in 4688 ("Creator Process Name") is present on Windows 10 / Server 2016 and later and requires Audit Process Creation to be enabled; with Sysmon, use Event ID 1 with ParentImage and Image instead. Baseline before alerting: the service legitimately starts Sandboxie's own helper processes, so only children outside the install directory are unexpected.
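The detection logic above, as an added PowerShell example that is not part of the original page or the Sandboxie project: a predicate that flags children of SbieSvc.exe outside the install directory, exercised first on a few constructed 4688-shaped records and then wired to the live Security log, plus a query for the crash events listed under Log Indicators. It assumes the default Sandboxie-Plus install path and that Audit Process Creation is enabled; the function names and sample records are my own.

```powershell
# Added example, not part of the page or the Sandboxie project. Assumes the
# default Sandboxie-Plus install path below and that Audit Process Creation
# (Security Event ID 4688, with the parent process field) is enabled.
$SandboxieDir = 'C:\Program Files\Sandboxie-Plus'

function Test-SuspiciousSbieSvcChild {
    param([string] $ParentProcessName, [string] $NewProcessName)
    # Only children of the SYSTEM-level service are of interest.
    if (-not $ParentProcessName -or $ParentProcessName -notmatch '\\SbieSvc\.exe$') { return $false }
    # The service legitimately launches Sandboxie's own binaries; a shell,
    # script host or a binary dropped in a temp directory is not expected.
    return -not $NewProcessName.StartsWith("$SandboxieDir\", [System.StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample records in the shape of the 4688 EventData fields.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2025-11-20 10:01:02'; SubjectUserName = 'SYSTEM'
        ParentProcessName = 'C:\Program Files\Sandboxie-Plus\SbieSvc.exe'
        NewProcessName    = 'C:\Program Files\Sandboxie-Plus\SandboxieRpcSs.exe' }
    [pscustomobject]@{ TimeCreated = '2025-11-20 10:01:05'; SubjectUserName = 'SYSTEM'
        ParentProcessName = 'C:\Program Files\Sandboxie-Plus\SbieSvc.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ TimeCreated = '2025-11-20 10:01:09'; SubjectUserName = 'alice'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe' }
)

# Only the cmd.exe spawned by SbieSvc.exe is flagged; the helper started by the
# service and the user's own cmd.exe are not.
$SampleEvents | Where-Object { Test-SuspiciousSbieSvcChild $_.ParentProcessName $_.NewProcessName }

# Live version against the Security log (elevated shell required).
function Get-SbieSvcChildAlerts {
    param([datetime] $Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = @{}
            ([xml] $evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if (Test-SuspiciousSbieSvcChild $d['ParentProcessName'] $d['NewProcessName']) {
                [pscustomobject]@{
                    Time = $evt.TimeCreated; User = $d['SubjectUserName']
                    Parent = $d['ParentProcessName']; Child = $d['NewProcessName']; CommandLine = $d['CommandLine']
                }
            }
        }
}

# Crash indicators: Application Error (1000) for SbieSvc.exe, which carries the
# exception code (0xc0000374 = STATUS_HEAP_CORRUPTION) in its message, and
# Service Control Manager 7031/7034 for the service terminating unexpectedly.
function Get-SbieSvcCrashEvents {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SbieSvc\.exe' }
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7031, 7034; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Sandboxie|SbieSvc' }
}
```

The predicate is kept separate from the log access so it can be unit-tested on constructed records and reused against exported EVTX files or a SIEM feed. Expect some legitimate hits from Sandboxie's own helpers if the product is installed somewhere other than the assumed path; adjust $SandboxieDir from the service's binary path rather than widening the filter.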
