CVE-2025-65199
📋 TL;DR
A local privilege escalation vulnerability in Windscribe VPN for Linux allows users in the windscribe group to execute arbitrary commands as root via command injection in the changeMTU function. This affects Linux desktop installations where users have been added to the windscribe group. The vulnerability enables complete system compromise from a limited local user account.
💻 Affected Systems
- Windscribe VPN Desktop App
📦 What is this software?
Windscribe by Windscribe
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover by any local user in windscribe group, allowing installation of persistent backdoors, data exfiltration, and lateral movement across the network.
Likely Case
Local privilege escalation to root by malicious or compromised user accounts, enabling privilege abuse, credential harvesting, and persistence establishment.
If Mitigated
Limited impact if proper access controls restrict windscribe group membership and network segmentation limits lateral movement.
🎯 Exploit Status
Exploit requires local user access and windscribe group membership. Public technical details and proof-of-concept are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.18.3-alpha or v2.18.8
Vendor Advisory: https://github.com/Windscribe/Desktop-App
Restart Required: Yes
Instructions:
1. Update Windscribe to v2.18.8 or later.
2. Restart the Windscribe service.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Remove users from windscribe group (Linux)
Temporarily remove non-essential users from the windscribe group to limit attack surface:
sudo gpasswd -d username windscribe
Restrict sudo privileges (Linux)
Ensure the windscribe group does not have unnecessary sudo privileges:
sudo visudo
Review and remove any windscribe group entries in sudoers.
🧯 If You Can't Patch
- Implement strict access controls to limit windscribe group membership to essential users only
- Monitor for suspicious command execution patterns and root privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Windscribe version and whether the current user is in the windscribe group: windscribe --version && groups | grep windscribe
Check Version:
windscribe --version
Verify Fix Applied:
Confirm version is v2.18.8 or later: windscribe --version
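An added POSIX sh helper, not part of this advisory or of Windscribe's own code, that turns the checks above into a repeatable assessment: it parses the reported version, compares it against the first fixed version (the advisory names v2.18.3-alpha; 2.18.8 is the stable release to update to), and lists windscribe group members from a group file. The version-string format, the function names and the group file contents used in the demo are assumptions.

```shell
#!/bin/sh
# Added example for CVE-2025-65199 exposure checks; not vendor code.
# Real-host usage: assess "$(windscribe --version)" /etc/group
# Assumes the version output contains a dotted version such as "2.18.8".
FIXED_VERSION=${FIXED_VERSION:-2.18.3}   # first fixed build per advisory

# Keep the first dotted numeric version, dropping a leading "v", a product
# name and any pre-release suffix ("v2.18.3-alpha" -> "2.18.3").
normalize_version() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/'
}

# Return 0 when version $1 is at least version $2 (three dotted numeric
# components; missing components count as 0; suffixes are ignored).
version_ge() {
    a=$(normalize_version "$1"); b=$(normalize_version "$2")
    old_ifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    if [ "$a1" -gt "$b1" ]; then return 0; elif [ "$a1" -lt "$b1" ]; then return 1; fi
    if [ "$a2" -gt "$b2" ]; then return 0; elif [ "$a2" -lt "$b2" ]; then return 1; fi
    [ "$a3" -ge "$b3" ]
}

# Print the members of group $1 from group file $2 (default /etc/group),
# one per line; prints nothing if the group is absent or empty.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}" \
        | tr ',' '\n' | sed '/^$/d'
}

# Print an assessment for version string $1 and group file $2.
# Returns 1 only when the build is vulnerable AND someone can exploit it,
# i.e. the windscribe group has members.
assess() {
    members=$(group_members windscribe "${2:-/etc/group}")
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"; return 0
    elif [ -z "$members" ]; then
        echo "not-exposed (vulnerable build, windscribe group has no members)"; return 0
    fi
    printf 'vulnerable: windscribe group members: %s\n' "$(echo "$members" | tr '\n' ' ')"
    return 1
}

# Constructed demonstration input (not from a real host).
demo_group=$(mktemp)
printf 'root:x:0:\nwindscribe:x:1001:alice,bob\nsudo:x:27:alice\n' > "$demo_group"
assess "Windscribe 2.18.2" "$demo_group"
rm -f "$demo_group"
```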
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution by windscribe process
- Root privilege escalation from windscribe user context
- Suspicious MTU change operations
Network Indicators:
- Unexpected outbound connections from windscribe process
- Command and control traffic originating from VPN interface
SIEM Query:
process_name:"windscribe" AND (command_line:"adapterName" OR command_line:"changeMTU")
🔗 References
- https://github.com/Windscribe/Desktop-App
- https://github.com/Windscribe/Desktop-App/compare/v2.18.2...v2.18.3?diff=unified&w#diff-57e27ab201a1a612609087b839e03bf87a5a063ffcc3f465a6245469bc102754
- https://github.com/Windscribe/Desktop-App/compare/v2.18.2...v2.18.3?diff=unified&w#diff-cfc5df17057ed92112ae70a42c81c57c79f434429210ff881fb0771cf8e39b4c
- https://hackingbydoing.wixsite.com/hackingbydoing/post/windscribe-vpn-local-privilege-escalation
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-343-01.json
- https://www.cve.org/CVERecord?id=CVE-2025-65199