CVE-2025-66265

N/A Unknown

📋 TL;DR

CMService.exe creates the C:\usr directory with insecure permissions, granting write access to all authenticated users. This allows attackers to replace configuration files or hijack DLLs to escalate privileges. Affects systems running vulnerable versions of CMService software.

💻 Affected Systems

Products:
  • CMService software from Megatec
Versions: Specific affected versions unknown; appears to apply to the version current as of the CVE-2025-66265 publication
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation; requires CMService.exe to create the insecure directory structure.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through privilege escalation to SYSTEM/Administrator via DLL hijacking or malicious configuration file execution.

🟠 Likely Case

Local authenticated users gain elevated privileges by planting malicious files in the insecure directory structure.

🟢 If Mitigated

Limited to authenticated users with local access; proper permissions would prevent unauthorized writes.

🌐 Internet-Facing: LOW - Requires local authenticated access; not directly exploitable over network.
🏢 Internal Only: HIGH - Any authenticated user on the system can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of directory structure; trivial for local attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.megatec.com.tw/software-download/

Restart Required: No

Instructions:

1. Check vendor website for updated version
2. Install any available patches
3. Verify directory permissions are corrected

🔧 Temporary Workarounds

Secure Directory Permissions

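From an elevated prompt on Windows, manually set proper permissions on the C:\usr directory to remove write access for authenticated users. The explicit grant runs first so the directory is never left without an access entry while inheritance is being removed:

icacls C:\usr /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
icacls C:\usr /inheritance:r
icacls C:\usr /remove "Authenticated Users" /T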

🧯 If You Can't Patch

  • Monitor C:\usr directory for unauthorized file modifications
  • Restrict local user access to systems running CMService

🔍 How to Verify

Check if Vulnerable:

Check if C:\usr directory exists and has write permissions for Authenticated Users: icacls C:\usr

Check Version:

Check CMService version through installed programs or vendor documentation

Verify Fix Applied:

Verify Authenticated Users group has no write permissions: icacls C:\usr | findstr /C:"Authenticated Users"
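
The icacls checks above can be scripted so that every write-capable entry is listed, not only the one for Authenticated Users. The following is an added example, not vendor code or part of the original advisory; the function name Get-UntrustedWriteAce and the trusted-SID list are assumptions to adjust for your environment.

```powershell
# Added example, not vendor code. Lists allow-ACEs on C:\usr that give write-type
# access to any principal outside a small trusted set (the set is an assumption).
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow planting or replacing files, plus the GENERIC_WRITE (0x40000000)
# and GENERIC_ALL (0x10000000) bits that inherit-only ACEs often carry unmapped.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$WriteRights -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriteAce {
    param(
        [string]$Path = 'C:\usr',
        [switch]$Recurse
    )
    $items = @(Get-Item -LiteralPath $Path -Force -ErrorAction Stop)
    if ($Recurse) {
        # Files and subdirectories can carry their own explicit ACEs
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit and inherited rules, identities returned as SIDs (locale-independent)
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            $name = $ace.IdentityReference.Value
            try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if (Test-Path -LiteralPath 'C:\usr') {
    Get-UntrustedWriteAce -Path 'C:\usr' -Recurse | Format-Table -AutoSize
} else {
    'C:\usr does not exist on this host.'
}
```

No output means no write-capable entry for a principal outside the trusted set was found.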

📡 Detection & Monitoring

Log Indicators:

  • File creation/modification events in C:\usr directory by non-admin users
  • Process execution from C:\usr directory

Network Indicators:

  • No direct network indicators - local privilege escalation

SIEM Query:

(EventID=4663 OR EventID=4656) AND ObjectName LIKE 'C:\\usr%' AND SubjectUserName NOT IN ('SYSTEM', 'Administrators')
