CVE-2025-66461
📋 TL;DR
CVE-2025-66461 is an unquoted service path vulnerability in GS Yuasa's FULLBACK Manager Pro software that allows local users with write permissions to the installation directory to execute arbitrary code with SYSTEM privileges. This affects organizations using the vulnerable FULLBACK Manager Pro software on Windows systems. Attackers could escalate privileges from a lower-privileged account to full system control.
💻 Affected Systems
- FULLBACK Manager Pro
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence on compromised systems.
If Mitigated
Limited impact if proper access controls restrict write permissions to installation directories and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires local access and write permissions to the installation directory. The technique is well-known and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not listed here; see the vendor advisory for the version that contains the fix
Vendor Advisory: https://ps.gs-yuasa.com/technicalinfo/pdf/failure/FMP_info20251201_TEX48214-993.pdf
Restart Required: Yes
Instructions:
1. Download the updated version from GS Yuasa's official website.
2. Install the update following vendor instructions.
3. Restart affected systems to ensure services use the corrected paths.
🔧 Temporary Workarounds
Add quotes to service paths
Windows: Manually add quotes around the service executable paths in the Windows Registry. Any service arguments go inside the outer quotes, after the quoted executable path.
sc config "ServiceName" binPath= "\"C:\Path\To\Executable.exe\" arguments"
Restrict directory permissions
Windows: Remove write permissions for non-administrative users from the installation directory and parent directories
icacls "C:\Program Files\FULLBACK Manager Pro" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement strict access controls to prevent non-administrative users from writing to the installation directory and its parent paths.
- Monitor for unauthorized service modifications and privilege escalation attempts using endpoint detection tools.
🔍 How to Verify
Check if Vulnerable:
Check Windows services for FULLBACK Manager Pro entries with unquoted paths containing spaces:
sc qc "ServiceName" | findstr BINARY_PATH_NAME
Check Version:
Check the software version in the application interface or via the vendor's version verification tool.
Verify Fix Applied:
Verify service paths are quoted and check that no unauthorized executables exist in installation directory parent paths.
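The two checks above can be combined into one audit, shown here as an added PowerShell example (not vendor code and not part of the original page). For each matching service with an unquoted path containing spaces, it reports the intermediate .exe locations Windows would try first, whether a file already exists there, and which identities may create files in that directory. The `*FULLBACK*` filter and the helper names `Get-UnquotedCandidate` and `Get-DirWriter` are assumptions.

```powershell
# Added example. Assumption: '*FULLBACK*' matches the service name or display
# name; the page does not give the real service name, so adjust the filter.
$NameFilter = '*FULLBACK*'

function Get-UnquotedCandidate {
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return }                      # already quoted
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return }
    $parts = $m.Groups[1].Value -split ' '
    # Every space in an unquoted path is a point where "<prefix>.exe" is tried first.
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Get-DirWriter {
    param([string]$Dir)
    # 0x2 = CreateFiles; 0x40000000 and 0x10000000 = GENERIC_WRITE and GENERIC_ALL
    $mask = 0x50000002
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction SilentlyContinue
    if (-not $acl) { return '(ACL unreadable)' }
    ($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.PropagationFlags -notmatch 'InheritOnly' -and   # skip ACEs for children only
        ([int]$_.FileSystemRights -band $mask)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join '; '
}

Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like $NameFilter -or $_.DisplayName -like $NameFilter } |
    ForEach-Object {
        $svc = $_
        foreach ($c in @(Get-UnquotedCandidate $svc.PathName)) {
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName
                PathName   = $svc.PathName
                Candidate  = $c
                FileExists = Test-Path -LiteralPath $c
                DirWriters = Get-DirWriter ([System.IO.Path]::GetDirectoryName($c))
            }
        }
    } | Format-List
```

No output means no matching service has an unquoted path with spaces. Any row with FileExists set to True, or with a non-administrative identity in DirWriters, needs review.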
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing service path modifications (Event ID 7040)
- Unexpected service creation or modification events
- Process creation from unusual locations in the installation directory path
Network Indicators:
- Unusual outbound connections from SYSTEM-level processes
- Lateral movement attempts from previously compromised systems
SIEM Query:
(EventID=7040 AND (ServiceName="*FULLBACK*" OR ServiceName contains "Manager")) OR (ProcessCreation WHERE ParentImage LIKE "%services.exe%" AND CommandLine CONTAINS "C:\\Program Files\\FULLBACK")