CVE-2025-66575 – CVE-2025-66575 is an unquoted service path vuln... (How to Fix)

Q: What is the severity of CVE-2025-66575?

CVE-2025-66575 has a CVSS score of 7.8 (HIGH). CVE-2025-66575 is an unquoted service path vulnerability in VeeVPN 1.6.1 that allows attackers to execute arbitrary code with LocalSystem privileges during system startup or reboot. This affects all Windows systems running the vulnerable VeeVPN version. Attackers can exploit this by placing malicious executables in service path locations.

📋 TL;DR

CVE-2025-66575 is an unquoted service path vulnerability in VeeVPN 1.6.1 that allows attackers to execute arbitrary code with LocalSystem privileges during system startup or reboot. This affects all Windows systems running the vulnerable VeeVPN version. Attackers can exploit this by placing malicious executables in service path locations.

💻 Affected Systems

Products:

VeeVPN

Versions: 1.6.1

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default installations of VeeVPN 1.6.1 on Windows are vulnerable. The vulnerability is in the VeePNService component.

📦 What is this software?

Veepn by Veepn

View all CVEs affecting Veepn →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with LocalSystem privileges, allowing installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation leading to full administrative control of the affected system, potentially enabling ransomware deployment or data exfiltration.

🟢

If Mitigated

Limited impact if proper endpoint protection and least privilege principles are enforced, though system integrity may still be compromised.

🌐 Internet-Facing: LOW - Requires local access or ability to write files to the target system's service path directories.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a system, they can easily escalate privileges using this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit code is publicly available on Exploit-DB (ID 52088). Attack requires ability to write files to service path directories, typically requiring some level of initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check vendor website for updated version. 2. Uninstall VeeVPN 1.6.1. 3. Install patched version if available. 4. Restart system to ensure service changes take effect.

🔧 Temporary Workarounds

Add quotes to service path

windows

Manually add quotes around the service executable path in Windows Registry

reg add "HKLM\SYSTEM\CurrentControlSet\Services\VeePNService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\VeeVPN\VeePNService.exe\"" /f

Restrict write permissions

windows

Remove write permissions for non-administrative users on service path directories

icacls "C:\Program Files\VeeVPN" /deny Users:(OI)(CI)W
icacls "C:\Program Files (x86)\VeeVPN" /deny Users:(OI)(CI)W

🧯 If You Can't Patch

Uninstall VeeVPN 1.6.1 completely from affected systems
Implement strict endpoint detection and response (EDR) rules to monitor for service path manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check if VeeVPN 1.6.1 is installed and examine the VeePNService ImagePath in Registry Editor (regedit) at HKLM\SYSTEM\CurrentControlSet\Services\VeePNService - look for unquoted paths containing spaces.

Check Version:

wmic product where "name like '%VeeVPN%'" get version

Verify Fix Applied:

Verify the ImagePath registry value has quotes around the full executable path and that write permissions are restricted on service directories.

📡 Detection & Monitoring

Log Indicators:

Windows Event ID 7045: Service installed with unquoted path
Unexpected service creation/modification events
Process creation from unusual service path locations

Network Indicators:

Unusual outbound connections from system processes
Lateral movement attempts following privilege escalation

SIEM Query:

source="windows" (event_id=7045 AND service_name="VeePNService") OR (process_name="*VeePNService*" AND parent_process!="services.exe")

📊 Metadata

CVE ID: CVE-2025-66575

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-428

EPSS Score: 0.13% exploit probability (33.1th percentile)

Published: December 4, 2025

Last Updated: December 30, 2025

🔗 References

https://github.com/veepn/veepn Broken Link
https://veepn.com/ Product
https://www.exploit-db.com/exploits/52088 Exploit
https://www.vulncheck.com/advisories/veevpn-161-unquoted-service-path-remote-code-execution Third Party Advisory,VDB Entry
https://www.exploit-db.com/exploits/52088 Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66575, you might also want to check these: