Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66575

CVE-2025-66575: VeeVPN Privilege Escalation Vulnerability

CVE-2025-66575 is a privilege escalation vulnerability in VeeVPN 1.6.1 caused by an unquoted service path. Attackers can execute code as LocalSystem during startup. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-66575 Overview

CVE-2025-66575 is an unquoted service path vulnerability affecting VeeVPN version 1.6.1. The flaw resides in the VeePNService Windows service, which registers its executable path without proper quoting. When Windows parses the unquoted path during service startup, it can execute an attacker-controlled binary placed in a higher-priority directory. Successful exploitation grants code execution as LocalSystem, the highest privilege level on a Windows host. The vulnerability is classified under CWE-428: Unquoted Search Path or Element.

Critical Impact

A local attacker with write access to an exploitable directory along the service path can execute arbitrary code as LocalSystem on every reboot or service restart.

Affected Products

  • VeeVPN 1.6.1 for Windows
  • VeePNService Windows service component
  • Installations using the default unquoted service path configuration

Discovery Timeline

  • 2025-12-04 - CVE-2025-66575 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66575

Vulnerability Analysis

The vulnerability stems from how Windows resolves service binary paths that contain spaces and lack surrounding quotation marks. When the Service Control Manager (SCM) starts VeePNService, it parses the ImagePath registry value from left to right and attempts to execute each tokenized segment as a candidate executable. If an attacker writes a malicious binary into one of these intermediate path locations, the SCM launches it instead of the legitimate VeePN binary. Because Windows services run under the LocalSystem account by default, the attacker's code inherits full system privileges.

Root Cause

The root cause is improper handling of the service binary path during installation. The VeePNService registers its ImagePath without enclosing the full path in quotation marks. Combined with a path that contains space characters, this produces ambiguity that Windows resolves by attempting multiple executable candidates. The defect aligns with CWE-428, which covers unquoted search paths in privileged contexts.

Attack Vector

Exploitation requires local file system access to a directory along the unquoted service path. An attacker places a crafted executable named to match an intermediate path token. On the next reboot or service restart, the SCM executes the planted binary as LocalSystem. User interaction is required only to trigger the reboot, which routine system activity typically supplies. Refer to the VulnCheck advisory on VeeVPN and Exploit-DB entry 52088 for technical reproduction details.

Detection Methods for CVE-2025-66575

Indicators of Compromise

  • Unexpected executables present in directories along the VeePNService installation path, particularly files named to match path tokens preceding the legitimate binary.
  • New LocalSystem processes spawned at boot whose parent is services.exe but whose image path does not resolve to the official VeePN install directory.
  • Modifications to the HKLM\SYSTEM\CurrentControlSet\Services\VeePNService registry key or its ImagePath value.

Detection Strategies

  • Enumerate Windows services and flag any ImagePath value containing spaces without surrounding quotation marks using PowerShell or sc.exe qc.
  • Monitor file creation events in directories that sit along the unquoted service path, especially C:\Program.exe or other root-level executable names.
  • Audit service start events (Event ID 7036) and correlate the resolved binary path with the expected VeePN installation location.

Monitoring Recommendations

  • Enable Sysmon Event ID 1 (Process Create) and alert on services.exe spawning binaries from non-standard directories.
  • Track changes to service registry keys via Event ID 4657 on Windows security logs.
  • Establish a baseline of legitimate VeePNService executable hashes and alert on deviation.

How to Mitigate CVE-2025-66575

Immediate Actions Required

  • Inventory all hosts running VeeVPN 1.6.1 and identify systems where the VeePNServiceImagePath is unquoted.
  • Restrict write permissions on directories along the service path so non-administrative users cannot place executables there.
  • Disable the VeePNService on affected endpoints until a patched version is deployed or the registry path is corrected.

Patch Information

No vendor patch is currently referenced in the NVD entry or vendor advisory pages. Administrators should monitor the VeePN official website and the GitHub repository for VeePN for updated builds. Until a fixed release is available, manual remediation of the service registry path is required.

Workarounds

  • Manually edit the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\VeePNService to enclose the full executable path in quotation marks, then restart the service.
  • Apply NTFS access control lists that deny write and create permissions to standard users on C:\ and any other directory in the service path.
  • Remove VeeVPN 1.6.1 from systems where the VPN client is not strictly required.
bash
# Correct an unquoted service path on Windows (run as Administrator)
sc.exe qc VeePNService
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VeePNService" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\VeePN\VeePNService.exe\"" /f
sc.exe stop VeePNService
sc.exe start VeePNService

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.