CVE-2025-64721

CRÍTIC (9,8)

CVSS3: 8,8

Sandboxie Plus podria permetre que un atacant remot executés codi arbitrari com a SYSTEM, causat per un desbordament d’enters a SbieIniServer::RC4Crypt.

post:/platform/configuration/security/service-accountsdelete:/platform/configuration/security/service-accounts/{user_id}patch:/platform/configuration/security/service-accounts/{user_id}post:/platform/configuration/security/service-accounts/{user_id}/keysdelete:/platform/configuration/security/service-accounts/{user_id}/keys/{api_key_id}patch:/userpost:/userspost:/users/auth/keysdelete:/users/auth/keysdelete:/users/auth/keys/_alldelete:/users/auth/keys/{api_key_id}delete:/users/{user_id}/auth/keysdelete:/users/{user_id}/auth/keys/{api_key_id}delete:/users/{user_name}patch:/users/{user_name}

Sistemes Afectats

• sandboxie-plus Sandboxie Plus – 1.14.0 – 1.16.6

Remediació
 Actualitzeu a la darrera versió de Sandboxie Plus (1.16.7 o posterior), disponible al repositori GIT de Sandboxie Plus. Vegeu-ne les Referències.

Referències

• https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp
• https://github.com/sandboxie-plus/Sandboxie/commit/000492f8c411d24292f1b977a107994347bc7dfa
• https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7
• https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/64xxx/CVE-2025-64721.json