Sandboxie Plus code execution
17/12/2025
CVE-2025-64721
CRITICAL (9.8)
CVSS3: 8.8
Sandboxie Plus could allow a remote attacker to execute arbitrary code as SYSTEM, caused by an integer overflow in SbieIniServer::RC4Crypt.
Affected Systems
- sandboxie-plus Sandboxie Plus, versions 1.14.0 to 1.16.6
Remediation
Update to the latest version of Sandboxie Plus (1.16.7 or later), available from the Sandboxie Plus Git repository. See the References.
References
- https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w476-j57g-96vp
- https://github.com/sandboxie-plus/Sandboxie/commit/000492f8c411d24292f1b977a107994347bc7dfa
- https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.16.7
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/64xxx/CVE-2025-64721.json









