A local privilege escalation vulnerability exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The flaw is a Time-of-Check Time-of-Use (TOCTOU) race condition in the license management logic. The regService process, which runs with SYSTEM privileges, creates a fixed directory and writes files without verifying whether the path is an NTFS reparse point. By exploiting this race condition, an attacker can replace the target directory with a junction pointing to a user-controlled path. This causes the SYSTEM-level process to drop binaries in a location fully controlled by the attacker, allowing arbitrary code execution with SYSTEM privileges. The vulnerability can be exploited by any standard user with only a single UAC confirmation, making it highly practical and dangerous in real-world environments.
References
| Link | Resource |
|---|---|
| https://gist.github.com/jc0818/233462416579661e4e2795f96457a6bf | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
14 Jan 2026, 20:29
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://gist.github.com/jc0818/233462416579661e4e2795f96457a6bf - Exploit, Third Party Advisory | |
| First Time |
Sevencs orca G2
Sevencs Sevencs ec2007 Kernel |
|
| CPE | cpe:2.3:a:sevencs:orca_g2:2.0.1.35:*:*:*:*:*:*:* cpe:2.3:a:sevencs:ec2007_kernel:5.22:*:*:*:*:*:*:* |
02 Jan 2026, 18:15
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-367 | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.0 |
31 Dec 2025, 16:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-31 16:15
Updated : 2026-01-14 20:29
NVD link : CVE-2025-61037
Mitre link : CVE-2025-61037
CVE.ORG link : CVE-2025-61037
JSON object : View
Products Affected
sevencs
- ec2007_kernel
- orca_g2
CWE
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition