Title: Incorrect NULL DACL Applied to Device Object Allows Unauthorized Raw Disk Access
Affected Product: ORCA G2 (Version 2.0.1.35 – EC2007 Kernel v5.22)
Vendor: SevenCs
Vulnerability Type: Incorrect Access Control / NULL DACL
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low (Authenticated local user)
User Interaction: None
Severity Overview
| Field | Value |
|---|---|
| CVE ID | CVE-2025-64699 |
| CVSS v3.1 Score | 8.4 (High) |
| Severity | High |
| Exploitability | High |
| Exploit Availability | No public exploit at time of writing |
| Impact | Privilege Escalation, Data Exposure, Denial of Service |
| Patch Available | Yes (vendor advisory released) |
Executive Summary
CVE-2025-64699 is a serious local privilege escalation vulnerability caused by an incorrectly applied NULL DACL on a Windows device object created by the regService process in ORCA G2.
Because regService runs as SYSTEM, any security mistake it makes is automatically high-impact. In this case, it assigns a Security Descriptor with no explicitly defined DACL, which Windows interprets as full access for everyone.
This allows any local user, even one with minimal privileges, to interact directly with the device object and perform raw disk operations. The result ranges from system crashes to unauthorized reading of sensitive data, and in certain scenarios, full SYSTEM-level code execution.
Technical Root Cause
What Went Wrong
- The regService component creates a kernel-mode device object
- The device object is assigned a Security Descriptor
- The DACL is NULL: not an empty list of entries, but no DACL at all
- The Windows security model treats a NULL DACL as “allow all access to everyone”
This is not a misconfiguration, but a programming flaw in how access control was implemented.
Why NULL DACLs Are Dangerous
| DACL Type | Result |
|---|---|
| Explicit restrictive DACL | Controlled access |
| Empty DACL | No access |
| NULL DACL | Full access to all users |
In this vulnerability:
- No access restrictions exist
- Any local process can open a handle to the device
- Kernel-level I/O control requests (IOCTLs) can be sent freely
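To make the table concrete, here is an added Python helper (not from SevenCs or from the advisory) that classifies the DACL of a security descriptor written in SDDL, the string form Windows uses for device-object security (the `SDDL_DEVOBJ_*` strings passed to `IoCreateDeviceSecure` follow it). It distinguishes the three cases in the table and also flags an explicit DACL that still grants access to Everyone or to all local users. The descriptor strings in the demo are constructed; the SYSTEM-and-Administrators-only one is the shape an explicit restrictive DACL of the kind the remediation section describes would take.

```python
"""Classify the DACL of a Windows security descriptor given in SDDL form.

Added example for the CVE-2025-64699 write-up. The SDDL strings used in the
demo are constructed and are not taken from the affected product.
"""
import re

# Well-known SDDL SID abbreviations (from sddl.h) that we want to name
SID_NAMES = {
    "SY": "SYSTEM", "BA": "Administrators", "WD": "Everyone",
    "BU": "Users", "AU": "Authenticated Users", "IU": "Interactive",
}
# Principals whose presence in an Allow ACE means "any local user" in practice
BROAD_PRINCIPALS = {"WD", "BU", "AU", "IU",
                    "S-1-1-0", "S-1-5-32-545", "S-1-5-11", "S-1-5-4"}

# D: section = optional flags (P, AI, AR, or NO_ACCESS_CONTROL for a null ACL)
# followed by zero or more parenthesised ACEs
_DACL_RE = re.compile(
    r"D:(?P<flags>(?:P|AI|AR|NO_ACCESS_CONTROL)*)(?P<aces>(?:\([^()]*\))*)")
_ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_dacl(sddl):
    """Return (state, aces): state is 'NULL', 'EMPTY' or 'EXPLICIT'.

    Each ACE is a dict with type, flags, rights and sid. Conditional ACEs
    (seven fields) are rejected to keep the example small."""
    m = _DACL_RE.search(sddl)
    if m is None or "NO_ACCESS_CONTROL" in m.group("flags"):
        # No DACL object at all: Windows grants everyone full access
        return "NULL", []
    aces = []
    for body in _ACE_RE.findall(m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"unsupported ACE: ({body})")
        ace_type, ace_flags, rights, _obj_guid, _inh_guid, sid = parts
        aces.append({"type": ace_type, "flags": ace_flags,
                     "rights": rights, "sid": sid})
    if not aces:
        # DACL present but contains no entries: nobody is granted access
        return "EMPTY", []
    return "EXPLICIT", aces


def assess_device_sddl(sddl):
    """Summarise what a descriptor's DACL means for a device object."""
    state, aces = parse_dacl(sddl)
    if state == "NULL":
        return {"state": state, "effective": "full access to all users",
                "findings": ["NULL DACL"]}
    if state == "EMPTY":
        return {"state": state, "effective": "no access", "findings": []}
    findings = []
    for ace in aces:
        # Only Allow ACEs for broad principals widen access to every local user
        if ace["type"] == "A" and ace["sid"] in BROAD_PRINCIPALS:
            who = SID_NAMES.get(ace["sid"], ace["sid"])
            findings.append(f"Allow {ace['rights']} to {who}")
    return {"state": state, "effective": "controlled access",
            "findings": findings}


if __name__ == "__main__":
    # Constructed descriptors: owner/group only (NULL DACL), empty DACL,
    # the SYSTEM + Administrators shape, and an explicit-but-open DACL
    for sddl in ("O:SYG:SY", "O:SYG:SYD:",
                 "O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)", "D:(A;;GA;;;WD)"):
        print(f"{sddl!r:45} -> {assess_device_sddl(sddl)}")
```

The `NULL` branch is the advisory's case: the descriptor may well carry an owner and group, but with no `D:` section present the kernel has nothing to evaluate and every open succeeds.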
Attack Scenarios
1. Unauthorized Raw Disk Access
A low-privileged attacker can:
- Open the exposed device
- Read raw disk sectors
- Extract credentials, registry hives, or application data
- Bypass file system permissions entirely
2. Local Privilege Escalation
By abusing IOCTL handlers:
- Crafted input can trigger privileged operations
- Attackers can execute actions as SYSTEM
- Persistence mechanisms can be planted
3. Denial of Service
Malformed or abusive disk operations may:
- Corrupt file system structures
- Crash the kernel (BSOD)
- Render the system unbootable
How Exploitation Works (High-Level)
- Attacker logs in as a standard user
- Enumerates available device objects
- Identifies ORCA G2 device with permissive access
- Opens a handle without restriction
- Sends raw disk read/write IOCTL requests
- Gains unauthorized access or escalates privileges
No user interaction or special timing is required.
MITRE ATT&CK Mapping
| Tactic | Technique |
|---|---|
| Privilege Escalation | Exploitation for Privilege Escalation |
| Defense Evasion | Abuse Elevation Control Mechanism |
| Credential Access | OS Credential Dumping (via disk access) |
| Impact | Data Destruction / Service Stop |
Indicators of Compromise (IoCs)
While no exploit payload is public, defenders should watch for:
- Unexpected access to raw disk devices
- Non-admin processes opening handles to kernel devices
- IOCTL calls originating from user-mode binaries
- Sudden system instability or unexplained crashes
Detection Guidance
Log Sources to Monitor
- Windows Security Logs
- Kernel Object Access Auditing
- Sysmon (if deployed)
- EDR telemetry
Suspicious Behaviors
- Device objects accessed by non-SYSTEM users
- Repeated raw disk reads from user-space applications
- Unusual service interaction with regService-related components
Sample Detection Logic (Conceptual)
Alert when a non-SYSTEM process opens a handle to a kernel device associated with ORCA G2 and performs IOCTL operations related to disk access.
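As an added illustration (not the vendor's or the advisory's own rule), the Python below turns that sentence into a correlation rule over a stream of constructed events: a handle open to a watched device by a non-SYSTEM subject puts the process on a watch list, and a subsequent IOCTL whose control code carries the `FILE_DEVICE_DISK` type raises an alert. The event schema, the sample records and the ORCA G2 device name are assumptions; in a real deployment you would map them onto Security event 4656 (handle requested) and your EDR's device-control telemetry, and the placeholder device name onto the actual object name from the vendor advisory.

```python
"""Conceptual detection logic for CVE-2025-64699 (added example).

Alerts when a process that is NOT running as SYSTEM opens a handle to a
watched kernel device and then issues a disk-class IOCTL through it.
Event records are constructed for this example, modelled loosely on
Windows Security event 4656 plus EDR device-control telemetry; the field
names and the ORCA G2 device object name are assumptions.
"""
SYSTEM_SID = "S-1-5-18"
FILE_DEVICE_DISK = 0x07  # device-type field (bits 16-31) of IOCTL_DISK_* codes

# Device-name prefixes worth watching. The ORCA G2 device object name is not
# published in the advisory, so it is a labelled placeholder here; the other
# two are the standard Windows raw-disk object names.
WATCHED_DEVICE_PREFIXES = (
    r"\Device\Harddisk",
    r"\\.\PhysicalDrive",
    r"\Device\ORCA_G2_DEVICE_NAME_PLACEHOLDER",
)


def ioctl_device_type(code):
    """Extract the FILE_DEVICE_* type encoded in an IOCTL control code."""
    return (code >> 16) & 0xFFFF


def is_watched_device(object_name):
    name = object_name.lower()
    return any(name.startswith(p.lower()) for p in WATCHED_DEVICE_PREFIXES)


def detect(events):
    """Correlate handle-open and IOCTL events per process; return alerts."""
    opened = {}   # pid -> the handle-open event that made the process suspect
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["kind"]
        if kind == "handle_open":
            # SYSTEM (the identity regService runs under) is expected to use
            # these devices; anyone else opening them is worth tracking
            if ev["user_sid"] != SYSTEM_SID and is_watched_device(ev["object"]):
                opened[ev["pid"]] = ev
        elif kind == "ioctl":
            src = opened.get(ev["pid"])
            if src is not None and ioctl_device_type(ev["ioctl"]) == FILE_DEVICE_DISK:
                alerts.append({
                    "ts": ev["ts"], "pid": ev["pid"],
                    "user_sid": src["user_sid"], "image": src["image"],
                    "object": src["object"], "ioctl": hex(ev["ioctl"]),
                    "rule": "non-SYSTEM process issued disk IOCTL via watched device",
                })
        elif kind == "process_exit":
            opened.pop(ev["pid"], None)
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": 1, "kind": "handle_open", "pid": 4, "user_sid": SYSTEM_SID,
     "image": "System", "object": r"\Device\Harddisk0\DR0"},
    {"ts": 2, "kind": "ioctl", "pid": 4, "ioctl": 0x70000},      # SYSTEM: expected
    {"ts": 3, "kind": "handle_open", "pid": 5120,
     "user_sid": "S-1-5-21-1111-2222-3333-1001",
     "image": r"C:\Users\alice\tool.exe", "object": r"\Device\Harddisk0\DR0"},
    {"ts": 4, "kind": "ioctl", "pid": 5120, "ioctl": 0x70000},   # disk class: alert
    {"ts": 5, "kind": "handle_open", "pid": 6200,
     "user_sid": "S-1-5-21-1111-2222-3333-1002",
     "image": r"C:\Users\bob\app.exe", "object": r"\Device\Harddisk0\DR0"},
    {"ts": 6, "kind": "ioctl", "pid": 6200, "ioctl": 0x900A8},   # type 0x9 (file system), not disk
    {"ts": 7, "kind": "ioctl", "pid": 7000, "ioctl": 0x70000},   # no prior watched open
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Legitimate disk-management and backup tooling also opens raw disk objects and issues disk-class IOCTLs, so baseline the images seen in production and exclude known administrative tools before turning this into a paging alert.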
Why This Matters in Operational Environments
ORCA G2 is often deployed in operational, navigation, or industrial contexts, meaning:
- Downtime has real-world safety impact
- Data integrity is mission-critical
- SYSTEM-level compromise may affect connected systems
This vulnerability breaks the trust boundary between user mode and kernel mode, which is one of the most critical security boundaries in Windows.
Remediation
Official Fix (Recommended)
SevenCs has released an official patch correcting the Security Descriptor handling by:
- Defining an explicit restrictive DACL
- Limiting access to SYSTEM and trusted service accounts
- Preventing raw device access from user-mode processes
Official Patch Link: Obtain the update directly from SevenCs customer support or the official update portal.
Temporary Mitigations (If Patch Cannot Be Applied Immediately)
- Restrict local user access on affected systems
- Monitor for unauthorized device access
- Use EDR rules to block raw disk IO from user processes
- Disable unnecessary ORCA G2 services if operationally possible
Current Exploit Status
- No public PoC available
- No known exploitation in the wild
- High likelihood of weaponization due to simplicity
Given the low complexity and high impact, this vulnerability should be considered high-risk even without a public exploit.
Final Assessment
CVE-2025-64699 is a textbook example of why access control mistakes in SYSTEM-level services are dangerous. A single missing DACL transforms a trusted kernel interface into an open door for attackers.
Patch immediately. Monitor aggressively. Treat as a priority issue.
