CVE-2025-61303

CRITICAL

Hatching Triage Sandbox Windows 10 build 2004 and LTSC 2021 - Denial-of-Analysis via Recursive Child Process Spawning


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-61303. PoCs published by adminlove520, eGkritsis.

AI-analyzed exploit summary

The repository contains a scanner for CVE-2024-21762, which checks for the presence of the vulnerability in Fortinet SSL VPN interfaces. It includes Python scripts that send crafted HTTP requests to detect if a target is vulnerable.

Description

Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021 (2025-08-14) contain a vulnerability in the Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results.

Exploits (2)

github SCANNER 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-61303

The repository contains a scanner for CVE-2024-21762, which checks for the presence of the vulnerability in Fortinet SSL VPN interfaces. It includes Python scripts that send crafted HTTP requests to detect if a target is vulnerable.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Fortinet SSL VPN
No auth needed
Prerequisites: network access to the target Fortinet SSL VPN interface
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 2 stars
by eGkritsis · poc
https://github.com/eGkritsis/CVE-2025-61303

This PoC demonstrates a denial-of-analysis vulnerability in RecordedFuture Triage's Windows behavioral analysis engine by recursively spawning child processes to exhaust system resources, leading to incomplete or missing telemetry. The exploit culminates in a PowerShell reverse-shell stage, which is not recorded in vulnerable configurations.

Classification
Working PoC 95%
Attack Type
DoS
Complexity
Moderate
Reliability
Reliable
Target: RecordedFuture Triage (Dynamic Analysis Platform) - Windows Behavioral Analysis Engine
No auth needed
Prerequisites: Access to submit a malware sample to RecordedFuture Triage · A vulnerable Windows 10 sandbox environment (build 2004 or LTSC 2021)
devstral-2 · analyzed Feb 16, 2026

References (1)


Scores

CVSS v3 9.8
EPSS 0.0038
EPSS Percentile 29.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-400
Status published
Published Oct 20, 2025
Tracked Since Feb 18, 2026