CVE-2025-66575

HIGH

VeeVPN 1.6.1 - Code Injection

Title source: llm

Description

VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. Attackers can exploit this by providing a malicious service name, allowing them to inject commands and run as LocalSystem.

Exploits (1)

exploitdb WRITEUP
by Doğukan Orhan · text · local · windows
https://www.exploit-db.com/exploits/52088

Scores

CVSS v3: 7.8
EPSS: 0.0019
EPSS Percentile: 40.6%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-428
Status: published
Products (1): veepn/veepn 1.6.1
Published: Dec 04, 2025
Tracked Since: Feb 18, 2026