📄 الوصف (الإنجليزية)
Easy-Hide-IP 5.0.0.3 contains an unquoted service path vulnerability in the EasyRedirect service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in 'C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe' to inject malicious executables and escalate privileges.
🤖 ملخص AI
CVE-2019-25273 is a local privilege escalation vulnerability in Easy-Hide-IP 5.0.0.3 affecting the EasyRedirect service through an unquoted service path. Attackers with local access can inject malicious executables into the service path to execute arbitrary code with elevated privileges. While no public exploit is available, the vulnerability poses a significant risk to organizations using this VPN/proxy software, particularly in environments with shared or compromised user accounts.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 27, 2026 00:54
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability primarily impacts Saudi organizations using Easy-Hide-IP for employee privacy or corporate VPN purposes. Most at-risk sectors include: (1) Banking and Financial Services (SAMA-regulated entities) where employees may use such tools; (2) Government agencies and ministries using legacy privacy solutions; (3) Telecommunications companies (STC, Mobily, Zain) with IT infrastructure; (4) Healthcare organizations (MOH facilities) with shared workstations; (5) Energy sector (ARAMCO, SAECO) with contractor access. The local privilege escalation nature makes it particularly dangerous in environments with shared computers or contractor access.
🏢 القطاعات السعودية المتأثرة
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
Education
Insurance
🎯 تقنيات MITRE ATT&CK
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.011 - Boot or Logon Autostart Execution: Services
T1134.003 - Access Token Manipulation: Make and Impersonate Token
T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt
T1036.003 - Masquerading: Rename System Utilities
T1574.008 - Hijack Execution Flow: DLL Search Order Hijacking
T1574.010 - Hijack Execution Flow: Services File Permissions Weakness
⚖️ درجة المخاطر السعودية (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all systems running Easy-Hide-IP 5.0.0.3 across the organization using asset management tools
2. Restrict local administrative access and enforce principle of least privilege
3. Implement application whitelisting to prevent unauthorized executable execution in Program Files directories
Patching Guidance:
1. Upgrade Easy-Hide-IP to version 5.0.0.4 or later immediately
2. If upgrade is not immediately possible, uninstall Easy-Hide-IP and use alternative VPN solutions
3. Verify patch installation by checking service path configuration: sc qc EasyRedirect (should show quoted path)
Compensating Controls:
1. Implement file integrity monitoring (FIM) on C:\Program Files\Easy-Hide-IP\ directory
2. Deploy endpoint detection and response (EDR) solutions to monitor service creation and privilege escalation attempts
3. Restrict local logon rights to authorized personnel only
4. Enable Windows Event Log monitoring for service modifications (Event ID 7045)
Detection Rules:
1. Monitor for unquoted service paths: Get-WmiObject win32_service | Where-Object {$_.PathName -notmatch '\"'}
2. Alert on executable creation in Easy-Hide-IP directory with different hash than original
3. Monitor for EasyRedirect service restart or modification events
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تقوم بتشغيل Easy-Hide-IP 5.0.0.3 عبر المنظمة باستخدام أدوات إدارة الأصول
2. تقييد الوصول الإداري المحلي وفرض مبدأ الامتياز الأدنى
3. تنفيذ قائمة بيضاء للتطبيقات لمنع تنفيذ ملفات تنفيذية غير مصرح بها في أدلة Program Files
إرشادات التصحيح:
1. ترقية Easy-Hide-IP إلى الإصدار 5.0.0.4 أو أحدث فوراً
2. إذا لم تكن الترقية ممكنة على الفور، قم بإلغاء تثبيت Easy-Hide-IP واستخدم حلول VPN بديلة
3. التحقق من تثبيت التصحيح بفحص تكوين مسار الخدمة
الضوابط البديلة:
1. تنفيذ مراقبة سلامة الملفات على دليل Easy-Hide-IP
2. نشر حلول الكشف والاستجابة على نقاط النهاية لمراقبة محاولات تصعيد الامتيازات
3. تقييد حقوق تسجيل الدخول المحلي للموظفين المصرح لهم فقط
4. تفعيل مراقبة سجل أحداث Windows لتعديلات الخدمة
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.5.2.1 - User access management
A.5.2.2 - Privileged access rights
A.5.2.3 - User access review
A.8.1.1 - User endpoint devices
A.8.1.3 - Asset management
A.8.2.1 - Classification of information
A.8.3.1 - Handling of removable media
🔵 SAMA CSF
ID.AM-1 - Physical devices and software assets are inventoried
ID.AM-2 - Software platforms and applications are inventoried
PR.AC-1 - Identities and credentials are issued and managed
PR.AC-2 - Physical access is managed
PR.AC-3 - Remote access is managed
PR.AC-4 - Access rights and privileges are managed
DE.CM-1 - The network is monitored for unauthorized connections
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.5.2.1 - User registration and de-registration
A.5.2.2 - User access provisioning
A.5.2.3 - Management of privileged access rights
A.5.2.4 - Management of secret authentication information
A.8.1.1 - Inventory of assets
A.8.1.3 - Asset management
A.8.1.4 - Acceptable use of assets
A.8.3.1 - Handling of removable media