CVE-2025-61303
Published: 20 October 2025
Description
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Security Summary
CVE-2025-61303, published on 2025-10-20, is a vulnerability in the Windows behavioral analysis engine of Hatching Triage Sandbox running on Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021 (2025-08-14). The issue, tied to CWE-400 (Uncontrolled Resource Consumption), enables a submitted malware sample to evade detection and induce a denial-of-analysis condition. This occurs when the sample recursively spawns a large number of child processes, producing excessive log volume and depleting system resources, which prevents key malicious behaviors—such as PowerShell execution and reverse shell activity—from being recorded or reported, thereby undermining the reliability of sandbox analysis.
Any unauthenticated attacker with network access to the sandbox can exploit this vulnerability, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By crafting and submitting a malware sample that triggers rapid, recursive process creation, the attacker causes resource exhaustion in the analysis engine. The result is incomplete behavioral logging, evasion of detection for the sample's subsequent malicious actions, and denial of service for analysis operations, which can mislead security analysts and allow threats to go unnoticed.
Mitigation details are available in the referenced advisory at https://github.com/eGkritsis/CVE-2025-61303.
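As an added defender-side example (not code from the advisory, from Hatching Triage, or from the referenced repository), the check below post-processes a constructed sandbox process-creation log and flags a report whose process tree shows the recursive mass-spawn pattern described above, so an analyst treats the behavioral log as potentially incomplete rather than as a clean result. The thresholds and the event format `(pid, ppid, image)` are assumptions.

```python
"""Flag sandbox reports whose process tree suggests denial-of-analysis.

A report with a very large or very wide process tree may have exhausted the
analysis engine, so behaviours that occurred late (e.g. PowerShell execution)
may simply be missing from the log. Thresholds below are assumed defaults.
"""
from collections import defaultdict

# Constructed sample log of an ordinary detonation: (pid, ppid, image).
BENIGN_RUN = [
    (100, 1, "explorer.exe"),
    (200, 100, "sample.exe"),
    (201, 200, "cmd.exe"),
    (202, 201, "powershell.exe"),
]

def make_spawn_storm(root_pid=200, children=10, depth=3):
    """Constructed log in which every process spawns `children` copies of
    itself, `depth` levels deep, mimicking the recursive-spawn pattern."""
    events = [(100, 1, "explorer.exe"), (root_pid, 100, "sample.exe")]
    frontier, next_pid = [root_pid], root_pid + 1
    for _ in range(depth):
        new_frontier = []
        for ppid in frontier:
            for _ in range(children):
                events.append((next_pid, ppid, "sample.exe"))
                new_frontier.append(next_pid)
                next_pid += 1
        frontier = new_frontier
    return events

def assess_process_tree(events, max_total=200, max_fanout=25, max_depth=8):
    """Return tree metrics and a risk flag for a non-empty event list."""
    children, parent = defaultdict(list), {}
    for pid, ppid, _image in events:
        children[ppid].append(pid)
        parent[pid] = ppid

    def depth(pid):  # number of ancestors recorded in the log
        d = 0
        while pid in parent:
            pid, d = parent[pid], d + 1
        return d

    widest_parent, widest = max(((p, len(c)) for p, c in children.items()),
                                key=lambda item: item[1])
    deepest = max(depth(pid) for pid, _, _ in events)
    total = len(events)
    return {
        "total": total, "max_fanout": widest, "max_fanout_parent": widest_parent,
        "max_depth": deepest,
        # Any single exceeded bound means the log may be truncated by exhaustion.
        "denial_of_analysis_risk": total > max_total or widest > max_fanout
                                   or deepest > max_depth,
    }
```

Reports that come back flagged should be re-run with a process-count cap or reviewed manually rather than accepted as evidence that no PowerShell or network activity occurred.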
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
MITRE ATT&CK Enterprise Techniques
- T1499.001 (OS Exhaustion Flood)
- T1211 (Exploitation for Defense Evasion)
Why these techniques?
The vulnerability is exploited by spawning excessive child processes to deplete resources and overwhelm the sandbox analysis engine (CWE-400), directly enabling T1499.001 (OS Exhaustion Flood) and T1211 (Exploitation for Defense Evasion) to mask malicious behaviors.