CVE-2019-25568
Memu Play · Memu Play
Memu Play 6.0.7 contains an insecure file permissions flaw allowing low-privilege users to escalate to SYSTEM privileges by overwriting the MemuService.exe binary in the installation directory.
Executive summary
A critical privilege escalation vulnerability in Memu Play allows local users with minimal permissions to gain full system-level control by replacing a core service executable.
Vulnerability
This vulnerability stems from insecure file system permissions within the application's installation directory. A local, authenticated attacker with low privileges can rename or overwrite the MemuService.exe file with a malicious payload, which is subsequently executed with SYSTEM-level authority upon the next service restart or system reboot.
Business impact
A successful exploit results in a total compromise of the affected workstation's integrity and confidentiality. By achieving SYSTEM privileges, an attacker can install persistent malware, bypass security controls, and access sensitive data stored on the machine. The CVSS score of 9.8 reflects the critical nature of this flaw, as it provides a reliable path for local lateral movement and complete system takeover.
Remediation
Immediate Action: Update Memu Play to the latest available version immediately to ensure file permissions are correctly hardened.
Proactive Monitoring: Monitor for unauthorized modifications to files within the C:\Program Files\Microvirt\MEmu (or equivalent) directory and audit service restart events for unexpected binary execution.
Compensating Controls: Implement Endpoint Detection and Response (EDR) solutions to detect and block the execution of unsigned or suspicious binaries originating from service-related directories.
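The Vulnerability section above describes the underlying condition (a service that runs as SYSTEM but whose binary or install directory can be written by any low-privilege local user), and the Remediation section asks defenders to watch that directory. The PowerShell audit below is an added example, not code from this advisory or from Memu Play: it reads the ACLs on the install directory named above and on MemuService.exe, reports any Allow entry that grants write-class rights to a principal every local user belongs to, and shows which account the matching service runs under. The install path is the one given in the advisory; locating the service by matching its PathName against MemuService.exe is an assumption, since the page does not state the service name.

```powershell
# Added example, not taken from the advisory or from Memu Play's own code.
# Audits a service install directory and binary for ACL entries that grant
# write-class rights to low-privilege principals (the condition behind
# CVE-2019-25568). The install path comes from the advisory; finding the
# service by its binary name is an assumption.

param(
    [string]$InstallDir = 'C:\Program Files\Microvirt\MEmu',
    [string]$BinaryName = 'MemuService.exe'
)

# Groups that every local, low-privilege user is a member of.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller replace, rename or delete the file, or add/remove
# entries in the directory. Inherited ACEs may also carry generic rights
# (GENERIC_WRITE / GENERIC_ALL), which are not FileSystemRights members,
# so they are OR-ed into the mask as raw bits.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::DeleteSubdirectoriesAndFiles -bor $fsr::ChangePermissions -bor
                   $fsr::TakeOwnership -bor $fsr::Write -bor $fsr::Modify -bor $fsr::FullControl)
$genericWrite = 0x40000000
$genericAll   = 0x10000000
$writeMask = $writeMask -bor $genericWrite -bor $genericAll

function Get-WeakFileAce {
    # Emits one object per Allow ACE that gives a low-privilege principal
    # any write-class right on $Path; emits nothing when the ACL is sound.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $principal = $ace.IdentityReference.Value
        if ($lowPrivPrincipals -notcontains $principal) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $principal
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Report which account the service runs as (assumption: its PathName
# contains the binary name from the advisory).
$service = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$BinaryName*" } |
    Select-Object -First 1

if ($service) {
    "Service '$($service.Name)' runs as '$($service.StartName)' from $($service.PathName)"
} else {
    Write-Warning "No service with a PathName containing $BinaryName was found."
}

# Check both the directory (rename/replace via the parent) and the binary itself.
$findings = @(
    $InstallDir, (Join-Path $InstallDir $BinaryName) |
        ForEach-Object { Get-WeakFileAce -Path $_ }
)

if ($findings.Count -eq 0) {
    "No write-class rights for low-privilege principals on $InstallDir or $BinaryName."
} else {
    "Write-class rights granted to low-privilege principals on a SYSTEM service's files:"
    $findings | Format-Table -AutoSize
}
```

On a correctly hardened installation the low-privilege groups should hold at most ReadAndExecute on both the directory and the binary, so the script prints only the service line. Any row in the findings table identifies the exact ACE to remove (for example with icacls or Set-Acl) and is the same condition the Proactive Monitoring item above asks to watch for; the script can be scheduled after updates to confirm the vendor's fix actually changed the permissions.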
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this privilege escalation vulnerability necessitates immediate remediation. Organizations should prioritize updating all Memu Play installations to the latest version. Failure to address this flaw allows any user on a multi-user system to gain administrative control, significantly increasing the risk of ransomware deployment and internal data theft.