Vulnerability Description
A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName' parameter of the 'changeMTU' function. Fixed in Windscribe v2.18.3-alpha and v2.18.8.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Windscribe | Windscribe | >= 2.10.1, <= 2.17.10 |
Related Weaknesses (CWE)
References
- https://github.com/Windscribe/Desktop-AppProduct
- https://github.com/Windscribe/Desktop-App/compare/v2.18.2...v2.18.3?diff=unifiedPatch
- https://github.com/Windscribe/Desktop-App/compare/v2.18.2...v2.18.3?diff=unifiedPatch
- https://hackingbydoing.wixsite.com/hackingbydoing/post/windscribe-vpn-local-privExploitPress/Media CoverageThird Party Advisory
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/Third Party Advisory
- https://www.cve.org/CVERecord?id=CVE-2025-65199Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2025-65199?
CVE-2025-65199 is a vulnerability with a CVSS score of 7.8 (HIGH). A command injection vulnerability exists in Windscribe for Linux Desktop App that allows a local user who is a member of the windscribe group to execute arbitrary commands as root via the 'adapterName...
How severe is CVE-2025-65199?
CVE-2025-65199 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-65199?
Check the references section above for vendor advisories and patch information. Affected products include: Windscribe Windscribe.