Skip to content
Threat Feed
high advisory

MEmu Android Emulator 9.2.7.0 Local Privilege Escalation

A local privilege escalation vulnerability (CVE-2026-36213) in MEmu Android Emulator 9.2.7.0 allows a low-privileged user to replace the 'MemuService.exe' binary due to insecure NTFS permissions, leading to arbitrary code execution with NT AUTHORITY\SYSTEM privileges upon service restart.

A critical local privilege escalation (LPE) vulnerability, tracked as CVE-2026-36213, has been identified and publicly disclosed in MEmu Android Emulator version 9.2.7.0. The flaw stems from insecure NTFS permissions applied to the MemuService.exe binary, located at C:\Program Files\Microvirt\MEmu\MemuService.exe. This Windows service, named "MEmuSVC", operates with NT AUTHORITY\SYSTEM privileges. Due to FullControl permissions granted to low-privileged groups such as BUILTIN\Users and Everyone on the service binary, any local user can replace it with a malicious executable. Once replaced, restarting the "MEmuSVC" service will trigger the execution of the attacker's code with SYSTEM-level privileges, enabling full system compromise. The availability of a public exploit on Exploit-DB (EDB-52615) significantly increases the urgency for remediation for all users of the affected software.

Attack Chain

  1. Initial Access: A low-privileged attacker gains local access to a Windows system running MEmu Android Emulator 9.2.7.0.
  2. Vulnerability Identification: The attacker identifies the MEmuSVC service running with NT AUTHORITY\SYSTEM privileges and its associated binary C:\Program Files\Microvirt\MEmu\MemuService.exe.
  3. Permission Check: The attacker verifies the insecure NTFS permissions on MemuService.exe (e.g., using icacls), confirming that BUILTIN\Users or Everyone have FullControl access.
  4. Payload Creation: The attacker crafts a malicious executable (e.g., payload.exe) designed to perform actions like creating a new administrative user or establishing persistence.
  5. Binary Replacement: The attacker exploits the insecure permissions to replace the legitimate C:\Program Files\Microvirt\MEmu\MemuService.exe with their payload.exe.
  6. Service Control: The attacker stops the MEmuSVC service using sc stop MEmuSVC.
  7. Privilege Escalation: The attacker starts the MEmuSVC service using sc start MEmuSVC, which executes the malicious payload.exe with NT AUTHORITY\SYSTEM privileges.
  8. Impact: The malicious payload successfully executes, granting the attacker SYSTEM-level control over the compromised system.

Impact

Successful exploitation of CVE-2026-36213 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM, granting complete control over the compromised Windows system. This level of access enables attackers to install malware, modify system configurations, access sensitive data, create new administrative accounts, and potentially move laterally within the network. While the source does not specify victim counts or targeted sectors, any organization or individual using the vulnerable MEmu Android Emulator is at risk of full system compromise if an attacker gains initial local access.

Recommendation

  • Patch Immediately: Update MEmu Android Emulator to a patched version that addresses CVE-2026-36213 as soon as one is available from Microvirt.
  • File Integrity Monitoring: Deploy file integrity monitoring (FIM) on C:\Program Files\Microvirt\MEmu\MemuService.exe to detect unauthorized modifications.
  • Endpoint Detection: Deploy the Sigma rules provided in this brief to your SIEM/EDR to detect attempts to replace the service binary or manipulate the MEmuSVC service.
  • Sysmon Logging: Enable Sysmon process creation (Event ID 1) and file creation/modification (Event ID 11) logging to activate the detection rules.

Detection coverage 2

Detects CVE-2026-36213 Exploitation — MEmuSVC Service Control

high

Detects CVE-2026-36213 exploitation — attempts to stop and start the 'MEmuSVC' service using 'sc.exe' which may indicate an attempt to trigger a malicious service binary.

sigma tactics: execution, privilege_escalation techniques: T1059.003, T1543.003 sources: process_creation, windows

Detects CVE-2026-36213 Exploitation — MEmuService.exe Binary Modification

high

Detects CVE-2026-36213 exploitation — unauthorized modification of the 'MemuService.exe' binary, indicating an attempt to replace the legitimate service executable with a malicious payload.

sigma tactics: persistence, privilege_escalation techniques: T1543.003 sources: file_event, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

domain

1

file_path

2

url

TypeValue
domainmemuplay.com
urlhttps://www.memuplay.com/download.html
file_pathC:\Program Files\Microvirt\MEmu\MemuService.exe
urlhttps://github.com/sec-zone/Hijack-service-binaries