MEmu Android Emulator 9.2.7.0 Local Privilege Escalation
A local privilege escalation vulnerability (CVE-2026-36213) in MEmu Android Emulator 9.2.7.0 allows a low-privileged user to replace the 'MemuService.exe' binary due to insecure NTFS permissions, leading to arbitrary code execution with NT AUTHORITY\SYSTEM privileges upon service restart.
A critical local privilege escalation (LPE) vulnerability, tracked as CVE-2026-36213, has been identified and publicly disclosed in MEmu Android Emulator version 9.2.7.0. The flaw stems from insecure NTFS permissions applied to the MemuService.exe binary, located at C:\Program Files\Microvirt\MEmu\MemuService.exe. This Windows service, named "MEmuSVC", operates with NT AUTHORITY\SYSTEM privileges. Due to FullControl permissions granted to low-privileged groups such as BUILTIN\Users and Everyone on the service binary, any local user can replace it with a malicious executable. Once replaced, restarting the "MEmuSVC" service will trigger the execution of the attacker's code with SYSTEM-level privileges, enabling full system compromise. The availability of a public exploit on Exploit-DB (EDB-52615) significantly increases the urgency for remediation for all users of the affected software.
Attack Chain
- Initial Access: A low-privileged attacker gains local access to a Windows system running MEmu Android Emulator 9.2.7.0.
- Vulnerability Identification: The attacker identifies the
MEmuSVCservice running withNT AUTHORITY\SYSTEMprivileges and its associated binaryC:\Program Files\Microvirt\MEmu\MemuService.exe. - Permission Check: The attacker verifies the insecure NTFS permissions on
MemuService.exe(e.g., usingicacls), confirming thatBUILTIN\UsersorEveryonehave FullControl access. - Payload Creation: The attacker crafts a malicious executable (e.g.,
payload.exe) designed to perform actions like creating a new administrative user or establishing persistence. - Binary Replacement: The attacker exploits the insecure permissions to replace the legitimate
C:\Program Files\Microvirt\MEmu\MemuService.exewith theirpayload.exe. - Service Control: The attacker stops the
MEmuSVCservice usingsc stop MEmuSVC. - Privilege Escalation: The attacker starts the
MEmuSVCservice usingsc start MEmuSVC, which executes the maliciouspayload.exewithNT AUTHORITY\SYSTEMprivileges. - Impact: The malicious payload successfully executes, granting the attacker SYSTEM-level control over the compromised system.
Impact
Successful exploitation of CVE-2026-36213 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM, granting complete control over the compromised Windows system. This level of access enables attackers to install malware, modify system configurations, access sensitive data, create new administrative accounts, and potentially move laterally within the network. While the source does not specify victim counts or targeted sectors, any organization or individual using the vulnerable MEmu Android Emulator is at risk of full system compromise if an attacker gains initial local access.
Recommendation
- Patch Immediately: Update MEmu Android Emulator to a patched version that addresses CVE-2026-36213 as soon as one is available from Microvirt.
- File Integrity Monitoring: Deploy file integrity monitoring (FIM) on
C:\Program Files\Microvirt\MEmu\MemuService.exeto detect unauthorized modifications. - Endpoint Detection: Deploy the Sigma rules provided in this brief to your SIEM/EDR to detect attempts to replace the service binary or manipulate the
MEmuSVCservice. - Sysmon Logging: Enable Sysmon process creation (Event ID 1) and file creation/modification (Event ID 11) logging to activate the detection rules.
Detection coverage 2
Detects CVE-2026-36213 Exploitation — MEmuSVC Service Control
highDetects CVE-2026-36213 exploitation — attempts to stop and start the 'MEmuSVC' service using 'sc.exe' which may indicate an attempt to trigger a malicious service binary.
Detects CVE-2026-36213 Exploitation — MEmuService.exe Binary Modification
highDetects CVE-2026-36213 exploitation — unauthorized modification of the 'MemuService.exe' binary, indicating an attempt to replace the legitimate service executable with a malicious payload.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
1
domain
1
file_path
2
url
| Type | Value |
|---|---|
| domain | memuplay.com |
| url | https://www.memuplay.com/download.html |
| file_path | C:\Program Files\Microvirt\MEmu\MemuService.exe |
| url | https://github.com/sec-zone/Hijack-service-binaries |