<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Emulator - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/emulator/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 13:33:45 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/emulator/feed.xml" rel="self" type="application/rss+xml"/><item><title>MEmu Android Emulator 9.2.7.0 Local Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2026-07-memu-lpe/</link><pubDate>Mon, 06 Jul 2026 13:33:45 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-memu-lpe/</guid><description>A local privilege escalation vulnerability (CVE-2026-36213) in MEmu Android Emulator 9.2.7.0 allows a low-privileged user to replace the 'MemuService.exe' binary due to insecure NTFS permissions, leading to arbitrary code execution with NT AUTHORITY\SYSTEM privileges upon service restart.</description><content:encoded><![CDATA[<p>A critical local privilege escalation (LPE) vulnerability, tracked as CVE-2026-36213, has been identified and publicly disclosed in MEmu Android Emulator version 9.2.7.0. The flaw stems from insecure NTFS permissions applied to the <code>MemuService.exe</code> binary, located at <code>C:\Program Files\Microvirt\MEmu\MemuService.exe</code>. This Windows service, named &quot;MEmuSVC&quot;, operates with <code>NT AUTHORITY\SYSTEM</code> privileges. Due to FullControl permissions granted to low-privileged groups such as <code>BUILTIN\Users</code> and <code>Everyone</code> on the service binary, any local user can replace it with a malicious executable. Once replaced, restarting the &quot;MEmuSVC&quot; service will trigger the execution of the attacker's code with SYSTEM-level privileges, enabling full system compromise. The availability of a public exploit on Exploit-DB (<a href="https://www.exploit-db.com/exploits/52615">EDB-52615</a>) significantly increases the urgency for remediation for all users of the affected software.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: A low-privileged attacker gains local access to a Windows system running MEmu Android Emulator 9.2.7.0.</li>
<li><strong>Vulnerability Identification</strong>: The attacker identifies the <code>MEmuSVC</code> service running with <code>NT AUTHORITY\SYSTEM</code> privileges and its associated binary <code>C:\Program Files\Microvirt\MEmu\MemuService.exe</code>.</li>
<li><strong>Permission Check</strong>: The attacker verifies the insecure NTFS permissions on <code>MemuService.exe</code> (e.g., using <code>icacls</code>), confirming that <code>BUILTIN\Users</code> or <code>Everyone</code> have FullControl access.</li>
<li><strong>Payload Creation</strong>: The attacker crafts a malicious executable (e.g., <code>payload.exe</code>) designed to perform actions like creating a new administrative user or establishing persistence.</li>
<li><strong>Binary Replacement</strong>: The attacker exploits the insecure permissions to replace the legitimate <code>C:\Program Files\Microvirt\MEmu\MemuService.exe</code> with their <code>payload.exe</code>.</li>
<li><strong>Service Control</strong>: The attacker stops the <code>MEmuSVC</code> service using <code>sc stop MEmuSVC</code>.</li>
<li><strong>Privilege Escalation</strong>: The attacker starts the <code>MEmuSVC</code> service using <code>sc start MEmuSVC</code>, which executes the malicious <code>payload.exe</code> with <code>NT AUTHORITY\SYSTEM</code> privileges.</li>
<li><strong>Impact</strong>: The malicious payload successfully executes, granting the attacker SYSTEM-level control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-36213 allows a local attacker to escalate privileges to <code>NT AUTHORITY\SYSTEM</code>, granting complete control over the compromised Windows system. This level of access enables attackers to install malware, modify system configurations, access sensitive data, create new administrative accounts, and potentially move laterally within the network. While the source does not specify victim counts or targeted sectors, any organization or individual using the vulnerable MEmu Android Emulator is at risk of full system compromise if an attacker gains initial local access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch Immediately</strong>: Update MEmu Android Emulator to a patched version that addresses CVE-2026-36213 as soon as one is available from Microvirt.</li>
<li><strong>File Integrity Monitoring</strong>: Deploy file integrity monitoring (FIM) on <code>C:\Program Files\Microvirt\MEmu\MemuService.exe</code> to detect unauthorized modifications.</li>
<li><strong>Endpoint Detection</strong>: Deploy the Sigma rules provided in this brief to your SIEM/EDR to detect attempts to replace the service binary or manipulate the <code>MEmuSVC</code> service.</li>
<li><strong>Sysmon Logging</strong>: Enable Sysmon process creation (Event ID 1) and file creation/modification (Event ID 11) logging to activate the detection rules.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>windows</category><category>emulator</category><category>lpe</category></item></channel></rss>