{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/microvirt/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-36213"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MEmu Android Emulator 9.2.7.0"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","emulator","lpe"],"_cs_type":"advisory","_cs_vendors":["Microvirt"],"content_html":"\u003cp\u003eA critical local privilege escalation (LPE) vulnerability, tracked as CVE-2026-36213, has been identified and publicly disclosed in MEmu Android Emulator version 9.2.7.0. The flaw stems from insecure NTFS permissions applied to the \u003ccode\u003eMemuService.exe\u003c/code\u003e binary, located at \u003ccode\u003eC:\\Program Files\\Microvirt\\MEmu\\MemuService.exe\u003c/code\u003e. This Windows service, named \u0026quot;MEmuSVC\u0026quot;, operates with \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e privileges. Due to FullControl permissions granted to low-privileged groups such as \u003ccode\u003eBUILTIN\\Users\u003c/code\u003e and \u003ccode\u003eEveryone\u003c/code\u003e on the service binary, any local user can replace it with a malicious executable. Once replaced, restarting the \u0026quot;MEmuSVC\u0026quot; service will trigger the execution of the attacker's code with SYSTEM-level privileges, enabling full system compromise. The availability of a public exploit on Exploit-DB (\u003ca href=\"https://www.exploit-db.com/exploits/52615\"\u003eEDB-52615\u003c/a\u003e) significantly increases the urgency for remediation for all users of the affected software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A low-privileged attacker gains local access to a Windows system running MEmu Android Emulator 9.2.7.0.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker identifies the \u003ccode\u003eMEmuSVC\u003c/code\u003e service running with \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e privileges and its associated binary \u003ccode\u003eC:\\Program Files\\Microvirt\\MEmu\\MemuService.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePermission Check\u003c/strong\u003e: The attacker verifies the insecure NTFS permissions on \u003ccode\u003eMemuService.exe\u003c/code\u003e (e.g., using \u003ccode\u003eicacls\u003c/code\u003e), confirming that \u003ccode\u003eBUILTIN\\Users\u003c/code\u003e or \u003ccode\u003eEveryone\u003c/code\u003e have FullControl access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Creation\u003c/strong\u003e: The attacker crafts a malicious executable (e.g., \u003ccode\u003epayload.exe\u003c/code\u003e) designed to perform actions like creating a new administrative user or establishing persistence.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBinary Replacement\u003c/strong\u003e: The attacker exploits the insecure permissions to replace the legitimate \u003ccode\u003eC:\\Program Files\\Microvirt\\MEmu\\MemuService.exe\u003c/code\u003e with their \u003ccode\u003epayload.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Control\u003c/strong\u003e: The attacker stops the \u003ccode\u003eMEmuSVC\u003c/code\u003e service using \u003ccode\u003esc stop MEmuSVC\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: The attacker starts the \u003ccode\u003eMEmuSVC\u003c/code\u003e service using \u003ccode\u003esc start MEmuSVC\u003c/code\u003e, which executes the malicious \u003ccode\u003epayload.exe\u003c/code\u003e with \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The malicious payload successfully executes, granting the attacker SYSTEM-level control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-36213 allows a local attacker to escalate privileges to \u003ccode\u003eNT AUTHORITY\\SYSTEM\u003c/code\u003e, granting complete control over the compromised Windows system. This level of access enables attackers to install malware, modify system configurations, access sensitive data, create new administrative accounts, and potentially move laterally within the network. While the source does not specify victim counts or targeted sectors, any organization or individual using the vulnerable MEmu Android Emulator is at risk of full system compromise if an attacker gains initial local access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Immediately\u003c/strong\u003e: Update MEmu Android Emulator to a patched version that addresses CVE-2026-36213 as soon as one is available from Microvirt.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFile Integrity Monitoring\u003c/strong\u003e: Deploy file integrity monitoring (FIM) on \u003ccode\u003eC:\\Program Files\\Microvirt\\MEmu\\MemuService.exe\u003c/code\u003e to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEndpoint Detection\u003c/strong\u003e: Deploy the Sigma rules provided in this brief to your SIEM/EDR to detect attempts to replace the service binary or manipulate the \u003ccode\u003eMEmuSVC\u003c/code\u003e service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSysmon Logging\u003c/strong\u003e: Enable Sysmon process creation (Event ID 1) and file creation/modification (Event ID 11) logging to activate the detection rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T13:33:45Z","date_published":"2026-07-06T13:33:45Z","id":"https://feed.craftedsignal.io/briefs/2026-07-memu-lpe/","summary":"A local privilege escalation vulnerability (CVE-2026-36213) in MEmu Android Emulator 9.2.7.0 allows a low-privileged user to replace the 'MemuService.exe' binary due to insecure NTFS permissions, leading to arbitrary code execution with NT AUTHORITY\\SYSTEM privileges upon service restart.","title":"MEmu Android Emulator 9.2.7.0 Local Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-memu-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed - Microvirt","version":"https://jsonfeed.org/version/1.1"}