CVE-2025-66575 HIGH

CVE-2025-66575: VeeVPN 1.6.1 - Unquoted Service Path Remote Code Execution

Vendor Veepn
Product VeeVPN
Weakness CWE-428
Published December 4, 2025
Last update December 5, 2025

CVSS base score

8.5/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P

What the vulnerability does

01 Description

VeeVPN 1.6.1 contains an unquoted service path vulnerability in the VeePNService that allows remote attackers to execute code during startup or reboot with escalated privileges. Attackers can exploit this by providing a malicious service name, allowing them to inject commands and run as LocalSystem.
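A defender-side check for this weakness class (CWE-428), as an added example that is not part of the original record or the vendor's code: it flags service ImagePath values whose executable path contains a space and is not wrapped in quotes. The service names, paths and environment values below are constructed samples; the record does not give the actual VeePNService path.

```python
import re

# Extensions that normally end the binary part of a service ImagePath.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

# Constructed environment values used to expand REG_EXPAND_SZ strings (assumption).
SAMPLE_ENV = {"programfiles": r"C:\Program Files", "systemroot": r"C:\Windows"}

def expand(image_path, env=SAMPLE_ENV):
    """Expand %VAR% references; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), image_path)

def binary_of(image_path, env=SAMPLE_ENV):
    """Return (binary_path, quoted) for an ImagePath, dropping arguments."""
    s = expand(image_path.strip(), env)
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    m = _EXE_END.search(s)
    # Without a recognizable extension, treat the whole string as the binary.
    return (s[:m.end()] if m else s), False

def is_unquoted_service_path(image_path, env=SAMPLE_ENV):
    """True when the binary path has a space and no surrounding quotes."""
    binary, quoted = binary_of(image_path, env)
    if quoted:
        return False
    # Kernel driver paths are loaded by the kernel, not launched as a process.
    if binary.lower().startswith(("\\systemroot\\", "\\??\\")):
        return False
    return " " in binary

def audit(services, env=SAMPLE_ENV):
    """Return the names of services whose ImagePath needs quoting."""
    return [n for n, p in services.items() if is_unquoted_service_path(p, env)]

# Constructed sample data: service name -> ImagePath as stored in the registry.
SAMPLE_SERVICES = {
    "ExampleVpnService": r"C:\Program Files (x86)\Example VPN\service\ExampleSvc.exe",
    "QuotedSvc": r'"C:\Program Files\Example\svc.exe" --run',
    "ArgsOnly": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    "EnvSvc": r"%ProgramFiles%\Example Agent\agent.exe /service",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print("unquoted service path:", name, "->", SAMPLE_SERVICES[name])
```

The fix for a flagged entry is to wrap the executable path in double quotes in the service configuration, leaving any arguments outside the quotes.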

Key dates

02 Disclosure timeline

December 4, 2025 CVE published
December 5, 2025 Record updated