Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results.
The vulnerability (CWE-400 — uncontrolled resource consumption) is triggered when an uploaded sample recursively creates a large number of child processes. This generates an extremely high volume of logs, which leads to exhaustion of the sandbox system resources. As a result, the behavioral analysis engine is unable to register or report all relevant events, resulting in an incomplete or misleading analysis report.
An attacker can deliver a malware sample that effectively hides its key activities (e.g., PowerShell execution, reverse shell activity) from security analysts, compromising the integrity and availability of sandbox analysis results. This leads to a false sense of security and may enable further malware propagation.
Apply patches available from the vendor according to the references. As a temporary measure, it is recommended to introduce limits on the number of child processes created in analyzed samples and monitor the volume of logs generated during analysis sessions.
Hatching Triage Sandbox in versions: Windows 10 build 2004 (update 2025-08-14) and Windows 10 LTSC 2021 (update 2025-08-14).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H