CVE-2025-64390: PlayStation 4 BD-J Sandbox Escape Privilege Escalation (Firmware 13.00-13.02)
PlayStation 4 consoles running firmware versions 13.00 through 13.02 are vulnerable to a privilege escalation attack that allows an attacker with local access to escape the Blu-ray Disc Java (BD-J) sandbox environment by crafting a malicious JAR file. Once the sandbox is bypassed, an attacker could gain elevated system privileges on the device, potentially leading to unauthorized access or control of the console.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.4 HIGH · CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-367
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A privilege escalation vulnerability exists in PlayStation 4 firmware versions 13.00 through 13.02. The BD-J (Blu-ray Disc Java) sandbox can be escaped through a malformed JAR file.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-64390 is a privilege escalation vulnerability affecting the BD-J (Blu-ray Disc Java) sandbox implementation in PlayStation 4 firmware versions 13.00 through 13.02. The vulnerability stems from improper handling of malformed JAR files, which can be exploited to escape sandbox restrictions and execute code with elevated privileges. The underlying weakness is classified under CWE-367 (Time-of-check Time-of-use race condition), indicating a potential race condition or validation bypass in the JAR file processing logic. The vulnerability requires local access to the system (AV:L) and involves high complexity exploitation (AC:H), but does not require user interaction or special privileges to trigger. Once successfully exploited, an attacker achieves high-impact compromise of confidentiality, integrity, and availability.
Business impact
This vulnerability poses a direct risk to PlayStation 4 console owners and enterprises that manage PS4 deployments for media, entertainment, or development purposes. Exploitation could result in unauthorized access to user data stored on the console, modification of system settings or games, or complete control of the device. For organizations using PS4 systems in production environments, this represents a local privilege escalation vector that could be chained with other exploits or misconfigurations to expand attack scope. The vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the latest update, but the technical mechanics and local-access requirement mean exploitation is feasible within controlled environments.
Affected systems
PlayStation 4 consoles running firmware version 13.00, 13.01, or 13.02 are affected. Users running earlier firmware versions or those who have updated to version 13.03 or later are not vulnerable to this specific issue. The vulnerability is local-only and requires either physical console access or prior compromise of a user account on the system to deliver the malicious JAR file.
Exploitability
While this vulnerability carries a HIGH CVSS score of 7.4, exploitation requires local system access and is not remotely exploitable over the network. An attacker must either have physical access to the PS4 or already have authenticated access to deliver and execute a malformed JAR file. The high complexity factor (AC:H) suggests that successful exploitation requires specific conditions or precise timing, potentially making ad-hoc attacks more difficult. However, motivated attackers with local access—such as a console owner or someone with brief physical access—could potentially weaponize this vector. The absence of user interaction requirements (UI:N) means no social engineering is necessary once local access is achieved.
Remediation
Sony has addressed this vulnerability in PlayStation 4 firmware versions released after 13.02. The primary remediation is to update the PS4 system to the latest available firmware. Users should enable automatic system updates in their console settings to ensure they receive security patches promptly. For organizations managing multiple PS4 systems, firmware updates should be deployed through centralized management tools or manual updates on an expedited schedule. Until patched, restrict physical and logical access to affected consoles, particularly in multi-user or shared environments.
Patch guidance
Verify the current firmware version of your PlayStation 4 by navigating to System Software Update in the console's settings. Any version 13.03 or later addresses this vulnerability; versions 13.00 through 13.02 remain at risk. To update: connect the PS4 to the internet, access Settings > System Software Update, and follow the on-screen prompts. Ensure the console remains powered and connected throughout the update process. For organizations, confirm the deployment of patched firmware across all managed devices and maintain an inventory of PS4 systems to track patch compliance.
Detection guidance
Monitor PlayStation 4 console logs and system events for unusual BD-J or Blu-ray application activity, particularly failed or abnormal JAR file loads. Review access logs for unauthorized privilege escalation events or unexpected process executions with elevated privileges. Network-level detection is limited due to the local-only attack vector, but organizations should monitor for anomalous behavior on PS4 systems, such as unexpected outbound connections or file system modifications. Firmware version audits across managed devices will confirm exposure. Consider implementing endpoint detection and response (EDR) tools if available for gaming console management in your environment.
Why prioritize this
This vulnerability warrants prompt attention due to its HIGH severity rating and the complete privilege escalation impact it enables. Although local access is required, PlayStation 4 systems are often used in shared household or office environments where physical access may be possible. The vulnerability affects currently supported firmware versions, and the absence of widespread public exploit code should not reduce urgency—the technical mechanics are straightforward enough that exploitation could be demonstrated by capable attackers. Organizations should prioritize patching as part of routine security maintenance, and consumers should enable automatic updates to receive fixes proactively.
Risk score, explained
The CVSS 3.1 score of 7.4 (HIGH) reflects a vulnerability with significant impact but limited attack scope. The local attack vector (AV:L) prevents widespread remote exploitation, lowering the score relative to network-exploitable flaws. However, the absence of privilege requirements (PR:N) and user interaction (UI:N), combined with high complexity (AC:H) and complete impact on confidentiality, integrity, and availability (C:H/I:H/A:H), positions this as a serious local privilege escalation. The score appropriately captures the risk: a motivated attacker with local access can achieve complete system compromise, making this a priority for patch management and access control policies.
Frequently asked questions
Can this vulnerability be exploited remotely over the internet?
No. The vulnerability requires local access to the PlayStation 4 console. An attacker must either have physical access to the device or already have authenticated user access to deliver and execute the malicious JAR file. It is not exploitable via network-based attacks.
What should I do if I own a PlayStation 4 running affected firmware?
Update your PS4 to the latest firmware version immediately. Go to Settings > System Software Update and connect to the internet to retrieve and install the latest patch. We recommend enabling automatic system updates to receive future security patches without manual intervention. There is no workaround for this vulnerability prior to patching.
Is there a public exploit available for this vulnerability?
As of the published vulnerability date, there is no indication that this flaw appears on CISA's Known Exploited Vulnerabilities catalog, and no widespread public exploit code has been disclosed. However, organizations and individuals should not rely on obscurity; patching remains the appropriate response.
Are other Sony gaming consoles affected?
Based on the available information, this vulnerability is specific to PlayStation 4 firmware versions 13.00 through 13.02. Other PlayStation platforms may have different vulnerability profiles and should be checked against vendor advisories independently.
This analysis is provided for informational purposes only and does not constitute professional security advice. Verify all version numbers, patch information, and remediation steps against official Sony PlayStation security advisories before taking action. SEC.co makes no warranty regarding the completeness or accuracy of derived recommendations. Organizations should conduct their own risk assessment based on their specific environment, data sensitivity, and exposure profile. This vulnerability does not appear on the CISA KEV catalog and is not confirmed to be actively exploited in the wild; however, local privilege escalation vulnerabilities should be treated as high priority in any vulnerability management program. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-25260HIGHQualcomm Firmware Memory Corruption Vulnerability
- CVE-2025-59610MEDIUMQualcomm Memory Corruption via IOCTL API Version Mismatch – Patch Guidance
- CVE-2026-20454MEDIUMMediaTek geniezone Race Condition Privilege Escalation (CVSS 6.4)
- CVE-2026-46159MEDIUMLinux btrfs TOCTOU Race Condition Information Disclosure
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface