Windows 11 DLL Flaws Open Doors to Privilege Escalation!
Summary
Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows, tracked as CVE-2025-24076 and CVE-2025-24994.
DLL hijacking is a technique that abuses how Windows applications locate and load DLLs: if a process loads a library from a path an attacker can write to, the attacker's code runs with that process's privileges.
| Field | Value |
|---|---|
| OEM | Windows |
| Severity | HIGH |
| CVSS Score | 7.3 |
| CVEs | CVE-2025-24994, CVE-2025-24076 |
| No. of Vulnerabilities Patched | 2 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that lets an unprivileged local user escalate privileges via a DLL hijacking attack, in the worse of the two cases to SYSTEM. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24076 | Windows | HIGH | 7.3 |
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24994 | Windows | HIGH | 7.3 |
Technical Summary
Both vulnerabilities arise because Windows 11's "Mobile devices" functionality loads a DLL from a user-writable location without verifying its signature. An unprivileged local user can therefore swap in a malicious proxy DLL (one that forwards the original exports so the feature keeps working while the attacker's code runs) that executes in the security context of the loading process; for CVE-2025-24076 that process runs as SYSTEM.
| CVE ID | Systems Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-24076 | Windows 11 Version 22H2, 22H3, 23H2, 24H2 | Race condition in the "Mobile devices" feature exploited via DLL hijacking. A SYSTEM process loads CrossDevice.Streaming.Source.dll from the user-writable directory %PROGRAMDATA%\CrossDevice\, so replacing the file with a malicious DLL in the short window before the service loads it yields code execution as SYSTEM. The researchers' PoC used opportunistic locks (oplocks) and API hooking (via Microsoft Detours) to hit the narrow timing window reliably. | Local privilege escalation to SYSTEM |
| CVE-2025-24994 | Windows 11 Version 22H2, 22H3, 23H2, 24H2 | A related DLL hijacking flaw in a user-to-user context: a user-level process loads a DLL without signature validation, so a malicious DLL can be executed in another user's context. Less severe than CVE-2025-24076, but still exploitable. | User-to-user privilege escalation (another user's context, not SYSTEM) |
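The detection side of the two patterns in the table, as an added example that is not part of the advisory or of the Compass Security research: a PowerShell filter over Sysmon Event ID 7 (ImageLoaded) records that flags DLLs loaded from user-writable directories whose signature is missing, invalid, or not from Microsoft, and rates the hit HIGH when the loading process runs as SYSTEM (the CVE-2025-24076 shape) or MEDIUM when it runs as an ordinary user (the CVE-2025-24994 shape). The sample records are constructed for the demo, and the loader binary name CrossDeviceService.exe is an assumption; the advisory itself only says "system process".

```powershell
# Added example (not from the advisory or the Compass research): detection logic
# for the CrossDevice DLL-hijack pattern over Sysmon Event ID 7 records.
# Sample records below are constructed; CrossDeviceService.exe is an assumed name.

# Flatten a Get-WinEvent record's EventData into one object with a property per
# <Data Name="..."> element (UtcTime, Image, ImageLoaded, Signed, Signature, ...).
function ConvertFrom-SysmonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $xml   = [xml]$Record.ToXml()
        $props = [ordered]@{}
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]$props
    }
}

# Directories a standard user can write to. A DLL loaded from one of these by a
# privileged process is exactly the precondition the advisory describes.
$UserWritableRoots = @('C:\ProgramData\', 'C:\Users\', 'C:\Windows\Temp\')

function Find-SuspiciousDllLoad {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $path = [string]$Event.ImageLoaded
        $fromWritable = $UserWritableRoots | Where-Object { $path -like "$_*" }
        if (-not $fromWritable) { return }

        # Sysmon reports Signed as the strings 'true'/'false'. A valid signature
        # from a non-Microsoft publisher is still suspect here: an attacker can
        # sign a proxy DLL with a certificate of their own.
        $untrusted = ($Event.Signed -ne 'true') -or
                     ($Event.SignatureStatus -ne 'Valid') -or
                     ($Event.Signature -notlike 'Microsoft*')
        if (-not $untrusted) { return }

        $asSystem = $Event.User -eq 'NT AUTHORITY\SYSTEM'
        [pscustomobject]@{
            UtcTime     = $Event.UtcTime
            Severity    = if ($asSystem) { 'HIGH' } else { 'MEDIUM' }
            Pattern     = if ($asSystem) { 'CVE-2025-24076 (SYSTEM loader)' } else { 'CVE-2025-24994 (user-context loader)' }
            Process     = $Event.Image
            User        = $Event.User
            ImageLoaded = $path
            Signature   = "$($Event.Signature) / $($Event.SignatureStatus)"
        }
    }
}

# Constructed sample records (not real telemetry). Only the third and fourth
# should be reported: the first loads from System32, the second is a genuine
# Microsoft-signed DLL in the CrossDevice directory.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-03-12 09:14:02.117'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\CrossDeviceService.exe'
                       ImageLoaded = 'C:\Windows\System32\ntdll.dll'
                       Signed = 'true'; Signature = 'Microsoft Windows'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ UtcTime = '2025-03-12 09:14:05.402'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\CrossDeviceService.exe'
                       ImageLoaded = 'C:\ProgramData\CrossDevice\CrossDevice.Streaming.Source.dll'
                       Signed = 'true'; Signature = 'Microsoft Windows'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ UtcTime = '2025-03-12 09:16:41.088'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\CrossDeviceService.exe'
                       ImageLoaded = 'C:\ProgramData\CrossDevice\CrossDevice.Streaming.Source.dll'
                       Signed = 'false'; Signature = '-'; SignatureStatus = 'Unavailable' }
    [pscustomobject]@{ UtcTime = '2025-03-12 09:17:03.511'; User = 'WORKSTATION\alice'
                       Image = 'C:\Windows\System32\CrossDeviceService.exe'
                       ImageLoaded = 'C:\ProgramData\CrossDevice\CrossDevice.Streaming.Source.dll'
                       Signed = 'true'; Signature = 'Contoso Test Signing'; SignatureStatus = 'Valid' }
)

$SampleEvents | Find-SuspiciousDllLoad | Format-Table -AutoSize

# Live use on a host running Sysmon with Event ID 7 enabled in its configuration:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } -MaxEvents 20000 |
#     ConvertFrom-SysmonEvent | Find-SuspiciousDllLoad
```

The filter deliberately does not trust a valid signature on its own; only a Microsoft publisher is accepted for a DLL the Cross Device Service loads, because the advisory's point is that the service loads whatever sits in the directory, and an attacker-signed proxy DLL passes a naive "is it signed" check.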
Remediation:
- Apply security updates: install the Microsoft security updates released in March 2025 on all affected systems.
- Disable the Cross Device Service where it is not needed: turning off the "Mobile devices" feature in Windows 11 removes the vulnerable code path.
- Monitor for suspicious activity: watch for DLLs being written to %PROGRAMDATA%\CrossDevice\ and for unsigned or non-Microsoft DLLs being loaded by privileged processes.
- Restrict user permissions: apply least privilege so that non-administrative users cannot modify directories that privileged processes load code from, and cannot run processes with elevated privileges.
- Verify DLL signatures before loading: applications should load libraries only from protected, non-user-writable paths and should validate the Authenticode signature of any DLL loaded from elsewhere, so that unsigned or altered DLLs are never executed.
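The checks behind the remediation list, as an added example rather than anything shipped by Microsoft or published with the advisory: a PowerShell script that reports which low-privilege identities have write access to %PROGRAMDATA%\CrossDevice\, checks the Authenticode signature and signer of every DLL in that directory, and optionally stops and disables the service. The service name CrossDeviceService is an assumption (the advisory only says "Cross Device Service"); confirm it with Get-Service on the host before disabling anything.

```powershell
# Added example (not from the advisory): audit the preconditions for the
# CrossDevice DLL hijack and optionally disable the service.
# Assumption: the service is registered as 'CrossDeviceService'.
# Get-Acl / Get-AuthenticodeSignature work as a standard user; Set-Service needs admin.

$CrossDeviceDir     = Join-Path $env:ProgramData 'CrossDevice'
$AssumedServiceName = 'CrossDeviceService'

# Identities that mean "any unprivileged user" on a stock Windows install.
$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Any of these bits lets the holder create or replace files in the directory.
# The two generic rights (GENERIC_ALL, GENERIC_WRITE) show up in inherited ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write  -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl -bor
             0x10000000 -bor 0x40000000

function Get-LowPrivWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIdentities -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $WriteMask) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-DllSignatureReport {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.dll -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        [pscustomobject]@{
            File    = $_.Name
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer  = $subject
            # A DLL the service loads from here should be Microsoft-signed;
            # anything else (including a valid third-party signature) is suspect.
            Suspect = ($sig.Status -ne 'Valid') -or ($subject -notlike '*O=Microsoft Corporation*')
        }
    }
}

function Disable-CrossDeviceService {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = $AssumedServiceName)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service '$Name' not found; verify the service name on this build."; return }
    if ($PSCmdlet.ShouldProcess($Name, 'Stop service and set StartupType = Disabled')) {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $Name -StartupType Disabled
    }
    Get-Service -Name $Name | Select-Object Name, Status, StartType
}

Write-Host "== Low-privilege write access on $CrossDeviceDir =="
$writable = Get-LowPrivWriteAccess -Path $CrossDeviceDir
if ($writable) { $writable | Format-Table -AutoSize } else { Write-Host 'none found (or directory absent)' }

Write-Host "== DLL signatures in $CrossDeviceDir =="
Get-DllSignatureReport -Path $CrossDeviceDir | Format-Table -AutoSize

# Only for hosts that do not use the Mobile devices feature; dry-run first:
# Disable-CrossDeviceService -WhatIf
```

A writable directory is an exposure indicator, not proof the host is unpatched: the March 2025 update closes the loading flaw, but the ACL and signature report still tell you whether a standard user could stage a DLL there, and the Suspect column is the quick way to spot a planted proxy DLL after the fact.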
Conclusion:
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.
CVE-2025-24076 yields SYSTEM-level access, whereas CVE-2025-24994 arises from a related user-level process failing to validate the DLL it loads. The latter opens the door to user-to-user attacks, but its impact is far less severe than that of its SYSTEM-targeting sibling.
The existence of a working proof-of-concept (PoC) underlines the practical risk these flaws pose. Organizations should apply the March 2025 security updates promptly and consider using EDR tooling to monitor for related behaviour, such as DLL writes to, and loads from, %PROGRAMDATA%\CrossDevice\. Continued vigilance and file access control hardening remain essential in defending against this class of privilege escalation attack.