Threat intellegence

Windows 11 DLL Flaws Open Doors to Privilege Escalation! 

Summary 

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications load DLLs.

OEM Windows 
Severity HIGH 
CVSS Score 7.3 
CVEs CVE-2025-24994, CVE-2025-24076 
No. of Vulnerabilities Patched 02 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Windows Cross Device Service Elevation of Privilege Vulnerability  CVE-2025-24076 Windows  HIGH  7.3 
​Windows Cross Device Service Elevation of Privilege Vulnerability CVE-2025-24994 Windows HIGH 7.3 

Technical Summary 

The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24076  Windows 11 Version 22H2, 22H3, 23H2, 24H2.  Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window.   Allows SYSTEM-level privilege escalation 
CVE-2025-24994 Windows 11 Version 22H2, 22H3, 23H2, 24H2 Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable.  Allows user-to-user privilege escalation 

Remediation

  • Implement Security Updates to make sure to install the current security patches made available by Microsoft, specifically March 2025 updates, into affected systems. 
  • Turn off Cross Device Service if not needed, disable the “Mobile Devices” feature in Windows 11 to avoid exploitation of the vulnerabilities. 
  • Look for Suspicious Activity constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes. 
  • Restrict User Permissions prevent non-administrative users from changing system files or running processes with elevated privileges. 
  • Support DLL Signature Verification makes all programs support DLL signature verification so that no applications can load unsigned or altered DLL files. 

Conclusion: 
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.  

While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.

References


 

Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately 

Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.

Continue Reading

Authentication Bypass Vulnerability in FortiOS & FortiProxy 

Summary 

A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.

OEM Fortinet 
Severity Critical 
CVSS 9.6 
CVEs CVE-2025-24472 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Authentication Bypass Vulnerability CVE-2025-24472 FortiOS FortiProxy Critical  FortiOS v7.0 – v7.0.16   FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 

Technical Summary 

CVE ID Vulnerability Details Impact 
  CVE-2025-24472   An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests.   Execute unauthorized code or commands 

Recommendations

  • Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below 
Version Fixes and Releases 
FortiOS 7.0 – 7.0.16 Upgrade to 7.0.17 or latest version 
FortiProxy 7.0 – 7.0.19 Upgrade to 7.0.20 or latest version 
FortiProxy 7.2 – 7.2.12 Upgrade to 7.2.13 or latest version 

Workarounds: 

Below are some workarounds provided by the Fortinet team. 

  • Disable HTTP/HTTPS administrative interface 
  • Limit IP addresses that can reach the administrative interface via local-in policies 

According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”

References: 

Scroll to top