CVE CyberSecurity Database News

CVE-2025-24789 - Privilege Escalation in Snowflake JDBC Driver on Windows (EXTERNALBROWSER Auth Vulnerability Explained)

Poster -

---

Summary

A major vulnerability (CVE-2025-24789) was found in the Snowflake JDBC Driver, affecting Windows systems where the EXTERNALBROWSER authentication method is used. This post explains what happened, how attackers could exploit it, and what you should do to keep your systems safe.

What is the Snowflake JDBC Driver?

Snowflake provides a Java Database Connectivity (JDBC) Type 4 driver, allowing Java-based apps to connect and interact with a Snowflake data warehouse. Many organizations use JDBC drivers to build data pipelines and perform analytics.

Official Documentation:
https://docs.snowflake.com/en/developer-guide/jdbc

What’s the Vulnerability?

CVE-2025-24789 is a privilege escalation bug. When you use the EXTERNALBROWSER authentication mode on Windows, the JDBC driver relies on the Windows %PATH% environment paths to find and run programs.

If a bad actor can write to a directory listed *early* in %PATH%, they can put a malicious executable there with a name matching a system utility (for example, cmd.exe, curl.exe, or anything the JDBC driver might call). When the JDBC driver runs, it’ll pick up—and run—the attacker’s executable with the privileges of the user who started the Java process.

Vulnerable Versions:

Snowflake JDBC Driver versions 3.2.3 through 3.21. on Windows

Fixed Version:

Technical Details

When using EXTERNALBROWSER authentication, the JDBC driver launches the system’s browser to log in, sometimes using Windows system utilities to assist this process. The issue:

*It does not* use full, secure paths to these utilities, depending on %PATH% order.

- *If* an attacker controls a directory earlier in %PATH%, and places a trojan .exe, the driver may run it by mistake.

Suppose %PATH% looks like

C:\Python39\Scripts;C:\Tools;C:\Windows\System32;...

Create a file called cmd.exe with this content

// Save as C:\Tools\cmd.c
#include <windows.h>
int main() {
    MessageBox(NULL, "Exploit ran!", "CVE-2025-24789", );
    // Add malicious code here
    return ;
}

Compile

cl cmd.c /Fe:C:\Tools\cmd.exe

3. Launch Snowflake JDBC client

When the Java JDBC driver is used (maybe via a data sync script), and tries to use EXTERNALBROWSER authentication, it might attempt to run cmd.exe and pick your trojan version instead of the system one. This code then executes with the privileges of the calling user.

Why is This Dangerous?

- Privilege Escalation: Attackers with write access to a directory used in %PATH% (not uncommon on shared systems or misconfigured developer machines) can trick the Snowflake JDBC driver into running their code.
- Persistence: The attacker’s code could launch additional payloads, create new user accounts, or implant backdoors.

Snowflake patched this in JDBC Driver 3.22.. Download from

- https://docs.snowflake.com/en/developer-guide/jdbc/download

2. Check Directory Permissions

Review all directories listed in your %PATH% variable.
NO non-admin or low-privilege user should be able to write to any directory in %PATH%.

To check

$env:Path -split ';' | ForEach-Object { Get-Acl $_ | Select-Object Path, Access }

3. Avoid EXTERNALBROWSER When Possible

If practical, use other authentication methods not needing browser launch on the local system.

- Snowflake JDBC Documentation
- NIST NVD CVE-2025-24789 Entry (pending publication)
- Official Security Advisory (if available)

Conclusion

CVE-2025-24789 is a reminder that dependencies—even something as simple as a database driver—can present privilege escalation issues, especially with shared or misconfigured systems. If you use Snowflake JDBC on Windows, update now and check your system’s %PATH% permissions.

Timeline

Published on: 01/29/2025 18:15:47 UTC