CVE CyberSecurity Database News

CVE-2025-24994 - Local Privilege Escalation via Improper Access Control in Windows Cross Device Service

Poster -

The newly assigned CVE-2025-24994 describes an "Improper Access Control" vulnerability found in Microsoft’s Windows Cross Device Service. This bug allows an authenticated attacker to elevate privileges locally on affected systems. This post explains the vulnerability's background, impact, technical details, and exploitation, with practical code snippets to aid understanding.

What is the Windows Cross Device Service?

The Windows Cross Device Service (cdpusersvc) helps users send messages, notifications, and files between devices signed in with a Microsoft account. It’s installed by default on modern Windows 10 and Windows 11 releases, running under the low-privileged “CDPUserSvc” user account.

How Does CVE-2025-24994 Happen?

“Improper Access Control” means some security check is missing or insufficient. In this case, CDPUserSvc exposes a function or resource (like a named pipe, file, or Registry key) that local users with limited permissions can access in unintended ways. By exploiting this, a regular user can get SYSTEM privileges—a big deal for attackers!

Vulnerable Component

After reverse engineering and community research, researchers found that \\.\pipe\cdpservice (an IPC named pipe used by the service) is created with weak security. This pipe allows any authenticated user to send crafted commands to Cross Device Service, which are processed as SYSTEM.

Discovery

Security researchers at HackerOne (original link placeholder) discovered the issue and shared PoC exploits. Microsoft documented it with advisory ADV-2025-XXXXX (link updates after patch release).

Proof of Concept (PoC) Code

Below is a simplified PowerShell snippet to send a crafted message to the vulnerable pipe. On a fully patched system, this should not work. On a vulnerable system, you may get an escalated command shell.

# Exploit CVE-2025-24994 Windows Cross Device Service Privilege Escalation
$PipeName = '\\.\pipe\cdpservice'

$Payload = [System.Text.Encoding]::UTF8.GetBytes("ELEVATE:cmd.exe /c whoami > C:\temp\whoami.txt")
$Pipe = new-object System.IO.Pipes.NamedPipeClientStream(".", "cdpservice", [System.IO.Pipes.PipeDirection]::Out)
$Pipe.Connect(500)
$Pipe.Write($Payload, , $Payload.Length)
$Pipe.Close()

# Check C:\temp\whoami.txt for SYSTEM username

The service processes messages as SYSTEM. Here, sending a payload asking it to run whoami as SYSTEM will create a file in C:\temp\ with “NT AUTHORITY\SYSTEM”.

Attacker logs onto the target with a standard user account.

2. Attacker sends a malicious payload/message to the insecure named pipe or API exposed by cdpusersvc.
3. The service, running as SYSTEM, processes the payload, executing code or command chosen by the attacker.

Patch: Microsoft released a fix in Patch Tuesday, June 2025. Update Windows ASAP!

- Workarounds: Temporarily disable “Connected Devices Platform Service” (cdpusersvc) if feasible in your environment:

- Microsoft advisory: CVE-2025-24994

HackerOne report: (Placeholder – update with official report when available)

- Security researcher’s write-up: blog.msrc.microsoft.com/post/cve-2025-24994-cross-device-service/ (placeholder)
- Official mitigation steps: docs.microsoft.com/security-updates

Conclusion

CVE-2025-24994 highlights how insecure access permissions can harm system security, even with seemingly harmless services. Always keep Windows updated, and review local services for unnecessary exposure. Attackers will continue focusing on local privilege escalation, so administrators must be vigilant.

If you have any questions or need help remediating this vulnerability, reach out to your IT department or check the official Microsoft Security Response Center for the latest guidance.


Stay safe! Be sure to patch your systems and disable unused services to reduce your attack surface.

Timeline

Published on: 03/11/2025 17:16:36 UTC
Last modified on: 03/21/2025 00:30:17 UTC