Advisory ID: BT25-01

CVSSv4 score: 7.2

CVSSv4 Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: High

Issue Date: 2025-02-25

Updated On: 2025-02-24

CVE: CVE-2025-0889

CWE: CWE-268

Synopsis: Privilege Management for Windows – Elevation of Privilege

Impacted Product: Privilege Management for Windows

Summary

A vulnerability has been discovered in Privilege Management for Windows that allows for a local authenticated attacker to elevate privileges.

Details

Prior to 25.2, a local authenticated attacker can elevate privileges via the manipulation of COM objects under certain circumstances where an EPM policy allows for automatic privilege elevation of a user process.

Mitigation

Block Rules based on COM Object Publisher Matching: EPM-W currently supports blocking of COM objects based on publisher matching. However, only the COM objects that require elevation are supported, which means our customers can create a block rule for COM objects that require elevation based on matching/not matching publishers. It is worth noting that this mitigation would not mitigate the abuse attempts against COM objects that do not require elevation.

Setting Process Mitigations for Elevated Processes: If EPM-elevated processes load COM objects, then system admins can enable process mitigations (e.g., Code Integrity Guard) for the applications to be elevated by EPM-W if enabling them will not break the functionality of the application. Enabling the relevant process mitigation can prevent a non-Microsoft signed DLL being loaded into the specified application, hence can mitigate the abuse attempts.

Monitoring / Preventing Users Modifying Registry: As a mitigation, customers can also use Group Policy Objects to prevent users from editing the following registry hives:

HKEY_CURRENT_USER\Software\Classes\CLSID

HKEY_CLASSES_ROOT\CLSID

HKEY_CLASSES_ROOT\WOW6432Node\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID

In addition, customers should also monitor the mentioned registry hives for potential abuse attempts. Note that it is possible for a user to modify those registry hives via tools such as command prompt, PowerShell and PowerShell ISE, Registry Editor, SetX, Reg, and WMIC. Therefore, monitoring the creation of such processes can be useful to detect potential abuse attempts.

Affected Versions

Product	Version
Privilege Management for Windows	Prior to 25.2

Fixed Versions

The installation may be downloaded from our BeyondTrust Customer Support portal>Downloads page. It is also available in your PM Cloud portal once your tenant is updated to 25.2

Product	Version
Privilege Management for Windows	25.2 and later

References

https://www.cve.org/cverecord?id=CVE-2025-0889

https://nvd.nist.gov/vuln/detail/CVE-2025-0889

Acknowledgements

BeyondTrust would like to thank Wilson, Jared and David L. Andrews from Bank of America’s GIS Red Team for reporting this vulnerability.

Watch Product Demos

Buyer's Guide for Complete PAM

Gartner® Magic Quadrant™ for PAM

See what customer success looks like

Find a Partner

Leader in Privilege-Centric Identity Security

Watch Product Demos

BT25-01