BT25-06

• CVSSv4 Score: 7.1
• CVSSv4 Vector: AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
• Severity: High
• Issue Date: 2025-07-28
• Updated On: 2025-07-28
• CVE(s): CVE-2025-6250
• CWE: CWE-424
• Synopsis: Privilege Management for Windows – Anti-Tamper Bypass
• Impacted: Privilege Management for Windows
  

A vulnerability has been discovered in Privilege Management for Windows that allows for a local authenticated attacker with elevated privileges to bypass anti-tamper protections.

Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to Administrators group and run any process with elevated permissions.

For versions before 25.4.270.0 a rule can be created to either block the execution completely, or allow gated or limited access. Follow the relevant steps for the type of action that will be used.

Block

Create an application block rule with the following properties:

• Publisher (exact match): Microsoft Windows

• Product Description (exact match): WMI Commandline Utility

• Trusted Ownership: Matches

• Child Processes: Off

Gated or limited access

Create an application executable rule with the following properties:

• File Name (exact match): wmic.exe

• Publisher (exact match): Microsoft Windows

• Product Description (exact match): WMI Commandline Utility

• Trusted Ownership: Matches

• Child Processes: Off

https://www.cve.org/cverecord?id=CVE-2025-6250

https://nvd.nist.gov/vuln/detail/CVE-2025-6250

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0022605

We would like to thank MSG Systems AG for reporting this vulnerability responsibly.