BeyondTrust Privilege Management for Windows Vulnerability Let Attackers Escalate Privileges
A significant security vulnerability has been discovered in BeyondTrust’s Privilege Management for Windows solution, allowing local authenticated attackers to escalate their privileges to the administrator level.
The flaw, designated as CVE-2025-2297 with a CVSSv4 score of 7.2, affects all versions before 25.4.270.0 and has been classified as high severity.
The vulnerability stems from improper handling of user profile files and challenge response codes, enabling attackers to manipulate the Windows registry to gain unauthorized administrative access.
Key Takeaways
1. CVE-2025-2297 enables local privilege escalation in BeyondTrust Privilege Management for Windows
2. Apply the fix (version 25.4.270.0 or later) immediately.
3. Disable "forever" challenge responses until patched.
BeyondTrust Privilege Management for Windows Vulnerability
The vulnerability, categorized under CWE-268 (Privilege Chaining), stems from a weakness in how Privilege Management for Windows processes challenge response codes within user profiles.
According to the technical analysis, local authenticated attackers can manipulate user profile files to inject illegitimate challenge response codes into the local user registry under specific conditions.
The attack vector involves targeting the registry path HKEY_USERS\[sid]\Software\Avecto\Privilege Guard Client\ChallengeResponseCache\[sha256sum], where attackers can insert malicious “forever” response entries.
This exploitation method is particularly concerning because it requires only local access and basic user privileges to execute.
The CVSSv4 vector AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N indicates that, although the attack complexity is high and specific attack prerequisites must be met, a successful exploit results in high impact on both the confidentiality and the integrity of the vulnerable component.
The vulnerability affects users who can edit their user profile files, making it a significant concern for organizations where users have local file modification permissions.
The vulnerability was responsibly disclosed by security researchers Lukasz Piotrowski and Marius Kotlarz.
Risk Factors | Details
--- | ---
Affected Products | BeyondTrust Privilege Management for Windows (versions prior to 25.4.270.0)
Impact | Elevation of Privilege
Exploit Prerequisites | Local system access; low-privileged user authentication; ability to edit user profile files; high attack complexity conditions
CVSSv4 score | 7.2 (High)
Mitigations
BeyondTrust has addressed this security flaw in version 25.4.270.0 and later releases.
All cloud tenants have been automatically upgraded to version 25.4, while on-premises customers must manually deploy version 25.4.270.0 to client systems to remediate the vulnerability.
For organizations unable to immediately upgrade, BeyondTrust recommends avoiding the use of “forever” challenge response auto-elevation permissions as a temporary mitigation strategy.
System administrators should actively monitor the affected registry location for any existing “forever” response entries and review their EPM (Endpoint Privilege Management) policies accordingly.
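To support the monitoring step above, here is an added PowerShell script (not BeyondTrust's own tooling) that enumerates the ChallengeResponseCache location in every loaded user hive and lists each cached entry with its values for review. It assumes the registry path named in the article is HKEY_USERS\<SID>\Software\Avecto\Privilege Guard Client\ChallengeResponseCache\<sha256sum>; because the article does not describe how a “forever” entry is encoded, the script lists all entries rather than guessing a marker.

```powershell
# Added example: list ChallengeResponseCache entries for every loaded user hive.
# Assumption: path as described in the article, reconstructed with backslashes.
# The encoding of a "forever" entry is not documented in the article, so every
# cached entry is reported with its values for an administrator to review.

$relPath = 'Software\Avecto\Privilege Guard Client\ChallengeResponseCache'

# HKEY_USERS has no PSDrive by default; map one for this session if needed.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-RegValueSummary {
    param([string]$KeyPath)
    # Flatten the key's values (excluding PowerShell's PS* metadata) to a string.
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return '' }
    ($props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
}

$findings = foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $sid = $hive.PSChildName
    # Skip *_Classes hives; they never hold per-user application settings.
    if ($sid -like '*_Classes') { continue }
    $cachePath = "HKU:\$sid\$relPath"
    if (-not (Test-Path -LiteralPath $cachePath)) { continue }

    # Report values stored directly on the cache key as well as per-hash subkeys.
    $direct = Get-RegValueSummary -KeyPath $cachePath
    if ($direct) {
        [pscustomobject]@{ SID = $sid; Entry = '(cache key)'; Values = $direct }
    }
    foreach ($entry in Get-ChildItem -LiteralPath $cachePath) {
        [pscustomobject]@{
            SID    = $sid
            Entry  = $entry.PSChildName          # the per-response sha256sum subkey
            Values = Get-RegValueSummary -KeyPath $entry.PSPath
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Hand off to a SIEM by exporting, e.g. $findings | Export-Csv crc-cache.csv
} else {
    Write-Host 'No ChallengeResponseCache entries found in loaded user hives.'
}
```

Only hives of currently logged-on users appear under HKEY_USERS, so profiles that are not loaded require loading their NTUSER.DAT (for example with reg.exe load) before this check covers them.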