Microsoft has released security advisories for four newly discovered vulnerabilities in its Windows Defender Firewall Service that could enable attackers to elevate privileges on affected Windows systems.
The flaws, tracked as CVE-2025-53808, CVE-2025-54104, CVE-2025-54109, and CVE-2025-54915, were all disclosed on September 9, 2025, and share similar characteristics.
While exploitation requires local access, successful attacks could allow threat actors to execute code at SYSTEM level, bypassing normal security boundaries.
Details of the Vulnerabilities
Each vulnerability involves Type Confusion (CWE-843), a weakness where the firewall service misinterprets the type of a resource, leading to unauthorized operations.
All four flaws are classified as Important severity and carry a CVSS 3.1 base score of 6.7 with a temporal score of 5.8.
The attack vector is local (AV:L), with low complexity (AC:L), high privileges required (PR:H), and no user interaction needed (UI:N).
| CVE Identifier | Impact | Max Severity | CVSS 3.1 Score (Base/Temporal) |
| CVE-2025-53808 | Elevation of Privilege | Important | 6.7 / 5.8 |
| CVE-2025-54104 | Elevation of Privilege | Important | 6.7 / 5.8 |
| CVE-2025-54109 | Elevation of Privilege | Important | 6.7 / 5.8 |
| CVE-2025-54915 | Elevation of Privilege | Important | 6.7 / 5.8 |
Confidentiality, integrity, and availability impacts are all high (C:H/I:H/A:H). Microsoft rates the exploit maturity as unproven (E:U) with official fixes already released (RL:O) and confirmed reports (RC:C).
These vulnerabilities reside in the Windows Defender Firewall Service executable running with elevated privileges.
An attacker who can log on locally to a target machine could leverage one of these flaws to execute arbitrary code as SYSTEM.
This could serve as a stepping stone for full compromise, especially in environments where local user accounts are poorly controlled.
Mitigation and Recommendations
Microsoft has provided patches for all affected Windows versions through its September 2025 security updates. System administrators are urged to:
- Deploy the September security update immediately to ensure the firewall service is patched.
- Restrict local account logins to trusted personnel only.
- Monitor system event logs for unusual firewall service behavior or crash events that could indicate attempts to exploit these flaws.
- Implement least-privilege policies to minimize the impact if local account credentials are compromised.
Although these vulnerabilities require local access, they pose a significant risk in corporate environments where employees have administrative privileges or where laptops may be physically accessed by unauthorized individuals.
Once an attacker gains SYSTEM privileges, they can disable security controls, install persistent malware, or move laterally within a network.
Addressing these issues promptly reduces the window of opportunity for threat actors to exploit them.
Windows Defender Firewall has long been a core component of Microsoft’s defense-in-depth strategy.
These elevation of privilege vulnerabilities highlight the importance of regular patching and stringent access controls.
By applying the available updates and enforcing robust security policies, organizations can safeguard against potential privilege escalation attacks targeting the firewall service.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
