CVE-2025-47962 ‒ Improper Access Control in Windows SDK
Description
The service IpOverUsbSvc
installed with the Windows SDK had weak permissions on it’s installation folder, which allowed low privileged users to escalate their privileges to SYSTEM
.
Vulnerability
We found that the directory under which the service IpOverUsbSvc
is installed — C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin
— is writable for the Authenticated Users Group.
The service is automatically initiated from this directory upon system startup and runs under the SYSTEM
account.
To exploit this issue, a low-privileged user could, for example, place their own DLL file under: C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\cryptsp.dll
.
This DLL then gets loaded by the service running as NT Authority\SYSTEM
, which allows low-privileged user to execute code as SYSTEM
and leads to privilege escalation.
This issue only impacts systems that have the Windows SDK installed.
Mitigations
Update to the latest release.
Timeline
Date | Action |
---|---|
25.01.2025 | Initial contact with vendor about the vulnerability |
27.01.2025 | Microsoft closes ticket as non applicable |
28.01.2025 | Neodyme reopens ticket with further comments |
05.02.2025 | Microsoft confirms that they could replicate the issue |
10.06.2025 | Public acknowledgement by Microsoft |