CVE-2025-47962 ‒ Improper Access Control in Windows SDK
Description
The service IpOverUsbSvc installed with the Windows SDK had weak permissions on its installation folder, which allowed low-privileged users to escalate their privileges to SYSTEM.
Vulnerability
We found that the directory under which the service IpOverUsbSvc is installed, C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin, is writable by the Authenticated Users group.
The service is automatically initiated from this directory upon system startup and runs under the SYSTEM account.
To exploit this issue, a low-privileged user could, for example, place their own DLL file under: C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\cryptsp.dll.
This DLL then gets loaded by the service running as NT Authority\SYSTEM, which allows a low-privileged user to execute code as SYSTEM and leads to privilege escalation.
This issue only impacts systems that have the Windows SDK installed.
Mitigations
Update to the latest release.
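The condition described under Vulnerability can be checked on a host with a short PowerShell audit. This is an added example, not code from the advisory or from Microsoft: it resolves the directory from the service's registered image path instead of hard-coding it, and the list of low-privileged SIDs and the comparison against System32 file names are this example's own choices.

```powershell
# Added example, not from the advisory: audit the IpOverUsbSvc binary directory.
$svc = Get-CimInstance Win32_Service -Filter "Name='IpOverUsbSvc'"
if (-not $svc) { 'IpOverUsbSvc is not installed.'; return }

# PathName may be quoted and carry arguments; keep only the executable path.
$exe = $svc.PathName
if ($exe -match '^\s*"([^"]+)"' -or $exe -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
$dir = Split-Path -Parent $exe

# Well-known SIDs that include ordinary users (matched by SID, so locale independent).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# WriteData/CreateFiles (0x2), AppendData (0x4), GENERIC_WRITE, GENERIC_ALL
$writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# 1) Allow ACEs (explicit and inherited) that let those groups write into the directory.
$sidType = [System.Security.Principal.SecurityIdentifier]
$weak = foreach ($ace in (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
        ([int]$ace.FileSystemRights -band $writeMask)) {
        [pscustomobject]@{ Group = $lowPriv[$sid]; Rights = $ace.FileSystemRights
                           Inherited = $ace.IsInherited }
    }
}

# 2) DLLs in the service directory whose name also exists in System32
#    (the cryptsp.dll case from the advisory), with owner and signature state.
$sys32  = Join-Path $env:SystemRoot 'System32'
$shadow = Get-ChildItem -LiteralPath $dir -Filter *.dll -File |
    Where-Object { Test-Path -LiteralPath (Join-Path $sys32 $_.Name) } |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.FullName
            Owner  = (Get-Acl -LiteralPath $_.FullName).Owner
            Signed = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    }

"Service directory: $dir (service runs as $($svc.StartName))"
if ($weak) { 'Writable by low-privileged groups:'; $weak | Format-Table -AutoSize }
if (-not $weak) { 'No write ACEs found for low-privileged groups.' }
if ($shadow) { 'DLLs shadowing System32 names:'; $shadow | Format-Table -AutoSize }
```

A row in either table is a lead for review rather than proof of compromise: check the file's owner, signature state and creation time before drawing conclusions.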
Timeline
| Date | Action |
|---|---|
| 25.01.2025 | Initial contact with vendor about the vulnerability |
| 27.01.2025 | Microsoft closes ticket as not applicable |
| 28.01.2025 | Neodyme reopens ticket with further comments |
| 05.02.2025 | Microsoft confirms that they could replicate the issue |
| 10.06.2025 | Public acknowledgement by Microsoft |