CVE-2025-47962 ‒ Improper Access Control in Windows SDK

Metrics: cve.org

Description

The service IpOverUsbSvc, installed with the Windows SDK, had weak permissions on its installation folder, which allowed low-privileged users to escalate their privileges to SYSTEM.

Vulnerability

We found that the directory under which the service IpOverUsbSvc is installed, C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin, is writable by the Authenticated Users group. The service is started automatically from this directory at system startup and runs under the SYSTEM account.

To exploit this issue, a low-privileged user could, for example, place their own DLL file under: C:\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\cryptsp.dll. This DLL is then loaded by the service running as NT Authority\SYSTEM, which allows the low-privileged user to execute code as SYSTEM and leads to privilege escalation.

This issue only impacts systems that have the Windows SDK installed.
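
To check a host for the condition described above, the following added example (not part of the original advisory or of any Microsoft tooling) lists auto-start services that run as LocalSystem from a directory where a broad user group holds write access. It generalizes beyond IpOverUsbSvc to every such service; the SID list and the write mask are assumptions chosen for this check, and it is a first-pass review that does not evaluate deny entries or effective access.

```powershell
# Added example (not from the advisory): list auto-start services that run as
# LocalSystem from a directory where a broad user group holds write access.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}
# Write-type access bits: WriteData/AddFile, AppendData/AddSubdirectory, WRITE_DAC,
# WRITE_OWNER, plus raw GENERIC_WRITE and GENERIC_ALL as stored in inherit-only ACEs.
$writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

$aclCache = @{}   # directory -> matching ACEs, so shared folders are read only once
$services = Get-CimInstance Win32_Service -Filter "StartMode='Auto' AND StartName='LocalSystem'"

$findings = foreach ($svc in $services) {
    if (-not $svc.PathName) { continue }
    $cmd = [Environment]::ExpandEnvironmentVariables($svc.PathName)
    # The image path is either "quoted path" args, or an unquoted path ending in .exe
    if     ($cmd -match '^\s*"([^"]+)"')    { $exe = $Matches[1] }
    elseif ($cmd -match '^\s*(.+?\.exe)\b') { $exe = $Matches[1] }
    else   { continue }

    $dir = Split-Path -Path $exe -Parent
    if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    if (-not $aclCache.ContainsKey($dir)) {
        $aclCache[$dir] = @(
            foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }   # account cannot be resolved to a SID, skip it
                if ($broadSids.ContainsKey($sid) -and ([int]$ace.FileSystemRights -band $writeMask)) {
                    [pscustomobject]@{ Identity = $broadSids[$sid]; Rights = $ace.FileSystemRights }
                }
            }
        )
    }
    foreach ($hit in $aclCache[$dir]) {
        [pscustomobject]@{ Service = $svc.Name; Directory = $dir; Identity = $hit.Identity; Rights = $hit.Rights }
    }
}
$findings | Sort-Object Directory, Service | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed groups has a write-type allow entry on any of those service directories; any row that appears should be reviewed and the folder ACL tightened.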

Mitigations

Update to the latest release.

Timeline

Date | Action
25.01.2025 | Initial contact with vendor about the vulnerability
27.01.2025 | Microsoft closes ticket as non applicable
28.01.2025 | Neodyme reopens ticket with further comments
05.02.2025 | Microsoft confirms that they could replicate the issue
10.06.2025 | Public acknowledgement by Microsoft
