BT25-05

• CVSSv4 Score: 7.2
• CVSSv4 Vector AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
• Severity: High
• Issue Date: 2025-07-28
• Updated On: 2025-07-28
• CVE(s): CVE-2025-2297
• CWE: CWE-268
• Synopsis: Privilege Management for Windows – Elevation of Privilege
• Impacted: Privilege Management for Windows
  

A vulnerability has been discovered in Privilege Management for Windows that allows for a local authenticated attacker to elevate privileges.

Prior to version 25.4, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions. This allows users with the ability to edit their user profile files to elevate their privileges to administrator. This issue has been fixed in version 25.4.270.0

At the time of posting this advisory, all cloud tenants are upgraded to 25.4. Customers can push version 25.4.270.0 to clients to remediate this vulnerability.

For versions prior to 25.4.270.0,

• Avoid using “forever” challenge response auto elevation permissions.
• Monitor HKEY_USERS\[sid]\Software\Avecto\Privilege Guard Client\ChallengeResponseCache\[sha256sum] for any existing “forever” response entries and make changes to the EPM policy if there are legitimate business needs instead of using forever responses.
  

If you encounter issues with domain account authentication after upgrading to version 25.4, we suggest updating to version 25.4.270.0 or newer.

https://www.cve.org/cverecord?id=CVE-2025-2297

https://nvd.nist.gov/vuln/detail/CVE-2025-2297

https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0022476

We would like to thank Lukasz Piotrowski and Marius Kotlarz for reporting this vulnerability responsibly.