Advisory ID: BT25-06
CVSSv4 Score: 7.1
CVSSv4 Vector: AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: High
Issue Date: 2025-07-28
Updated On: 2025-07-28
CVE(s): CVE-2025-6250
CWE: CWE-424
Synopsis: Privilege Management for Windows – Anti-Tamper Bypass
Impacted: Privilege Management for Windows
Summary
A vulnerability has been discovered in Privilege Management for Windows that allows for a local authenticated attacker with elevated privileges to bypass anti-tamper protections.
Details
Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to Administrators group and run any process with elevated permissions.
Mitigation
For versions before 25.4.270.0 a rule can be created to either block the execution completely, or allow gated or limited access. Follow the relevant steps for the type of action that will be used.
Block
Create an application block rule with the following properties:
• Publisher (exact match): Microsoft Windows
• Product Description (exact match): WMI Commandline Utility
• Trusted Ownership: Matches
• Child Processes: Off
Gated or limited access
Create an application executable rule with the following properties:
• File Name (exact match): wmic.exe
• Publisher (exact match): Microsoft Windows
• Product Description (exact match): WMI Commandline Utility
• Trusted Ownership: Matches
• Child Processes: Off
Affected Versions
Product | Version |
|---|---|
Privilege Management for Windows | Prior to 25.4.270.0 |
Fixed Versions
Product | Version |
|---|---|
Privilege Management for Windows | 25.4.270.0 and later |
Acknowledgements
We would like to thank MSG Systems AG for reporting this vulnerability responsibly.