############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: Windows Cross Device Service # Vendor: Microsoft # CSNC ID: CSNC-2025-007 # CVE ID: CVE-2025-24076 # Subject: Local Privilege Escalation # Risk: High # Effect: Locally exploitable # Researcher: John Ostrowski # Date: 15.04.2025 # ############################################################# Introduction ------------ Windows 11 ships with the Phone Link feature, which allows a user to link their mobile phone to their Windows computer to send messages. The Windows Cross Device Service that handles this functionality was vulnerable to DLL highjacking, allowing a user with low privileges to gain system privileges. Affected -------- Vulnerable: * Windows 11 24H2 before 10.0.26100.3403 * Windows 11 23H2 before 10.0.22631.5039 * Windows 11 22H2 before 10.0.22631.5039 * Windows Server 2025 before 10.0.26100.3403 * Windows Server 2022 before 10.0.25398.1486 Technical Description --------------------- Improper access control in the Windows Cross Device Service allows an attacker to elevate privileges locally. The CrossDevice.Streaming.Source.dll was stored in the user-modifiable location C:\ProgramData\CrossDevice and loaded by a service running with system privileges. The DLL was not signed and no signature verification was performed by the service. Workaround / Fix ---------------- Update to the most recent version of Windows 11 and Windows Server. Timeline -------- 2024-09-20: Discovery 2024-10-07: Initial vendor notification 2024-10-08: Initial vendor response 2025-03-11: Release of fixed Version / Patch 2025-04-15: Coordinated public disclosure date References ---------- [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24076 [2] https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/