CVE-2025-6250

Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to Administrators group and run any process with elevated permissions.

CVSS v3 6.7 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.beyondtrust.com/trust-center/security-advisories/bt25-06	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:beyondtrust:privilege_management_for_windows:*:*:*:*:*:*:*:*

History

04 Aug 2025, 13:45

Type	Values Removed	Values Added
First Time		Beyondtrust privilege Management For Windows Beyondtrust
References	~~() https://www.beyondtrust.com/trust-center/security-advisories/bt25-06 -~~	() https://www.beyondtrust.com/trust-center/security-advisories/bt25-06 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.7
CPE		cpe:2.3:a:beyondtrust:privilege_management_for_windows::::::::

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) Antes de la versión 25.4.270.0, al elevar wmic.exe con un token de administrador completo, el usuario podía detener el servicio Defendpoint, omitiendo así las protecciones antimanipulación. Una vez deshabilitado el servicio, el usuario malintencionado podía agregarse al grupo de administradores y ejecutar cualquier proceso con permisos elevados.

28 Jul 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-28 16:15

Updated : 2025-08-04 13:45

NVD link : CVE-2025-6250

Mitre link : CVE-2025-6250

CVE.ORG link : CVE-2025-6250

JSON object : View

Products Affected

beyondtrust

privilege_management_for_windows

CWE

CWE-424

Improper Protection of Alternate Path

{"id": "CVE-2025-6250", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}], "cvssMetricV40": [{"type": "Secondary", "source": "13061848-ea10-403d-bd75-c83a022c2891", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-28T16:15:24.947", "references": [{"url": "https://www.beyondtrust.com/trust-center/security-advisories/bt25-06", "tags": ["Vendor Advisory"], "source": "13061848-ea10-403d-bd75-c83a022c2891"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "13061848-ea10-403d-bd75-c83a022c2891", "description": [{"lang": "en", "value": "CWE-424"}]}], "descriptions": [{"lang": "en", "value": "Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to Administrators group and run any process with elevated permissions."}, {"lang": "es", "value": "Antes de la versi\u00f3n 25.4.270.0, al elevar wmic.exe con un token de administrador completo, el usuario pod\u00eda detener el servicio Defendpoint, omitiendo as\u00ed las protecciones antimanipulaci\u00f3n. Una vez deshabilitado el servicio, el usuario malintencionado pod\u00eda agregarse al grupo de administradores y ejecutar cualquier proceso con permisos elevados."}], "lastModified": "2025-08-04T13:45:22.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:beyondtrust:privilege_management_for_windows:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CACA5CC9-5E12-47FC-B648-72565C004484", "versionEndExcluding": "25.4.270"}], "operator": "OR"}]}], "sourceIdentifier": "13061848-ea10-403d-bd75-c83a022c2891"}