CVE-2025-1804
📋 TL;DR
This vulnerability in Blizzard Battle.Net client involves an uncontrolled search path (DLL hijacking) in profapi.dll, allowing local attackers to execute arbitrary code by placing a malicious DLL in a location the application searches. It affects Windows users running Battle.Net client versions up to 2.39.0.15212. The vendor considers this low risk due to the local attack requirement and high exploitation complexity.
💻 Affected Systems
- Blizzard Battle.Net client
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM-level privileges and executes arbitrary code on the vulnerable system, potentially leading to full system compromise.
Likely Case
Local attacker with existing access elevates privileges or executes malicious code in the context of the Battle.Net client user.
If Mitigated
Attack fails due to proper file permissions, application sandboxing, or lack of local access to place malicious DLL.
🎯 Exploit Status
Exploitation requires local access and knowledge of DLL search order. No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not provided in references
Restart Required: No
Instructions:
Check for updates in Battle.Net client settings or Blizzard's official security advisories.
🔧 Temporary Workarounds
Restrict DLL search path
Windows: Use application control policies to restrict where Battle.Net can load DLLs from
Using Group Policy or AppLocker: create a rule to block DLL execution from user-writable directories
File system permissions hardening
Windows: Restrict write permissions to directories in Battle.Net's DLL search path
icacls "C:\Program Files (x86)\Battle.net" /deny Users:(OI)(CI)W
icacls "%APPDATA%\Battle.net" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Implement least privilege - ensure Battle.Net runs with minimal necessary permissions
- Monitor for suspicious DLL loading events using Windows Event Log or EDR solutions
🔍 How to Verify
Check if Vulnerable:
Check the Battle.Net client version in Settings > About. If the version is 2.39.0.15212 or earlier, the system is vulnerable.
Check Version:
Check Battle.Net client UI: Settings > About, or examine Battle.net.exe file properties
Verify Fix Applied:
Verify Battle.Net client version is higher than 2.39.0.15212 after update.
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) for Battle.net.exe, to correlate process starts with DLL loads from unusual locations
- Sysmon Event ID 7 (Image loaded) showing profapi.dll loaded from non-standard paths
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
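source="Microsoft-Windows-Sysmon/Operational" EventID=7 AND Image="*\\Battle.net.exe" AND ImageLoaded="*\\profapi.dll" AND NOT ImageLoaded="C:\\Windows\\System32\\*" AND NOT ImageLoaded="C:\\Windows\\SysWOW64\\*"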
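The Sysmon Event ID 7 indicator above, as an added example (not part of the original entry and not vendor code): a triage script that flags Battle.net.exe loading profapi.dll from outside the Windows system directories, or an unsigned copy inside them. The JSON-lines export layout, the default C:\Windows location and the sample records are assumptions constructed for illustration.

```python
import json
import ntpath  # Windows path rules on any OS, so exported logs can be triaged offline

# Assumption: default install, where Windows ships profapi.dll in these directories.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _norm(path):
    # Collapse ".." segments and fold case so disguised paths compare equal.
    return ntpath.normcase(ntpath.normpath(path))

def classify(event):
    """Return a reason if a Sysmon Event ID 7 record looks like the hijack, else None."""
    if event.get("EventID") != 7:
        return None
    image = _norm(event.get("Image", ""))
    loaded = _norm(event.get("ImageLoaded", ""))
    if ntpath.basename(image) != "battle.net.exe":
        return None
    if ntpath.basename(loaded) != "profapi.dll":
        return None
    if ntpath.dirname(loaded) not in TRUSTED_DIRS:
        return "profapi.dll loaded from " + ntpath.dirname(loaded)
    if str(event.get("Signed", "")).lower() != "true":
        return "unsigned profapi.dll in a system directory"
    return None

def scan(lines):
    """Return [(UtcTime, reason)] for suspicious JSON-encoded events, one per line."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reason = classify(event)
        if reason:
            hits.append((event.get("UtcTime"), reason))
    return hits

def _sample(time, image, loaded, signed="true"):
    # Constructed record holding only the Event ID 7 fields the check reads.
    return json.dumps({"EventID": 7, "UtcTime": time, "Image": image,
                       "ImageLoaded": loaded, "Signed": signed})

CLIENT = r"C:\Program Files (x86)\Battle.net\Battle.net.exe"
SAMPLE_EVENTS = [  # constructed, not captured from a real host
    _sample("2025-01-01 10:00:00.000", CLIENT, r"C:\Windows\SysWOW64\profapi.dll"),
    _sample("2025-01-01 10:05:00.000", CLIENT,
            r"C:\Program Files (x86)\Battle.net\profapi.dll", "false"),
    _sample("2025-01-01 10:06:00.000", CLIENT, r"C:\Windows\System32\..\Temp\PROFAPI.DLL"),
    _sample("2025-01-01 10:07:00.000", r"C:\Windows\notepad.exe", r"C:\Temp\profapi.dll"),
]

if __name__ == "__main__":
    for when, why in scan(SAMPLE_EVENTS):
        print(when, why)
```

Event ID 4688 records process creation and does not list loaded modules, so the check works from image-load events only; Sysmon must be configured to log ImageLoad for Battle.net.exe for these records to exist.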