CVE-2025-20094

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code with SYSTEM privileges by sending specially crafted messages to a specific Windows process in Defense Platform Home Edition. It affects all users running version 3.9.51.x or earlier on Windows systems. The root cause is an unprotected Windows messaging channel, the class of issue known as a 'Shatter' attack, which enables privilege escalation to the highest system level.

💻 Affected Systems

Products:
  • Defense Platform Home Edition
Versions: 3.9.51.x and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the Windows system where the software is installed. The specific vulnerable process must be running.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with SYSTEM privileges, allowing complete control over the Windows system, data theft, persistence installation, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation from a lower-privileged user account to SYSTEM, enabling installation of malware, credential harvesting, and disabling security controls.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege principles, and endpoint protection are in place, though local exploitation risk remains.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to send messages to the vulnerable process. The 'Shatter' attack technique is well-documented in Windows security literature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.9.52 or later

Vendor Advisory: https://www.hummingheads.co.jp/dep/storelist/

Restart Required: Yes

Instructions:

1. Download the latest version from the vendor website.
2. Uninstall the current version.
3. Install the updated version.
4. Restart the system.

🔧 Temporary Workarounds

Disable vulnerable service

Stop and disable the specific Defense Platform process that handles Windows messages

sc stop "DefensePlatformService"
sc config "DefensePlatformService" start= disabled

Apply Windows message filtering

Use Windows security policies or third-party tools to filter messages to the vulnerable process

🧯 If You Can't Patch

  • Implement strict least privilege principles to limit local user access
  • Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process behavior

🔍 How to Verify

Check if Vulnerable:

Check the installed version of Defense Platform Home Edition in Control Panel > Programs and Features

Check Version:

wmic product where name="Defense Platform Home Edition" get version

Verify Fix Applied:

Verify the version is 3.9.52 or later and test message handling functionality
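The version check above can be scripted for fleet inventory. The following PowerShell is an added example, not vendor code: it reads the standard Uninstall registry keys and compares the installed version against the fixed version 3.9.52 stated on this page. It assumes the installer registers a DisplayName containing "Defense Platform Home Edition"; the function name Get-DepExposure is hypothetical.

```powershell
# Added example (not vendor code): flag hosts still running a version
# of Defense Platform Home Edition older than the fixed release.
# Assumption: the product's DisplayName in the Uninstall keys contains
# the name used on this page.
$ProductName  = 'Defense Platform Home Edition'
$FixedVersion = [version]'3.9.52'   # first fixed version per this page

# Standard per-machine uninstall locations (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DepExposure {
    param(
        [string]  $Name  = $ProductName,
        [version] $Fixed = $FixedVersion
    )
    $found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "*$Name*" }

    foreach ($entry in $found) {
        $raw    = [string]$entry.DisplayVersion
        $parsed = $null
        if ([version]::TryParse($raw, [ref]$parsed)) {
            # 3.9.51.x sorts below 3.9.52, so every affected build is caught.
            $status = if ($parsed -lt $Fixed) { 'VULNERABLE' } else { 'FIXED' }
        } else {
            # Do not guess: report versions that cannot be compared.
            $status = 'UNKNOWN'
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            DisplayName = $entry.DisplayName
            Version     = $raw
            Status      = $status
        }
    }
}

$result = @(Get-DepExposure)
if ($result.Count -eq 0) {
    Write-Output "$ProductName not found in per-machine uninstall keys."
} else {
    $result | Format-Table -AutoSize
}
```

Reading the registry avoids the Win32_Product class behind "wmic product", which can trigger an MSI consistency check on every installed package when queried.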

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation with SYSTEM privileges
  • Suspicious Windows message sending events in application logs

Network Indicators:

  • Local inter-process communication anomalies

SIEM Query:

Process Creation where Parent Process contains "Defense" AND Integrity Level="System"
