CVE-2025-23385
📋 TL;DR
This vulnerability allows local privilege escalation via the ETW Host Service in JetBrains development tools. Attackers with initial access to a system could elevate privileges to gain higher-level permissions. Users of affected JetBrains products on Windows systems are at risk.
💻 Affected Systems
- JetBrains ReSharper
- JetBrains Rider
- JetBrains dotTrace
- ETW Host Service
📦 What is this software?
dotTrace by JetBrains
ReSharper by JetBrains
Rider by JetBrains
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could gain SYSTEM/administrator privileges, enabling complete system compromise, data theft, and persistence establishment.
Likely Case
Malicious users or malware with initial foothold could escalate privileges to bypass security controls and install additional payloads.
If Mitigated
With proper privilege separation and endpoint protection, exploitation attempts would be detected or blocked, limiting impact to isolated processes.
🎯 Exploit Status
Requires local access and knowledge of the vulnerability. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ReSharper 2024.3.4/2024.2.8/2024.1.7; Rider 2024.3.4/2024.2.8/2024.1.7; dotTrace 2024.3.4/2024.2.8/2024.1.7; ETW Host Service 16.43
Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/
Restart Required: No
Instructions:
1. Open the affected JetBrains IDE.
2. Navigate to Help > Check for Updates.
3. Install available updates.
4. For ETW Host Service, update through JetBrains Toolbox or download from the vendor site.
🔧 Temporary Workarounds
Disable ETW Host Service
Windows: Temporarily disable the vulnerable ETW Host Service component
sc stop "JetBrains ETW Host Service"
sc config "JetBrains ETW Host Service" start= disabled
Restrict Service Permissions
Windows: Modify service permissions to prevent unauthorized access
sc sdset "JetBrains ETW Host Service" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
🧯 If You Can't Patch
- Implement strict endpoint privilege management to limit local user rights
- Deploy application control policies to restrict execution of unauthorized processes
🔍 How to Verify
Check if Vulnerable:
Check installed versions of JetBrains products and ETW Host Service against affected versions list
Check Version:
For ReSharper/Rider/dotTrace: Check About dialog in IDE. For ETW Host Service: sc qc "JetBrains ETW Host Service"
Verify Fix Applied:
Verify product versions show patched versions and ETW Host Service version is 16.43 or higher
📡 Detection & Monitoring
Log Indicators:
- Unexpected service starts/stops of JetBrains ETW Host Service
- Privilege escalation attempts in Windows Security logs
- Unusual process creation from JetBrains components
Network Indicators:
- Local service communication anomalies
SIEM Query:
EventID=4688 AND (NewProcessName LIKE '%JetBrains%' OR ParentProcessName LIKE '%JetBrains%') AND IntegrityLevelChanged
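Event 4688 carries no "integrity level changed" field, so the condition in the query has to be derived by comparing each new process's MandatoryLabel with that of the process that created it. The Python below is an added example of that correlation, not code from JetBrains or from this page's source; the host name, file paths and sample events are constructed, and the helper names are hypothetical.

```python
# Added example: correlate Windows Security 4688 events to find integrity-level raises.
# Field names follow event 4688; the sample events and file paths are constructed.
INTEGRITY = {"S-1-16-4096": 1,    # Low
             "S-1-16-8192": 2,    # Medium
             "S-1-16-8448": 3,    # Medium Plus
             "S-1-16-12288": 4,   # High
             "S-1-16-16384": 5}   # System

def find_integrity_raises(events, marker="jetbrains"):
    """Return (parent_image, child_image, parent_label, child_label) for every
    process creation tied to a JetBrains path where the new process has a
    higher mandatory label than the process that created it."""
    seen = {}  # (host, pid) -> (image, label) of the latest process seen with that pid
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4688:
            continue
        host, image, label = ev["Computer"], ev["NewProcessName"], ev["MandatoryLabel"]
        parent = seen.get((host, ev["ProcessId"]))   # ProcessId is the creator's PID
        seen[(host, ev["NewProcessId"])] = (image, label)
        if parent is None:
            continue  # creator started outside the log window, nothing to compare
        p_image, p_label = parent
        old, new = INTEGRITY.get(p_label), INTEGRITY.get(label)
        related = marker in image.lower() or marker in p_image.lower()
        if related and old and new and new > old:
            hits.append((p_image, image, p_label, label))
    return hits

def make_event(time, pid, image, label, creator):
    """Build one constructed 4688 record with only the fields used above."""
    return {"EventID": 4688, "Computer": "WS01", "TimeCreated": time, "NewProcessId": pid,
            "NewProcessName": image, "MandatoryLabel": label, "ProcessId": creator}

RIDER = r"C:\Program Files\JetBrains\Rider\bin\rider64.exe"   # constructed path
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed events, not taken from a real incident
    make_event("2025-01-01T10:00:00Z", "0x1a2c", r"C:\Windows\explorer.exe", "S-1-16-8192", "0x400"),
    make_event("2025-01-01T10:01:00Z", "0x2b10", RIDER, "S-1-16-8192", "0x1a2c"),
    make_event("2025-01-01T10:02:00Z", "0x3c44", CMD, "S-1-16-16384", "0x2b10"),
    make_event("2025-01-01T10:03:00Z", "0x4d58", r"C:\Windows\System32\notepad.exe", "S-1-16-8192", "0x1a2c"),
]

if __name__ == "__main__":
    for hit in find_integrity_raises(SAMPLE_EVENTS):
        print("integrity raise:", hit)
```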