CVE-2025-24072

Q: What is the severity of CVE-2025-24072?

CVE-2025-24072 has a CVSS score of 7.8 (HIGH). CVE-2025-24072 is a use-after-free vulnerability in Microsoft's Local Security Authority Server (lsasrv) that allows authenticated attackers to elevate privileges locally. This affects Windows systems where an attacker with valid credentials can exploit the flaw to gain SYSTEM-level access. The vulnerability requires local access and authentication to exploit.

7.8 HIGH

📋 TL;DR

CVE-2025-24072 is a use-after-free vulnerability in Microsoft's Local Security Authority Server (lsasrv) that allows authenticated attackers to elevate privileges locally. This affects Windows systems where an attacker with valid credentials can exploit the flaw to gain SYSTEM-level access. The vulnerability requires local access and authentication to exploit.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Specific versions not yet detailed in public advisory

Operating Systems: Windows Server, Windows Client

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with Local Security Authority Server running. Exact Windows versions will be specified in Microsoft's security update.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker gains SYSTEM privileges, enabling complete system compromise, credential theft, persistence establishment, and lateral movement across the network.

🟠

Likely Case

An authenticated user with standard privileges escalates to SYSTEM to install malware, disable security controls, or access sensitive data on the compromised system.

🟢

If Mitigated

With proper privilege separation and endpoint protection, exploitation may be detected and blocked, limiting damage to the initial system.

🌐 Internet-Facing: LOW - This vulnerability requires local authentication and cannot be exploited remotely over the internet.

🏢 Internal Only: HIGH - Internal attackers with valid credentials can exploit this to gain complete control of Windows systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authenticated access and understanding of Windows security subsystem internals. No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: To be determined from Microsoft's monthly security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24072

Restart Required: No

Instructions:

1. Check Microsoft's security update guide for CVE-2025-24072. 2. Apply the corresponding Windows security update through Windows Update or WSUS. 3. Verify the update installed successfully.

🔧 Temporary Workarounds

Restrict local administrative access

all

Limit the number of users with local administrative privileges to reduce attack surface

🧯 If You Can't Patch

Implement strict least privilege access controls and monitor for privilege escalation attempts
Deploy endpoint detection and response (EDR) solutions configured to alert on lsass.exe anomalies

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for the specific KB number associated with CVE-2025-24072 or use Microsoft's security update guide

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the security update is installed via 'Get-Hotfix' in PowerShell or check Windows Update history

📡 Detection & Monitoring

Log Indicators:

Unusual lsass.exe process behavior in Windows Security logs
Event ID 4688 showing unexpected process creation from lsass
Privilege escalation attempts in security audit logs

Network Indicators:

Not applicable - local exploitation only

SIEM Query:

source="WinEventLog:Security" (EventCode=4688 AND NewProcessName="*lsass.exe*") OR (EventCode=4672 AND PrivilegeList="SeDebugPrivilege")

📊 Metadata

CVE ID: CVE-2025-24072

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.24% exploit probability (46.5th percentile)

Published: March 11, 2025

Last Updated: July 7, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24072 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local administrative access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities