CVE-2025-26665

Q: What is the severity of CVE-2025-26665?

CVE-2025-26665 has a CVSS score of 7.0 (HIGH). This vulnerability in Windows upnphost.dll allows local attackers with valid credentials to access improperly locked memory containing sensitive data, enabling privilege escalation. It affects Windows systems with the Universal Plug and Play service enabled. Attackers must already have some level of access to the system to exploit this flaw.

7.0 HIGH

📋 TL;DR

This vulnerability in Windows upnphost.dll allows local attackers with valid credentials to access improperly locked memory containing sensitive data, enabling privilege escalation. It affects Windows systems with the Universal Plug and Play service enabled. Attackers must already have some level of access to the system to exploit this flaw.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Specific versions not yet detailed in public advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Universal Plug and Play (UPnP) service to be enabled. Many enterprise environments may have this disabled by policy.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated attacker gains SYSTEM-level privileges, allowing complete system compromise, data theft, persistence establishment, and lateral movement across the network.

🟠

Likely Case

An attacker with standard user privileges elevates to administrative rights, enabling installation of malware, configuration changes, and access to sensitive data.

🟢

If Mitigated

With proper access controls and monitoring, exploitation attempts are detected and contained before significant damage occurs.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Internal attackers with valid credentials can exploit this to gain elevated privileges on Windows workstations and servers.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local authenticated access and knowledge of memory manipulation techniques. No public exploits available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26665

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates from Microsoft Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Restart affected systems to complete installation.

🔧 Temporary Workarounds

Disable Universal Plug and Play Service

windows

Disables the vulnerable service to prevent exploitation

sc config upnphost start= disabled
sc stop upnphost

Restrict Service Permissions

windows

Limit who can interact with the UPnP service

sc sdset upnphost D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

Disable Universal Plug and Play service on all affected systems
Implement strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if upnphost service is running: sc query upnphost

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains the relevant security patch and upnphost service is either patched or disabled

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with upnphost.exe parent process
Unexpected privilege escalation events
Access violations in upnphost.dll

Network Indicators:

Unusual UPnP service activity from non-standard sources

SIEM Query:

source="windows" AND (process_name="upnphost.exe" AND (event_id=4688 OR event_id=4672))

📊 Metadata

CVE ID: CVE-2025-26665

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-591

EPSS Score: 0.2% exploit probability (42.3th percentile)

Published: April 8, 2025

Last Updated: July 9, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26665 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Universal Plug and Play Service

Restrict Service Permissions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities