CVE-2025-26678
📋 TL;DR
CVE-2025-26678 is an improper access control vulnerability in Windows Defender Application Control (WDAC) that allows local attackers to bypass security restrictions. This affects Windows systems using WDAC policies for application control. Attackers could execute unauthorized code despite WDAC protections.
💻 Affected Systems
- Windows Defender Application Control (WDAC)
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete local privilege escalation leading to full system compromise, persistence establishment, and lateral movement within the network.
Likely Case
Local attackers bypass application control policies to execute malicious software, install unauthorized applications, or evade security monitoring.
If Mitigated
Limited impact with proper network segmentation, least privilege principles, and additional security controls in place.
🎯 Exploit Status
Requires local access and some technical knowledge of WDAC bypass techniques. No public exploit code available at initial disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26678
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft.
2. For WDAC-managed systems, ensure policies are updated after patching.
3. Restart affected systems to complete installation.
🔧 Temporary Workarounds
Temporarily disable WDAC
Disable WDAC policies until patching can be completed (increases risk of other attacks). On Windows 11 22H2 and later, list the active policies and remove the relevant one by its GUID with CiTool; on earlier builds, delete the policy file under C:\Windows\System32\CodeIntegrity (SIPolicy.p7b, or CiPolicies\Active\{PolicyGUID}.cip in multiple-policy format) and reboot. A signed policy cannot be removed this way; it must first be replaced by a signed policy update that sets the "Enabled:Unsigned System Integrity Policy" option.
CiTool --list-policies
CiTool --remove-policy "{PolicyGUID}"
Implement additional application control layers
Use AppLocker or third-party application control alongside WDAC for defense in depth
🧯 If You Can't Patch
- Implement strict network segmentation to limit lateral movement from compromised systems
- Enforce least privilege access controls and monitor for unusual local privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether WDAC policy enforcement is enabled on the host and compare the Windows build number against the patched builds listed in the Microsoft advisory
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains the relevant security update and test WDAC policy enforcement
📡 Detection & Monitoring
Log Indicators:
- Windows Security logs showing WDAC policy bypass events
- Event ID 3076/3077 in Application logs indicating policy violations
Network Indicators:
- Unusual outbound connections from systems with WDAC policies after local compromise
SIEM Query:
EventID=3076 OR EventID=3077 | where ProcessName contains suspicious executable names
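The version check, WDAC-state check and event review from the "How to Verify" and "Detection & Monitoring" sections above, as an added PowerShell script that is not part of this advisory page. It reads the Win32_DeviceGuard class, the CurrentVersion registry key and the Microsoft-Windows-CodeIntegrity/Operational channel, where events 3076 (audit mode) and 3077 (enforced block) are written; $PatchedUbr is a placeholder for the fixed update build revision, which the page does not give, and the FileNameBuffer/ProcessNameBuffer names are taken from the CodeIntegrity event template.

```powershell
# Added example: report WDAC enforcement state, OS build/UBR, and recent
# CodeIntegrity block events (3076 audit-mode / 3077 enforced) on one host.
# Run from an elevated PowerShell session on the system being checked.
param(
    [int]$PatchedUbr = -1,   # placeholder: UBR of the fixing cumulative update (not given on the page)
    [int]$Hours = 24         # look-back window for CodeIntegrity events
)

# 1. WDAC enforcement state from Win32_DeviceGuard (0 = off, 1 = audit, 2 = enforced)
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$modes = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$kernelMode = $modes[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
$userMode   = $modes[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
Write-Host "WDAC kernel-mode policy: $kernelMode; user-mode policy: $userMode"

# 2. OS build plus update build revision (UBR); the UBR changes with each cumulative update
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Write-Host "OS: $($cv.ProductName) $($cv.DisplayVersion) build $($cv.CurrentBuildNumber).$($cv.UBR)"
if ($PatchedUbr -ge 0) {
    # Only meaningful when $PatchedUbr is the fixed revision for this same OS build
    $state = if ([int]$cv.UBR -ge $PatchedUbr) { 'at or above' } else { 'BELOW' }
    Write-Host "UBR is $state the advisory's fixed revision $PatchedUbr for this build"
}

# 3. Recent WDAC block events from the CodeIntegrity operational channel
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    # EventData carries the blocked file and the process that tried to load it
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 3077) { 'Enforced block' } else { 'Audit (would block)' }
        File    = $data['FileNameBuffer']
        Process = $data['ProcessNameBuffer']
    }
}
if ($rows) { $rows | Sort-Object Time -Descending | Format-Table -AutoSize }
else { Write-Host "No CodeIntegrity 3076/3077 events in the last $Hours hours" }
```

A steady stream of 3076 events on a host whose user-mode policy reports Audit means the policy is not yet enforcing; after patching, re-run the script to confirm the enforcement state and that expected test blocks still appear as 3077.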