CVE-2025-27713
📋 TL;DR
This vulnerability is an out-of-bounds write in Intel QAT Windows software that allows authenticated local attackers to escalate privileges. It affects systems running vulnerable versions of Intel QAT software on Windows. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Intel QuickAssist Technology (QAT) Windows software
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, allowing data theft, system modification, and persistence.
Likely Case
Local privilege escalation enabling attackers to bypass security controls and access sensitive resources.
If Mitigated
Limited impact if proper access controls and monitoring are in place, though privilege escalation remains possible.
🎯 Exploit Status
Intel describes this as a high complexity attack requiring authenticated user access and local system access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.0 or later
Vendor Advisory: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01373.html
Restart Required: Yes
Instructions:
1. Download Intel QAT software version 2.6.0 or later from Intel's website
2. Run the installer with administrative privileges
3. Follow installation prompts
4. Restart the system when prompted
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local access to systems with vulnerable Intel QAT software to trusted users only
Disable QAT if Not Required
Windows: Uninstall or disable Intel QAT software if not actively needed for system functionality
Control Panel > Programs > Uninstall a program > Select Intel QAT > Uninstall
🧯 If You Can't Patch
- Implement strict access controls to limit local system access to trusted users only
- Monitor for unusual privilege escalation attempts and system modifications
🔍 How to Verify
Check if Vulnerable:
Check the Intel QAT software version in Control Panel > Programs and Features, or via PowerShell:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Intel*QAT*'} | Select-Object Name, Version
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Intel*QAT*'} | Select-Object Name, Version
Verify Fix Applied:
Verify installed version is 2.6.0 or higher using the same version check command
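The version check above, as an added example (not code from this page or from Intel): it reads the Uninstall registry keys instead of Win32_Product, since querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, and it compares each result against 2.6.0. The display-name patterns are assumptions; adjust them to the name shown in Programs and Features.

```powershell
# Added example: report whether installed Intel QAT packages are at or above 2.6.0.
# Assumption: display-name patterns; the first mirrors the filter used on this page.
$NamePatterns = @('*Intel*QAT*', '*Intel*QuickAssist*')
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-NormalizedVersion {
    param([string]$Text)
    # Keep the leading dotted-numeric part and pad to four fields, because
    # [version]'2.6' compares as LOWER than [version]'2.6.0' (missing fields are -1).
    if ($Text -notmatch '^\s*(\d+(?:\.\d+){0,3})') { return $null }
    $parts = @($Matches[1].Split('.'))
    while ($parts.Count -lt 4) { $parts += '0' }
    return [version]($parts -join '.')
}

$Fixed = ConvertTo-NormalizedVersion '2.6.0'   # fixed release stated on this page

# Collect 64-bit and 32-bit uninstall entries whose name matches a pattern.
$entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.DisplayName
        $name -and ($NamePatterns | Where-Object { $name -like $_ })
    }

$report = foreach ($entry in $entries) {
    $parsed = ConvertTo-NormalizedVersion $entry.DisplayVersion
    if ($null -eq $parsed) {
        $status = 'UNKNOWN (version not parseable, check manually)'
    } elseif ($parsed -ge $Fixed) {
        $status = 'Fixed'
    } else {
        $status = 'VULNERABLE (below 2.6.0)'
    }
    [pscustomobject]@{
        Name    = $entry.DisplayName
        Version = $entry.DisplayVersion
        Status  = $status
    }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    'No Intel QAT entry found under the Uninstall registry keys.'
}
```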
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Process creation with elevated privileges from non-admin users
- Intel QAT service crashes or unusual behavior
Network Indicators:
- Local privilege escalation typically doesn't generate network indicators
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%' AND SubjectUserName NOT IN (admin_users_list) AND TokenElevationType=%%1937