CVE-2025-27997

8.4 HIGH

📋 TL;DR

This vulnerability in Blizzard Battle.net allows attackers to escalate privileges by placing a malicious script or executable in the C:\ProgramData directory. Attackers could gain elevated system access by exploiting improper permissions. All users running the vulnerable version on Windows are affected.

💻 Affected Systems

Products:
  • Blizzard Battle.net
Versions: v2.40.0.15267
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Windows OS and the vulnerable Battle.net version. Attackers need the ability to write to the C:\ProgramData directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative privileges, allowing installation of persistent malware, data theft, and complete control over the affected system.

🟠 Likely Case

Local privilege escalation leading to unauthorized software installation, system configuration changes, and lateral movement within the network.

🟢 If Mitigated

Limited impact with proper file system permissions and user account controls preventing unauthorized write access to ProgramData.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access or social engineering to execute.
🏢 Internal Only: HIGH - Malicious insiders or compromised user accounts could exploit this to gain elevated privileges on workstations.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit involves placing crafted files in a specific directory. It requires some level of initial access to the system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Monitor Blizzard's official channels for security updates. Check for newer Battle.net versions and apply when available.

🔧 Temporary Workarounds

Restrict ProgramData Directory Permissions

windows

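Modify NTFS permissions on C:\ProgramData to prevent unauthorized write access. Deny entries take precedence over allow entries, and with (OI)(CI) they are inherited by every subfolder and file, so test on a non-production machine first: other software that writes under C:\ProgramData is affected as well.

icacls "C:\ProgramData" /deny "Users:(OI)(CI)W"
icacls "C:\ProgramData" /deny "Authenticated Users:(OI)(CI)W"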

Enable Controlled Folder Access

windows

Use Windows Defender's Controlled Folder Access to protect critical directories

Set-MpPreference -EnableControlledFolderAccess Enabled

🧯 If You Can't Patch

  • Implement strict file system permissions on the C:\ProgramData directory
  • Use application whitelisting to prevent execution of unauthorized scripts/executables

🔍 How to Verify

Check if Vulnerable:

Check Battle.net version in application settings or via 'Battle.net.exe --version' command. Verify if version is 2.40.0.15267.

Check Version:

"C:\Program Files (x86)\Battle.net\Battle.net.exe" --version

Verify Fix Applied:

Update to a version newer than 2.40.0.15267 and verify permissions on the C:\ProgramData directory.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file creation in C:\ProgramData directory
  • Battle.net process spawning unexpected child processes
  • Privilege escalation events in Windows Security logs

Network Indicators:

  • Unusual outbound connections from Battle.net process
  • Command and control traffic following privilege escalation

SIEM Query:

EventID=4688 AND ProcessName LIKE '%Battle.net%' AND NewProcessName NOT IN ('expected_processes')
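
The log indicators and query above, applied to exported process-creation events, as an added example that is not part of the original advisory. It assumes events are available as dictionaries keyed by the Windows Security 4688 field names (ParentProcessName, NewProcessName, TokenElevationType); the allowlist entry `expected_helper.exe` is a placeholder and the sample events are constructed.

```python
import ntpath

PARENT_IMAGE = "battle.net.exe"
# Placeholder allowlist (assumption): build it from a baseline of your own fleet.
EXPECTED_CHILDREN = {"battle.net.exe", "expected_helper.exe"}
PROGRAMDATA = "c:\\programdata\\"
ELEVATED_TOKEN = "%%1937"  # 4688 TokenElevationType value for a full (elevated) token


def triage(events):
    """Return (NewProcessName, reasons) for suspicious children of Battle.net."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        parent = ntpath.basename(ev.get("ParentProcessName", "")).lower()
        if parent != PARENT_IMAGE:
            continue
        # normpath collapses "..\" segments so a relative detour cannot hide the real folder
        image = ntpath.normpath(ev.get("NewProcessName", ""))
        reasons = []
        if ntpath.basename(image).lower() not in EXPECTED_CHILDREN:
            reasons.append("child not in allowlist")
        if image.lower().startswith(PROGRAMDATA):
            reasons.append("image runs from C:\\ProgramData")
        if reasons and ev.get("TokenElevationType") == ELEVATED_TOKEN:
            reasons.append("elevated token")
        if reasons:
            findings.append((image, reasons))
    return findings


BNET = r"C:\Program Files (x86)\Battle.net\Battle.net.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": BNET, "TokenElevationType": "%%1938",
     "NewProcessName": r"C:\Program Files (x86)\Battle.net\expected_helper.exe"},
    {"EventID": 4688, "ParentProcessName": BNET, "TokenElevationType": "%%1937",
     "NewProcessName": r"C:\ProgramData\planted.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "TokenElevationType": "%%1938", "NewProcessName": r"C:\ProgramData\other.exe"},
    {"EventID": 4624, "ParentProcessName": BNET, "NewProcessName": ""},
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

An allowlisted file name running from C:\ProgramData is still reported, because the name check and the path check are independent.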
