CVE-2025-29975
📋 TL;DR
This vulnerability allows an authorized attacker to exploit improper link resolution in Microsoft PC Manager to elevate privileges locally. Attackers can manipulate symbolic links or junctions to access files they shouldn't, potentially gaining higher system privileges. This affects users running vulnerable versions of Microsoft PC Manager on Windows systems.
💻 Affected Systems
- Microsoft PC Manager
📦 What is this software?
Microsoft PC Manager, a Windows system utility published by Microsoft.
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains SYSTEM-level privileges, enabling complete system compromise, installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local authenticated user elevates to administrator privileges, allowing installation of unauthorized software, modification of system settings, and access to sensitive data.
If Mitigated
With proper access controls and monitoring, impact limited to isolated system compromise that can be quickly detected and contained.
🎯 Exploit Status
Exploitation requires local authenticated access and knowledge of link following techniques. No public exploit code has been reported as of the advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Update for latest PC Manager version
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29975
Restart Required: Yes
Instructions:
1. Open Microsoft PC Manager.
2. Check for updates in Settings.
3. Install the available updates.
4. Restart the system.
Alternatively, use Windows Update to ensure all Microsoft software is current.
🔧 Temporary Workarounds
Disable Microsoft PC Manager
Temporarily disable the Microsoft PC Manager service to prevent exploitation:
sc stop "Microsoft PC Manager"
sc config "Microsoft PC Manager" start= disabled
Restrict symbolic link creation
Configure Windows to restrict who can create symbolic links:
secedit /export /cfg secpol.cfg
Edit secpol.cfg so that the 'Create symbolic links' user right (SeCreateSymbolicLinkPrivilege) is assigned only to the groups that need it.
secedit /configure /db secpol.sdb /cfg secpol.cfg
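The export / edit / configure sequence above, scripted end to end, as an added example that is not part of the advisory: it assigns SeCreateSymbolicLinkPrivilege to the built-in Administrators group only (SID S-1-5-32-544) and reads the policy back to confirm. The temp file paths and the Administrators-only choice are assumptions made here; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the advisory): restrict SeCreateSymbolicLinkPrivilege to
# Administrators (S-1-5-32-544) with secedit. Run as Administrator.
# Assumed: temp file locations and the Administrators-only policy are choices made here.

$cfg     = Join-Path $env:TEMP 'secpol.cfg'
$db      = Join-Path $env:TEMP 'secpol.sdb'
$desired = 'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544'

# 1. Export only the user-rights area so the later /configure touches nothing else.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

# secedit writes UTF-16 with a BOM, which Get-Content detects automatically.
$lines = [System.Collections.Generic.List[string]](Get-Content -Path $cfg)

# 2. Replace the existing assignment, or add it under [Privilege Rights] if absent.
$idx = ($lines | Select-String '^\s*SeCreateSymbolicLinkPrivilege\s*=' |
        Select-Object -First 1).LineNumber
if ($idx) {
    Write-Host "Current: $($lines[$idx - 1])"
    $lines[$idx - 1] = $desired
} else {
    $hdr = ($lines | Select-String '^\[Privilege Rights\]' | Select-Object -First 1).LineNumber
    if (-not $hdr) { $lines.Add('[Privilege Rights]'); $hdr = $lines.Count }
    $lines.Insert($hdr, $desired)   # LineNumber is 1-based, so this lands right after the header
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# 3. Apply. secedit creates the database if it does not exist yet.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null

# 4. Re-export and check that the assignment now reads as intended.
$check = Join-Path $env:TEMP 'secpol-verify.cfg'
secedit /export /cfg $check /areas USER_RIGHTS | Out-Null
$applied = Get-Content -Path $check | Select-String '^\s*SeCreateSymbolicLinkPrivilege'
Write-Host "Applied: $applied"

Remove-Item $cfg, $db, $check -ErrorAction SilentlyContinue
```

This right governs only NTFS symbolic links; directory junctions and mount points can be created without it, so treat the change as narrowing the link-following path rather than closing it until the patch is installed.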
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit who has local access to systems
- Enable detailed auditing of file system access and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Microsoft PC Manager version in Settings > About. Compare with patched version mentioned in Microsoft advisory.
Check Version:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion | Where-Object {$_.DisplayName -like "*PC Manager*"}
Verify Fix Applied:
Verify Microsoft PC Manager has been updated to latest version and system has been restarted after update.
📡 Detection & Monitoring
Log Indicators:
- Windows Security Event ID 4688 (process creation) showing PC Manager processes with unusual parent processes
- Event ID 4656 (file system access) showing access to sensitive locations via symbolic links
Network Indicators:
- No network indicators - this is a local privilege escalation
SIEM Query:
source="Windows Security" (EventID=4688 AND ProcessName="*PCManager*" AND ParentProcessName NOT IN ("explorer.exe", "svchost.exe")) OR (EventID=4656 AND ObjectName="*\??\*" AND AccessMask="0x100000")