CVE-2025-50174

7.0 HIGH

📋 TL;DR

CVE-2025-50174 is a use-after-free vulnerability in the Windows Device Association Broker service. A local, authenticated attacker who can trigger it may execute arbitrary code in the service's context and so gain elevated privileges; it is not reachable without prior access to the host. Successful exploitation can lead to complete system compromise.

💻 Affected Systems

Products:
  • Windows Device Association Broker service
Versions: Specific Windows versions as detailed in Microsoft advisory
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Windows Device Association Broker service to be running (default on most Windows installations).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with SYSTEM privileges, enabling installation of malware, data theft, and persistence mechanisms.

🟠 Likely Case

Privilege escalation from a standard user account to SYSTEM or administrator level, allowing lateral movement and further compromise.

🟢 If Mitigated

Limited impact if proper access controls, least privilege principles, and endpoint protection are in place.

🌐 Internet-Facing: LOW - Requires local access and authentication, not directly exploitable over network.
🏢 Internal Only: HIGH - Any authenticated user on a vulnerable system could potentially exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local authenticated access and specific conditions to trigger the use-after-free condition.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-50174

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft Update.
2. Restart the system if required.
3. Verify patch installation via Windows Update history.

🔧 Temporary Workarounds

Disable Device Association Broker service (windows)

Disables the vulnerable service so its code cannot be reached. DeviceAssociationBrokerSvc is a per-user service template: running instances are named DeviceAssociationBrokerSvc_<suffix>, so the config change applies at the next logon while "sc stop" on the bare template name reports that the service is not running. Stop the suffixed instances (list them with "sc query" or "tasklist /svc") or have users log off. Apps that pair devices through this service will not work while it is disabled.

sc config DeviceAssociationBrokerSvc start= disabled
sc stop DeviceAssociationBrokerSvc

Restrict service permissions (windows)

Limits who can control the service through the Service Control Manager. The descriptor below is the stock Windows service security descriptor (SYSTEM and Administrators full control; Interactive and Service users may only query and interrogate), so applying it only removes extra grants that may have been added. It governs SCM operations such as start and stop, not the local RPC interface the running service exposes, so it does not stop a standard user from talking to the service; treat it as hygiene, not as a fix for this bug.

sc sdset DeviceAssociationBrokerSvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
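The disable workaround as an elevated PowerShell script, added here as an example and not taken from the advisory: it stops the live per-user instances (which carry a suffix, so the bare template name is not enough), disables the template, confirms the change in the registry, and can revert. The template name, the suffix convention, and the assumption that the pre-change start type was Manual are assumptions; check the latter on a known-good host before reverting.

```powershell
# Added example (not from the advisory): disable the Device Association Broker
# per-user service template and stop any running per-user instances.
# Assumptions: the template is DeviceAssociationBrokerSvc, running instances are
# named DeviceAssociationBrokerSvc_<id>, and the original start type was Manual.
# Run from an elevated PowerShell session.
param(
    [switch]$Revert   # restore the template to on-demand (manual) start
)

$template = 'DeviceAssociationBrokerSvc'
$key      = "HKLM:\SYSTEM\CurrentControlSet\Services\$template"

if ($Revert) {
    # 'demand' is sc.exe's keyword for Manual start; verify this matches your baseline.
    & sc.exe config $template start= demand | Out-Null
    Write-Host "$template set back to manual (demand) start; Start=$((Get-ItemProperty $key).Start)"
    return
}

# 1. Stop live per-user instances. Stop-Service on the bare template name does nothing,
#    because the template itself never runs; only the suffixed instances do.
$instances = @(Get-Service -Name "$($template)_*" -ErrorAction SilentlyContinue)
foreach ($svc in $instances) {
    if ($svc.Status -eq 'Running') {
        Write-Host "Stopping $($svc.Name)"
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    }
}

# 2. Disable the template so new logons do not spawn fresh instances.
& sc.exe config $template start= disabled | Out-Null

# 3. Confirm: Start value 4 is SERVICE_DISABLED in the template's registry key.
$start = (Get-ItemProperty $key).Start
if ($start -eq 4) {
    $stillRunning = @(Get-Service -Name "$($template)_*" -ErrorAction SilentlyContinue |
                      Where-Object Status -eq 'Running').Count
    Write-Host "$template disabled; running instances remaining: $stillRunning"
} else {
    Write-Warning "Start value is $start, expected 4 (disabled)."
}
```

Run it as `.\Disable-DabBroker.ps1` to apply and `.\Disable-DabBroker.ps1 -Revert` after patching; instances stopped with `-Force` will not come back until the template is re-enabled and the user logs on again.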

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles
  • Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history (Settings > Windows Update > Update history, or Get-HotFix) for the KB that Microsoft lists for CVE-2025-50174. A host on an affected version without that KB, with the service enabled, should be treated as vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm the KB is installed with PowerShell 'Get-HotFix -Id KB<number>' ('wmic qfe list' also works, but wmic is deprecated and absent on recent Windows 11 builds). Get-HotFix lists cumulative updates, and a later cumulative update supersedes the listed KB and carries the same fix, so if the exact KB is missing compare the OS build and UBR against the advisory before concluding the host is unpatched.
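The three checks above combined into one PowerShell report, added here as an example rather than taken from the advisory. The KB number is a parameter because this page does not state it; take it from the MSRC entry. The service template name and the per-user suffix pattern are assumptions, and the "Exposure" verdict ignores superseding cumulative updates, so compare the reported build/UBR against the advisory when the exact KB is absent.

```powershell
# Added example (not from the advisory): report OS build, broker service state,
# and whether a given KB is installed, then give a one-word exposure verdict.
# Assumptions: template name DeviceAssociationBrokerSvc, instances suffixed "_<id>";
# the KB comes from the MSRC advisory and is passed in by the caller.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d+$')]
    [string]$Kb
)

$os  = Get-CimInstance Win32_OperatingSystem
$ubr = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

# Get-HotFix accepts the KB id directly; absence may also mean a newer cumulative
# update superseded it, which this script does not resolve.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

$template  = Get-Service -Name 'DeviceAssociationBrokerSvc'   -ErrorAction SilentlyContinue
$instances = @(Get-Service -Name 'DeviceAssociationBrokerSvc_*' -ErrorAction SilentlyContinue)
$running   = @($instances | Where-Object Status -eq 'Running').Count

if ($hotfix)                                             { $exposure = 'patched' }
elseif (-not $template)                                  { $exposure = 'service not present' }
elseif ($template.StartType -eq 'Disabled')              { $exposure = 'unpatched, service disabled (workaround)' }
else                                                     { $exposure = 'UNPATCHED, service enabled' }

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    OS               = $os.Caption
    Build            = "$($os.Version).$ubr"      # e.g. 10.0.19045.1234
    KbChecked        = $Kb
    KbInstalled      = [bool]$hotfix
    KbInstalledOn    = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    ServicePresent   = [bool]$template
    StartType        = if ($template) { [string]$template.StartType } else { 'n/a' }
    RunningInstances = $running
    Exposure         = $exposure
}
```

Invoke it as `.\Check-CVE-2025-50174.ps1 -Kb KB<number>`; pipe the output through `Export-Csv` when running it across a fleet with `Invoke-Command`.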

📡 Detection & Monitoring

Log Indicators:

  • Application log Event ID 1000 (Application Error) or 1001 (Windows Error Reporting) where the faulting process is the svchost.exe instance hosting DeviceAssociationBrokerSvc; repeated crashes from one user session point to unreliable exploitation attempts against the use-after-free
  • Process creation (Security Event ID 4688 or Sysmon Event ID 1) whose parent is that svchost.exe and whose child runs as SYSTEM, especially a shell, script host, or a binary under a user's profile

Network Indicators:

  • None expected; exploitation is local and generates no network traffic of its own. Watch instead for what follows a successful escalation (new admin accounts, lateral-movement logons)

SIEM Query:

EventID=4688 AND ParentProcessName="*\svchost.exe" AND SubjectUserSid="S-1-5-18" AND (NewProcessName="*\cmd.exe" OR NewProcessName="*\powershell.exe" OR NewProcessName="*\Users\*")

The service is hosted inside svchost.exe (confirm with 'tasklist /svc'), so a ParentProcessName filter on "DeviceAssociationBroker" matches nothing. The query above is deliberately broad because svchost.exe spawning SYSTEM children is normal for several services; to pin hits to this service, correlate the 4688 creator PID (the "ProcessId" field) with the PID of the svchost.exe hosting a DeviceAssociationBrokerSvc_* instance.
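The creator-PID correlation described above as a PowerShell hunt, added here as an example and not part of the advisory. It resolves the live host PIDs of the broker instances from Win32_Service and matches them against the hex "ProcessId" field of recent 4688 events. It assumes Audit Process Creation is enabled (and command-line auditing, for the CommandLine column), that the broker runs in svchost.exe, and that instances are named DeviceAssociationBrokerSvc_<id>; because PIDs are reused, only events within the chosen window are meaningful.

```powershell
# Added example (not from the advisory): list 4688 process-creation events whose
# creator is the svchost.exe hosting a DeviceAssociationBrokerSvc_* instance.
# Assumptions: process-creation auditing is on; the broker is svchost-hosted; per-user
# instances are suffixed "_<id>". PIDs are reused, so keep the window short.
param([int]$Hours = 24)

# Host PIDs of all live broker instances (WQL LIKE with % matches the suffix).
$hostPids = @(Get-CimInstance Win32_Service `
        -Filter "Name LIKE 'DeviceAssociationBrokerSvc%' AND State = 'Running'" |
    Select-Object -ExpandProperty ProcessId |
    Where-Object { $_ -ne 0 } | Sort-Object -Unique)

if ($hostPids.Count -eq 0) {
    Write-Warning 'No running broker instance; creator PIDs in old events cannot be resolved from live state.'
    return
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the EventData by field name rather than by positional index, which varies by OS build.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4688 stores the creator PID as a hex string (e.g. 0x1a4) in the "ProcessId" field;
    # PowerShell's [int] cast understands the 0x prefix.
    $creator = [int]$d['ProcessId']
    if ($hostPids -contains $creator) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            CreatorPid  = $creator
            Parent      = $d['ParentProcessName']
            Child       = $d['NewProcessName']
            CommandLine = $d['CommandLine']
            User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Elevation   = $d['TokenElevationType']   # %%1936 = full token, %%1937 = elevated
        }
    }
}
```

A svchost.exe process may host more than one service, so review any hit against `tasklist /svc` before raising an alert; the same logic ports to Sysmon Event ID 1 by matching ParentProcessId against the host PIDs.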
