CVE-2025-54104

Q: What is the severity of CVE-2025-54104?

CVE-2025-54104 has a CVSS score of 6.7 (MEDIUM). A type confusion vulnerability in Windows Defender Firewall Service allows authenticated attackers to execute arbitrary code with elevated SYSTEM privileges. This affects Windows systems with the vulnerable firewall service component. Attackers must already have local access and some privileges to exploit this vulnerability.

6.7 MEDIUM

📋 TL;DR

A type confusion vulnerability in Windows Defender Firewall Service allows authenticated attackers to execute arbitrary code with elevated SYSTEM privileges. This affects Windows systems with the vulnerable firewall service component. Attackers must already have local access and some privileges to exploit this vulnerability.

💻 Affected Systems

Products:

Windows Defender Firewall Service

Versions: Specific versions not yet detailed in public advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Windows versions are vulnerable. The firewall service runs with SYSTEM privileges by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the affected system, data theft, and lateral movement capabilities.

🟠

Likely Case

Privilege escalation from a lower privileged account to SYSTEM, allowing installation of malware, persistence mechanisms, or credential harvesting.

🟢

If Mitigated

Limited impact if proper access controls and monitoring are in place, with potential detection of privilege escalation attempts.

🌐 Internet-Facing: LOW - This vulnerability requires local access and cannot be exploited remotely over the internet.

🏢 Internal Only: HIGH - This is a local privilege escalation vulnerability that can be exploited by authenticated attackers within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and some initial privileges. Type confusion vulnerabilities typically require specific memory manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific patch versions

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54104

Restart Required: No

Instructions:

1. Open Windows Update settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Verify the update installed successfully.

🔧 Temporary Workarounds

Restrict local access

all

Limit local user accounts and implement strict access controls to reduce attack surface

Enable Windows Defender Exploit Protection

all

Configure exploit protection settings to mitigate memory corruption attacks

🧯 If You Can't Patch

Implement strict least privilege access controls and monitor for privilege escalation attempts
Deploy application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for missing security patches related to CVE-2025-54104

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the security update is installed via Windows Update history or systeminfo command

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 with parent process as firewall service
Unexpected privilege escalation events
Firewall service crash or unexpected behavior

Network Indicators:

Unusual outbound connections from firewall service
Internal lateral movement attempts

SIEM Query:

EventID=4688 AND ParentProcessName="svchost.exe" AND CommandLine CONTAINS "mpssvc"

📊 Metadata

CVE ID: CVE-2025-54104

CVSS v3 Score: 6.7 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-843

EPSS Score: 0.19% exploit probability (40.1th percentile)

Published: September 9, 2025

Last Updated: October 2, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54104 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local access

Enable Windows Defender Exploit Protection

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities