CVE-2025-54894

Q: What is the severity of CVE-2025-54894?

CVE-2025-54894 has a CVSS score of 7.8 (HIGH). This vulnerability allows a local authenticated attacker to elevate privileges on Windows systems by exploiting a heap-based buffer overflow in the Local Security Authority Subsystem Service (LSASS). Attackers could gain SYSTEM-level privileges, potentially compromising the entire system. Only Windows systems with LSASS running are affected.

7.8 HIGH

Buffer Overflow

📋 TL;DR

This vulnerability allows a local authenticated attacker to elevate privileges on Windows systems by exploiting a heap-based buffer overflow in the Local Security Authority Subsystem Service (LSASS). Attackers could gain SYSTEM-level privileges, potentially compromising the entire system. Only Windows systems with LSASS running are affected.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022 (specific builds affected - check Microsoft advisory)

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All systems running LSASS (which is standard on Windows) are vulnerable. The vulnerability is in the LSASS process itself.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement across the network, and disabling of security controls.

🟠

Likely Case

Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security restrictions, install backdoors, or access sensitive system resources.

🟢

If Mitigated

Limited impact if proper endpoint protection, least privilege principles, and network segmentation are in place, though local compromise of the affected system would still occur.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a Windows system (through phishing, credential theft, etc.), they can exploit this to gain full control of that system.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local authenticated access and knowledge of exploitation techniques for heap-based buffer overflows. No public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft's monthly security updates for the specific KB number addressing CVE-2025-54894

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54894

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft. 2. For enterprise environments, deploy through WSUS, Microsoft Endpoint Configuration Manager, or Intune. 3. Restart affected systems to complete the patch installation.

🔧 Temporary Workarounds

Restrict local access

windows

Limit who has local login rights to Windows systems through Group Policy or local security policy

Enable LSASS protection

windows

Enable Credential Guard and other LSASS protection features where supported

🧯 If You Can't Patch

Implement strict least privilege principles - ensure users only have necessary permissions
Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for the specific KB patch addressing CVE-2025-54894 or use Microsoft's Security Update Guide

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the patch KB number is installed via 'Get-Hotfix' in PowerShell or check Windows Update history

📡 Detection & Monitoring

Log Indicators:

Event ID 4688: A new process has been created (look for LSASS spawning unusual child processes)
Event ID 4672: Special privileges assigned to new logon
Unexpected LSASS crashes or memory access violations

Network Indicators:

Unusual authentication attempts from compromised systems
Lateral movement following local privilege escalation

SIEM Query:

source="windows" event_id=4688 OR event_id=4672 | where process_name="lsass.exe" OR parent_process_name="lsass.exe"

📊 Metadata

CVE ID: CVE-2025-54894

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.07% exploit probability (20th percentile)

Published: September 9, 2025

Last Updated: October 2, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54894 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local access

Enable LSASS protection

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities