
Regarding CVE-2025-0889

https://nvd.nist.gov/vuln/detail/CVE-2025-0889

A vulnerability has been discovered in Privilege Management for Windows that allows for a local authenticated attacker to elevate privileges.

Prior to 25.2, a local authenticated attacker can elevate privileges via the manipulation of COM objects under certain circumstances where an EPM policy allows for automatic privilege elevation of a user process.


Further details about this CVE can be found here:

https://www.beyondtrust.com/trust-center/security-advisories/bt25-01


There is also a Support KB, "How can the BT25-01 advisory for EPM-W be addressed?", here:
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0022083


Hi, what process and reg value changes should we be looking out for to monitor these reg hives? 


Hello @nova24, the hives to monitor are as follows:

HKEY_CURRENT_USER\Software\Classes\CLSID

HKEY_CLASSES_ROOT\CLSID

HKEY_CLASSES_ROOT\WOW6432Node\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID

As to processes, multiple tools such as command prompt, PowerShell and PowerShell ISE, Registry Editor, SetX, Reg, and WMIC can be used to modify them.
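As an added illustration (not part of this thread or of BeyondTrust's guidance), the following filter keeps only registry-modification events that touch the CLSID hives listed above and originate from the tools named above. It assumes Sysmon-style TargetObject paths, in which the current user's hive appears as HKU\<SID> and HKCU\Software\Classes as HKU\<SID>_Classes; the sample events and CLSIDs are constructed.

```python
import re
# CLSID hives named in the reply above.
MONITORED_CLSID_KEYS = (
    r"HKEY_CURRENT_USER\Software\Classes\CLSID",
    r"HKEY_CLASSES_ROOT\CLSID",
    r"HKEY_CLASSES_ROOT\WOW6432Node\CLSID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID",
)
# Tools the reply names as able to modify them (image file names, lower case).
WATCHED_IMAGES = {"cmd.exe", "powershell.exe", "powershell_ise.exe",
                  "regedit.exe", "setx.exe", "reg.exe", "wmic.exe"}
# Assumption: Sysmon-style TargetObject paths, where HKCU appears as HKU\<SID>
# and HKCU\Software\Classes as HKU\<SID>_Classes.
_HKU_RE = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+(_Classes)?(?=\\|$)", re.I)
_SHORT_HIVES = (("HKLM", "HKEY_LOCAL_MACHINE"), ("HKCR", "HKEY_CLASSES_ROOT"),
                ("HKCU", "HKEY_CURRENT_USER"))

def normalize_key(target_object: str) -> str:
    """Expand abbreviated hive prefixes so paths compare against MONITORED_CLSID_KEYS."""
    key = target_object.strip().rstrip("\\")
    m = _HKU_RE.match(key)
    if m:
        root = r"HKEY_CURRENT_USER\Software\Classes" if m.group(1) else "HKEY_CURRENT_USER"
        return root + key[m.end():]
    for short, full in _SHORT_HIVES:
        if re.match(rf"^{short}(?=\\|$)", key, re.I):
            return full + key[len(short):]
    return key

def is_monitored_key(target_object: str) -> bool:
    """True when the key is one of the listed CLSID hives or lies beneath one."""
    key = normalize_key(target_object).lower()
    return any(key == p.lower() or key.startswith(p.lower() + "\\")
               for p in MONITORED_CLSID_KEYS)

def filter_registry_events(events):
    """Keep events where a listed tool touched a listed hive ('image' = process path, 'target' = key path)."""
    return [ev for ev in events
            if ev["image"].rsplit("\\", 1)[-1].lower() in WATCHED_IMAGES
            and is_monitored_key(ev["target"])]

# Constructed sample events (Sysmon Event ID 12/13 fields, made-up CLSIDs), not real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe", "target": r"HKU\S-1-5-21-1111-2222-3333-1001_Classes\CLSID\{0000-0001}\InprocServer32\(Default)"},
    {"event_id": 12, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "target": r"HKLM\SOFTWARE\WOW6432Node\Classes\CLSID\{0000-0002}"},
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe", "target": r"HKLM\SOFTWARE\Classes\Interface\{0000-0003}"},
    {"event_id": 13, "image": r"C:\Program Files\Vendor\setup.exe", "target": r"HKLM\SOFTWARE\Classes\CLSID\{0000-0004}"},
]
```

Running `filter_registry_events(SAMPLE_EVENTS)` returns only the first two events: the Interface write is outside the listed hives, and the installer is not one of the named tools.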


Hi @PAC, these reg hives are too noisy to be monitored properly. Any advice on how to further narrow them down? We've already used the processes to focus on modifications; however, it's still too noisy.


Hi @nova24, if monitoring these hives is too noisy, then BeyondTrust would recommend using Group Policy to control who can modify them.

However, please remember that our primary recommendation regarding this CVE is to ensure that you are running EPM-W 25.2 or above on your endpoints.

