
BT25-01 advisory for EPM for Windows

  • February 28, 2025
  • 4 replies
  • 178 views

  • BeyondTrust Employee

Regarding CVE-2025-0889

https://nvd.nist.gov/vuln/detail/CVE-2025-0889

A vulnerability has been discovered in Privilege Management for Windows that allows for a local authenticated attacker to elevate privileges.

Prior to 25.2, a local authenticated attacker can elevate privileges via the manipulation of COM objects under certain circumstances where an EPM policy allows for automatic privilege elevation of a user process.

Further details about this CVE can be found here:

https://www.beyondtrust.com/trust-center/security-advisories/bt25-01

There is also a Support KB, "How can the BT25-01 advisory for EPM-W be addressed?", here:
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0022083

4 replies

  • Apprentice
  • March 4, 2025

Hi, what process and reg value changes should we be looking out for to monitor these reg hives? 


  • Author
  • BeyondTrust Employee
  • March 5, 2025

Hello @nova24, the hives to monitor are as follows:

HKEY_CURRENT_USER\Software\Classes\CLSID

HKEY_CLASSES_ROOT\CLSID

HKEY_CLASSES_ROOT\WOW6432Node\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID

As to processes, multiple tools such as command prompt, PowerShell and PowerShell ISE, Registry Editor, SetX, Reg, and WMIC can be used to modify them.


  • Apprentice
  • March 5, 2025

Hi @PAC, these reg hives are too noisy to be monitored properly. Any advice on how to further narrow them down? We've already used the processes to focus on modifications; however, it's still too noisy.


  • Author
  • BeyondTrust Employee
  • March 7, 2025

Hi @nova24, if monitoring these hives is too noisy then BeyondTrust would recommend using Group Policy to control access to who can modify them.

However, please remember that our primary recommendation regarding this CVE is to ensure that you are running EPM-W 25.2 or above on your endpoints.
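The two BeyondTrust replies above name the five CLSID hives to watch, the tools that commonly write to them, and the problem that raw monitoring of those hives is too noisy. The PowerShell below is an added example, not BeyondTrust code and not from the advisory or KB: it triages Sysmon registry events (IDs 12 and 13) for writes under those hives and narrows them three ways: keep only writes to the subkeys that name a COM server binary (InprocServer32, LocalServer32, InprocHandler32, TreatAs), drop images on a locally maintained allowlist, and raise the severity when a user-hive CLSID shadows one that also exists in the machine hive, or when the writer is one of the tools named in the thread. It assumes Sysmon is installed with RegistryEvent enabled for these paths; the allowlist, the severity rules and the sample records are illustrative and constructed, and the CLSIDs in the samples are placeholders.

```powershell
# Added example (not BeyondTrust code). Triage Sysmon RegistryEvent records for writes under
# the CLSID hives named in the thread and narrow the noise.
# Assumptions (not from the page): Sysmon logs registry events for these paths; the allowlist,
# the server-subkey filter and the severity rules below are local tuning choices.

# Sysmon records HKEY_CURRENT_USER paths as HKU\<SID>\... and HKEY_CLASSES_ROOT paths under
# HKLM\SOFTWARE\Classes, so the five hives from the thread collapse to this pattern.
# Group 4 captures the CLSID GUID.
$ClsidKeyPattern = '^(HKU\\[^\\]+\\Software\\Classes\\CLSID|HKLM\\SOFTWARE\\(WOW6432Node\\)?Classes\\(WOW6432Node\\)?CLSID)\\(\{[0-9A-F-]{36}\})'

# Only subkeys that point at the COM server binary or redirect to another class; writes to
# other subkeys under a CLSID (ProgId, Version, ...) are far more common and less interesting.
$ServerSubkeyPattern = '\\(InprocServer32|LocalServer32|InprocHandler32|TreatAs)(\\|$)'

# Tools the BeyondTrust reply names as able to modify these keys.
$InteractiveTools = @('cmd.exe', 'powershell.exe', 'powershell_ise.exe', 'regedit.exe', 'setx.exe', 'reg.exe', 'wmic.exe')

# Constructed allowlist: images confirmed to register COM classes legitimately in your estate.
$AllowedImages = @('C:\Windows\System32\msiexec.exe')

function Test-ClsidWriteOfInterest {
    # $Record carries the Sysmon EventData fields: UtcTime, EventType, Image, ProcessId, TargetObject, Details.
    param([Parameter(Mandatory)][hashtable]$Record)

    if ($Record.TargetObject -notmatch $ClsidKeyPattern) { return $null }
    $clsid = $Matches[4]                                   # capture before the next -match overwrites $Matches
    if ($Record.TargetObject -notmatch $ServerSubkeyPattern) { return $null }
    if ($AllowedImages -contains $Record.Image) { return $null }

    $leaf     = [System.IO.Path]::GetFileName($Record.Image)
    $fromTool = $InteractiveTools -contains $leaf
    $userHive = $Record.TargetObject -like 'HKU\*'
    # A user-hive entry for a CLSID that is also registered machine-wide overrides the machine
    # registration for that user only; that is the pattern worth a closer look.
    $shadows  = $userHive -and (Test-Path -LiteralPath "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid")
    $severity = if ($shadows -or $fromTool) { 'High' } else { 'Medium' }

    [pscustomobject]@{
        UtcTime             = $Record.UtcTime
        Severity            = $severity
        Image               = $Record.Image
        ProcessId           = $Record.ProcessId
        Clsid               = $clsid
        Key                 = $Record.TargetObject
        Details             = $Record.Details
        UserHive            = $userHive
        ShadowsMachineClsid = $shadows
    }
}

function Get-ClsidWriteOfInterest {
    # Pull live Sysmon registry events (12 = key create/delete, 13 = value set) and triage them.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 12, 13; StartTime = $Since }
    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $xml = [xml]$evt.ToXml()
        $rec = @{}
        foreach ($d in $xml.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        Test-ClsidWriteOfInterest -Record $rec
    }
}

# Constructed sample records (not real telemetry) showing what the filter keeps and drops.
$samples = @(
    @{ UtcTime = '2025-03-05 10:00:01.000'; EventType = 'SetValue'; Image = 'C:\Windows\System32\reg.exe'; ProcessId = '4120'
       TargetObject = 'HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)'
       Details = 'C:\Users\alice\AppData\Local\Temp\example.dll' },       # kept: user hive, server subkey, named tool
    @{ UtcTime = '2025-03-05 10:00:02.000'; EventType = 'SetValue'; Image = 'C:\Windows\System32\msiexec.exe'; ProcessId = '880'
       TargetObject = 'HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)'
       Details = 'C:\Program Files\Vendor\vendor.dll' },                  # dropped: allowlisted installer
    @{ UtcTime = '2025-03-05 10:00:03.000'; EventType = 'SetValue'; Image = 'C:\Windows\explorer.exe'; ProcessId = '5012'
       TargetObject = 'HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\ProgId\(Default)'
       Details = 'Example.ProgId' }                                       # dropped: not a server subkey
)

$samples | ForEach-Object { Test-ClsidWriteOfInterest -Record $_ } |
    Format-Table UtcTime, Severity, Image, Clsid, ShadowsMachineClsid -AutoSize

# For live data: Get-ClsidWriteOfInterest -Since (Get-Date).AddDays(-7) | Export-Csv clsid-writes.csv -NoTypeInformation
```

Running the script as written only evaluates the three constructed samples; `Get-ClsidWriteOfInterest` is what you would schedule against the Sysmon log. The ordering of the filters is deliberate: the path and subkey tests are cheap string matches and discard most events, so the registry lookup behind `ShadowsMachineClsid` runs only for the few user-hive writes that survive. If the volume is still high after this, the remaining knob is the allowlist, which should be populated from images you have confirmed rather than by process name alone, since several of the tools the thread names live in System32.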