Microsoft Defender Vulnerability Allows Attackers to Elevate Privileges

Posted on May 14, 2025May 14, 2025 By CWS

A newly disclosed security flaw in Microsoft Defender for Endpoint could allow attackers with local access to elevate their privileges to SYSTEM level, potentially gaining full control over affected systems.

The vulnerability, tracked as CVE-2025-26684, was patched as part of Microsoft's May 2025 Patch Tuesday security updates released yesterday.

Security researchers identified the vulnerability as an "external control of file name or path" weakness in Microsoft Defender for Endpoint that could be exploited by an authorized attacker to elevate privileges locally.

The vulnerability received a CVSS score of 6.7 out of 10, classifying it as "Important" severity rather than "Critical."

Technical Details of CVE-2025-26684

According to the official Microsoft Security Response Center advisory, an attacker who successfully exploits this vulnerability could gain SYSTEM privileges, essentially giving them full control over the compromised system.

This level of access would allow malicious actors to install programs, modify or delete data, and create accounts with full administrative rights.

"The vulnerability stems from improper validation of user-supplied input when handling file paths in Microsoft Defender for Endpoint," explains cybersecurity expert Rich Mirch from Stratascale, one of the researchers credited with discovering the flaw.

"When exploited, it allows attackers to manipulate file operations to access restricted system resources."

The vulnerability specifically affects Microsoft Defender for Endpoint for Linux versions prior to 101.25XXX.

Organizations running this security solution should ensure they apply the latest security update immediately.

Microsoft has rated the exploitability assessment as "Exploitation Unlikely," indicating that while the vulnerability is significant, the company believes the likelihood of widespread exploitation is relatively low.

The company also confirmed that there is no evidence that this vulnerability was publicly disclosed or exploited in the wild prior to the patch release.

The vulnerability was discovered through coordinated vulnerability disclosure, with credit given to security researchers astraleureka and Rich Mirch from Stratascale.

Risk Factors            Details
Affected Products       Microsoft Defender for Endpoint (Linux) versions prior to 101.25XXX
Impact                  Local privilege escalation to SYSTEM-level access
Exploit Prerequisites   Local access; high privileges (authorized user required)
CVSS 3.1 Score          6.7 (Important)

Patch Immediately

This vulnerability was one of 78 security flaws addressed in Microsoft's May 2025 Patch Tuesday.

Security administrators can verify that the update has been installed by running the MDE Client Analyzer on potentially affected devices.

According to Microsoft's advisory, "When running the analyzer on a Windows device that doesn't have the security update, the analyzer will present a warning (ID 121035) indicating missing patch and directing to relevant online articles."
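For the Linux agent the article names as affected, a quick inventory check is to compare the build reported by the mdatp CLI against the fixed build. The script below is an added example, not Microsoft's tooling or the article's own; it uses the real `mdatp health --field app_version` command, and its MIN_FIXED_VERSION value is a constructed placeholder because the article only gives the affected range as "prior to 101.25XXX".

```shell
#!/bin/sh
# Added example, not from the article: check whether the installed Microsoft
# Defender for Endpoint on Linux build is at or above the fixed build.
# The article only gives the affected range as "prior to 101.25XXX", so
# MIN_FIXED_VERSION below is a constructed PLACEHOLDER; replace it with the
# exact fixed build from Microsoft's CVE-2025-26684 advisory.
MIN_FIXED_VERSION="${MIN_FIXED_VERSION:-101.25.000}"

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing each
# numeric component in turn; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$ax" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bx" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ax="${ax:-0}"; bx="${bx:-0}"
        [ "$ax" -gt "$bx" ] && return 0
        [ "$ax" -lt "$bx" ] && return 1
    done
    return 0
}

# installed_mde_version: print the agent build reported by the mdatp CLI
# (real command: mdatp health --field app_version); fail if mdatp is absent.
installed_mde_version() {
    command -v mdatp >/dev/null 2>&1 || return 1
    mdatp health --field app_version 2>/dev/null | tr -d '"[:space:]'
}

# mde_patch_status VERSION: print "patched" or "vulnerable" for a given build.
mde_patch_status() {
    if version_ge "$1" "$MIN_FIXED_VERSION"; then echo patched; else echo vulnerable; fi
}

# Stand-alone use: report on this host, or fall back to a constructed sample
# build when mdatp is not installed (e.g. when run on a non-MDE machine).
if v="$(installed_mde_version)" && [ -n "$v" ]; then
    echo "mdatp build $v: $(mde_patch_status "$v")"
else
    echo "mdatp not found; sample build 101.24.100: $(mde_patch_status 101.24.100)"
fi
```

Run it on each Linux host (or feed the output of a fleet inventory into mde_patch_status) to list agents still below the fixed build.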

This flaw highlights the ongoing importance of promptly applying security patches, especially for security products that are designed to protect systems from other threats.

While Microsoft Defender is meant to serve as a defensive tool, vulnerabilities within security products themselves can create significant risk if exploited.

Organizations using Microsoft Defender for Endpoint should prioritize installing the latest security updates as part of their regular patch management cycles.

For environments where immediate patching isn't possible, security teams should implement additional monitoring for suspicious privilege escalation attempts and unusual system-level activity that could indicate exploitation attempts.
