CVE-2025-2297 HIGH

CVE-2025-2297: Privilege Management for Windows - Elevation of Privilege

Vendor: BeyondTrust
Product: Privilege Management for Windows
Weakness: CWE-268 (Privilege Chaining)
Published: July 28, 2025
Last update: July 28, 2025

CVSS base score (v4.0)

7.2/10 (High)
Attack vector: Local
Attack complexity: High
Attack requirements: Present
Privileges required: Low
User interaction: None
Confidentiality impact: High
Integrity impact: High
Availability impact: None

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Prior to version 25.4.270.0, a local authenticated attacker can, under certain conditions, manipulate user profile files to insert illegitimate challenge-response codes into the local user's registry hive. Any user able to edit their own user profile files can therefore elevate their privileges to administrator. The issue is addressed in version 25.4.270.0.

Key dates

Disclosure timeline

July 28, 2025: CVE published
July 28, 2025: Record updated