CVE-2025-21293

HIGH

Windows 10 1507-24H2 and Windows Server 2012-2016 - Active Directory Domain Services Elevation of Privilege

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-21293. PoCs published by ahmedumarehman, scriptjunkie, Spencer McIntyre, itm4n, including Metasploit module exploits/windows/local/service_permissions.

Description

Active Directory Domain Services Elevation of Privilege Vulnerability

Exploits (2)

nomisec · WRITEUP · 1 star
by ahmedumarehman · poc
https://github.com/ahmedumarehman/CVE-2025-21293

This repository contains a README describing CVE-2025-21293, an elevation of privilege vulnerability in Active Directory Domain Services affecting Windows 10, 11, and Server. The vulnerability allows 'Network Configuration Operators' to execute code with SYSTEM privileges via Windows Performance Counters.

Classification: Writeup 90%
Attack Type: LPE
Complexity: Moderate
Reliability: Theoretical
Target: Active Directory Domain Services on Windows 10, 11, and Server
Auth required
Prerequisites: Network Configuration Operators group membership · Access to Windows Performance Counters
devstral-2 · analyzed Feb 16, 2026
metasploit · WORKING POC · GREAT
by scriptjunkie, Spencer McIntyre, itm4n · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/service_permissions.rb

This Metasploit module exploits weak service permissions in Windows to escalate privileges to SYSTEM by either creating a new service, modifying an existing service's configuration, or hijacking a service's executable or registry permissions. It includes multiple techniques such as service creation, file permission manipulation, and registry key modification to achieve local privilege escalation.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows (various versions)
Auth required
Prerequisites: Administrative privileges · Weak service permissions
devstral-2 · analyzed Feb 19, 2026

References (1)

Core References
Patch, Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21293

Scores

CVSS v3 8.8
EPSS 0.1819
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-284
Status published
Products (36)
Microsoft/Windows 10 Version 1507 10.0.10240.0 - 10.0.10240.20890
Microsoft/Windows 10 Version 1607 10.0.14393.0 - 10.0.14393.7699
Microsoft/Windows 10 Version 1809 10.0.17763.0 - 10.0.17763.6775
Microsoft/Windows 10 Version 21H2 10.0.19044.0 - 10.0.19044.5371
Microsoft/Windows 10 Version 22H2 10.0.19045.0 - 10.0.19045.5371
Microsoft/Windows 11 version 22H2 10.0.22621.0 - 10.0.22621.4751
Microsoft/Windows 11 version 22H3 10.0.22631.0 - 10.0.22631.4751
Microsoft/Windows 11 Version 23H2 10.0.22631.0 - 10.0.22631.4751
Microsoft/Windows 11 Version 24H2 10.0.26100.0 - 10.0.26100.6584
Microsoft/Windows Server 2012 6.2.9200.0 - 6.2.9200.25273
... and 26 more
Published Jan 14, 2025
Tracked Since Feb 18, 2026