CVE-2025-24076

HIGH

Windows 11/Server 2022 Privilege Escalation via Cross Device Service

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-24076. PoCs published by Mohammed Idrees Banyamer, mbanyamer.

AI-analyzed exploit summary This exploit demonstrates a local privilege escalation (LPE) vulnerability in Microsoft Windows 11 and Server 2025 by replacing a writable DLL (CrossDevice.Streaming.Source.dll) with a malicious version. It requires user interaction to trigger the DLL load via Windows Settings.

Description

Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally.

Exploits (2)

exploitdb WORKING POC

by Mohammed Idrees Banyamer · pythonlocalwindows

https://www.exploit-db.com/exploits/52320

View Code ZIP pw:eip

This exploit demonstrates a local privilege escalation (LPE) vulnerability in Microsoft Windows 11 and Server 2025 by replacing a writable DLL (CrossDevice.Streaming.Source.dll) with a malicious version. It requires user interaction to trigger the DLL load via Windows Settings.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: Microsoft Windows 11 (24H2, 23H2, 22H2) and Windows Server 2025

Auth required

Prerequisites: Low-privileged local access · User interaction to open 'Mobile devices' Settings · gcc (MinGW) for DLL compilation

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 14 stars

by mbanyamer · poc

https://github.com/mbanyamer/CVE-2025-24076

View Code ZIP pw:eip

This is a Python-based exploit for CVE-2025-24076, targeting a DLL hijacking vulnerability in the Windows Cross Device Service to achieve local privilege escalation (LPE) to SYSTEM. The exploit compiles a malicious DLL, replaces the legitimate one, and triggers execution via user interaction.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Reliable

Target: Microsoft Windows Cross Device Service (Windows 11, Windows Server 2025, Windows Server 2022 23H2)

Auth required

Prerequisites: Low-privileged local access · User interaction to open 'Mobile devices' Settings page · gcc (MinGW) for DLL compilation

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24076

Scores

CVSS v3 7.3

EPSS 0.0279

EPSS Percentile 84.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-284

Status published

Products (5)

microsoft/windows_11_22h2 < 10.0.22621.5039

microsoft/windows_11_23h2 < 10.0.22631.5039

microsoft/windows_11_24h2 < 10.0.26100.3403

microsoft/windows_server_2022_23h2 < 10.0.25398.1486

microsoft/windows_server_2025 < 10.0.26100.3403

Published Mar 11, 2025

Tracked Since Feb 18, 2026