CVE-2025-2297

Published Jul 28, 2025

Last updated 7 months ago

CVSS high 7.2

Beyondtrust

Overview

Description: Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions. This allows users with the ability to edit their user profile files to elevate their privileges to administrator.
Source: 13061848-ea10-403d-bd75-c83a022c2891
NVD status: Analyzed
Products: privilege_management_for_windows

Risk scores

CVSS 4.0

Type: Secondary
Base score: 7.2
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Primary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

13061848-ea10-403d-bd75-c83a022c2891: CWE-268

Hype score: Not currently trending

CVE-2025-2297 Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry … https://t.co/U1UaB8jdcl
@CVEnew
28 Jul 2025
222 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:beyondtrust:privilege_management_for_windows:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "CACA5CC9-5E12-47FC-B648-72565C004484",
            "versionEndExcluding": "25.4.270",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 4.0

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References