BeyondTrust Privilege Management for Windows: Two High-Severity Flaws Allow Local Privilege Escalation

BeyondTrust, a global leader in intelligent identity and access security, has issued two advisories addressing two local privilege escalation vulnerabilities in its Privilege Management for Windows product. These vulnerabilities, identified as CVE-2025-2297 and CVE-2025-6250, have been fixed in version 25.4.270.0, and customers are urged to update immediately.

CVE-2025-2297: Local Elevation via User Profile Manipulation

This vulnerability, rated CVSS 7.2, allows a local authenticated attacker to escalate their privileges by tampering with user profile files.

“A local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions,” the advisory explains.

This manipulation enables attackers to inject unauthorized “challenge response” entries into the Windows registry, granting them administrator privileges if the system is configured to auto-approve such challenges.

Mitigation Guidance (Pre-25.4.270.0):

• Avoid using “forever” challenge response auto-elevation permissions.
• Monitor registry entries at:
  Pastacode

  Provider: Write code
  Syntax: HTML

  HKEY_USERS\[sid]\Software\Avecto\Privilege Guard Client\ChallengeResponseCache\[sha256sum]

• Adjust the Endpoint Privilege Management (EPM) policy to limit or disable such entries unless they are strictly required for business operations.

CVE-2025-6250: Anti-Tamper Bypass via WMIC Exploit

Rated CVSS 7.1, this second vulnerability lets attackers with elevated privileges bypass anti-tamper mechanisms by exploiting the WMIC utility (wmic.exe).

“When wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections,” the advisory writes.

Once the Defendpoint service is disabled, the attacker can add themselves to the Administrators group and execute any process with elevated permissions—effectively disabling endpoint protections.

Mitigation Recommendations (Pre-25.4.270.0):

Admins can prevent or limit WMIC abuse with two approaches:

• Block Execution:
  • Application block rule properties:
    • Publisher: Microsoft Windows
    • Product Description: WMI Commandline Utility
    • Child Processes: Off
• Gated/Limited Access:
  • Application executable rule:
    • File Name: wmic.exe
    • Publisher: Microsoft Windows
    • Product Description: WMI Commandline Utility
    • Child Processes: Off

If you’re encountering issues with domain account authentication after upgrading, BeyondTrust recommends updating to 25.4.270.0 or newer, as known issues have been addressed in this release.

Related Posts:

• Unauthenticated RCE in BeyondTrust Tools: Chat Feature Opens Door to Server Takeover
• BeyondTrust Privilege Management for Windows Vulnerability Allows Local Privilege Escalation
• CISA Warns of Active Exploitation of Critical Flaws in BeyondTrust and Qlik Sense
• BeyondTrust PRA Vulnerability (CVE-2025-0217) Enables Session Hijacking via Authentication Bypass
• Search Engine Manipulation Leads to Backdoored App Downloads