The SafeBreach Labs research team has pulled back the curtain on a significant security weakness in the Windows MS-EVEN RPC service, revealing how even low-privileged credentials can be used to compromise a system. The vulnerability, tracked as CVE-2025-29969, allows an attacker to remotely write arbitrary files to a target machine—effectively bypassing the standard protections and limitations of the default C$ share.
Perhaps most importantly for security teams, the researchers have publicly disclosed the full analysis and proof-of-concept (PoC) exploit code for this flaw, making the technical details available to both defenders and potential attackers.
The exploit, dubbed EventLogin, targets a classic time-of-check to time-of-use (TOCTOU) race condition. To successfully compromise a system, an attacker must “win” that race.
The attack works by abusing the MS-EVEN protocol—a service enabled by default on Windows 11 and Windows Server 2025. By exploiting this protocol, an actor with only low-privileged code execution can perform actions typically reserved for an Administrator account, such as writing files to restricted remote directories.
In a move to ensure transparency and aid remediation, SafeBreach Labs has published the EventLogin PoC code on GitHub. The repository contains two distinct scripts that demonstrate the vulnerability’s power:
- write_file_remotely.py: A script that weaponizes the vulnerability to place arbitrary files on a remote machine.
- A File-Check Primitive: A script used to verify whether a specific file exists on a remote machine. This is particularly dangerous for reconnaissance, as it allows a low-privileged user to map out the programs installed on other computers in a domain.
The vulnerability is effective in both workgroup and domain-based networks, though the implications for Active Directory environments are described as “pretty severe”. Because it facilitates Remote Code Execution (RCE) within a domain, it poses a direct threat to centralized identity and resource management.
While the public disclosure of the exploit code increases the risk of the flaw being exploited in the wild, Microsoft did issue a patch for this specific RCE vulnerability in May 2025.