CVE Alert: CVE-2025-53802 – Microsoft – Windows Server 2022

CVE-2025-53802

Severity: HIGH
Exploitation: No exploitation known

Use after free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.

CVSS v3.1 score: 7
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
CWE: CWE-416: Use After Free
Vendor: Microsoft
Published: 2025-09-09T17:01:12.213Z
Updated: 2025-09-09T19:23:27.384Z

Affected products and versions (affected builds run from the first listed build up to, but not including, the second):

  • Windows Server 2022: 10.0.20348.0 lt 10.0.20348.4171
  • Windows 10 Version 21H2: 10.0.19044.0 lt 10.0.19044.6332
  • Windows 11 version 22H2: 10.0.22621.0 lt 10.0.22621.5909
  • Windows 10 Version 22H2: 10.0.19045.0 lt 10.0.19045.6332
  • Windows Server 2025 (Server Core installation): 10.0.26100.0 lt 10.0.26100.6584
  • Windows 11 version 22H3: 10.0.22631.0 lt 10.0.22631.5909
  • Windows 11 Version 23H2: 10.0.22631.0 lt 10.0.22631.5909
  • Windows Server 2022, 23H2 Edition (Server Core installation): 10.0.25398.0 lt 10.0.25398.1849
  • Windows 11 Version 24H2: 10.0.26100.0 lt 10.0.26100.6584
  • Windows Server 2025: 10.0.26100.0 lt 10.0.26100.6584

AI Summary Analysis

Risk verdict

High risk of local privilege escalation via the Bluetooth service; exploitation status appears unproven and there is no indication of active exploitation in the wild.

Why this matters

An attacker with a low-privilege account could elevate to higher rights on the same host, potentially bypassing controls and accessing sensitive data or enabling persistence. With multiple Windows editions and device types affected, the potential footprint covers many endpoints and could enable broader lateral movement if initial access is already established.

Most likely attack path

An attacker possessing a local, low-privilege foothold exploits a use-after-free flaw in the Bluetooth subsystem, with no user interaction required. A successful chain would yield higher privileges on the host (local access with elevated rights), though the scope remains limited to the compromised component. Remote exploitation is unlikely due to the local vector and required preconditions.

Who is most exposed

Endpoints with Bluetooth enabled—especially laptops, desktops, and mixed-use workstations across the fleet—are most at risk. Servers and headless devices with Bluetooth or Bluetooth-capable peripherals in use may also be affected, though exposure is lower where Bluetooth is disabled or tightly controlled.

Detection ideas

  • Look for elevated-privilege process creation originating from the Bluetooth subsystem (unexpected 4688 events with Privileges: Elevated).
  • Monitor for privilege-escalation events (e.g., 4624/4672) linked to Bluetooth services or related processes.
  • Detect crashes or memory-corruption indicators (BSODs, memory dump generation) tied to Bluetooth components.
  • Unusual (non-admin) initial access attempts followed by rapid privilege jumps on endpoints.
  • Security or EDR alerts when Bluetooth services spawn high-privilege child processes.

Mitigation and prioritisation

  • Apply the vendor-provided patch or cumulative update that fixes the Bluetooth use-after-free issue as a priority when released.
  • If patching is delayed, disable Bluetooth on endpoints unless required; implement device policy to block Bluetooth on servers and high-risk workstations.
  • Enforce least privilege for Bluetooth-related services and restrict lateral movement with network segmentation and strict endpoint isolation.
  • Strengthen detection with targeted EDR rules for Bluetooth-service processes and privilege-escalation events.
  • Plan patch deployment in a controlled window; test in a pilot group before enterprise-wide rollout.
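An added triage check, written for this page and not part of the advisory or of any Microsoft tooling: it compares the host's build with the per-branch "lt" values from the Versions field above (assumed here to be the first unaffected build of each branch) and reports the state of the Bluetooth Support Service (bthserv), so endpoints can be prioritised for patching or for disabling Bluetooth.

```powershell
# Added example for CVE-2025-53802 (not from the advisory). Assumes the "lt"
# value of each branch in the Versions field is the first unaffected build.
function Test-Cve202553802Exposure {
    # First unaffected build per Windows build branch, from the Versions field.
    $firstUnaffected = @{
        '20348' = [version]'10.0.20348.4171'   # Windows Server 2022
        '19044' = [version]'10.0.19044.6332'   # Windows 10 21H2
        '19045' = [version]'10.0.19045.6332'   # Windows 10 22H2
        '22621' = [version]'10.0.22621.5909'   # Windows 11 22H2
        '22631' = [version]'10.0.22631.5909'   # Windows 11 22H3 / 23H2
        '25398' = [version]'10.0.25398.1849'   # Windows Server 2022, 23H2 Edition
        '26100' = [version]'10.0.26100.6584'   # Windows 11 24H2 / Server 2025
    }

    # CurrentBuild and UBR together give the full 10.0.<build>.<revision> string.
    $nt      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $current = [version]"10.0.$($nt.CurrentBuild).$($nt.UBR)"
    $fixed   = $firstUnaffected[$nt.CurrentBuild]

    if ($null -eq $fixed) {
        $state = 'NotInAffectedList'   # branch not named in the advisory
    } elseif ($current -lt $fixed) {
        $state = 'Vulnerable'          # below the first unaffected build
    } else {
        $state = 'Patched'
    }

    # Bluetooth Support Service: hosts still running it are where
    # "disable Bluetooth unless required" applies first.
    $svc = Get-Service -Name bthserv -ErrorAction SilentlyContinue
    $btStatus = if ($null -eq $svc) { 'NotInstalled' } else { "$($svc.Status)/$($svc.StartType)" }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Build          = $current
        FirstUnaffected = $fixed
        State          = $state
        BluetoothSvc   = $btStatus
    }
}

Test-Cve202553802Exposure | Format-List
```

Run with Invoke-Command across a fleet and filter on State -eq 'Vulnerable' and BluetoothSvc starting with 'Running' to get the hosts to handle first.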
