CVE Alert: CVE-2025-50174 – Microsoft – Windows 11 Version 25H2
CVE-2025-50174
Use after free in Windows Device Association Broker service allows an authorized attacker to elevate privileges locally.
AI Summary Analysis
Risk verdict
High risk of local privilege escalation, with potential for full system compromise, on affected Windows 11 25H2 and Windows Server 2025 deployments. Urgency depends on exploitation in the wild, which this page does not confirm.
Why this matters
An attacker who already has local access can exploit a use-after-free in the Device Association Broker service to elevate privileges. This could enable persistence, access to restricted data, and broader host compromise, undermining endpoint security controls and facilitating lateral movement within the network.
Most likely attack path
An attacker who can already run code on the host as a low-privileged user (Privileges Required: Low, no user interaction) triggers the use-after-free in the Device Association Broker service. Because the service runs with more privilege than the caller, a successful exploit yields higher rights on the same host (Scope: Unchanged), potentially code execution as SYSTEM, and from there a foothold for further on-host activity.
Who is most exposed
Any device running an affected Windows 11 or Windows Server 2025 build, including Server Core and ARM64 variants, is at risk. Exposure is greatest in enterprises where ordinary users (or malware running as them) can execute code on unpatched endpoints and servers, because low-privilege local code execution is all the vulnerability requires.
Detection ideas
- Unusual activity tied to the Device Association Broker service, such as unexpected child processes of its service host or the service starting outside its normal pattern.
- Creation of SYSTEM or other high-privilege processes by a low-privilege account (for example, a process-creation event whose creating subject is a standard user but whose new process runs as SYSTEM).
- Unexpected crashes, Windows Error Reporting entries, or memory dumps attributed to the broker's service host; a use-after-free that is not triggered reliably often crashes the target before it works.
- Spikes in event log entries for local authorization failures or anomalous access to the service.
- Memory-corruption or exploit-protection alerts raised by EDR telemetry while the service is running.
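The hunting logic behind the second and third indicators, written as an added example that is not part of the original advisory. It runs over constructed sample events so it works offline in pwsh; the assumptions are that the broker runs inside a generic service host image (svchost.exe) and that the field names are those of Security 4688 (process creation) and Application Error 1000 records once flattened. The ConvertFrom-WinEventData helper turns live Get-WinEvent records into that shape.

```powershell
# Added example (not from the original advisory): hunting logic for the detection
# ideas above, run over constructed sample events so it executes offline.
# Assumptions: the broker's host image is 'svchost.exe'; field names follow
# Security 4688 / Application 1000 records after flattening.

# Constructed sample events (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ Id = 4688; Log = 'Security'
        SubjectUserSid = 'S-1-5-21-1000-1000-1000-1105'; TargetUserSid = 'S-1-5-21-1000-1000-1000-1105'
        NewProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Id = 4688; Log = 'Security'
        SubjectUserSid = 'S-1-5-18'; TargetUserSid = 'S-1-5-18'
        NewProcessName = 'C:\Windows\System32\svchost.exe'; ParentProcessName = 'C:\Windows\System32\services.exe' }
    # Low-privileged subject creating a SYSTEM process: the pattern to alert on.
    [pscustomobject]@{ Id = 4688; Log = 'Security'
        SubjectUserSid = 'S-1-5-21-1000-1000-1000-1105'; TargetUserSid = 'S-1-5-18'
        NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\System32\svchost.exe' }
    # Service host crash with heap corruption: what a failed UAF trigger leaves behind.
    [pscustomobject]@{ Id = 1000; Log = 'Application'
        FaultingApplication = 'svchost.exe'; FaultingModule = 'ntdll.dll'; ExceptionCode = '0xc0000374' }
)

function Find-PrivilegeJump {
    # A 4688 whose creating subject is an ordinary account but whose new process
    # runs as SYSTEM. Legitimate SYSTEM processes are created by SYSTEM itself
    # (services.exe, the task scheduler); UAC elevation yields the user's own
    # admin token, not S-1-5-18. Anything else deserves a look.
    param([Parameter(Mandatory)][object[]]$Events)
    $serviceSids = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'
    $Events | Where-Object {
        $_.Id -eq 4688 -and
        $serviceSids -notcontains $_.SubjectUserSid -and
        $_.TargetUserSid -eq 'S-1-5-18'
    }
}

function Find-ServiceHostCrash {
    # Heap corruption (c0000374) and access violations (c0000005) in a service host
    # are the crash artifacts to pivot on; the faulting module narrows the component.
    param([Parameter(Mandatory)][object[]]$Events)
    $codes = 'c0000374', 'c0000005'
    $Events | Where-Object {
        $_.Id -eq 1000 -and
        $_.FaultingApplication -eq 'svchost.exe' -and
        $codes -contains ($_.ExceptionCode -replace '^0x', '')
    }
}

function ConvertFrom-WinEventData {
    # Flattens a live Get-WinEvent record into the shape used above. 4688 carries
    # named <Data> fields; Application Error 1000 is positional (0 = faulting app,
    # 3 = faulting module, 6 = exception code), so both cases are handled.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $o = [ordered]@{ Id = $Event.Id; Log = $Event.LogName }
        $data = @($x.Event.EventData.Data)
        if ($Event.Id -eq 1000) {
            $o.FaultingApplication = $data[0]
            $o.FaultingModule      = $data[3]
            $o.ExceptionCode       = $data[6]
        } else {
            foreach ($d in $data) { $o[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$o
    }
}

# Run over the constructed samples. On a live host (elevated session, 4688 auditing enabled):
#   Find-PrivilegeJump -Events (Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688 } | ConvertFrom-WinEventData)
Find-PrivilegeJump   -Events $SampleEvents | Format-Table Id, SubjectUserSid, TargetUserSid, NewProcessName, ParentProcessName
Find-ServiceHostCrash -Events $SampleEvents | Format-Table Id, FaultingApplication, FaultingModule, ExceptionCode
```

On the samples, the first query returns only the cmd.exe creation (standard-user subject, SYSTEM target) and the second only the heap-corruption crash. The privilege-jump rule will also fire on some legitimate elevation paths in a given environment; baseline it against the parent process name before alerting on it.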
Mitigation and prioritisation
- Apply the latest Windows updates for the affected builds; treat as priority 1 if the CVE is added to CISA KEV or its EPSS score indicates likely exploitation.
- Enforce least privilege: remove unnecessary local admin rights and implement strong application control, which raises the cost of obtaining the low-privilege code execution this exploit needs.
- Enable or strengthen endpoint detection, attack surface reduction (ASR) rules, and EDR monitoring for privilege-escalation indicators.
- Harden service permissions and review who can reach the Device Association Broker service; consider temporarily disabling it only where the loss of its functionality is acceptable.
- Roll the patch out in a controlled window and verify remediation (OS build at or above the fixed build) before broad deployment.
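A remediation check for the steps above, as an added example that is not part of the original advisory. The KB identifier and minimum fixed build are placeholders to be filled in from the MSRC entry for CVE-2025-50174, and the service-name prefix 'DeviceAssociation*' is an assumption about how the broker is registered, so adjust it after inspecting Get-Service output on a reference host.

```powershell
# Added example (not from the original advisory): verify patch state and review the
# service on a host. Placeholders: RequiredKb and MinimumBuild must come from the
# MSRC entry for CVE-2025-50174. The 'DeviceAssociation*' name pattern is an assumption.

function Get-WindowsBuildString {
    # CurrentBuild plus UBR gives the full build (e.g. 26100.1234). Compare this,
    # not Get-HotFix alone: a later cumulative update supersedes the original KB,
    # and the older KB then no longer appears in the hotfix list.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
}

function Test-CvePatchState {
    param(
        [string[]]$RequiredKb  = @('KB0000000'),    # placeholder: the LCU KB from the advisory
        [version]$MinimumBuild = [version]'0.0'     # placeholder: fixed build, e.g. [version]'26100.1234'
    )
    if ($MinimumBuild -eq [version]'0.0') {
        Write-Warning 'MinimumBuild is a placeholder; take the fixed build from the MSRC advisory.'
    }
    $build     = [version](Get-WindowsBuildString)
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $missing   = @($RequiredKb | Where-Object { $installed -notcontains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $build
        MissingKb    = $missing                      # cross-check only, see note above
        Patched      = ($build -ge $MinimumBuild)    # the build comparison is authoritative
    }
}

function Get-DeviceAssociationServiceState {
    # Per-user services register as <name>_<hex>, so match on a prefix.
    Get-Service -Name 'DeviceAssociation*' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status, StartType
}

function Disable-DeviceAssociationServiceTemporarily {
    # Last-resort mitigation from the list above. Run with -WhatIf first; anything
    # that depends on the broker stops working while it is disabled. Needs admin.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($svc in Get-DeviceAssociationServiceState) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and set StartupType Disabled')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $svc.Name -StartupType Disabled
        }
    }
}

Test-CvePatchState
Get-DeviceAssociationServiceState | Format-Table -AutoSize
# Dry run of the disablement: Disable-DeviceAssociationServiceTemporarily -WhatIf
```

Run Test-CvePatchState with the real values, for example `Test-CvePatchState -RequiredKb 'KB...' -MinimumBuild '26100.xxxx'`, across the fleet (Invoke-Command works unchanged) and treat Patched = False as the list of hosts still exposed; the KB cross-check is informational because superseding cumulative updates hide earlier KBs.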