
Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege

Date: 16 Jul 2025 00:00:00
Reported by: nu11secur1ty
Type: exploitdb
Source: www.exploit-db.com

Demonstrates an exploit for CVE-2025-49677 using a Python script on Windows 11 with SYSTEM access.

# Title: Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege
# Author: nu11secur1ty
# Date: 07/09/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/windows/windows-11?r=1
# Reference: https://portswigger.net/web-security/access-control
# CVE-2025-49677

## Description
This proof of concept (PoC) demonstrates an interactive SYSTEM shell
exploit for CVE-2025-49677.
It uses scheduled tasks and a looping batch script running as SYSTEM
to execute arbitrary commands with NT AUTHORITY\SYSTEM privileges, and
it returns the command output interactively.

# [more](https://github.com/advisories/GHSA-69q2-qmcc-6rh3)
# [Reference](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49677)

## Usage

1. Run the Python script as Administrator on the vulnerable Windows machine.
2. The script creates a scheduled task that runs a batch script as the
SYSTEM user.
3. You get an interactive prompt (`SYSTEM>`) in your Python console.
4. Type any Windows command (e.g. `whoami`, `dir`, `net user`) and see the
SYSTEM-level output.
5. Type `exit` to quit and clean up all temporary files and scheduled tasks.
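
For defenders, steps 1 and 2 leave a record: with "Audit Other Object Access Events" enabled, registering the task writes Security event 4698, whose `TaskContent` field holds the task XML. The check below is an added example, not part of the original PoC; the `assess_task` helper, the writable-path list and the sample events are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
# Assumption: path fragments that are usually writable without SYSTEM rights.
WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\", "%temp%")

def assess_task(event):
    """Return reasons why a 4698 event (dict) looks like a SYSTEM command runner."""
    xml_text = event["TaskContent"].lstrip()
    if xml_text.startswith("<?xml"):      # drop the declaration (often UTF-16)
        xml_text = xml_text.split("?>", 1)[1]
    root = ET.fromstring(xml_text)
    users = {(e.text or "").strip().lower()
             for e in root.findall(".//t:Principal/t:UserId", NS)}
    if not users & SYSTEM_IDS:
        return []                         # task does not run as SYSTEM
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"').lower()
        line = cmd + " " + ex.findtext("t:Arguments", "", NS).lower()
        if cmd.endswith(("cmd.exe", "cmd", ".bat")):
            reasons.append("SYSTEM task runs a command interpreter or batch file")
        if any(p in line for p in WRITABLE):
            reasons.append("action references a user-writable path")
    if reasons and not event["SubjectUserName"].endswith("$"):
        reasons.append("registered by a user account, not the machine account")
    return reasons

def task_xml(user, command, arguments=""):
    """Build a minimal Task Scheduler XML document for the samples below."""
    return (f'<Task xmlns="{NS["t"]}"><Principals><Principal id="Author">'
            f'<UserId>{user}</UserId></Principal></Principals><Actions>'
            f'<Exec><Command>{command}</Command><Arguments>{arguments}'
            '</Arguments></Exec></Actions></Task>')

# Constructed sample events; field names follow Security event 4698.
EVENTS = [
    {"SubjectUserName": "alice", "TaskName": "\\sample_runner",
     "TaskContent": '<?xml version="1.0" encoding="UTF-16"?>' + task_xml(
         "S-1-5-18", "cmd.exe", "/c C:\\Users\\alice\\AppData\\Local\\Temp\\loop.bat")},
    {"SubjectUserName": "WS01$", "TaskName": "\\Vendor\\Updater",
     "TaskContent": task_xml("S-1-5-18", "C:\\Program Files\\Vendor\\updater.exe")},
    {"SubjectUserName": "alice", "TaskName": "\\Backup",
     "TaskContent": task_xml("alice", "C:\\Users\\alice\\backup.bat")},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["TaskName"], assess_task(ev))
```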

## Files

- `PoC.py`: Python script implementing the exploit and interactive shell.
- `README.md`: This readme file.

## Requirements

- Python 3.x installed on Windows.
- Run the script with Administrator privileges.
- The script uses built-in Windows commands (`schtasks`, `cmd.exe`, `timeout`).

## Disclaimer

Use this PoC only in authorized environments for testing and research
purposes.
Disclose responsibly. The author and nu11secur1ty are not responsible for
misuse.

---

# Video:
[href](https://www.youtube.com/watch?v=b_TrOtCKPkg)

# Source:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49677)


# Time spent:
05:35:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
                          nu11secur1ty <http://nu11secur1ty.com/>


Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 7
EPSS: 0.02888