# Title: Microsoft Brokering File System Windows 11 Version 22H2 - Elevation of Privilege
# Author: nu11secur1ty
# Date: 07/09/2025
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/windows/windows-11?r=1
# Reference: https://portswigger.net/web-security/access-control
# CVE-2025-49677
## Description
This Proof of Concept (PoC) demonstrates an interactive SYSTEM shell exploit for CVE-2025-49677.
It leverages scheduled tasks and a looping batch script running as SYSTEM to execute arbitrary commands with NT AUTHORITY\SYSTEM privileges and interactively returns command output.
# [more](https://github.com/advisories/GHSA-69q2-qmcc-6rh3)
# [Reference](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49677)
## Usage
1. Run the Python script as Administrator on the vulnerable Windows machine.
2. The script creates a scheduled task that runs a batch script as the SYSTEM user.
3. You get an interactive prompt (`SYSTEM>`) in your Python console.
4. Type any Windows command (e.g. `whoami`, `dir`, `net user`) and see the SYSTEM-level output.
5. Type `exit` to quit and clean up all temporary files and scheduled tasks.
## Files
- `PoC.py`: Python script implementing the exploit and interactive shell.
- `README.md`: This readme file.
## Requirements
- Python 3.x installed on Windows.
- Run the script with Administrator privileges.
- The script uses built-in Windows commands (schtasks, cmd.exe, timeout).
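
For defenders, the behaviour described above (a scheduled task created to run a batch script as SYSTEM, then removed on exit) is visible in process-creation telemetry such as Security event 4688 with command-line auditing or Sysmon Event ID 1. The following is an added detection sketch, not part of `PoC.py` or the author's repository; the sample command lines, task names and paths are constructed, and the heuristics are assumptions based only on this README.

```python
import re

# Values of /ru that mean "run as SYSTEM".
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}
# Assumed heuristic: the task action is a batch script or a cmd.exe invocation.
SCRIPT_ACTION = re.compile(r"\.(bat|cmd)\b|\bcmd(\.exe)?\b", re.IGNORECASE)

def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line, else None."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)  # keep quoted values whole
    if not tokens:
        return None
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe"):
        return None
    switches = {}
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            switches[tok.lower()] = "" if nxt.startswith("/") else nxt.strip('"')
    return switches

def find_system_script_tasks(cmdlines):
    """Flag tasks created to run a script as SYSTEM; note later deletion."""
    findings = {}
    for line in cmdlines:
        sw = parse_schtasks(line)
        if sw is None:
            continue
        name = sw.get("/tn", "").lower()
        as_system = sw.get("/ru", "").lower() in SYSTEM_ACCOUNTS
        if "/create" in sw and as_system and SCRIPT_ACTION.search(sw.get("/tr", "")):
            findings[name] = {"task": sw["/tn"], "action": sw["/tr"], "deleted_later": False}
        elif "/delete" in sw and name in findings:
            findings[name]["deleted_later"] = True  # short-lived task: cleanup seen
    return list(findings.values())

# Constructed sample command lines (not taken from the PoC).
SAMPLE = [
    r'schtasks /create /tn "DemoTask" /tr "cmd.exe /c C:\Users\Public\loop.bat" /sc once /st 00:00 /ru SYSTEM /f',
    r'schtasks /run /tn "DemoTask"',
    r'C:\Windows\System32\schtasks.exe /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily /ru "NT AUTHORITY\SYSTEM"',
    r'schtasks /create /tn "UserJob" /tr "C:\Jobs\report.bat" /sc daily /ru CONTOSO\alice',
    r'schtasks /delete /tn "DemoTask" /f',
]

if __name__ == "__main__":
    for finding in find_system_script_tasks(SAMPLE):
        print(finding)
```

A task that is created as SYSTEM with a script action and deleted shortly afterwards is the higher-confidence signal; legitimate SYSTEM tasks that launch signed executables are not flagged.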
## Disclaimer
Use this PoC only in authorized environments for testing and research purposes.
Disclose responsibly. The author and nu11secur1ty are not responsible for misuse.
---
# Video:
[href](https://www.youtube.com/watch?v=b_TrOtCKPkg)
# Source:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49677)
# Time spent:
05:35:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>