Windows 11 Escalation Vulnerability Let Attackers Gain Admin Access Within 300 Milliseconds

A critical vulnerability in Windows 11 allowed attackers to escalate from a low-privileged user to full system administrator rights in just 300 milliseconds. 

The vulnerability, tracked as CVE-2025-24076, exploits a weakness in Windows 11’s “Mobile devices” feature through a sophisticated DLL hijacking technique.

The security flaw, discovered in September 2024 and publicly disclosed on April 15, 2025, targets a DLL file loaded by Windows 11’s camera functionality. 

Researchers found that the file CrossDevice.Streaming.Source.dll, located in the user-modifiable %PROGRAMDATA%\CrossDevice directory, is loaded first by a regular user process and then by a high-privileged system process.

“This vulnerability represents a classic DLL hijacking scenario with a challenging timing element,” John Ostrowski of Compass Security said to Cyber Security News. “The window of opportunity is incredibly small, just 300 milliseconds, but we developed techniques to make exploitation reliable.”

Windows 11 Privilege Escalation Vulnerability

The exploitation involves multiple technical challenges. Initial automated scans using the PrivescCheck tool revealed that unprivileged users had modification rights to the COM server module file:

To overcome the narrow time window, researchers employed Opportunistic Locks to halt program execution at the precise moment needed. 

Using Microsoft’s Detours library, they intercepted Windows API calls, specifically GetFileVersionInfoExW, to identify when the file could be replaced reliably.

The researchers created a malicious DLL that maintains the expected functionality while adding unauthorized commands:

This code executes with SYSTEM privileges when loaded by the high-privileged process. To ensure the replaced DLL maintained functionality, researchers implemented a proxy that forwards function calls to the original DLL:

Mitigations

The vulnerability affects Windows 11 systems with the “Mobile devices” feature, which allows users to link their phones to use the phone’s camera as a webcam. Microsoft released a patch in their March 2025 security updates.

This discovery highlights the importance of tight file access controls and signature verification in privileged processes. 
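
A defender-side audit for the condition described above, added here as an example (it is not code from the article, the researchers or Microsoft): it reports DLLs under the CrossDevice directory, and the directory itself, that low-privileged principals can modify, together with each DLL's Authenticode status. The function name and the list of SIDs treated as low-privileged are assumptions of this example.

```powershell
# Added example, not from the article. Flags allow-ACEs that let common
# low-privileged principals modify or replace DLLs loaded from a directory.
function Get-DllWriteExposure {
    param([string]$Path = (Join-Path $env:ProgramData 'CrossDevice'))

    # Assumption: Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
    # Specific rights that permit changing or replacing file content
    $writeRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $genericBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Check the directory too: create/delete rights there allow a file swap
    $items  = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    $items += Get-ChildItem -LiteralPath $Path -Recurse -Filter *.dll -File -ErrorAction SilentlyContinue

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        $sig = if ($item.PSIsContainer) { $null }
               else { (Get-AuthenticodeSignature -LiteralPath $item.FullName).Status }

        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($rule.PropagationFlags -band $inheritOnly) { continue }  # not applied to this object
            if ($lowPrivSids -notcontains $rule.IdentityReference.Value) { continue }

            $raw = [int]$rule.FileSystemRights
            if (($raw -band $writeRights) -or ($raw -band $genericBits)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                    Signature = $sig   # Valid, NotSigned, HashMismatch, ...
                }
            }
        }
    }
}

# Deny ACEs are not evaluated here, so treat every row as a lead to verify.
Get-DllWriteExposure | Format-Table -AutoSize
```

Pass `-Path` to point the same check at any other directory from which a privileged process loads modules.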

Endpoint Detection and Response (EDR) solutions could detect such attacks through behavioral monitoring, even before patches are available.

“While keeping your system up to date is crucial, there are additional steps you can take to safeguard your machine,” researchers said. “By using an EDR solution, you can proactively detect unusual behavior and identify irregular activity.”

Microsoft has assigned CVE-2025-24076 to the primary system-level privilege escalation and CVE-2025-24994 to a related user-to-user attack vector within the same functionality. 

Users are strongly encouraged to apply the latest Windows security updates to mitigate these vulnerabilities.

The exploit demonstrates how new features in even modern operating systems can be vulnerable to long-established attack techniques, especially when skilled attackers leverage timing and race conditions.

The post Windows 11 Escalation Vulnerability Let Attackers Gain Admin Access Within 300 Milliseconds appeared first on Cyber Security News.

rssfeeds-admin
