CVE-2025-26684
published 2025-05-13
CVE-2025-26684: External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
Priority P431 · medium · 6.7 · CVSS 3.1
AV:L · AC:L · PR:H · UI:N · S:U · C:H · I:H · A:H
EPSS: 0.36% (28.4th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | defender_for_endpoint | < 101.25032.0008 | 101.25032.0008 |
| microsoft | microsoft_defender_for_endpoint_for_linux | >= 101.0.0 < 101.25032.0010 | 101.25032.0010 |
| msrc | microsoft_defender_for_endpoint_for_linux | — | — |
CVSS provenance
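| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vendor_msrc | — | 6.7 | MEDIUM | — |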
GHSA
GHSA-xrjq-mmx8-72h6: External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally
ghsa_unreviewed·2025-05-13
CVE-2025-26684 [MEDIUM] CWE-610 GHSA-xrjq-mmx8-72h6: External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally
Microsoft
Microsoft Defender Elevation of Privilege Vulnerability
vendor_msrc·2025-05-13·CVSS 6.7
CVE-2025-26684 [MEDIUM] CWE-73 Microsoft Defender Elevation of Privilege Vulnerability
Description: External control of file name or path in Microsoft Defender for Endpoint allows an authorized attacker to elevate privileges locally.
FAQ: How can I verify that the update is installed?
Customers wanting to ensure the client has been updated can run the MDE Client Analyzer on the device. When running the analyzer on a Windows device that does not have the security update, the analyzer will present a warning (ID 121035) indicating missing patch and directing to relevant online article. Additionally, if the update is installed, but the Anti-Spoofing capability is not in a stable state, the analyzer will present warning (ID 121036) indicating an issue and providing additional online guidance or callout to reach out to Micr
No detection rules found.
No public exploits indexed.
Published: 2025-05-13