A critical security vulnerability has been discovered in BeyondTrust’s Privilege Management for Windows software that enables local authenticated attackers to escalate their privileges to administrator level.
The vulnerability, assigned CVE-2025-2297 and carrying a CVSSv4 score of 7.2, affects all versions prior to 25.4.270.0 and has prompted an immediate security advisory from BeyondTrust on July 28, 2025.
The vulnerability stems from improper privilege management controls that allow local authenticated users to manipulate their user profile files under specific conditions.
Security researchers discovered that attackers can exploit this weakness to inject illegitimate challenge response codes into the Windows registry, specifically targeting the local user registry locations.
This manipulation occurs through the HKEY_USERS\[sid]\Software\Avecto\Privilege Guard Client\ChallengeResponseCache\[sha256sum] registry path, where malicious entries can be inserted.
The attack vector requires local access to the system and authenticated user credentials, but once these prerequisites are met, the exploitation process becomes relatively straightforward.
The vulnerability is particularly concerning because it affects the core privilege management functionality that organizations rely on to maintain security boundaries between standard users and administrative accounts.
The vulnerability represents a significant breakdown in the software’s primary security mission of preventing unauthorized privilege escalation.
BeyondTrust has classified this as a CWE-268 vulnerability, indicating issues with privilege management controls.
The attack complexity is rated as high, requiring specific conditions to be met, but the potential impact on confidentiality and integrity is severe, as successful exploitation grants full administrative access to affected systems.
Organizations using BeyondTrust Privilege Management for Windows face immediate security risks, as the vulnerability affects a fundamental security control mechanism.
The most significant concern involves environments where “forever” challenge response auto elevation permissions are configured, as these settings create persistent pathways for privilege escalation that attackers can exploit.
The vulnerability particularly threatens organizations that have implemented privilege management solutions to comply with zero-trust security models or regulatory requirements.
Since the affected software is commonly deployed in enterprise environments to manage administrative access, a successful exploitation could lead to widespread compromise of critical systems and sensitive data.
Threat actors with initial access to corporate networks could leverage this vulnerability to escalate privileges on multiple workstations and servers running the affected software.
The local authentication requirement means that attackers who have already gained user-level access through phishing, malware, or other attack vectors can potentially escalate to administrative privileges without requiring additional credentials or social engineering tactics.
BeyondTrust has released version 25.4.270.0 to address this vulnerability, and all cloud tenants have been automatically upgraded to version 25.4.
Organizations operating on-premises deployments must immediately prioritize updating to the fixed version to eliminate the security risk.
For organizations unable to immediately upgrade, BeyondTrust recommends implementing several critical mitigation strategies.
The most important step involves avoiding the use of “forever” challenge response auto elevation permissions, which create the conditions necessary for successful exploitation.
System administrators should conduct thorough audits of their current privilege management policies to identify and remove any “forever” challenge response entries.
Organizations should also implement enhanced monitoring of the specific registry locations where malicious entries can be inserted.
Regular audits of HKEY_USERS registry paths for unauthorized challenge response cache entries will help detect potential exploitation attempts.
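As an added example (not BeyondTrust's code and not part of the advisory), the following read-only PowerShell audit helper enumerates the per-user ChallengeResponseCache keys named above so that administrators can review what is cached for each loaded user hive. The function name, the two key spellings tried, and the check that entry names look like SHA-256 hashes are assumptions; it must run with rights to read other users' hives.

```powershell
# Added audit helper for CVE-2025-2297 mitigation monitoring. Read-only: it only
# lists ChallengeResponseCache entries per user SID under HKEY_USERS. Run elevated
# so that other users' loaded hives are readable. Value names inside each entry are
# not documented in the advisory, so they are dumped as-is for review.
function Get-PmfwChallengeResponseCache {
    [CmdletBinding()]
    param(
        # Relative key path from the advisory; both spellings seen in the text are tried.
        [string[]]$SubPaths = @(
            'Software\Avecto\Privilege Guard Client\ChallengeResponseCache',
            'Software\Avecto\PrivilegeGuardClient\ChallengeResponseCache'
        )
    )

    # Only loaded user hives appear under HKEY_USERS; skip the *_Classes aliases.
    $sidKeys = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }

    foreach ($sidKey in $sidKeys) {
        $sid = $sidKey.PSChildName
        $account = '<unresolved>'
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { }

        foreach ($rel in $SubPaths) {
            $cachePath = "Registry::HKEY_USERS\$sid\$rel"
            if (-not (Test-Path -Path $cachePath)) { continue }

            foreach ($entry in Get-ChildItem -Path $cachePath -ErrorAction SilentlyContinue) {
                $props  = Get-ItemProperty -Path $entry.PSPath
                $values = ($props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
                [pscustomobject]@{
                    Sid        = $sid
                    Account    = $account
                    Entry      = $entry.PSChildName
                    # Assumption: entry names are the [sha256sum] placeholders from the advisory.
                    NameIsHash = ($entry.PSChildName -match '^[0-9A-Fa-f]{64}$')
                    Values     = $values
                }
            }
        }
    }
}

# Usage: Get-PmfwChallengeResponseCache | Format-Table -AutoSize
```

Any cached entry for a user who was never issued a challenge/response code, or an entry whose name does not look like a hash, is worth comparing against the policy audit recommended above.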