CVE-2025-13905 Overview
CVE-2025-13905 is an Incorrect Default Permissions vulnerability (CWE-276) that enables local privilege escalation, for example through a modified service binary that launches a reverse shell. The vulnerability exists because of improperly configured file permissions in the installation folder, which allow a local user with normal privileges to modify one or more executable service binaries. When the service restarts, the modified binaries run with the service's elevated privileges, effectively granting the attacker higher-level system access.
Critical Impact
Local attackers can achieve privilege escalation by replacing legitimate service binaries with malicious executables, gaining elevated system access upon service restart.
Affected Products
- Schneider Electric software products (specific product names not disclosed in advisory)
Discovery Timeline
- 2026-01-29 - CVE-2025-13905 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2025-13905
Vulnerability Analysis
This vulnerability stems from a classic insecure permissions misconfiguration affecting service executable binaries. When software is installed with overly permissive file system access controls, local users who should only have read/execute access may instead have write permissions to critical executable files. This creates an opportunity for a privilege escalation attack known as "binary planting" or "service hijacking."
The attack exploits the privilege disparity between the local user context and the service execution context. Windows services typically run under privileged accounts such as SYSTEM, LocalService, or NetworkService. When a lower-privileged user can modify these service binaries, they can inject malicious code that executes with the service's elevated privileges upon restart.
Root Cause
The root cause is the assignment of incorrect default permissions (CWE-276) during the software installation process. Instead of restricting write access to administrative users only, the installation folder and its executable binaries are configured with permissions that allow modification by standard local users. This violates the principle of least privilege and creates a direct path to privilege escalation.
Proper installation should set permissions on service executables to allow only administrators or the SYSTEM account to modify these files, while standard users should have read and execute permissions only.
Attack Vector
The attack requires local access to the target system with standard user privileges. The attacker must identify writable service executables in the installation directory, then replace or modify these binaries with malicious code designed to establish a reverse shell or execute arbitrary commands. The payload executes with elevated privileges when the service is restarted, either manually by an administrator, automatically after a system reboot, or through service recovery mechanisms.
The attack chain typically involves:
- Enumerating services and their executable paths
- Checking file permissions on service binaries
- Replacing the legitimate binary with a malicious payload
- Waiting for or triggering a service restart
- Achieving code execution with elevated privileges
Detection Methods for CVE-2025-13905
Indicators of Compromise
- Unexpected modifications to service executable files in installation directories
- File hash mismatches for known-good service binaries
- New or unexpected outbound network connections from service processes
- Anomalous service restart patterns or failures followed by successful restarts
Detection Strategies
- Monitor file integrity of service executables using hash-based verification tools
- Audit file permission changes on installation directories and service binaries
- Implement behavioral detection for services establishing unexpected network connections
- Alert on service binary modifications outside of approved maintenance windows
Monitoring Recommendations
- Enable Windows Security Event logging for object access (Event ID 4663) on service executable directories
- Configure Sysmon to log file creation and modification events in program installation paths
- Establish baselines for legitimate service binary hashes and monitor for deviations
- Review service account activity for unusual process execution or network connections
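The hash-baseline approach from the detection strategies and monitoring recommendations above, as an added PowerShell example that is not part of the advisory: it records SHA-256 hashes of the executables under an installation folder and later reports files that were modified, added or removed. The install folder and baseline file paths are placeholders.

```powershell
# Added example, not from the advisory: record SHA-256 hashes of the service
# binaries under an install folder, then compare a later run against that baseline.
# Folder and baseline paths are placeholders; keep the baseline outside the
# audited tree, in a location standard users cannot write to (or off-host).
function Get-BinaryHashes([string]$Root) {
    $table = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $table[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    return $table
}

function New-Baseline([string]$Root, [string]$BaselineFile) {
    # Take the baseline immediately after a verified (clean) installation or update.
    Get-BinaryHashes $Root | ConvertTo-Json | Set-Content -LiteralPath $BaselineFile -Encoding UTF8
}

function Compare-Baseline([string]$Root, [string]$BaselineFile) {
    $baseline = @{}
    (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $current = Get-BinaryHashes $Root
    foreach ($path in (@($baseline.Keys) + @($current.Keys) | Sort-Object -Unique)) {
        $status = $null
        if (-not $current.ContainsKey($path))          { $status = 'MISSING'  }
        elseif (-not $baseline.ContainsKey($path))     { $status = 'ADDED'    }
        elseif ($baseline[$path] -ne $current[$path])  { $status = 'MODIFIED' }
        # MODIFIED or ADDED executables in a service folder outside a maintenance
        # window match the indicators listed above and warrant a hash/signature check.
        if ($status) { [pscustomobject]@{ Status = $status; Path = $path } }
    }
}

# Usage with placeholder paths: build once after install, compare on a schedule.
# New-Baseline     -Root 'C:\Program Files\[Application]' -BaselineFile 'C:\Secure\svc-baseline.json'
# Compare-Baseline -Root 'C:\Program Files\[Application]' -BaselineFile 'C:\Secure\svc-baseline.json'
```

Run Compare-Baseline from a scheduled task under an administrative account and forward any non-empty output to the SIEM alongside the Event ID 4663 and Sysmon events mentioned above.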
How to Mitigate CVE-2025-13905
Immediate Actions Required
- Audit file permissions on all Schneider Electric software installation directories
- Remove write permissions for non-administrative users from service executable folders
- Verify integrity of service binaries against known-good hashes
- Review system logs for evidence of unauthorized binary modifications
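One way to carry out the first immediate action (auditing which service executables a standard user could modify), as an added PowerShell example that is not from the advisory or from Schneider Electric: it walks the installed services and reports any whose binary grants write-type rights to a principal other than SYSTEM, Administrators or TrustedInstaller. The trusted-SID list and the set of rights treated as "write" are assumptions you may need to extend for your environment.

```powershell
# Added example, not from the advisory: list services whose executable grants
# write-type rights to anyone other than SYSTEM, Administrators or TrustedInstaller.
# Run in an elevated PowerShell session; output is for review, nothing is changed.
$R = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal replace or alter a file, plus the generic
# GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000) bits some ACEs carry.
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::TakeOwnership -bor $R::ChangePermissions) -bor 0x40000000 -bor 0x10000000
# Compared by SID so the check also works on localized Windows installations.
$trustedSids = @('S-1-5-18', 'S-1-5-32-544',
                 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')

function Get-ServiceBinaryPath([string]$PathName) {
    # Service paths may be quoted with arguments, or unquoted (spaces allowed).
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

function Get-UntrustedWriteAce([string]$Path) {
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if ($trustedSids -contains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $ace }
    }
}

function Find-WritableServiceBinary {
    Get-CimInstance Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return }
        $ace = Get-UntrustedWriteAce $exe
        if ($ace) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Any row returned for a service running as LocalSystem or another privileged account is the condition this CVE describes and should be corrected with the permission fix under Workarounds.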
Patch Information
Schneider Electric has released a security notice addressing this vulnerability. Organizations should review the Schneider Electric Security Notice for specific remediation guidance and updated software versions that address the incorrect default permissions issue.
Workarounds
- Manually correct file permissions on installation directories to restrict write access to administrators only
- Implement application whitelisting to prevent execution of unauthorized binaries
- Use Software Restriction Policies or AppLocker to control which executables can run as services
- Deploy file integrity monitoring to detect unauthorized modifications to service binaries
# Example: restricting permissions on a Windows installation folder
# Run in elevated PowerShell. Replace [Application] with the real folder name; on non-English Windows use SIDs (*S-1-5-32-544, *S-1-5-18, *S-1-5-32-545) instead of the group names.
# Step 1: drop inherited ACEs on the folder itself and grant Administrators and SYSTEM full control, Users read and execute only; (OI)(CI) propagates the ACEs to new files and subfolders.
icacls "C:\Program Files\[Application]" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
# Step 2: reset the existing files and subfolders so they inherit the corrected ACL, then confirm the service still starts (move any data it must write outside the install folder).
icacls "C:\Program Files\[Application]\*" /reset /T
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.