CVE-2025-24072 Overview
CVE-2025-24072 is a use after free vulnerability in Microsoft Local Security Authority Server (lsasrv) that allows an authorized attacker to elevate privileges locally. The Local Security Authority Server (LSASS) is a critical Windows component responsible for enforcing security policy, handling user authentication, and managing access tokens. A vulnerability in this component poses significant risks to system integrity and security.
Critical Impact
Successful exploitation of this use after free vulnerability enables local privilege escalation, potentially allowing attackers to gain SYSTEM-level privileges on affected Windows systems.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, 2025
Discovery Timeline
- March 11, 2025 - CVE-2025-24072 published to NVD
- July 7, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24072
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption vulnerability that occurs when a program continues to use a pointer after the memory it references has been freed. In the context of lsasrv.dll, this flaw exists within the Local Security Authority Server component, which is responsible for critical security operations including authentication and access token management.
The use after free condition can be triggered by an authorized local attacker, meaning the attacker must already have some level of access to the target system. Once exploited, the vulnerability allows the attacker to execute arbitrary code with elevated privileges, potentially achieving SYSTEM-level access. This type of privilege escalation is particularly dangerous in enterprise environments where compromised user accounts could lead to full domain compromise.
Root Cause
The root cause is a use after free memory corruption bug in lsasrv.dll. The vulnerability occurs when memory that has been deallocated is subsequently accessed, leading to undefined behavior. In the context of LSASS, this memory mismanagement allows attackers to manipulate freed memory regions to hijack program execution flow and escalate privileges.
Attack Vector
The attack vector requires local access to the target system with low privileges. An attacker who has already gained initial access through phishing, malware, or other means can exploit this vulnerability to escalate their privileges to SYSTEM level. The attack does not require user interaction and can be executed with low complexity once the attacker has authenticated local access.
The exploitation typically involves:
- Triggering the specific code path in lsasrv.dll that leads to the use after free condition
- Manipulating memory allocations to place attacker-controlled data in the freed memory region
- Causing the vulnerable code to use the freed pointer, executing attacker-controlled code with elevated privileges
Detection Methods for CVE-2025-24072
Indicators of Compromise
- Unusual process creation or memory allocation patterns associated with lsass.exe
- Unexpected privilege escalation events or token manipulation in Windows Security logs
- Abnormal behavior in the Local Security Authority Server process
Detection Strategies
- Monitor for suspicious activity targeting lsass.exe including memory access patterns and code injection attempts
- Enable Windows Defender Credential Guard to protect LSASS memory from tampering
- Deploy endpoint detection and response (EDR) solutions capable of detecting use after free exploitation techniques
- Review Windows Event logs for Event ID 4688 (Process Creation) with elevated privileges from unexpected parent processes
Monitoring Recommendations
- Implement real-time monitoring of LSASS process integrity and memory operations
- Configure alerts for privilege escalation attempts and unusual authentication events
- Enable Protected Process Light (PPL) for LSASS to restrict access from unauthorized processes
How to Mitigate CVE-2025-24072
Immediate Actions Required
- Apply Microsoft security updates released in March 2025 to all affected Windows systems immediately
- Prioritize patching domain controllers and other critical infrastructure running affected Windows versions
- Implement network segmentation to limit lateral movement opportunities for attackers
- Enable Windows Defender Credential Guard where supported
Patch Information
Microsoft has released security updates addressing this vulnerability. Administrators should consult the Microsoft Security Update Guide for CVE-2025-24072 for detailed patch information and download links for all affected Windows versions.
Workarounds
- Enable Credential Guard to protect LSASS process memory from exploitation
- Configure LSASS to run as a Protected Process Light (PPL) using registry settings
- Implement strict application control policies to prevent unauthorized code execution
- Apply the principle of least privilege to limit the impact of potential privilege escalation
# Enable LSASS to run as Protected Process Light (PPL)
# Run in elevated PowerShell
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL /t REG_DWORD /d 1 /f
# Verify the setting is applied
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL
# Note: System restart required for changes to take effect
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
