
BeyondTrust Privilege Management Flaw Lets Hackers Escalate System Access

BeyondTrust has disclosed a critical privilege escalation vulnerability in its Privilege Management for Windows solution that could allow local authenticated attackers to gain administrator-level access to compromised systems.

The security flaw, tracked as CVE-2025-2297, affects versions before 25.4.270.0 and carries a CVSSv4 score of 7.2, classified as high severity.

Vulnerability Details and Impact

The vulnerability stems from improper privilege management controls that allow local authenticated users to manipulate their user profile files under specific conditions.

By exploiting this weakness, attackers can inject illegitimate challenge response codes into the local user registry, effectively bypassing security controls designed to prevent unauthorized privilege escalation.

Attribute       Details
CVE ID          CVE-2025-2297
Advisory ID     BT25-05
CVSS v4 Score   7.2 (High)

This security flaw represents a significant risk to enterprise environments where BeyondTrust’s Privilege Management solution is deployed to control and monitor administrative access.

The vulnerability could enable insider threats or attackers who have already gained initial access to a system to escalate their privileges without proper authorization.

According to BeyondTrust’s security advisory BT25-05, published on July 28, 2025, the vulnerability lies in the challenge response mechanism used by the Privilege Management system.

Attackers can manipulate registry entries under HKEY_USERS\[sid]\Software\Avecto\Privilege Guard Client\ChallengeResponseCache\[sha256sum] to insert unauthorized “forever” response entries that grant persistent administrative privileges.

The vulnerability is classified under CWE-268 (Privilege Chaining), indicating that it involves the improper management of privileges that can be chained together to achieve unauthorized access levels.

The attack vector requires local access and high attack complexity, but does not require user interaction once the initial manipulation is performed.

BeyondTrust has addressed the vulnerability in version 25.4.270.0 and has already upgraded all cloud tenants to the fixed version.

Enterprise customers using on-premises deployments should immediately update their installations to the latest version to mitigate this security risk.

For organizations unable to immediately upgrade, BeyondTrust recommends avoiding “forever” challenge response auto elevation permissions and implementing monitoring for suspicious registry modifications.
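One way to implement the registry monitoring recommended above, as an added example that is not BeyondTrust’s code or tooling: it runs a detection over constructed Sysmon-style registry events (Event ID 12/13/14) and flags any operation beneath the ChallengeResponseCache path named in the advisory, rating writes from an unexpected process as high severity. The trusted-writer image path is a placeholder assumption, and the SID, hashes, users and process names in the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Registry location named in advisory BT25-05; Sysmon logs HKEY_USERS as "HKU".
# The entry is matched whether it appears as a key or as a value beneath that key.
CACHE_PATH_RE = re.compile(
    r"^(?:HKEY_USERS|HKU)\\(?P<sid>S-1-5-21-[\d-]+)\\Software\\Avecto\\"
    r"Privilege Guard Client\\ChallengeResponseCache\\(?P<entry>[0-9a-f]{64})(?:\\.*)?$",
    re.IGNORECASE,
)

# Placeholder (an assumption, not from the advisory) for the component expected to
# write this cache; replace it with the image seen in your own baseline telemetry.
TRUSTED_WRITERS = {r"c:\placeholder\privilegeguardclient.exe"}

@dataclass(frozen=True)
class RegistryEvent:
    event_id: int        # Sysmon 12 = key create/delete, 13 = value set, 14 = rename
    image: str           # process that performed the registry operation
    user: str
    target_object: str

def analyze(events):
    """Return one finding dict per registry event that touches the cache path."""
    findings = []
    for ev in events:
        if ev.event_id not in (12, 13, 14):
            continue
        m = CACHE_PATH_RE.match(ev.target_object)
        if not m:
            continue
        # A write by anything other than the expected component is the real alert.
        severity = "info" if ev.image.lower() in TRUSTED_WRITERS else "high"
        findings.append({"sid": m["sid"], "entry": m["entry"].lower(),
                         "image": ev.image, "user": ev.user, "severity": severity})
    return findings

# Constructed sample telemetry for this example (SID, hashes and users are made up).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
BASE = rf"HKU\{SID}\Software\Avecto\Privilege Guard Client\ChallengeResponseCache"
SAMPLE_EVENTS = [
    RegistryEvent(13, r"C:\Windows\System32\reg.exe", r"CORP\jdoe", rf"{BASE}\{'a' * 64}"),
    RegistryEvent(13, r"C:\placeholder\PrivilegeGuardClient.exe", r"NT AUTHORITY\SYSTEM",
                  rf"{BASE}\{'b' * 64}\Response"),
    RegistryEvent(13, r"C:\Windows\explorer.exe", r"CORP\jdoe",
                  rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Tool"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']} via {f['image']} touched {f['entry'][:12]}...")
```

Feed it the TargetObject, Image and User fields from real Sysmon registry events and review every "high" finding against an approved elevation request; the pattern also fits a SIEM rule, since the path regex is the only product-specific piece.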

Administrators should review their Endpoint Privilege Management (EPM) policies to ensure legitimate business needs are addressed through proper policy configurations rather than persistent response entries.

The vulnerability was responsibly disclosed by security researchers Lukasz Piotrowski and Marius Kotlarz, highlighting the importance of coordinated vulnerability disclosure in maintaining enterprise security.
