Key Information

Advisory ID: BT25-06
CVSSv4 Score: 7.1
Severity: High
Issue Date: 2025-07-28
CVE: CVE-2025-6250
CWE: CWE-421
Synopsis: Privilege Management for Windows - Anti-Tamper Bypass
Impacted: Privilege Management for Windows

Summary

A vulnerability has been discovered in Privilege Management for Windows that allows a local authenticated attacker with elevated privileges to bypass anti-tamper protections.

Details

In versions prior to 25.4.270.0, when wmic.exe is elevated with a full admin token, the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to the Administrators group and run any process with elevated permissions.

Mitigation

For versions before 25.4.270.0, a rule can be created to either block execution of wmic.exe completely or allow gated or limited access.

Block

Create an application block rule with the following properties:

Publisher: Microsoft Windows
Product Description: WMI Commandline Utility
Trusted Ownership: Matches
Child Processes: Off

Gated or Limited Access

Create an application executable rule with the following properties:

File Name: wmic.exe
Publisher: Microsoft Windows
Product Description: WMI Commandline Utility
Trusted Ownership: Matches
Child Processes: Off

Affected Versions

Fixed Versions

References

https://www.cve.org/overrecord?id=CVE-2025-6250
https://nvd.nist.gov/vuln/detail/CVE-2025-6250
https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0022605

Acknowledgements

We would like to thank MSG Systems AG for reporting this vulnerability responsibly.
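Detection sketch for the sequence described under Details, added here as an example and not part of BeyondTrust's advisory: it pairs a wmic.exe launch carrying a full elevation token (Windows Security event 4688, TokenElevationType %%1937) with a later stop of the Defendpoint service on the same host (Service Control Manager event 7036). The sample events are constructed; the flattened field names `service` and `state`, the service display name "Defendpoint Service", and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real host), normalized into dicts.
# 4688 = process creation (Security log); 7036 = service state change (System log).
EVENTS = [
    {"time": "2025-07-30T09:14:02", "host": "WS01", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "TokenElevationType": "%%1937", "SubjectUserName": "alice"},
    {"time": "2025-07-30T09:14:09", "host": "WS01", "id": 7036,
     "service": "Defendpoint Service", "state": "stopped"},
    {"time": "2025-07-30T10:01:00", "host": "WS02", "id": 4688,
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "TokenElevationType": "%%1938", "SubjectUserName": "bob"},
    {"time": "2025-07-30T10:01:05", "host": "WS02", "id": 7036,
     "service": "Defendpoint Service", "state": "stopped"},
]

FULL_TOKEN = "%%1937"           # TokenElevationTypeFull in event 4688
SERVICE_MARKER = "defendpoint"  # assumption: the service name contains this string


def find_tamper_candidates(events, window_seconds=60):
    """Pair full-token wmic.exe launches with a later Defendpoint stop on the same host."""
    window = timedelta(seconds=window_seconds)
    recent_wmic = {}  # host -> list of (start time, user)
    alerts = []
    # ISO 8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4688:
            # Compare only the final path component, case-insensitively.
            image = ev.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
            if image == "wmic.exe" and ev.get("TokenElevationType") == FULL_TOKEN:
                recent_wmic.setdefault(ev["host"], []).append(
                    (when, ev.get("SubjectUserName")))
        elif ev["id"] == 7036:
            name = ev.get("service", "").lower()
            if SERVICE_MARKER in name and ev.get("state") == "stopped":
                for started, user in recent_wmic.get(ev["host"], []):
                    if timedelta(0) <= when - started <= window:
                        alerts.append({"host": ev["host"], "user": user,
                                       "wmic_start": started.isoformat(),
                                       "service_stop": when.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_tamper_candidates(EVENTS):
        print(alert)
```

Event 4688 is only recorded when process creation auditing is enabled on the endpoint. The WS02 pair is not flagged because that wmic.exe instance ran with a limited token (%%1938).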