Microsoft Brokering File System Windows 11 Version 22H2 – Elevation of Privilege

Exploit Details

Basic Information

Exploit Title: Microsoft Brokering File System Windows 11 Version 22H2 – Elevation of Privilege
Exploit ID: EDB-ID:52360
Type: exploitdb
Published: 2025-07-16T00:00:00
Modified: 2025-07-16T00:00:00

CVSS Information

CVSS Score: 7.0
Severity: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE Information

  • CVE-2025-49677

Exploit Description

Titles: Microsoft Brokering…

Exploit Code

# Titles: Microsoft Brokering File System Windows 11 Version 22H2 – Elevation of Privilege

# Author: nu11secur1ty

# Date: 07/09/2025

# Vendor: Microsoft

# Software: https://www.microsoft.com/en-us/windows/windows-11?r=1

# Reference: https://portswigger.net/web-security/access-control

# CVE-2025-49677

## Description

This Proof of Concept (PoC) demonstrates an interactive SYSTEM shell exploit for CVE-2025-49677.
It leverages scheduled tasks and a looping batch script running as SYSTEM to execute arbitrary commands
with NT AUTHORITY\SYSTEM privileges and interactively returns command output.

# [more](https://github.com/advisories/GHSA-69q2-qmcc-6rh3)

# [Reference](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49677)

## Usage

1. Run the Python script as Administrator on the vulnerable Windows machine.

2. The script creates a scheduled task that runs a batch script as SYSTEM user.

3. You get an interactive prompt (`SYSTEM>`) in your Python console.

4. Type any Windows command (e.g. `whoami`, `dir`, `net user`) and see the SYSTEM-level output.

5. Type `exit` to quit and clean up all temporary files and scheduled tasks.

## Files

- `PoC.py`: Python script implementing the exploit and interactive shell.

- `README.md`: This readme file.

## Requirements

- Python 3.x installed on Windows.

- Run the script with Administrator privileges.

- The script uses built-in Windows commands (schtasks, cmd.exe, timeout).
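
For defenders, the behaviour described above (a scheduled task registered to run a batch script through cmd.exe as SYSTEM) is recorded in Security event 4698 when "Audit Other Object Access Events" is enabled. The following Python triage check is an added example, not part of the original PoC; it reads the 4698 fields `SubjectUserSid`, `SubjectUserName` and `TaskContent`, and the sample events, task names and paths are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", "nt authority\\system"}
SCRIPT_EXT = (".bat", ".cmd")

def review_task(event):
    """Return reasons why a 4698 (task created) event deserves analyst review."""
    root = ET.fromstring(event["TaskContent"])
    users = {(u.text or "").strip().lower()
             for u in root.iterfind(".//t:Principal/t:UserId", NS)}
    if not users & SYSTEM_IDS:
        return []  # task does not run as SYSTEM
    reasons = []
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().strip('"').lower()
        args = ex.findtext("t:Arguments", "", NS).lower()
        if ntpath.basename(cmd) in ("cmd.exe", "cmd"):
            reasons.append("SYSTEM task launches cmd.exe")
        if cmd.endswith(SCRIPT_EXT) or any(x in args for x in SCRIPT_EXT):
            reasons.append("SYSTEM task runs a batch script")
    if reasons and event["SubjectUserSid"].lower() != "s-1-5-18":
        reasons.append("registered by non-SYSTEM account " + event["SubjectUserName"])
    return reasons

def task_xml(user, command, arguments=""):
    # Constructed minimal Task Scheduler XML; real tasks carry more elements.
    return (f'<Task xmlns="{NS["t"]}"><Principals><Principal id="Author">'
            f'<UserId>{user}</UserId></Principal></Principals>'
            f'<Actions><Exec><Command>{command}</Command>'
            f'<Arguments>{arguments}</Arguments></Exec></Actions></Task>')

USER_SID = "S-1-5-21-1111-2222-3333-1001"  # constructed SID
SAMPLE_EVENTS = [  # constructed events with hypothetical task names and paths
    {"TaskName": "\\ExampleLoop", "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "TaskContent": task_xml("S-1-5-18", "cmd.exe",
                             r"/c C:\Users\alice\AppData\Local\Temp\loop.bat")},
    {"TaskName": "\\ExampleBackup", "SubjectUserSid": USER_SID, "SubjectUserName": "alice",
     "TaskContent": task_xml(USER_SID, r"C:\Tools\backup.exe")},
    {"TaskName": "\\ExampleUpdater", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "HOST$",
     "TaskContent": task_xml("S-1-5-18", r"C:\Program Files\Example\update.exe")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["TaskName"], "->", review_task(ev) or "ok")
```
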

## Disclaimer

Use this PoC only in authorized environments for testing and research purposes.
Disclose responsibly. The author and nu11secur1ty are not responsible for misuse.

# Video:

[href](https://www.youtube.com/watch?v=b_TrOtCKPkg)

# Source:

[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-49677)


# Time spent:

05:35:00



System Administrator – Infrastructure Engineer

Penetration Testing Engineer

Exploit developer at https://packetstormsecurity.com/

https://cve.mitre.org/index.html

https://cxsecurity.com/ and https://www.exploit-db.com/

0day Exploit DataBase https://0day.today/

home page: https://www.nu11secur1ty.com/


nu11secur1ty
