Windows 11 Let Hackers Gain Admin in 300ms.

Some days, you just have to laugh to keep from crying.

Imagine spending billions developing the "most secure Windows ever," only to get taken down by the oldest trick in the book: DLL hijacking. Well done, Microsoft. Seriously.

In today's tour through "how did this even happen," we are diving into CVE-2025-24076 — a spicy Windows 11 privilege escalation bug that let attackers gain full administrator rights in about 300 milliseconds. Yes, less time than it takes you to curse when your laptop freezes.

Let us unpack what went wrong, why you should care, and what you need to fix it before someone else "fixes" your systems permanently.

What Happened? A Quick Explainer

The bug lives inside the Windows Cross Device Service. You know, that handy feature that lets you link your phone to your PC? Turns out it also helpfully linked low-level attackers to SYSTEM-level privileges.

How? Improper access control.

The Cross Device Service loaded a DLL file — CrossDevice.Streaming.Source.dll — from a location that any standard user could modify. No signature checks. No validation. Nothing.

Just sitting there like a chocolate cake in a public park with a "please eat me" sign.

If an attacker replaced that DLL with a malicious one, the service would happily load it — as SYSTEM. That is game over. Full admin rights. No special tools needed. No advanced skills. Just timing and a little nerve.

But It Gets Worse

Exploiting this was not even that hard.

According to the researchers at Compass Security who found it, all you had to do was:

  1. Trigger the vulnerable service (say, by opening the Phone Link camera feature)

  2. Wait for the legitimate DLL to be released

  3. Swap it with your malicious DLL in a 300-millisecond window

And boom — you are now the ruler of the box.

You might be wondering: "Wait, does that tiny window not make it hard to exploit?"

Normally, yes. But the researchers used an Opportunistic Lock (oplock) to precisely time the DLL swap. They even intercepted specific Windows file operations to make it more reliable.

In their tests, it worked like a charm.

The Technical Meat (for Those Who Like Their Steak Bloody)

  • Vulnerable File: %PROGRAMDATA%\CrossDevice\CrossDevice.Streaming.Source.dll

  • Loaded by: CrossDevice.Service.exe

  • Privilege: SYSTEM

  • Root Cause: World-writable file location + no integrity checking

  • Technique: DLL Hijacking + Race Condition + Opportunistic Lock

  • CVSS Score: 7.3 (High)

Microsoft assigned it CWE-284: Improper Access Control.

If you thought DLL hijacking was a thing of the past, welcome to Windows 11, where every security best practice is optional.
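A defender-side check for the root cause listed above, added here as an example (it is not code from Compass Security or Microsoft). It lists write-capable ACEs on the folder and DLL that belong to principals outside a trusted set, then reports the DLL's Authenticode status. The trusted-SID list and the function name are assumptions made for illustration.

```powershell
# Added example (not from the advisory). Path and DLL name come from the article.
$Dir = Join-Path $env:ProgramData 'CrossDevice'
$Dll = Join-Path $Dir 'CrossDevice.Streaming.Source.dll'

# Rights that allow replacing or tampering with a file, plus GENERIC_WRITE / GENERIC_ALL,
# which inherit-only ACEs often carry instead of the specific bits.
$Specific  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$Specific -bor 0x40000000 -bor 0x10000000

# Assumption: only these principals should hold write access to a SYSTEM service's code.
$TrustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($TrustedSids -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

foreach ($p in $Dir, $Dll) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Output "Not present: $p"; continue }
    $findings = @(Get-UntrustedWriteAce -Path $p)
    if ($findings.Count -eq 0) { Write-Output "OK: no untrusted write ACEs on $p" }
    else { $findings | Format-Table -AutoSize | Out-String | Write-Output }
}

if (Test-Path -LiteralPath $Dll) {
    # Status is Valid, NotSigned, HashMismatch, etc.; the signer is empty for unsigned files.
    $sig = Get-AuthenticodeSignature -FilePath $Dll
    Write-Output ("Signature: {0}; signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
}
```

An ACE for Users (S-1-5-32-545) or Authenticated Users (S-1-5-11) in the output is the condition the article describes as a location any standard user could modify.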

Which Versions Are Affected?

Pretty much every major release of Windows 11 until March 2025:

Version                        Build Affected
Windows 11 22H2 and 23H2       Up to 10.0.22631.5039
Windows 11 24H2 (Insider)      Up to 10.0.26100.3403
Windows Server 2022            Up to 10.0.25398.1486
Windows Server 2025 (vNext)    Up to 10.0.26100.3403

If you are running one of these builds and have not patched, you should put down your coffee and update. Fast.

Patch Status

Microsoft fixed the issue in the March 2025 Patch Tuesday updates.

If you have installed those or anything newer, you are safe. If not, you are one dodgy click away from having a new, unwanted "co-admin".

Microsoft rated it "Important," not "Critical." Because apparently someone still thinks that local privilege escalation is just a "nice to have" for attackers.

How Bad Is This Really?

You might be thinking: "It is only local. They need access first, right?"

Yes — but think about how attackers operate today. Malware rarely goes for SYSTEM straight away. It lands as a normal user. Then it needs to escalate.

Thanks to CVE-2025-24076, it could.

In the real world, this could be chained with phishing attacks, browser exploits, drive-by downloads — you name it. Land low, escalate high. Classic attack playbook.

Worse, this vulnerability leaves almost no trace. Unless you are actively monitoring for weird file replacement behaviour (are you?), you might not even know someone used it.

And if they get SYSTEM, they own the machine.

Own the machine, they own the domain.

Own the domain... you are about to have a really bad day.
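One way to watch for the file replacement behaviour mentioned above, as an added example that is not from the original post or the researchers. It triages Security event 4663 records for write or delete access to the DLL by accounts outside an allowlist. It assumes the "Audit File System" subcategory is enabled, that a SACL is set on the CrossDevice folder, and that only SYSTEM should modify the file; the function names and sample events are constructed.

```powershell
# Added example: flag writes/deletes against the DLL named in the article (event 4663).
$TargetLeaf    = '\CrossDevice\CrossDevice.Streaming.Source.dll'
$WriteOrDelete = 0x2 -bor 0x4 -bor 0x10000   # WriteData, AppendData, DELETE
$AllowedSids   = @('S-1-5-18')               # assumption: tune to the writers you expect

# Flatten a real 4663 record into an object with the EventData field names.
function ConvertFrom-Event4663 {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $h = [ordered]@{ TimeCreated = $Record.TimeCreated }
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Find-SuspiciousDllWrite {
    param([Parameter(Mandatory)][object[]]$Events, [string[]]$Allowed = $AllowedSids)
    foreach ($e in $Events) {
        $isTarget = $e.ObjectName.EndsWith($TargetLeaf, [StringComparison]::OrdinalIgnoreCase)
        if (-not $isTarget) { continue }
        $mask = [Convert]::ToInt32($e.AccessMask, 16)      # logged as a hex string, e.g. 0x2
        if (($mask -band $WriteOrDelete) -eq 0) { continue }  # read-only access
        if ($Allowed -contains $e.SubjectUserSid) { continue }
        $e
    }
}

# Constructed sample records (not real telemetry) using 4663 field names.
$dllPath = 'C:\ProgramData\CrossDevice\CrossDevice.Streaming.Source.dll'
$userSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$sample = @(
    [pscustomobject]@{ SubjectUserSid = 'S-1-5-18'; ObjectName = $dllPath
                       AccessMask = '0x2'; ProcessName = 'C:\constructed\service.exe' }
    [pscustomobject]@{ SubjectUserSid = $userSid; ObjectName = $dllPath
                       AccessMask = '0x1'; ProcessName = 'C:\constructed\reader.exe' }
    [pscustomobject]@{ SubjectUserSid = $userSid; ObjectName = $dllPath
                       AccessMask = '0x10000'; ProcessName = 'C:\constructed\unknown.exe' }
    [pscustomobject]@{ SubjectUserSid = $userSid; ObjectName = $dllPath
                       AccessMask = '0x2'; ProcessName = 'C:\constructed\unknown.exe' }
)

# Only the last two records (delete, then write, by a standard user) are returned.
Find-SuspiciousDllWrite -Events $sample | Format-Table SubjectUserSid, AccessMask, ProcessName

# Live use:
# $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#     ForEach-Object { ConvertFrom-Event4663 $_ }
# Find-SuspiciousDllWrite -Events $ev
```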

What Microsoft Did (and Did Not Do)

Microsoft patched it — eventually.

The researchers reported the bug in September 2024. Microsoft took until March 2025 to push the fix.

Six months.

Six months where the "most secure Windows ever" shipped a service that handed out SYSTEM access like sweets at Halloween.

No special disclosure announcement. No blog post highlighting it. Just a dry line in the Patch Tuesday notes.

Look, credit where it is due: at least they fixed it.

But you have to wonder — how many more ticking time bombs are hiding inside Windows 11’s "helpful" new features?

What Should You Do?

You have two immediate action items:

  1. Patch everything. Install the March 2025 (or later) Windows Updates.

  2. Harden your systems. Just patching is not enough. Assume compromise is inevitable. Implement:

    • Principle of least privilege (users should not be admins)

    • Behavioural monitoring (EDR solutions)

    • App whitelisting

    • Vulnerability scanning

Are you doing all that? Or are you still trusting "Patch Tuesday" alone to save you?

(Spoiler: it won't.)

Longer term, demand better from your vendors. Microsoft included.

We cannot keep accepting "oops" moments that open SYSTEM access because someone forgot to lock down a DLL.

Final Thoughts: Same Old, Same Old

DLL hijacking is not new. It has been a problem since Windows NT.

There is no excuse for it to still happen — especially inside core system services.

If your newest operating system can be undone by a writable folder and a swapped DLL, it is not secure. It is a papier-mâché fortress.

Maybe the next version of Windows should come with a free fire extinguisher. Because the way things are going, we are all going to need it.

Patch up. Harden your environment. Watch for the next "oops."

Because if history teaches us anything, it is that there is always a next one.

Are you ready?

Sources

  • Compass Security Advisory

  • Microsoft CVE-2025-24076

  • Cybersecurity News Summary

  • Zero Day Initiative March 2025 Report

  • SecurityOnline Report


Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com