300 Milliseconds to Admin: CVE-2025-24076 & CVE-2025-24994 Explained Simply
Overview
This article by Compass Security explores how two vulnerabilities in Windows 11—CVE-2025-24076 and CVE-2025-24994—can be exploited using DLL hijacking to escalate privileges from a normal user to an administrator. The attack relies on precise timing to trick Windows into loading a malicious DLL.
Original Article: Compass Security - 300 Milliseconds to Admin
What is DLL Hijacking?
DLL (Dynamic Link Library) Hijacking is when an attacker places a malicious DLL in a location where an application expects to find a legitimate one. If the app doesn’t verify the DLL, it will unknowingly load the attacker’s code, potentially granting elevated privileges.
How the Vulnerabilities Were Found
During a penetration test, researchers used PrivescCheck and found that the file:
C:\ProgramData\CrossDevice\CrossDevice.Streaming.Source.dll
…could be modified by any user. This DLL was part of the Mobile Devices feature in Windows 11, which helps sync phones with PCs.
The issue? The DLL is loaded twice:
- First by a user-level process (regular user).
- Then by a system-level process (with elevated/admin privileges).
Because the system didn’t verify the DLL’s authenticity, attackers could replace it with a malicious version and wait for the system process to load it.
CVE Breakdown
CVE-2025-24076
- Type: Privilege Escalation
- What happens: A system-level process loads a DLL from a location writable by users.
- Impact: Malicious DLL runs with admin privileges.
CVE-2025-24994
- Type: User Impersonation
- What happens: A user-level process loads the DLL without checking its signature.
- Impact: Allows user-to-user attacks.
Timing is Everything
The real trick was timing. The researchers had to:
- Watch for the system process that loads the DLL.
- Replace the legit DLL with the malicious one just before the system loads it.
- Restore the original after exploitation to avoid detection.
They used system monitoring tools and scripting to automate this process with sub-second precision—as little as 300 milliseconds.
Mitigation Tips
Microsoft has released patches, but here’s how to stay safe:
- Apply all Windows updates
- Avoid storing DLLs in user-writable directories
- Enforce strict DLL signature verification
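The discovery above started with a tool (PrivescCheck) spotting a DLL that any user could modify, and two of the three mitigations come down to the same two checks: is the DLL in a place low-privileged users can write, and would the loader have noticed a swap? The following PowerShell audit is an added example, not code from the Compass Security article or from PrivescCheck. It walks a directory, flags every DLL whose ACL grants write, modify, delete or full-control rights to a standard-user group, and reports its Authenticode status. The default path is the CrossDevice folder named above; the list of "low-privileged" principals is an assumption and may need extending for your environment.

```powershell
# Added example (not from the Compass Security article): audit a folder for
# DLLs that a standard user could replace and for DLLs that are not validly
# Authenticode-signed. Run as an administrator so every ACL can be read.
param(
    [string]$Path = 'C:\ProgramData\CrossDevice'   # folder from the article
)

# Principals that should never hold write rights on code a privileged
# process loads. Assumed list; adjust for your environment.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a user rewrite or replace the file's contents.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Test-LowPrivWritable {
    # Returns the first low-privileged principal with write-class rights on
    # $File, or $null if none has them.
    param([string]$File)
    $acl = Get-Acl -LiteralPath $File
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

Get-ChildItem -LiteralPath $Path -Filter '*.dll' -Recurse -File | ForEach-Object {
    $writableBy = Test-LowPrivWritable -File $_.FullName
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Dll        = $_.FullName
        WritableBy = $writableBy
        Signature  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # A user-writable DLL is the real finding; a valid signature only
        # helps if the loading process actually verifies it before LoadLibrary.
        Risk       = if ($writableBy -and $sig.Status -ne 'Valid') { 'HIGH' }
                     elseif ($writableBy) { 'MEDIUM' }
                     else { 'ok' }
    }
} | Format-Table -AutoSize
```

Two caveats when reading the output. First, the script checks the DLL's own ACL; a user who can create and delete files in the parent folder can also replace the DLL, so run `Get-Acl` on the directory as well. Second, a valid signature in the Signature column does not by itself close the hole: unless the loading process checks the signature (and the expected signer) before loading, a signed DLL in a user-writable folder is still replaceable, which is exactly the condition behind CVE-2025-24076.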
Final Thoughts
This exploit demonstrates how small oversights (like not verifying DLLs) can be chained into powerful attacks. Even built-in OS features like Mobile Devices can become attack vectors if not carefully locked down.
Reference: Compass Security - 300 Milliseconds to Admin