Cyber Posture

CVE-2025-0834

High · LPE

Published: 30 January 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.2th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0834 is a high-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Services File Permissions Weakness (T1574.010). The CVE ranks at the 6.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-34 (Non-modifiable Executable Programs).

Threat & Defense at a Glance

What attackers do: exploitation maps to Services File Permissions Weakness (T1574.010) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Prevents low-privilege attackers from replacing the ElevationService.exe binary by enforcing non-modifiability of critical executables.

prevent

Enforces least privilege to block low-privilege users (PR:L) from writing to the ProgramData path containing the vulnerable ElevationService.exe.

detect

Provides software integrity verification to detect unauthorized replacement of the ElevationService.exe binary through file hashing or similar mechanisms.
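
A defender-side audit of the conditions these controls address, as an added example that is not code from the vendor, NVD or this page's analysis: it lists write-capable ACEs granted to broad user groups on the binary and its two parent folders, then records a SHA-256 hash and Authenticode status for baseline comparison. The function name `Get-WeakWriteAce` and the choice of SIDs are assumptions of this example; the path is the one quoted in the NVD description.

```powershell
# Added example (not vendor or project code). Path is quoted from the NVD description.
$Target = 'C:\ProgramData\Wondershare\wsServices\ElevationService.exe'

# Well-known SIDs that include ordinary, non-administrative users (assumed set).
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Specific rights that permit replacing a file or changing its ACL, plus the
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits seen on inheritable ACEs.
$WriteMask   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericMask = 0x50000000

function Get-WeakWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Ask for explicit and inherited rules with identities expressed as SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid    = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        $writes = ($rights -band $WriteMask) -or ($rights -band $GenericMask)
        if ($ace.AccessControlType -eq 'Allow' -and $LowPrivSids.ContainsKey($sid) -and $writes) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $LowPrivSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Least-privilege check: the binary and its two parent folders should return no rows.
$folder = Split-Path -Parent $Target
$Target, $folder, (Split-Path -Parent $folder) |
    ForEach-Object { Get-WeakWriteAce -Path $_ } | Format-Table -AutoSize

# Integrity baseline: record hash and signature status, then compare on later runs.
if (Test-Path -LiteralPath $Target) {
    Get-FileHash -LiteralPath $Target -Algorithm SHA256 | Format-List Hash, Path
    Get-AuthenticodeSignature -LiteralPath $Target | Format-List Status, StatusMessage
}
```

Any row in the table means a non-administrative group can modify or replace a file that runs as SYSTEM; a changed hash or a signature status other than `Valid` on a later run warrants investigation.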

MITRE ATT&CK Enterprise Techniques · AI

T1574.010 Services File Permissions Weakness · Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by services.

T1543.003 Windows Service · Persistence
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

Why these techniques?

The vulnerability enables direct replacement of the ElevationService.exe service binary (due to improper privilege management/weak file permissions), which auto-executes as SYSTEM; this maps to service binary hijacking for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A privilege escalation vulnerability has been found in Wondershare Dr.Fone version 13.5.21. This vulnerability could allow an attacker to escalate privileges by replacing the binary ‘C:\ProgramData\Wondershare\wsServices\ElevationService.exe’ with a malicious binary. This binary will be executed by SYSTEM automatically.

Deeper analysis · AI

CVE-2025-0834 is a privilege escalation vulnerability in Wondershare Dr.Fone version 13.5.21, published on 2025-01-30. The flaw, tied to CWE-269 (Improper Privilege Management), enables an attacker to replace the binary at C:\ProgramData\Wondershare\wsServices\ElevationService.exe with a malicious version. This binary is automatically executed with SYSTEM privileges, allowing unauthorized elevation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. By overwriting the ElevationService.exe binary in the ProgramData directory, the attacker tricks the software into running their malicious code as SYSTEM. This achieves high impacts on confidentiality, integrity, and availability, potentially granting full administrative control over the affected system.

For mitigation guidance, refer to the INCIBE-CERT advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/wondershare-drfone-privilege-scalation-vulnerability.

Details

CWE(s)

Affected Products

Wondershare Dr.Fone
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-0327 · Shared CWE-269
CVE-2026-2777 · Shared CWE-269
CVE-2025-48613 · Shared CWE-269
CVE-2024-58104 · Shared CWE-269
CVE-2025-15027 · Shared CWE-269
CVE-2026-35595 · Shared CWE-269
CVE-2025-64487 · Shared CWE-269
CVE-2025-0180 · Shared CWE-269
CVE-2026-5144 · Shared CWE-269
CVE-2025-67905 · Shared CWE-269
