Cyber Posture

CVE-2025-22890

High · LPE

Published: 06 February 2025

Modified: 04 February 2026
CVSS Score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.3th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22890 is a high-severity Execution with Unnecessary Privileges (CWE-250) vulnerability in Hummingheads Defense Platform. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 12.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates execution with unnecessary privileges by ensuring the Defense Platform software and associated processes operate with the minimum privileges required, preventing escalation to SYSTEM level.

prevent

Requires timely flaw remediation through patching the specific privilege escalation vulnerability in Defense Platform Home Edition Ver.3.9.51.x and earlier.

prevent

Enforces access control policies to block the specific local operation that allows low-privileged attackers to obtain SYSTEM privileges on the Windows host.

MITRE ATT&CK Enterprise Techniques · AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The CVE describes a local privilege escalation vulnerability (CWE-250) allowing low-privileged attackers to gain SYSTEM access on Windows, directly enabling Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Execution with unnecessary privileges issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. If an attacker performs a specific operation, SYSTEM privilege of the Windows system where the product is running may be obtained.

Deeper analysis · AI

CVE-2025-22890 is an execution with unnecessary privileges vulnerability, classified under CWE-250, affecting Defense Platform Home Edition versions 3.9.51.x and earlier. This issue resides in the software running on Windows systems, where it allows escalation beyond intended privilege levels. The vulnerability was published on 2025-02-06 and carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), highlighting its high severity due to local attack vector, low complexity, and significant impacts.

A local attacker with low privileges can exploit the vulnerability by performing a specific operation, requiring no user interaction. Successful exploitation grants the attacker SYSTEM privileges on the Windows host where the product is installed, enabling high-impact compromise of confidentiality, integrity, and availability with a scope change to the system.

Advisories providing further details, including potential mitigations and patches, are available at https://jvn.jp/en/jp/JVN66673020/ and https://www.hummingheads.co.jp/dep/storelist/.

Details

CWE(s)

Affected Products

hummingheads defense platform ≤ 3.9.51.0

CVEs Like This One

CVE-2025-22894: Same product (Hummingheads Defense Platform)
CVE-2026-0870: Shared CWE-250
CVE-2025-58383: Shared CWE-250
CVE-2024-48013: Shared CWE-250
CVE-2025-57119: Shared CWE-250
CVE-2026-1680: Shared CWE-250
CVE-2026-25908: Shared CWE-250
CVE-2025-40942: Shared CWE-250
CVE-2025-13506: Shared CWE-250
CVE-2025-36184: Shared CWE-250
