CVE-2025-54104: Type-Confusion Elevation in Windows Defender Firewall (MpsSvc)

Microsoft’s Security Update Guide records CVE-2025-54104 as an elevation of privilege vulnerability in the Windows Defender Firewall Service caused by an “access of resource using incompatible type (‘type confusion’)” — in short, a type‑confusion bug in a privileged service that an authorized local attacker can abuse to raise privileges on a host. (msrc.microsoft.com)

Background / Overview​

Type confusion is a classic memory‑safety defect in which code treats a value or object as one type while it actually represents another. In privileged components this can be catastrophic: misinterpreted object layouts let attackers influence sizes, offsets, or function pointers the kernel or a service uses, and that in turn can produce out‑of‑bounds reads/writes, function pointer overwrites, or token steals that lead to SYSTEM‑level privileges. Recent months have shown a recurring pattern of these bugs across Windows subsystems; Microsoft’s advisories and third‑party trackers document multiple type‑confusion CVEs in 2025 that share the same high‑level risk profile.
CVE‑2025‑54104 targets the Windows Defender Firewall Service (service name: MpsSvc). The vulnerability is listed by Microsoft as requiring local, authorized attacker access to trigger — i.e., it is not described as a standalone remotely exploitable RCE — but it remains high‑impact in post‑compromise scenarios where an attacker already has a low‑privilege foothold and wants to escalate to system privileges. Administrators must therefore treat this as an urgent patching priority, especially in environments where endpoint malware, phishing or untrusted local accounts are realistic threats. (msrc.microsoft.com)

---

What the advisory actually says (and what it doesn’t)​

• Microsoft classifies CVE‑2025‑54104 as an Elevation of Privilege vulnerability arising from Access of resource using incompatible type (type confusion) in the Windows Defender Firewall Service. The vendor advisory notes it allows an authorized attacker to elevate privileges locally. (msrc.microsoft.com)
• Microsoft’s Security Update Guide pages are authoritative but often delivered by a dynamic UI; the MSRC entry is the canonical source for affected builds, KB numbers and official patch metadata. Administrators should retrieve the exact KB numbers and apply the updates that match their build (Windows 10, Windows 11 and supported Server SKUs) from the Update Catalog or their enterprise patching system. The MSRC page itself may require the Microsoft Update Catalog / WSUS manifests for KB IDs. (msrc.microsoft.com)
• The advisory, as published, does not (and typically will not) include exploit‑level details. Microsoft and the vulnerability‑disclosure community commonly limit technical details when a bug is pragmatic to weaponize. Public proof‑of‑concept (PoC) exploit code for similar Win32/notification/service type‑confusion bugs has appeared quickly following some disclosures in prior months, but for CVE‑2025‑54104 there is limited public technical write‑up or PoC at the time of the advisory. Treat any third‑party technical interpretation as provisional until corroborated.

---

Why Defender Firewall service matters (technical context)​

The Windows Defender Firewall Service (display name: Windows Defender Firewall, service name: MpsSvc) is more than a “simple” packet filter. It integrates with the Windows Filtering Platform and participates in service hardening and network isolation. Because it runs as a privileged service (LocalService / shared svchost instance) and historically mediates kernel‑mode drivers and other security‑sensitive operations, a memory‑safety flaw there can be converted into a full SYSTEM compromise if an attacker can coerce the service into using corrupted object layouts or pointers. The service’s role in enforcing firewall rules and policy means an attacker who reaches SYSTEM can disable protections or open persistent network access. (learn.microsoft.com)
Key facts administrators should keep in mind:

• Service name / management:
• Display name: Windows Defender Firewall
• Service name: MpsSvc (queryable with Get-Service -Name MpsSvc). (learn.microsoft.com, en.wikipedia.org)
• The service logs and rule changes generate distinct security events (see Detection guidance below). Microsoft documents event types for firewall rule additions/modifications and monitoring process creation and service state changes. (learn.microsoft.com)

---

Technical analysis: how a type‑confusion EoP might look in practice​

(High‑level, vendor‑safe sketch — not a step‑by‑step exploit.)

• Attacker foothold: An attacker obtains local code execution or runs a malicious process with normal user privileges on the target machine (via phishing, malicious installer, untrusted app, or sandbox escape).
• Triggering the vulnerable path: The attacker calls or induces a Windows API, service interface, or IPC interaction that exercises the buggy code path inside the Defender Firewall Service. Because the service crosses privileged boundaries and interacts with kernel or driver objects, inputs can be marshalled into internal objects.
• Type confusion: The buggy path misinterprets an object’s type tag or layout. The service acts on an object using the wrong size/offsets or reads/writes fields that don’t match the intended type.
• Memory corruption primitive: The type confusion is transformed into a controlled memory primitive (info leak or kernel/write‑primitive) by techniques such as heap grooming, timing, or repeated operations.
• Privilege escalation: The memory primitive is used to overwrite a security token, function pointer, or callback to execute code as SYSTEM or to duplicate a SYSTEM token into the attacker process.
• Persistence and pivot: With SYSTEM privileges, an attacker can disable protections, persist an implant, exfiltrate data, or move laterally across an environment.

This pattern closely matches prior type‑confusion and Win32/ICOMP advisories observed through 2025; defenders must assume exploitability is plausible even though Microsoft has not published exploit details.
Caveat — weaponization timeline: Historically, local privilege escalation bugs are often included in malware/tooling rapidly after disclosure (days to weeks) because they’re valuable building blocks. However, not every disclosed bug sees immediate public exploitation — exploit complexity, required primitives and environmental constraints affect that cadence. Treat the risk conservatively and patch quickly.

---

Affected systems and severity assessment​

• Scope: Microsoft’s advisory is the authoritative source for the exact list of affected Windows builds and recommended updates. Expect broad coverage across supported Windows 10/11 client builds and supported Windows Server versions because the Defender Firewall Service is widespread. Confirm KB numbers for each build via MSRC or Microsoft Update Catalog. (msrc.microsoft.com)
• Attack vector and severity:
• Attack vector: Local (requires authorized or local attacker).
• Impact: Elevation of Privilege (potential SYSTEM).
• Relative severity: High for hosts where local compromise is plausible (workstations, admin/operator stations, terminal servers, virtual desktop infrastructure). Lower immediate external threat than remote RCEs, but critical in chained attacks. Similar type‑confusion CVEs in 2025 have been rated high across trackers. (bleepingcomputer.com)
• Public scoring: Microsoft’s Update Guide entries sometimes omit CVSS; third‑party aggregators (NVD, Tenable, vendor blogs) will assign or map CVSS scores later. For pattern context, other recent type‑confusion CVEs were assigned high CVSS values in vendor trackers. Use your environment’s risk model to prioritize patch rollout, not just raw score. (nvd.nist.gov, tenable.com)

---

Immediate mitigation and remediation (practical, prioritized)​

• Patch immediately
• Deploy Microsoft’s security update that addresses CVE‑2025‑54104 to all affected systems. Use Windows Update, WSUS, SCCM / Microsoft Endpoint Manager (Intune), or the Microsoft Update Catalog to obtain the appropriate KB for each Windows build and test in a staging ring before broad rollout. MSRC is the canonical advisory; extract KB IDs and cumulative update names there. (msrc.microsoft.com)
• If immediate patching is impractical
• Limit local access: Restrict interactive logon rights and remove unnecessary local admin privileges. Prioritize systems that are shared, accessible to contractors, or used as staging points.
• Apply least privilege: Harden endpoints by revoking local admin rights for everyday user accounts and using privileged access workstations for administrative tasks.
• Network segmentation: Separate vulnerable endpoints from high‑value targets and control remote management paths.
• Disable unnecessary services and remove legacy features that increase attack surface where feasible.
• Increase monitoring while rolling patches
• Enable auditing for:
• Process creation events (Windows Security Event ID 4688) to detect suspicious process spawning. (learn.microsoft.com)
• Windows Firewall rule changes (Event IDs 4946, 4947) — rule additions/modifications that were not pushed via Group Policy. (learn.microsoft.com)
• Service start/stop events (Event ID 7036 in the System channel) to capture unusual MpsSvc restarts.
• Deploy Endpoint Detection & Response (EDR) hunting queries for anomalous token elevations, svchost memory anomalies, or processes performing rights escalations.
• Use Sysmon (where available) to collect richer process and network telemetry for hunts.
• Use existing security controls
• Ensure Defender Tamper Protection is enabled and Endpoint Protection clients are up to date.
• Enforce application allow‑listing (WDAC/AppLocker) on high‑value hosts.
• Use Controlled Folder Access, Credential Guard, and other Microsoft security features as part of layered defenses.
• Patch management playbook (recommended short runbook)
• Identify all affected SKUs and builds from MSRC advisory.
• Pull KB IDs from Microsoft Update Catalog for each build.
• Stage the update on test hosts with representative software.
• Validate critical business workflows and EDR telemetry.
• Schedule phased rollout — prioritized by exposure and role.
• Monitor for post‑patch regressions; apply Known Issue Rollback if required for critical business continuity.

Note: Do not disable the Windows Defender Firewall service as a workaround — that destabilizes a broad set of platform features and is unsupported. Instead, isolate hosts via network controls if you must temporarily block exposure. (learn.microsoft.com)

---

Detection guidance and SIEM indicators​

High‑value detection points you can implement immediately:

• Event‑driven alerts
• Alert on Windows Security Event ID 4688 when a low‑privileged user’s process spawns an unexpected high‑privilege process or when command lines contain service‑control utilities (sc.exe, net.exe) used in suspicious contexts. (learn.microsoft.com)
• Alert on Windows Firewall MPSSVC rule additions/modifications (Event IDs 4946/4947) where the change did not come from Group Policy. Unexplained new “Allow All” or remote‑management rules should generate immediate investigation. (learn.microsoft.com)
• Alert on System Event ID 7036 where MpsSvc unexpectedly stops/starts more than once in a short window. Correlate these service changes with process and network events. (System logs: service state changes.)
• EDR hunts / behavioral indicators
• Monitor for token duplication or process injection patterns.
• Look for svchost hosting unusual DLL loads or abnormal memory writes in Defender‑related svchost instances.
• Search for recent privilege changes, creation of scheduled tasks by non‑admin users, or sudden Service Control Manager (SCM) activity from untrusted accounts.
• Forensics triage
• Capture volatile memory and collect EDR snapshots when a suspected exploit is observed.
• Capture a copy of the relevant event logs (Security, System, Application) and Sysmon streams if enabled.
• Preserve the suspect host for root cause analysis (avoid reimaging until data is captured).

These detection patterns are consistent with Microsoft’s guidance to monitor both system/service events and process creation artifacts; they are general detection best practices for EoP bugs in privileged services. (learn.microsoft.com)

---

Why this family of vulnerabilities keeps appearing — and what it means for defenders​

• Recurring root cause: Windows contains many long‑lived subsystems (Win32K, ICOMP, Push Notification stacks, and core services) that expose complex object marshalling and driver/IOCTL paths. Type confusion and other memory‑safety bugs (use‑after‑free, OOB writes) often arise where user‑space inputs are converted to privileged objects. Several advisories through 2025 show a cluster of similar memory‑safety CVEs across different Windows components — not necessarily the same code, but the same class of risk. (bleepingcomputer.com)
• Rapid exploitation potential: Privilege‑escalation building blocks are highly prized by attackers. When paired with a separate remote code execution or initial foothold, these EoP bugs let adversaries escalate rapidly. That makes patching and minimizing local footholds a critical defensive priority. Community and vendor write‑ups for other CVEs in 2025 show PoCs and weaponization can follow quickly for the easiest‑to‑exploit bugs.
• Operational implication: Treat local EoP CVEs as part of your incident‑response planning, even if they are not remotely exploitable by themselves. Assume chained attacks and prioritize endpoints where a malicious user can run code or where users have administrative or elevated rights. Community posts, advisory rollups and vendor feeds all recommend quick identification and remediation via standard patch‑management paths. (cisa.gov)

---

Strengths and limitations of Microsoft’s advisory and ecosystem response​

Strengths:

• Microsoft’s Security Update Guide is the authoritative registry for CVE metadata and targeted KB updates; enterprise patch systems (WSUS / MEM / SCCM) can integrate those updates directly for managed rollouts. The vendor provides the updates and often a recommended mitigation path for urgent issues. (msrc.microsoft.com)
• The Windows platform includes many built‑in controls (EDR, Tamper Protection, WDAC) that reduce exploitation impact when properly configured — these are effective complements while patches are deployed. (learn.microsoft.com)

Limitations / risks:

• Dynamic advisory UI and partial disclosure: Microsoft’s Update Guide pages are dynamic and sometimes omit exploit details. Community writes‑ups fill gaps but can be speculative; defenders must not depend solely on third‑party interpretations. Cross‑verify KB numbers and applicability via the Microsoft Update Catalog and test patches before broad deployment. (msrc.microsoft.com)
• Patching lag: In complex environments, operational constraints delay full patch rollouts. These delays leave windows of exposure where adversaries can chain attacks, especially in environments where users have local admin or where legacy services remain enabled. The pragmatic mitigation is segmentation, least privilege, and heightened monitoring while a patch window is scheduled.
• Public PoC availability: When and whether a full exploit appears in the wild is unpredictable. Past patterns show a short window from disclosure to weaponization for some classes of bugs; defenders should assume the worst case and act accordingly. Flag any public PoC as a high‑priority indicator to accelerate patch rollout and hunts.

---

Recommended checklist for Windows administrators (actionable)​

• Immediately review MSRC advisory for CVE‑2025‑54104 and identify the KB update(s) that apply to your Windows builds. Pull these into your test ring. (msrc.microsoft.com)
• Test updates on a small set of endpoints representing critical line‑of‑business apps.
• Deploy patch widely via your standard patch management system (WSUS/SCCM/Intune) with phased rollout and monitoring.
• While patching:
• Revoke local admin rights where possible.
• Harden privileged access workstations.
• Restrict remote management and RDP exposure.
• Turn on or verify logging for:
• Process creation (Event ID 4688).
• Firewall rule additions/modifications (Event IDs 4946/4947).
• Service state changes (System events for MpsSvc).
• Implement SIEM/EDR alerts correlating unexpected MpsSvc restarts with firewall rule changes and anomalous process creations.
• Maintain an incident‑response ready playbook that includes forensic capture steps (memory, EDR snapshot, event logs) should exploitation be suspected.

Commands to check critical pieces (example):

• Check firewall service status:
• Get‑Service -Name MpsSvc
• Inspect Windows update status and applied KBs:
• wmic qfe get HotFixID,Description,InstalledOn
• or use the Microsoft Update Catalog / WSUS console for KB matching.

(Always test commands in your environment before mass execution.)

---

Conclusion​

CVE‑2025‑54104 is a serious local elevation‑of‑privilege vulnerability in the Windows Defender Firewall Service caused by a type‑confusion condition. While exploitation requires local access, its potential as a post‑compromise escalation mechanism makes it high‑priority for remediation in nearly all environments. Administrators should treat Microsoft’s MSRC advisory as the authoritative starting point, extract the applicable KB updates for their builds, and accelerate testing and rollout. In parallel, harden local privileges, increase monitoring for process and firewall‑rule anomalies, and be prepared to perform rapid incident response if suspicious activity is observed. The recurring pattern of type‑confusion issues across different Windows components in 2025 underscores that memory‑safety defects remain a systemic risk — one that is best handled through fast patching, layered defenses, and vigilant detection. (msrc.microsoft.com, learn.microsoft.com)

---

Source: MSRC Security Update Guide - Microsoft Security Response Center