Cyber Posture

CVE-2025-2230

High

Published: 13 March 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Security Summary

CVE-2025-2230 is a vulnerability in the Windows login flow that allows an AuthContext token to be exploited for replay attacks and authentication bypass. Published on 2025-03-13, it has a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-287 (Improper Authentication).

A local attacker with low-complexity access and no privileges or user interaction required can exploit this flaw. Successful exploitation enables high-impact confidentiality and integrity violations, such as bypassing authentication via token replay to gain unauthorized access during the login process.

Mitigation details are available in advisories from CISA (ICSMA-25-072-01) and Philips security bulletins.

Details

CWE(s): CWE-287 (Improper Authentication)

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1550.001 Application Access Token (tactic: Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Why these techniques?

The vulnerability enables replay attacks on AuthContext tokens for authentication bypass in the Windows login flow, which maps directly to T1550.001 (use of application access tokens to bypass authentication) and to T1068 (exploitation of the local vulnerability for privilege escalation, given that no privileges are required and the confidentiality and integrity impact is high).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
