Cyber Posture

CVE-2025-22890

High

Published: 06 February 2025

Modified: 04 February 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Execution with unnecessary privileges issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. If an attacker performs a specific operation, SYSTEM privilege of the Windows system where the product is running may be obtained.

Security Summary

CVE-2025-22890 is an execution with unnecessary privileges vulnerability, classified under CWE-250, affecting Defense Platform Home Edition versions 3.9.51.x and earlier. The issue resides in the product as it runs on Windows systems, where it allows escalation beyond intended privilege levels. The vulnerability was published on 2025-02-06 and carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). The vector describes a local attack with low complexity that needs only low privileges and no user interaction, with a changed scope and high impact on confidentiality, integrity, and availability.

A local attacker with low privileges can exploit the vulnerability by performing a specific operation, requiring no user interaction. Successful exploitation grants the attacker SYSTEM privileges on the Windows host where the product is installed, enabling high-impact compromise of confidentiality, integrity, and availability with a scope change to the system.

Advisories providing further details, including potential mitigations and patches, are available at https://jvn.jp/en/jp/JVN66673020/ and https://www.hummingheads.co.jp/dep/storelist/.

Details

CWE(s)
CWE-250

Affected Products

Vendor: hummingheads
Product: defense platform
Affected versions: ≤ 3.9.51.0

References