CVE-2025-25598
Published: 13 March 2025
Description
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code.
Security Summary
CVE-2025-25598, published on 2025-03-13, is an incorrect access control vulnerability (CWE-284) in the scheduled tasks console of Inova Logic CUSTOMER MONITOR (CM) version 3.1.757.1. The flaw allows attackers to escalate privileges by placing a crafted executable into a scheduled task. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its potential for significant impact across confidentiality, integrity, and availability.
Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). By leveraging the flawed access controls in the scheduled tasks console, they can insert a malicious executable that executes with elevated privileges upon scheduling, enabling privilege escalation and potentially full system compromise.
Mitigation details are available in the referenced advisory at https://github.com/quriusfox/vulnerability-research/tree/main/CVE-2025-25598.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Incorrect access control in the scheduled tasks console enables privilege escalation by placing crafted executables into scheduled tasks (T1068) and facilitates abuse of scheduled tasks for execution/persistence (T1053.005).