CVE-2025-27743: Microsoft System Center Elevation of Privilege Vulnerability

Overview

Severity: High (CVSS 7.8)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-Apr
Released: 2025-04-08
EPSS Score: 1.12% (percentile: 78.2%)

Description

Untrusted search path in System Center allows an authorized attacker to elevate privileges locally.

FAQ

What Microsoft System Center products are affected by this vulnerability?

This vulnerability affects the following products under the Microsoft System Center:

  • System Center Operations Manager
  • System Center Service Manager
  • System Center Orchestrator
  • System Center Data Protection Manager
  • System Center Virtual Machine Manager

For more information about these products, see the System Center documentation.

Will the product version change with the new installation media?

No. The RTM version of all System Center products remains unchanged. There's no change in the product version.

What existing System Center deployments are affected by this vulnerability?

There are no existing System Center deployments impacted by this vulnerability. However, it is recommended that users delete the existing installer setup files (.exe) and then download the latest version of their System Center product (.ZIP) found in the following table.

Product                                     Download
System Center Virtual Machine Manager 2022  https://go.microsoft.com/fwlink/p/?LinkID=2195845
System Center Virtual Machine Manager 2019  https://go.microsoft.com/fwlink/p/?LinkID=2195725
System Center Virtual Machine Manager 2025  https://go.microsoft.com/fwlink/?linkid=2292412
System Center Data Protection Manager 2025  https://go.microsoft.com/fwlink/?linkid=2292311
System Center Data Protection Manager 2022  https://go.microsoft.com/fwlink/p/?LinkID=2195847
System Center Data Protection Manager 2019  https://go.microsoft.com/fwlink/p/?LinkID=2195851
System Center Orchestrator 2019             https://go.microsoft.com/fwlink/p/?LinkID=2195848
System Center Orchestrator 2022             https://go.microsoft.com/fwlink/p/?LinkID=2195531
System Center Orchestrator 2025             https://go.microsoft.com/fwlink/?linkid=2292411
System Center Service Manager 2019          https://go.microsoft.com/fwlink/p/?LinkID=2195849
System Center Service Manager 2022          https://go.microsoft.com/fwlink/p/?LinkID=2195846
System Center Service Manager 2025          https://go.microsoft.com/f

Affected Products (15)

System Center

  • System Center Virtual Machine Manager 2022
  • System Center Virtual Machine Manager 2019
  • System Center Virtual Machine Manager 2025
  • System Center Data Protection Manager 2025
  • System Center Data Protection Manager 2022
  • System Center Data Protection Manager 2019
  • System Center Orchestrator 2019
  • System Center Orchestrator 2022
  • System Center Orchestrator 2025
  • System Center Service Manager 2019
  • System Center Service Manager 2022
  • System Center Service Manager 2025
  • System Center Operations Manager 2019
  • System Center Operations Manager 2022
  • System Center Operations Manager 2025

Acknowledgments

Sandro Poppi (https://medium.com/@spoppi)

Revision History

  • 2025-04-08: Information published.