CVE-2025-33069: Windows App Control for Business Security Feature Bypass Vulnerability

Overview

Severity

Medium (CVSS 5.1)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C

Category

Security Feature Bypass

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2025-Jun

Released

2025-06-10

Last Updated

2025-07-09

EPSS Score

0.65% (percentile: 70.7%)

Description

Improper verification of cryptographic signature in App Control for Business (WDAC) allows an unauthorized attacker to bypass a security feature locally.

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker can spoof the signature to get it to bypass App Control policy. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L), and integrity (I:L) but lead to no loss of availability (A:N). What is the impact of this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), make changes to disclosed information (Integrity), but cannot limit access to the resource (Availability).

Affected Products (4)

Windows

• Windows Server 2025 (Server Core installation)
• Windows 11 Version 24H2 for ARM64-based Systems
• Windows 11 Version 24H2 for x64-based Systems
• Windows Server 2025

Security Updates (2)

• 5060842
• 5060841

Acknowledgments

Christopher Whipp with Services Australia, <a href="https://www.linkedin.com/in/mingda-li-470b7b90">Mingda Li</a> with <a href="https://www.dow.com/en-us">Dow</a>

Revision History

• 2025-06-10: Information published.
• 2025-07-09: Added acknowledgements. This is an informational change only.