CVE-2025-24994: 
vulnerability analysis and mitigation

Improper access control in Windows Cross Device Service allows an authorized attacker to elevate privileges locally. This vulnerability (CVE-2025-24994) was disclosed on March 11, 2025, affecting various versions of Windows 11, including version 22H2, 22H3, 23H2, and 24H2 (NVD, MITRE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H. The attack vector is Local (AV:L), with Low attack complexity (AC:L), requiring Low privileges (PR:L) and User interaction (UI:R). The scope is Unchanged (S:U), with High impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H). The vulnerability is classified under CWE-284 (Improper Access Control) (NVD).

The vulnerability has high severity implications for system security, potentially allowing an authorized attacker to elevate their privileges on the local system. This could lead to complete compromise of system confidentiality, integrity, and availability (AttackerKB).

Microsoft has released security updates to address this vulnerability. Affected systems include Windows 11 version 22H2 (10.0.22621.5039), Windows 11 version 22H3 (10.0.22631.5039), Windows 11 Version 23H2 (10.0.22631.5039), and Windows 11 Version 24H2 (10.0.26100.3476) (AttackerKB).