Product: CyberArk Endpoint Privilege Manager
Affected Version: ≤ 25.10.0
Vulnerability Type: Local Privilege Escalation
Impact: Administrative / SYSTEM-level access
CVSS v3.1 Score: 7.8 (High)
Attack Vector: Local
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Exploitability: High (local exploitation with low complexity)
Exploit Availability: No public exploit code observed at the time of writing; exploitation has been demonstrated in controlled testing (see Proof of Concept below)
Vulnerability Description
A local privilege escalation vulnerability exists in CyberArk Endpoint Privilege Manager (EPM) because the EPM agent does not correctly enforce its elevation logic. In affected versions, requests to run administrative tasks can pass validation when they should not, so a local user who is not an administrator can have a process started with elevated privileges.
The weakness lies in how the agent evaluates policy-based elevation requests: certain execution paths treat a user-initiated action as an authorized administrative task, and the resulting process runs elevated even though the requesting user is not a member of the local Administrators group.
Root Cause Analysis
- Insufficient validation of elevation context during administrative task execution
- Trust placed in user-controllable execution flows during policy evaluation
- Elevated access tokens of processes spawned through the agent are not adequately restricted from being inherited by child processes
These conditions together enable a standard user to trigger privileged execution through the EPM agent.
Attack Scenario
- A local user with standard (non-admin) privileges accesses an endpoint protected by CyberArk EPM.
- An administrative task or policy-controlled action is invoked through the EPM agent.
- The agent improperly authorizes the request due to flawed elevation logic.
- A new process is spawned with elevated privileges (Administrator or SYSTEM).
- The attacker gains full control of the endpoint and performs post-exploitation activities.
Impact
- Full compromise of the affected endpoint
- Bypass of enterprise privilege management controls
- Unauthorized system configuration changes
- Installation of malicious software or persistence mechanisms
- Credential theft and potential lateral movement
MITRE ATT&CK Mapping
- TA0004 – Privilege Escalation
- T1068 – Exploitation for Privilege Escalation
- T1548 – Abuse Elevation Control Mechanism
- T1053 – Scheduled Task/Job (post-exploitation persistence)
- T1055 – Process Injection (optional post-exploitation technique)
Proof of Concept (Educational)
No public proof-of-concept exploit code is currently available. However, controlled testing has demonstrated that exploitation is achievable by:
- Triggering EPM-controlled administrative actions from a standard user context
- Abusing misvalidated policy rules to force elevated execution
- Leveraging inherited elevated access tokens from spawned processes
These techniques must only be used in authorized laboratory environments for defensive validation and research purposes.
Detection and Monitoring
Relevant Log Sources
- Windows Security Event Logs
- Windows System Event Logs
- CyberArk EPM Agent Logs (endpoint)
- CyberArk EPM Server / Console Audit Logs
- EDR / XDR Process Telemetry
- Sysmon (if deployed)
Detection Rules and Queries
1. Elevated Process Spawned from a Standard-User Session
Source: Sysmon Event ID 1, which carries an IntegrityLevel field (Security Event 4688 does not record integrity level).
SELECT *
FROM ProcessCreation
WHERE ProcessIntegrityLevel IN ('High', 'System')
AND InitiatingUser NOT IN ApprovedAdminUsers
AND InitiatingUser NOT IN ('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
ApprovedAdminUsers is a maintained allow-list of accounts expected to run elevated. Matching only the literal account name 'Administrator' misses renamed and domain administrator accounts.
2. Unauthorized Modification of Local Administrators Group
EventID = 4732
AND TargetSid = 'S-1-5-32-544'
AND SubjectUserName NOT IN ApprovedAdminUsers
4732 is logged when a member is added to a security-enabled local group; match the well-known SID of BUILTIN\Administrators rather than the display name, which can be localized or renamed. Extend with Event ID 4728 and the relevant group SIDs if domain-level groups are in scope.
3. Suspicious EPM Elevation Events
SELECT *
FROM EPM_AuditLogs
WHERE ElevationResult = 'Approved'
AND (RequestingUser, Application) NOT IN ExpectedElevationPolicy
EPM's normal function is to approve policy-driven elevation for standard users, so a filter of the form "RequestingUser is not an administrator" fires on every legitimate elevation. Baseline the (user, application, policy) combinations the policy is expected to approve and alert on approvals outside that set, on approvals of interactive shells or script hosts, and on unusual approval volume per user.
4. Scheduled Task Creation by Non-Privileged User
EventID = 4698
AND SubjectUserName NOT IN ApprovedAdminUsers
AND SubjectUserName NOT IN ('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
4698 requires the "Audit Other Object Access Events" subcategory. A standard user may legitimately create tasks for their own account, so inspect the event's Task Content XML and prioritise tasks whose principal is another account or whose RunLevel is HighestAvailable.
5. New Service Installation from User Context
EventID = 7045
AND InstallingUser NOT IN ApprovedAdminUsers
AND InstallingUser NOT IN ('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
7045 is written to the System log; the installing user is the UserID in the event's System section, while the Service Account field is the identity the new service runs as. Do not exclude LocalSystem from the Service Account: a service installed to run as LocalSystem from a standard-user session is exactly the case this rule should catch. The Security-log equivalent is Event ID 4697 when "Audit Security System Extension" is enabled.
Indicators of Compromise
- Administrator or SYSTEM-level processes originating from standard user sessions
- Unexpected local administrator group membership changes
- Creation of new services or scheduled tasks without approved change records
- EPM elevation approvals occurring outside normal operational workflows
- Post-elevation execution of credential access or system-modifying utilities
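The detection rules above and the indicators in this list can be checked with one piece of logic run over flattened event records. The following is an added example written for this page; it is not code from the advisory or from CyberArk. It assumes events arrive as dicts the way a SIEM would store them, that EPM audit records expose RequestingUser, Application and ElevationResult (field names taken from the pseudo-queries above, not from CyberArk's documented schema), and that the allow-lists and the sample telemetry are constructed for the example.

```python
"""Rules 1-5 from the advisory as functions over flattened event dicts.

Assumptions (constructed for this example): field names for Sysmon,
Security, System and EPM records; the allow-lists below; the sample events.
"""

# Well-known SID of BUILTIN\Administrators; matching the SID avoids
# localized or renamed group names.
BUILTIN_ADMINS_SID = "S-1-5-32-544"

# Sysmon Event ID 1 IntegrityLevel values that denote an elevated process.
ELEVATED_INTEGRITY = {"High", "System"}

# Built-in service identities that always run elevated (not suspicious).
SERVICE_ACCOUNTS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\LOCAL SERVICE",
    "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed allow-lists (assumption): users permitted to run elevated, and
# (user, application) pairs that EPM policy is expected to approve.
APPROVED_ADMINS = {"CORP\\itadmin"}
EXPECTED_EPM_ELEVATIONS = {("CORP\\jdoe", "C:\\Program Files\\Vendor\\Updater.exe")}


def is_expected_elevated(user):
    """True for accounts whose elevated activity is not in itself suspicious."""
    return user in SERVICE_ACCOUNTS or user in APPROVED_ADMINS


def rule1_elevated_process_from_standard_user(events):
    """Sysmon EID 1 with High/System integrity under a non-approved user."""
    return [e for e in events
            if e.get("source") == "Sysmon" and e.get("EventID") == 1
            and e.get("IntegrityLevel") in ELEVATED_INTEGRITY
            and not is_expected_elevated(e.get("User"))]


def rule2_admin_group_change(events):
    """Security 4732: member added to BUILTIN\\Administrators by a
    subject outside the approved admin set."""
    return [e for e in events
            if e.get("source") == "Security" and e.get("EventID") == 4732
            and e.get("TargetSid") == BUILTIN_ADMINS_SID
            and e.get("SubjectUserName") not in APPROVED_ADMINS]


def rule3_epm_elevation_outside_policy(events):
    """EPM approval whose (user, application) pair is not an expected
    policy-driven elevation. EPM legitimately elevates standard users, so
    'user is not an admin' alone would fire on every normal approval."""
    return [e for e in events
            if e.get("source") == "EPM" and e.get("ElevationResult") == "Approved"
            and (e.get("RequestingUser"), e.get("Application"))
            not in EXPECTED_EPM_ELEVATIONS]


def rule4_scheduled_task_by_standard_user(events):
    """Security 4698 (task created) with a non-approved subject account."""
    return [e for e in events
            if e.get("source") == "Security" and e.get("EventID") == 4698
            and not is_expected_elevated(e.get("SubjectUserName"))]


def rule5_service_install_from_user_context(events):
    """System 7045 (service installed) initiated by a non-approved user.
    ServiceAccount (often LocalSystem) is kept for triage but never used
    to filter: a LocalSystem service installed from a user session is
    exactly the case of interest."""
    return [e for e in events
            if e.get("source") == "System" and e.get("EventID") == 7045
            and not is_expected_elevated(e.get("InstallingUser"))]


RULES = {
    "rule1": rule1_elevated_process_from_standard_user,
    "rule2": rule2_admin_group_change,
    "rule3": rule3_epm_elevation_outside_policy,
    "rule4": rule4_scheduled_task_by_standard_user,
    "rule5": rule5_service_install_from_user_context,
}


def run_all(events):
    """Apply every rule; returns {rule_name: [matching events]}."""
    return {name: rule(events) for name, rule in RULES.items()}


# Constructed sample telemetry: benign records plus one hit per rule.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "EventID": 1, "User": "CORP\\itadmin", "IntegrityLevel": "High", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "Sysmon", "EventID": 1, "User": "CORP\\jdoe", "IntegrityLevel": "Medium", "Image": "C:\\Windows\\explorer.exe"},
    {"source": "Sysmon", "EventID": 1, "User": "CORP\\jdoe", "IntegrityLevel": "High", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "Security", "EventID": 4732, "SubjectUserName": "CORP\\jdoe", "TargetSid": BUILTIN_ADMINS_SID, "MemberName": "CORP\\jdoe"},
    {"source": "Security", "EventID": 4732, "SubjectUserName": "CORP\\itadmin", "TargetSid": "S-1-5-32-555", "MemberName": "CORP\\helpdesk"},
    {"source": "EPM", "ElevationResult": "Approved", "RequestingUser": "CORP\\jdoe", "Application": "C:\\Program Files\\Vendor\\Updater.exe"},
    {"source": "EPM", "ElevationResult": "Approved", "RequestingUser": "CORP\\jdoe", "Application": "C:\\Windows\\System32\\cmd.exe"},
    {"source": "Security", "EventID": 4698, "SubjectUserName": "CORP\\jdoe", "TaskName": "\\Updater"},
    {"source": "System", "EventID": 7045, "InstallingUser": "CORP\\jdoe", "ServiceName": "helper", "ServiceAccount": "LocalSystem"},
    {"source": "System", "EventID": 7045, "InstallingUser": "NT AUTHORITY\\SYSTEM", "ServiceName": "WinDefend", "ServiceAccount": "LocalSystem"},
]

if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(name, len(hits), hits)
```

Each rule keeps the allow-list comparison in one place (is_expected_elevated), so renamed administrator accounts are handled by maintaining APPROVED_ADMINS rather than by editing every rule; rule 3 deliberately compares the (user, application) pair against expected policy outcomes, since every legitimate EPM elevation is by design an approval for a non-administrator.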
Mitigation and Remediation
Official Patch / Upgrade
Upgrade all affected systems to a fixed release of CyberArk EPM and verify the deployed agent version after the upgrade. The vendor release notes linked below (the 25.12 "What's New" page) describe the release that follows the affected versions.
Official Patch / Upgrade Link:
https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-whatsnew25-12.htm
Additional Hardening Recommendations
- Enforce strict Just-In-Time (JIT) elevation policies
- Limit local administrative access across endpoints
- Enable full audit logging on EPM agents and management servers
- Correlate EPM logs with Windows and EDR telemetry
- Conduct proactive threat hunting for historical privilege escalation attempts
Final Takeaway
Failure to remediate this vulnerability allows any authenticated local user to bypass endpoint privilege controls and obtain full administrative access. This significantly increases the likelihood of endpoint compromise, persistence, and broader enterprise impact.
