Severity
High
Analysis Summary
Three Windows Defender Firewall elevation-of-privilege flaws and a fourth related service EoP (tracked as CVE-2025-54104, CVE-2025-54109, CVE-2025-54915 and CVE-2025-53808) were fixed in Microsoft’s September 9, 2025 security updates. Microsoft rates all four as Important and describes them as local elevation-of-privilege vulnerabilities that could let an authenticated, low-privileged user gain higher service-level rights on an affected host.
Three of the issues (CVE-2025-54104, CVE-2025-54109, CVE-2025-54915) are caused by a type-confusion bug in the Windows Defender Firewall service: a memory-safety problem in which the service misinterprets an object’s type, enabling unexpected behavior that an authorized local user could abuse. The fourth (CVE-2025-53808) is also an elevation of privilege in the same service, but Microsoft’s advisory does not label it a type-confusion error. Technical databases and vendor pages list these as CWE-843 (type confusion), with the same general attack class and impact.
Exploitation requires significant preconditions: the attacker must already have an authenticated account on the target machine, and that account must belong to a specific, restricted user group, which is reflected in the CVSS Privileges Required metric (PR:H). If exploited successfully, an attacker can escalate from a Medium integrity level to the Local Service account; that is not full SYSTEM/administrator control, but it still permits broad access to system resources and the ability to persist or stage further compromise. Microsoft reported that none of these vulnerabilities were publicly disclosed or observed in active exploitation at the time of release.
Microsoft’s exploitability assessments label three (CVE-2025-53808, CVE-2025-54104, CVE-2025-54109) as “Exploitation Less Likely” and CVE-2025-54915 as “Exploitation Unlikely,” largely because of the high privilege and local access requirements. Nevertheless, the fixes were included in the September 2025 Patch Tuesday set, and administrators should apply the supplied security updates promptly across affected Windows versions to remove the attack vector; the standard mitigation is to install Microsoft’s updates rather than rely on workarounds.
Impact
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
CVE-2025-53808
CVE-2025-54104
CVE-2025-54109
CVE-2025-54915
Affected Vendors
Remediation
- Apply Microsoft’s September 2025 Security Updates for CVE-2025-53808, CVE-2025-54104, CVE-2025-54109, and CVE-2025-54915 across all affected Windows versions.
- Ensure Windows Defender Firewall service is patched and enforce endpoint compliance checks.
- Review and minimize membership in the restricted user group required for exploitation to reduce exposure.
- Enable event logging and SIEM alerts to detect unusual activity or privilege escalation attempts.
- Enforce least-privilege access by limiting user account rights and avoiding unnecessary Local Service–level permissions.
- Run vulnerability scans and confirm the firewall service version matches patched releases after updates are deployed.
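The remediation list above can be verified on a host with a script like the one below. It is an added example written for this page, not a tool supplied by Microsoft or the advisory. The KB number, the patched mpssvc.dll file version and the name of the restricted user group are placeholders, because the advisory does not state them; take the real values from Microsoft’s September 2025 update guidance for the OS build in question. The service name MpsSvc, the binary mpssvc.dll, and the Get-HotFix, Get-Service, Get-LocalGroupMember and auditpol commands are standard Windows/PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example: post-patch compliance check for the September 2025 Windows Defender Firewall
# EoP fixes (CVE-2025-53808, CVE-2025-54104, CVE-2025-54109, CVE-2025-54915).
# The three parameter defaults are PLACEHOLDERS: fill them from Microsoft's advisory for this build.
param(
    [string]$RequiredKb            = 'KB0000000',        # placeholder: September 2025 update KB for this OS build
    [version]$PatchedMpssvcVersion = '10.0.0.0',         # placeholder: mpssvc.dll version in the patched release
    [string]$RestrictedGroup       = 'RESTRICTED_GROUP'  # placeholder: local group whose membership exploitation requires
)

$findings = [System.Collections.Generic.List[pscustomobject]]::new()
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# 1. Is the required security update installed? Get-HotFix reads the local installed-update inventory.
$hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
Add-Finding 'Security update installed' ($null -ne $hotfix) $(
    if ($hotfix) { "$RequiredKb installed on $($hotfix.InstalledOn)" } else { "$RequiredKb not found" })

# 2. Does the firewall service binary match (or exceed) the patched version? The version is read from the
#    PE resource of mpssvc.dll, so it reflects the file actually on disk rather than the update catalog.
$dll = Join-Path $env:SystemRoot 'System32\mpssvc.dll'
$vi  = (Get-Item $dll).VersionInfo
$installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
Add-Finding 'Firewall service binary version' ($installed -ge $PatchedMpssvcVersion) `
    "mpssvc.dll is $installed (expected >= $PatchedMpssvcVersion)"

# 3. Is the Windows Defender Firewall service (MpsSvc) present and running? A stopped service means the
#    host is outside its expected baseline and should be investigated separately from the patch question.
$svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
Add-Finding 'Firewall service running' ([bool]$svc -and $svc.Status -eq 'Running') "MpsSvc status: $($svc.Status)"

# 4. Who is in the group that exploitation requires? Each member is a low-privileged account that satisfies
#    the PR:H precondition, so the list should be reviewed and trimmed to what is operationally needed.
try {
    $members = @(Get-LocalGroupMember -Group $RestrictedGroup -ErrorAction Stop)
    Add-Finding 'Restricted group membership minimized' ($members.Count -eq 0) `
        ("Members: " + $(if ($members) { $members.Name -join ', ' } else { '(none)' }))
} catch {
    Add-Finding 'Restricted group membership minimized' $true "Group '$RestrictedGroup' not present on this host"
}

# 5. Is "Special Logon" auditing enabled? Security event ID 4672 (special privileges assigned to a new logon)
#    is the record a SIEM correlates when a session acquires service-level rights such as Local Service.
$auditLine = [string](auditpol /get /subcategory:"Special Logon" 2>$null |
    Select-String 'Special Logon' | Select-Object -First 1)
Add-Finding 'Special Logon auditing enabled' ($auditLine -match 'Success') ("auditpol: " + $auditLine.Trim())

$findings | Format-Table -AutoSize
$failed = @($findings | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed check(s) failed."
exit $failed
```

The script exits with the number of failed checks, so it can be run from an endpoint-compliance or configuration-management job and treated as non-compliant on any non-zero exit code. Because it reads file versions from disk rather than trusting the update inventory alone, it also catches the case where an update shows as installed but a reboot has not yet replaced the running firewall service binary.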