A significant security flaw in Windows 11, identified as CVE-2025-24076, has been discovered, enabling attackers to escalate their privileges from a standard user to a system administrator in a mere 300 milliseconds. This vulnerability exploits the Mobile devices feature through a sophisticated DLL hijacking technique, posing a substantial risk to system security.
Discovery and Disclosure
The vulnerability was first identified in September 2024 and publicly disclosed on April 15, 2025. It specifically targets a DLL file associated with Windows 11’s camera functionality. Researchers found that the file `CrossDevice.Streaming.Source.dll`, located in the user-modifiable `%PROGRAMDATA%\CrossDevice\` directory, is loaded initially by a regular user process and subsequently by a high-privileged system process.
Technical Details
This security flaw represents a classic DLL hijacking scenario with a challenging timing element. The window of opportunity for exploitation is incredibly narrow—just 300 milliseconds. To overcome this, researchers employed Opportunistic Locks to halt program execution at the precise moment needed. Utilizing Microsoft’s Detours library, they intercepted Windows API calls, specifically targeting `GetFileVersionInfoExW`, to identify when the file could be replaced reliably.
The researchers created a malicious DLL that maintains the expected functionality while adding unauthorized commands. This code executes with SYSTEM privileges when loaded by the high-privileged process. To ensure the replaced DLL maintained functionality, researchers implemented a proxy that forwards function calls to the original DLL.
Mitigation Measures
The vulnerability affects Windows 11 systems with the Mobile devices feature, which allows users to link their phones to use the phone’s camera as a webcam. Microsoft released a patch in their March 2025 security updates to address this issue.
This discovery underscores the importance of tight file access controls and signature verification in privileged processes. Endpoint Detection and Response (EDR) solutions can detect such attacks through behavioral monitoring, even before patches are available.
Microsoft has assigned CVE-2025-24076 to the primary system-level privilege escalation and CVE-2025-24994 to a related user-to-user attack vector within the same functionality. Users are strongly encouraged to apply the latest Windows security updates to mitigate these vulnerabilities.
This exploit demonstrates how even modern operating systems can be vulnerable to long-established attack techniques when implemented in new features, especially when skilled attackers leverage timing and race conditions.
