Critical Security Flaw in Windows App Control Bypassed by Attackers

A recently disclosed vulnerability, CVE-2025-33069, in Windows App Control for Business (WDAC) allows attackers with local access to bypass critical security features, potentially leading to unauthorized application execution and system compromise. Microsoft has released a patch for this medium-severity flaw as part of its June 2025 security updates.

Windows App Control for Business, formerly known as Windows Defender Application Control (WDAC), is a cornerstone of enterprise security in the Windows ecosystem. It provides granular control over which applications and drivers are permitted to run on a system, operating on a principle of application whitelisting to significantly reduce the attack surface. By ensuring only trusted and approved software can execute, WDAC is a crucial defense against malware and unauthorized code.

The Vulnerability: CVE-2025-33069

The security of WDAC relies heavily on the proper verification of cryptographic signatures to validate the authenticity and integrity of applications. However, CVE-2025-33069 exposes a weakness in this process. The vulnerability is categorized as an "Improper Verification of Cryptographic Signature" (CWE-347), which allows an attacker to circumvent WDAC's enforcement.

An attacker who has already gained local access to a target system can exploit this flaw. While the attack complexity is considered low, the requirement for local access means the initial breach must be achieved through other means. Upon successful exploitation, an attacker can bypass the security policies enforced by App Control, which could permit the execution of malicious or unauthorized software.

The vulnerability has been assigned a CVSS v3.1 base score of 5.1, classifying it as a medium-severity threat. The vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N indicates a local attack vector, low attack complexity, no privileges required, and no user interaction needed for exploitation.

Impact of the Bypass

A successful exploit of CVE-2025-33069 could have significant consequences for an organization's security posture. By bypassing WDAC, an attacker could:

  • Execute unauthorized applications: This could include malware, ransomware, or other malicious tools that would otherwise be blocked.
  • Evade security controls: The bypass undermines the very purpose of application whitelisting, rendering a key defensive layer ineffective.
  • Elevate privileges: While the vulnerability itself doesn't directly grant elevated privileges, the ability to run arbitrary code could be a stepping stone to further system compromise and privilege escalation.

Mitigation and the June 2025 Security Updates

Microsoft has addressed this vulnerability in its June 2025 security updates. System administrators are strongly urged to apply these patches to all affected systems to mitigate the risk. The updates are available through the Microsoft Update Catalog and are included in the cumulative updates for Windows 10 and Windows 11.

In addition to applying the patch, organizations are advised to:

  • Ensure their Windows App Control for Business policies are current.
  • Monitor systems for any signs of unauthorized application execution.
  • Implement complementary application whitelisting controls.
  • Restrict local administrator privileges to minimize the potential impact of any local exploit.

The June 2025 security update from Microsoft was substantial, addressing a total of 66 vulnerabilities. These included fixes for one actively exploited zero-day vulnerability and nine critical vulnerabilities, spanning remote code execution, information disclosure, and elevation of privilege flaws. This broader context underscores the importance of timely patch management to defend against a constantly evolving threat landscape.