It's a blog post I should have published months ago, but here we finally are.

"CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP"

Credit goes to t0zhang (on X) for the discovery.

👉 https://itm4n.github.io/cve-2025-59201-ncsi-eop/

I'd like to write more of those but it's so time-consuming. 😔

#cve #windows

CVE-2025-59201 - Network Connection Status Indicator (NCSI) EoP

It’s been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the “Network Connection Status Indicator”.

itm4n’s blog
@itm4n I tried to exploit it but I'm stuck at the last step, I don't see how it is possible to do code execution by putting a 1..\..\C:foo.dll in HKLM\SYSTEM\CurrentControlSet\Services\TPM\WMI
@CravateRouge Yes, I know, me neither. As I wrote at the end of the blog post, I didn't go any further than that.
@itm4n I guess he has another trick under his sleeves that he doesn't want to reveal to the world 🥲