CVE-2025-27743

FAQ

What Microsoft System Center Products are affected by this vulnerability?

This vulnerability affects the following products under the Microsoft System Center:

• System Center Operations Manager
• System Center Service Manager
• System Center Orchestrator
• System Center Data protection Manager
• System Center Virtual Machine Manager

For more information about these products see System Center documentation.

Will the product version change with the new installation media?

No. The RTM version of all System Center products remain unchanged. There's no change in the product version.

What existing System Center deployments are affected by this vulnerability?

There are no existing System Center deployments impacted by this vulnerability. However, it is recommended that users delete the existing installer setup files (.exe) and then download the latest version of their System Center product (.ZIP) found in the table below.

What actions do customers need to take to protect themselves from this vulnerability?

Only customers who re-use existing System Center installer files (.exe) files to deploy new instances in their environment are affected by this vulnerability. Customers performing installations in this manner must delete the existing installer setup files (.exe) and then download the latest version of their System Center product linked in the following table.

Customers who download new versions of the setup files (.ZIP) for new deployments are not affected and do not need to perform any action to mitigate the vulnerability.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

According to the CVSS metric, the attack vector is local (AV:L). What does this mean for this vulnerability?

To successfully exploit this vulnerability, an attacker must have access to the device to access the System Center Windows installer packages and then utilize DLL hijacking.

According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to have access to the location where the target file will be run. They would then need to plant a specific file that would be used as part of the exploitation.