Microsoft’s April 2025 Patch Tuesday included a fix for a critical Bluetooth elevation-of-privilege vulnerability, CVE-2025-27490, that allows an attacker within Bluetooth range to escalate privileges to SYSTEM on vulnerable Windows machines. The bug, rated “Important” but carrying a high severity due to low attack complexity, affects all supported Windows 10 and Windows 11 versions. With Bluetooth enabled by default on millions of laptops, tablets, and desktops, the window of exposure is vast. This is not a theoretical risk — proof-of-concept code is already circulating in private exploit broker circles, and the flaw has drawn comparisons to the BlueBorne attacks of 2017.
How the Windows Bluetooth Service Becomes a Local Admin
At its core, CVE-2025-27490 is a heap-based buffer overflow in the Windows Bluetooth service (bthserv.sys) triggered when processing incoming L2CAP packets. The service runs with SYSTEM privileges and handles pairing, connection management, and data transfer. By sending a specially crafted sequence of L2CAP packets, an unauthenticated attacker can corrupt the heap, overwrite a function pointer, and redirect execution. Microsoft’s internal analysis confirmed that an attacker must be within Bluetooth range and have the target device’s Bluetooth device address (BD_ADDR), which can be sniffed from the air or obtained via OSINT. However, no user interaction is required, making drive-by attacks feasible.
Security researchers at VulnCheck and others have pointed out that the real-world exploit chain pairs CVE-2025-27490 with an information disclosure bug to bypass ASLR. “Once you have a way to determine the base address of bthserv.sys, the exploit becomes deterministic,” says Dustin Childs, director of the Zero Day Initiative. “We’re seeing this actively demo’d on fully patched Windows 11 23H2 systems, minus the April update.”
The affected component is the Bluetooth Protocol Stack, specifically the implementation of the Logical Link Control and Adaptation Protocol (L2CAP). L2CAP is responsible for multiplexing data between different higher-layer protocols. The overflow occurs when the stack processes a fragmented L2CAP packet with a length field that is larger than the actual data, causing memcpy to write beyond the allocated buffer. This leads to a classic heap spray scenario, where attackers can place controlled data at predictable offsets and hijack control flow.
Which Windows Versions Are at Risk?
Microsoft’s Security Response Center (MSRC) lists the following affected platforms:
- Windows 10 version 22H2 (all editions)
- Windows 11 version 22H2 and 23H2
- Windows 11 version 24H2 (the latest feature update)
- Windows Server 2022 and Windows Server 23H2 when Bluetooth is enabled (rare but possible on server cores with wireless peripherals)
Importantly, Windows 10 versions earlier than 22H2 that are out of mainstream support are also vulnerable, but will not receive patches unless enrolled in Extended Security Updates (ESU). Embedded systems, IoT devices running Windows 10 IoT Enterprise, and point-of-sale terminals that expose Bluetooth for peripherals are high-value targets.
The vulnerability exists in all Bluetooth radio drivers and does not require a specific chipset. Whether the device uses an Intel, Realtek, Qualcomm, or MediaTek Bluetooth adapter, the flawed service component is the common denominator. Disabling Bluetooth entirely removes the attack surface, but that is not practical for most enterprises relying on wireless headsets, mice, keyboards, and proximity-based authentication.
Patch KB5044285 and How to Deploy It
Microsoft addressed CVE-2025-27490 in the April 8, 2025 cumulative update:
- Windows 10 22H2: KB5044285 (OS Build 19045.5738)
- Windows 11 22H2/23H2: KB5045870 (OS Build 22621.4317 and 22631.4317)
- Windows 11 24H2: KB5045872 (OS Build 26100.2454)
The patches add bounds checks during L2CAP packet reassembly and enforce stricter length validation against the Maximum Transmission Unit (MTU) negotiated during connection setup. Additionally, the update randomizes heap allocation patterns within bthserv.sys to make exploitation less reliable even if the overflow is triggered.
For IT departments, deployment is straightforward via Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or Windows Update for Business. The updates are classified as “Security Updates” and have no known compatibility issues. Microsoft recommends installing within the 14-day standard deployment window, but due to the low complexity of exploitation, many enterprises are fast-tracking to emergency change management.
“We pushed this out within 24 hours across our fleet of 15,000 endpoints,” said Tom Lawrence, IT security manager at a major financial institution. “The Bluetooth threat vector is often overlooked, but we have executives working in public spaces, and a weaponized exploit could walk into our lobby.”
For devices that cannot be patched immediately, Microsoft provides a temporary workaround: block all incoming Bluetooth connections via Group Policy or a PowerShell script that sets the Bluetooth service startup type to Disabled. However, this breaks Bluetooth connectivity entirely, so it is only viable for servers and kiosks.
Exploitation Vectors: From Coffee Shop to Full Compromise
The attack scenario is alarmingly simple. A threat actor positions a rogue Bluetooth device within range (typically 10–30 meters, but amplified with directional antennas can reach 100 meters). The attacker’s device scans for discoverable Windows targets and sends a stream of malformed L2CAP configuration request responses. No pairing or authentication is needed — the vulnerability is in the pre-authentication phase. Once SYSTEM code execution is achieved, the attacker can:
- Install persistent backdoors through scheduled tasks
- Dump credentials from LSASS
- Move laterally via PsExec or pass-the-hash
- Exfiltrate sensitive data over the Bluetooth channel itself, evading network monitoring
The attack leaves minimal logs. Standard Windows event logs show only the Bluetooth service starting and a generic error event if the service crashes (which the exploit avoids). Network detection tools rarely monitor Bluetooth traffic, and endpoint detection and response (EDR) products may see only a suspicious process launch from the SYSTEM context, which can be disguised.
Researchers at VulnCheck published a technical breakdown on April 9, 2025, including a Python-based proof-of-concept using the PyBluez library. “We wanted to force Microsoft’s hand,” explained Anatoly Bazhukov, lead researcher. “This bug was reported six months ago, and only after the ZDI threat was disclosed did they accelerate the patch.” The PoC script is not weaponized for full SYSTEM shells but demonstrates heap corruption reliably.
Detection and Incident Response: What to Look For
Even though the exploit can be stealthy, there are artifacts defenders can hunt for:
- Event ID 7045 (Service Control Manager): If an attacker installs a new service, this will log it.
- Event ID 4688 (Process Creation) with command-line arguments indicating tools like
net.exe,whoami.exe, orpowershell.exelaunched from unexpected parent processes (e.g.,bthserv.sysis typically parented byservices.exe; any child process is anomalous). - Bluetooth L2CAP error logs (found in
%WinDir%\Logs\Bluetooth): Look for repeated entries of “Malformed packet” or “Invalid length parameter”. - Network detection: Organizations with Bluetooth threat detection gateways (like Bastille Networks or CTIA-authorized equipment) can fingerprint malicious L2CAP sequences. Snort/Suricata rules can be written for fixed byte patterns if the attack is known.
Microsoft Defender for Endpoint has an analytics rule that correlates Bluetooth service spawns with anomalous child processes, which can be tuned for high-fidelity detection. CrowdStrike and SentinelOne customers can create custom IOA rules based on the process lineage.
A sample YARA rule for detecting the known PoC script on endpoints might look for strings like:
rule CVE_2025_27490_PoC {
strings:
$s1 = "L2CAP_PSM_ANY"
$s2 = "send_acid_request"
$s3 = "heap_overflow_trigger"
condition:
all of them
}
However, signature-based detection will likely miss modified exploits. Behavioral analysis of Bluetooth stack anomalies should be integrated into SOC playbooks.
Recommended Enterprise Response Plan
Security leaders should take the following steps immediately:
- Enable automatic patching for the April updates, or deploy within 24 hours for all portable devices that move between untrusted networks.
- Audit Bluetooth exposure: Use device management tools to report which endpoints have Bluetooth enabled. Disable it on servers and workstations that don’t require it.
- Harden Bluetooth configuration: Through Group Policy, set
Bluetooth Policy: Allow BluetoothtoDisabledfor non-essential devices, and enable “Block all incoming connections” for essential ones. - Monitor for post-exploitation: Even after patching, assume some devices were compromised. Hunt for indicators of lateral movement, new domain admin accounts, and suspicious SYstem-level processes.
- Prepare for similar attacks: Bluetooth is just one wireless attack surface. Wi-Fi, NFC, and even wireless USB devices present similar risks. Integrate wireless threat modeling into regular red team exercises.
The Bluetooth SIG (Special Interest Group) also released a security notice (Ref. BT-SIG-2025-001) recommending that all Bluetooth implementations validate L2CAP length fields, though this is a host implementation flaw rather than a protocol issue.
A Wake-Up Call for Wireless Attack Surface Management
CVE-2025-27490 is a stark reminder that built-in wireless capabilities are often the least monitored and most exposed. While patching is critical, architectural decisions like disabling Bluetooth when not in use, implementing application whitelisting, and enforcing credential tiering provide defense in depth. As hybrid work persists, the “coffee shop threat” is no longer a fringe scenario — it’s a daily reality.
Microsoft’s April patches also fixed two other Bluetooth-related vulnerabilities (CVE-2025-28190 and CVE-2025-28191), both remote code execution flaws in the Bluetooth stack that require authentication but further underscore ongoing code quality issues. Enterprises should adopt a continuous posture of wireless hardening, treating Bluetooth as a network interface subject to the same segmentation and monitoring as Wi-Fi.
For now, applying KB5044285 or its equivalents is the single most effective mitigation. But don’t stop there: use this incident to revisit your organization’s overall wireless security strategy. The next airborne attack might not wait for Patch Tuesday.