Microsoft has fixed two serious elevation-of-privilege vulnerabilities in the Windows Bluetooth Service that could be chained with other exploits to hand an attacker full control of an unpatched PC. The flaws, tracked as CVE-2025-27490 and CVE-2025-53802, were addressed in the April and September 2025 Patch Tuesday releases respectively, and every user with Bluetooth enabled should treat them as a high priority.

What Actually Changed

The vulnerabilities live in the Windows Bluetooth Service, a core component that runs with SYSTEM privileges and handles pairing, connections, and data exchange with Bluetooth devices. Both flaws allow a local attacker who has already gained low-level access to a machine—via malware, a compromised user account, or physical access—to elevate their rights to the highest possible level on the system.

CVE-2025-27490, disclosed on April 8, 2025, is a heap-based buffer overflow. It occurs when the service mishandles specially crafted Bluetooth packets, which can crash the service or, with precision, allow an attacker to overwrite memory and execute arbitrary code in the privileged context of the service. Public trackers list the base CVSS score as 7.8 (High).

CVE-2025-53802, published on September 9, 2025, is a use-after-free (UAF) bug. In this case, the service fails to properly manage memory objects after they are freed, creating a dangling pointer that an attacker can manipulate to corrupt memory or redirect execution flow. The result is the same: local privilege escalation to SYSTEM.

Microsoft rated both vulnerabilities as “Important” in its own severity taxonomy, but the combination of wide Bluetooth adoption and the ever-present risk of chaining elevation flaws with remote code execution exploits makes them more than routine patches.

What It Means for You

For Home Users

If you use a laptop, tablet, or desktop with Bluetooth—even if you rarely connect Bluetooth devices—you are exposed. As long as the Windows Bluetooth Service is running, the flaw is present. Attackers cannot exploit these vulnerabilities remotely over the air; they need an initial foothold on your PC. But that foothold can come from a malicious email attachment, a drive-by download, or even a shared machine. Once inside, an attacker can run a specially crafted program that interacts with the Bluetooth service to escalate privileges and install ransomware, keyloggers, or backdoors without being limited by standard user restrictions.

For IT Administrators and Enterprise Users

The stakes are higher in managed environments. A single compromised user account on a workstation or server could turn into a domain-wide disaster if the attacker uses the Bluetooth elevation bug to pivot to more sensitive systems. Critical infrastructure, financial services, and healthcare machines that have Bluetooth adapters—even unused ones—are at risk. The fact that the Bluetooth service runs by default on most Windows 10 and 11 installations means the attack surface is broad.

Moreover, both CVEs are “local” attacks, meaning traditional network intrusion detection systems won’t see them. The only reliable defense is patching. If you’ve delayed deploying April’s updates, CVE-2025-27490 remains a gaping hole; September’s update adds CVE-2025-53802 to the list.

How We Got Here

Windows’ Bluetooth stack has been a magnet for security research since the BlueBorne attack was revealed in 2017. That remote-code-execution vulnerability shook the industry, but subsequent disclosures have often centered on elevation of privilege—bugs that assume an attacker is already on the machine. Microsoft has steadily hardened the stack, but the sheer complexity of handling asynchronous I/O, memory allocation, and state management in kernel or kernel-adjacent services means new flaws surface regularly.

The April 2025 Patch Tuesday addressed dozens of vulnerabilities, but CVE-2025-27490 stood out because heap overflows in a service as privileged as the Bluetooth Service can be turned into reliable exploits. Five months later, the discovery of CVE-2025-53802 underscored that the codebase still hides memory corruption risks. While no public proof-of-concept code was available at the time of disclosure, history shows that determined attackers can reverse-engineer patches to develop exploits within days.

Microsoft has not attributed either flaw to a specific researcher or external group in its initial advisories, a common practice when vulnerabilities are discovered internally or during routine code audits. The NVD entries for both CVEs point to an “unspecified” attack vector and complexity, which is typical when the vendor releases limited technical details to protect customers during the early patching phase.

What to Do Now

Apply the patches immediately

For most users, the fix is straightforward: run Windows Update and install all pending security updates. The April 2025 cumulative updates addressed CVE-2025-27490, and the September 2025 updates address CVE-2025-53802. Both are rolled into the standard monthly quality updates, so if you are up to date, you’re already protected.

Enterprises relying on WSUS, Microsoft Endpoint Configuration Manager, or Windows Update for Business should validate that the latest cumulative updates have been approved and deployed across all endpoints. Specific KB numbers vary by platform and build; consult the Microsoft Security Update Guide for your exact version. As of this writing, the guide does not list CVE-2025-59220, which has appeared in some reports—stick to the verified IDs CVE-2025-27490 and CVE-2025-53802.

Verify Bluetooth service status

If you don’t use Bluetooth on a particular machine, consider disabling the service entirely. Navigate to Services.msc, find “Bluetooth Support Service” and set its startup type to Disabled. This reduces attack surface but may break functionality for Bluetooth peripherals and some modern wireless features.

Hunt for signs of exploitation

Since no in-the-wild reports have linked active attacks to these CVEs as of this writing, proactive detection is speculative. However, defenders can look for anomalies:
- Abnormal termination or restarts of the Bluetooth Support Service (Event ID 7034 in the System log).
- Unexpected child processes spawned under the service’s process (typically BthServ.dll hosted by svchost.exe).
- Suspicious registry modifications under HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters.

For advanced environments, endpoint detection platforms can be tuned to flag unusual API calls from Bluetooth-related processes, but this is a noisy approach. Focus on patching first, then tune detection over the following weeks as you observe normal behavior.

Plan for the next Bluetooth vulnerability

Bluetooth security will remain a moving target. As an admin, build a policy that treats Bluetooth as a potential threat vector: disable it on servers and kiosks by default; require justification on workstations; and monitor for outdated drivers. The Windows Update for Business reports can help identify systems that consistently fall behind on patches.

Outlook

Microsoft has not signaled that these vulnerabilities are being actively exploited, but that can change quickly. Both flaws offer a clean path from low-privilege code execution to SYSTEM, making them valuable for ransomware operators and advanced persistent threats. Given the public disclosure cycle, it’s only a matter of time before proof-of-concept exploits appear—if they haven’t already. Staying current on monthly security updates remains the simplest, strongest defense. Watch the MSRC portal for any updates to severity or exploitation status, and treat Bluetooth as a privileged service that deserves the same scrutiny as any other high-value target.