CVE-2025-1804 in Battle.Net
Summary
by MITRE • 03/01/2025
A vulnerability was found in Blizzard Battle.Net up to 2.39.0.15212 on Windows and classified as critical. Affected by this issue is some unknown functionality in the library profapi.dll. The manipulation leads to uncontrolled search path. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/07/2025
The vulnerability identified as CVE-2025-1804 represents a critical security flaw within Blizzard Battle.Net software version 2.39.0.15212 and earlier on Windows platforms. This issue specifically affects the profapi.dll library component, which serves as a critical system interface for profile management and user data handling within the Battle.Net ecosystem. The vulnerability stems from improper handling of dynamic library loading mechanisms that allow for arbitrary code execution through manipulated search paths. The affected functionality within profapi.dll demonstrates a classic path traversal vulnerability where the system fails to properly validate or sanitize the library search order, creating opportunities for malicious actors to inject unauthorized code into the execution flow.
The technical exploitation of this vulnerability requires local system access and involves sophisticated manipulation of the Windows dynamic link library loading process. Attackers must leverage the uncontrolled search path to place malicious DLL files in locations that will be loaded before the legitimate profapi.dll component. This type of vulnerability falls under CWE-427 Uncontrolled Search Path Element, which is classified as a path manipulation issue that allows attackers to influence the execution flow by controlling which libraries are loaded. The attack complexity is elevated due to the requirement for local system access and the need to understand and manipulate the specific Windows library loading behavior, making it less accessible than remote exploitation vectors but still highly dangerous in compromised environments.
The operational impact of this vulnerability extends beyond simple privilege escalation as it represents a potential entry point for broader system compromise within the Battle.Net ecosystem. The profapi.dll library handles sensitive user profile data and authentication information, making successful exploitation potentially devastating for user accounts and system integrity. The vulnerability's classification as critical indicates that it can be leveraged to achieve complete system compromise, particularly when combined with other local exploitation techniques or when the target system already has compromised user credentials. This type of vulnerability is particularly concerning in enterprise environments where Battle.Net clients may be used for gaming or other entertainment purposes while maintaining access to corporate resources.
Mitigation strategies for CVE-2025-1804 should focus on immediate software updates from Blizzard to address the underlying library loading issue in profapi.dll. System administrators should implement strict library loading policies and monitor for unauthorized DLL placement in system directories. The vulnerability's local attack requirement means that network-based protections alone are insufficient, but endpoint detection and response solutions should be configured to monitor for suspicious library loading behaviors. Organizations should also consider implementing application whitelisting policies to prevent unauthorized DLL execution and ensure that only trusted code can be loaded by the Battle.Net client. The ATT&CK framework categorizes this vulnerability under T1059 Command and Scripting Interpreter and T1574 Hijacking Execution Flow, highlighting the need for both endpoint protection and behavioral monitoring to detect and prevent exploitation attempts.