A high-severity vulnerability has been identified in the Windows Bluetooth Service, designated CVE-2025-58728. This flaw, a "use-after-free" condition, can be exploited by an attacker who already has basic access to a system to gain full administrative control. Successful exploitation could lead to a complete system compromise, allowing the attacker to steal data, install malware, or disrupt operations.

This is a use-after-free vulnerability within the Windows Bluetooth Service. The flaw occurs when the service fails to properly manage memory after an object is freed (or deallocated). An authenticated attacker with local access can send a specially crafted series of requests to the Bluetooth service, causing it to reference this freed memory. By carefully manipulating the system's memory state prior to the exploit, the attacker can control the data at the freed memory location, leading to the execution of arbitrary code with the elevated privileges of the Bluetooth Service, which typically runs as SYSTEM.

This vulnerability is rated as High severity with a CVSS score of 7.8. A successful exploit would result in a local privilege escalation (LPE), allowing a low-privileged user to gain full SYSTEM-level control over the affected machine. This effectively grants the attacker complete administrative access, enabling them to bypass all security controls, install persistent malware or ransomware, exfiltrate sensitive data, create new administrative accounts, and pivot to other systems on the network. This vulnerability poses a significant risk to workstations and servers, as it can be a critical step in an attack chain following an initial compromise.

Immediate Action: Apply the security updates provided by the vendor across all affected systems immediately. Prioritize patching for critical servers and workstations with sensitive data access. Following patching, monitor system and security logs for any signs of exploitation attempts or anomalous behavior related to the Bluetooth service.

Proactive Monitoring:

• Log Analysis: Monitor Windows Event Logs for crashes or unexpected restarts of the Bluetooth Service (bthserv). Look for error events associated with Bluetooth drivers.
• Endpoint Detection and Response (EDR): Ensure EDR solutions are configured to detect common privilege escalation techniques. Specifically, monitor for suspicious processes being spawned by the Bluetooth service or any unusual module loads.
• System Behavior: Watch for the creation of unauthorized user accounts, especially those with administrative privileges, and any unexpected modification of system files or security configurations.

Compensating Controls:

• Disable Bluetooth Service: If patching is not immediately feasible and Bluetooth functionality is not a business requirement, disable the Windows Bluetooth Service on endpoints and servers to remove the attack surface.
• Principle of Least Privilege: Enforce strict adherence to the principle of least privilege for all user accounts to limit the initial foothold an attacker can gain.
• Application Control: Implement application whitelisting solutions like AppLocker to prevent unauthorized executables from running on the system, which would block the payload of a successful exploit.

Public Exploit Available: false

Given the high CVSS score of 7.8 and the critical impact of a successful privilege escalation, this vulnerability requires immediate attention. An attacker can leverage this flaw to turn minor system access into a full compromise. Although this CVE is not currently on the CISA KEV list, its nature makes it a prime candidate for future inclusion. We strongly recommend that organizations prioritize the deployment of vendor security updates to all affected assets without delay. For systems where patching cannot be immediately applied, implement compensating controls, particularly disabling the Bluetooth service where it is non-essential.