CVE-2025-30518 is a vulnerability identified in Intel(R) PresentMon, a performance monitoring tool that operates in user space (Ring 3). The issue stems from incorrect default permissions assigned to certain components of PresentMon before version 2.3.1. This misconfiguration allows an unprivileged, authenticated local user to escalate their privileges on the system. The attack complexity is high, meaning that exploitation requires significant effort and skill, and it also requires active user interaction, such as executing or triggering a specific action. No special internal knowledge of the system is needed, which lowers the barrier somewhat. The vulnerability affects confidentiality, integrity, and availability of the system at a high level, potentially allowing attackers to gain unauthorized access or control. However, the scope is limited to local access, and no remote exploitation vector is indicated. The CVSS 4.0 vector (AV:L/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H) confirms that the attack requires local access, high complexity, privileges, and user interaction, with high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild, and no patches or exploit code links are currently provided. The vulnerability was reserved in April 2025 and published in November 2025.

The vulnerability allows a local authenticated user with limited privileges to escalate their privileges on systems running vulnerable versions of Intel PresentMon. This can lead to unauthorized access to sensitive data (confidentiality impact), unauthorized modification of system or application data (integrity impact), and disruption or denial of service (availability impact). For organizations, this could mean compromised system security, potential lateral movement within networks, and increased risk of insider threats or malware persistence. Since PresentMon is used primarily for performance monitoring on Intel platforms, environments relying on this tool for diagnostics or performance analysis are at risk. The impact is localized to systems where the vulnerable software is installed and used, but could be significant in environments with sensitive data or critical infrastructure. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk from insider threats or compromised user accounts.

Organizations should upgrade Intel PresentMon to version 2.3.1 or later, where the permission issues have been corrected. Until patching is possible, restrict local access to systems running vulnerable versions to trusted users only. Implement strict user privilege management and monitor for unusual local activity that could indicate attempts to exploit this vulnerability. Employ application whitelisting to prevent unauthorized execution of untrusted software. Regularly audit file and process permissions related to PresentMon to ensure they conform to least privilege principles. Additionally, educate users about the risks of executing unknown or suspicious actions that could trigger exploitation. Consider isolating systems running PresentMon in segmented network zones to limit lateral movement if compromise occurs. Maintain up-to-date endpoint detection and response (EDR) solutions to detect potential privilege escalation attempts.