Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Reddit r/netsec

Discovery & Analysis of CVE-2025-29969

  • What: A critical remote code execution vulnerability (CVE-2025-29969) was discovered in the MS-EVEN RPC protocol in Microsoft Windows.
  • Impact: Low-privileged users can bypass share limitations and write arbitrary files on Windows 11 and Windows Server 2025 systems, potentially leading to full system compromise.

Feb 19, 2026

EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969)

See how SafeBreach Labs researchers discovered a critical remote code execution vulnerability in the MS-EVEN RPC protocol that allowed low-privileged users to bypass share limitations and write arbitrary files on Windows 11 and Windows Server 2025 systems.

While attackers often find low-privileged credentials after creating a process dump of LSASS or harvesting hashes with a tool like Responder, they are rarely able to do anything with those credentials (RDP aside). We set out to discover how malicious actors might exploit Microsoft Windows remote procedure call (RPC) protocols to gather data remotely as a low-privileged user, using RPC as an attack surface. After a bit of exploration, we focused on the Microsoft Windows MS-EVEN protocol, which enables users to read, back up, and report events remotely. The protocol is enabled by default on most Windows variants and provides significant remote functionality for event log files. Because it is enabled by default, we were interested to see whether we could use it for information gathering. Spoiler alert: we were able to do that and much more with our discovery of CVE-2025-29969, a remote code execution (RCE) vulnerability in Active Directory domain networks.

In the article below, we first present the key findings from our discovery and analysis of CVE-2025-29969. Then we dive into the research process, explaining how we explored potential RPC services and established the criteria that would identify those ideal for exploitation. Next, we share how we uncovered a way to write arbitrary files remotely as a low-privileged user using the Eventlog service exposed through the MS-EVEN protocol. Finally, we explain how we are sharing this information with the broader security community to help organizations and end users running affected Microsoft Windows versions better understand the risks associated with this vulnerability and take steps to protect themselves.

Key Findings

  • The SafeBreach Labs research team discovered a method to write arbitrary files remotely over the MS-EVEN RPC service of Windows using a low-privileged set of credentials.
  • The vulnerability exists in the MS-EVEN service, which is enabled by default on both Windows 11 and its server variant, Windows Server 2025.
  • The issue enables an attacker to use a set of low-privileged credentials to write files remotely, effectively bypassing the default C$ share limitations.
  • The attack is effective in both domain and workgroup networks. Within a domain network, the potential implications are severe.
  • In line with SafeBreach's responsible disclosure policy, we reported the vulnerability to Microsoft in February 2025. As an RCE vulnerability in Active Directory domain networks, it was assigned CVE-2025-29969 and was patched in May 2025.

The Research Process for CVE-2025-29969

Exploring Available RPC Services

We began our research by exploring which RPC services were remotely available to low-privileged users, using RPCView, a tool that lists all the RPC servers on a machine. As we scanned the list of services, it was helpful to understand how each service was being "exported." Each service exposes its functionality through one or more endpoints that can be accessed over a named pipe (PIPE), TCP, or ALPC. We wanted to examine those available over TCP and PIPE, because both can be accessed remotely (ALPC is local only). Also, each service may have a single RPC interface or multiple RPC interfaces, and each of those exposes multiple functions that can be called. In order to call a function, you first need to "bind" the interface that exports it. Binding an interface simply means obtaining a handle to the interface; this handle can then be used to call the functions the interface exports.

NOTE: The fact that a service exposes a TCP endpoint does not necessarily mean that we can bind to all of its interfaces remotely. Interfaces can be configured to disallow remote connections regardless of the service's endpoints.

[Diagram: service → endpoints (PIPE / TCP / ALPC) → interfaces → functions; not reproduced in this excerpt]

Finding the Ideal RPC Service

In order to find good candidates for remote RPC calling, there were a few requirements that we wanted to keep in mind:

  • First, the interface we accessed must NOT have the flag RPC_IF_ALLOW_LOCAL_ONLY set, as this flag blocks remote access to the interface. We were able to check this in RPCView by clicking on the interface we wanted to use; the information is shown on the RPC tab of the Interface Properties window.
  • Second, we would need to pass the security callback of each interface. Each interface may have a function called a "security callback," which is responsible for authorizing the user that wants to use the interface. The security callback may also not exist at all.
  • Finally, we would need to pass the optional checks that each function may perform internally to check if the user ...
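The candidate criteria above split into two groups: the ones you can read off an RPCView listing (a remotely reachable endpoint, no RPC_IF_ALLOW_LOCAL_ONLY) and the ones only the target can answer (the security callback, and per-function checks). As an added example, not code from the SafeBreach write-up or its tooling, the Python script below applies the first group to a constructed RPCView-style inventory and then, for the surviving MS-EVEN candidate, performs the bind and a read-only call over \pipe\eventlog using impacket to see how far a given low-privileged account gets. The pipe name is the well-known MS-EVEN endpoint from the protocol specification; the inventory rows, the RpcInterface fields and the stage names are this example's own conventions, and the network probe assumes impacket's dcerpc.v5 even and transport modules are available.

```python
"""
Candidate selection and a bind probe for remotely reachable RPC interfaces.

remote_candidates() applies the requirements that can be read off an RPCView
inventory (remote-capable endpoint, no RPC_IF_ALLOW_LOCAL_ONLY); probe_even()
then tests the two only the server can answer, the security callback and
per-function checks, by binding to MS-EVEN with the supplied (low-privileged)
credentials. Example code, not SafeBreach's.
"""
from dataclasses import dataclass

# Protocol sequences a remote host can reach; ALPC (ncalrpc) is local only.
REMOTE_PROTSEQS = {"ncacn_np", "ncacn_ip_tcp"}

# Well-known MS-EVEN endpoint, per the MS-EVEN specification.
MSEVEN_PIPE = r"\pipe\eventlog"


@dataclass
class RpcInterface:
    """One interface as RPCView lists it (fields constructed for this example)."""
    name: str
    protseqs: set                 # e.g. {"ncacn_np", "ncalrpc"}
    allow_local_only: bool        # RPC_IF_ALLOW_LOCAL_ONLY set on the interface
    has_security_callback: bool   # informational: only a live bind shows if it rejects us


def string_binding(protseq: str, host: str, endpoint: str) -> str:
    """Compose an RPC string binding, e.g. ncacn_np:dc01[\\pipe\\eventlog]."""
    return f"{protseq}:{host}[{endpoint}]"


def remote_candidates(inventory):
    """Keep interfaces a remote low-privileged user could at least attempt to bind."""
    kept = []
    for iface in inventory:
        if not (iface.protseqs & REMOTE_PROTSEQS):
            continue              # ALPC only: not reachable from the network
        if iface.allow_local_only:
            continue              # the RPC runtime refuses remote binds outright
        kept.append(iface)
    return kept


def probe_even(target, username, password, domain=""):
    """
    Bind to MS-EVEN on `target` and report the furthest stage reached:
    'connected' (SMB session to the pipe), 'bound' (interface flags and the
    security callback accepted the account) or 'called' (a read-only
    ElfrOpenELW succeeded, so the per-function checks passed as well).
    Requires impacket and a reachable host; imported lazily so the offline
    helpers above work without it.
    """
    from impacket.dcerpc.v5 import even, transport

    binding = string_binding("ncacn_np", target, MSEVEN_PIPE)
    rpctransport = transport.DCERPCTransportFactory(binding)
    rpctransport.set_credentials(username, password, domain)
    dce = rpctransport.get_dce_rpc()
    stage = "none"
    try:
        dce.connect()                              # SMB auth and open the pipe
        stage = "connected"
        dce.bind(even.MSRPC_UUID_EVEN)             # bind_nak here = flags/callback
        stage = "bound"
        even.hElfrOpenELW(dce, "Application\x00")  # read-only call; function checks
        stage = "called"
    except Exception as exc:                       # report where access stopped
        print(f"{target}: stopped after stage {stage!r}: {exc}")
    finally:
        if stage != "none":
            dce.disconnect()
    return stage


# Constructed inventory resembling a few RPCView rows; not real scan output.
SAMPLE_INVENTORY = [
    RpcInterface("eventlog (MS-EVEN)", {"ncacn_np"}, False, True),
    RpcInterface("alpc-only service", {"ncalrpc"}, False, False),
    RpcInterface("tcp but local-only", {"ncacn_ip_tcp", "ncalrpc"}, True, True),
]

if __name__ == "__main__":
    import sys
    for iface in remote_candidates(SAMPLE_INVENTORY):
        print("candidate:", iface.name)
    if len(sys.argv) == 4:                          # host user password
        print("reached stage:", probe_even(*sys.argv[1:4]))
```

Run it with no arguments to see which constructed rows survive the static filter; pass a host, user name and password to run the live probe against a lab machine you own. The stage at which the probe stops is the useful signal: failing at connect means the credentials or SMB access are the problem, a bind_nak means the interface flags or security callback rejected the account, and a failure after bind points at the function's own internal checks.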
