Microsoft releases emergency patch for critical vulnerability affecting multiple Windows versions, rated 9.8/10 severity with active exploitation reported.
Microsoft has released an emergency security update addressing CVE-2025-40005, a critical vulnerability affecting Windows operating systems. The flaw, rated 9.8 out of 10 on the CVSS severity scale, allows remote code execution without authentication.
The vulnerability impacts Windows 10 version 1809 and later, Windows 11, and Windows Server 2019/2022. Microsoft reports limited targeted attacks using this vulnerability to deploy ransomware payloads.
Affected Products:
- Windows 10 (1809, 1903, 1909, 2004, 20H2, 21H1, 21H2, 22H2)
- Windows 11 (all versions)
- Windows Server 2019
- Windows Server 2022
CVSS Metrics:
- Base Score: 9.8 (Critical)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
Mitigation Steps:
- Enable automatic updates or manually install the latest security patch
- Verify patch installation through Windows Update history
- Restart systems after installation
- Monitor for unusual network activity
Microsoft recommends immediate patching as proof-of-concept code has been publicly released. Organizations should prioritize systems exposed to the internet or handling sensitive data.
Timeline:
- Vulnerability discovered: March 15, 2025
- Patch released: March 18, 2025
- First exploitation reports: March 17, 2025
The Security Update Guide provides detailed technical information for IT administrators, including registry key modifications and Group Policy settings for enterprise deployments.
Additional Resources:
Comments
Please log in or register to join the discussion