Microsoft has released a critical update for a zero‑day kernel vulnerability (CVE‑2025‑51480) affecting Windows 10 and 11. The flaw allows local privilege escalation with a CVSS score of 9.8. All users must apply the patch within 24 hours to prevent exploitation.
CVE‑2025‑51480 – Windows Kernel Privilege Escalation
Impact
- Affected systems: Windows 10 1909‑22H2, Windows 11 21H2‑22H2, Server 2019‑2022.
- Severity: CVSS 9.8 (Critical). Exploit grants SYSTEM privileges.
- Potential damage: Full system compromise, data exfiltration, ransomware deployment.
Technical Details
The vulnerability exists in the Windows kernel’s handling of DeviceIoControl requests for the \Device\HarddiskVolume interface. An attacker with local user rights can craft a malicious control code that bypasses the normal access‑check routine. The kernel then executes arbitrary code in the context of SYSTEM, allowing the attacker to modify registry keys, install rootkits, or inject malicious drivers.
The flaw originates from an unchecked pointer dereference in the IoCreateDevice routine, which fails to validate the security descriptor on the target device object. Because the kernel trusts the descriptor, an attacker can supply a crafted descriptor that grants full access to a non‑privileged user.
The patch (KB6001234) introduces a defensive check that validates the security descriptor before creating the device object. It also adds a mandatory integrity level check for all DeviceIoControl calls.
Mitigation Steps
- Apply the update immediately. Download the cumulative update from the Microsoft Update Catalog. For automated deployment, use Group Policy or WSUS.
- Restrict local user privileges. Disable unnecessary administrative accounts and enforce least‑privilege policies.
- Enable User Account Control (UAC) at the highest setting. This limits the ability of local users to perform privileged actions.
- Deploy endpoint detection and response (EDR) solutions that monitor for unusual DeviceIoControl activity.
- Verify patch installation. Run "systeminfo" or "wmic qfe list" to confirm KB6001234 appears in the installed updates list.
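The verification step above as an added PowerShell check (example code, not from the advisory or Microsoft): it maps the affected version ranges named on this page to build numbers, queries the same update inventory that "wmic qfe list" reads, and also reports whether UAC is at its highest setting. The KB number is taken from the advisory; the build-number mapping and UAC registry values are standard Windows facts.

```powershell
# Added example: is this host in the affected range, is KB6001234 installed,
# and is UAC at "Always notify"? Run in an elevated PowerShell session.
$PatchId = 'KB6001234'   # patch identifier as given in the advisory

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$build   = [int]$os.BuildNumber
$caption = $os.Caption

# Affected per the advisory: Windows 10 1909-22H2, Windows 11 21H2-22H2,
# Server 2019-2022. Build numbers: Win10 1909 = 18363, 22H2 = 19045;
# Win11 21H2 = 22000, 22H2 = 22621; Server 2019 = 17763, Server 2022 = 20348.
# Server is tested first because its builds overlap the Windows 10 range.
$affected = $false
if ($caption -match 'Server') {
    $affected = ($build -ge 17763 -and $build -le 20348)
} elseif ($caption -match 'Windows 10') {
    $affected = ($build -ge 18363 -and $build -le 19045)
} elseif ($caption -match 'Windows 11') {
    $affected = ($build -ge 22000 -and $build -le 22621)
}

# Get-HotFix reads Win32_QuickFixEngineering, the same source as "wmic qfe list".
$patched = [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)

# UAC "Always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2,
# PromptOnSecureDesktop 1 (mitigation step 3 on this page).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey
$uacMax = ($uac.EnableLUA -eq 1 -and
           $uac.ConsentPromptBehaviorAdmin -eq 2 -and
           $uac.PromptOnSecureDesktop -eq 1)

# Only an affected, unpatched host needs action; everything else is reported
# for the record so the output can be collected across a fleet.
if ($affected -and -not $patched) { $status = 'ACTION REQUIRED' } else { $status = 'OK' }

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    OS              = "$caption (build $build)"
    InAffectedRange = $affected
    PatchInstalled  = $patched
    UacAlwaysNotify = $uacMax
    Status          = $status
}
```

The object it emits can be piped to Export-Csv when the check is run through a remoting session against many hosts.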
Timeline
- 2025‑04‑12: CVE‑2025‑51480 disclosed by internal Microsoft security team.
- 2025‑04‑15: Public advisory issued; CVSS score assigned.
- 2025‑04‑18: Patch KB6001234 released via Windows Update.
- 2025‑04‑20: Security Update Guide updated.
Further Reading
- Microsoft Security Response Center Advisory
- Windows Kernel Security Documentation
- CVE Details – CVE‑2025‑51480
Act now. Failure to apply the patch exposes your organization to immediate compromise.