CVE Alert: CVE-2025-55328 - Microsoft - Windows 11 Version 25H2

CVE-2025-55328

HIGHNo exploitation known

Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Hyper-V allows an authorized attacker to elevate privileges locally.

CVSS v3.1 (7.8)

Vendor

Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft, Microsoft

Product

Windows 11 Version 25H2, Windows 10 Version 1809, Windows Server 2019, Windows Server 2019 (Server Core installation), Windows Server 2022, Windows 10 Version 21H2, Windows 11 version 22H2, Windows 10 Version 22H2, Windows Server 2025 (Server Core installation), Windows 11 version 22H3, Windows 11 Version 23H2, Windows Server 2022, 23H2 Edition (Server Core installation), Windows 11 Version 24H2, Windows Server 2025, Windows 10 Version 1507, Windows 10 Version 1607, Windows Server 2016, Windows Server 2016 (Server Core installation)

Versions

10.0.26200.0 lt 10.0.26200.6899 | 10.0.17763.0 lt 10.0.17763.7919 | 10.0.17763.0 lt 10.0.17763.7919 | 10.0.17763.0 lt 10.0.17763.7919 | 10.0.20348.0 lt 10.0.20348.4294 | 10.0.19044.0 lt 10.0.19044.6456 | 10.0.22621.0 lt 10.0.22621.6060 | 10.0.19045.0 lt 10.0.19045.6456 | 10.0.26100.0 lt 10.0.26100.6899 | 10.0.22631.0 lt 10.0.22631.6060 | 10.0.22631.0 lt 10.0.22631.6060 | 10.0.25398.0 lt 10.0.25398.1913 | 10.0.26100.0 lt 10.0.26100.6899 | 10.0.26100.0 lt 10.0.26100.6899 | 10.0.10240.0 lt 10.0.10240.21161 | 10.0.14393.0 lt 10.0.14393.8519 | 10.0.14393.0 lt 10.0.14393.8519 | 10.0.14393.0 lt 10.0.14393.8519

CWE

CWE-362, CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Published

2025-10-14T17:01:00.396Z

Updated

2025-10-14T23:55:54.317Z

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55328

AI Summary Analysis

Risk verdict

High risk of local privilege escalation via a race condition in Hyper-V; patching should be urgent once updates are available.

Why this matters

An authenticated attacker could elevate to SYSTEM on a host or within a VM, enabling installation of persistent backdoors, data compromise, or spread to other virtualised resources. The impact is broad across host and guest environments where Hyper-V is present.

Most likely attack path

Exploitation requires local access with at least low privileges and no user interaction (PR:L, UI:N). The vulnerability arises from concurrent execution on shared Hyper-V resources, enabling a privilege escalation with full impact (C, I, A high). Because the vector is local, the attacker’s initial foothold must already exist on the host; remote or external exploitation is unlikely unless combined with another compromise or misconfiguration. Lateral movement is possible within the host and guest boundary if administrator actions are compromised.

Who is most exposed

Hosts and clusters running Hyper-V on Windows 10/11 workstations or Windows Server editions, especially in dev/test labs or production environments with administrative access to virtualization components.

Detection ideas

Spikes or anomalies in Hyper-V worker threads and kernel memory usage.
Kernel or hypervisor crash dumps linked to virtualization components.
Unusual processes gaining SYSTEM privileges without justification.
Repeated or suspicious attempts to access privileged Hyper-V resources or management interfaces.
Unexpected VM state changes following user logon or small-time window.

Mitigation and prioritisation

Apply Microsoft patches as soon as released; perform testing in a lab prior to production rollout; schedule a controlled reboot if required.
If patching is pending, enforce strongest local authentication controls on hosts, restrict Hyper-V management access, segment virtualization hosts from untrusted networks, and enable strict EDR/monitoring for hypervisor activity.
Validate backups and test recovery procedures; implement change-control for patch deployment.
If KEV is confirmed or EPSS ≥ 0.5, treat as priority 1; otherwise treat as high-priority 2 with close monitoring.

Support Our Work

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.

AI APIs OSINT driven New features

Buy Me A Coffee Patreon

Tags: CVE, cve-2025-55328, microsoft, OSINT, threatintel, windows-10-version-1507, windows-10-version-1607, windows-10-version-1809, windows-10-version-21h2, windows-10-version-22h2, windows-11-version-22h2, windows-11-version-22h3, windows-11-version-23h2, windows-11-version-24h2, windows-11-version-25h2, windows-server-2016, windows-server-2016-server-core-installation, windows-server-2019, windows-server-2019-server-core-installation, windows-server-2022, windows-server-2022-23h2-edition-server-core-installation, windows-server-2025, windows-server-2025-server-core-installation