CVE Alert: CVE-2025-49734 – Microsoft – Windows 10 Version 1809

Risk verdict

High risk of local privilege escalation; patching should be prioritised, subject to exploitation indicators.

Why this matters

An attacker with local access can elevate privileges to gain full control of the host, enabling persistence, credential access, and potential lateral movement to connected systems. The impact is particularly acute for endpoints hosting sensitive data or privileged tooling, and for virtualised environments where PowerShell Direct is used to manage guests.

Most likely attack path

An attacker with an initial foothold on a host leverages PowerShell Direct to trigger elevation with minimal user interaction. With local access, the exploit requires low pre-existing privileges and can rapidly grant high/ SYSTEM-level rights on the same machine, facilitating further compromise without remote access in the initial stage.

Who is most exposed

Windows endpoints commonly deployed in enterprises (Windows 10/11, Windows Server 2019/2022 and equivalents) where PowerShell Direct and local admin privileges are present. Environments with broad local admin groups or VM management workflows are particularly at risk.

Detection ideas

• Unusual PowerShell Direct sessions/processes on hosts
• Privilege escalation attempts flagged by local security monitoring (unexpected token impersonation, privilege changes)
• Surges in 4688 process creation events tied to PowerShell activity
• Unexplained credential access patterns or Kerberos/service ticket anomalies
• Endpoint anomalies shortly after user authentication events

Mitigation and prioritisation

• Apply the official vendor security update for the vulnerability; verify coverage across affected Windows versions.
• Restrict PowerShell Direct usage; implement application control (WDAC/AppLocker) and disable or tightly constrain PS-centric tasks on non-admin workstations.
• Harden local privileges: minimise local admin groups, enforce LAPS, and enable Credential Guard where feasible.
• Improve monitoring: deploy targeted detections for local privilege escalation and PowerShell abuse; correlate with authentication and process trees.
• Change-management: schedule patching in a controlled window; test in a representative environment before full rollout. Note: If KEV is true or EPSS ≥ 0.5, treat as priority 1. If data is missing, confirm KEV/EPSS and exploitation state to re-evaluate urgency.