CVE Alert: CVE-2025-54093 – Microsoft – Windows 10 Version 1809

Risk verdict

High-severity local privilege escalation in the Windows TCP/IP driver; exploitation not currently observed in available indicators, but patching should be prioritised when feasible.

Why this matters

The TOCTOU race can let an authorised local user elevate to SYSTEM, enabling full control, potential data exposure, and persistence. With a high impact on confidentiality, integrity and availability, an attacker could weaponise this as a foothold for broader compromise across hosts.

Most likely attack path

Requires local access (AV:L) and low privileges (PR:L) with no user interaction (UI:N). An attacker would trigger a race in tcpip.sys to obtain elevated rights, then attempt post-exploitation actions. Lateral movement remains possible once SYSTEM is reached, subject to existing network and credential hygiene.

Who is most exposed

Widespread across enterprise endpoints and servers running the affected Windows versions (desktop and Server editions listed), particularly where local accounts or remote management interfaces are present and patch levels are lagging.

Detection ideas

• Look for Privilege Escalation events (e.g., 4672) from non-admin processes.
• Monitor unusual process creations or token changes (4688 with elevated tokens).
• Track tcpip.sys driver load/crash events or abnormal kernel-mode abnormalities.
• Correlate spikes in CPU or memory activity tied to network stack moments.

Mitigation and prioritisation

• Apply the Microsoft fix to all affected Windows versions; verify deployment across devices.
• Enforce least privilege and reduce local admin rights; review group memberships.
• Strengthen endpoint security monitoring (EDR) for privilege escalations and kernel faults.
• Enable driver integrity checks and consider WDAC/Code Integrity where feasible.
• Schedule patching in a coordinated maintenance window with rollback and testing.