CVE Alert: CVE-2025-54112 – Microsoft – Windows 10 Version 1809
CVE-2025-54112
Use after free in Microsoft Virtual Hard Drive allows an authorized attacker to elevate privileges locally.
AI Summary Analysis
Risk verdict
High risk of local privilege escalation; exploitation state is not confirmed in the provided data.
Why this matters
An attacker who already has local access can elevate privileges to SYSTEM, potentially owning the host and accessing connected resources. This undermines confidentiality and integrity of the endpoint and can enable further network compromise if credentials or trust relationships are exposed through the VHD workflow.
Most likely attack path
Preconditions: a valid local user account is required; no user interaction is needed. An attacker would exploit the use-after-free flaw in Microsoft Virtual Hard Disk to gain higher privileges on a compromised host. With local access, the vulnerable path allows privilege escalation without any further authentication or remote code execution, increasing the risk of host-level takeover and of subsequent lateral movement if credentials or trust contexts are exposed.
Who is most exposed
Likely exposed in organisations with Windows endpoints and servers that actively use Virtual Hard Disk features (desktop and server deployments across Windows 10/11 and Windows Server 2019–2025). Environments with broad user privilege scopes and shared VHD workflows are particularly impacted.
Detection ideas
- Monitor for privilege-escalation events linked to VHD-related processes or services.
- Look for memory/heap corruption indicators or crash events in the VHD/virtualisation stack.
- Correlate anomalous process spawning or service restarts following VHD mount/unmount actions.
- Identify unusual local account privilege changes without corresponding user action.
- Flag repeated failed/successful escalation attempts on affected builds.
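The third detection idea above (process spawning after VHD mount/unmount) as a worked hunt, written here as an added example and not code from the alert or from Microsoft. It assumes process-creation auditing (Security event 4688) is enabled and that the 'Microsoft-Windows-VHDMP-Operational' log exists and records VHD attach/detach activity; the writable-path list and the two heuristics are the author's own choices.

```powershell
# Hunt for 4688 process creations that land a SYSTEM token from a non-SYSTEM
# subject, or run as SYSTEM from a user-writable parent path, within a short
# window after VHD activity. Heuristic only; tune paths and window per estate.
param(
    [int]$LookbackHours = 24,
    [int]$WindowSeconds = 120
)
$since = (Get-Date).AddHours(-$LookbackHours)
# Assumed log name; event IDs are deliberately not filtered.
$filterVhd  = @{ LogName = 'Microsoft-Windows-VHDMP-Operational'; StartTime = $since }
$filterProc = @{ LogName = 'Security'; Id = 4688; StartTime = $since }

$vhdTimes = @(Get-WinEvent -FilterHashtable $filterVhd -ErrorAction SilentlyContinue |
              ForEach-Object { $_.TimeCreated })
$procs    = @(Get-WinEvent -FilterHashtable $filterProc -ErrorAction SilentlyContinue)

$systemSid = 'S-1-5-18'
$userPaths = @('\Users\', '\Temp\', '\ProgramData\')   # constructed list of writable roots

foreach ($e in $procs) {
    $p = $e.Properties
    if ($p.Count -lt 14) { continue }          # older 4688 schema lacks ParentProcessName
    $subjectSid = [string]$p[0].Value          # account that created the process
    $newProc    = [string]$p[5].Value          # NewProcessName
    $targetSid  = [string]$p[9].Value          # token of the new process, if different
    $parent     = [string]$p[13].Value         # ParentProcessName

    $tokenJump = ($targetSid -eq $systemSid) -and ($subjectSid -ne $systemSid)
    $oddParent = ($subjectSid -eq $systemSid) -and
                 [bool]($userPaths | Where-Object { $parent -like "*$_*" })
    if (-not ($tokenJump -or $oddParent)) { continue }

    # Keep only hits that follow VHD activity within the correlation window.
    $recentVhd = @($vhdTimes | Where-Object {
        $_ -le $e.TimeCreated -and ($e.TimeCreated - $_).TotalSeconds -le $WindowSeconds })
    if ($recentVhd.Count -eq 0) { continue }

    $reason = if ($tokenJump) { 'SYSTEM token from non-SYSTEM subject' }
              else { 'SYSTEM process with user-path parent' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Subject      = $subjectSid
        NewProcess   = $newProc
        Parent       = $parent
        Reason       = $reason
        LastVhdEvent = ($recentVhd | Sort-Object -Descending | Select-Object -First 1)
    }
}
```

Run from an elevated session so the Security log is readable; pipe the output to Export-Csv or a SIEM forwarder for triage.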
Mitigation and prioritisation
- Apply the official Microsoft patch across all affected Windows versions as a priority.
- If patching is delayed, restrict VHD usage by untrusted processes and enable application whitelisting; limit mounting of VHDs where feasible.
- Enforce least-privilege for local accounts; monitor for escalation attempts with EDR/XDR sensors.
- Validate remediation with asset inventory and vulnerability scanning; phase patch deployment through change control.
- Note: If KEV is present or EPSS ≥ 0.5, escalate to priority 1 when applicable.