Fixing and finding
Jump to remediation plan
CVE ID

CVE-2025-62215

Published 2025-11-11
Updated 6 months ago
Vendor/s
Microsoft
Product/s
Windows
Version/s
* > 10.0.17763.8027
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
7
/ 10
High
Severity Details
Base score
7 High
Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-62215 is a High-severity race condition in the Windows Kernel allowing local privilege escalation. Actively exploited in the wild.

CPE

Microsoft logo
Microsoft
Product Version Start Version End (excl.) Status
windows_10_1809 * 10.0.17763.8027 vulnerable
windows_10_1809 * 10.0.17763.8027 vulnerable
windows_10_21h2 * 10.0.19044.6575 vulnerable
windows_10_22h2 * 10.0.19045.6575 vulnerable
windows_11_23h2 * 10.0.22631.6199 vulnerable
windows_11_24h2 * 10.0.26100.7092 vulnerable
windows_11_25h2 * 10.0.26200.7092 vulnerable
windows_server_2019 * 10.0.17763.8027 vulnerable
windows_server_2022 * 10.0.20348.4346 vulnerable
windows_server_2022_23h2 * 10.0.25398.1965 vulnerable
windows_server_2025 * 10.0.26100.7092 vulnerable

Related weakness (CWE)

CWE-362, CWE-415

Remediation plan

1

Apply official patches

Download and install the latest Microsoft security updates released for the Windows Kernel to address the improper synchronization flaw.

2

Update affected systems

Ensure Windows systems are updated beyond vulnerable builds, including Windows 10 22H2 (10.0.19045.6575), Windows 11 24H2 (10.0.26100.7092), and Windows Server 2022 (10.0.20348.4346).

3

Restrict access

Limit local interactive login access to sensitive systems and enforce the principle of least privilege (PoLP) to minimize the risk of local attackers executing exploit code.

4

Monitor for exploitation

Use EDR and SIEM tools to monitor for suspicious kernel-mode activity, unexpected privilege changes (Event ID 4672), or system processes spawning unusual child processes.

Detection Guidance

Detecting this vulnerability requires monitoring for indicators of local privilege escalation. Security teams should look for Event ID 4672 (Special privileges assigned to new logon) associated with non-admin accounts. Additionally, monitor for kernel-level anomalies or repeated service crashes that may indicate failed race condition attempts. Network signatures are less effective here due to the local attack vector, so focus on endpoint telemetry and unauthorized SYSTEM-level process execution.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215 Vendor Advisory https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-62215 US Government Resource

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)

Experience superior visibility and a simpler approach to cyber risk management

Get a demo
Free trial