CVE-2025-24987 is a security vulnerability identified as an out-of-bounds read (CWE-125) in the Windows USB Video Driver component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). This vulnerability allows an authorized attacker with physical access to the affected system to perform a privilege escalation attack. Specifically, the flaw arises when the USB Video Driver improperly handles memory bounds, leading to the reading of memory outside the intended buffer. This can result in the attacker gaining elevated privileges on the system, potentially allowing them to execute arbitrary code with higher permissions or access sensitive information. The attack vector requires physical access (AV:P), low attack complexity (AC:L), and the attacker must already have limited privileges (PR:L) on the system. No user interaction is required (UI:N), and the scope remains unchanged (S:U). The vulnerability impacts confidentiality, integrity, and availability with high potential impact (C:H/I:H/A:H). The CVSS v3.1 base score is 6.6, categorized as medium severity. There are no known exploits in the wild as of the publication date (March 11, 2025), and no patches have been linked yet. Since the vulnerability affects an older Windows 10 version (1809), systems still running this version are at risk. The physical access requirement limits remote exploitation but does not diminish the risk in environments where physical security is weak or where insider threats exist. The vulnerability is significant because USB Video Drivers are commonly used for webcams and video capture devices, which are prevalent in enterprise and personal computing environments. An attacker exploiting this vulnerability could bypass security controls and gain administrative privileges, leading to full system compromise.

For European organizations, the impact of CVE-2025-24987 can be substantial, especially in sectors where Windows 10 Version 1809 remains in use, such as legacy industrial systems, government agencies, or enterprises with slow update cycles. The ability to elevate privileges via a physical attack means that insider threats or attackers with temporary physical access (e.g., in shared office spaces, public terminals, or during device maintenance) could compromise sensitive systems. This could lead to unauthorized access to confidential data, disruption of critical services, or installation of persistent malware. The high impact on confidentiality, integrity, and availability means that critical infrastructure, financial institutions, healthcare providers, and public administration entities could face severe operational and reputational damage if exploited. Additionally, the lack of a patch at the time of disclosure increases the window of exposure. Organizations with strict physical security controls and device management policies may mitigate risk, but those with less stringent controls are more vulnerable. The threat also underscores the importance of updating legacy systems or isolating them from sensitive networks to reduce attack surface.

1. Immediate mitigation should focus on enhancing physical security controls to prevent unauthorized physical access to devices running Windows 10 Version 1809. This includes secure facility access, device locking, and surveillance. 2. Organizations should prioritize upgrading affected systems to a supported and patched version of Windows 10 or later, as Microsoft is expected to release a patch addressing this vulnerability. 3. Implement strict device control policies to limit the use of USB video devices and restrict driver installation privileges to trusted administrators only. 4. Employ endpoint detection and response (EDR) solutions capable of monitoring for unusual privilege escalation attempts or suspicious USB device activity. 5. Conduct regular audits of systems to identify those still running Windows 10 Version 1809 and plan for their timely upgrade or isolation. 6. Educate staff about the risks of physical attacks and enforce policies to prevent unauthorized device access or tampering. 7. Use application whitelisting and least privilege principles to minimize the impact of potential exploitation. 8. Monitor security advisories from Microsoft and apply patches promptly once available.