CVE-2025-27475 is a vulnerability classified under CWE-591, which concerns sensitive data storage in improperly locked memory. Specifically, this flaw exists in the Windows Update Stack of Microsoft Windows 11 version 22H2 (build 10.0.22621.0). The vulnerability allows an attacker who already has local authorized access with low privileges to elevate their privileges on the system. The root cause is that sensitive data is stored in memory regions that are not properly locked, potentially allowing unauthorized access or leakage of this data. This can lead to compromise of confidentiality, integrity, and availability of the system. The CVSS 3.1 base score is 7.0, indicating high severity, with vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, meaning the attack requires local access, high attack complexity, low privileges, no user interaction, unchanged scope, and impacts confidentiality, integrity, and availability to a high degree. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and patched status is pending. The issue is significant because Windows Update is a critical component, and exploitation could allow attackers to gain elevated privileges and potentially control the system or bypass security controls. The vulnerability was reserved in February 2025 and published in April 2025.

For European organizations, this vulnerability poses a significant risk due to the widespread use of Windows 11 version 22H2 in enterprise environments. Successful exploitation could allow attackers with local access—such as malicious insiders or attackers who have gained initial footholds via other means—to escalate privileges and gain administrative control. This could lead to data breaches, disruption of critical services, and compromise of sensitive information. The impact is particularly severe for sectors with high-value targets like finance, healthcare, government, and critical infrastructure. The vulnerability affects confidentiality, integrity, and availability, potentially enabling attackers to install persistent malware, exfiltrate data, or disrupt operations. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits rapidly following disclosure. European organizations must consider the threat in the context of local regulatory requirements for data protection and incident response.

1. Apply official patches from Microsoft immediately once they become available to remediate the vulnerability in the Windows Update Stack. 2. Until patches are deployed, restrict local access to systems running Windows 11 22H2 by enforcing strict access controls and monitoring for unauthorized logins. 3. Implement robust endpoint detection and response (EDR) solutions to detect suspicious privilege escalation attempts. 4. Use application whitelisting and least privilege principles to limit the ability of attackers to execute unauthorized code. 5. Conduct regular audits of local user accounts and remove or disable unnecessary accounts to reduce attack surface. 6. Employ memory protection and hardening techniques where possible, such as enabling Windows Defender Credential Guard and other built-in security features. 7. Educate IT staff and users about the risks of local privilege escalation and the importance of reporting unusual system behavior. 8. Monitor Windows Update logs and system event logs for anomalies that may indicate exploitation attempts.