CVE-2025-27736 is a vulnerability identified in Microsoft Windows 10 Version 1607, specifically within the Windows Power Dependency Coordinator component. The flaw is categorized under CWE-200, indicating an exposure of sensitive information to unauthorized actors. The vulnerability allows an attacker who already has local access and low-level privileges (PR:L) to disclose sensitive information without requiring user interaction (UI:N). The attack vector is local (AV:L), meaning the attacker must have physical or remote desktop access to the affected machine. The vulnerability does not impact the integrity or availability of the system but compromises confidentiality (C:H). The CVSS 3.1 base score is 5.5, reflecting a medium severity level. The scope is unchanged (S:U), meaning the vulnerability affects only the vulnerable component and does not extend privileges or impact other system components. The vulnerability was reserved in early March 2025 and published in April 2025, with no known exploits in the wild and no patches currently linked. The Windows Power Dependency Coordinator is responsible for managing power dependencies between system components, and improper handling of sensitive information within this service can lead to unauthorized disclosure. Since exploitation requires local privileges, the threat is limited to environments where attackers can gain local access, such as compromised user accounts or insider threats. This vulnerability is particularly relevant for organizations still running the legacy Windows 10 Version 1607, which is an older release and may no longer be supported with security updates.

For European organizations, the primary impact of CVE-2025-27736 is the potential unauthorized disclosure of sensitive information on systems running Windows 10 Version 1607. This could include exposure of configuration details, credentials, or other sensitive data managed by the Power Dependency Coordinator. While the vulnerability does not allow remote exploitation or system compromise, it poses a risk in environments where local access controls are weak or where insider threats exist. Organizations in sectors such as government, critical infrastructure, finance, and healthcare that may still operate legacy Windows 10 systems could face increased risk of data leakage. The confidentiality breach could lead to further targeted attacks if sensitive information is leveraged by attackers. However, the lack of impact on integrity and availability limits the potential for direct operational disruption. The medium severity rating reflects this moderate risk profile. The absence of known exploits reduces immediate threat but does not eliminate the need for proactive mitigation, especially in regulated environments with strict data protection requirements under GDPR.

To mitigate CVE-2025-27736, European organizations should prioritize upgrading affected systems from Windows 10 Version 1607 to a currently supported Windows version that receives security updates. If immediate upgrade is not feasible, organizations should enforce strict local access controls, ensuring that only trusted users have local login privileges. Implementing robust endpoint security solutions that monitor for unusual local activity can help detect potential exploitation attempts. Network segmentation and limiting administrative privileges reduce the attack surface. Additionally, organizations should audit and harden configurations related to the Windows Power Dependency Coordinator service to minimize sensitive data exposure. Regularly reviewing and applying any forthcoming patches from Microsoft is critical once available. User education about the risks of local credential compromise and insider threats will further reduce exploitation likelihood. Finally, maintaining comprehensive logging and monitoring on affected systems will aid in early detection and response to any suspicious activity related to this vulnerability.