CVE-2025-49659 is a high-severity vulnerability identified in Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The flaw is a buffer over-read issue located in the Windows TDX.sys driver component. A buffer over-read occurs when a program reads more data than the buffer it has allocated, potentially exposing sensitive information or causing system instability. In this case, the vulnerability allows an authorized local attacker—meaning the attacker must have some level of access to the system—to perform a local privilege escalation. This means the attacker can leverage this flaw to gain higher privileges than initially granted, potentially reaching SYSTEM-level access. The CVSS v3.1 base score is 7.8, reflecting high severity, with the vector indicating that the attack requires local access (AV:L), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), and impacts confidentiality, integrity, and availability to a high degree (C:H/I:H/A:H). The scope remains unchanged (S:U), meaning the vulnerability affects resources managed by the same security authority. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is categorized under CWE-126, which is a buffer over-read weakness, often leading to information disclosure or memory corruption. Given that TDX.sys is a kernel-mode driver, exploitation could lead to significant system compromise, including arbitrary code execution or system crashes. The vulnerability requires local access but no user interaction, making it a serious threat for environments where multiple users have local accounts or where attackers can gain initial foothold through other means.

For European organizations, this vulnerability poses a significant risk, especially in enterprises and government agencies still running Windows 10 Version 1809, which is an older but still in-use operating system version in some sectors. Successful exploitation could allow attackers to escalate privileges from a low-privileged user to SYSTEM level, enabling full control over affected machines. This could lead to data breaches, disruption of critical services, and lateral movement within corporate networks. Confidentiality, integrity, and availability of systems are all at high risk. Organizations in sectors such as finance, healthcare, critical infrastructure, and public administration are particularly vulnerable due to the sensitive nature of their data and the potential impact of system compromise. The lack of known exploits in the wild suggests that immediate mass exploitation is unlikely, but the vulnerability's presence in a core system driver and the high CVSS score indicate that attackers with local access could develop exploits rapidly. The threat is exacerbated in environments where endpoint security is weak, or where users have unnecessary local privileges. Additionally, legacy systems and those not regularly updated are at higher risk, which is a common scenario in some European organizations due to operational constraints or compatibility requirements.

1. Immediate mitigation should focus on restricting local access to trusted users only, minimizing the number of accounts with local login capabilities. 2. Implement strict privilege management policies to ensure users operate with the least privileges necessary, reducing the attack surface for privilege escalation. 3. Employ application whitelisting and endpoint detection and response (EDR) solutions capable of detecting anomalous behavior indicative of privilege escalation attempts. 4. Monitor system logs and security event logs for unusual activity related to TDX.sys or kernel driver interactions. 5. Where possible, upgrade affected systems to a newer, supported version of Windows 10 or Windows 11 that does not contain this vulnerability. 6. In environments where upgrading is not immediately feasible, consider isolating vulnerable systems from critical network segments to limit potential lateral movement. 7. Stay alert for official patches or security advisories from Microsoft and apply them promptly once available. 8. Conduct regular vulnerability assessments and penetration testing focusing on privilege escalation vectors to identify and remediate weaknesses proactively.