CVE-2025-49664: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Microsoft Windows 10 Version 1809
Exposure of sensitive information to an unauthorized actor in Windows User-Mode Driver Framework Host allows an authorized attacker to disclose information locally.
AI Analysis
Technical Summary
CVE-2025-49664 is a medium-severity vulnerability identified in Microsoft Windows 10 Version 1809 (build 10.0.17763.0) specifically affecting the Windows User-Mode Driver Framework Host component. The vulnerability is categorized under CWE-200, which involves the exposure of sensitive information to unauthorized actors. In this case, an authorized attacker with local access and low privileges (PR:L) can exploit the vulnerability to disclose sensitive information without requiring any user interaction (UI:N). The attack vector is local (AV:L), meaning the attacker must have some level of access to the affected system. The vulnerability does not affect integrity or availability but has a high impact on confidentiality (C:H, I:N, A:N). The CVSS v3.1 base score is 5.5, reflecting a medium severity rating. The vulnerability is exploitable without user interaction and requires low privileges, which increases the risk in environments where multiple users have local access or where privilege escalation paths exist. No known exploits are currently reported in the wild, and no patches or mitigation links have been published yet. The vulnerability could allow attackers to access sensitive information from the User-Mode Driver Framework Host process, potentially exposing system or user data that should remain confidential. This could include driver-related information or other sensitive runtime data handled by this Windows component. Since the vulnerability requires local access, it is most relevant in scenarios where attackers have gained initial footholds or where insider threats exist. The lack of user interaction requirement means automated or scripted local attacks are feasible once access is obtained.
Potential Impact
For European organizations, this vulnerability poses a risk primarily in environments where Windows 10 Version 1809 is still in use, especially in sectors with shared or multi-user systems such as corporate desktops, public access terminals, or industrial control systems using legacy Windows 10 installations. Exposure of sensitive information could lead to leakage of confidential business data, intellectual property, or personally identifiable information (PII), which could have regulatory and reputational consequences under GDPR and other data protection laws. The local attack vector limits remote exploitation but does not eliminate risk in cases of insider threats, compromised user accounts, or lateral movement by attackers within a network. Organizations with strict access controls and endpoint security may reduce risk, but those with legacy systems or insufficient segmentation could be vulnerable to data leaks. The vulnerability’s impact on confidentiality without affecting integrity or availability suggests attackers could silently gather information without detection, complicating incident response and forensic analysis. This could facilitate further attacks or data exfiltration. Given the medium severity and local access requirement, the threat is moderate but should not be ignored, especially in critical infrastructure, government, finance, and healthcare sectors prevalent in Europe, where sensitive data protection is paramount.
Mitigation Recommendations
1. Upgrade and Patch: Although no patch links are currently available, organizations should monitor Microsoft’s official channels for updates addressing CVE-2025-49664 and apply them promptly once released. 2. Limit Local Access: Restrict local user accounts and enforce the principle of least privilege to minimize the number of users who can access vulnerable systems. 3. Endpoint Security Controls: Deploy endpoint detection and response (EDR) solutions capable of monitoring unusual local access or process behavior related to the User-Mode Driver Framework Host. 4. Network Segmentation: Isolate legacy Windows 10 Version 1809 systems from critical network segments to reduce the risk of lateral movement by attackers. 5. User Account Management: Implement strong authentication and session management policies to prevent unauthorized local access. 6. System Inventory and Upgrade Planning: Identify all systems running Windows 10 Version 1809 and plan upgrades to supported Windows versions with ongoing security updates. 7. Audit and Monitoring: Enable detailed logging of local access and driver framework activities to detect potential exploitation attempts. 8. Insider Threat Programs: Enhance monitoring and controls to detect and prevent malicious insider activities that could exploit this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
CVE-2025-49664: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Microsoft Windows 10 Version 1809
Description
Exposure of sensitive information to an unauthorized actor in Windows User-Mode Driver Framework Host allows an authorized attacker to disclose information locally.
AI-Powered Analysis
Technical Analysis
CVE-2025-49664 is a medium-severity vulnerability identified in Microsoft Windows 10 Version 1809 (build 10.0.17763.0) specifically affecting the Windows User-Mode Driver Framework Host component. The vulnerability is categorized under CWE-200, which involves the exposure of sensitive information to unauthorized actors. In this case, an authorized attacker with local access and low privileges (PR:L) can exploit the vulnerability to disclose sensitive information without requiring any user interaction (UI:N). The attack vector is local (AV:L), meaning the attacker must have some level of access to the affected system. The vulnerability does not affect integrity or availability but has a high impact on confidentiality (C:H, I:N, A:N). The CVSS v3.1 base score is 5.5, reflecting a medium severity rating. The vulnerability is exploitable without user interaction and requires low privileges, which increases the risk in environments where multiple users have local access or where privilege escalation paths exist. No known exploits are currently reported in the wild, and no patches or mitigation links have been published yet. The vulnerability could allow attackers to access sensitive information from the User-Mode Driver Framework Host process, potentially exposing system or user data that should remain confidential. This could include driver-related information or other sensitive runtime data handled by this Windows component. Since the vulnerability requires local access, it is most relevant in scenarios where attackers have gained initial footholds or where insider threats exist. The lack of user interaction requirement means automated or scripted local attacks are feasible once access is obtained.
Potential Impact
For European organizations, this vulnerability poses a risk primarily in environments where Windows 10 Version 1809 is still in use, especially in sectors with shared or multi-user systems such as corporate desktops, public access terminals, or industrial control systems using legacy Windows 10 installations. Exposure of sensitive information could lead to leakage of confidential business data, intellectual property, or personally identifiable information (PII), which could have regulatory and reputational consequences under GDPR and other data protection laws. The local attack vector limits remote exploitation but does not eliminate risk in cases of insider threats, compromised user accounts, or lateral movement by attackers within a network. Organizations with strict access controls and endpoint security may reduce risk, but those with legacy systems or insufficient segmentation could be vulnerable to data leaks. The vulnerability’s impact on confidentiality without affecting integrity or availability suggests attackers could silently gather information without detection, complicating incident response and forensic analysis. This could facilitate further attacks or data exfiltration. Given the medium severity and local access requirement, the threat is moderate but should not be ignored, especially in critical infrastructure, government, finance, and healthcare sectors prevalent in Europe, where sensitive data protection is paramount.
Mitigation Recommendations
1. Upgrade and Patch: Although no patch links are currently available, organizations should monitor Microsoft’s official channels for updates addressing CVE-2025-49664 and apply them promptly once released. 2. Limit Local Access: Restrict local user accounts and enforce the principle of least privilege to minimize the number of users who can access vulnerable systems. 3. Endpoint Security Controls: Deploy endpoint detection and response (EDR) solutions capable of monitoring unusual local access or process behavior related to the User-Mode Driver Framework Host. 4. Network Segmentation: Isolate legacy Windows 10 Version 1809 systems from critical network segments to reduce the risk of lateral movement by attackers. 5. User Account Management: Implement strong authentication and session management policies to prevent unauthorized local access. 6. System Inventory and Upgrade Planning: Identify all systems running Windows 10 Version 1809 and plan upgrades to supported Windows versions with ongoing security updates. 7. Audit and Monitoring: Enable detailed logging of local access and driver framework activities to detect potential exploitation attempts. 8. Insider Threat Programs: Enhance monitoring and controls to detect and prevent malicious insider activities that could exploit this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- microsoft
- Date Reserved
- 2025-06-09T17:28:52.663Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 686d50d56f40f0eb72f91bc3
Added to database: 7/8/2025, 5:09:41 PM
Last enriched: 8/19/2025, 12:52:01 AM
Last updated: 8/19/2025, 12:52:01 AM
Views: 15
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.