CVE-2025-59033: n/a
The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. On systems that do not have hypervisor-protected code integrity (HVCI) enabled, entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate’s TBS hash along with a 'FileAttribRef' qualifier (such as file name or version) will not be blocked. This vulnerability affects any Windows system that does not have HVCI enabled or supported (HVCI is available in Windows 10, Windows 11, and Windows Server 2016 and later). NOTE: The vendor states that the driver blocklist is intended for use with HVCI, while systems without HVCI should use App Control, and any custom blocklist entries require a granular approach for proper enforcement.
AI Analysis
Technical Summary
CVE-2025-59033 is a vulnerability affecting the Microsoft Windows vulnerable driver block list implementation, specifically when used without Hypervisor-Protected Code Integrity (HVCI) enabled. The vulnerable driver block list is enforced through Windows Defender Application Control (WDAC) policies. On systems lacking HVCI, entries that specify only the to-be-signed (TBS) portion of the code signer certificate are correctly blocked, preventing potentially malicious drivers from loading. However, entries that specify the signing certificate's TBS hash combined with a 'FileAttribRef' qualifier, such as file name or version, are not effectively blocked. This means that malicious drivers signed with a certificate matching these criteria could bypass the blocklist and load on vulnerable systems. HVCI is a security feature available on Windows 10, Windows 11, and Windows Server 2016 and later, which enforces code integrity protections at the hypervisor level, providing stronger enforcement of driver blocklists. The vendor clarifies that the driver blocklist is intended to be used alongside HVCI, and that systems without HVCI should rely on App Control with a more granular approach to blocklist entries for proper enforcement. This vulnerability affects any Windows system without HVCI enabled or supported, which could include older systems or those with hardware or configuration limitations preventing HVCI activation. No CVSS score has been assigned yet, and no known exploits are reported in the wild as of the publication date.
Potential Impact
For European organizations, this vulnerability could allow malicious or unauthorized drivers to load on Windows systems that do not have HVCI enabled, potentially leading to privilege escalation, persistence, or evasion of security controls. Drivers operate at a high privilege level within the operating system, so bypassing the blocklist could enable attackers to execute arbitrary code with kernel-level privileges, compromising system confidentiality, integrity, and availability. This risk is particularly relevant for organizations running legacy Windows versions or hardware that does not support HVCI, including some industrial control systems, enterprise endpoints, or servers. The inability to fully enforce driver blocklists without HVCI could undermine endpoint security strategies, increase the attack surface, and complicate compliance with security standards requiring strict control over kernel-mode code. However, the absence of known exploits and the requirement for specific blocklist configurations reduce the immediate risk. Organizations that have already enabled HVCI or use App Control with granular policies are less impacted. Still, this vulnerability highlights the importance of enabling advanced code integrity protections and carefully managing driver blocklists to prevent kernel-level compromise.
Mitigation Recommendations
European organizations should prioritize enabling Hypervisor-Protected Code Integrity (HVCI) on all supported Windows 10, Windows 11, and Windows Server 2016+ systems to ensure robust enforcement of the vulnerable driver blocklist. This may require hardware compatibility checks, firmware updates, and configuration changes in group policies or endpoint management tools. For systems where HVCI cannot be enabled, organizations should implement Windows Defender Application Control (App Control) with carefully crafted, granular blocklist entries that do not rely solely on the signing certificate's TBS hash combined with file attribute qualifiers. Regularly review and update blocklist policies to ensure they effectively block unauthorized drivers. Additionally, maintain up-to-date endpoint detection and response (EDR) solutions capable of detecting suspicious driver behavior and kernel-level anomalies. Organizations should also monitor Microsoft security advisories for patches or updates addressing this vulnerability and apply them promptly once available. Conducting thorough inventory and risk assessments of Windows systems lacking HVCI will help prioritize remediation efforts. Finally, educate IT and security teams about the limitations of driver blocklists without HVCI and the importance of layered security controls to mitigate kernel-level threats.
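As an aid to the blocklist review recommended above, here is an added audit script (not code from the page, Microsoft, or the vendor) that parses an App Control policy in the WDAC XML format and flags the Deny signer entries the technical summary describes, a TBS CertRoot combined with a FileAttribRef qualifier, as enforced only when HVCI is on. The sample policy is constructed, the TBS values are placeholders, and the element layout (FileAttrib under FileRules, FileAttribRef inside Signer, DeniedSigner under SigningScenarios) is assumed to follow the sipolicy schema.

```python
# Added example: audit an App Control / WDAC policy for Deny signer rules that,
# per CVE-2025-59033, are only enforced with HVCI (TBS CertRoot + FileAttribRef).
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Constructed sample policy; the TBS values are placeholders, not real hashes.
SAMPLE_POLICY = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <FileRules><FileAttrib ID="ID_FILEATTRIB_F_1" FileName="example.sys" MinimumFileVersion="1.0.0.0" /></FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="TBS-only deny">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH_1" />
    </Signer>
    <Signer ID="ID_SIGNER_S_2" Name="TBS plus FileAttribRef deny">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH_2" />
      <FileAttribRef RuleID="ID_FILEATTRIB_F_1" />
    </Signer>
  </Signers>
  <SigningScenarios><SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1">
    <ProductSigners><DeniedSigners>
      <DeniedSigner SignerId="ID_SIGNER_S_1" /><DeniedSigner SignerId="ID_SIGNER_S_2" />
    </DeniedSigners></ProductSigners>
  </SigningScenario></SigningScenarios>
</SiPolicy>"""


def audit_denied_signers(policy_xml: str) -> list:
    """One record per DeniedSigner: ID, TBS value, FileAttrib file names, HVCI dependence."""
    root = ET.fromstring(policy_xml)
    attribs = {a.get("ID"): a for a in root.iterfind(".//si:FileRules/si:FileAttrib", NS)}
    signers = {s.get("ID"): s for s in root.iterfind(".//si:Signers/si:Signer", NS)}
    report = []
    for denied in root.iterfind(".//si:DeniedSigners/si:DeniedSigner", NS):
        signer = signers[denied.get("SignerId")]
        cert = signer.find("si:CertRoot", NS)
        is_tbs = cert is not None and cert.get("Type") == "TBS"
        refs = [r.get("RuleID") for r in signer.iterfind("si:FileAttribRef", NS)]
        report.append({
            "signer": signer.get("ID"),
            "tbs": cert.get("Value") if is_tbs else None,
            "file_attribs": [attribs[r].get("FileName") for r in refs],
            # TBS + FileAttribRef is the combination the advisory says is not blocked without HVCI.
            "hvci_required": is_tbs and bool(refs),
        })
    return report
```

Entries with `hvci_required` set are the ones to rewrite as granular rules, or to treat as unenforced, on hosts where HVCI cannot be turned on.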
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Poland, Netherlands, Belgium, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68bef375d5a2966cfc808f14
Added to database: 9/8/2025, 3:17:09 PM
Last enriched: 9/8/2025, 3:31:25 PM
Last updated: 9/9/2025, 3:36:34 PM