CVE-2025-59033: CWE-420 Unprotected Alternate Channel in Microsoft Windows
The Microsoft vulnerable driver block list is implemented as Windows Defender Application Control (WDAC) policy. On systems that do not have hypervisor-protected code integrity (HVCI) enabled, entries that specify only the to-be-signed (TBS) part of the code signer certificate are properly blocked, but entries that specify the signing certificate’s TBS hash along with a 'FileAttribRef' qualifier (such as file name or version) will not be blocked. This vulnerability affects any Windows system that does not have HVCI enabled or supported (HVCI is available in Windows 10, Windows 11, and Windows Server 2016 and later). NOTE: The vendor states that the driver blocklist is intended for use with HVCI, while systems without HVCI should use App Control, and any custom blocklist entries require a granular approach for proper enforcement.
AI Analysis
Technical Summary
CVE-2025-59033 is a vulnerability classified under CWE-420 (Unprotected Alternate Channel) and CWE-693, affecting Microsoft Windows 10 and later versions that do not have Hypervisor-Protected Code Integrity (HVCI) enabled or supported. The vulnerability stems from the implementation of the vulnerable driver blocklist as part of the Windows Defender Application Control (WDAC) policy. On systems without HVCI, blocklist entries that specify only the to-be-signed (TBS) portion of the code signer certificate are correctly blocked. However, entries that specify the signing certificate's TBS hash combined with a 'FileAttribRef' qualifier, such as file name or version, are not effectively blocked. This creates an unprotected alternate channel that attackers could exploit to load malicious or unauthorized drivers, bypassing the intended security controls. HVCI, available in Windows 10, Windows 11, and Windows Server 2016 and later, provides enhanced kernel-mode code integrity protection using virtualization-based security. The vendor notes that the driver blocklist is intended for use with HVCI, and that systems without HVCI should rely on App Control with granular blocklist entries for proper enforcement. The vulnerability has a CVSS v3.1 base score of 7.4 (high severity); its vector reflects a local attack vector with high attack complexity, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability. No public exploits or active exploitation have been reported to date.
Potential Impact
For European organizations, this vulnerability poses a significant risk, particularly for those running Windows 10 or later without HVCI enabled. Exploitation could allow attackers to load malicious drivers, leading to full system compromise, data theft, or disruption of critical services. This is especially concerning for sectors with high security requirements such as government, finance, healthcare, and critical infrastructure. The ability to bypass driver blocklists undermines trust in kernel-mode code integrity, potentially enabling persistent malware, rootkits, or advanced persistent threats (APTs). The impact extends to confidentiality, integrity, and availability of systems and data. Organizations relying on custom blocklists without HVCI may have a false sense of security, increasing their exposure. Given the widespread use of Windows in Europe, the vulnerability could affect a broad range of enterprises and public sector entities.
Mitigation Recommendations
European organizations should prioritize enabling Hypervisor-Protected Code Integrity (HVCI) on all supported Windows 10, Windows 11, and Windows Server 2016+ systems to ensure proper enforcement of the vulnerable driver blocklist. Where HVCI is not supported or cannot be enabled, administrators must use Windows Defender Application Control (WDAC) with carefully crafted, granular blocklist entries avoiding reliance on the signing certificate's TBS hash combined with 'FileAttribRef' qualifiers. Regularly review and audit custom blocklists to ensure they do not include vulnerable entry types. Employ comprehensive endpoint detection and response (EDR) solutions to monitor for unauthorized driver loads and suspicious kernel activity. Maintain up-to-date system patches and security baselines. Additionally, implement strict access controls to limit local attack vectors, as the vulnerability requires local access with high attack complexity. Educate IT staff on the limitations of blocklist enforcement without HVCI and encourage migration to supported hardware and OS configurations that enable virtualization-based security features.
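As an added example (not Microsoft's code and not part of this advisory), the following Python script performs the blocklist audit recommended above: it parses a WDAC policy XML and flags every deny entry whose Signer carries a TBS CertRoot together with a FileAttribRef, the entry shape that is not enforced without HVCI. It assumes the standard WDAC policy schema (the urn:schemas-microsoft-com:sipolicy namespace, Signer/CertRoot/FileAttribRef elements, and DeniedSigner references under SigningScenarios); the embedded sample policy, its signer names and its TBS values are constructed placeholders.

```python
# Added example (not Microsoft's tooling): audit a WDAC policy XML for deny
# rules that combine a TBS signer with a FileAttribRef, the entry shape that
# CVE-2025-59033 describes as unenforced on systems without HVCI.
# Assumes the standard WDAC policy schema (urn:schemas-microsoft-com:sipolicy).
import xml.etree.ElementTree as ET

NS = {"si": "urn:schemas-microsoft-com:sipolicy"}

# Kernel-mode signing scenario value in WDAC policies; 12 is user mode.
KERNEL_MODE_SCENARIO = "131"

# Constructed sample policy: signer names and TBS values are placeholders.
SAMPLE_POLICY = """
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.0</VersionEx>
  <FileRules>
    <FileAttrib ID="ID_FILEATTRIB_EXAMPLE" FriendlyName="example.sys"
                FileName="example.sys" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_TBS_ONLY" Name="Constructed Signer One">
      <CertRoot Type="TBS" Value="00000000PLACEHOLDER00000000" />
    </Signer>
    <Signer ID="ID_SIGNER_TBS_WITH_ATTRIB" Name="Constructed Signer Two">
      <CertRoot Type="TBS" Value="11111111PLACEHOLDER11111111" />
      <FileAttribRef RuleID="ID_FILEATTRIB_EXAMPLE" />
    </Signer>
  </Signers>
  <SigningScenarios>
    <SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel-mode">
      <ProductSigners>
        <DeniedSigners>
          <DeniedSigner SignerId="ID_SIGNER_TBS_ONLY" />
          <DeniedSigner SignerId="ID_SIGNER_TBS_WITH_ATTRIB" />
        </DeniedSigners>
      </ProductSigners>
    </SigningScenario>
  </SigningScenarios>
</SiPolicy>
"""


def find_hvci_dependent_denies(policy_xml: str) -> list[dict]:
    """Return deny entries whose Signer uses a TBS CertRoot plus FileAttribRef.

    Each finding records the signing scenario, the signer, and the referenced
    file attributes so an administrator can decide how to restate the rule.
    """
    root = ET.fromstring(policy_xml)
    file_attribs = {
        fa.get("ID"): dict(fa.attrib)
        for fa in root.iterfind(".//si:FileRules/si:FileAttrib", NS)
    }
    signers = {s.get("ID"): s for s in root.iterfind(".//si:Signers/si:Signer", NS)}

    findings = []
    for scenario in root.iterfind(".//si:SigningScenario", NS):
        for denied in scenario.iterfind(".//si:DeniedSigners/si:DeniedSigner", NS):
            signer = signers.get(denied.get("SignerId"))
            if signer is None:
                continue  # dangling reference; outside this audit's scope
            cert_root = signer.find("si:CertRoot", NS)
            refs = signer.findall("si:FileAttribRef", NS)
            if cert_root is None or cert_root.get("Type") != "TBS" or not refs:
                continue  # pure TBS deny (or non-TBS rule): enforced without HVCI
            findings.append({
                "scenario": scenario.get("Value"),
                "kernel_mode": scenario.get("Value") == KERNEL_MODE_SCENARIO,
                "signer_id": signer.get("ID"),
                "signer_name": signer.get("Name"),
                "file_attribs": [
                    file_attribs.get(r.get("RuleID"), {"ID": r.get("RuleID")}) for r in refs
                ],
            })
    return findings


if __name__ == "__main__":
    for f in find_hvci_dependent_denies(SAMPLE_POLICY):
        names = ", ".join(a.get("FileName", a.get("ID", "?")) for a in f["file_attribs"])
        print(f"scenario {f['scenario']} signer {f['signer_id']} ({f['signer_name']}): "
              f"TBS + FileAttribRef [{names}] -> not enforced without HVCI")
```

Run it against an exported policy (for example `find_hvci_dependent_denies(Path("policy.xml").read_text())`) as part of the periodic blocklist review; on a given host, pair the result with a check of HVCI state (the Win32_DeviceGuard CIM class under root\Microsoft\Windows\DeviceGuard reports running HVCI as value 2 in SecurityServicesRunning) to know whether the flagged entries are actually unenforced there.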
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-08T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68bef375d5a2966cfc808f14
Added to database: 9/8/2025, 3:17:09 PM
Last enriched: 10/28/2025, 3:55:56 AM
Last updated: 10/30/2025, 6:00:27 AM
Views: 348