CVE-2025-60708 is a vulnerability classified under CWE-822 (Untrusted Pointer Dereference) found in the Storvsp.sys driver component of Microsoft Windows 10 Version 1607 (build 10.0.14393.0). The flaw arises when the driver dereferences pointers that have not been properly validated or sanitized, leading to potential system instability or crashes. An attacker with authorized local access and low privileges can exploit this vulnerability to trigger a denial of service condition by causing the system to crash or become unresponsive. The vulnerability does not require user interaction and has a CVSS 3.1 base score of 6.5, reflecting its medium severity. The attack vector is local, meaning remote exploitation is not feasible without prior access. The vulnerability affects only availability, with no impact on confidentiality or integrity, and the scope is changed (S:C) indicating that the vulnerability can affect resources beyond the vulnerable component. No public exploits or patches are currently available, but the issue has been officially published and reserved by Microsoft. Since Windows 10 Version 1607 is an older release, many organizations may have already migrated to newer versions, limiting the exposure. However, legacy systems still in operation remain vulnerable to potential denial of service attacks that could disrupt business operations or critical services.

For European organizations, the primary impact of CVE-2025-60708 is the potential for local denial of service attacks on systems running Windows 10 Version 1607. This could lead to unexpected system crashes, service interruptions, and downtime, particularly affecting legacy infrastructure or specialized environments that have not been upgraded. Critical systems relying on this Windows version could experience availability issues, impacting business continuity and operational efficiency. Since the vulnerability requires local access and low privileges, insider threats or compromised user accounts could exploit it to disrupt services. The lack of confidentiality or integrity impact reduces the risk of data breaches, but availability disruptions can still have significant operational and financial consequences. European sectors with strict uptime requirements, such as healthcare, finance, and manufacturing, may be particularly sensitive to such disruptions. The absence of known exploits in the wild provides some time for mitigation, but organizations should prioritize identifying and upgrading affected systems to reduce risk.

To mitigate CVE-2025-60708, European organizations should first identify all systems running Windows 10 Version 1607 (build 10.0.14393.0) using inventory and asset management tools. Since no patches are currently available, the most effective mitigation is to upgrade these systems to a supported and updated version of Windows 10 or later, where this vulnerability is not present. Organizations should also enforce strict access controls to limit local user privileges, reducing the risk of exploitation by unauthorized or low-privilege users. Implementing endpoint protection and monitoring for unusual system crashes or behavior can help detect potential exploitation attempts. Additionally, organizations should prepare incident response plans to quickly recover from denial of service conditions caused by this vulnerability. Regularly checking for Microsoft security advisories and applying patches promptly once released is critical. For environments where upgrading is not immediately feasible, isolating vulnerable systems and restricting local access can reduce exposure.