CVE-2025-60720 is a buffer over-read vulnerability classified under CWE-126 found in the Windows TDX.sys driver component of Microsoft Windows 10 Version 1809 (build 10.0.17763.0). The vulnerability arises due to improper bounds checking within the TDX.sys driver, which leads to reading memory beyond the intended buffer boundaries. This flaw can be exploited by an attacker who already has authorized local access to the system to elevate their privileges. The attack does not require user interaction and can compromise the confidentiality, integrity, and availability of the affected system by allowing unauthorized access to sensitive kernel memory or execution of arbitrary code with elevated privileges. The CVSS 3.1 base score is 7.8, indicating a high severity level, with attack vector local, low attack complexity, and requiring privileges but no user interaction. Although no known exploits are currently in the wild, the vulnerability is critical for environments where Windows 10 Version 1809 is still in use, particularly because this version is no longer the latest and may not receive regular updates. The vulnerability was published on November 11, 2025, and no patches have been linked yet, emphasizing the need for vigilance and proactive mitigation. The TDX.sys driver is related to Intel Trust Domain Extensions, which are used for hardware-based security features, making this vulnerability particularly sensitive as it could undermine trusted execution environments.

For European organizations, the impact of CVE-2025-60720 can be significant, especially in sectors relying on legacy Windows 10 Version 1809 systems such as government agencies, healthcare, finance, and critical infrastructure. Successful exploitation allows an attacker with local access to escalate privileges, potentially gaining full system control, bypassing security controls, and accessing sensitive data. This can lead to data breaches, disruption of services, and compromise of system integrity. The vulnerability affects confidentiality by exposing kernel memory, integrity by enabling unauthorized code execution, and availability by potentially causing system crashes or denial of service. Since the attack requires local access, insider threats or attackers who have already compromised lower-privilege accounts pose the greatest risk. The lack of public exploits currently reduces immediate risk but also means organizations must be proactive before exploitation becomes widespread. The use of this older Windows version in some European enterprises and public sector organizations increases the scope of affected systems.

1. Apply security patches from Microsoft immediately once they become available for Windows 10 Version 1809 systems. 2. If patches are not yet available, restrict local access to affected systems by enforcing strict access controls and monitoring privileged account usage. 3. Employ endpoint detection and response (EDR) solutions to detect anomalous local privilege escalation attempts. 4. Consider upgrading affected systems to a supported and fully patched Windows version to reduce exposure to legacy vulnerabilities. 5. Implement application whitelisting and least privilege principles to limit the impact of potential exploits. 6. Conduct regular security audits and vulnerability assessments focusing on legacy Windows deployments. 7. Educate internal users about the risks of privilege escalation and insider threats. 8. Monitor logs for unusual activity related to TDX.sys or kernel driver interactions. 9. Isolate critical systems using network segmentation to limit lateral movement if exploitation occurs.