Issuing CNA: Microsoft

Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.

What privileges could an attacker gain with successful exploitation?

An attacker who successfully exploited the vulnerability could elevate their privileges as ‘NT AUTHORITY\SYSTEM’ user and perform arbitrary code execution.

What actions do customers need to take to protect themselves from this vulnerability?

Customers should update their Azure Connected Machine Agent to the latest version. For more information, see What's new with Azure Connected Machine agent.

According to the CVSS metric, the attack vector is local (AV:L) and privileges required is low (PR:L). What does this mean in the context of this elevation of privilege vulnerability?

An attacker needs to be authorized as a standard user on the localhost to execute this attack. They could then elevate their privileges to perform unauthorized operations.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

Information published.

Issuing CNA: AMD

Microsoft is aware of AMD-SB-3020 | CVE-2025-0033 disclosed by AMD on October 13, 2025.

CVE-2025-0033 is a vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP). It involves a race condition during Reverse Map Table (RMP) initialization that could allow a malicious or compromised hypervisor to modify RMP entries before they are locked, potentially impacting the integrity of SEV-SNP guest memory. This issue does not expose plaintext data or secrets and requires privileged control of the hypervisor to exploit.

Across Azure Confidential Computing products, multiple security guardrails are in place to prevent host compromise, combining isolation, integrity verification and continuous monitoring. All host operations follow audited and approved management pathways, with administrative access strictly controlled, limited and logged. Together, these protections reduce the risk of host compromise or unauthorized memory manipulation, helping ensure that confidential workloads and customer VMs maintain their confidentiality and integrity on Azure hosts.

When will an update be available to address this vulnerability?

Updates to mitigate this vulnerability in Azure Confidential Computing's (ACC) AMD-based clusters are being developed but are not yet complete. Once complete, the updates with be deployed across all AMD-based infrastructure and customers will be notified via Azure Service Health Alerts if they are required to reboot their ACC resources. The Security Updates table for this CVE will be updated immediately upon availability of the mitigated versions for any affected ACC product SKUs.

Additionally, customers who have subscribed to the Security Update Guide will be notified when this CVE is revised to indicate updates are available. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE.

Information published.

Issuing CNA: Microsoft

Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

Issuing CNA: Microsoft

Use after free in Windows Device Association Broker service allows an authorized attacker to elevate privileges locally.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker could use this vulnerability to elevate privileges from Medium Integrity Level to Local Service.

Information published.

Issuing CNA: Microsoft

Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges locally.

How could an attacker exploit this vulnerability?

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

The attacker would be able to take over the mailboxes of all Exchange users, read emails, download attachments.

Information published.

Issuing CNA: Microsoft

Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain the privileges of the authenticated user.

According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability?

An authenticated attacker could place a malicious file in the core project path and then wait for a user with admin privileges to create or build a .NET project to gain elevated privileges.

Information published.

Issuing CNA: Microsoft

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

How could an attacker exploit the vulnerability?

An authenticated attacker could exploit the vulnerability by sending a malicious http request to the web server.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to a high loss of confidentiality (C:H), and integrity (I:H) and some loss of availability (A:L). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could view sensitive information such as other user's credentials (Confidentiality) and make changes to file contents on the target server (Integrity), and they might be able to force a crash within the server (Availability).

What should I do to make sure my ASP.NET Core application is protected

• If you are running .NET 8 or later install the .NET update from Microsoft Update, then restart your application or reboot the machine.

• If you are running .NET 2.3 you must update the package reference for Microsoft.AspNet.Server.Kestrel.Core to 2.3.6, then recompile your application and redeploy.

• If you are running a self-contained/single-file application, install the .NET update, recompile your application and redeploy.

According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?

An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker who successfully exploited this vulnerability could smuggle another HTTP request and bypass front-end security controls or hijack other users' credentials.

Information published.

Issuing CNA: Microsoft

Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.

Fax modem hardware dependent on this specific driver will no longer work on Windows.

Microsoft recommends removing any existing dependencies on this hardware.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.

Is the vulnerability only exploitable if the Agere Modem is actively being used?

No. All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used.

Information published.

Issuing CNA: Microsoft

Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.

Fax modem hardware dependent on this specific driver will no longer work on Windows.

Microsoft recommends removing any existing dependencies on this hardware.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain administrator privileges.

Is the vulnerability only exploitable if the Agere Modem is actively being used?

No. All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used.

Information published.

Issuing CNA: Microsoft

Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to elevate privileges locally.

What privileges could be gained by an attacker who successfully exploited the vulnerability?

An attacker who successfully exploited this vulnerability could gain sysadmin privileges.

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by injecting malicious SQL into the SyncToken method, allowing execution of arbitrary queries as the SMS service.

Information published.

Issuing CNA: Microsoft

Buffer over-read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.

What type of information could be disclosed by this vulnerability?

An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory.

Information published.

Issuing CNA: Microsoft

Incomplete comparison with missing factors in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

Information published.

Issuing CNA: Microsoft

Use after free in Windows NTFS allows an unauthorized attacker to elevate privileges locally.

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?

Successful exploitation of this vulnerability requires an attacker to win a race condition.

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Information published.

Issuing CNA: Microsoft

Exposure of sensitive information to an unauthorized actor in Windows Cloud Files Mini Filter Driver allows an authorized attacker to disclose information locally.

What type of information could be disclosed by this vulnerability?

Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could be potentially leveraged by an attacker for other malicious activities.

Information published.

Issuing CNA: Microsoft

Missing Ability to Patch ROM Code in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.

Information published.