Critical Vulnerability in Windows Defender Firewall Exposes Sensitive Data; Patches Released

Critical Vulnerability in Windows Defender Firewall Service Exposes Sensitive Data

A significant security flaw has been identified in the Windows Defender Firewall Service, potentially allowing attackers with elevated privileges to access sensitive information stored in the system’s memory. This vulnerability, designated as CVE-2025-62468, was disclosed on December 9, 2025, and has been assigned an Important severity rating.

Understanding the Vulnerability

The core issue is an out-of-bounds read in the Windows Defender Firewall Service component. An attacker who is already authorized on the system can use it to read portions of heap memory, with no user interaction required. The flaw compromises only the confidentiality of the disclosed memory contents; it does not affect system integrity or availability. Its CVSS v3.1 base score is 4.4, reflecting the local attack vector, the high privileges required and the confidentiality-only impact.

Technical Details

– CVE ID: CVE-2025-62468
– Impact: Information Disclosure
– CVSS Score: 4.4
– Attack Vector: Local
– Attack Complexity: Low
– Privileges Required: High
– User Interaction: None

Exploiting this vulnerability requires an attacker to have high-level privileges, which limits the immediate threat scope. Microsoft has assessed the likelihood of exploitation as unlikely, noting that there have been no reports of public exploit code or active exploitation at the time of disclosure.

Affected Systems and Patches

Microsoft has released security updates to address CVE-2025-62468 across multiple Windows platforms. The affected products and their corresponding updates are as follows:

– Windows Server 2025
    – KB Articles: KB5072033, KB5072014
    – Build Numbers: 10.0.26100.7462 / 10.0.26100.7392

– Windows 11 Version 24H2 (x64 and ARM64)
    – KB Articles: KB5072033, KB5072014
    – Build Numbers: 10.0.26100.7462 / 10.0.26100.7392

– Windows Server 2022 23H2 (Server Core)
    – KB Article: KB5071542
    – Build Number: 10.0.25398.2025

– Windows 11 Version 23H2 (x64 and ARM64)
    – KB Article: KB5071417
    – Build Number: 10.0.22631.6345

– Windows 11 Version 25H2 (x64 and ARM64)
    – KB Articles: KB5072033, KB5072014
    – Build Numbers: 10.0.26200.7462 / 10.0.26200.7392

These patches are available through Microsoft Update and the Microsoft Update Catalog. Notably, Windows Server 2025 and recent Windows 11 versions have received both standard security updates and security hotpatch updates, providing flexibility in deployment strategies.

Mitigation and Recommendations

To mitigate the risks associated with this vulnerability, it is crucial for system administrators to promptly apply the provided security updates. Given that exploitation requires high-level privileges, organizations should also focus on restricting administrative access and closely monitoring activities of privileged users.
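A practical way to act on that recommendation is to check, per host, whether the running build already carries one of the listed updates. The following PowerShell script is an added example written for this article; it is not Microsoft's tooling or part of the advisory. The build numbers and KB identifiers come from the table above; the decision rules (an exact match against a listed build, a higher UBR on the same CurrentBuild, or one of the listed KBs reported by Get-HotFix) are assumptions made for the example, and the function name Test-Cve202562468Patched is invented here.

```powershell
# Added example (not from the advisory or from Microsoft): decide whether a host's
# build already carries the fix for CVE-2025-62468.
# Build numbers and KB ids below are the ones listed in the advisory table.
# The decision rules are assumptions for this example: exact build match, or a
# higher UBR on the same CurrentBuild, or a listed KB reported by Get-HotFix.

# CurrentBuild -> patched UBR values and KB ids from the advisory table.
$Cve202562468Fixes = @{
    26100 = @{ UBR = @(7462, 7392); KB = @('KB5072033', 'KB5072014') } # Server 2025, Win11 24H2
    26200 = @{ UBR = @(7462, 7392); KB = @('KB5072033', 'KB5072014') } # Win11 25H2
    25398 = @{ UBR = @(2025);       KB = @('KB5071542') }              # Server 2022 23H2 (Core)
    22631 = @{ UBR = @(6345);       KB = @('KB5071417') }              # Win11 23H2
}

function Test-Cve202562468Patched {
    # Pure decision function (hypothetical name) so it can be exercised with constructed inputs.
    param(
        [Parameter(Mandatory)][int]$CurrentBuild,
        [Parameter(Mandatory)][int]$UBR,
        [string[]]$InstalledKBs = @()
    )
    $fix = $Cve202562468Fixes[$CurrentBuild]
    if (-not $fix) {
        return [pscustomobject]@{ Status = 'NotListed'; Reason = "Build $CurrentBuild is not in the advisory table" }
    }
    if ($fix.UBR -contains $UBR) {
        return [pscustomobject]@{ Status = 'Patched'; Reason = "Build 10.0.$CurrentBuild.$UBR matches a listed patched build" }
    }
    # Assumption: a later cumulative update on the same servicing branch supersedes the fix.
    if ($UBR -gt ($fix.UBR | Measure-Object -Maximum).Maximum) {
        return [pscustomobject]@{ Status = 'Patched'; Reason = "UBR $UBR is newer than the listed patched builds" }
    }
    # Assumption: Get-HotFix may not enumerate hotpatch packages; the build check above covers those.
    $kbHit = $InstalledKBs | Where-Object { $fix.KB -contains $_ }
    if ($kbHit) {
        return [pscustomobject]@{ Status = 'Patched'; Reason = "Installed update $($kbHit -join ', ') is listed for this build" }
    }
    return [pscustomobject]@{ Status = 'Unpatched'; Reason = "Build 10.0.$CurrentBuild.$UBR predates $($fix.KB -join '/')" }
}

function Get-Cve202562468Status {
    # Live wrapper: CurrentBuild and UBR come from the registry, installed KBs from Get-HotFix.
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $kbs = Get-HotFix | ForEach-Object HotFixID
    Test-Cve202562468Patched -CurrentBuild ([int]$ver.CurrentBuild) -UBR ([int]$ver.UBR) -InstalledKBs $kbs
}

# Constructed sample inputs (not real hosts) showing the outcomes offline:
Test-Cve202562468Patched -CurrentBuild 26100 -UBR 7462                               # Patched (exact build)
Test-Cve202562468Patched -CurrentBuild 22631 -UBR 6100 -InstalledKBs @('KB5071417')  # Patched (listed KB)
Test-Cve202562468Patched -CurrentBuild 25398 -UBR 1900                               # Unpatched

# On a live host, run: Get-Cve202562468Status
```

Because the advisory lists two builds per platform (the standard update and the hotpatch), the lookup accepts either value; run the live wrapper in your inventory script and treat any Unpatched or NotListed result as a host that needs the December update applied or verified by hand.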

The underlying weakness is an out-of-bounds read (CWE-125), which lets an attacker read memory beyond the buffer's intended boundaries. Because successful exploitation requires membership in specific user groups with elevated permissions, this is a targeted threat, and organizations with strict access controls and privileged-user monitoring are best placed to contain it.

Acknowledgments

Credit for responsibly disclosing this vulnerability to Microsoft through coordinated disclosure channels goes to security researchers from Kunlun Lab.

Conclusion

While the immediate risk posed by CVE-2025-62468 may be limited due to the high privileges required for exploitation, it underscores the importance of maintaining robust access controls and promptly applying security updates. Organizations are advised to stay vigilant and ensure that their systems are protected against potential threats.