Vulnerabilities ›

CVE-2026-25175

High

Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.

CWE-125 — Weakness Type

                    Published: Mar 10, 2026                      ·  Modified: Mar 17, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.

🤖 AI Executive Summary

CVE-2026-25175 is a high-severity out-of-bounds read vulnerability in Windows NTFS affecting multiple Windows 10 versions. An authorized local attacker can exploit this flaw to elevate privileges, potentially gaining system-level access. While no public exploit is currently available, the vulnerability requires immediate patching across all affected Windows 10 builds to prevent privilege escalation attacks in Saudi organizations.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 07:02

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi government agencies, banking sector (SAMA-regulated institutions), healthcare facilities, and critical infrastructure operators relying on Windows 10 systems. Government entities using Windows 10 for administrative functions face elevated risk of insider threats and privilege escalation attacks. Banking and financial institutions are particularly vulnerable as compromised workstations could lead to unauthorized access to sensitive financial systems. Energy sector organizations and telecommunications providers (STC) managing critical infrastructure must prioritize patching to prevent lateral movement within their networks.

🏢 Affected Saudi Sectors

Government & Public Administration Banking & Financial Services Healthcare & Medical Institutions Energy & Utilities (ARAMCO, power generation) Telecommunications (STC, Mobily, Zain) Critical Infrastructure Education & Universities Defense & Security

🎯 MITRE ATT&CK Techniques

T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1548 - Abuse Elevation Control Mechanism T1134 - Access Token Manipulation T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1574 - Hijack Execution Flow

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Inventory all Windows 10 systems across affected versions (1607, 1809, 21H2, 22H2) in your organization

2. Prioritize patching for systems with high-privilege user accounts and administrative access

3. Restrict local administrative access and enforce principle of least privilege

4. Monitor for suspicious privilege escalation attempts in security logs

PATCHING GUIDANCE:

1. Apply Microsoft security updates immediately upon availability through Windows Update or WSUS

2. Test patches in non-production environments before enterprise deployment

3. Prioritize patching for domain-joined systems and servers first

4. Ensure all Windows 10 versions (1607, 1809, 21H2, 22H2) receive updates

COMPENSATING CONTROLS (if patching delayed):

1. Disable NTFS access for non-administrative users where operationally feasible

2. Implement application whitelisting to prevent unauthorized privilege escalation tools

3. Enable Windows Defender Exploit Guard and Attack Surface Reduction rules

4. Enforce multi-factor authentication for administrative accounts

5. Implement file integrity monitoring on critical NTFS volumes

DETECTION RULES:

1. Monitor Event ID 4688 (Process Creation) for suspicious NTFS-related system calls

2. Alert on unexpected privilege elevation attempts (Event ID 4672)

3. Monitor for unusual file system access patterns and NTFS metadata modifications

4. Track failed and successful privilege escalation attempts in Windows Security logs

5. Implement EDR solutions to detect out-of-bounds memory access patterns

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بحصر جميع أنظمة Windows 10 في الإصدارات المتأثرة (1607، 1809، 21H2، 22H2) في مؤسستك

2. أعط الأولوية لتصحيح الأنظمة ذات حسابات المستخدمين عالية الامتيازات والوصول الإداري

3. قيد الوصول الإداري المحلي وفرض مبدأ أقل امتياز

4. راقب محاولات الارتقاء بالامتيازات المريبة في سجلات الأمان

إرشادات التصحيح:

1. طبق تحديثات أمان Microsoft فوراً عند توفرها عبر Windows Update أو WSUS

2. اختبر التصحيحات في بيئات غير الإنتاج قبل نشرها على مستوى المؤسسة

3. أعط الأولوية لتصحيح الأنظمة المرتبطة بالمجال والخوادم أولاً

4. تأكد من حصول جميع إصدارات Windows 10 (1607، 1809، 21H2، 22H2) على التحديثات

الضوابط البديلة (إذا تأخر التصحيح):

1. عطل وصول NTFS للمستخدمين غير الإداريين حيث يكون ذلك ممكناً من الناحية التشغيلية

2. طبق قائمة بيضاء للتطبيقات لمنع أدوات الارتقاء بالامتيازات غير المصرح بها

3. فعّل Windows Defender Exploit Guard وقواعد تقليل سطح الهجوم

4. فرض المصادقة متعددة العوامل لحسابات المسؤولين

5. طبق مراقبة سلامة الملفات على أحجام NTFS الحرجة

قواعد الكشف:

1. راقب معرف الحدث 4688 (إنشاء العملية) لاستدعاءات نظام NTFS المريبة

2. أصدر تنبيهات لمحاولات الارتقاء بالامتيازات غير المتوقعة (معرف الحدث 4672)

3. راقب أنماط الوصول غير العادية لنظام الملفات وتعديلات بيانات تعريف NTFS

4. تتبع محاولات الارتقاء بالامتيازات الفاشلة والناجحة في سجلات أمان Windows

5. طبق حلول EDR للكشف عن أنماط الوصول إلى الذاكرة خارج الحدود

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 - 5.1.1 Access Control Policy ECC 2024 - 5.2.1 User Registration and De-registration ECC 2024 - 5.3.1 User Access Rights ECC 2024 - 6.1.1 Information Security Incident Management ECC 2024 - 6.2.1 Malware Protection

🔵 SAMA CSF

SAMA CSF - Governance & Risk Management (GRM-01: Risk Assessment) SAMA CSF - Information & Cybersecurity (ICS-02: System Hardening) SAMA CSF - Information & Cybersecurity (ICS-03: Access Control) SAMA CSF - Resilience & Recovery (RR-01: Incident Response) SAMA CSF - Resilience & Recovery (RR-02: Business Continuity)

🟡 ISO 27001:2022

ISO 27001:2022 - A.5.2 Information Security Policies ISO 27001:2022 - A.8.1 User Endpoint Devices ISO 27001:2022 - A.8.2 Privileged Access Rights ISO 27001:2022 - A.8.3 Information Access Restriction ISO 27001:2022 - A.12.2 Configuration Management

🟣 PCI DSS v4.0.1

PCI DSS 4.0 - Requirement 2: Apply Secure Configurations PCI DSS 4.0 - Requirement 6: Develop and Maintain Secure Systems PCI DSS 4.0 - Requirement 7: Restrict Access to System Components

🔗 References & Sources 1

🔗

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25175

secure@microsoft.com

Vendor Advisory

📦 Affected Products / CPE 18 entries

microsoft:windows_10_1607

microsoft:windows_10_1809

microsoft:windows_10_21h2

microsoft:windows_10_22h2

microsoft:windows_11_23h2

microsoft:windows_server_2012:-

microsoft:windows_server_2012:r2

microsoft:windows_server_2016

microsoft:windows_server_2019

microsoft:windows_server_2022

microsoft:windows_server_2022_23h2

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-125

Exploit No

Patch ✓ Yes

Published 2026-03-10

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-125

🏢 Vendor Advisories

🔗 https://msrc.microsoft.com/update-guide/vulnerabilit...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-25175

💬 Comments

Introduce Yourself

Sign In Required