Description
Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.
Published: 2025-12-09
Score: 7.8 High
EPSS: 2.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a missing authentication check that permits an authorized local user to call a critical VSP Driver procedure without proper verification. This omission is rooted in improper authentication mechanisms and potential path handling weaknesses, as reflected by the associated weakness types (CWE-306 and CWE-73). When exploited, the attacker can raise their privileges, potentially gaining administrative rights on the host and compromising the confidentiality and integrity of the system.

Affected Systems

Microsoft Windows 10 versions 1809, 21H2, 22H2; Windows 11 versions 22H3, 23H2, 24H2, 25H2; Windows Server 2019; Windows Server 2022 including the 23H2 Edition Server Core; and Windows Server 2025 including Server Core. Both 32‑bit and 64‑bit builds are affected as the vendor’s information covers x86 and x64 platforms.

Risk and Exploitability

The CVSS score of 7.8 rates the issue as high severity, but an EPSS score of 2% indicates a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, suggesting no large-scale exploitation has been observed. Based on the description, a local attacker able to invoke the vulnerable driver function (through an existing low-privileged local account, or by running code on the host) can bypass the authentication check and elevate their privileges. Remote exploitation is not implied by the available data.

Generated by OpenCVE AI on June 18, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and apply the cumulative update that addresses CVE-2025-59516 from Microsoft’s update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59516.
  • Reboot the system after applying the update to load the patched VSP Driver.
  • Limit local accounts that can interact with the VSP Driver by enforcing least privilege, removing unnecessary administrative rights, and enabling audit policies to detect anomalous driver activity.


Advisories

No advisories yet.

History

Fri, 12 Dec 2025 20:15:00 +0000

Type: First Time appeared
  Values Added:
    Microsoft windows 10 21h2
    Microsoft windows 10 22h2
    Microsoft windows 11 23h2
    Microsoft windows 11 24h2
    Microsoft windows 11 25h2
    Microsoft windows Server 2022 23h2
Type: CPEs
  Values Added:
    cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
    cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_11_24h2:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_11_25h2:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added:
    Microsoft windows 10 21h2
    Microsoft windows 10 22h2
    Microsoft windows 11 23h2
    Microsoft windows 11 24h2
    Microsoft windows 11 25h2
    Microsoft windows Server 2022 23h2

Tue, 09 Dec 2025 22:15:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 18:15:00 +0000

Type: Description
  Values Added: Missing authentication for critical function in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally.
Type: Title
  Values Added: Windows Storage VSP Driver Elevation of Privilege Vulnerability
Type: First Time appeared
  Values Added:
    Microsoft
    Microsoft windows 10 1809
    Microsoft windows 10 21h2
    Microsoft windows 10 22h2
    Microsoft windows 11 23h2
    Microsoft windows 11 24h2
    Microsoft windows 11 25h2
    Microsoft windows Server 2019
    Microsoft windows Server 2022
    Microsoft windows Server 2025
    Microsoft windows Server 23h2
Type: Weaknesses
  Values Added:
    CWE-306
    CWE-73
Type: CPEs
  Values Added:
    cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
    cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*
    cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*
    cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*
    cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*
    cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*
    cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*
    cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added:
    Microsoft
    Microsoft windows 10 1809
    Microsoft windows 10 21h2
    Microsoft windows 10 22h2
    Microsoft windows 11 23h2
    Microsoft windows 11 24h2
    Microsoft windows 11 25h2
    Microsoft windows Server 2019
    Microsoft windows Server 2022
    Microsoft windows Server 2025
    Microsoft windows Server 23h2
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1
    {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

MITRE
  Status: PUBLISHED
  Assigner: microsoft
  Published:
  Updated: 2026-04-16T14:18:42.586Z
  Reserved: 2025-09-17T03:06:33.549Z
  Link: CVE-2025-59516

Vulnrichment
  Updated: 2025-12-09T20:15:51.983Z

NVD
  Status: Analyzed
  Published: 2025-12-09T18:15:54.640
  Modified: 2026-06-17T09:46:19.720
  Link: CVE-2025-59516

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-18T15:15:03Z

Weaknesses
  • CWE-306: Missing Authentication for Critical Function
  • CWE-73: External Control of File Name or Path