The vulnerability is a missing authentication check for a critical function in the Windows Storage VSP Driver. Because the driver allows privileged operations without verifying that the caller is authorized, an attacker who can authenticate locally to Windows and access the VSP Driver may be able to gain higher privileges. This flaw is classified under CWE‑306 and CWE‑73, indicating insufficient authentication and potential path handling weaknesses that could be abused to modify system files or execute code with elevated rights. The result would be a compromise of the integrity and confidentiality of the affected host.

Affected products include Microsoft Windows 10 versions 1809, 21H2, and 22H2; Windows 11 versions 22H3, 23H2, 24H2, and 25H2; and Windows Server 2019, Windows Server 2022 (including the 23H2 Edition Server Core), and Windows Server 2025 (including Server Core). Both 32‑bit and 64‑bit architectures are impacted as shown by the vendor’s CPES, and the flaw is present in the VSP Driver that handles storage volume management.

The CVSS score of 7.8 ranks the issue as high severity, yet the EPSS score of less than 1% signals a very low current exploitation probability. The flaw is not listed in the CISA KEV catalog, supporting the assumption that no large‑scale or active exploitation has been observed. Attackers would need local access to the target machine and the ability to invoke the vulnerable driver function, which likely requires privileged local account access or exploitation of an existing local weakness. Once that local foothold is established, the missing authentication check permits privilege escalation without any network or remote access prerequisites.