CVE-2025-62570 - Vulnerability Details

- Windows Camera Frame Server Monitor Information Disclosure Vulnerability

Description

Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally.

Published: 2025-12-09

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An improper access control in the Windows Camera Frame Server Monitor allows an attacker who already has authorized local access to read information that should be restricted, potentially exposing camera-related data or configuration details. This flaw is based on CWE‑284, where insufficient permissions enable sensitive data exposure, leading to a confidentiality breach in the affected environment.

Affected Systems

Microsoft Windows 11 Version 24H2, Windows 11 Version 25H2, Windows Server 2025, and the Server Core installation of Windows Server 2025 are all vulnerable when running the Camera Frame Server Monitor component. The issue applies to the specific versions listed and does not affect earlier releases or versions not enumerated.

Risk and Exploitability

With a CVSS score of 7.1 and an EPSS score of less than 1 %, the vulnerability poses a moderate to high severity but has a very low likelihood of exploitation at this time; it is not currently listed in the CISA KEV catalog. The attack vector is local – an adversary must already possess authorized user rights or sufficient privileges on the system to interact with the Camera Frame Server Monitor, after which the compromised access control can be used to disclose sensitive information.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Microsoft

Windows 11 Version 24H2

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.7462

Microsoft

Windows 11 Version 25H2

affected

Version	Status	Constraints
`10.0.26200.0`	affected	< 10.0.26200.7462

Microsoft

Windows Server 2025

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.7462

Microsoft

Windows Server 2025 (Server Core installation)

affected

Version	Status	Constraints
`10.0.26100.0`	affected	< 10.0.26100.7462

Configuration 1 [-]

OR	cpe:2.3:o:microsoft:windows_11_24h2::::::::
	cpe:2.3:o:microsoft:windows_11_25h2::::::::
	cpe:2.3:o:microsoft:windows_server_2025::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Microsoft security update that addresses CVE‑2025‑62570 to the Windows 11 24H2 and 25H2 releases or the Windows Server 2025 releases
Restrict or revoke local user permissions to the Camera Frame Server Monitor service, or disable the service if the device does not require camera monitoring
Restart the affected systems to activate the updated policies and ensure the access controls are enforced

Generated by OpenCVE AI on April 20, 2026 at 16:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62570

History

Wed, 10 Dec 2025 19:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft windows 11 24h2 Microsoft windows 11 25h2
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:microsoft:windows_11_24h2:::::::: cpe:2.3:o:microsoft:windows_11_25h2::::::::
Vendors & Products		Microsoft windows 11 24h2 Microsoft windows 11 25h2

Tue, 09 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 09 Dec 2025 18:15:00 +0000

Type	Values Removed	Values Added
Description		Improper access control in Windows Camera Frame Server Monitor allows an authorized attacker to disclose information locally.
Title		Windows Camera Frame Server Monitor Information Disclosure Vulnerability
First Time appeared		Microsoft Microsoft windows 11 24h2 Microsoft windows 11 25h2 Microsoft windows Server 2025
Weaknesses		CWE-284
CPEs		cpe:2.3:o:microsoft:windows_11_24H2:::::::arm64:* cpe:2.3:o:microsoft:windows_11_25H2:::::::arm64:* cpe:2.3:o:microsoft:windows_server_2025::::::::
Vendors & Products		Microsoft Microsoft windows 11 24h2 Microsoft windows 11 25h2 Microsoft windows Server 2025
References		https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62570
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C'}`

Subscriptions

Microsoft Windows 11 24h2 Windows 11 24h2 Windows 11 25h2 Windows 11 25h2 Windows Server 2025

MITRE

Status: PUBLISHED

Assigner: microsoft

Published: 2025-12-09T17:56:04.617Z

Updated: 2026-04-16T14:18:56.980Z

Reserved: 2025-10-15T17:11:21.222Z

Link: CVE-2025-62570

Vulnrichment

Updated: 2025-12-09T20:12:51.296Z

NVD

Status : Analyzed

Published: 2025-12-09T18:16:03.160

Modified: 2025-12-10T19:22:23.733

Link: CVE-2025-62570

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T16:15:11Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object