Impact
The Microsoft Management Console contains an improper access control flaw (CWE-284) that allows an authorized local user to elevate privileges. An attacker who exploits it gains full control of the affected system and can read, modify, and execute any local data or process. This privileged access compromises the confidentiality, integrity, and availability of all resources on the host.
Affected Systems
Microsoft Windows 10 versions 1607, 1809, 21H2, and 22H2; Windows 11 versions 23H2, 24H2, 25H2, 26H1, and 22H3; and Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2025, and 23H2. All listed operating systems are affected, including the Server Core installation option of the listed Windows Server releases.
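The following PowerShell snippet is an added example, not part of the advisory, that classifies the local host against the affected-version list above. It reads the standard `CurrentVersion` registry values (`ProductName`, `DisplayVersion`, `ReleaseId`, `CurrentBuild`, `InstallationType`); the affected-version table is transcribed from the text of this page, and the function name `Test-AdvisoryAffected` is a hypothetical helper name chosen for this example. The build-number threshold for distinguishing Windows 11 from Windows 10 and the handling of Server 23H2 are assumptions documented in the comments.

```powershell
# Added example (not from the advisory): triage whether this host's OS release
# falls within the affected-version list quoted above. Version-level only; it
# does not tell you whether the vendor fix is installed.

$AffectedReleases = @{
    # Transcribed from the advisory text on this page.
    'Windows 10'     = @('1607', '1809', '21H2', '22H2')
    'Windows 11'     = @('23H2', '24H2', '25H2', '26H1', '22H3')
    'Windows Server' = @('2012 R2', '2012', '2016', '2019', '2022', '2025', '23H2')
}

function Test-AdvisoryAffected {
    [CmdletBinding()]
    param()

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # DisplayVersion (e.g. "22H2") exists on 20H2 and later; older releases
    # such as 1607 and 1809 only carry ReleaseId. Fall back to it.
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    $build   = [int]$cv.CurrentBuild
    $install = $cv.InstallationType   # "Client", "Server" or "Server Core"

    if ($install -in @('Server', 'Server Core')) {
        $family = 'Windows Server'
        # Assumption: Server 23H2 (Annual Channel) is identified by its
        # DisplayVersion; the other Server releases carry the year in
        # ProductName (e.g. "Windows Server 2019 Standard"). "2012 R2" is
        # tested before "2012" so the plain-2012 pattern cannot shadow it.
        if ($release -eq '23H2') {
            $release = '23H2'
        } else {
            $release = $null
            foreach ($tag in $AffectedReleases['Windows Server']) {
                if ($cv.ProductName -match "Windows Server $tag\b") { $release = $tag; break }
            }
        }
    } elseif ($build -ge 22000) {
        # Assumption: the registry ProductName still reads "Windows 10 ..." on
        # Windows 11, so the client family is derived from the build number
        # (Windows 11 shipped as build 22000 and later).
        $family = 'Windows 11'
    } else {
        $family = 'Windows 10'
    }

    $isAffected = ($null -ne $release) -and ($AffectedReleases[$family] -contains $release)

    [PSCustomObject]@{
        ComputerName     = $env:COMPUTERNAME
        Family           = $family
        Release          = $release
        Build            = $build
        InstallationType = $install
        AffectedRelease  = $isAffected
    }
}

Test-AdvisoryAffected | Format-List
```

Run it under any account (the registry keys it reads are world-readable). `AffectedRelease = True` means the host runs a release named in the advisory; whether the corresponding update is installed must still be verified separately (for example with `Get-HotFix`), since the advisory text here does not name a KB. For fleet-wide triage, wrap the call in `Invoke-Command -ComputerName` and filter on `AffectedRelease`.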
Risk and Exploitability
The CVSS base score of 7.8 indicates high severity. The EPSS score of 3% (EPSS estimates the probability of exploitation activity in the wild within the next 30 days) is low in absolute terms but not negligible, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. The attack vector is local: the attacker must already be able to run code on the target as an authorized, low-privileged user, so the realistic threat model is post-compromise privilege escalation, for example after a phishing payload executes or a user account is compromised. High severity combined with a local vector places unpatched systems at significant risk of an attacker escalating from an ordinary user context to full control of the host.
OpenCVE Enrichment