Sergey Tarasov, Specialist at the Positive Technologies Expert Security Center, discovered a high-severity vulnerability affecting 37 desktop and server Windows operating systems, including Windows 11, Windows 10, Server 2025, Server 2022, and Server 2019 of various versions and architectures. The flaw in the NTFS file system driver could have led to privilege escalation on a user's computer if they opened a malicious virtual hard disk. Identified as CVE-2025-49689, the vulnerability was assigned a severity score of 7.8 on the CVSS 3.1 scale. Microsoft was notified under the responsible disclosure policy and released patches in July 2025.
