Sergey Tarasov, Specialist at the Positive Technologies Expert Security Center, discovered a high-severity vulnerability affecting 37 desktop and server Windows operating systems,1 including Windows 11, Windows 10, Server 2025, Server 2022, and Server 2019 of various versions and architectures. The flaw in the NTFS2 file system driver could have led to privilege escalation on a user's computer if they opened a malicious virtual hard disk.3 Identified as CVE-2025-49689, the vulnerability was assigned a severity score of 7.8 on the CVSS 3.1 scale. Microsoft was notified under the responsible disclosure policy and released patches in July 2025.
1 The full list of operating systems is provided in Microsoft's security advisory.
2 New Technology File System (NTFS) is a file system developed by Microsoft for use in modern versions of Windows.
3 Virtual hard disk, hereinafter VHD.