• Positive Technologies helps resolve zero-day vulnerability in Windows
News

Positive Technologies helps resolve zero-day vulnerability in Windows

Sergey Tarasov, Specialist at the Positive Technologies Expert Security Center, discovered a high-severity vulnerability affecting 37 desktop and server Windows operating systems,1 including Windows 11, Windows 10, Server 2025, Server 2022, and Server 2019 of various versions and architectures. The flaw in the NTFS2 file system driver could have led to privilege escalation on a user's computer if they opened a malicious virtual hard disk.3 Identified as CVE-2025-49689, the vulnerability was assigned a severity score of 7.8 on the CVSS 3.1 scale. Microsoft was notified under the responsible disclosure policy and released patches in July 2025.
 

1 The full list of operating systems is provided in Microsoft's security advisory.

2 New Technology File System (NTFS) is a file system developed by Microsoft for use in modern versions of Windows.

3 Virtual hard disk, hereinafter VHD.

Among all the products that contained the vulnerability, Windows 11 is one of the most popular operating systems globally. According to the web analytics platform StatCounter, its market share grew from less than 30% in 2024 to over 43% by May 2025. Open-source data estimates that more than 1.5 million devices are exposed to this vulnerability, affecting both corporate and home users. The largest number of affected devices are in the U.S. (26%) and China (14%).

The flaw in the NTFS file system could have allowed attackers to bypass Windows security measures. A victim only had to open a specially crafted virtual disk for an attacker to exploit the vulnerability and gain full control of the system.

To stay protected, users are strongly advised to install the latest updates. If updating is not possible, Positive Technologies recommends only opening virtual hard disks (VHD) from trusted sources.

"This vulnerability is particularly dangerous as attackers often use VHD files in phishing campaigns. Users tend to open them like regular archives, unaware of the risks."

Sergey Tarasov
Sergey TarasovHead of the PT Expert Security Center Vulnerability Analysis Group

Positive Technologies has consistently helped enhance the security of Microsoft systems. In 2024, Sergey Tarasov helped fix CVE-2024-43629, a vulnerability that affected Windows 10, Windows 11, and Windows Server versions 2025, 2022, and 2019. In 2017, the PT Expert Security Center collaborated with Microsoft to address CVE-2017-0263 in Windows 10 and earlier versions.

To detect attacks exploiting similar vulnerabilities, Positive Technologies recommends using a vulnerability management system like MaxPatrol VM. We also advise using MaxPatrol EDR, which supports all major operating systems, including Windows.