Microsoft, the world's leading supplier of desktop operating systems, fixed a security flaw affecting eight Windows versions, reported by Sergey Tarasov of Positive Technologies Expert Security Center (PT ESC). The vulnerability could have enabled credential theft and, if exploited on a corporate endpoint, facilitated lateral movement within the corporate network. Microsoft was notified under the responsible disclosure policy and has released a security update.
The vulnerability, tracked as PT-2025-36880[1] (CVE-2025-54916, BDU:2025-06402), was assigned a CVSS 3.1 score of 7.8, indicating high severity. The bug in the Microsoft file system driver[2] affects multiple OS versions, including Windows 10, Windows 11, and Windows Server 2025. Successful exploitation could enable access to sensitive data, modification of security settings, and malware propagation across the network, potentially disrupting business processes, causing data leaks, and inflicting financial losses. To remediate the issue, the vendor's security update should be installed as soon as possible.
Microsoft holds over 70% of the global desktop OS market. Its most widely used platform is Windows 11: according to StatCounter, 54% of Microsoft's desktop users were on Windows 11 as of July 2025. Threat intelligence from Positive Technologies indicates that at least 1.5 million Windows 11 devices worldwide are potentially vulnerable. The largest concentrations are in the United States (28%), China (13%), Japan (8%), Germany and South Korea (4% each), and Russia (3%).
[1] The security vulnerability has been registered on the dbugs portal, which aggregates data on vulnerabilities in software and hardware from vendors around the world.
[2] New Technology File System (NTFS) is a file system developed by Microsoft for use in modern versions of Windows.
"To exploit the vulnerability, all an attacker would need is for the victim to mount and open a malicious virtual disk on their device.[3] The attacker could deliver it via email with a persuasive phishing lure. This could enable remote arbitrary code execution and give the attacker full control of the OS to continue the intrusion."
Positive Technologies has collaborated with Microsoft since 2012, helping address roughly ten security issues. Earlier in 2025, Tarasov helped Microsoft fix a file system vulnerability (PT-2025-28587) that enabled privilege escalation via a specially crafted VHD.
To spot attacks that might leverage similar flaws, use a vulnerability management platform (for example, MaxPatrol VM). MaxPatrol SIEM can detect pre-exploitation activity related to this vulnerability inside your environment. For layered protection, deploy an EDR solution to block suspicious endpoint behavior. For example, MaxPatrol EDR detects threats across more than 25 operating systems, covering the major versions among the world's top ten most common operating systems, including Windows.
You can further reduce risk with tools that identify potential attack paths and automate continuous cyber resilience monitoring, such as MaxPatrol Carbon.
For up-to-date security information, visit the dbugs portal, which aggregates vulnerability data and vendor recommendations for software and hardware from vendors around the world.
[3] Virtual hard disk (VHD).