CVE-2025-27488

Summary

Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally.

Affected Software

VendorProductVersion RangeStatus
MicrosoftWindows 10 HLK version 20H21.0.0 < 10.1.19041.5609affected
MicrosoftWindows 10 HLK version 21H11.0.0 < 10.1.19041.5609affected
MicrosoftWindows 10 HLK version 21H21.0.0 < 10.1.19041.5609affected
MicrosoftWindows 10 HLK Version 22H21.0.0 < 10.1.19041.5609affected
MicrosoftWindows 11 HLK 22H21.0.0 < 10.1.22621.5040affected
MicrosoftWindows 11 HLK 24H21.0.0 < 10.1.26100.3478affected
MicrosoftWindows HLK for Windows 10 version 20041.0.0 < 10.1.19041.5609affected
MicrosoftWindows HLK for Windows Server 20191.0.0 < 10.1.17763.7010affected
MicrosoftWindows HLK for Windows Server 20221.0.0 < 10.1.20348.3330affected
MicrosoftWindows HLK for Windows Server 20251.0.0 < 10.1.26100.3478affected
MicrosoftWindows HLK, version 18091.0.0 < 10.1.17763.7010affected

Weaknesses

  • CWE-798: CWE-798: Use of Hard-coded Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References