Windows Hyper-V Elevation of Privilege Vulnerability

Plan Patch | CVSS 7 | CVE-2026-25170 | Mar 10, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary

A use-after-free vulnerability in Windows Hyper-V allows an authorized local attacker to elevate privileges. The vulnerability exists in Hyper-V on Windows 11 and Windows Server 2022/2025 systems. Exploitation requires local access and valid credentials.

What this means
What could happen
An attacker with local access to a Hyper-V host could gain system-level privileges, potentially allowing them to run arbitrary code on the host system and compromise all virtual machines running on that server.
Who's at risk
This affects IT infrastructure teams managing Hyper-V virtualization hosts, particularly those running Windows Server 2022 and 2025 in data centers or branch offices. Any organization using Hyper-V for virtual machine hosting should prioritize patching. This is relevant for utilities running virtualized SCADA systems, historian servers, or engineering workstations on Hyper-V infrastructure.
How it could be exploited
An attacker with valid local user credentials on a Hyper-V host can exploit a use-after-free flaw in the Hyper-V component to escalate from regular user privileges to SYSTEM privileges on the host machine.
Prerequisites
  • Local access to the Windows system
  • Valid local user account credentials
  • Hyper-V component must be installed and operational on the target system
  • Local authentication required
  • Requires valid user credentials
  • Affects virtualization hosts (high-value targets)
  • Low EPSS score indicates exploitation less likely
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (13)
13 with fix
Product | Affected Versions | Fix Status
Windows 11 Version 26H1 for ARM64-based Systems | All versions | Build 10.0.28000.1719
Windows 11 version 26H1 for x64-based Systems | All versions | Build 10.0.28000.1719
Windows 11 Version 23H2 for ARM64-based Systems | All versions | Build 10.0.22631.6783
Windows 11 Version 23H2 for x64-based Systems | All versions | Build 10.0.22631.6783
Windows Server 2022, 23H2 Edition (Server Core installation) | All versions | Build 10.0.25398.2207
Windows 11 Version 24H2 for ARM64-based Systems | All versions | Build 10.0.26100.8037
Windows 11 Version 24H2 for x64-based Systems | All versions | Build 10.0.26100.8037
Windows Server 2025 | All versions | Build 10.0.26100.32522
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Windows Server 2022
HOTFIX: Update Windows Server 2022 to Build 10.0.20348.4893 or later
HOTFIX: Update Windows Server 2022 (23H2 Edition) to Build 10.0.25398.2207 or later
Windows Server 2025
HOTFIX: Update Windows Server 2025 to Build 10.0.26100.32522 or later
All products
HOTFIX: Update Windows 11 Version 26H1 (ARM64) to Build 10.0.28000.1719 or later
HOTFIX: Update Windows 11 Version 26H1 (x64) to Build 10.0.28000.1719 or later
HOTFIX: Update Windows 11 Version 23H2 (ARM64) to Build 10.0.22631.6783 or later
HOTFIX: Update Windows 11 Version 23H2 (x64) to Build 10.0.22631.6783 or later
HOTFIX: Update Windows 11 Version 24H2 (ARM64) to Build 10.0.26100.8037 or later
HOTFIX: Update Windows 11 Version 24H2 (x64) to Build 10.0.26100.8037 or later
HOTFIX: Update Windows 11 Version 25H2 (ARM64) to Build 10.0.26200.8037 or later
HOTFIX: Update Windows 11 Version 25H2 (x64) to Build 10.0.26200.8037 or later
Long-term hardening
HARDENING: Restrict local console and RDP access to Hyper-V hosts to trusted administrators only
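
Added example (not part of the original advisory): a patch-status check for an exported host inventory against the fixed builds listed above. The inventory layout, field values, host names and function names are assumptions; the check keys on build number plus client/server type, because build 26100 covers both Windows 11 24H2 and Windows Server 2025 with different fixed revisions.

```python
# Added example. Fix builds are copied from this advisory; hosts are constructed.
# Key is (build, is_server): build 26100 is shared by Windows 11 24H2 and
# Windows Server 2025, which have different fixed revisions.
FIXED = {
    (20348, True): ("Windows Server 2022", 4893),
    (25398, True): ("Windows Server 2022, 23H2 Edition", 2207),
    (26100, True): ("Windows Server 2025", 32522),
    (22631, False): ("Windows 11 Version 23H2", 6783),
    (26100, False): ("Windows 11 Version 24H2", 8037),
    (26200, False): ("Windows 11 Version 25H2", 8037),
    (28000, False): ("Windows 11 Version 26H1", 1719),
}

def assess(version, installation_type):
    """Return (status, product, required_build) for one host.

    version is '10.0.<build>.<revision>'; installation_type is 'Client',
    'Server' or 'Server Core' (field values are assumptions about the export).
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return ("unparsed", None, None)
    build, revision = int(parts[2]), int(parts[3])
    is_server = installation_type.strip().lower().startswith("server")
    entry = FIXED.get((build, is_server))
    if entry is None:
        return ("not listed", None, None)  # release not in the FIXED table
    product, fixed_rev = entry
    # Compare as integers: as strings, "8037" would sort above "32522".
    status = "patched" if revision >= fixed_rev else "needs update"
    return (status, product, f"10.0.{build}.{fixed_rev}")

def patch_queue(inventory):
    """Hosts that still need the update, Hyper-V hosts first."""
    todo = [(h, assess(v, t), hv) for h, v, t, hv in inventory]
    todo = [(h, a[1], a[2], hv) for h, a, hv in todo if a[0] == "needs update"]
    return sorted(todo, key=lambda row: (not row[3], row[0]))

# Constructed inventory: (host, OS version, installation type, Hyper-V enabled)
INVENTORY = [
    ("eng-ws-07", "10.0.26100.8037", "Client", True),
    ("hist-hv-01", "10.0.26100.8037", "Server", True),
    ("scada-hv-02", "10.0.20348.4893", "Server Core", True),
    ("file-01", "10.0.20348.4171", "Server", False),
]

if __name__ == "__main__":
    for host, product, required, hyperv in patch_queue(INVENTORY):
        print(f"{host}: {product} -> update to {required} (Hyper-V: {hyperv})")
```

Hosts reported as "not listed" run a release that is not in the table above and need a manual check against the vendor advisory.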
API: /api/v1/advisories/26431f4a-0510-4b99-ba0d-bd182dd8f63b


Windows Hyper-V Elevation of Privilege Vulnerability | CVSS 7 - OTPulse