Windows NTFS Elevation of Privilege Vulnerability
Plan Patch · 7.8 · CVE-2026-25175 · Mar 10, 2026
Microsoft
IT in OT - Windows Server and Active Directory are widely deployed in OT environments
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
An out-of-bounds read vulnerability in the Windows NTFS driver allows a user with standard account privileges to read memory beyond allocated boundaries, potentially leading to local privilege escalation. The vulnerability exists in NTFS file system handling and can be triggered through crafted file system interactions. It affects Windows 10 (versions 1607, 1809, 21H2, 22H2), Windows 11 (version 23H2), and Windows Server 2016, 2019, 2022, and 2022 23H2 Edition across all architecture variants.
What this means
What could happen
A user with standard account permissions on a Windows workstation or server could exploit an out-of-bounds read in NTFS to gain administrator-level access, allowing them to modify critical files, install malware, or disable security controls.
Who's at risk
Windows Server 2016, 2019, and 2022 administrators; Windows 10 and 11 users across all supported versions and architectures (32-bit, x64, ARM64). Any organization running these OS versions on workstations, servers, or edge devices is affected. Servers hosting databases, file shares, or critical applications are of particular concern, because privilege escalation there could cause data loss or operational disruption.
How it could be exploited
An attacker with a local user account on a Windows system triggers an out-of-bounds read vulnerability in the NTFS driver by accessing specially crafted file system structures. This causes the kernel to leak sensitive memory or mishandle file access controls, allowing the attacker to escalate privileges to SYSTEM/administrator level.
Prerequisites
- Local user account on the Windows system
- Ability to interact with the NTFS file system
- Standard user privileges (no admin rights required)
- Requires local access only (not remotely exploitable)
- Low complexity exploitation
- Affects Windows versions across entire lifecycle
- Requires valid user account
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (19)
19 with fix
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Apply the 2026-Mar security update to Windows 10, Windows 11, or Windows Server to patch the NTFS vulnerability
Long-term hardening
- HARDENING: Restrict local access to file systems containing sensitive data through permission hardening and audit logging
- HARDENING: Monitor for unusual privilege escalation attempts or unauthorized NTFS access in security logs
CVEs (1)