CVE-2025-49734 | MSRC Compact Detail

Severity

Important

Impact

Elevation of Privilege

CVSS

7.0 base · 6.1 temporal

Release

2025-09-09

Signals

Windows PowerShell Elevation of Privilege Exploited: No Publicly disclosed: No Exploitability: Exploitation Less Likely

CWE

CWE-923: Improper Restriction of Communication Channel to Intended Endpoints

Patch Diff

Loading module diff metadata...

Resolved binary override

Use this when the MSRC module name cannot be mapped automatically or the resolved binary looks wrong.

Old version New version

Description

Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally.

FAQ / Articles

FAQ

What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker, initially a non-admin user on the host, could hijack the PowerShell Direct session intended for communication between the admin user on host and a guest VM. This unauthorized access enables the attacker to impersonate the admin host user in communications with the guest, potentially manipulating or controlling guest-side operations.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition.

FAQ

Why am I getting login failure events on my unpatched guest VM? To ensure compatibility with unpatched guests, the new client attempts a login. This will produce an event in the Security Event log with event id 4625. The username will be ?‹PSDirectVMLegacy> and the domain will be 䕖卒佉N. This event should stop when you patch your guest. Note: The ?‹PSDirectVMLegacy> and 䕖卒佉N text is verbatim - this is what the user sees.

Microsoft Management Console Elevation of Privilege Vulnerability

No cwe for this issue in Microsoft Management Console allows an authorized attacker to elevate privileges locally.

Windows PowerShell Elevation of Privilege Vulnerability

Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally.

FAQ

Where can I find information about additional mitigation steps? There are edge case affecting hotpatched devices that have installed the September 2025 updates . These devices may experience failures with PowerShell Direct (PSDirect) connections when the host and guest virtual machines (VMs) are both not fully updated. If your hotpatched device is experiencing issues with PSDirect connection, we recommend updating both the host and guest VM with these updates. Additional information can be found in the Knowledge Base articles below. KB Article Product 5065306 Windows Server 2022 Hotpatch 5065426 Windows 11, version 24H2 5065432 Windows Server 2022 5065474 Windows Server 2025 Hotpatch 5066359 PowerShell 5066360 PowerShell

MSRC Fields

Module / Tag

Windows PowerShell

Release number

2025-Sep

Latest revision

2025-09-11

CNA

Microsoft

Customer action

required

Denial of service

N/A

CVSS Vector

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

References

MSRC

Official detail

CVE Record

CVE.org

Revision History

v1 · 2025-09-09

Information published.

v2 · 2025-09-11

Revised the Security Updates table to include PowerShell 7.4 and PowerShell 7.5 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/78 for more information.

CVE-2025-49734 · PowerShell Direct Elevation of Privilege Vulnerability