
CVE-2025-47973: Windows 10 1507 Privilege Escalation Flaw

CVE-2025-47973 is a privilege escalation vulnerability in Microsoft Windows 10 1507 caused by a buffer over-read in Virtual Hard Disk (VHDX). This article covers the technical details, affected systems, and mitigation.

CVE-2025-47973 Overview

CVE-2025-47973 is a buffer over-read vulnerability in the Microsoft Windows Virtual Hard Disk (VHDX) component. The flaw allows a local attacker to elevate privileges by reading memory beyond an allocated buffer boundary during VHDX file processing. Exploitation requires user interaction, typically convincing a user to mount or open a crafted VHDX file. Successful exploitation results in high impact to confidentiality, integrity, and availability on the affected host. Microsoft addressed the vulnerability in its July 2025 security update cycle. The issue is classified under [CWE-126] Buffer Over-read and affects a wide range of Windows client and Windows Server versions.

Critical Impact

A local, unauthenticated attacker who tricks a user into opening a malicious VHDX file can elevate privileges and gain full control of the affected Windows system.

Affected Products

  • Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
  • Microsoft Windows 11 (22H2, 23H2, 24H2)
  • Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025

Discovery Timeline

  • 2025-07-08 - CVE-2025-47973 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-47973

Vulnerability Analysis

The vulnerability resides in the Windows VHDX parser, which handles Virtual Hard Disk v2 (VHDX) image files used by Hyper-V and Windows storage subsystems. A buffer over-read [CWE-126] occurs when the parser reads beyond the bounds of a buffer while processing structures inside a crafted VHDX file. The over-read condition can be leveraged to disclose adjacent memory and, in combination with crafted metadata, manipulate kernel-mode logic that leads to local elevation of privilege.

The attack vector is local and requires user interaction. A standard user, or an attacker with low-privileged access, can place a malicious VHDX file on the system and convince a user to mount or open it. Once mounted, the operating system parses the file through privileged code paths, where the over-read is triggered. The resulting confidentiality, integrity, and availability impact is high, allowing the attacker to execute code in a higher privilege context than they originally held.

Root Cause

The root cause is improper bounds checking when the VHDX parser reads structured fields from a virtual disk image. Specifically, length or offset values supplied within the VHDX file are trusted without sufficient validation against the actual buffer size. When the parser dereferences these values, it reads memory past the end of the allocated region.

Attack Vector

An attacker delivers a crafted VHDX file through email, removable media, a shared folder, or a download link. When a user double-clicks or mounts the file using Windows Explorer, diskmgmt.msc, or PowerShell cmdlets such as Mount-VHD, the vulnerable parser is invoked. The kernel-mode handling of the malformed metadata produces the over-read, which an attacker chains with controlled data to gain SYSTEM-level execution.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-47973

Indicators of Compromise

  • Unexpected VHDX files appearing in user download directories, email attachment folders, or temporary paths such as %TEMP% and %APPDATA%.
  • Mount events for VHDX files originating from untrusted sources, visible in Microsoft-Windows-VHDMP-Operational event logs.
  • Anomalous process creation of vds.exe, vdsldr.exe, or PowerShell invoking Mount-DiskImage shortly after VHDX file delivery.
  • Crashes or stop errors in vhdmp.sys or storage subsystem drivers following user interaction with disk image files.

Detection Strategies

  • Monitor for file write events creating .vhdx or .vhd files outside expected Hyper-V or backup directories.
  • Alert on user-mode and kernel-mode processes loading vhdmp.sys shortly after interaction with files received from external sources.
  • Correlate email gateway and web proxy logs with endpoint mount events to identify suspicious VHDX delivery chains.

Monitoring Recommendations

  • Enable Windows event log channels for Microsoft-Windows-VHDMP and Microsoft-Windows-Hyper-V-VMMS to capture mount activity.
  • Track Sysmon Event ID 1 (process creation) and Event ID 11 (file create) for VHDX-related operations.
  • Forward storage and disk image telemetry to a centralized log platform for retroactive hunting against newly disclosed indicators.
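The detection strategies and monitoring recommendations above, combined into one PowerShell hunting script that reads Sysmon Event ID 11 (file create) and Event ID 1 (process create) and correlates unexpected .vhd/.vhdx writes with mount activity. This is an added example, not part of the advisory; it assumes Sysmon logs to the default Microsoft-Windows-Sysmon/Operational channel, and the allow-listed directories and the 10-minute correlation window are assumed values to tune per environment.

```powershell
# Added example: hunt Sysmon telemetry for VHDX delivery-and-mount chains (defender-side hunting only).
# Assumes Sysmon logs Event ID 11 (file create) and Event ID 1 (process create) to the default channel.
# $AllowedDirs is an assumed allow-list of directories where disk images are expected to live.
param(
    [int]$Hours = 24,
    [string[]]$AllowedDirs = @('C:\Hyper-V', 'C:\Backups')
)

$since = (Get-Date).AddHours(-$Hours)
$log   = 'Microsoft-Windows-Sysmon/Operational'

# Pull a named field out of a Sysmon event's EventData XML
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 1. Event ID 11: .vhd/.vhdx files created outside the expected directories
$imageWrites = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = Get-EventField $_ 'TargetFilename'
        if ($target -match '\.vhdx?$' -and -not ($AllowedDirs | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })) {
            [pscustomobject]@{ Time = $_.TimeCreated; File = $target; Writer = (Get-EventField $_ 'Image') }
        }
    }

# 2. Event ID 1: processes that mount disk images (Mount-DiskImage / Mount-VHD cmdlets, vds.exe, vdsldr.exe)
$mounts = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $cmd = Get-EventField $_ 'CommandLine'
        $img = Get-EventField $_ 'Image'
        if ($cmd -match 'Mount-(DiskImage|VHD)' -or $img -match '\\vds(ldr)?\.exe$') {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $img; CommandLine = $cmd; Parent = (Get-EventField $_ 'ParentImage') }
        }
    }

# 3. Correlate: a mount within 10 minutes (assumed window) of an unexpected image write is the chain to investigate
foreach ($w in $imageWrites) {
    $followUps = $mounts | Where-Object { $_.Time -ge $w.Time -and $_.Time -le $w.Time.AddMinutes(10) }
    if ($followUps) {
        Write-Warning "Disk image written outside allowed paths and mounted shortly after: $($w.File) (written by $($w.Writer))"
        $followUps | Format-Table Time, Image, CommandLine, Parent -AutoSize
    }
}
```

Run from an elevated session on the endpoint, or point Get-WinEvent at forwarded logs with -ComputerName when hunting centrally.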

How to Mitigate CVE-2025-47973

Immediate Actions Required

  • Apply the July 2025 Microsoft security update referenced in the Microsoft Security Update CVE-2025-47973 advisory to all affected Windows and Windows Server systems.
  • Inventory endpoints and servers running affected builds, prioritizing systems used by administrators and developers who frequently mount disk images.
  • Block inbound .vhd and .vhdx attachments at the email gateway and web proxy unless required for business operations.
  • Educate users to avoid opening or mounting VHDX files received from untrusted sources.

Patch Information

Microsoft released a security update addressing CVE-2025-47973 as part of its monthly patching cycle. Administrators should consult the Microsoft Security Update CVE-2025-47973 advisory for the specific KB articles aligned to each Windows version and deploy the corresponding update through Windows Update, WSUS, or Microsoft Configuration Manager.

Workarounds

  • Restrict the ability to mount disk images by removing the file association for .vhdx and .vhd extensions for non-administrative users.
  • Use Microsoft Defender Attack Surface Reduction rules to block execution and scripting actions triggered from disk image content.
  • Apply AppLocker or Windows Defender Application Control policies to prevent unsigned binaries from running out of mounted VHDX volumes.
```powershell
# Configuration example: disable default VHDX double-click mounting for standard users
# Remove the Windows Explorer "Mount" shell verb for VHD and VHDX files
# (run from an elevated prompt; writes under HKCR require administrative rights)
reg delete "HKCR\Windows.VhdFile\shell\Mount" /f
reg delete "HKCR\Windows.VhdxFile\shell\Mount" /f

# Verify systems are patched (replace the KB number with the one listed in the MSRC advisory)
Get-HotFix | Where-Object { $_.HotFixID -eq "KBXXXXXXX" }
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
