CVE-2025-27488: Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability

Overview

Severity: Medium (CVSS 6.7)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-May
Released: 2025-05-13
EPSS Score: 0.71% (percentile: 72.2%)

Description

Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally.

FAQ

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Affected Products (11)

Windows

  • Windows HLK for Windows Server 2025
  • Windows 11 HLK 24H2
  • Windows HLK, version 1809
  • Windows 10 HLK version 21H1
  • Windows 11 HLK 22H2
  • Windows 10 HLK version 20H2
  • Windows 10 HLK Version 22H2
  • Windows 10 HLK version 21H2
  • Windows HLK for Windows 10 version 2004
  • Windows HLK for Windows Server 2019

Azure

  • Windows HLK for Windows Server 2022

Security Updates (5)

Acknowledgments

Microsoft

Revision History

  • 2025-05-13: Information published.