CVE-2025-47969: Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability
Overview
- Severity
- Medium (CVSS 4.4)
- CVSS Vector
- CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
- Category
- Information Disclosure
- Exploit Status
- Not Exploited
- Exploitation Likelihood
- Less Likely
- Patch Tuesday
- 2025-Jun
- Released
- 2025-06-10
- EPSS Score
- 1.02% (percentile: 77.2%)
Description
Exposure of sensitive information to an unauthorized actor in Windows Hello allows an authorized attacker to disclose information locally.
FAQ
What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is secrets or privileged information belonging to the user of the affected application.
Affected Products (8)
ESU
- Windows 11 Version 22H2 for ARM64-based Systems
- Windows 11 Version 22H2 for x64-based Systems
Windows
- Windows Server 2025 (Server Core installation)
- Windows 11 Version 23H2 for ARM64-based Systems
- Windows 11 Version 23H2 for x64-based Systems
- Windows 11 Version 24H2 for ARM64-based Systems
- Windows 11 Version 24H2 for x64-based Systems
- Windows Server 2025
Security Updates (3)
Acknowledgments
<a href="https://x.com/_ethicalchaos_">Ceri Coburn</a> with <a href="https://www.netspi.com/">NetSPI</a>
Revision History
- 2025-06-10: Information published. This CVE was addressed by updates that were released in May 2025, but the CVE was inadvertently omitted from the May 2025 Security Updates. This is an informational change only. Customers who have already installed the May 2025 updates do not need to take any further action.