CVE-2025-49728: Microsoft PC Manager Security Feature Bypass Vulnerability

Overview

Severity

Medium (CVSS 4)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

Category

Security Feature Bypass

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2025-Sep

Released

2025-09-16

EPSS Score

0.03% (percentile: 9.9%)

Description

Cleartext storage of sensitive information in Microsoft PC Manager allows an unauthorized attacker to bypass a security feature locally.

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability? An attacker can obtain keys, which could enable an attacker to partially bypass the application's cryptographic protections. Confidential information could be exposed to malicious users, including configuration data but not including personal information or credentials. According to the CVSS metrics, successful exploitation of this vulnerability could lead to some loss of confidentiality (C:L),but lead to no loss of availability (A:N) and integrity (I:N)? What does that mean for this vulnerability? An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker. The attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).

Affected Products (1)

Apps

• Microsoft PC Manager

Security Updates (1)

• Release Notes

Acknowledgments

Microsoft Offensive Research & Security Engineering

Revision History

• 2025-09-16: Information published.