Improper restriction of communication channel to intended endpoints in Windows PowerShell allows an authorized attacker to elevate privileges locally.
What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker, initially a non-admin user on the host, could hijack the PowerShell Direct session intended for communication between the admin user on host and a guest VM. This unauthorized access enables the attacker to impersonate the admin host user in communications with the guest, potentially manipulating or controlling guest-side operations. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. Why am I getting login failure events on my unpatched guest VM? To ensure compatibility with unpatched guests, the new client attempts a login. This will produce an event in the Security Event log with event id 4625. The username will be ?‹PSDirectVMLegacy> and the domain will be 䕖卒佉N. This event should stop when you patch your guest. Note: The ?‹PSDirectVMLegacy> and 䕖卒佉N text is verbatim - this is what the user sees. Where can I find information about additional mitigation steps? There are edge case affecting hotpatched devices that have installed the September 2025 updates . These devices may experience failures with PowerShell Direct (PSDirect) connections when the host and guest virtual machines (VMs) are both not fully updated. If your hotpatched device is experiencing issues with PSDirect connection, we recommend updating both the host and guest VM with these updates. Additional information can be found in the Knowledge Base articles below. KB Article Product 5065306 Windows Server 2022 Hotpatch 5065426 Windows 11, version 24H2 5065432 Windows Server 2022 5065474 Windows Server 2025 Hotpatch 5066359 PowerShell 5066360 PowerShell
QWangWang