CVE-2025-55231: Windows Storage-based Management Service Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 7.5)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Unlikely
Patch Tuesday: 2025-Aug
Released: 2025-08-21
Last Updated: 2025-08-26
EPSS Score: 0.07% (percentile: 20.3%)

Description

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Storage allows an unauthorized attacker to execute code over a network.

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. How could an attacker exploit the vulnerability? An unauthenticated attacker could exploit the vulnerability by sending a malicious http request to the web server. A user would then have to restart the compromised service on the server to trigger the vulnerability.

Affected Products (10)

Windows

Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server 2025 (Server Core installation)
Windows Server 2025
Windows Server 2016
Windows Server 2016 (Server Core installation)

ESU

Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)

Security Updates (5)

Acknowledgments

<a href="https://twitter.com/keyz3r0">k0shl</a> with <a href="https://www.cyberkl.com/">Kunlun Lab</a>

Revision History

2025-08-21: Information published. This CVE was addressed by updates that were released in July 2025, but the CVE was inadvertently omitted from the July 2025 Security Updates. This is an informational change only. Customers who have already installed the July 2025 updates do not need to take any further action.
2025-08-26: Corrected Download and Article links in the Security Updates table. This is an informational change only.