CVE-2025-26644
📋 TL;DR
This vulnerability in Windows Hello's automated recognition mechanism allows an unauthorized local attacker to bypass facial or fingerprint authentication through carefully crafted adversarial inputs. It affects Windows systems using Windows Hello for biometric authentication. Attackers must have physical or local access to the target device.
💻 Affected Systems
- Windows Hello
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of Windows Hello biometric authentication allowing unauthorized access to the device and potentially sensitive data stored locally.
Likely Case
Local attacker gains unauthorized access to a Windows device by spoofing biometric authentication when they have physical access.
If Mitigated
Attack fails due to additional authentication factors or physical security controls preventing device access.
🎯 Exploit Status
Requires local access and specialized knowledge of adversarial machine learning techniques to craft input perturbations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26644
Restart Required: Yes
Instructions:
1. Open Windows Update settings.
2. Check for updates.
3. Install all available security updates.
4. Restart the computer when prompted.
🔧 Temporary Workarounds
Disable Windows Hello biometric authentication
Windows: Switch to PIN or password authentication only
Settings > Accounts > Sign-in options > Remove Windows Hello
Require additional authentication factor
Windows: Enable multi-factor authentication for device sign-in
Settings > Accounts > Sign-in options > Configure Windows Hello for Business
🧯 If You Can't Patch
- Implement strict physical security controls to prevent unauthorized device access
- Use BitLocker encryption with TPM protection to mitigate data access if device is compromised
🔍 How to Verify
Check if Vulnerable:
Check the Windows version and installed updates against the Microsoft advisory
Check Version:
winver
Verify Fix Applied:
Verify latest security updates are installed and Windows Hello functions normally
📡 Detection & Monitoring
Log Indicators:
- Multiple failed Windows Hello authentication attempts followed by a successful login
- Unusual login patterns from the same device
Network Indicators:
- None: this is a local authentication bypass
SIEM Query:
EventID=4625 (failed logon) with Authentication Package MICROSOFT_AUTHENTICATION_PACKAGE_V1_0, followed by EventID=4624 (successful logon) from the same source
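The SIEM query above describes a sequence (a burst of 4625 failures, then a 4624 success on the same device) rather than a single event. The following is an added example, not part of the original advisory or any Microsoft tooling, that implements that correlation in plain Python over a small set of constructed Security-log records. The field names (`time`, `event_id`, `computer`, `user`, `auth_package`), the failure threshold of 3 and the 5-minute window are assumptions chosen for the example; tune them to your environment before using the logic in a real pipeline.

```python
from datetime import datetime, timedelta

MSV1_0 = "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"

# Constructed sample events (not real logs). Each dict holds the minimal
# fields of a Security log entry that the correlation needs.
SAMPLE_EVENTS = [
    # WS01: three failures then a success within five minutes -> alert
    {"time": "2025-04-08T08:00:05", "event_id": 4625, "computer": "WS01", "user": "alice", "auth_package": MSV1_0},
    {"time": "2025-04-08T08:00:12", "event_id": 4625, "computer": "WS01", "user": "alice", "auth_package": MSV1_0},
    {"time": "2025-04-08T08:00:20", "event_id": 4625, "computer": "WS01", "user": "alice", "auth_package": MSV1_0},
    {"time": "2025-04-08T08:00:31", "event_id": 4624, "computer": "WS01", "user": "alice", "auth_package": MSV1_0},
    # WS02: a single failure (e.g. a mistyped PIN) then success -> below threshold, no alert
    {"time": "2025-04-08T09:15:00", "event_id": 4625, "computer": "WS02", "user": "bob", "auth_package": MSV1_0},
    {"time": "2025-04-08T09:15:09", "event_id": 4624, "computer": "WS02", "user": "bob", "auth_package": MSV1_0},
    # WS03: three failures, but the success comes half an hour later -> outside window, no alert
    {"time": "2025-04-08T10:00:00", "event_id": 4625, "computer": "WS03", "user": "carol", "auth_package": MSV1_0},
    {"time": "2025-04-08T10:00:10", "event_id": 4625, "computer": "WS03", "user": "carol", "auth_package": MSV1_0},
    {"time": "2025-04-08T10:00:20", "event_id": 4625, "computer": "WS03", "user": "carol", "auth_package": MSV1_0},
    {"time": "2025-04-08T10:30:00", "event_id": 4624, "computer": "WS03", "user": "carol", "auth_package": MSV1_0},
]


def find_bypass_candidates(events, auth_package=MSV1_0, min_failures=3, window=timedelta(minutes=5)):
    """Return one alert per 4624 that was preceded, on the same computer and
    within `window`, by at least `min_failures` 4625 events using `auth_package`.

    A successful logon resets the failure chain for that computer, so a long
    string of failures is only counted against the first success that follows it.
    """
    alerts = []
    recent_failures = {}  # computer -> list of failure timestamps still inside the window

    # Process in chronological order so "followed by" is evaluated correctly
    for event in sorted(events, key=lambda e: e["time"]):
        if event["auth_package"] != auth_package:
            continue
        when = datetime.fromisoformat(event["time"])
        failures = recent_failures.setdefault(event["computer"], [])

        if event["event_id"] == 4625:
            failures.append(when)
        elif event["event_id"] == 4624:
            # Only failures inside the look-back window count toward the threshold
            in_window = [f for f in failures if when - f <= window]
            if len(in_window) >= min_failures:
                alerts.append({
                    "computer": event["computer"],
                    "user": event["user"],
                    "failures": len(in_window),
                    "first_failure": in_window[0].isoformat(),
                    "success_time": event["time"],
                })
            failures.clear()  # a success closes the chain
    return alerts


if __name__ == "__main__":
    for alert in find_bypass_candidates(SAMPLE_EVENTS):
        print(alert)
```

The window and threshold are what keep this from firing on ordinary mistyped PINs (WS02) or on failures that are unrelated to the later success (WS03); when deploying the equivalent rule in a SIEM, pair it with the sign-in-method fields your log source exposes so that Windows Hello logons can be distinguished from password logons on the same host.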