CVE-2025-49658

5.5 MEDIUM

📋 TL;DR

This vulnerability allows a local authenticated attacker to read memory outside the intended buffer in Windows TDX.sys, potentially exposing sensitive information. It affects Windows systems with the Trusted Domain Extensions component enabled. Attackers need valid local credentials to exploit this flaw.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires TDX (Trusted Domain Extensions) component to be present and enabled. Most enterprise Windows deployments have this component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could read kernel memory containing sensitive data like credentials, encryption keys, or other protected information, leading to privilege escalation or further system compromise.

🟠

Likely Case

Information disclosure of kernel memory contents, potentially revealing system state or configuration details that could aid in developing further attacks.

🟢

If Mitigated

Limited information disclosure with no direct code execution or system control, though exposed data could facilitate other attacks.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring authenticated access to the system.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials could exploit this to gather information for lateral movement or privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local authenticated access and knowledge of memory layout. No public exploits available as of current information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49658

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart the system to complete the installation.
3. Verify the patch is applied using Windows Update history or system information.

🔧 Temporary Workarounds

Disable TDX component

Disable the Trusted Domain Extensions feature if not required for your environment

Disable via Windows Features or Group Policy: Turn off Windows Defender Credential Guard

🧯 If You Can't Patch

  • Implement strict access controls to limit local administrative privileges
  • Monitor for unusual local privilege escalation attempts and memory access patterns

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates. Systems without the security patch for CVE-2025-49658 are vulnerable.

Check Version:

wmic os get caption, version, buildnumber, csdversion

Verify Fix Applied:

Verify the security update is installed via Windows Update history or by checking system version against patched versions.
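The checks above can be scripted so the result is recorded per host rather than read off by hand. The following PowerShell is an added example and is not part of this advisory or any Microsoft tooling; it assumes you have looked up the KB number for this CVE in the MSRC advisory and replaced the placeholder, since the page does not give one. It reports the OS build (including the UBR, which distinguishes monthly cumulative updates), looks for the KB in installed hotfixes, and prints the file version of tdx.sys so you can compare it against the patched version listed in the advisory.

```powershell
# Added example (not from the advisory): verify OS build, installed KB and tdx.sys version.
# The KB number for CVE-2025-49658 is not given on this page; take it from the MSRC
# advisory and replace the placeholder below.
$KbForThisCve = 'KB0000000'   # PLACEHOLDER - replace with the KB from the MSRC advisory

# OS caption, version and build (the PowerShell equivalent of the wmic query above)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[PSCustomObject]@{
    Caption     = $os.Caption
    Version     = $os.Version
    BuildNumber = $os.BuildNumber
    # UBR (update build revision) changes with each cumulative update
    UBR         = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
} | Format-List

# Get-HotFix reads Win32_QuickFixEngineering, the same data shown in Windows Update history
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $KbForThisCve }
if ($installed) {
    "Update $KbForThisCve installed on $($installed.InstalledOn): patch for CVE-2025-49658 is present"
} else {
    "Update $KbForThisCve not found: treat this system as unpatched for CVE-2025-49658"
}

# The driver named in the advisory; compare its file version with the patched version in the MSRC entry
$tdx = Get-Item "$env:SystemRoot\System32\drivers\tdx.sys" -ErrorAction SilentlyContinue
if ($tdx) {
    "tdx.sys file version: $($tdx.VersionInfo.FileVersion)"
} else {
    "tdx.sys not present on this system"
}
```

Run it in an elevated PowerShell session on each host; the hotfix lookup is the authoritative check, and the build/UBR and driver version are there to cross-check against the advisory when Get-HotFix output is incomplete.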

📡 Detection & Monitoring

Log Indicators:

  • Unusual kernel memory access patterns
  • Failed attempts to access protected memory regions
  • Security event logs showing privilege escalation attempts

Network Indicators:

  • Not applicable - this is a local vulnerability

SIEM Query:

EventID=4688 OR EventID=4656 with process names accessing kernel memory regions
