CVE-2025-49730

Q: What is the severity of CVE-2025-49730?

CVE-2025-49730 has a CVSS score of 7.8 (HIGH). A Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in Microsoft Windows QoS scheduler allows authenticated attackers to escalate privileges locally. This affects Windows systems where an attacker can execute code with standard user privileges and exploit the race condition to gain SYSTEM-level access. Only Windows systems with the vulnerable QoS scheduler component are affected.

7.8 HIGH

📋 TL;DR

A Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in Microsoft Windows QoS scheduler allows authenticated attackers to escalate privileges locally. This affects Windows systems where an attacker can execute code with standard user privileges and exploit the race condition to gain SYSTEM-level access. Only Windows systems with the vulnerable QoS scheduler component are affected.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with QoS (Quality of Service) scheduler enabled are vulnerable. Most Windows installations have this enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation from standard user to SYSTEM, enabling attackers to bypass security controls, install backdoors, and access sensitive system resources.

🟢

If Mitigated

Limited impact with proper privilege separation, application control policies, and endpoint protection that can detect privilege escalation attempts.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Attackers with initial access to a Windows workstation or server can use this to escalate privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

TOCTOU race conditions require precise timing and may be challenging to exploit reliably. Requires authenticated access to the system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49730

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft. 2. Install the specific patch for CVE-2025-49730. 3. Restart the system as required.

🔧 Temporary Workarounds

Disable QoS Scheduler

windows

Disable the Quality of Service scheduler service to mitigate the vulnerability

sc config qwave start= disabled
sc stop qwave

🧯 If You Can't Patch

Implement strict application control policies to prevent unauthorized code execution
Use endpoint detection and response (EDR) solutions configured to alert on privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if QoS scheduler service (qwave) is running and verify Windows version against affected versions

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the latest Windows security updates are installed and check that the specific KB patch for CVE-2025-49730 is present

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with process creation from suspicious locations
Unexpected privilege escalation events in security logs
QoS scheduler service manipulation attempts

Network Indicators:

Unusual outbound connections following local privilege escalation

SIEM Query:

EventID=4688 AND (ProcessName="*qwave*" OR CommandLine="*qwave*") | stats count by host, user

📊 Metadata

CVE ID: CVE-2025-49730

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.53% exploit probability (66.5th percentile)

Published: July 8, 2025

Last Updated: July 16, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49730 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable QoS Scheduler

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities