CVE-2025-47985

Published Jul 8, 2025

Last updated a year ago

CVSS high 7.8
Windows Event Tracing

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-47985 is a vulnerability identified as an untrusted pointer dereference within Windows Event Tracing. This flaw allows an authorized attacker to elevate their privileges locally on an affected system. The vulnerability is rooted in CWE-822 and can be exploited by crafting malicious local procedure call (LPC) messages containing unvalidated pointers. When processed, these pointers enable arbitrary read/write operations in kernel memory space, facilitating privilege escalation from a standard user context to SYSTEM-level authority.

Description
Untrusted pointer dereference in Windows Event Tracing allows an authorized attacker to elevate privileges locally.
Source
secure@microsoft.com
NVD status
Analyzed
Products
windows_10_1507, windows_10_1607, windows_10_1809, windows_10_21h2, windows_10_22h2, windows_11_22h2, windows_11_23h2, windows_11_24h2, windows_server_2008, windows_server_2012, windows_server_2016, windows_server_2019, windows_server_2022, windows_server_2022_23h2, windows_server_2025

Risk scores

CVSS 3.1

Type
Primary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-822

Social media

Hype score
Not currently trending

  1. ''(CVE-2025-47985) Windows Event Tracing Insufficient Validation Leading to Elevation of Privilege'' #infosec #pentest #redteam #blueteam https://t.co/zVvV3rZ8wR

    @CyberWarship

    25 May 2026

    1502 Impressions

    6 Retweets

    8 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  2. Some of the bugs I disclosed to MSRC last year is now public on the company's advisory page. E.g: CVE-2025-47985 Windows Event Tracing Elevation of Privilege https://t.co/G6eCy2E1kt

    @cplearns2h4ck

    19 Apr 2026

    5579 Impressions

    29 Retweets

    88 Likes

    29 Bookmarks

    3 Replies

    0 Quotes

Configurations

Related CVEs

  1. Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen. For example, if your organization’s employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited No, if you are using TPM+PIN the vulnerability is not exploitable.CVE-2026-45585
  2. Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.CVE-2026-42896
  3. Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.CVE-2026-42825
  4. Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.CVE-2026-41097
  5. Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.CVE-2026-41096

References

Sources include official advisories and independent security research.