CVE-2025-59033
BaseFortify
Publication date: 2025-09-08
Last updated on: 2025-11-17
Assigner: MITRE
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-420 | The product protects a primary channel, but it does not use the same level of protection for an alternate channel. |
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Microsoft vulnerable driver blocklist, which is implemented as a Windows Defender Application Control (WDAC) policy. On Windows systems without Hypervisor-Protected Code Integrity (HVCI) enabled, blocklist entries that identify a driver by the TBS (to-be-signed) hash of its signing certificate combined with a 'FileAttribRef' qualifier (such as file name or version) are not enforced. Vulnerable or malicious drivers that those entries are meant to block can therefore still load, potentially allowing exploitation. The blocklist is intended to be used with HVCI enabled; systems without HVCI require a more granular approach using App Control policies to enforce blocking properly. [1]
How can this vulnerability impact me?
If your Windows system does not have HVCI enabled or supported, vulnerable or malicious kernel drivers that should be blocked may still load due to improper enforcement of the driver blocklist. This can allow attackers to exploit these drivers to execute malware with elevated privileges in the Windows kernel, potentially leading to privilege escalation, system compromise, or other security breaches. Systems with HVCI enabled are protected as intended by the blocklist. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying whether Hypervisor-Protected Code Integrity (HVCI) is enabled on the system, as the vulnerability affects systems without HVCI enabled or supported. You can check HVCI status using PowerShell commands such as `Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard` to query virtualization-based security and memory integrity status. Additionally, you can use the Windows Security app under Device Security > Core Isolation > Memory Integrity to check if HVCI is enabled. For verifying the application of the vulnerable driver blocklist policy, you can use Event Viewer to filter for event ID 3099 under CodeIntegrity logs, which confirms policy application. No specific network commands are provided for detection. [1, 2]
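The HVCI check and the event-log query described above, as an added PowerShell example (not code from the BaseFortify page or from Microsoft). It reads the `Win32_DeviceGuard` class named in the answer and then pulls policy-activation events (ID 3099) from the Code Integrity operational log. The block- and audit-event IDs 3077 and 3076 in the last step are not mentioned on the page; they are the standard Code Integrity enforcement and audit events and are included so a defender can see whether the blocklist is actually stopping drivers. Run it in an elevated session.

```powershell
# Added example, not from the page. Checks HVCI (Memory Integrity) state and
# lists Code Integrity events relevant to the vulnerable driver blocklist.

# 1. HVCI status from the Device Guard CIM class quoted in the answer above.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# SecurityServicesRunning / SecurityServicesConfigured are arrays of service codes;
# code 2 is Hypervisor-enforced Code Integrity.
$hvciConfigured = $dg.SecurityServicesConfigured -contains 2
$hvciRunning    = $dg.SecurityServicesRunning    -contains 2

[pscustomobject]@{
    VbsStatus      = $dg.VirtualizationBasedSecurityStatus     # 0 = off, 1 = enabled but not running, 2 = running
    HvciConfigured = $hvciConfigured
    HvciRunning    = $hvciRunning
    KernelCiPolicy = $dg.CodeIntegrityPolicyEnforcementStatus  # 0 = off, 1 = audit, 2 = enforced
} | Format-List

if (-not $hvciRunning) {
    Write-Warning "HVCI is not running: blocklist entries that pair a TBS hash with a FileAttribRef are not enforced on this host."
}

# 2. Policy activation events (ID 3099) from the Code Integrity operational log,
#    which confirm that a WDAC / App Control policy was loaded.
$ciLog = 'Microsoft-Windows-CodeIntegrity/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $ciLog; Id = 3099 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. (Not on the page) ID 3077 is the enforcement-mode block event and ID 3076 the
#    audit-mode equivalent. Recent entries show which drivers the policy is catching.
Get-WinEvent -FilterHashtable @{ LogName = $ciLog; Id = 3076, 3077 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

`Get-WinEvent` reports "No events were found" as a non-terminating error when a filter matches nothing; the `-ErrorAction SilentlyContinue` keeps the script quiet in that case, so an empty table for step 2 means no policy activation has been logged, not that the query failed.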
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include enabling Hypervisor-Protected Code Integrity (HVCI), shown as Memory Integrity in the Windows Security app, which can be done via the Windows Security app (Device Security > Core Isolation > Memory Integrity), Group Policy, registry settings, or App Control for Business policies. If enabling HVCI is not feasible, Microsoft recommends applying the vulnerable driver blocklist using App Control for Business policies, starting in audit mode to monitor impact before enforcement. Additionally, enabling the Attack Surface Reduction (ASR) rule "Block abuse of exploited vulnerable signed drivers" helps prevent vulnerable drivers from being written to disk. Applying the latest vulnerable driver blocklist policy involves downloading the policy files, placing them in `%windir%\system32\CodeIntegrity`, running the policy refresh tool, and rebooting the system so the blocklist takes effect. Careful testing is advised to avoid system malfunctions or blue screens. [1, 2]
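The mitigation sequence above, as an added PowerShell example (not code from the page, from Microsoft, or from BaseFortify). It enables HVCI through the registry, stages the blocklist policy in `%windir%\system32\CodeIntegrity` (audit build first, as the answer recommends), runs the refresh tool, and turns on the ASR rule. The extraction paths under `C:\Temp` are assumptions; the policy file names and the refresh tool name are those used in Microsoft's published blocklist package as the author of this example recalls them and should be checked against the files actually downloaded. The ASR rule id is the one Microsoft assigns to "Block abuse of exploited vulnerable signed drivers". Run elevated.

```powershell
# Added example, not from the page. Applies the three mitigations discussed above.

# A. Enable HVCI / Memory Integrity via the registry (effective after reboot).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
New-Item -Path $hvciKey -Force | Out-Null
Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord

# B. If HVCI cannot be enabled, deploy the blocklist as an App Control policy.
#    Stage the audit build first and watch the Code Integrity log before switching
#    to the enforced build. Source paths are assumed; file names come from the
#    Microsoft package and should be verified after extraction.
$policySource = 'C:\Temp\VulnerableDriverBlockList\SiPolicy_Audit.p7b'   # later: SiPolicy_Enforced.p7b
$policyDest   = Join-Path $env:windir 'System32\CodeIntegrity\SiPolicy.p7b'
Copy-Item -Path $policySource -Destination $policyDest -Force

# Refresh the active policy without waiting for a reboot (tool location assumed).
$refreshTool = 'C:\Temp\RefreshPolicy(AMD64).exe'
if (Test-Path $refreshTool) {
    & $refreshTool
} else {
    Write-Warning "Policy refresh tool not found at $refreshTool; the policy will load on next boot."
}

# C. ASR rule "Block abuse of exploited vulnerable signed drivers".
#    Requires Microsoft Defender real-time protection to be active.
$asrVulnDrivers = '56a863a9-875e-4185-98a7-b882c64b5ce5'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrVulnDrivers `
                 -AttackSurfaceReductionRules_Actions Enabled

# D. Confirm the rule is registered, then reboot so HVCI and the policy take effect.
$ids = (Get-MpPreference).AttackSurfaceReductionRules_Ids
if ($ids -contains $asrVulnDrivers) {
    Write-Host "ASR vulnerable-driver rule enabled."
} else {
    Write-Warning "ASR rule not reported by Get-MpPreference; check Defender status."
}
Restart-Computer -Confirm
```

Step B writes the audit build on purpose: the 3076 audit events it produces show which drivers the enforced build would block, which is the evidence needed before replacing the file with the enforced build and repeating the copy and refresh. The registry change in step A is the same setting the Windows Security toggle writes; on a host whose hardware or drivers do not support HVCI it will be reported as configured but not running by `Win32_DeviceGuard`.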