Severity
High
Analysis Summary
Two significant privilege escalation vulnerabilities CVE-2025-62472 and CVE-2025-62474 were disclosed on December 9, 2025, affecting the Windows Remote Access Connection Manager across a wide range of supported Windows systems. Both flaws allow attackers with low-level local privileges to escalate to SYSTEM, the highest permission level on Windows. Because no additional user interaction is required after the initial access, these vulnerabilities pose elevated risks in enterprise environments with shared systems or compromised user accounts.
CVE-2025-62472 is rooted in the use of uninitialized resources within the Remote Access Connection Manager and is associated with CWE-908 (Uninitialized Resource) and CWE-416 (Use After Free). This memory-mismanagement pathway makes privilege escalation possible and contributes to the flaw’s CVSS score and Important severity rating. Microsoft’s exploitability assessment classifies it as “Exploitation More Likely,” indicating that attackers may find it easier to weaponize compared to the companion vulnerability. CVE-2025-62474, rated with the same CVSS score, results from Improper Access Control (CWE-284) in the same component and is categorized as “Exploitation Less Likely.”
Although both vulnerabilities require strictly local attack vectors, meaning the attacker must already be on the system, their impact is severe: successful exploitation immediately grants complete SYSTEM privileges. No confirmed active exploitation or public proof-of-concept code has been reported, and both vulnerabilities currently remain at the unproven exploit code maturity stage. Nevertheless, the lack of user interaction requirements and the potential for widespread lateral abuse elevate their importance, especially in environments with multiple user accounts or sensitive workloads.
Microsoft released patches for all supported Windows versions, spanning Windows Server 2016 through 2025, Windows 10 (including 1809 and 22H2), and Windows 11 (23H2 and 24H2), on the same day as disclosure. Relevant KB updates such as KB5072033, KB5072014, KB5071547, KB5071417, KB5071546, and others address these issues across build numbers including 26100.7462, 20348.4529, 19045.6691, and more. Organizations are strongly advised to apply these updates immediately, prioritizing systems that manage sensitive operations or host multiple users. The availability of verified fixes provides timely protection against these high-impact privilege escalation threats.
Impact
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
CVE-2025-62472
CVE-2025-62474
Affected Vendors
Remediation
- Apply Microsoft’s December 9, 2025 security updates immediately across all affected Windows versions, including Windows 10, Windows 11, and Windows Server editions (2016–2025).
- Prioritize patching high-risk systems, especially multi-user servers, remote-access endpoints, and systems handling sensitive workloads.
- Verify installation of the appropriate KB updates, such as KB5072033, KB5072014, KB5071547, KB5071544, KB5071546, KB5071417, and others tied to your Windows build.
- Confirm Windows build numbers after patching to ensure updates applied correctly (e.g., 10.0.26100.7462, 10.0.20348.4529, 10.0.19045.6691).
- Enable strict least-privilege policies to limit the number of accounts with local system access, reducing the attack surface for privilege escalation.
- Monitor for unusual privilege elevation attempts, especially processes interacting with the Remote Access Connection Manager service.
- Audit local user accounts regularly to identify compromised, unused, or misconfigured accounts that could be leveraged in local exploitation.
- Review endpoint protection and logging policies to ensure detection of suspicious local behavior, including memory manipulation or unauthorized service interaction.
- Harden local device access controls, such as requiring stronger authentication and limiting physical or remote local-session access.
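The following PowerShell script is an added example for the KB-verification and build-confirmation steps above; it is not part of the advisory and not Microsoft's tooling. It reads the local build and UBR from the registry, compares them against the three patched build numbers quoted in this advisory, checks whether any of the listed KBs is installed, and reports the state of the Remote Access Connection Manager service (service name RasMan). The build-to-UBR mapping is assumed from the numbers on this page only; builds not listed here are reported as not covered rather than guessed.

```powershell
# Added example: local patch-level check for the December 9, 2025
# Remote Access Connection Manager fixes (CVE-2025-62472 / CVE-2025-62474).
# Not the advisory's or Microsoft's code. Build and KB values come from the
# advisory text; nothing else is inferred.

# Patched (CurrentBuildNumber -> minimum UBR) pairs quoted in the advisory.
# Assumption: these three are the only builds the page names, so any other
# build is reported as 'NotCovered' instead of being judged.
$PatchedBuilds = @{
    '26100' = 7462   # 10.0.26100.7462
    '20348' = 4529   # 10.0.20348.4529
    '19045' = 6691   # 10.0.19045.6691
}

# KB identifiers listed in the advisory's remediation section.
$AdvisoryKBs = 'KB5072033', 'KB5072014', 'KB5071547',
               'KB5071544', 'KB5071546', 'KB5071417'

function Get-OsBuildInfo {
    # CurrentBuildNumber is the major build; UBR is the cumulative-update revision.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion   # absent on older builds; stays $null
        Build          = [string]$cv.CurrentBuildNumber
        UBR            = [int]$cv.UBR
    }
}

function Test-RasManPatchLevel {
    param(
        [hashtable]$Patched  = $PatchedBuilds,
        [string[]] $KnownKBs = $AdvisoryKBs
    )

    $os = Get-OsBuildInfo

    # Get-HotFix queries Win32_QuickFixEngineering; the build/UBR comparison
    # below is the authoritative check, the KB match is a secondary confirmation.
    $installedKBs = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -in $KnownKBs } |
        Select-Object -ExpandProperty HotFixID

    if ($Patched.ContainsKey($os.Build)) {
        $requiredUbr = $Patched[$os.Build]
        $status = if ($os.UBR -ge $requiredUbr) { 'Patched' } else { 'Vulnerable' }
    } else {
        $requiredUbr = $null
        $status = 'NotCovered'   # build not listed in the advisory; check vendor guidance
    }

    $rasman = Get-Service -Name 'RasMan' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Product       = $os.ProductName
        Version       = $os.DisplayVersion
        Build         = "10.0.$($os.Build).$($os.UBR)"
        RequiredUBR   = $requiredUbr
        MatchingKBs   = ($installedKBs -join ', ')
        Status        = $status
        RasManService = if ($rasman) { $rasman.Status } else { 'NotPresent' }
    }
}

# Usage: run locally, or push the whole file to remote hosts with
#   Invoke-Command -ComputerName srv01, srv02 -FilePath .\Check-RasManPatch.ps1
Test-RasManPatchLevel | Format-List
```

A host reports `Patched` only when its UBR meets or exceeds the value the advisory gives for that build; a `Vulnerable` result with an empty `MatchingKBs` field is the case to escalate first, and `NotCovered` means the build is outside the three numbers quoted here and must be checked against the full Microsoft release notes rather than assumed safe.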