Microsoft Patches Multiple Windows Elevation-of-Privilege Flaws in Networking Components
Microsoft disclosed and patched several Windows elevation-of-privilege vulnerabilities affecting networking-related components, including Windows Remote Access Connection Manager, Windows SMB Server, and Network Connection Status Indicator (NCSI). The issues tracked as CVE-2025-62474, CVE-2025-62472, CVE-2025-47955, CVE-2025-59201, and CVE-2025-58726 could allow attackers with limited access to gain higher privileges on targeted systems, extending a pattern of privilege-escalation risk previously seen in the same Remote Access Connection Manager component with CVE-2022-21914.
Among the disclosed flaws, Microsoft provided additional detail for CVE-2025-58726, describing an Important improper access control issue in Windows SMB Server that can let an authorized low-privilege attacker elevate to SYSTEM over the network by coercing a victim machine to authenticate to an attacker-controlled SMB server using a specially crafted script. Microsoft assigned the bug CWE-284 and a CVSS v3.1 score of 7.5, said exploitation required specific conditions involving an unused or nonexistent Service Principal Name on the target, and stated that the vulnerability was neither publicly disclosed nor exploited in the wild at publication and that a security fix was available.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisories for CVE-2025-62472 and CVE-2025-62474
Microsoft added CVE-2025-62472 and CVE-2025-62474 to the Security Update Guide as Windows Remote Access Connection Manager elevation of privilege vulnerabilities. Their publication marks formal disclosure by Microsoft on that date.
Microsoft publishes advisories for CVE-2025-58726 and CVE-2025-59201
Microsoft disclosed CVE-2025-58726, a Windows SMB Server elevation of privilege flaw, and CVE-2025-59201, a Network Connection Status Indicator elevation of privilege flaw, in its October 2025 Security Update Guide. For CVE-2025-58726, Microsoft said a fix was available and that the issue was neither publicly disclosed nor exploited in the wild at publication.
Microsoft publishes advisory for CVE-2025-47955
Microsoft published CVE-2025-47955 in the Security Update Guide as a Windows Remote Access Connection Manager elevation of privilege vulnerability. The reference indicates formal disclosure and update availability on that date.
Microsoft publishes advisory for CVE-2022-21914
Microsoft added CVE-2022-21914 to its Security Update Guide as a Windows Remote Access Connection Manager elevation of privilege vulnerability. The advisory publication indicates the vulnerability was formally disclosed by Microsoft on that date.
Sources
7 references tracked. Mallory keeps watching after this page renders.
CVE-2025-62472 - Security Update Guide - Microsoft - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-62474 - Security Update Guide - Microsoft - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-59201 - Security Update Guide - Microsoft - Network Connection Status Indicator (NCSI) Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-58726 - Security Update Guide - Microsoft - Windows SMB Server Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-58726 - Security Update Guide - Microsoft - Windows SMB Server Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-47955 - Security Update Guide - Microsoft - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2022-21914 - Security Update Guide - Microsoft - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
portal.msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft Patches Windows Elevation-of-Privilege Flaws in SMB Server and Projected File System
Microsoft published Security Update Guide advisories for multiple **Windows elevation-of-privilege (EoP)** vulnerabilities, including two affecting **Windows SMB Server** (**CVE-2026-24294** and **CVE-2026-26128**) and one affecting **Windows Projected File System (ProjFS)** (**CVE-2026-24290**). The SMB Server issues are associated with **CWE-287 (Improper Authentication)**, while the ProjFS issue is associated with **CWE-284 (Improper Access Control)**; all are rated **Important** with Microsoft-provided **CVSS v3.1** vectors indicating **local** exploitation conditions (e.g., `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`). Across the advisories, Microsoft’s scoring indicates an attacker would need **existing local access and low privileges** (`PR:L`) to exploit the flaws, with potential for **high impact to confidentiality, integrity, and availability** (`C:H/I:H/A:H`) if successfully leveraged for privilege escalation. One entry for **CVE-2026-24294** appears twice (a duplicate URL variant), but it describes the same SMB Server EoP vulnerability and does not add distinct technical details beyond the core advisory metadata (severity, weakness class, and CVSS vector).
Mar 21, 2026
Microsoft Patches Multiple Windows Elevation-of-Privilege Flaws Across Core Services
Microsoft published security updates for a series of Windows elevation-of-privilege vulnerabilities affecting components including **Core Messaging**, **CSC Service**, **Cryptographic Services**, **Win32k**, and the **COM+ Event System Service**. The referenced flaws include `CVE-2025-21378`, `CVE-2025-21184`, `CVE-2025-21414`, `CVE-2025-26634`, `CVE-2025-49727`, `CVE-2025-58725`, and `CVE-2025-62458`, indicating a broad set of local privilege-escalation issues across core Windows subsystems. Among them, Microsoft provided additional detail for `CVE-2026-40377`, an **Important** vulnerability in Microsoft Cryptographic Services caused by a heap-based buffer overflow. Microsoft said a locally authorized attacker with low privileges could exploit the flaw to gain **SYSTEM** privileges without user interaction; the issue received a **CVSS 3.1 score of 7.8**, was assessed as **less likely** to be exploited, and was **not publicly disclosed or exploited** at the time of publication. Microsoft said a fix was available and credited **Bruce Dang of Calif.io** for reporting the bug.
May 25, 2026
Microsoft Patches Multiple Windows Use-After-Free Privilege Escalation Flaws
Microsoft released fixes for several **Windows elevation-of-privilege vulnerabilities** affecting **Win32k**, **Windows Telephony Service**, **Desktop Window Manager**, and the **Windows Cloud Files Mini Filter Driver**. The disclosed flaws include `CVE-2026-34347`, `CVE-2026-42825`, `CVE-2026-27923`, and `CVE-2026-35418`, and are all tied to **use-after-free** conditions, with some cases also involving race conditions such as time-of-check time-of-use behavior. Microsoft said successful exploitation could let a locally authenticated attacker with low privileges gain **SYSTEM** access without user interaction. The vulnerabilities were rated **Important** with **CVSS 3.1 scores ranging from 7.0 to 7.8**, and Microsoft assessed exploitation as **less likely or unlikely** because several attacks require winning a race condition. At the time of disclosure, Microsoft reported **no public disclosure and no evidence of active exploitation** for the documented 2026 flaws, and stated that official security updates were available. Additional Microsoft advisories also reference related Windows and Microsoft Brokering File System elevation-of-privilege issues, including `CVE-2026-24285`, `CVE-2025-32712`, `CVE-2025-21372`, `CVE-2025-21315`, and `CVE-2025-59189`, though public technical details for those entries were limited.
May 25, 2026