Microsoft disclosed elevation-of-privilege flaws in Visual Studio and Windows SDK
Microsoft published Security Update Guide entries for multiple elevation-of-privilege vulnerabilities affecting developer tooling, including Visual Studio and the Windows SDK. The referenced issues include CVE-2025-55240 and CVE-2024-49044 in Visual Studio, as well as CVE-2025-47962 in the Windows SDK, indicating that software used to build and maintain applications was impacted rather than a single end-user product.
The disclosures appeared across both vulnerability and advisory pages in Microsoft's update portal, with CVE-2024-49044 listed in both formats. While the entries provided no public synopsis in the referenced material, the classification of all three flaws as elevation-of-privilege bugs signals a risk that an attacker could gain higher permissions through affected development environments, making patch review and remediation in enterprise developer workstations a priority.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes advisory for CVE-2025-55240 in Visual Studio
Microsoft listed CVE-2025-55240 in its Security Update Guide as a Visual Studio elevation of privilege vulnerability. No additional synopsis details are provided in the reference.
Microsoft publishes advisory for CVE-2025-47962 in Windows SDK
Microsoft published CVE-2025-47962 in its Security Update Guide as a Windows SDK elevation of privilege vulnerability. This marks Microsoft's disclosure of the vulnerability.
Microsoft publishes advisory for CVE-2024-49044 in Visual Studio
Microsoft added CVE-2024-49044 to its Security Update Guide as a Visual Studio elevation of privilege vulnerability. The advisory and vulnerability pages indicate public disclosure of the issue by Microsoft.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2025-47962 - Security Update Guide - Microsoft - Windows SDK Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-49044 - Security Update Guide - Microsoft - Visual Studio Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2024-49044 - Security Update Guide - Microsoft - Visual Studio Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceCVE-2025-55240 - Security Update Guide - Microsoft - Visual Studio Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft discloses multiple elevation-of-privilege flaws across Windows and developer tools
Microsoft published security advisories for several **elevation-of-privilege** vulnerabilities affecting Windows components and related software, including **Microsoft PC Manager** (`CVE-2025-21322`), **Windows Installer** (`CVE-2025-21331`, `CVE-2025-21373`), **Visual Studio** (`CVE-2025-49739`), **.NET** (`CVE-2025-55247`), **Windows Health and Optimized Experiences** (`CVE-2025-59241`), and **Host Process for Windows Tasks** (`CVE-2025-60710`). Microsoft also lists an earlier **Windows Storage** privilege-escalation issue, `CVE-2023-36399`, in its security guidance portal. The advisories provide limited public detail beyond product names and vulnerability class, but the grouping indicates broad exposure across both endpoint and developer environments where successful exploitation could allow an attacker to gain higher privileges on a target system. Organizations using affected Microsoft software should review the corresponding Security Update Guide entries, prioritize patch validation for Windows and developer-tooling assets, and assess whether privilege-escalation paths could be chained with other flaws or post-compromise activity.
May 25, 2026
Microsoft disclosed multiple Windows, IIS, and .NET elevation of privilege flaws
Microsoft published security advisories for several **elevation of privilege** vulnerabilities affecting core enterprise technologies, including **Win32k** (`CVE-2023-36732`, `CVE-2023-24902`), **Windows IIS Server** (`CVE-2023-36434`), and **.NET** (`CVE-2026-26131`). The issues span both operating system and application server components, indicating potential paths for attackers to gain higher privileges after initial access on Windows-based environments. The advisories were released through Microsoft's Security Update Guide and portal, signaling that organizations running affected Windows desktops, servers, web infrastructure, or .NET workloads should review product exposure and apply the relevant security updates. For defenders, the concentration of privilege-escalation bugs across **Win32k**, **IIS**, and **.NET** underscores the need to prioritize patching on systems where local access, web server compromise, or application-layer abuse could be leveraged to obtain elevated permissions.
May 25, 2026
Microsoft Fixes Visual Studio Code Elevation of Privilege Flaws
Microsoft disclosed and patched multiple **elevation of privilege** vulnerabilities affecting **Visual Studio Code** and its **JS Debug Extension**, including `CVE-2025-24039`, `CVE-2025-24042`, and `CVE-2026-41613`. The latest issue, `CVE-2026-41613`, is rated **Important** with a **CVSS 3.1 score of 8.8** and is described as a **session fixation** flaw mapped to `CWE-384` and `CWE-78`. Microsoft said the vulnerability affects Visual Studio Code itself, while the earlier 2025 advisories cover separate privilege-escalation bugs in the core product and the JS Debug Extension. According to Microsoft, exploitation of `CVE-2026-41613` requires **user interaction**, specifically convincing a target to open a malicious file in VS Code, and could allow an attacker to obtain the permissions of the **MCP Server’s managed identity**. Microsoft said the flaw was **not publicly disclosed** and **not exploited** at the time of release, assessed exploitation as **less likely**, and made a fix available; the issue was credited to **Elad Luz of Oasis Security** through coordinated disclosure.
May 25, 2026