CVE-2025-26635: 
vulnerability analysis and mitigation

A security vulnerability identified as CVE-2025-26635 was discovered in Windows Hello, Microsoft's biometric authentication system. The vulnerability was disclosed on April 8, 2025, and involves a weak authentication mechanism that could potentially allow an authorized attacker to bypass security features over a network (NVD, CVE Mitre).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N. The weakness has been categorized under CWE-1390 (Weak Authentication). The vulnerability is network-exploitable and requires high privileges but no user interaction (NVD).

The vulnerability affects the confidentiality and integrity of the system, with potential high impacts in both areas, though availability is not affected. The CVSS scoring indicates that while the vulnerability is serious, it requires high privileges to exploit, which somewhat limits its potential impact (Rapid7).

Microsoft has released security updates to address this vulnerability across multiple Windows versions, including Windows 10 (versions 1809, 21H2, 22H2), Windows 11 (versions 22H2, 23H2), Windows Server 2019, and Windows Server 2022 (versions 21H2, 22H2, 23H2). The fixes are available through various KB updates including KB5055518, KB5055519, KB5055526, KB5055527, and KB5055528 (Rapid7).