CVE-2025-29975: 
vulnerability analysis and mitigation

CVE-2025-29975 is a security vulnerability discovered in Microsoft PC Manager that involves improper link resolution before file access (link following). The vulnerability was initially disclosed on May 13, 2025, affecting Microsoft PC Manager versions prior to 3.16.1.0. This security flaw was assigned a CVSS v3.1 base score of 7.8 (High) (NVD, Wiz).

The vulnerability has been categorized as CWE-59 (Improper Link Resolution Before File Access) with a CVSS v3.1 vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical assessment indicates that exploitation requires local access (AV:L), features low attack complexity (AC:L), needs low privileges (PR:L), and requires no user interaction (UI:N). The scope is unchanged (S:U), with high impact potential across confidentiality, integrity, and availability (C:H/I:H/A:H) (NVD).

The successful exploitation of this vulnerability enables an authorized attacker with local access to elevate their privileges on the affected system. This could result in complete system compromise, allowing unauthorized access to sensitive data, modification of system settings, and execution of arbitrary commands with elevated privileges (NVD, ZDI).

Microsoft has released a security update to address this vulnerability. Users are strongly advised to upgrade to Microsoft PC Manager version 3.16.1.0 or later to mitigate the risk (NVD, Wiz).