CVE-2025-47969: 
vulnerability analysis and mitigation

CVE-2025-47969 is an Information Disclosure vulnerability affecting Windows Hello's Virtualization-Based Security (VBS) component. The vulnerability was disclosed on June 10, 2025, as part of Microsoft's June 2025 Patch Tuesday updates. This security flaw allows an authorized attacker to disclose sensitive information locally on affected Windows systems (Wiz).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.4 (MEDIUM) with the following vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires local access, low attack complexity, high privileges, and no user interaction. The scope is unchanged, with high impact on confidentiality but no impact on integrity or availability. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD, Wiz).

The vulnerability allows an authorized attacker with local access to disclose sensitive information from the Windows Hello system. The impact is limited to confidentiality breaches, with no direct effect on system integrity or availability (NVD, Wiz).

Microsoft has released a security update to address this vulnerability as part of the June 2025 Patch Tuesday updates. Organizations and users are advised to apply the security update to affected systems (Wiz).