CVE-2025-47993: 
vulnerability analysis and mitigation

Microsoft PC Manager contains an improper access control vulnerability identified as CVE-2025-47993, discovered and disclosed on July 8, 2025. The vulnerability affects various Microsoft Windows systems including Windows Server 2025, Windows 11 24H2, and Windows Server 2022 23H2 versions prior to specific security updates (NVD).

The vulnerability exists within the MSPCManagerService service, where the service loads a file from an unsecured location. This security flaw has been classified with a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is categorized under CWE-284 (Improper Access Control) (ZDI, NVD).

If successfully exploited, this vulnerability allows an attacker to escalate privileges and execute arbitrary code in the context of SYSTEM, potentially gaining complete control over the affected system (ZDI).

Microsoft has released security updates to address this vulnerability. Users are advised to apply the latest security patches available through the Microsoft Security Response Center (MSRC).

The vulnerability was initially reported to Microsoft on March 12, 2025, by security researcher Filip Dragovic (@filip_dragovic), leading to a coordinated public release on July 8, 2025 (ZDI).