CVE-2025-49694: 
vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-49694 was discovered in the Microsoft Brokering File System. The vulnerability, disclosed on July 8, 2025, involves a null pointer dereference that allows an authorized attacker to elevate privileges locally. This security flaw affects multiple Microsoft Windows versions including Windows Server 2025, Windows 11 24H2, and Windows Server 2022 23H2 (NVD, CVE).

The vulnerability is classified as a NULL Pointer Dereference (CWE-476) with a CVSS v3.1 Base Score of 7.8 (HIGH). The attack vector is local (AV:L) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U), with high impact on confidentiality (C:H), integrity (I:H), and availability (A:H) (NVD).

If successfully exploited, this vulnerability allows an authorized attacker with low privileges to elevate their privileges locally on the affected system. This could potentially give the attacker full control over the affected system, impacting the confidentiality, integrity, and availability of the system (NVD).

Microsoft has released security updates to address this vulnerability. The fixes are available through KB5062553 for Windows 11 24H2 and Windows Server 2025, and KB5062570 for Windows Server 2022 23H2 (Rapid7).