CVE-2025-27488: Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability

Description

Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally.

Classification

CVE ID: CVE-2025-27488

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.7

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Problem Types

CWE-798: Use of Hard-coded Credentials

Affected Products

Vendor: Microsoft

Product: Windows HLK for Windows Server 2025, Windows 11 HLK 24H2, Windows 10 HLK Version 1809, Windows 10 HLK version 21H1, Windows 11 HLK 22H2, Windows HLK for Windows Server 2022, Windows 10 HLK version 20H2, Windows 10 HLK Version 22H2, Windows 10 HLK version 21H2, Windows HLK for Windows 10 version 2004, Windows HLK for Windows Server 2019

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 19.01% (proportion of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-04 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27488
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-27488

Timeline