Windows Hardware Lab Kit
CVE-2025-27488 — Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability
Executive Summary
Use of hard-coded credentials in Windows Hardware Lab Kit allows an authorized attacker to elevate privileges locally.
Overview
6.7
CVSS MEDIUM
Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
CVSS Vector
ATTACK VECTOR
Local
ATTACK COMPLEXITY
Low
PRIVILEGES REQUIRED
High
USER INTERACTION
None
SCOPE
Unchanged
Temporal Score: 5.8
EPSS Score
0.00364
probability of exploitation in the next 30 days
0.28123 percentile - updated 2026-06-20
View on FIRST.org
Affected Products
11 affected products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Windows 10 HLK version 20H2 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows 10 HLK version 21H1 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows 10 HLK version 21H2 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows 10 HLK Version 22H2 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows 11 HLK 22H2 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows 11 HLK 24H2 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows HLK for Windows 10 version 2004 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows HLK for Windows Server 2019 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows HLK for Windows Server 2022 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows HLK for Windows Server 2025 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
| Windows HLK Version 1809 | Release Notes (Security Update) |
Important | Elevation of Privilege | Maybe |
Patches
1 patch
| Article | Type | Restart |
|---|---|---|
Release Notes |
Security Update | Maybe |
Known Exploits
No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.
Acknowledgments
Microsoft
References
On This Page