Severity by source
Sources disagree (Medium–Critical)CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local unprivileged account required so AV:L/PR:L, no user interaction; missing ACL lets escalation cross from the driver into the guest OS (S:C) with full C/I/A loss.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorVendor: XEN
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.]
The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are:
- XenCons, CVE-2025-27462
- XenIface, CVE-2025-27463
- XenBus, CVE-2025-27464
AnalysisAI
Local privilege escalation in the Xen Windows PV Drivers (the XenCons paravirtualized console interface) lets any unprivileged user of a Windows guest reach a device object that ships with no security descriptor, so its facilities are fully accessible to non-administrators. Successful abuse can yield full compromise of the guest with integrity, confidentiality and availability impact, and the vendor scores it critical (CVSS 4.0 base 9.4) with subsequent-system impact. There is no public exploit identified at time of analysis and it is not on CISA KEV. This is one of three related XSA-468 issues (XenCons/CVE-2025-27462, XenIface/CVE-2025-27463, XenBus/CVE-2025-27464).
Technical ContextAI
Xen PV (paravirtualized) drivers are installed inside Windows guests running on the Xen hypervisor to provide fast disk, network, console and management channels between the guest and the host/toolstack. The affected interface here, XenCons, is the PV console facility exposed to userspace. The root cause maps to CWE-276 (Incorrect Default Permissions): the device object created by the driver has no security descriptor (DACL) attached, so Windows applies effectively open access and any unprivileged process in the guest can open and interact with a facility that should be restricted to privileged or system callers. The affected CPE is cpe:2.3:a:xen:windows_pv_drivers:*:*:*:*:*:*:*:* - i.e. the Xen-supplied Windows guest driver package, independent of the specific Windows version.
RemediationAI
Apply the corrected Xen Windows PV Drivers from Xen Security Advisory XSA-468 (https://xenbits.xen.org/xsa/advisory-468.html), which adds proper security descriptors to the affected device objects; no exact fixed version string is given in the provided data, so obtain the patched driver build referenced by XSA-468 rather than assuming a version number (Upstream fix available per vendor advisory; released patched version not independently confirmed here). Where immediate patching of a guest is not possible, compensating controls are limited because the exposure is inside the guest: restrict the set of users who can log in interactively or run code on affected Windows guests (reducing the pool of local unprivileged accounts that could abuse XenCons), and treat any multi-user or shell-hosting Windows guest on Xen as higher risk. Because the weakness is a missing ACL on a driver-created object, there is no safe in-guest configuration toggle to remove access without the patch, so prioritize deploying the corrected drivers across all Windows guests, including templates and golden images.
More in Windows Pv Drivers
View allLocal privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenBus interface (CVE-2025-2
Local privilege escalation in Xen's Windows PV (paravirtualized) drivers arises because the XenIface interface is expose
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Micro 5.3 | Not-Affected |
| SUSE Linux Enterprise Micro 5.4 | Not-Affected |
| SUSE Linux Enterprise Micro 5.5 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP6 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Not-Affected |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Not-Affected |
| SUSE Manager Proxy 4.3 | Not-Affected |
| SUSE Manager Proxy LTS 4.3 | Not-Affected |
| SUSE Manager Retail Branch Server 4.3 | Not-Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Not-Affected |
| SUSE Manager Server 4.3 | Not-Affected |
| SUSE Manager Server LTS 4.3 | Not-Affected |
| SUSE CaaS Platform 3.0 | Not-Affected |
| SUSE CaaS Platform 4.0 | Not-Affected |
| SUSE Enterprise Storage 6 | Not-Affected |
| SUSE Enterprise Storage 7 | Not-Affected |
| SUSE Enterprise Storage 7.1 | Not-Affected |
| SUSE Linux Enterprise Desktop 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 12 SP2 | Not-Affected |
| SUSE Linux Enterprise Desktop 12 SP3 | Not-Affected |
| SUSE Linux Enterprise Desktop 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15-ESPOS | Not-Affected |
| SUSE Linux Enterprise High Performance Computing 15-LTSS | Not-Affected |
| SUSE Linux Enterprise Micro 5.0 | Not-Affected |
| SUSE Linux Enterprise Micro 5.1 | Not-Affected |
| SUSE Linux Enterprise Micro 5.2 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Module for Server Applications 15 | Not-Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Point of Sale 12 SP2-CLIENT | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 11 SP4 LTSS | Not-Affected |
| SUSE Linux Enterprise Server 11 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP2 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP2-BCL | Not-Affected |
| SUSE Linux Enterprise Server 12 SP2-ESPOS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP3 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP3-BCL | Not-Affected |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | Not-Affected |
| SUSE Linux Enterprise Server 12 SP4-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-BCL | Not-Affected |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Not-Affected |
| SUSE Linux Enterprise Server 15-LTSS | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Not-Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Not-Affected |
| SUSE Linux Enterprise Software Development Kit 11 SP4 | Not-Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Not-Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Not-Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Not-Affected |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Not-Affected |
| SUSE Manager Proxy 4.0 | Not-Affected |
| SUSE Manager Proxy 4.1 | Not-Affected |
| SUSE Manager Proxy 4.2 | Not-Affected |
| SUSE Manager Retail Branch Server 4.0 | Not-Affected |
| SUSE Manager Retail Branch Server 4.1 | Not-Affected |
| SUSE Manager Retail Branch Server 4.2 | Not-Affected |
| SUSE Manager Server 4.0 | Not-Affected |
| SUSE Manager Server 4.1 | Not-Affected |
| SUSE Manager Server 4.2 | Not-Affected |
| SUSE OpenStack Cloud 7 | Not-Affected |
| SUSE OpenStack Cloud 8 | Not-Affected |
| SUSE OpenStack Cloud 9 | Not-Affected |
| SUSE OpenStack Cloud Crowbar 8 | Not-Affected |
| SUSE OpenStack Cloud Crowbar 9 | Not-Affected |
| openSUSE Leap 15.3 | Not-Affected |
| openSUSE Leap 15.4 | Not-Affected |
| openSUSE Leap 15.5 | Not-Affected |
| openSUSE Leap 15.6 | Not-Affected |
| openSUSE Leap Micro 5.2 | Not-Affected |
| openSUSE Leap Micro 5.3 | Not-Affected |
| openSUSE Leap Micro 5.4 | Not-Affected |
| openSUSE Leap Micro 5.5 | Not-Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210443
GHSA-8q95-g4m7-2crp