Microsoft has confirmed a critical out-of-bounds vulnerability in the Desktop Window Manager (DWM) that allows local attackers to escalate privileges to SYSTEM on affected Windows systems.
The vulnerability, identified as CVE-2025-55681, resides in the dwmcore.dll component and impacts Windows 10, Windows 11, and related server editions worldwide.
| Product | Affected Versions |
|---|---|
| Windows 10 | All versions |
| Windows 11 | All versions |
| Windows Server 2016 | All versions |
| Windows Server 2019 | All versions |
| Windows Server 2022 | All versions |
| Windows Server 2025 | All versions |
Understanding the Vulnerability
The flaw exists within the CBrushRenderingGraphBuilder::AddEffectBrush function in the DWM core library.
A critical component responsible for rendering visual effects and managing graphics operations.
Attackers who gain local access to an affected system can exploit improper buffer handling to execute code with elevated privileges.
| Field | Details |
|---|---|
| CVE ID | CVE-2025-55681 |
| Vulnerability Type | Elevation of Privilege / Out of Bounds Memory Access |
| Component | dwmcore.dll (Desktop Windows Manager Core Library) |
| Affected Function | CBrushRenderingGraphBuilder::AddEffectBrush |
| CVSS v3.1 Score | 7.8 (High) |
| CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
The vulnerability requires no user interaction once initial system access is obtained.
Making it particularly dangerous in enterprise environments where multiple users share systems or where remote access solutions are deployed.
Security researchers demonstrated the vulnerability during the TyphoonPWN Windows security competition, where it achieved recognition for its exploitation reliability.
The vulnerability carries a CVSS v3.1 score of 7.8, indicating high severity. An authenticated attacker with low-level user privileges can bypass security controls and gain unrestricted system access.
Allowing installation of malware, modification of system configurations, or theft of sensitive data. The exploit works most reliably on Windows 11 systems but remains functional on Windows 10.
Though there is reduced stability due to different heap memory management implementations in older Windows versions. Microsoft has released security patches to address this vulnerability as part of its regular security updates.
According to SSD-Disclosure reports, organizations should apply patches immediately to all affected Windows systems. Until patches are deployed, administrators should restrict opportunities for local code execution by implementing strict access controls.
Turning off unnecessary services and enforcing the principle of least privilege across user accounts.
System administrators are urged to prioritize deploying this critical update, given the severe nature of the privilege escalation impact and the low complexity required for exploitation.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
