Multiple vulnerabilities in Microsoft Windows Hello
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2025-26635 CVE-2025-26644 |
| CWE-ID | CWE-287 CWE-1039 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU107244
Risk: Low
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-26635
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass authentication process.
The vulnerability exists due to an error when processing authentication requests in Windows Hello. A remote administrator can bypass the Windows Hello security feature.
MitigationInstall update from vendor's website.
Vulnerable software versionsWindows: 10 21H2 10.0.19041.3920 - 11 23H2 10.0.22631.5039
Windows Server: 2012 R2 6.3.9600.21871 - 2022 23H2 10.0.25398.1486
CPE2.3- cpe:2.3:o:microsoft:windows:10:21H2_10.0.19041.3920:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19043.4529:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1147:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1149:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1151:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1165:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1200:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1263:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server:2012_R2:6.3.9600.21871:*:*:*:*:*:*
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26635
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
EUVDB-ID: #VU107245
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-26644
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform spoofing attack.
The vulnerability exists due to automated recognition mechanism with inadequate detection or handling of adversarial input perturbations in Windows Hello. A local attacker can spoof page content.
MitigationInstall update from vendor's website.
Vulnerable software versionsWindows: 10 21H2 10.0.19041.3920 - 11 24H2 10.0.26100.3476
Windows Server: 2012 R2 6.3.9600.21871 - 2025 10.0.26100.3476
CPE2.3- cpe:2.3:o:microsoft:windows:10:21H2_10.0.19041.3920:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19043.4529:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1147:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1149:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1151:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1165:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1200:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1263:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows:10_21H2:10.0.19044.1266:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server:2012_R2:6.3.9600.21871:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server:2012_R2:6.3.9600.21924:*:*:*:*:*:*
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26644
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
