Use of hard-coded credentials in Microsoft products - CVE-2025-27488
Published: May 16, 2025
Vulnerability identifier: #VU109250
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-27488
CWE-ID: CWE-798
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Hardware Lab Kit (HLK) for Windows Version 1809
Hardware Lab Kit (HLK) for Windows 10
Hardware Lab Kit (HLK) for Windows 11
Hardware Lab Kit (HLK) for Windows Server 2019
Hardware Lab Kit (HLK) for Windows Server 2022
Hardware Lab Kit (HLK) for Windows Server 2025
Hardware Lab Kit (HLK) for Windows Version 1809
Hardware Lab Kit (HLK) for Windows 10
Hardware Lab Kit (HLK) for Windows 11
Hardware Lab Kit (HLK) for Windows Server 2019
Hardware Lab Kit (HLK) for Windows Server 2022
Hardware Lab Kit (HLK) for Windows Server 2025
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to presence of hard-coded credentials in application code. A local user can execute arbitrary code with elevated privileges.
How to mitigate CVE-2025-27488
Install updates from vendor's website.