CVE-2025-59033

Microsoft · Microsoft Windows operating systems utilizing the Windows Defender Application Control (WDAC) vulnerable driver blocklist.

A critical remote code execution vulnerability exists in Microsoft Windows systems that use the Windows Defender Application Control (WDAC) feature.

Executive summary

A critical remote code execution vulnerability exists in Microsoft Windows systems that use the Windows Defender Application Control (WDAC) feature. This flaw allows an unauthenticated remote attacker to bypass the vulnerable driver blocklist on systems where Hypervisor-Protected Code Integrity (HVCI) is not enabled, leading to a complete system compromise. Successful exploitation could allow an attacker to take full control of affected servers and workstations without any user interaction.

Vulnerability

This vulnerability stems from an improper validation flaw in the enforcement of the Windows Defender Application Control (WDAC) vulnerable driver blocklist. On systems that do not have Hypervisor-Protected Code Integrity (HVCI) enabled, an unauthenticated attacker can send a specially crafted network packet to a vulnerable system service. This packet can trigger a driver load request that bypasses the WDAC policy check, allowing a known-vulnerable and blocked driver to be loaded into the kernel, resulting in remote code execution with SYSTEM privileges.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe and direct impact on business operations. A successful remote attack could lead to a complete system takeover, granting the adversary the ability to steal sensitive data, deploy ransomware, disrupt critical services, or use the compromised system as a pivot point for further attacks within the network. The lack of authentication or user interaction required for an attack significantly increases the risk to all internet-facing or otherwise accessible Windows systems.

Remediation

Immediate Action: Apply the latest security updates from Microsoft to the affected Windows components. The vendor's primary recommendation is to update the Windows Defender Application Control policy and related system files through the standard Windows Update process. After patching, continue to monitor for signs of exploitation and review system and security logs for anomalous driver-loading activity.

Proactive Monitoring: Security teams should proactively monitor for indicators of compromise. This includes monitoring Windows Event Logs, specifically the CodeIntegrity operational log (Event IDs 3076, 3077) for policy violations or unexpected driver load events. Implement EDR/XDR rules to alert on the loading of any drivers present on Microsoft's vulnerable driver blocklist. Network monitoring should be configured to detect unusual traffic patterns directed at core Windows services.

Compensating Controls: If patching cannot be immediately deployed, the following compensating controls can reduce the risk:

  • Enable HVCI: The vulnerability is only exploitable when Hypervisor-Protected Code Integrity (HVCI) is disabled. Enabling HVCI across the environment is a highly effective mitigating control.
  • Network Segmentation: Restrict network access to critical Windows systems from untrusted networks. Use host-based and network firewalls to limit exposure of system services.
  • Application Control: Ensure WDAC or other application control solutions are in audit or enforcement mode to detect or block unauthorized driver loads.
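The checks the Proactive Monitoring and Compensating Controls sections describe can be scripted. The following PowerShell is an added example written for this page, not code from Microsoft or from the advisory: it reports whether HVCI is running, whether the vulnerable driver blocklist switch is set, and lists recent CodeIntegrity audit (3076) and block (3077) events. The `VulnerableDriverBlocklistEnable` registry value and the `FileNameBuffer`/`ProcessNameBuffer` event fields are taken from Microsoft's documented CodeIntegrity configuration and event schema; run it from an elevated session on the host being assessed.

```powershell
# Added posture check for the two controls this advisory relies on (HVCI and the
# WDAC vulnerable driver blocklist), plus triage of CodeIntegrity driver events.
# Not part of the original advisory; assumes an elevated PowerShell session.

function Get-HvciState {
    # Win32_DeviceGuard: value 2 in SecurityServices* means HVCI (configured / running).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-VulnerableDriverBlocklistState {
    # Documented registry switch for Microsoft's vulnerable driver blocklist (1 = enabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    [pscustomobject]@{ BlocklistEnabled = ($item.VulnerableDriverBlocklistEnable -eq 1) }
}

function Get-CodeIntegrityDriverEvents {
    param([int]$Hours = 24)
    # 3076 = audit-mode policy violation, 3077 = enforced block, both in the
    # Microsoft-Windows-CodeIntegrity/Operational log referenced by the advisory.
    $filter = @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $mode = if ($_.Id -eq 3077) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Mode    = $mode
            File    = $data['FileNameBuffer']     # driver image that hit the policy
            Process = $data['ProcessNameBuffer']  # process that requested the load
        }
    }
}

$hvci = Get-HvciState
$bl   = Get-VulnerableDriverBlocklistState
if (-not $hvci.HvciRunning)  { Write-Warning 'HVCI is not running: host relies on the WDAC blocklist alone.' }
if (-not $bl.BlocklistEnabled) { Write-Warning 'Vulnerable driver blocklist is not enabled in CI\Config.' }
Get-CodeIntegrityDriverEvents -Hours 24 | Format-Table -AutoSize
```

Any 3077 event whose File path points at a driver from Microsoft's blocklist, or a 3076 event on a host that should be enforcing, is the "anomalous driver loading activity" the remediation section asks teams to review.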

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical risk to the organization and must be addressed with the highest priority. Due to the 9.8 CVSS score indicating a remote, unauthenticated, and low-complexity attack vector, immediate patching is strongly recommended for all affected Windows systems. Although CVE-2025-59033 is not currently on the CISA KEV list, its critical nature makes it a prime candidate for future inclusion and widespread exploitation. Organizations should treat this as an active threat and expedite remediation efforts or implement compensating controls, such as enabling HVCI, without delay.