
Microsoft thanks Positive Technologies expert for helping to fix vulnerability in 17 operating systems

A vulnerability affecting several Windows operating systems has been resolved thanks to Marat Gayanov, an expert from the Positive Technologies Expert Security Center (PT ESC). The flaw could have allowed attackers to disable targeted devices. The vendor was notified of the issue in line with the responsible disclosure policy and has released updates for all 17 affected operating systems and their versions.

The vulnerability, CVE-2025-49686, was scored 7.8 on the CVSS 3.1 scale and impacted 17 operating systems, including Windows 10, Windows 11, and Windows Server 2025. Classified as a "null pointer dereference[1]," it could have resulted in a system denial of service. Users are advised to update their systems to the recommended versions as soon as possible. A full list of the patched versions is available in the official advisory.

Windows products account for 70% of the global computer operating system market. As of May 2025, 53% of the vendor’s customers were using Windows 10, while 43% were using Windows 11. Windows Server is the second most popular operating system for servers.

In June 2025, search engine data revealed over 1.5 million vulnerable, remotely accessible devices running Windows 11. Most of these devices are located in the U.S. (27%), followed by China (14%), Japan (8%), Germany (4%), and South Korea (4%).

Figure: Vulnerable Windows 11 systems accessible from the internet (%)

Marat Gayanov, Vulnerability Analysis Specialist at PT ESC, explains: "To exploit CVE-2025-49686, attackers would not have needed to elevate privileges or gain special access rights. They would only have had to trick a user into running a malicious program that exploits the vulnerability in the driver facilitating the communication between devices in the network.

The flaw caused access via an invalid pointer[2] and could have led to a program crash and, consequently, a system failure. As a result, access to corporate resources would have been restricted, potentially disrupting the organization’s operations.”

This is not the first time Positive Technologies has helped resolve vulnerabilities in Windows. In fall 2024, Sergey Tarasov, Head of the PT ESC Vulnerability Analysis team, discovered CVE-2024-43629, a zero-day vulnerability that could have allowed attackers to escalate privileges in the system. He worked with Microsoft to address the issue, and updates were released for Windows 10, Windows 11, as well as for Windows Server 2025, 2022, and 2019.

Earlier, in 2019, Positive Technologies enhanced the security of Windows 10 by identifying and reporting to the developer two critical vulnerabilities, CVE-2019-0726 and CVE-2019-0697. If exploited, these flaws could have allowed attackers to gain access to computers and intercept sensitive information.
