KB5055528: Windows 11 version 22H2 / Windows 11 version 23H2 Security Update (April 2025)

🗓️ 08 Apr 2025 00:00:00Reported by TenableType

Critical security update 5055528 for Windows 11 versions fixes multiple vulnerabilities.

Reporter	Title	Published	Views	Family All 864
GithubExploit	Exploit for Use After Free in Microsoft	14 May 202501:45	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	27 Oct 202509:46	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	30 Jul 202508:04	–	githubexploit
GithubExploit	exploits	25 May 202601:12	–	githubexploit
ATTACKERKB	CVE-2025-29811	8 Apr 202518:16	–	attackerkb
ATTACKERKB	CVE-2025-29824	8 Apr 202500:00	–	attackerkb
ATTACKERKB	CVE-2025-29812	8 Apr 202518:16	–	attackerkb
ATTACKERKB	CVE-2025-29809	8 Apr 202518:16	–	attackerkb
Information Security Automation	About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability	10 May 202514:43	–	avleonov
Information Security Automation	May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework	21 May 202513:22	–	avleonov

Source	Link
support	www.support.microsoft.com/help/5055528
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.

#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('compat.inc');

if (description)
{
  script_id(234039);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/17");

  script_cve_id(
    "CVE-2025-21191",
    "CVE-2025-21197",
    "CVE-2025-21204",
    "CVE-2025-21205",
    "CVE-2025-21221",
    "CVE-2025-21222",
    "CVE-2025-24058",
    "CVE-2025-24060",
    "CVE-2025-24062",
    "CVE-2025-24073",
    "CVE-2025-24074",
    "CVE-2025-26635",
    "CVE-2025-26637",
    "CVE-2025-26639",
    "CVE-2025-26640",
    "CVE-2025-26641",
    "CVE-2025-26644",
    "CVE-2025-26648",
    "CVE-2025-26649",
    "CVE-2025-26651",
    "CVE-2025-26663",
    "CVE-2025-26665",
    "CVE-2025-26666",
    "CVE-2025-26668",
    "CVE-2025-26669",
    "CVE-2025-26670",
    "CVE-2025-26672",
    "CVE-2025-26673",
    "CVE-2025-26674",
    "CVE-2025-26675",
    "CVE-2025-26678",
    "CVE-2025-26679",
    "CVE-2025-26681",
    "CVE-2025-26686",
    "CVE-2025-26687",
    "CVE-2025-26688",
    "CVE-2025-27467",
    "CVE-2025-27469",
    "CVE-2025-27471",
    "CVE-2025-27473",
    "CVE-2025-27475",
    "CVE-2025-27476",
    "CVE-2025-27477",
    "CVE-2025-27478",
    "CVE-2025-27481",
    "CVE-2025-27484",
    "CVE-2025-27487",
    "CVE-2025-27490",
    "CVE-2025-27491",
    "CVE-2025-27492",
    "CVE-2025-27727",
    "CVE-2025-27729",
    "CVE-2025-27730",
    "CVE-2025-27731",
    "CVE-2025-27732",
    "CVE-2025-27735",
    "CVE-2025-27736",
    "CVE-2025-27737",
    "CVE-2025-27738",
    "CVE-2025-27739",
    "CVE-2025-27742",
    "CVE-2025-29809",
    "CVE-2025-29810",
    "CVE-2025-29811",
    "CVE-2025-29812",
    "CVE-2025-29824"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/04/29");
  script_xref(name:"MSKB", value:"5055528");
  script_xref(name:"MSFT", value:"MS25-5055528");
  script_xref(name:"IAVA", value:"2025-A-0256-S");
  script_xref(name:"IAVA", value:"2025-A-0255-S");

  script_name(english:"KB5055528: Windows 11 version 22H2 /  Windows 11 version 23H2 Security Update (April 2025)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5055528. It is, therefore, affected by multiple vulnerabilities

  - Use after free in Windows Win32K - GRFX allows an unauthorized attacker to elevate privileges over a
    network. (CVE-2025-26687)

  - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute 
    unauthorized arbitrary commands. (CVE-2025-27481)
    
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5055528");
  script_set_attribute(attribute:"solution", value:
"Apply Security Update 5055528");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-27481");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 59, 121, 122, 125, 126, 190, 200, 284, 345, 362, 367, 400, 415, 416, 591, 667, 693, 749, 787, 822, 922, 1039, 1390);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_11_22h2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_11_23h2");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

var bulletin = 'MS25-04';
var kbs = make_list(
  '5055528'
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

var os_name = get_kb_item("SMB/ProductName");

if (  ( ("enterprise" >< tolower(os_name) || "education" >< tolower(os_name))
  &&
  smb_check_rollup(os:'10',
                   os_build:22621,
                   rollup_date:'04_2025',
                   bulletin:bulletin,
                   rollup_kb_list:[5055528])
)
|| 
smb_check_rollup(os:'10',
                   os_build:22631,
                   rollup_date:'04_2025',
                   bulletin:bulletin,
                   rollup_kb_list:[5055528])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

17 Sep 2025 00:00Current

9.2High risk

Vulners AI Score9.2

CVSS 3.18.8

EPSS0.29274

SSVC