Microsoft has confirmed and patched a security vulnerability in the Windows Storage Port Driver that could allow attackers with local access to read sensitive information from a targeted system. Tracked as CVE-2025-32722, the information disclosure flaw stems from improper access control mechanisms within the driver, which manages communication between the operating system and storage devices. Microsoft released the fix as part of its latest security update cycle, and administrators are urged to apply the patch immediately.
Which Windows Versions Are Affected?
The vulnerability impacts a broad range of Windows editions, including both client and server platforms. According to the advisory, the following versions are at risk:
- Windows 10 (multiple editions, version 21H2 and later)
- Windows 11 (all versions, including 22H2 and 23H2)
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Older, out-of-support versions such as Windows 7 and Windows 8.1 are not officially listed, but administrators maintaining legacy systems should verify their exposure through other means or consider upgrading. The specific build numbers and exact update requirements are detailed on the Microsoft Security Response Center (MSRC) advisory page for CVE-2025-32722.
Technical Breakdown: What Went Wrong?
The root cause of CVE-2025-32722 is a failure in the access control logic of the Storage Port Driver (storport.sys). This driver sits at a critical layer, translating I/O requests between the Windows storage stack and physical or virtual disk adapters. The flaw allows a local authenticated attacker to bypass security boundaries and read memory regions ordinarily off-limits to user-mode processes.
While Microsoft has not publicly disclosed the exact exploitation mechanism to prevent active abuse, security researchers familiar with similar issues point to inadequate validation of input/output control (IOCTL) codes or device-control requests. An attacker can craft a malicious application that leverages these insufficient checks to access protected kernel memory or PCI configuration space details, potentially leaking data such as encryption keys, file contents, or system metadata.
The attack does not require any user interaction—once an attacker gains a foothold on the machine (through malware, a compromised account, or physical access), they can exploit the vulnerability to siphon information silently. The CVSS score for CVE-2025-32722 has been rated as Important by Microsoft, with a base score around 6.5 to 7.0, reflecting the local attack vector and low complexity.
Real-World Risks: What Could an Attacker Steal?
Information disclosure bugs are sometimes downplayed because they do not lead directly to remote code execution. But in the hands of a skilled attacker, read access to kernel memory can be devastating. Compromised storage driver memory might reveal:
- Disk encryption keys (if BitLocker or third-party FDE tools store them in non-volatile memory exposed through the driver)
- Sensitive file data temporarily cached by storage controllers or NVMe devices
- Storage network credentials for iSCSI, Fibre Channel, or NVMe over Fabrics configurations
- System state information that helps craft more sophisticated privilege escalation or persistent attacks
For enterprise environments, an attacker who has already breached a low-privilege account could use this vulnerability to gather intelligence about the storage architecture, identify valuable data locations, or extract credentials that move them laterally across the network. The risk is particularly acute in virtualized setups where a guest VM exploiting the driver might bleed host information.
Patch Now: Microsoft’s Official Fix
Microsoft’s security update addresses the improper access control at the code level, ensuring that memory requests are validated correctly before they are passed to the storage hardware. The patch is delivered through Windows Update, Windows Server Update Services (WSUS), and the Microsoft Update Catalog. It does not require a system restart if no other pending updates necessitate one, though a reboot may be forced by cumulative update packaging.
Administrators can verify installation by checking for the specific KB number listed in the advisory. For Windows 11 version 23H2, the KB500XXXX update (exact number varies by month) should be present. Workstations and servers that receive automatic updates will have the fix downloaded and installed according to their configured policies.
There are no known workarounds for CVE-2025-32722 that can fully mitigate the risk without applying the patch. Disabling the Storage Port Driver is not feasible, as it would render the system unable to access any storage devices. Limiting local user privileges and enabling code integrity policies can reduce the attack surface, but they do not eliminate the underlying code flaw.
How to Protect Your Systems
1. Deploy the patch immediately – Prioritize servers that store sensitive data or act as hypervisors. Workstations used by employees with elevated privileges (developers, IT staff) should also be patched urgently.
2. Audit local account privileges – Since the attack requires local access, review who can log in interactively, via Remote Desktop, or through terminal services. Remove unnecessary user accounts and enforce strong multi-factor authentication.
3. Enable attack surface reduction (ASR) rules – If using Microsoft Defender for Endpoint, configure rules that block executable files from running unless they meet prevalence, age, or trusted list criteria. While not a direct shield, ASR can prevent unknown malware from executing and exploiting the driver.
4. Monitor for unusual storage I/O patterns – Use Windows Event Logging and Sysmon to track IOCTL requests to storport.sys. Anomalous requests from non-system processes should raise flags.
5. Conduct regular security assessments – Penetration tests and vulnerability scans should now include checks for CVE-2025-32722. If patching is delayed, additional endpoint detection rules can be deployed to log potential exploitation attempts.
A Pattern of Driver Vulnerabilities
CVE-2025-32722 is far from the first driver-related security flaw in Windows. Over the years, vulnerabilities in graphics drivers, network drivers, and other kernel-mode components have been a recurring theme. In 2023, a critical flaw in the DirectX Graphics Kernel (CVE-2023-21674) allowed local elevation of privilege. Similarly, a 2022 bug in the Windows Network File System (CVE-2022-26937) gave remote attackers code execution rights.
Driver code operates at one of the highest privilege levels in the OS, making any oversight in access control or input validation especially dangerous. Microsoft has been gradually improving its driver security with initiatives like driver signature enforcement, the Hypervisor-Protected Code Integrity (HVCI), and the vulnerable driver blocklist. However, legacy compatibility requirements and the sheer volume of third-party drivers mean risks persist for years.
Industry and Community Response
Since the advisory was published, security researchers and IT professionals have been discussing the implications on forums. Many note that storage drivers are rarely scrutinized as heavily as network-facing components, yet they are foundational to data security. One community member on a Windows insider forum commented, “We often focus on the CPU and memory isolation, but the storage pipeline is a blind spot. This bug shows that even well-established drivers need continuous review.”
Others have highlighted the importance of applying the patch even if the system is not directly exposed to the internet. “Local attacks still matter, especially in shared hosting environments and corporate networks where an attacker can pivot from a single compromised endpoint to storage arrays,” wrote another user.
Beyond the Patch: Long-Term Mitigations
Organizations should adopt a defense-in-depth strategy that assumes drivers may always have undiscovered bugs. Measures include:
- Application control: Whitelist only approved software using Windows Defender Application Control (WDAC) or AppLocker.
- Credential Guard: Enable virtualization-based security to isolate secrets from the operating system kernel.
- Storage-level encryption: Use BitLocker with pre-boot authentication and network unlock where possible, ensuring data at rest is encrypted even if a driver leaks memory.
- Network segmentation: Keep storage traffic on separate VLANs with strict access controls, preventing compromised workstations from directly interacting with SANs or NAS devices.
What’s Next?
Microsoft has not indicated whether this vulnerability was exploited in the wild before the patch was released. The MSRC advisory does not list exploitation detected, but that does not guarantee safety—some attacks go unnoticed. Now that the patch is available, reverse engineers will compare the patched and unpatched versions of storport.sys, potentially uncovering the exact flawed code. This means proof-of-concept exploits will likely surface soon, increasing the urgency for unpatched systems.
For IT departments, the immediate task is to identify all affected devices and deploy the update. Vulnerability scanners like Nessus, Qualys, or Microsoft’s own built-in tools can be used to find machines missing the KB number. Large environments may take days or weeks to roll out patches completely, so interim detection rules should remain active.
The discovery of CVE-2025-32722 is a reminder that access control bugs remain a critical threat even in mature operating systems. As Windows continues to evolve, the storage stack—constantly growing with innovations like NVMe over Fabrics and storage-class memory—must be hardened against internal threats as robustly as external ones.
The patch for CVE-2025-32722 is available now via Windows Update. For detailed technical information, refer to the Microsoft Security Response Center advisory.