Microsoft has confirmed a dangerous flaw in the Windows kernel that could let an attacker with minimal access take full control of a system, and the company is urging everyone to install the just-released security updates. The vulnerability, tracked as CVE-2025-55696, stems from a time-of-check-time-of-use (TOCTOU) race condition in how the operating system handles security tokens.
What Microsoft Fixed This Week
The company’s Security Update Guide now includes CVE-2025-55696, a high-severity bug in the NtQueryInformationToken function. This kernel-level component is declared in ntifs.h and is responsible for returning metadata about Windows security tokens. A TOCTOU race occurs when code checks a condition—say, validating a token—and then later uses it, with the assumption that nothing changed in between. An attacker racing between that check and use can trick the kernel into leaking data or allowing unauthorized token manipulation. Microsoft has assigned a CVSS v3.1 base score of 7.8, which translates to a “High” severity rating. The attack vector is local, meaning someone must already have the ability to run code on the target machine, but they don’t need admin rights to trigger the race.
No public proof-of-concept exploit is tied directly to this CVE at the time of disclosure, but the pattern is well-known. Similar TOCTOU bugs in Windows kernel token handling have been exploited before, and the absence of a public weaponization shouldn’t breed complacency. “The vulnerability is confirmed by the vendor, and security updates have been released to address it,” the advisory notes. IT teams should treat this as a “patch immediately” scenario for critical systems.
Why This Bug Matters More Than Most
At first glance, a local vulnerability might seem less urgent than a remote one. That’s a dangerous misreading. Attackers often chain local privilege escalation to turn a low-level compromise—say, a malware infection from a phishing email—into total control of the machine. Once an attacker can manipulate or impersonate a SYSTEM token, they can bypass practically all user-level defenses. They can install programs, modify registry settings, access sensitive files, and disable security tools.
Token-wrangling bugs are particularly potent because Windows’ entire authorization model rests on tokens to decide who can do what. A successful exploit here means an attacker can assume the identity of the most powerful account on the system, no password required.
Moreover, if the race condition leaks kernel memory addresses, it can defeat Kernel Address Space Layout Randomization (KASLR). That turns once-fragile exploits into reliable, mass-deployable weaponry. For organizations that run multi-user servers, virtual desktop infrastructure (VDI), build machines, or kiosks—anywhere local code execution is possible—this CVE should rise to the top of the patching list.
Your Risk Level: Home Users vs. Admins vs. Developers
Home Users and Small Business
If you have automatic updates enabled and install patches promptly, you’re likely protected once the update rolls out to your PC. The attack requires local code execution, so standard security hygiene—don’t open suspicious attachments, avoid sketchy downloads, use Windows Defender—reduces the chance of reaching the point where this bug could be triggered. Still, apply the patch as soon as it’s offered.
IT Administrators
For you, this is a high-priority item. Domain controllers, jump boxes, admin workstations, terminal servers, and any host that accepts user logins are prime targets. A successful escalation on a shared server can quickly lead to lateral movement across an entire network. Prioritize these systems first, then move to standard employee desktops. Even if your environment enforces tight application control, a determined attacker who already has a foothold will seek any available EoP opportunity.
Developers and Power Users
If you work with kernel-mode software or regularly run untrusted test code, your machine is a more attractive target. Build servers and CI agents that pull third-party libraries should be kept isolated, but the patch is still essential. The bug’s location in NtQueryInformationToken means that any process—even one running with low integrity—can potentially race the kernel if it knows the right API sequence. Monitoring tools that flag unusual token query activity gain importance here.
How We Got Here: A Brief History of TOCTOU in Windows
TOCTOU races have plagued Windows for decades. The kernel must constantly validate pointers, buffers, and object handles that are shared with user mode. In a preemptive multitasking environment, another thread can always slip in and alter the data between a validation step and the actual use. Token handling has been a particular hotspot because tokens are mutable and heavily accessed.
Microsoft hardened many of these paths over the years, but the complexity of the kernel means new races can emerge with code changes. Earlier in 2025, the MSRC addressed related information-disclosure bugs that also involved token querying. This latest CVE appears to be another variation on the same theme. Independent researchers who track Windows internals have long warned that functions like NtQueryInformationToken are difficult to secure perfectly because they must operate in a highly concurrent environment.
The CVSS vector string (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) tells the story: low attack complexity, low privileges required, no user interaction, and complete impact on confidentiality, integrity, and availability. That’s as bad as it gets for a local flaw.
Immediate Steps for Defense
1. Patch First, and Fast
Go to the Microsoft Security Update Guide for CVE-2025-55696 and fetch the specific KB numbers for your Windows editions. Deploy using your standard management tools—WSUS, ConfigMgr, Intune, or manual install. Stagger the rollout: pilot on a representative subset of devices, monitor for 48 hours, then proceed broadly. Have a rollback plan in case of driver incompatibilities or application breakage.
2. Harden What You Already Have
If immediate patching is impossible, or even after patching, enable these defenses:
- Memory Integrity (HVCI): Enforces code integrity at the hypervisor level and makes kernel manipulation harder. Turn it on under Windows Security > Device Security > Core isolation.
- Microsoft Vulnerable Driver Blocklist: Prevents known bad drivers from loading. It’s managed via Windows Security, and you should ensure it’s enabled.
- Application Control: Use WDAC or AppLocker to keep untrusted binaries from running. This won’t stop a determined attacker who already has a shell, but it can cut off the most common delivery methods for the initial foothold.
- Least Privilege: Remove unnecessary local admin rights. Reduce the number of interactive logons on valuable servers.
3. Watch for Telltale Signs
Even without a public exploit, defenders can look for behavioral patterns:
- Repeated calls to NtQueryInformationToken from non-privileged processes. EDR tools can alert on high-frequency usage.
- User-mode threads rapidly sampling buffers immediately after token queries—a classic TOCTOU sign.
- Unexpected SYSTEM-token impersonation, strange scheduled task creation, or sudden service installation by low-integrity accounts.
Capture full memory dumps and EDR telemetry if you suspect an attempt; post-exploit analysis often reveals whether a chain like this was used.
4. Isolate High-Value Targets
For VDI hosts, terminal servers, and build machines that absolutely must stay online without the patch, consider network-level segmentation and restrict file or device mounting. Block known unsigned drivers via GPO. Every layer you add increases the cost of exploitation.
What to Watch For Next
Security researchers will almost certainly dissect the patch to understand the exact race window within NtQueryInformationToken. Once that happens, a working proof-of-concept is likely to appear. Historically, the gap between patch and PoC for kernel TOCTOU bugs is measured in weeks, not months. That means the urgency is real: the window before widespread exploitation is short.
Microsoft may update the advisory with additional details, especially if active attacks surface. Keep an eye on the MSRC blog and reputable security outlets. In the longer term, this CVE underscores the need for moving to hardware-backed isolation like VBS and HVCI, which can defang many kernel races. If you’ve been putting off enabling those features, now is the time.