Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Windows ADK for Windows 11, version 23H2 by Microsoft

    CVE-2026-25166 (GCVE-0-2026-25166)

    Vulnerability from nvd – Published: 2026-03-10 17:04 – Updated: 2026-06-19 18:17
    VLAI
    Title
    Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability
    Summary
    Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Date Public
    2026-03-10 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-11T14:49:27.115711Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T18:57:32.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Windows ADK for Windows 10, version 2004",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows 11, version 22H2",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows 11, version 23H2",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows 11, version 24H2",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows Server 2022",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_11_adk_24H2:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_11_adk_23h2:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_11_adk_22H2:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_server_2022_adk:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_10_adk_version_2004:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2026-03-10T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T18:17:33.872Z",
            "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
            "shortName": "microsoft"
          },
          "references": [
            {
              "name": "Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability",
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25166"
            }
          ],
          "title": "Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "assignerShortName": "microsoft",
        "cveId": "CVE-2026-25166",
        "datePublished": "2026-03-10T17:04:48.427Z",
        "dateReserved": "2026-01-29T18:36:49.695Z",
        "dateUpdated": "2026-06-19T18:17:33.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25166 (GCVE-0-2026-25166)

    Vulnerability from cvelistv5 – Published: 2026-03-10 17:04 – Updated: 2026-06-19 18:17
    VLAI
    Title
    Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability
    Summary
    Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    References
    Date Public
    2026-03-10 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25166",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-11T14:49:27.115711Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T18:57:32.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Windows ADK for Windows 10, version 2004",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows 11, version 22H2",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows 11, version 23H2",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows 11, version 24H2",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            },
            {
              "product": "Windows ADK for Windows Server 2022",
              "vendor": "Microsoft",
              "versions": [
                {
                  "status": "affected",
                  "version": "-"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_11_adk_24H2:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_11_adk_23h2:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_11_adk_22H2:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_server_2022_adk:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:o:microsoft:windows_10_adk_version_2004:*:*:*:*:*:*:*:*",
                      "versionStartIncluding": "-",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "datePublic": "2026-03-10T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Deserialization of untrusted data in Windows System Image Manager allows an authorized attacker to execute code locally."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en-US",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502: Deserialization of Untrusted Data",
                  "lang": "en-US",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T18:17:33.872Z",
            "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
            "shortName": "microsoft"
          },
          "references": [
            {
              "name": "Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability",
              "tags": [
                "vendor-advisory",
                "patch"
              ],
              "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25166"
            }
          ],
          "title": "Windows System Image Manager Assessment and Deployment Kit (ADK) Remote Code Execution Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "assignerShortName": "microsoft",
        "cveId": "CVE-2026-25166",
        "datePublished": "2026-03-10T17:04:48.427Z",
        "dateReserved": "2026-01-29T18:36:49.695Z",
        "dateUpdated": "2026-06-19T18:17:33.872Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }