XenBus Windows PV Driver Missing Security Descriptor Vulnerability
[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464
Quick answer
Xen Project Xen Windows PV Drivers should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Windows PV drivers published before XSA-468 fixes
Fixed versions
- XCP-ng Windows PV Drivers 9.1.200 or vendor fixed release
How to fix it
XenBus in Xen Windows PV Drivers lacks proper security descriptors, allowing unprivileged users inside a Windows guest to access driver facilities and potentially escalate privileges inside that guest. Install the fixed Windows PV driver package from the hypervisor vendor. Prioritize Windows VMs where untrusted users can log in or run code.
- Inventory Windows VMs running Xen Windows PV Drivers across XenServer, XCP-ng, Citrix Hypervisor, and related Xen platforms.
- Upgrade Windows PV drivers to the vendor fixed release for XSA-468, such as XCP-ng Windows PV Drivers 9.1.200 or the applicable vendor package.
- Prioritize multi-user Windows servers, RDS hosts, developer desktops, and externally accessible Windows workloads.
- Restrict untrusted local user access inside affected Windows guests until the driver update is complete.
- Review Windows event logs, driver versions, local administrator membership, and suspicious privilege escalation activity.
- Rotate credentials used inside affected VMs if local compromise is suspected.
- Snapshot or back up critical VMs before driver updates and reboot guests as required.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm XenBus and related PV driver versions match the fixed vendor package.
- Validate unprivileged users cannot access protected XenBus driver facilities after the update.
- Review Windows security logs for unexpected privilege changes or driver interaction errors.
- Test networking, storage, shutdown, migration, and guest tools after reboot.
- Run a Fixnx scan and confirm no public Windows guest management surface is exposed unexpectedly.
Related categories
Trusted references
FAQ
What is affected by CVE-2025-27464?
Xen Project Xen Windows PV Drivers versions listed as affected should be reviewed: Windows PV drivers published before XSA-468 fixes.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
