criticalCVE-2025-27464

XenBus Windows PV Driver Missing Security Descriptor Vulnerability

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] The Windows PV drivers expose various facilities to userspace. Several of these have no security descriptor, and are therefore fully accessible to unprivileged users. These are: 1. XenCons, CVE-2025-27462 2. XenIface, CVE-2025-27463 3. XenBus, CVE-2025-27464

ProductXen Windows PV Drivers
CVSS9.4
EPSSNot scored yet
UpdatedJuly 9, 2026

Quick answer

Xen Project Xen Windows PV Drivers should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Windows PV drivers published before XSA-468 fixes

Fixed versions

  • XCP-ng Windows PV Drivers 9.1.200 or vendor fixed release

How to fix it

XenBus in Xen Windows PV Drivers lacks proper security descriptors, allowing unprivileged users inside a Windows guest to access driver facilities and potentially escalate privileges inside that guest. Install the fixed Windows PV driver package from the hypervisor vendor. Prioritize Windows VMs where untrusted users can log in or run code.

  1. Inventory Windows VMs running Xen Windows PV Drivers across XenServer, XCP-ng, Citrix Hypervisor, and related Xen platforms.
  2. Upgrade Windows PV drivers to the vendor fixed release for XSA-468, such as XCP-ng Windows PV Drivers 9.1.200 or the applicable vendor package.
  3. Prioritize multi-user Windows servers, RDS hosts, developer desktops, and externally accessible Windows workloads.
  4. Restrict untrusted local user access inside affected Windows guests until the driver update is complete.
  5. Review Windows event logs, driver versions, local administrator membership, and suspicious privilege escalation activity.
  6. Rotate credentials used inside affected VMs if local compromise is suspected.
  7. Snapshot or back up critical VMs before driver updates and reboot guests as required.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm XenBus and related PV driver versions match the fixed vendor package.
  • Validate unprivileged users cannot access protected XenBus driver facilities after the update.
  • Review Windows security logs for unexpected privilege changes or driver interaction errors.
  • Test networking, storage, shutdown, migration, and guest tools after reboot.
  • Run a Fixnx scan and confirm no public Windows guest management surface is exposed unexpectedly.

Related categories

Trusted references

FAQ

What is affected by CVE-2025-27464?

Xen Project Xen Windows PV Drivers versions listed as affected should be reviewed: Windows PV drivers published before XSA-468 fixes.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.