The problem exists in Windows' handling of code within its Internet Information Services (IIS) and SQL Server.
If exploited, the vulnerability could allow a user to elevate access privileges to those of the LocalSystem administration tool.
Microsoft warned that companies that make extensive use of user-provided code, such as site hosts, are especially vulnerable.
Microsoft has yet to receive any reports of the vulnerability being targeted, but security experts have already warned of a possible attack.
"The vulnerability is limited to a local privilege escalation, but IIS' susceptibility is concerning," wrote McAfee researcher Karthik Raman.
"The web server is widely used on the internet, and is a top pick by web-hosting providers. We might see web-hosting providers targeted, and their clients' websites breached."
Microsoft is still investigating the reports and will make a decision on whether to issue a patch immediately or wait until its next scheduled security update on 13 May.



