Forbes has confirmed that attackers are exploiting CVE-2025-9491 in the wild and that Microsoft has not released a fix to close the vulnerability. The disclosure comes at an awkward moment for the company: just as it announced an extension of free security updates for Windows 10 and a set of new administrative protections intended to reduce attack surface, a code weakness ranked critical is already being used for espionage operations against victims.

The designation CVE-2025-9491 identifies a security flaw tracked by standard industry databases; the classification as critical signals that successful exploitation can lead to serious consequences such as unauthorized access or data exfiltration. According to the reporting, the exploitation is not limited to isolated proof-of-concept activity but is part of an active and widespread campaign attributed to cyber espionage actors. Microsoft’s lack of an available patch leaves administrators and users with a narrowing window in which to contain risk by other means.

For organizations that rely on Windows, the situation underscores two persistent dilemmas: vendor patch timelines and operational exposure. Microsoft’s recent confirmation that it will continue to provide free security updates for Windows 10 and its announcement of enhanced administrative protections help address long-term platform support, but they do not eliminate the immediate threat posed by an unpatched, actively exploited vulnerability. That gap forces security teams to prioritize incident detection, containment, and interim mitigations while awaiting an official remediation.

Until Microsoft releases a patch, enterprises will need to assume a heightened posture. Basic hardening practices—tightening network segmentation, restricting unnecessary administrative privileges, increasing logging and alerting, and conducting rapid threat-hunting and forensic analysis on endpoints—can reduce the probability and impact of successful exploitation. Security operations centers should treat related alerts as high priority and coordinate with threat intelligence providers to identify indicators of compromise associated with the campaign.

The episode also raises broader questions about how software vendors balance lifecycle support with emergent threats and how quickly critical flaws can be neutralized once they are observed in active exploitation. An extended support promise for older operating systems has clear benefits for organizations that cannot immediately migrate, but it does not substitute for fast vulnerability response when adversaries are already weaponizing flaws.

For users and IT managers, the immediate imperative is vigilance. Monitor vendor advisories closely, apply official patches as soon as they become available, and adopt defensive measures to limit exposure. For policymakers and industry leaders, the incident is a reminder that public accountability, clearer disclosure timelines, and investment in defensive cyber capabilities remain essential if reliance on widely used software is to coexist with acceptable risk.