A new vulnerability, CVE-2025-49728, has recently caught the cybersecurity community’s attention. This flaw involves Microsoft PC Manager—a popular utility for Windows users—storing sensitive information in cleartext. This opens an avenue for local attackers to easily bypass security features and access private data. In this post, we’ll dive deep into what this CVE means, demonstrate how the issue can be exploited, and cover what you can do to protect yourself.
What Is CVE-2025-49728?
CVE-2025-49728 describes a security weakness in Microsoft PC Manager (up to version 3.2.4 as of this writing). The app stores sensitive data (like session tokens, saved credentials, or other confidential settings) in plain, human-readable text on the computer’s disk. This makes it extremely easy for anyone with local access to snoop around and steal sensitive information.
Why Is This Bad?
Normally, such data should be encrypted or protected in some way. But with cleartext storage, all an attacker needs is access to your computer. No special privileges or tools are needed; curiosity and basic file access will do.
Where Does The Vulnerability Live?
The issue happens because Microsoft PC Manager fails to encrypt certain internal files. These files might be found in standard AppData or similar directories.
For example, on a typical Windows 10/11 installation:
C:\Users\<YourUsername>\AppData\Local\Microsoft\PCManager\data\
Inside, you might see files like user.config or session.dat containing cleartext details.
Here’s a *pretend* snippet from an exposed file—*for demo purposes only*:
{
  "user_token": "abcdef123456789",
  "user_email": "myemail@company.com",
  "settings": {
    "auto_login": true
  }
}
Anyone who opens this file can now impersonate you in the app or steal your details.
1. Browse to the folder
2. Open the config/data file with Notepad
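This example will dump any user_token found in data/user.config:
import os
import json

# Resolve the per-user PC Manager data folder
folder = os.path.expandvars(r'%LOCALAPPDATA%\Microsoft\PCManager\data')
# The file is stored unencrypted, so it parses as ordinary JSON
with open(os.path.join(folder, "user.config"), "r") as f:
    data = json.load(f)
# Print the token if the key is present
print("Extracted token:", data.get("user_token"))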
No special privileges are required—just a normal Windows account.
- Local Bypass: Activity logs, saved credentials, or authentication tokens can be swiped.
- Malware Ready: A malicious person or malware process can steal information for lateral movement (getting into other accounts, apps, or even networks).
Mitigation and Fixes
As of now, *Microsoft has not yet published an official update* fixing this issue. If you use PC Manager:
- Regularly check for app updates: Official Download
- Manually delete old log/config files if you’re concerned
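To support the manual clean-up step above, here is an added audit script (not part of the original post and not Microsoft's code) that walks a folder, parses any JSON files, and reports which key paths look like cleartext secrets without ever printing their values. The key-name pattern and the constructed sample folder are assumptions modelled on the pretend snippet earlier in this post.

```python
import json
import os
import re
import tempfile

# Key names that suggest a secret; this list is an assumption, extend as needed.
SENSITIVE_KEY = re.compile(r"token|password|passwd|secret|credential|api_?key", re.I)

def find_sensitive_keys(node, path=""):
    """Yield dotted paths of keys that look sensitive and hold a non-empty string."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
                yield here
            yield from find_sensitive_keys(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_sensitive_keys(item, f"{path}[{i}]")

def audit_folder(folder):
    """Return {filename: [key paths]} for JSON files that expose secrets.
    Only key paths are reported; the secret values are never returned."""
    findings = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if not os.path.isfile(full):
            continue
        try:
            with open(full, "r", encoding="utf-8") as f:
                doc = json.load(f)
        except (OSError, ValueError):  # unreadable, binary or non-JSON: skip
            continue
        hits = list(find_sensitive_keys(doc))
        if hits:
            findings[name] = hits
    return findings

def demo():
    """Audit a constructed folder that mimics the pretend file shown earlier."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = {"user_token": "abcdef123456789", "user_email": "myemail@company.com",
                  "settings": {"auto_login": True}}
        with open(os.path.join(tmp, "user.config"), "w", encoding="utf-8") as f:
            json.dump(sample, f)
        with open(os.path.join(tmp, "session.dat"), "wb") as f:
            f.write(b"\x00\x01\xff not json")  # constructed non-JSON file
        return audit_folder(tmp)

if __name__ == "__main__":
    print(demo())
```

To check a real machine, pass the folder from this post to `audit_folder`, for example `os.path.expandvars(r'%LOCALAPPDATA%\Microsoft\PCManager\data')`, and review or delete the files it lists.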
Responsible Disclosure & References
This CVE was reported to Microsoft by CyberCatchers Research Group. You can read the official CVE posting at NVD - CVE-2025-49728 and further coverage at BleepingComputer’s article.
Final Thoughts
CVE-2025-49728 is a reminder that even trusted tools can make simple but dangerous mistakes. Until Microsoft provides a fix, treat Microsoft PC Manager’s data like an unlocked diary—anyone who finds it can read your secrets.
Stay safe, update often, and watch where your sensitive data lands.
If you discover anything concerning, consider reaching out to Microsoft Security Response Center: MSRC Portal.
*Exclusive content by AI Security Watch. Please cite this page if sharing!*
Timeline
Published on: 09/16/2025 19:15:35 UTC
Last modified on: 11/21/2025 18:18:18 UTC