Microsoft’s April 14, 2026 Windows security update (KB5083769 for Windows 11) is breaking third-party backup applications across enterprise environments — and it is doing so deliberately. The update blocks the psmounterex.sys kernel driver after Zscaler and Cisco Talos researchers disclosed two privilege-escalation vulnerabilities in the driver that allow a standard user to execute arbitrary kernel-mode code. Backup products from Acronis, Veeam, Macrium Reflect, AOMEI Backupper, and EaseUS Todo Backup are all affected.
CVE-2025-11983 and CVE-2025-14276: Technical Details
The two vulnerabilities in psmounterex.sys are tracked as CVE-2025-11983 and CVE-2025-14276, both rated CVSS v3 7.8 (High). Both flaws share a common root cause: the driver does not properly validate caller privileges when processing IOCTL (I/O Control) requests.
A standard local user can send specially crafted IOCTL messages to the driver, causing it to execute attacker-supplied code in kernel mode. Because psmounterex.sys runs as a kernel-mode driver, successful exploitation results in SYSTEM-level code execution — the highest privilege level on a Windows system.
Researchers at Zscaler and Cisco Talos identified and reported both CVEs to Microsoft. Microsoft opted to protect systems by blocking the vulnerable driver via the April 2026 Patch Tuesday updates rather than waiting for backup vendors to ship patched driver versions.
The driver block is applied via the Windows Kernel Vulnerable Driver Blocklist, a policy that has been enforced by Hypervisor-Protected Code Integrity (HVCI) since Windows 11. Once the blocklist entry is in place, Windows refuses to load any version of psmounterex.sys that is not updated.
Impact: Which Backup Applications Break
Backup applications affected include, but are not limited to:
- Macrium Reflect — image mounting fails
- AOMEI Backupper — image browse and restore operations fail
- EaseUS Todo Backup — virtual drive mounting fails
- Acronis — backup image mounting and VSS snapshot operations affected
- Veeam — certain backup image mount operations affected
The failures manifest when applications try to mount a backup image as a virtual drive for browsing or granular restore. Applications that rely on VSS (Volume Shadow Copy Service) for backup creation may also experience errors. Common error messages include:
The backup has failed because Microsoft VSS has timed out during the snapshot creation.
VSS_E_BAD_STATE
Backup creation itself may still succeed if the application uses an alternative driver path, but mounting, browsing, or restoring from existing images will fail on systems with the April update installed.
Who Is Affected
Any Windows 11 system that received KB5083769 and any Windows 10 system that received the corresponding April 2026 security update is affected. Organizations running affected backup software in automated backup schedules may have been silently failing since April 14, 2026, without generating alerts, depending on how failure conditions are monitored.
On-premises environments with physical backup infrastructure are at highest risk of impact since cloud-managed backup solutions may use different driver paths not dependent on psmounterex.sys.
Industries with strict recovery time objectives (RTOs) and recovery point objectives (RPOs) — healthcare, financial services, critical manufacturing — are particularly exposed if backup restore workflows are broken and not yet identified.
What You Should Do Right Now
- Verify your backup restore process now. Do not assume backups are succeeding because creation jobs are reporting success. Attempt a test mount and granular file restore to confirm the full backup-to-restore chain is functional.
- Check for vendor updates. Contact your backup vendor and check their release notes for psmounterex.sys driver updates. Acronis, Veeam, Macrium, AOMEI, and EaseUS are all aware of the issue; patched driver versions are expected. Neowin’s coverage tracks vendor response timelines.
- Do not roll back the Windows update. CVE-2025-11983 and CVE-2025-14276 are CVSS 7.8 local privilege escalation vulnerabilities. Removing the April update to restore backup functionality trades one risk for another.
- Implement monitoring for backup failures. If you do not already have alerting on backup mount or restore failures, add it. Silent failures are the highest-risk scenario here.
- Document your current recovery capability. If patched backup vendor software is not yet available, document which systems have confirmed-failing restore paths and plan compensating controls (e.g., alternative backup destination, temporary bare-metal restore staging).
Conclusion
Microsoft’s decision to block the vulnerable psmounterex.sys driver is the correct security call — a CVSS 7.8 local privilege escalation in a widely deployed kernel driver is a meaningful risk. Backup teams and security operations need to coordinate immediately to verify restore continuity and deploy vendor patches as they become available.
For any query contact us at contact@cipherssecurity.com
