Microsoft has launched important safety updates to deal with CVE-2025-47981, a extreme heap-based buffer overflow vulnerability within the SPNEGO Prolonged Negotiation (NEGOEX) Safety Mechanism that impacts a number of Home windows and Home windows Server variations.
This vulnerability carries a CVSS rating of 9.8 out of 10, indicating most severity with the potential for distant code execution with out consumer interplay.
Key Takeaways1. Heap-based buffer overflow vulnerability in Home windows SPNEGO with 9.8/10 CVSS rating enabling distant code execution.2. Attackers can execute code by sending malicious messages to servers with out consumer interplay or privileges.3. Impacts Home windows 10 (1607+), Home windows 11, and Home windows Server variations throughout 33 system configurations.4. Microsoft launched updates July 8, 2025 – prioritize deployment on internet-facing methods and area controllers.
The flaw permits unauthorized attackers to execute arbitrary code over community connections, making it significantly harmful for enterprise environments.
Wormable RCE Vulnerability (CVE-2025-47981)
The vulnerability resides in Home windows SPNEGO Prolonged Negotiation, which extends the Easy and Protected GSS-API Negotiation Mechanism.
CVE-2025-47981 is assessed as CWE-122, representing a heap-based buffer overflow weak point that may be exploited remotely.
The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C signifies network-based assaults with low complexity, requiring no privileges or consumer interplay, whereas offering excessive affect to confidentiality, integrity, and availability.
Safety researchers have assessed this vulnerability as “Exploitation Extra Probably,” although no public exploits or lively exploitation have been reported on the time of disclosure.
The vulnerability significantly impacts Home windows shopper machines working Home windows 10 model 1607 and above, the place the Group Coverage Object “Community safety: Permit PKU2U authentication requests to this laptop to make use of on-line identities” is enabled by default.
Attackers can exploit CVE-2025-47981 by sending malicious messages to affected servers, doubtlessly reaching distant code execution capabilities.
The heap-based buffer overflow happens inside the NEGOEX processing mechanism, permitting attackers to overwrite reminiscence constructions and acquire management of program execution movement.
This wormable attribute means the vulnerability may doubtlessly propagate throughout network-connected methods with out requiring consumer intervention.
The vulnerability was found via coordinated disclosure by safety researchers, together with nameless contributors and Yuki Chen.
Microsoft’s acknowledgment of those researchers demonstrates the significance of accountable vulnerability disclosure in sustaining enterprise safety postures.
Threat FactorsDetailsAffected Merchandise– Home windows 10 (variations 1607 and above)- Home windows 11 (variations 23H2, 24H2)- Home windows Server 2008 R2 via Server 2025- Each x64, x86, and ARM64 architectures- Server Core installations includedImpactRemote Code ExecutionExploit PrerequisitesNo privileges, consumer interplay required CVSS 3.1 Score9.8 (Essential)
Patch Deployment
Microsoft launched complete safety updates on July 8, 2025, addressing the vulnerability throughout completely different Home windows configurations.
Essential updates embody patches for Home windows Server 2025 (construct 10.0.26100.4652), Home windows 11 Model 24H2 (construct 10.0.26100.4652), Home windows Server 2022 23H2 Version (construct 10.0.25398.1732), and legacy methods together with Home windows Server 2008 R2 (construct 6.1.7601.27820).
Organizations ought to prioritize the instant deployment of those safety updates, significantly for internet-facing methods and area controllers.
The patches can be found via Home windows Replace, Microsoft Replace Catalog, and Home windows Server Replace Providers (WSUS).
System directors ought to confirm profitable set up by checking construct numbers in opposition to Microsoft’s safety bulletin and think about implementing community segmentation as an extra defensive measure whereas patches are deployed.
Suppose like an Attacker, Mastering Endpoint Safety With Marcus Hutchins – Register Now
