On July 8, 2025, Microsoft issued a critical security update to address a severe vulnerability identified as CVE-2025-47981. This flaw, found in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, affects multiple versions of Windows and Windows Server. With a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, this vulnerability poses a significant risk, allowing remote code execution without user interaction.
Understanding CVE-2025-47981
CVE-2025-47981 is a heap-based buffer overflow vulnerability within the SPNEGO Extended Negotiation mechanism, which is an extension of the Simple and Protected GSS-API Negotiation Mechanism. This flaw enables unauthenticated attackers to execute arbitrary code over network connections, making it particularly dangerous for enterprise environments. The vulnerability is classified under CWE-122, indicating a critical weakness that can be exploited remotely.
Technical Details and Exploitation
The vulnerability arises from improper handling of memory within the NEGOEX processing mechanism. By sending specially crafted messages to affected servers, attackers can exploit this flaw to achieve remote code execution. The heap-based buffer overflow allows attackers to overwrite memory structures, potentially gaining control over the execution flow of the program. Notably, this vulnerability is considered wormable, meaning it could propagate across network-connected systems without requiring user intervention.
Affected Systems
The following Windows client and server versions are impacted by CVE-2025-47981:
– Windows Client Versions:
– Windows 10 (versions 1607 and above)
– Windows 11 (versions 23H2, 24H2)
– Windows Server Versions:
– Windows Server 2008 R2
– Windows Server 2012
– Windows Server 2012 R2
– Windows Server 2016
– Windows Server 2019
– Windows Server 2022
– Windows Server 2025
Both x64, x86, and ARM64 architectures are affected, including Server Core installations.
Risk Assessment
The CVSS vector string for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C. This indicates that the attack vector is network-based, with low attack complexity, requiring no privileges or user interaction. The potential impact on confidentiality, integrity, and availability is high. Security researchers have assessed this vulnerability as Exploitation More Likely, though no public exploits or active exploitation have been reported at the time of disclosure.
Patch Deployment and Recommendations
Microsoft has released comprehensive security updates to address this vulnerability across different Windows configurations. Organizations are strongly advised to prioritize the immediate deployment of these patches, especially on internet-facing systems and domain controllers, to mitigate potential risks.
Historical Context of Wormable Vulnerabilities
This is not the first time Microsoft has addressed wormable vulnerabilities. In August 2019, Microsoft patched similar critical remote code execution vulnerabilities in Remote Desktop Services, known as DejaBlue (CVE-2019-1181 and CVE-2019-1182). These vulnerabilities were also classified as wormable, meaning they could propagate from one vulnerable computer to another without user interaction. The affected versions included Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions. Microsoft emphasized the importance of patching affected systems promptly due to the elevated risks associated with such vulnerabilities.
Similarly, in July 2020, Microsoft addressed a wormable remote code execution vulnerability in Windows DNS Server, known as SIGRed (CVE-2020-1350). This flaw had existed for 17 years and affected Windows Server versions from 2003 to 2019. The vulnerability allowed unauthenticated attackers to send malicious requests to a Windows DNS server, potentially leading to remote code execution on a Domain Controller. Microsoft released patches and provided workarounds to mitigate the risk, underscoring the severity of the issue.
In January 2022, Microsoft patched another wormable remote code execution vulnerability in the HTTP Protocol Stack (CVE-2022-21907). This flaw affected Windows Server 2022, 20H2 core, and various Windows 10 and Windows 11 versions. The vulnerability allowed unauthenticated attackers to send specially crafted packets to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets, potentially leading to remote code execution. Microsoft recommended prompt patching to prevent potential exploitation.
Conclusion
The release of the patch for CVE-2025-47981 highlights the ongoing challenges in maintaining cybersecurity within complex systems. Organizations must remain vigilant, ensuring that security updates are applied promptly to protect against potential exploits. The wormable nature of this vulnerability underscores the importance of proactive security measures to prevent widespread network compromise.
