On July 8, 2025, Microsoft issued a series of critical security updates to address a severe vulnerability identified as CVE-2025-47981. This flaw, found in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, affects multiple versions of Windows and Windows Server. With a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, this vulnerability poses a significant risk, allowing remote code execution without user interaction.
Key Highlights:
1. Critical Vulnerability in Windows SPNEGO: A heap-based buffer overflow in the SPNEGO mechanism enables remote code execution.
2. Exploitation Without User Interaction: Attackers can execute arbitrary code by sending specially crafted messages to vulnerable servers, requiring no user action or privileges.
3. Wide Range of Affected Systems: The vulnerability impacts Windows 10 (version 1607 and later), Windows 11, and various Windows Server versions across 33 system configurations.
4. Immediate Patch Availability: Microsoft released updates on July 8, 2025. Organizations are urged to prioritize patch deployment, especially on internet-facing systems and domain controllers.
Understanding CVE-2025-47981:
CVE-2025-47981 resides in the SPNEGO Extended Negotiation mechanism, an extension of the Simple and Protected GSS-API Negotiation Mechanism. This vulnerability is classified under CWE-122, indicating a heap-based buffer overflow that can be exploited remotely. The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C suggests that the attack is network-based, of low complexity, requires no privileges or user interaction, and has a high impact on confidentiality, integrity, and availability.
Security researchers have assessed this vulnerability as Exploitation More Likely, though no public exploits or active exploitation have been reported at the time of disclosure. Notably, Windows client machines running Windows 10 version 1607 and above are particularly affected due to the default enabling of the Group Policy Object Network security: Allow PKU2U authentication requests to this computer to use online identities.
Technical Details:
Attackers can exploit CVE-2025-47981 by sending malicious messages to affected servers, potentially achieving remote code execution capabilities. The heap-based buffer overflow occurs within the NEGOEX processing mechanism, allowing attackers to overwrite memory structures and gain control of the program execution flow. This wormable characteristic means the vulnerability could potentially propagate across network-connected systems without requiring user intervention.
The vulnerability was discovered through coordinated disclosure by security researchers, including anonymous contributors and Yuki Chen. Microsoft’s acknowledgment of these researchers underscores the importance of responsible vulnerability disclosure in maintaining enterprise security postures.
Risk Factors:
– Affected Products:
– Windows 10 (versions 1607 and above)
– Windows 11 (versions 23H2, 24H2)
– Windows Server 2008 R2 through Server 2025
– Both x64, x86, and ARM64 architectures
– Server Core installations included
– Impact: Remote Code Execution
– Exploit Prerequisites: No privileges or user interaction required
– CVSS 3.1 Score: 9.8 (Critical)
Patch Deployment:
Microsoft released comprehensive security updates on July 8, 2025, addressing the vulnerability across different Windows configurations. Critical updates include patches for Windows Server 2025 (build 10.0.26100.4652), Windows 11 Version 24H2 (build 10.0.26100.4652), Windows Server 2022 23H2 Edition (build 10.0.25398.1732), and legacy systems including Windows Server 2008 R2 (build 6.1.7601.27820).
Organizations should prioritize the immediate deployment of these security updates, particularly for internet-facing systems and domain controllers. The patches are available through Windows Update, Microsoft Update Catalog, and Windows Server Update Services (WSUS). System administrators should verify successful installation by checking build numbers against Microsoft’s security bulletin and consider implementing network segmentation as an additional defensive measure while patches are deployed.
