Microsoft Patches Wormable RCE Vulnerability in Windows and Windows Server
Microsoft has released critical security updates to address CVE-2025-47981, a severe heap-based buffer overflow vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism that affects multiple Windows and Windows Server versions.
This vulnerability carries a CVSS score of 9.8 out of 10, indicating maximum severity with the potential for remote code execution without user interaction.
Key Takeaways
1. Heap-based buffer overflow vulnerability in Windows SPNEGO with 9.8/10 CVSS score enabling remote code execution.
2. Attackers can execute code by sending malicious messages to servers without user interaction or privileges.
3. Affects Windows 10 (1607+), Windows 11, and Windows Server versions across 33 system configurations.
4. Microsoft released updates July 8, 2025; prioritize deployment on internet-facing systems and domain controllers.
The flaw enables unauthorized attackers to execute arbitrary code over network connections, making it particularly dangerous for enterprise environments.
Wormable RCE Vulnerability (CVE-2025-47981)
The vulnerability resides in Windows SPNEGO Extended Negotiation, which extends the Simple and Protected GSS-API Negotiation Mechanism.
CVE-2025-47981 is classified as CWE-122, representing a heap-based buffer overflow weakness that can be exploited remotely.
The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C indicates a network-based attack of low complexity that requires no privileges or user interaction and has high impact on confidentiality, integrity, and availability; the temporal metrics (E:U/RL:O/RC:C) record that no exploit code was known, an official fix is available, and the report is confirmed.
Security researchers have assessed this vulnerability as “Exploitation More Likely,” though no public exploits or active exploitation have been reported at the time of disclosure.
The vulnerability particularly affects Windows client machines running Windows 10 version 1607 and above, where the Group Policy Object “Network security: Allow PKU2U authentication requests to this computer to use online identities” is enabled by default.
Attackers can exploit CVE-2025-47981 by sending malicious messages to affected servers, potentially achieving remote code execution capabilities.
The heap-based buffer overflow occurs within the NEGOEX processing mechanism, allowing attackers to overwrite memory structures and gain control of program execution flow.
Because exploitation requires neither authentication nor user interaction, the flaw is considered wormable: malicious code could potentially propagate from one network-connected system to another without any user intervention.
The vulnerability was discovered through coordinated disclosure by security researchers, including anonymous contributors and Yuki Chen.
Microsoft’s acknowledgment of these researchers demonstrates the importance of responsible vulnerability disclosure in maintaining enterprise security postures.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Windows 10 (versions 1607 and above); Windows 11 (versions 23H2, 24H2); Windows Server 2008 R2 through Windows Server 2025; x64, x86, and ARM64 architectures; Server Core installations included |
| Impact | Remote Code Execution |
| Exploit Prerequisites | No privileges or user interaction required |
| CVSS 3.1 Score | 9.8 (Critical) |
Patch Deployment
Microsoft released comprehensive security updates on July 8, 2025, addressing the vulnerability across different Windows configurations.
Critical updates include patches for Windows Server 2025 (build 10.0.26100.4652), Windows 11 Version 24H2 (build 10.0.26100.4652), Windows Server 2022 23H2 Edition (build 10.0.25398.1732), and legacy systems including Windows Server 2008 R2 (build 6.1.7601.27820).
Organizations should prioritize the immediate deployment of these security updates, particularly for internet-facing systems and domain controllers.
The patches are available through Windows Update, Microsoft Update Catalog, and Windows Server Update Services (WSUS).
System administrators should verify successful installation by checking installed build numbers against those listed in Microsoft's security bulletin, and should consider network segmentation as an additional defensive measure while patches are being rolled out.
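The verification step above, and the PKU2U policy mentioned earlier, can both be checked from an elevated PowerShell prompt. The script below is an added example written for this article, not code from Microsoft or the article's authors. It compares the host's installed OS version with the patched build numbers the article lists (Windows Server 2025 / Windows 11 24H2, Windows Server 2022 23H2 Edition, Windows Server 2008 R2) and reports hosts whose build is not in that list as "Unknown" rather than guessing. The registry location used for the "Allow PKU2U authentication requests to this computer to use online identities" policy is an assumption taken from Microsoft's policy documentation and is not stated on the page.

```powershell
# Added example (not from the article or Microsoft): report whether this host's
# OS build is at or above a patched build listed in the article for CVE-2025-47981,
# and whether the PKU2U online-identity policy the article mentions is enabled.

# Patched builds named in the article, keyed by major.minor.build.
# Products not listed in the article (e.g. Windows 10, Windows 11 23H2) are not
# in this table and are reported as "Unknown" rather than assumed.
$PatchedBuilds = @{
    '10.0.26100' = [version]'10.0.26100.4652'   # Windows Server 2025 / Windows 11 24H2
    '10.0.25398' = [version]'10.0.25398.1732'   # Windows Server 2022 23H2 Edition
    '6.1.7601'   = [version]'6.1.7601.27820'    # Windows Server 2008 R2
}

function Get-InstalledOsVersion {
    # Windows 10 and later expose CurrentMajorVersionNumber/CurrentMinorVersionNumber;
    # older systems only expose CurrentVersion (e.g. "6.1"). UBR is the revision part.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $p = Get-ItemProperty -Path $key
    if ($null -ne $p.CurrentMajorVersionNumber) {
        $majorMinor = "$($p.CurrentMajorVersionNumber).$($p.CurrentMinorVersionNumber)"
    } else {
        $majorMinor = $p.CurrentVersion
    }
    $ubr = if ($null -ne $p.UBR) { $p.UBR } else { 0 }
    return [version]"$majorMinor.$($p.CurrentBuildNumber).$ubr"
}

function Test-Cve202547981Patched {
    param([version]$Installed)
    # Look up the patched revision for this build line and compare the full version.
    $key = "$($Installed.Major).$($Installed.Minor).$($Installed.Build)"
    if (-not $PatchedBuilds.ContainsKey($key)) {
        return [pscustomobject]@{ Status = 'Unknown'; Installed = $Installed; Required = $null }
    }
    $required = $PatchedBuilds[$key]
    $status = if ($Installed -ge $required) { 'Patched' } else { 'Vulnerable' }
    return [pscustomobject]@{ Status = $status; Installed = $Installed; Required = $required }
}

function Get-Pku2uOnlineIdPolicy {
    # Assumed registry value behind "Network security: Allow PKU2U authentication
    # requests to this computer to use online identities" (not stated in the article).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $v = (Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue).AllowOnlineID
    if ($null -eq $v) { return 'Not configured (platform default applies)' }
    if ($v -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

$installed = Get-InstalledOsVersion
Test-Cve202547981Patched -Installed $installed | Format-List
"PKU2U online identities policy: $(Get-Pku2uOnlineIdPolicy)"
```

A "Vulnerable" result means the build line is one the article covers but the installed revision is older than the patched one; "Unknown" means the host runs a build the article does not list, so its status must be confirmed against the full Microsoft bulletin rather than inferred from this table.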