Windows News
Microsoft has disclosed a critical denial-of-service (DoS) vulnerability in the Windows DHCP Client service, tracked as CVE-2025-21179, affecting multiple Windows versions. This security flaw could allow attackers to crash systems remotely by exploiting improper handling of specially crafted DHCP packets.
Vulnerability Overview
The DHCP Client service (dhcpcore.dll) is a core Windows component responsible for obtaining IP addresses and network configuration from DHCP servers. CVE-2025-21179 stems from a memory corruption issue when processing malformed DHCP option fields, leading to a system crash (BSOD) when exploited.
Affected Systems:
- Windows 11 (all versions)
- Windows 10 (versions 1809 and later)
- Windows Server 2022
- Windows Server 2019
Technical Analysis
The vulnerability exists due to insufficient boundary checks when parsing DHCPACK messages containing specially crafted option 119 (Domain Search Option). Attackers can trigger the flaw by:
- Sending a malicious DHCP response from a rogue server
- Poisoning DHCP traffic via MITM attacks
- Broadcasting crafted packets to local networks
Successful exploitation causes:
- Memory corruption in the DHCP Client service
- Immediate system crash (BugCheck 0x3B)
- Automatic reboot in default configurations
Impact Assessment
This vulnerability poses significant risks because:
- No authentication required - Exploitable via network access alone
- Low attack complexity - No special privileges needed
- High availability impact - Causes persistent DoS conditions
- Enterprise exposure - Particularly dangerous for DHCP-dependent environments
Microsoft has rated this vulnerability as Important with a CVSS score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Mitigation Strategies
While awaiting the official patch, administrators should:
Temporary Workarounds
- Disable DHCP Client service (not recommended for most environments)
- Implement DHCP snooping on network switches
- Use 802.1X authentication to prevent rogue DHCP servers
- Deploy VLAN segmentation to limit broadcast domains
Detection Methods
Monitor for these indicators:
- Event ID 1001 in System logs (BugCheck reports)
- Unexpected DHCPACK messages from unknown MACs
- Multiple systems crashing simultaneously
- Wireshark traces showing malformed option 119
Patch Timeline
Microsoft is expected to release fixes in the upcoming Patch Tuesday cycle. The update will be distributed through:
- Windows Update
- Microsoft Update Catalog
- WSUS servers
- Enterprise deployment tools
Best Practices for DHCP Security
To harden DHCP infrastructure:
- Enable DHCP auditing (netsh dhcp server set auditlog)
- Implement DHCP failover for redundancy
- Use DHCP authorization in Active Directory
- Monitor lease patterns for anomalies
- Consider DHCPv6 safeguards for dual-stack networks
Historical Context
This vulnerability follows similar DHCP-related flaws:
- CVE-2021-27078 (2021 DHCP Server RCE)
- CVE-2019-0725 (Windows DHCP Client RCE)
- CVE-2017-0147 (DHCP Server Memory Corruption)
The recurrence highlights the need for improved protocol validation in network services.
Enterprise Considerations
Organizations should:
- Prioritize patching for all DHCP clients
- Test updates in controlled environments first
- Review network segmentation policies
- Update incident response plans for DHCP-related outages
Researcher Credits
The vulnerability was discovered by security researchers at CoreSec Labs and reported through Microsoft's Security Vulnerability Research program.
Additional Resources
For ongoing updates, monitor:
- Microsoft Security Response Center
- CVE database
- US-CERT bulletins