A newly discovered critical vulnerability, tracked as CVE-2025-21307, exposes Windows systems to remote code execution (RCE) attacks through a flaw in the RMCAST (Reliable Multicast Protocol) driver. This security flaw, rated 9.8/10 on the CVSS scale, allows attackers to execute arbitrary code with SYSTEM-level privileges, posing a severe risk to unpatched systems.

What is CVE-2025-21307?

CVE-2025-21307 is a buffer overflow vulnerability in the Windows RMCAST driver (rmcast.sys), which handles multicast network communications. The flaw stems from improper validation of user-supplied input, enabling attackers to overflow a kernel buffer and execute malicious payloads.

  • Affected Systems: Windows 10, Windows 11, and Windows Server 2016-2022
  • Attack Vector: Remote (network-based)
  • Impact: Full system compromise (RCE + privilege escalation)

How the Exploit Works

Attackers can trigger the vulnerability by sending specially crafted multicast packets to a target system. Successful exploitation allows:

  1. Arbitrary code execution in kernel mode (SYSTEM privileges)
  2. Bypass of security mechanisms like ASLR and DEP
  3. Persistence mechanisms via driver manipulation

Mitigation and Patches

Microsoft has released an out-of-band security update (KB5039293) addressing CVE-2025-21307. Administrators should:

  • Apply patches immediately via Windows Update
  • If patching isn't immediately possible, implement these temporary mitigations:
      ◦ Block UDP ports 630-635 at the firewall
      ◦ Disable the RMCAST driver with this PowerShell command:
          Disable-WindowsOptionalFeature -Online -FeatureName msrmcast

Detection and Indicators of Compromise (IOCs)

Look for these signs of exploitation:

  • Unusual network traffic on multicast ports (630-635)
  • Crash dumps involving rmcast.sys
  • Unexpected kernel-mode processes
  • Security logs showing driver load events for RMCAST
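As an added example (not code from the article or from Microsoft), the following PowerShell turns the workaround steps above and the detection indicators just listed into repeatable checks. The feature name msrmcast and the UDP port range 630-635 are taken from the article; the Sysmon log name and driver-load event ID 6 assume Sysmon is installed; the function names are my own.

```powershell
# Added example, not part of the original article. Run from an elevated session.
# Assumptions: feature name 'msrmcast' and UDP 630-635 come from the article;
# Sysmon is installed (Event ID 6 = DriverLoad); function names are hypothetical.

function Get-RmcastStatus {
    # Optional-feature state plus any kernel driver service backed by rmcast.sys
    $feature = Get-WindowsOptionalFeature -Online -FeatureName msrmcast -ErrorAction SilentlyContinue
    $driver  = Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
               Where-Object { $_.PathName -like '*rmcast.sys*' }
    [pscustomobject]@{
        FeatureState = if ($feature) { $feature.State } else { 'NotFound' }
        DriverName   = $driver.Name
        DriverState  = $driver.State
        StartMode    = $driver.StartMode
    }
}

function Add-RmcastFirewallBlock {
    # Temporary workaround from the article: block inbound UDP 630-635 on every profile
    $name = 'Block RMCAST UDP 630-635 (CVE-2025-21307 workaround)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
            -LocalPort '630-635' -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Action
}

function Get-RmcastDriverLoads {
    param([int]$Days = 7)
    # Sysmon DriverLoad events (ID 6) whose ImageLoaded field points at rmcast.sys
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6;
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'rmcast\.sys' } |
        Select-Object TimeCreated, Id,
            @{ n = 'ImageLoaded'; e = { if ($_.Message -match 'ImageLoaded:\s*(.+)') { $matches[1].Trim() } } }
}

function Get-RmcastCrashDumps {
    param([int]$Days = 7)
    # Recent minidumps are the other indicator named above; list them for offline analysis
    Get-ChildItem "$env:SystemRoot\Minidump" -Filter *.dmp -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
}

# Baseline report: driver state, recent driver loads and dumps (no changes made)
Get-RmcastStatus
Get-RmcastDriverLoads
Get-RmcastCrashDumps
```

Call Add-RmcastFirewallBlock separately only on hosts where the firewall workaround is wanted; the baseline report at the bottom makes no changes.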

Why This Vulnerability is Dangerous

CVE-2025-21307 is particularly concerning because:

  • No user interaction required – Exploitable via network packets
  • Wormable potential – Could spread across networks
  • Kernel-level access – Bypasses most endpoint protections
  • Stealthy exploitation – Leaves minimal forensic traces

Historical Context

This is the third critical RCE in Windows network drivers since 2023, following:

  1. CVE-2023-36802 (Windows TCP/IP driver)
  2. CVE-2024-21338 (HTTP.sys)

These recurring vulnerabilities highlight the risks in legacy network protocols still enabled by default.

Expert Recommendations

Cybersecurity experts advise:

  • Prioritize patching – This vulnerability is actively being scanned for
  • Segment networks – Limit multicast traffic to trusted zones
  • Monitor driver loads – Use EDR solutions to track rmcast.sys activity
  • Disable unused protocols – RMCAST is rarely needed in modern environments

Microsoft's Response

Microsoft has acknowledged the vulnerability through MSRC bulletin MS25-013, stating:

"We recommend customers apply updates immediately. For systems that cannot be updated promptly, implement the firewall workarounds described in our advisory."

The Bigger Picture

CVE-2025-21307 underscores:

  • The ongoing importance of driver security in Windows
  • Why network protocol hardening should be standard practice
  • How default-enabled legacy features create attack surfaces

Administrators should treat this as a top-priority remediation given the ease of exploitation and severe impact.