Critical Windows Kerberos Flaw Allows for Remote Service Disruption

A significant vulnerability, identified as CVE-2025-47978, has been discovered in the Windows Kerberos authentication system. This flaw, an "out-of-bounds read," could allow an authenticated attacker to remotely cause a denial of service (DoS), leading to major disruptions for network users.

The vulnerability, which was included in Microsoft's July 2025 Patch Tuesday updates, has been rated as having a medium severity with a CVSS score of 6.5. However, the ease of exploitation and the potential for widespread service interruption make it a critical issue for organizations to address.

How the Vulnerability Works

The core of CVE-2025-47978 lies in an out-of-bounds read condition within the Windows Kerberos service. An attacker who has successfully authenticated on a network can send a specially crafted request to the Kerberos service. This malicious request causes the system to attempt to read data from a memory location that is outside of the intended buffer. This action triggers an error that can crash the Kerberos service, effectively shutting down a critical component of Windows network authentication.

Impact of Exploitation

A successful exploit of this vulnerability results in a denial of service. This means that legitimate users would be unable to authenticate to network resources that rely on Kerberos. The potential consequences include:

  • Inability for users to log in to their workstations.
  • Loss of access to file shares, printers, and other networked resources.
  • Disruption of applications and services that use Kerberos for authentication.

While the vulnerability does not allow for the theft of data or the execution of malicious code, the resulting service disruption can have a significant impact on business operations.

Affected Systems and Mitigation

Microsoft has confirmed that the following versions of Windows Server are affected by this vulnerability:

  • Windows Server 2022
  • Windows Server 2025
  • Windows Server 23H2

To mitigate this vulnerability, Microsoft has released security updates as part of its July 2025 Patch Tuesday. System administrators are strongly advised to apply these patches immediately to all affected servers.

In addition to patching, organizations can take the following steps to reduce their risk:

  • Restrict network access: Limit the ability of untrusted users to connect to sensitive network services.
  • Monitor for unusual activity: Keep a close watch on authentication service logs for any signs of disruption or unusual requests.

Vulnerability Details

The Common Vulnerability Scoring System (CVSS) provides a standardized way to assess the severity of vulnerabilities. The CVSS 3.1 score for CVE-2025-47978 is 6.5, which is categorized as "Medium." The breakdown of the score is as follows:

  • Attack Vector: Network (AV:N): The vulnerability can be exploited remotely over a network.
  • Attack Complexity: Low (AC:L): An attacker does not require specialized conditions or significant effort to exploit the vulnerability.
  • Privileges Required: Low (PR:L): The attacker needs to be an authenticated user on the network.
  • User Interaction: None (UI:N): No action is required from a user for the vulnerability to be exploited.
  • Scope: Unchanged (S:U): The exploit affects the vulnerable component but does not impact other parts of the system.
  • Confidentiality: None (C:N): The vulnerability does not lead to the disclosure of sensitive information.
  • Integrity: None (I:N): The vulnerability does not allow an attacker to modify data.
  • Availability: High (A:H): A successful exploit has a significant impact on the availability of the targeted service.

This vulnerability was one of 137 flaws addressed by Microsoft in its July 2025 Patch Tuesday, which also included a publicly disclosed zero-day vulnerability in Microsoft SQL Server.