Critical Windows Flaw (CVE-2025-47981) Exposes Systems to Remote Code Execution

A critical vulnerability, identified as CVE-2025-47981, has been discovered in the Windows SPNEGO Extended Negotiation (NEGOEX) security mechanism, prompting urgent calls for patching from cybersecurity experts. The flaw, a heap-based buffer overflow, could allow unauthenticated attackers to execute arbitrary code remotely on affected systems, posing a significant threat to enterprise IT security.

The vulnerability carries a critical severity rating, with a CVSS score of 9.8 out of 10. This high score reflects the ease of exploitation and the potential for extensive damage. An attacker can trigger the vulnerability by sending a specially crafted message over a network to a vulnerable system, requiring no user interaction. The code is executed with elevated privileges, making the vulnerability "wormable," meaning it could be used to create self-propagating malware that spreads across networks.

The flaw resides in the Windows Local Security Authority Subsystem Service (LSASS) and is triggered by the improper handling of NEGOEX packets during the authentication process. Successful exploitation could lead to a full system compromise, allowing attackers to execute arbitrary code and potentially move laterally across an organization's network.

Affected Systems and Services

The vulnerability impacts a wide range of modern Windows operating systems, including Windows 10 version 1607 and later, as well as Windows Server. The attack surface is broadened by the fact that the 'Network security: Allow PKU2U authentication requests' group policy is enabled by default on these systems.

Attackers can exploit this flaw through various services that utilize SPNEGO for authentication, including:

  • Server Message Block (SMB) on port 445/TCP
  • Remote Desktop Protocol (RDP) on port 3389/TCP
  • HTTP/S on ports 80 and 443/TCP
  • Simple Mail Transfer Protocol (SMTP) on port 25/TCP

Patching and Mitigation

Microsoft addressed this critical vulnerability as part of its July 2025 Patch Tuesday release. Given the severity and the high likelihood of exploitation within 30 days, as assessed by Microsoft, immediate patching is strongly recommended.

For systems that cannot be patched immediately, security researchers suggest the following mitigation strategies:

  • Disable the "Allow PKU2U authentication requests" setting via Group Policy.
  • Block inbound traffic on ports 135, 445, and 5985 at the network edge.

A Recurring Challenge

This is not the first time a critical vulnerability has been discovered in the NEGOEX component. A similar flaw, CVE-2022-37958, was initially classified as an information disclosure vulnerability before being upgraded to a critical remote code execution threat. The recurrence of such issues highlights the ongoing challenges in securing legacy authentication mechanisms within the Windows ecosystem.

The discovery of CVE-2025-47981 underscores the persistent threat of sophisticated cyberattacks and the critical need for organizations to maintain a robust and timely patch management process.