A stack-based buffer overflow in the Windows Ancillary Function Driver for WinSock (afd.sys) can be exploited by local attackers to seize SYSTEM privileges, Microsoft disclosed in a security advisory. The vulnerability, tracked as CVE-2025-54099, requires immediate patching on all affected Windows builds and has reignited concerns about the enduring attack surface of legacy kernel networking components.

The bug sits in a driver that underpins nearly every network operation on Windows. Afd.sys provides the kernel‑mode socket services that Winsock and many higher‑level APIs rely on. Because it processes input from user‑mode applications via IOCTL calls and standard socket operations, any memory‑safety flaw in its code can become a direct conduit from an unprivileged process to the kernel.

Microsoft’s Security Update Guide describes the issue as a stack‑based buffer overflow that allows an authorized local attacker to elevate privileges. Administrators are instructed to consult the official advisory page for the precise list of affected operating system builds and the corresponding KB articles that deliver the fix. While Microsoft’s own documentation is the authoritative source, independent trackers and vulnerability databases have not yet uniformly indexed this CVE, likely due to the lag between a vendor posting and third‑party aggregation. Defenders should therefore map the MSRC advisory directly to their update pipelines rather than wait for external scoring.

Why AFD.sys bugs are so dangerous

The AFD driver is loaded early in the startup process and remains accessible to every process that uses Windows Sockets. That includes browsers, services, installers, and even sandboxed applications. When attackers find a way to corrupt memory in the driver, they can overwrite critical kernel structures—such as thread tokens, function dispatch tables, or saved return addresses on the kernel stack—and pivot directly to SYSTEM‑level code execution.

Throughout 2024 and 2025, Microsoft patched a series of AFD vulnerabilities spanning multiple flaw classes: heap overflows, use‑after‑free conditions, null pointer dereferences, and untrusted pointer dereferences. Several of those CVEs were reported as being actively exploited in the wild. The recurrence underscores not only the complexity of the codebase but also its attractiveness to both researchers and threat actors. A local privilege escalation in AFD is particularly valuable to ransomware operators and advanced persistent threat groups, who often use such exploits to disable security tools, harvest credentials, and move laterally.

What Microsoft disclosed about CVE-2025-54099

The advisory characterizes the vulnerability as a memory‑safety error in afd.sys that can be triggered locally. No special privileges are required beyond the ability to execute code or a script on the target machine. Successful exploitation gives an attacker complete control over the affected host—SYSTEM integrity level, kernel‑mode access, and the ability to load arbitrary drivers or tamper with security software.

Microsoft does not provide granular technical details in the advisory, but the classification as a stack‑based buffer overflow points to a classic bug: the driver copies more data into a fixed‑size stack buffer than it can hold, overwriting adjacent stack memory. This often lets an attacker control the instruction pointer when the function returns, redirecting execution into a chosen payload. The availability of public proof‑of‑concept code remains unconfirmed at the time of writing, but given the speed with which previous AFD flaws were weaponized, defenders should assume that offensive tooling will surface quickly.

Attack mechanics: from user‑mode IOCTL to kernel compromise

Exploiting a stack overflow in a kernel driver is not trivial, but the steps are well‑understood by experienced exploit developers. A typical chain would look like this:

  • The attacker first obtains code execution on the target through a phishing document, a malicious installer, or a compromised internal application.
  • Using the unprivileged process, they craft malformed socket structures or issue a series of DeviceIoControl calls directed at the AFD device object.
  • The malformed input triggers the stack overflow, overrunning the buffer and overwriting a saved return address or a function pointer stored on the stack.
  • When the function returns, execution jumps to an attacker‑controlled address inside the kernel. Modern mitigations like Kernel Address Space Layout Randomization (KASLR) and Supervisor Mode Execution Prevention (SMEP) make this more difficult, but bypass techniques are well‑documented and often combined with information‑leak primitives to first locate payloads.
  • Once kernel‑mode execution is achieved, the attacker typically locates the SYSTEM token assigned to the current process or another process and replaces the token of their own process. This instantly elevates the attacker’s process to SYSTEM.

Because the AFD driver is called by many normal applications, the IOCTL path is hard to block without breaking legitimate functionality. Attackers can wrap the exploit in innocuous‑looking network operations, making signature‑based detection of static patterns unreliable.

Affected versions and how to patch

The precise list of affected Windows editions is detailed in the MSRC advisory. Historically, AFD fixes have been distributed in the monthly cumulative updates for all supported versions, including Windows 10, Windows 11, Windows Server 2016, 2019, 2022, and corresponding LTSC editions. In previous AFD-related patching cycles, Microsoft sometimes released out‑of‑band updates for older server SKUs still under extended support. Administrators should check for any security‑only or standalone packages if they manage environments that cannot immediately deploy a full cumulative update.

To patch:
- Identify the exact KB number from the MSRC advisory for your Windows build.
- Download the update from the Microsoft Update Catalog or approve it through WSUS/Windows Update for Business.
- Test the update in a pre‑production ring, paying attention to any networking regressions, as AFD.sys is core to socket communication.
- Roll out broadly, prioritising domain controllers, terminal servers, VDI hosts, and developer workstations.

If patching must be delayed, Microsoft’s advisory may include official mitigations. However, for kernel‑level EoP flaws, the only complete remediation is the vendor patch.

Short‑term mitigations and compensating controls

Organizations that cannot patch immediately can reduce risk through a combination of architectural and monitoring controls. These are not substitutes for the update but can make exploitation harder:

  • Application control: Enforce AppLocker, Windows Defender Application Control (WDAC), or third‑party solutions to prevent unauthorized executables from running. Exploits are typically delivered as files or spawned by script interpreters; blocking unknown binaries breaks the delivery chain.
  • Restrict local accounts: Remove interactive logon rights for service accounts and minimize the number of local administrators. The vulnerability requires a local authenticated user; reducing the number of accounts that can log on interactively shrinks the attack surface.
  • Enable Hypervisor‑protected Code Integrity (HVCI): HVCI enforces that all code executing in kernel mode is signed, which can prevent some post‑exploitation payloads. It may be incompatible with certain legacy drivers, so test thoroughly.
  • Harden device access: While you cannot easily block legitimate AFD access, you can monitor for unusual IOCTL patterns (see next section) and ensure that unprivileged users cannot interact with the device object in unexpected ways through existing security boundaries.
  • Least privilege: Ensure that users who handle untrusted content—email attachments, downloads, removable media—do not have administrative rights on their endpoints.
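
The controls above are only useful if you can see where they are actually in force. The following script is an added example, not part of the original article or of any Microsoft tooling: run on a single host, it reports whether HVCI is running, the WDAC enforcement state, how many AppLocker rules are in the effective policy, and who sits in the local Administrators group. It relies only on documented Windows interfaces (the Win32_DeviceGuard CIM class, Get-AppLockerPolicy and Get-LocalGroupMember); the meaning of the numeric status codes is noted in the comments and is taken from Microsoft's documentation of that class.

```powershell
# Added example (not from the article or Microsoft): snapshot of the compensating
# controls listed above on the local host, shaped for a compliance report.
# Win32_DeviceGuard fields: SecurityServicesRunning contains 2 when HVCI is running
# (1 = Credential Guard); the two *PolicyEnforcementStatus fields are 0 off, 1 audit, 2 enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$wdacStatus = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# Local Administrators membership; on a domain controller there is no local SAM,
# so this is empty there and the admin count must come from AD instead.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)

# Count rules in the effective AppLocker policy. No policy (or an empty one) means
# AppLocker is not acting as an application-control boundary on this host.
$ruleCount = 0
$policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
if ($policyXml) {
    $ruleCount = ([regex]::Matches($policyXml, '<(FilePublisherRule|FileHashRule|FilePathRule)\b')).Count
}

$posture = [pscustomobject]@{
    Host               = $env:COMPUTERNAME
    HvciRunning        = ($dg.SecurityServicesRunning -contains 2)
    WdacKernelPolicy   = $wdacStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    WdacUserModePolicy = $wdacStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    AppLockerRules     = $ruleCount
    LocalAdminCount    = $admins.Count
    LocalAdmins        = ($admins.Name -join '; ')
}
$posture | Format-List
```

Wrap the body in Invoke-Command or your management agent to collect the same object from every endpoint; a host showing HvciRunning False, WDAC Off, zero AppLocker rules and a long LocalAdmins list is exactly the one where an unprivileged foothold has the least standing in its way.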

Detection and hunting guidance

Kernel exploitation often leaves forensic traces in endpoint telemetry, even if the final payload is fileless. Security teams should instrument the following alerts and hunts:

  • EDR rules: Monitor for processes that repeatedly issue DeviceIoControl calls to device names associated with AFD (often \\.\Afd or \Device\Afd\Endpoint). High‑frequency sequences from low‑privilege processes (such as web browsers or PDF readers) are anomalous and warrant investigation.
  • Sysmon / Event Tracing for Windows (ETW): Configure Sysmon to log CreateFile and DeviceIoControl events (Event IDs 1 and 13) and filter for operations targeting the AFD device. Look for tight loops or thousands of IOCTL calls within a short window.
  • Kernel‑level telemetry: If you have access to kernel tracing or Microsoft Defender for Endpoint’s deep inspection, look for suspicious kernel write operations that modify process token structures or dispatch tables. Alert on any process that suddenly transitions from a low integrity level to SYSTEM without a known parent process.
  • File inventory: Use endpoint management tools to collect the version of afd.sys across your estate. For example, PowerShell: Get-ItemProperty "C:\Windows\System32\drivers\afd.sys" | Select VersionInfo. Compare against the patched version listed in the KB article. Any host running a vulnerable version should be flagged for immediate update.
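
The one‑liner in the file‑inventory bullet tells you the version on one machine; turning it into a fleet check means comparing against the fixed version and the KB from the advisory and listing the hosts still pending, which also closes the loop on the patch steps in the previous section. The script below is an added example, not the article's or Microsoft's code. The KB identifier and the patched afd.sys version are placeholders that must be replaced with the values from the MSRC advisory and its KB article; the script refuses to run until they are. It assumes PowerShell remoting (WinRM) to remote hosts, and it reads the numeric fields of the file's version resource rather than the FileVersion string, because on Windows system binaries that string is frequently stale while the numeric fields reflect the installed update.

```powershell
# Added example (not from the MSRC advisory or any Microsoft tooling): confirm remediation
# of CVE-2025-54099 across hosts by checking the KB that carries the fix and the afd.sys
# version it ships. Both values are PLACEHOLDERS until you fill them in from the advisory.
param(
    [string[]]$ComputerName      = @($env:COMPUTERNAME),
    [string]  $ExpectedKb        = 'KB0000000',   # placeholder: real KB id from the MSRC advisory
    [string]  $PatchedAfdVersion = '0.0.0.0'      # placeholder: fixed afd.sys version from that KB
)

if ($ExpectedKb -eq 'KB0000000' -or $PatchedAfdVersion -eq '0.0.0.0') {
    throw 'Fill in $ExpectedKb and $PatchedAfdVersion from the MSRC advisory before running.'
}

# Runs on each host. Uses FileMajorPart..FilePrivatePart instead of the FileVersion string:
# on system binaries the string often reads e.g. "10.0.19041.1 (WinBuild.160101.0800)"
# while the numeric fields carry the real updated build.
$check = {
    param([string]$Kb, [string]$MinVersion)
    $vi  = (Get-Item "$env:SystemRoot\System32\drivers\afd.sys").VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $kbInstalled = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OsVersion   = (Get-CimInstance Win32_OperatingSystem).Version
        AfdVersion  = $ver.ToString()
        KbInstalled = $kbInstalled
        # Either signal suffices: the file version catches hosts where Get-HotFix is
        # incomplete, the KB check catches hosts serviced through an unusual path.
        Compliant   = $kbInstalled -or ($ver -ge [version]$MinVersion)
    }
}

$results = foreach ($target in $ComputerName) {
    if ($target -ieq $env:COMPUTERNAME) {
        & $check $ExpectedKb $PatchedAfdVersion
    } else {
        # Requires WinRM; substitute your management agent if you do not use PS remoting.
        Invoke-Command -ComputerName $target -ScriptBlock $check -ArgumentList $ExpectedKb, $PatchedAfdVersion
    }
}

$results | Sort-Object Compliant, Host | Format-Table Host, OsVersion, AfdVersion, KbInstalled, Compliant -AutoSize
$pending = @($results | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} host(s) still need the update." -f $pending.Count, @($results).Count)
```

Feed the list of hosts from your CMDB or AD, and treat a host that reports KbInstalled False but a compliant AfdVersion as a servicing anomaly worth a second look rather than as a pass.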

Preserve memory dumps and EDR logs if an exploit attempt is suspected. Kernel compromises are notoriously difficult to clean without a fresh installation; a successful SYSTEM escalation should trigger a full reimage and forensic analysis of the host.
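
The EDR and ETW bullets above describe the pattern to hunt for, high‑frequency DeviceIoControl activity against the AFD device from low‑privilege processes, without showing how to evaluate it. The script below is an added example, not from the article or any EDR vendor, of that detection logic run over sample telemetry. The record shape (ts, pid, image, integrity, op, device) and every event in it are constructed for the demo and are not real sensor output; map the field names onto whatever your EDR exports, and treat the threshold and window length as hypothetical starting points to be baselined against your own estate, where SYSTEM services legitimately issue large numbers of AFD IOCTLs.

```powershell
# Added example (not from the article or any EDR vendor): flag processes that hit the
# AFD device with DeviceIoControl in tight bursts. Telemetry shape and all events are
# CONSTRUCTED for this demo; tuning values are hypothetical and need a local baseline.
param(
    [int]$Threshold     = 40,   # hypothetical: AFD IOCTLs from one process inside one window
    [int]$WindowSeconds = 5     # hypothetical: sliding window length
)

function Find-AfdIoctlBursts {
    param([object[]]$Events, [int]$Threshold, [int]$WindowSeconds)
    $afd = $Events | Where-Object { $_.op -eq 'DeviceIoControl' -and $_.device -like '\Device\Afd*' }
    foreach ($grp in ($afd | Group-Object pid, image)) {
        # Sliding window: the largest number of events whose timestamps span <= WindowSeconds.
        $times = @($grp.Group | ForEach-Object { [datetime]$_.ts } | Sort-Object)
        $start = 0; $peak = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalSeconds -gt $WindowSeconds) { $start++ }
            $peak = [math]::Max($peak, $end - $start + 1)
        }
        $first = $grp.Group[0]
        # Low/Medium integrity is where an unprivileged foothold lives; SYSTEM services
        # legitimately hammer AFD, so they are reported but not flagged.
        [pscustomobject]@{
            Pid           = $first.pid
            Image         = $first.image
            Integrity     = $first.integrity
            AfdIoctls     = $times.Count
            PeakPerWindow = $peak
            Suspicious    = ($peak -ge $Threshold) -and ($first.integrity -in 'Low', 'Medium')
        }
    }
}

# --- constructed sample telemetry (JSON lines in a generic EDR export shape) ---
$baselineJson = @'
{"ts":"2025-09-10T10:00:00.000Z","pid":1204,"image":"svchost.exe","integrity":"System","op":"DeviceIoControl","device":"\\Device\\Afd\\Endpoint"}
{"ts":"2025-09-10T10:00:00.200Z","pid":1204,"image":"svchost.exe","integrity":"System","op":"DeviceIoControl","device":"\\Device\\Afd\\Endpoint"}
{"ts":"2025-09-10T10:00:01.000Z","pid":3380,"image":"outlook.exe","integrity":"Medium","op":"DeviceIoControl","device":"\\Device\\Afd\\Endpoint"}
{"ts":"2025-09-10T10:00:03.500Z","pid":3380,"image":"outlook.exe","integrity":"Medium","op":"CreateFile","device":"\\Device\\Afd\\Endpoint"}
'@
$baseline = $baselineJson -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json }

# Constructed anomaly: a low-integrity browser process issuing 60 AFD IOCTLs in under two seconds.
$t0 = [datetime]'2025-09-10T10:00:02.000Z'
$burst = foreach ($i in 0..59) {
    [pscustomobject]@{
        ts = $t0.AddMilliseconds(30 * $i); pid = 4120; image = 'msedge.exe'
        integrity = 'Low'; op = 'DeviceIoControl'; device = '\Device\Afd\Endpoint'
    }
}

$report = Find-AfdIoctlBursts -Events ($baseline + $burst) -Threshold $Threshold -WindowSeconds $WindowSeconds
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On this input svchost.exe and outlook.exe come out with small counts and Suspicious False, while msedge.exe reports 60 IOCTLs, a peak of 60 inside one window and Suspicious True. The value of the sliding window over a plain count is that it separates a process that is merely busy over a long session from one that pushes malformed requests at the driver in a loop; wire the function to your real export and pivot on the flagged Pid into the memory dump and EDR timeline the paragraph above asks you to preserve.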

Who should act first?

Not all endpoints carry equal risk. Prioritize patching on:

  • Domain controllers and servers hosting Active Directory or certificate services—a SYSTEM compromise here threatens the entire forest.
  • Remote Desktop Services (RDS) hosts and VDI virtual machines where multiple users share the same kernel.
  • Developer workstations and build servers that regularly download and execute untrusted code.
  • Any system accessible to contractors, kiosks, or shared accounts where an unprivileged process could be launched by a semi‑trusted user.

Attackers who combine this local exploit with a ransomware payload or lateral movement can cripple an entire network. In recent incidents, privilege escalation flaws have been the lynchpin that turned a limited user‑level compromise into a domain‑wide catastrophe.

A pattern of AFD vulnerabilities demands architectural attention

The stream of AFD patches in 2024–2025 highlights a deeper challenge. The driver is legacy code, originally designed decades ago, yet it remains responsible for critical system functions. While Microsoft has invested in security improvements—such as kernel pool hardening, Control Flow Guard, and Hypervisor‑protected Code Integrity—the sheer number of newly discovered bugs suggests that a root‑cause analysis and broader refactoring might be prudent. Until then, Windows administrators must accept that AFD bugs will continue to appear and treat every new WinSock advisory as a potential emergency.

Organizations should use this vulnerability as a catalyst to tighten patch management processes. The mean time to patch for kernel flaws should be measured in hours, not weeks. Combine fast patching with robust endpoint detection, strict application control, and the principle of least privilege to create a layered defense that assumes the next AFD zero‑day is inevitable.

Final word

CVE-2025-54099 is a textbook local privilege escalation: a kernel driver mishandles user‑supplied data, an attacker overwrites a return address, and SYSTEM privileges follow. The fix is a cumulative update from Microsoft, already available through normal channels. While the vulnerability requires local access, that bar is low in today’s threat landscape—phishing emails, supply chain compromises, and web‑borne exploits all provide attackers with a foothold. Armed with an EoP exploit, that foothold becomes full control.

Patch the driver, hunt for exploitation attempts, and treat kernel‑side vulnerabilities with the urgency they deserve. The AFD.sys file on your endpoints may be small, but the blast radius of a bug inside it is enormous.