A critical vulnerability has been identified in a core component of the Windows operating system, posing a significant security risk to users. The flaw, cataloged as CVE-2025-49675, affects the Kernel Streaming WOW Thunk Service Driver and could allow a local attacker to gain complete control over a compromised system.

Understanding the Vulnerability

The vulnerability is a "use-after-free" error in the Kernel Streaming WOW Thunk Service Driver. This type of flaw occurs when a program continues to use a pointer after the memory it points to has been freed. This can lead to a variety of malicious outcomes, including the execution of arbitrary code. In the case of CVE-2025-49675, a successful exploit allows an attacker who is already authenticated on the system to elevate their privileges to the highest level, known as "SYSTEM".

The Kernel Streaming WOW Thunk Service Driver (ksthunk.sys) is a crucial component that allows 32-bit applications to communicate with 64-bit kernel streaming drivers. Its primary function is to translate data structures between the two environments, making it a fundamental part of the Windows architecture for backward compatibility.

High-Severity Impact

The National Vulnerability Database (NVD) has assigned a CVSS v3.1 base score of 7.8 to this vulnerability, classifying it as "High" severity. This rating reflects the low complexity of the attack and the potential for a complete compromise of the system's confidentiality, integrity, and availability. An attacker with SYSTEM-level privileges can perform any action on the machine, including installing malware, stealing sensitive data, and creating new user accounts with administrative rights.

Affected Systems and Mitigation

This vulnerability impacts a wide range of Microsoft Windows versions, including Windows 10 and Windows 11. Microsoft has addressed this security flaw as part of its July 2025 Patch Tuesday updates. Users and system administrators are strongly urged to apply these security updates immediately to protect their systems.

At present, there are no known public exploits for CVE-2025-49675, and there is no indication that it is being actively exploited by malware. However, given the severity of the vulnerability, it is a prime target for attackers.

Proactive Security Measures

Beyond applying the latest security patches, users and organizations can take further steps to enhance their security posture:

  • Enforce the Principle of Least Privilege: Restrict user and application permissions to the minimum necessary for their functions. This can limit the damage an attacker can do if they gain initial access.
  • Regularly Audit and Monitor Systems: Proactively conduct security audits and vulnerability assessments to identify and address potential weaknesses.
  • Educate Users: Train users to recognize and avoid security risks like phishing emails and suspicious software.