CVE-2025-21224 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-21224?

CVE-2025-21224 has a CVSS score of 8.1 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Line Printer Daemon (LPD) service. Attackers can exploit this use-after-free vulnerability (CWE-416) to gain SYSTEM privileges on affected systems. All Windows systems with LPD service enabled are potentially vulnerable.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running the Line Printer Daemon (LPD) service. Attackers can exploit this use-after-free vulnerability (CWE-416) to gain SYSTEM privileges on affected systems. All Windows systems with LPD service enabled are potentially vulnerable.

💻 Affected Systems

Products:

Windows Line Printer Daemon Service

Versions: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11

Operating Systems: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if LPD service is enabled and running. LPD is not enabled by default on most Windows installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the affected system, data theft, lateral movement, and persistence establishment.

🟠

Likely Case

Remote code execution leading to malware deployment, ransomware installation, or credential harvesting from the compromised system.

🟢

If Mitigated

Limited impact due to network segmentation, LPD service disabled, or proper patch management preventing exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires network access to LPD service port (typically TCP 515). No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Windows Security Update from February 2025 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21224

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates from Windows Update. 2. For enterprise environments, deploy patches via WSUS or SCCM. 3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable LPD Service

Windows

Disable the Line Printer Daemon service if not required for business operations

sc config lpdsvc start= disabled
sc stop lpdsvc

Block LPD Port

Windows

Block TCP port 515 at network perimeter and internal firewalls

netsh advfirewall firewall add rule name="Block LPD" dir=in action=block protocol=TCP localport=515

🧯 If You Can't Patch

Disable LPD service immediately on all affected systems
Implement strict network segmentation to isolate systems with LPD service from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check if LPD service is running: sc query lpdsvc | findstr "RUNNING"

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains February 2025 security updates and LPD service is either disabled or patched

📡 Detection & Monitoring

Log Indicators:

Unexpected LPD service restarts
Security event logs showing process creation from LPD service
Application logs showing LPD service errors

Network Indicators:

Unusual traffic to TCP port 515
Network connections from unexpected sources to LPD port

SIEM Query:

source="windows" AND (event_id=4688 OR event_id=7045) AND process_name="*lpdsvc*"

📊 Metadata

CVE ID: CVE-2025-21224

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 1.34% exploit probability (79.7th percentile)

Published: January 14, 2025

Last Updated: May 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-21224, you might also want to check these: