CVE-2025-21296
📋 TL;DR
This CVE describes a use-after-free vulnerability (CWE-416) in the Windows BranchCache service (short name PeerDistSvc) that allows a remote attacker to execute arbitrary code on an affected host. The attacker sends specially crafted requests to a host with BranchCache enabled, either a peer in distributed cache mode or a hosted cache server. Systems running the listed Windows versions with BranchCache enabled are vulnerable; BranchCache is present on these SKUs but is not enabled until it is turned on by Group Policy, netsh or PowerShell, so the service state on each host decides whether it is actually exposed.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution inside the BranchCache service process on the target, leading to full host compromise, data theft, ransomware deployment, and persistent backdoor installation across the network.
Likely Case
Initial foothold for lateral movement within enterprise networks, leading to credential harvesting and privilege escalation attacks.
If Mitigated
Limited impact due to network segmentation, proper access controls, and disabled BranchCache service on non-essential systems.
🎯 Exploit Status
Requires network reachability to a host with BranchCache enabled. In distributed cache mode peers find each other with WS-Discovery on UDP 3702 and serve content over HTTP on TCP 80; hosted cache servers listen on TCP 443. BranchCache does not use TCP 3702. No authentication is needed to reach the vulnerable code path if that traffic is exposed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply latest Windows security updates from Microsoft (specific KB numbers in advisory)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21296
Restart Required: Yes
Instructions:
1. Run Windows Update (or deploy the cumulative update for your build through WSUS, Intune or Configuration Manager).
2. Confirm the update listed in the advisory for your Windows version is the one that installed.
3. Restart the system; the fix is not active until the reboot completes.
🔧 Temporary Workarounds
Disable BranchCache Service
Windows: disable the BranchCache service (short name PeerDistSvc) if it is not required for business operations. Also turn BranchCache itself off with netsh branchcache reset (or Disable-BC in PowerShell) so the feature, not just the service, is disabled.
sc stop PeerDistSvc
sc config PeerDistSvc start= disabled
Block BranchCache Ports
Windows: BranchCache does not use TCP 3702 or 3703. Peer discovery in distributed cache mode uses WS-Discovery on UDP 3702, content retrieval uses HTTP on TCP 80, and hosted cache traffic uses TCP 443. The cleanest host-side block is to disable Windows' own predefined BranchCache allow rules; add an explicit block for UDP 3702 where the inbound default is not Block. Do not blindly block TCP 80 inbound, which would also cut off any web server on the host.
netsh advfirewall firewall set rule group="BranchCache - Peer Discovery (Uses WSD)" new enable=no
netsh advfirewall firewall set rule group="BranchCache - Content Retrieval (Uses HTTP)" new enable=no
netsh advfirewall firewall add rule name="Block BranchCache WS-Discovery" dir=in action=block protocol=UDP localport=3702
🧯 If You Can't Patch
- Disable BranchCache service on all affected systems
- Implement network segmentation to isolate BranchCache servers and restrict access to trusted hosts only
🔍 How to Verify
Check if Vulnerable:
Check whether the BranchCache service exists and is running: sc query PeerDistSvc | findstr "STATE"
Check whether BranchCache is actually enabled and in which mode: netsh branchcache show status all (or Get-BCStatus in PowerShell)
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" (compare the build number with the fixed build listed in the advisory for that version)
Verify Fix Applied:
Confirm the cumulative update for your build is installed: Get-HotFix -Id KB<number from advisory> in PowerShell (wmic qfe list | findstr "KB" still works, but wmic is deprecated). The KB number comes from the vendor advisory and is not listed on this page.
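As an added example (not code from the original page or from Microsoft), the PowerShell script below combines the verification steps above with the workarounds from the previous section: it reports whether a host is exposed and can apply the service and firewall changes, with -WhatIf available to preview them. The fixed build numbers are not known to the script and must be passed in from the MSRC advisory; the hashtable shape, the function names and the 'Exposed' rule are this example's own assumptions, while the firewall rule group names are Windows' predefined BranchCache groups.

```powershell
#Requires -RunAsAdministrator
# Added example, not Microsoft's code. Assess BranchCache exposure on the local host
# and optionally apply the workarounds from the page (disable service, cut firewall allows).

function Get-BranchCacheExposure {
    [CmdletBinding()]
    param(
        # Assumption: caller supplies fixed builds from the advisory as
        # @{ '<CurrentBuild>' = <minimum UBR> }. The script ships no real numbers.
        [hashtable]$PatchedUbrByBuild = @{}
    )

    $svc   = Get-Service -Name PeerDistSvc -ErrorAction SilentlyContinue
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # Get-BCStatus ships with the BranchCache module; fall back to service state
    # alone on SKUs where the module is not present.
    $bc = $null
    if (Get-Command Get-BCStatus -ErrorAction SilentlyContinue) {
        $bc = Get-BCStatus -ErrorAction SilentlyContinue
    }

    $patched = $null                      # $null = build not in the supplied table
    if ($PatchedUbrByBuild.ContainsKey($build)) {
        $patched = ($ubr -ge [int]$PatchedUbrByBuild[$build])
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSBuild            = "$build.$ubr"
        PatchedPerAdvisory = $patched
        ServicePresent     = [bool]$svc
        ServiceStatus      = if ($svc) { [string]$svc.Status }    else { 'Absent' }
        ServiceStartType   = if ($svc) { [string]$svc.StartType } else { 'Absent' }
        BranchCacheEnabled = if ($bc)  { [bool]$bc.BranchCacheIsEnabled } else { $null }
        ClientMode         = if ($bc)  { [string]$bc.ClientConfiguration.CurrentClientMode } else { $null }
        # Example's own rule: exposed if the service can still start and the host
        # is not known (from the supplied table) to carry the fix.
        Exposed            = ([bool]$svc -and $svc.StartType -ne 'Disabled' -and $patched -ne $true)
    }
}

function Invoke-BranchCacheWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$BlockDiscoveryPort)

    # 1. Turn the feature off, then stop and disable its service.
    if (Get-Command Disable-BC -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('BranchCache', 'Disable-BC')) { Disable-BC }
    }
    if ($PSCmdlet.ShouldProcess('PeerDistSvc', 'Stop and disable service')) {
        Stop-Service -Name PeerDistSvc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name PeerDistSvc -StartupType Disabled
    }

    # 2. Disable Windows' predefined BranchCache inbound allow rules. With the
    #    default inbound policy of Block this is enough, and it leaves IIS or any
    #    other TCP 80 listener on the host untouched.
    Get-NetFirewallRule -DisplayGroup 'BranchCache*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Disable-NetFirewallRule')) {
                $_ | Disable-NetFirewallRule
            }
        }

    # 3. Optional explicit block for WS-Discovery (UDP 3702), the port distributed
    #    cache mode peers use to find each other.
    if ($BlockDiscoveryPort -and $PSCmdlet.ShouldProcess('UDP 3702', 'New-NetFirewallRule Block')) {
        New-NetFirewallRule -DisplayName 'Block BranchCache WS-Discovery (CVE-2025-21296 workaround)' `
            -Direction Inbound -Action Block -Protocol UDP -LocalPort 3702 | Out-Null
    }
}

# Usage (replace 0 with the UBR the advisory lists for build 19045; 0 is a placeholder):
#   Get-BranchCacheExposure -PatchedUbrByBuild @{ '19045' = 0 }
#   Invoke-BranchCacheWorkaround -BlockDiscoveryPort -WhatIf
```

Run the exposure check across the fleet first (for example with Invoke-Command) and only apply the workaround where BranchCacheEnabled is true or the service is not disabled; a host that reports PatchedPerAdvisory as $null simply has a build that was not in the table you supplied, not a host that is safe.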
📡 Detection & Monitoring
Log Indicators:
- Application log Event ID 1000 (Application Error) where the faulting process is svchost.exe and the faulting module is a BranchCache DLL (peerdist*.dll)
- System log Event ID 7031 or 7034 (Service Control Manager) reporting that the BranchCache service terminated unexpectedly; a failed attempt against a use-after-free usually shows up as a crash before it shows up as anything else
- Security log Event ID 4625 is not a useful indicator here: BranchCache peer traffic is unauthenticated, so exploitation does not produce failed logons
Network Indicators:
- WS-Discovery probes on UDP 3702 from hosts that are not known BranchCache peers, or from outside the local subnet
- HTTP requests on TCP 80 to the BranchCache content retrieval namespace from unexpected sources, or malformed and oversized requests to that path
- Repeated connections to a hosted cache server on TCP 443 from a single source, especially when they line up in time with service restarts
SIEM Query:
source="windows" AND ((event_id=1000 AND process_name="svchost.exe" AND faulting_module="peerdist*") OR (event_id IN (7031, 7034) AND service_name="BranchCache"))
(field names are illustrative; map them onto your SIEM's Windows event schema)
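As an added example (not part of the original page), the PowerShell below implements the log indicators above against the Windows event logs. Selection is separated from collection so the matching logic can be exercised on constructed records; the sample records at the bottom are made up for the example and are not real telemetry, and the function names are this example's own.

```powershell
# Added example, not from the original page. Pick BranchCache crash indicators out of
# Application (Id 1000) and System (Id 7031/7034) log records.

function Select-BranchCacheCrashEvent {
    [CmdletBinding()]
    param(
        # Objects carrying LogName, Id, TimeCreated and Message. Get-WinEvent records
        # have these properties; the constructed samples below mimic them.
        [Parameter(ValueFromPipeline)] [object[]]$Event
    )
    process {
        foreach ($e in $Event) {
            $kind = $null
            # Application 1000: user-mode fault. The service runs inside svchost.exe, so
            # the faulting module (a peerdist* DLL), not the process name, identifies it.
            if ($e.LogName -eq 'Application' -and $e.Id -eq 1000 -and
                $e.Message -match 'Faulting module (name|path):\s*\S*peerdist\w*\.dll') {
                $kind = 'AppCrash'
            }
            # System 7031/7034: Service Control Manager saw the service stop unexpectedly.
            elseif ($e.LogName -eq 'System' -and ($e.Id -eq 7034 -or $e.Id -eq 7031) -and
                    $e.Message -match 'BranchCache|PeerDistSvc') {
                $kind = 'ServiceTerminated'
            }
            if ($kind) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated
                    LogName     = $e.LogName
                    Id          = $e.Id
                    Indicator   = $kind
                    Message     = ($e.Message -split "`n")[0]
                }
            }
        }
    }
}

function Get-BranchCacheCrashEvent {
    # Live collection: last N days from the local host or a remote one.
    param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Application'; Id = 1000;       StartTime = $since },
        @{ LogName = 'System';      Id = 7031, 7034; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-BranchCacheCrashEvent
    }
}

# Constructed sample records (not real telemetry) showing what the selector keeps:
$samples = @(
    [pscustomobject]@{ LogName = 'Application'; Id = 1000; TimeCreated = (Get-Date)
        Message = "Faulting application name: svchost.exe`nFaulting module name: peerdistsvc.dll, version: 10.0.19041.1" }
    [pscustomobject]@{ LogName = 'System'; Id = 7034; TimeCreated = (Get-Date)
        Message = "The BranchCache service terminated unexpectedly.  It has done this 1 time(s)." }
    [pscustomobject]@{ LogName = 'Application'; Id = 1000; TimeCreated = (Get-Date)
        Message = "Faulting application name: notepad.exe`nFaulting module name: ntdll.dll" }
    [pscustomobject]@{ LogName = 'Security'; Id = 4625; TimeCreated = (Get-Date)
        Message = "An account failed to log on." }   # deliberately not a BranchCache indicator
)
$samples | Select-BranchCacheCrashEvent | Format-Table -AutoSize
```

Of the four constructed records only the svchost.exe crash with a peerdist DLL and the 7034 service termination come back; the unrelated application crash and the failed-logon event are dropped, which is the point the detection section makes about Event ID 4625. Pair Get-BranchCacheCrashEvent with the network indicators above: a crash on a host that received WS-Discovery or HTTP traffic from an unexpected source shortly beforehand is the correlation worth escalating.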