CVE-2025-21307
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected Windows systems by exploiting a use-after-free bug in the Reliable Multicast Transport driver. Attackers can gain SYSTEM privileges without user interaction. All Windows systems with the vulnerable driver enabled are affected.
💻 Affected Systems
- Windows Reliable Multicast Transport Driver (RMCAST.sys)
📦 What is this software?
- Windows 10 1507 by Microsoft
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 22H2 by Microsoft
- Windows 11 23H2 by Microsoft
- Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges leading to complete data theft, ransomware deployment, or persistent backdoor installation across the network.
Likely Case
Initial foothold for lateral movement within enterprise networks, credential harvesting, and deployment of additional malware payloads.
If Mitigated
Limited impact due to network segmentation, strict firewall rules blocking multicast traffic, and endpoint protection blocking exploit attempts.
🎯 Exploit Status
CVSS 9.8 indicates critical severity with low attack complexity and no authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21307
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft
2. Restart the system to complete the installation
3. Verify the patch is applied using Windows Update history
🔧 Temporary Workarounds
Disable RMCAST driver
Windows: Disable the Reliable Multicast Transport driver to prevent exploitation
sc config rmcast start= disabled
sc stop rmcast
Block multicast traffic at firewall
All platforms: Configure network firewalls to block multicast traffic (224.0.0.0/4)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems
- Deploy endpoint detection and response (EDR) solutions with behavioral blocking
🔍 How to Verify
Check if Vulnerable:
Check if RMCAST driver is running: sc query rmcast
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains the relevant security update KB
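The workaround (disable and stop RMCAST) and the three verification checks above can be run as one audited step. The script below is an added example written for this advisory, not Microsoft tooling; it assumes the service name is RMCAST (as in the sc commands above) and that the KB number is taken from the MSRC advisory rather than hard-coded. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not part of the advisory): audit the RMCAST driver, apply the
# "disable RMCAST" workaround, and confirm a fix KB is installed.
# Assumptions: service name 'RMCAST'; KB number supplied by the operator from
# the MSRC advisory (no KB is hard-coded here).

function Get-RmcastStatus {
    # Win32_SystemDriver lists kernel-mode drivers with their SCM start mode;
    # Get-Service does not return drivers on every PowerShell version.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSCaption    = $os.Caption          # same data as: systeminfo | findstr "OS Name"
        OSVersion    = $os.Version          # same data as: systeminfo | findstr "OS Version"
        DriverFound  = [bool]$drv
        State        = if ($drv) { $drv.State }     else { 'NotInstalled' }
        StartMode    = if ($drv) { $drv.StartMode } else { 'n/a' }
        # Exposed = driver present and not disabled. 'Running' means it is loaded
        # right now; 'Manual' means it can still be loaded on demand.
        Exposed      = [bool]($drv -and $drv.StartMode -ne 'Disabled')
    }
}

function Disable-Rmcast {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-RmcastStatus
    if (-not $before.DriverFound) {
        Write-Warning 'RMCAST is not installed on this host; nothing to disable.'
        return $before
    }
    if ($PSCmdlet.ShouldProcess('RMCAST', 'set start type to Disabled and stop the driver')) {
        # Same two steps as the advisory's workaround, with exit-code checks.
        & sc.exe config RMCAST start= disabled | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc config failed with exit code $LASTEXITCODE" }
        if ($before.State -eq 'Running') {
            & sc.exe stop RMCAST | Out-Null
            # Win32 error 1062 = service not started; treat it as already stopped.
            if ($LASTEXITCODE -notin 0, 1062) { throw "sc stop failed with exit code $LASTEXITCODE" }
        }
    }
    Get-RmcastStatus
}

function Test-RmcastPatch {
    param(
        # KB article number(s) listed for this host's build in the MSRC advisory,
        # e.g. 'KB<number-from-advisory>' (placeholder).
        [Parameter(Mandatory)][string[]]$KB
    )
    # Get-HotFix reflects the same installed-update list as Windows Update history.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($k in $KB) {
        [pscustomobject]@{ KB = $k; Installed = ($installed -contains $k) }
    }
}

# Usage (constructed):
# Get-RmcastStatus
# Disable-Rmcast -WhatIf          # preview only
# Disable-Rmcast                  # apply the workaround
# Test-RmcastPatch -KB 'KB<number-from-advisory>'
```

Treat `Exposed` as the triage field: a host with the driver present but `Disabled` is covered by the workaround, a host reporting `Running` is the one to patch or isolate first. `Disable-Rmcast` supports `-WhatIf`, so the change can be reviewed before it is pushed fleet-wide.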
📡 Detection & Monitoring
Log Indicators:
- Event ID 7036 (Service Control Manager): RMCAST service entered the stopped state unexpectedly
- Crash dumps from RMCAST.sys
- Unusual network connections to multicast addresses
Network Indicators:
- Unexpected multicast traffic (224.0.0.0/4) from internal hosts
- Anomalous SMB or RPC traffic following multicast activity
SIEM Query:
source="windows" AND ((event_id=7036 AND service_name="rmcast") OR (process_name="rmcast.sys" AND event_id=1000))
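For a single host that is not yet forwarding to a SIEM, the same three log and network indicators can be hunted locally. The script below is an added example, not part of the advisory or any Microsoft tooling; it assumes the RMCAST display name contains "Reliable Multicast" (SCM 7036 messages use the display name) and that crash dumps are in the default %SystemRoot%\Minidump location.

```powershell
# Added example (not part of the advisory): hunt for the advisory's host-side
# indicators on one machine. Assumptions: RMCAST display name contains
# 'Reliable Multicast'; dumps are under %SystemRoot%\Minidump.

function Find-RmcastStopEvents {
    param([int]$Days = 7)
    # Service Control Manager 7036 = "The <display name> service entered the <state> state."
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Reliable Multicast|RMCAST' -and $_.Message -match 'stopped' } |
        Select-Object TimeCreated, Id, MachineName, Message
}

function Find-RecentKernelCrashes {
    param([int]$Days = 7)
    # Event 1001 ("BugCheck") is written after a reboot that followed a kernel
    # crash, and the dump lands in Minidump. Attributing a dump to RMCAST.sys
    # requires opening it in a debugger; this only surfaces candidates for that step.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'bugcheck' } |
        Select-Object TimeCreated, Message
    $dumps = Get-ChildItem -Path (Join-Path $env:SystemRoot 'Minidump') -Filter '*.dmp' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
    [pscustomobject]@{ BugCheckEvents = @($events); DumpFiles = @($dumps) }
}

function Get-JoinedMulticastGroups {
    # Lists IPv4 multicast groups (224.0.0.0/4) this host has joined. Entries
    # outside the usual all-hosts / mDNS / SSDP groups are the advisory's
    # "unexpected multicast traffic from internal hosts" signal.
    $wellKnown = '224.0.0.1', '224.0.0.251', '239.255.255.250'
    & netsh.exe interface ipv4 show joins |
        ForEach-Object {
            # The address is the last column of each "show joins" row.
            if ($_ -match '\b((?:22[4-9]|23\d)\.\d{1,3}\.\d{1,3}\.\d{1,3})\s*$') { $Matches[1] }
        } |
        Sort-Object -Unique |
        ForEach-Object { [pscustomobject]@{ Group = $_; WellKnown = ($_ -in $wellKnown) } }
}

# Usage (constructed):
# Find-RmcastStopEvents -Days 14
# Find-RecentKernelCrashes
# Get-JoinedMulticastGroups | Where-Object { -not $_.WellKnown }
```

A 7036 "stopped" event for RMCAST on a host where nobody ran the workaround, especially one followed by a BugCheck 1001 and a fresh minidump, is the combination worth escalating; a single 7036 on its own is often just the driver unloading after its last PGM socket closed.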