CVE-2025-21347
📋 TL;DR
This vulnerability in Windows Deployment Services allows attackers to cause a denial of service by sending specially crafted packets to vulnerable servers. It affects organizations using Windows Deployment Services for network-based operating system installations. The vulnerability could disrupt deployment services and affect IT operations.
💻 Affected Systems
- Windows Deployment Services
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of Windows Deployment Services, preventing network-based OS installations and potentially affecting PXE boot services across the organization.
Likely Case
Temporary service interruption requiring service restart, delaying OS deployment operations and IT maintenance activities.
If Mitigated
Minimal impact with proper network segmentation and access controls limiting exposure to trusted internal networks only.
🎯 Exploit Status
The CVE is classified as CWE-59 (Improper Link Resolution Before File Access), which covers following a symbolic or other link before a file is accessed, so exploitation likely involves link or path manipulation in deployment service requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21347
Restart Required: Yes
Instructions:
1. Apply the latest Windows Server security updates from Microsoft
2. Restart affected servers after patch installation
3. Verify Windows Deployment Services are functioning correctly post-patch
🔧 Temporary Workarounds
Network Segmentation
Restrict access to Windows Deployment Services to only trusted management networks
Configure firewall rules to limit WDS traffic to specific source IP ranges
Service Disablement
Temporarily disable Windows Deployment Services if not actively needed
sc config WDSServer start= disabled
net stop WDSServer
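The two workarounds above combined into one PowerShell script. This is an added example, not part of the original advisory. It assumes two placeholder CIDR ranges for the networks that legitimately reach the WDS server (replace them with your own management and client-imaging subnets) and uses the port list given on this page; it disables any broader inbound allow rule for those ports, replaces it with a source-scoped allow rule, and only stops and disables WDSServer when -DisableService is passed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): scope inbound WDS traffic to trusted
# networks and, optionally, stop and disable the WDSServer service.
param(
    # Placeholder CIDR ranges; replace with the management and client-imaging
    # networks that legitimately talk to this WDS server.
    [string[]]$TrustedNetworks = @('10.0.10.0/24', '10.0.20.0/24'),
    [switch]$DisableService
)

# Ports this advisory lists for WDS (PXE/DHCP, PXE proxy, RPC endpoint mapper, WDS RPC).
$wdsPorts = @(
    @{ Protocol = 'UDP'; LocalPort = @('67', '4011') },
    @{ Protocol = 'TCP'; LocalPort = @('135', '5040') }
)

foreach ($p in $wdsPorts) {
    $name = "WDS-Mgmt-Allow-$($p.Protocol)"

    # Windows Firewall blocks inbound traffic by default and a Block rule always
    # wins over an Allow rule, so segmentation is done by disabling any broader
    # inbound Allow rule for these ports and replacing it with a scoped Allow.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.DisplayName -ne $name } |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq $p.Protocol -and
            ($pf.LocalPort | Where-Object { $p.LocalPort -contains $_ })
        } |
        ForEach-Object {
            Write-Host "Disabling broader rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }

    # Re-create the scoped rule so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
        -Protocol $p.Protocol -LocalPort $p.LocalPort -RemoteAddress $TrustedNetworks `
        -Profile Domain, Private | Out-Null
}

if ($DisableService) {
    # Same effect as the advisory's 'net stop' / 'sc config ... start= disabled'.
    Stop-Service -Name WDSServer -Force
    Set-Service -Name WDSServer -StartupType Disabled
}

# Show what is now in force.
Get-NetFirewallRule -DisplayName 'WDS-Mgmt-Allow-*' |
    Format-Table DisplayName, Enabled, Action,
        @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
```

Two things to check before running this on a production server: TCP 135 is the RPC endpoint mapper shared with many other services, so review the "Disabling broader rule" lines the script prints, and make sure every subnet from which machines PXE-boot is in $TrustedNetworks, otherwise the segmentation itself will stop deployments.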
🧯 If You Can't Patch
- Implement strict network access controls to limit WDS traffic to authorized management systems only
- Monitor WDS service logs for unusual activity and implement alerting for service restarts
🔍 How to Verify
Check if Vulnerable:
Check whether the Windows Deployment Services role is installed and the WDSServer service is enabled on Windows Server systems (the role only exists on Server SKUs)
Check Version:
Get-WindowsFeature -Name WDS, WDS-Deployment, WDS-Transport | Select-Object Name, InstallState
Verify Fix Applied:
Verify the security update KB number is installed via 'wmic qfe list' or the 'Get-HotFix' PowerShell cmdlet
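The whole verification procedure above as one PowerShell script, added here as an example that is not part of the original advisory. It assumes a placeholder KB number (the real one comes from the MSRC advisory linked above for your OS build), checks the role, the service, the OS build and the hotfix, and reports a single Exposed flag.

```powershell
# Added example (not from the advisory): does this host expose WDS, and is the
# security update for this CVE installed?
param(
    # Placeholder: substitute the KB number from the MSRC advisory for this OS build.
    [string]$FixKB = 'KBNNNNNNN'
)

$result = [ordered]@{}

# 1. Is the WDS role installed? Get-WindowsFeature comes from the ServerManager
#    module, which only exists on Windows Server; client SKUs cannot host the role.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $wds = Get-WindowsFeature -Name WDS, WDS-Deployment, WDS-Transport
    $result.RoleInstalled = [bool]($wds | Where-Object Installed)
    $result.RoleDetail    = ($wds | ForEach-Object { "$($_.Name)=$($_.InstallState)" }) -join '; '
} else {
    $result.RoleInstalled = $false
    $result.RoleDetail    = 'ServerManager module not available (client OS)'
}

# 2. Is the WDSServer service present, and how is it configured to start?
$svc = Get-Service -Name WDSServer -ErrorAction SilentlyContinue
$result.ServiceStatus = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not installed' }

# 3. OS build, to map this host against the affected-version list and pick the right KB.
$os = Get-CimInstance Win32_OperatingSystem
$result.OSBuild = "$($os.Caption) $($os.Version)"

# 4. Is the fix installed? Get-HotFix reads the same data as 'wmic qfe list'.
$hotfix = Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue
$result.FixInstalled = [bool]$hotfix
if ($hotfix) { $result.FixInstalledOn = $hotfix.InstalledOn }

# A host is still exposed only if it actually serves WDS and lacks the update.
$result.Exposed = $result.RoleInstalled -and -not $result.FixInstalled
[pscustomobject]$result | Format-List
```

Run it with -FixKB set to the KB that applies to the build shown in OSBuild; a host reporting RoleInstalled=False is out of scope for this CVE even if its build is in the affected list.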
📡 Detection & Monitoring
Log Indicators:
- Unexpected Windows Deployment Service restarts
- Failed deployment requests with unusual paths or parameters
- Event ID 256 from WDSServer source in Windows Event Logs
Network Indicators:
- Unusual traffic patterns to WDS ports (default UDP 67, 4011; TCP 135, 5040)
- Connection attempts from unauthorized source IPs to WDS services
SIEM Query:
source="WinEventLog:Application" AND (EventID=256 OR source_name="WDSServer") AND (keywords="Audit Failure" OR level="Error")
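The log indicators above as a local triage script, added here as an example that is not part of the original advisory. It runs on the WDS server itself, reads the Application log for the WDSServer provider (errors, warnings and the Event ID 256 named on this page) and the System log for Service Control Manager events 7036 (service state change) and 7034 (service terminated unexpectedly) that mention Windows Deployment Services; the 24-hour window is an assumed default.

```powershell
# Added example (not from the advisory): pull the WDS log indicators from the
# local event logs. Run on the WDS server; -Hours sets the look-back window.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Errors/warnings from the WDSServer provider, plus Event ID 256 named on this page.
# Level: 1 = Critical, 2 = Error, 3 = Warning.
$wdsEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'WDSServer'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { ($_.Level -ge 1 -and $_.Level -le 3) -or $_.Id -eq 256 }

# Service restarts: the Service Control Manager logs 7036 on every state change.
$restarts = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7036
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Deployment Services*' }

# Unexpected stops (7034) are the stronger denial-of-service signal.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Deployment Services*' }

"WDSServer error/warning events  : $(@($wdsEvents).Count)"
"WDSServer state changes (7036)  : $(@($restarts).Count)"
"WDSServer unexpected stops (7034): $(@($crashes).Count)"

# @() wrapping keeps the concatenation working when a query returned nothing.
@($wdsEvents) + @($restarts) + @($crashes) |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

A 7034 for the WDS service following a burst of WDSServer errors is the pattern to alert on; a lone 7036 pair is usually a scheduled restart or patching and should be correlated with change records before escalating.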