CVE-2025-21352
📋 TL;DR
This vulnerability in Internet Connection Sharing (ICS) allows attackers to cause a denial of service condition by sending specially crafted network packets. It affects Windows systems with ICS enabled, potentially disrupting network connectivity for affected devices.
💻 Affected Systems
- Windows Internet Connection Sharing
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 22h2 by Microsoft
Windows 11 23h2 by Microsoft
Windows 11 24h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of network connectivity on the affected system, potentially affecting all devices sharing the connection through ICS.
Likely Case
Temporary network disruption requiring system reboot to restore connectivity.
If Mitigated
Minimal impact if ICS is disabled or systems are properly segmented.
🎯 Exploit Status
Exploitation requires network access to the ICS service port (typically 67/68 for DHCP or ICS-specific ports).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: To be determined from Microsoft's monthly security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21352
Restart Required: Yes
Instructions:
1. Apply latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify ICS service is functioning normally.
🔧 Temporary Workarounds
Disable Internet Connection Sharing
Turn off ICS feature to eliminate the vulnerability surface.
netsh routing ip nat set global state=disabled
sc config SharedAccess start= disabled
sc stop SharedAccess
Network Segmentation
Restrict network access to ICS service ports using firewall rules.
netsh advfirewall firewall add rule name="Block ICS Ports" dir=in action=block protocol=TCP localport=67,68,5355,5358
netsh advfirewall firewall add rule name="Block ICS Ports UDP" dir=in action=block protocol=UDP localport=67,68,5355,5358
🧯 If You Can't Patch
- Disable Internet Connection Sharing on all affected systems
- Implement strict network segmentation and firewall rules to block access to ICS service ports from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check if ICS service is running: sc query SharedAccess | findstr "RUNNING"
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains the relevant security patch and ICS service remains stable under network load.
📡 Detection & Monitoring
Log Indicators:
- Event ID 10016 from DCOM in System logs
- ICS service crashes in Application logs
- Unusual network traffic to port 67/68/5355/5358
Network Indicators:
- Flood of malformed packets to ICS service ports
- Sudden drop in network connectivity from ICS host
SIEM Query:
source="windows" (event_id=10016 AND source_name="DCOM") OR (service_name="SharedAccess" AND event_id=7034)
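The verification and detection steps above can be run together on a single host. The following PowerShell triage script is an added example, not vendor or advisory code. It assumes Windows PowerShell 5.1 or later, an English service display name in the event text, a 7-day review window, and the firewall rule names created by the workaround commands on this page.

```powershell
# Added example: local triage for the ICS exposure and crash indicators on this page.
# Assumptions: PowerShell 5.1+, English event text, rule names as created by the
# "Network Segmentation" workaround above.
$lookbackDays = 7   # assumed review window, adjust as needed

# 1. Exposure: is the SharedAccess (ICS) service running, or still able to start?
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if (-not $svc) {
    $exposure = 'SharedAccess service not found'
} elseif ($svc.Status -eq 'Running') {
    $exposure = 'ICS service RUNNING: exposed until patched or disabled'
} elseif ($svc.StartType -ne 'Disabled') {
    $exposure = "ICS service stopped, start type $($svc.StartType): can still be started"
} else {
    $exposure = 'ICS service stopped and disabled'
}

# 2. Crash indicator: Service Control Manager event 7034 (unexpected termination)
#    whose message names the ICS service. Newest events are returned first.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7034
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}
$crashes = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Internet Connection Sharing|SharedAccess' })

# 3. Workaround check: are the block rules from this page present and enabled?
$rules = foreach ($name in 'Block ICS Ports', 'Block ICS Ports UDP') {
    $r = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Rule    = $name
        Present = [bool]$r
        Enabled = [bool]($r | Where-Object { $_.Enabled -eq 'True' })
    }
}

# Summary: one record per host, suitable for collecting across machines.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Exposure      = $exposure
    CrashCount    = $crashes.Count
    LastCrash     = ($crashes | Select-Object -First 1).TimeCreated
    FirewallRules = ($rules | ForEach-Object { "$($_.Rule): present=$($_.Present), enabled=$($_.Enabled)" }) -join '; '
} | Format-List
```

A host that reports the service running, a non-zero crash count, and no enabled block rules is the one to prioritise for patching or for the ICS workaround.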