CVE-2025-21418
📋 TL;DR
This vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys) allows attackers to gain SYSTEM-level privileges by exploiting a heap-based buffer overflow. It affects Windows systems running the vulnerable driver component. Attackers need local access to exploit this vulnerability.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
- Windows 10 1607 by Microsoft
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 22H2 by Microsoft
- Windows 11 23H2 by Microsoft
- Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and persistence mechanisms.
Likely Case
Privilege escalation from standard user to SYSTEM, allowing attackers to bypass security controls and execute arbitrary code.
If Mitigated
Limited impact due to proper access controls, but still enables privilege escalation within the compromised account's scope.
🎯 Exploit Status
Requires local access and user privileges. Exploitation involves triggering a heap-based buffer overflow in the AFD driver.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: February 2025 security updates (KB5034765 for Windows 10, KB5034766 for Windows 11, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418
Restart Required: Yes
Instructions:
1. Apply the February 2025 Windows security updates via Windows Update.
2. For enterprise environments, deploy the updates through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Restrict local access
Limit physical and remote access to vulnerable systems to trusted users only.
Enable Windows Defender Exploit Guard
Configure Exploit Guard to mitigate common exploitation techniques.
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles
- Monitor for suspicious privilege escalation attempts and driver-related activities
🔍 How to Verify
Check if Vulnerable:
Check whether the installed afd.sys driver version is vulnerable by comparing it to the patched versions listed in the Microsoft advisory.
Check Version:
wmic datafile where name='C:\\Windows\\System32\\drivers\\afd.sys' get version
Verify Fix Applied:
Verify that the February 2025 security updates are installed and that the afd.sys driver version matches the patched version.
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events
- Suspicious driver loading or modification
- Process creation with SYSTEM privileges from user accounts
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
EventID=4688 AND (NewProcessName contains 'cmd.exe' OR NewProcessName contains 'powershell.exe') AND SubjectUserName != 'SYSTEM' AND TokenElevationType != '%%1936'
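The verification steps above and the SIEM query can be combined into a single host-side check. The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling; it assumes the KB identifiers quoted on this page and that it is run in an elevated session on the host being checked.

```powershell
# Added example (not from the advisory): reports the afd.sys version, checks
# whether the KBs quoted on this page are installed, and lists recent 4688
# events that match the advisory's detection logic. Run elevated.
# KB IDs are taken from this page; substitute the KB for your exact build.
$KbCandidates = @('KB5034765', 'KB5034766')

function Get-AfdVersion {
    $afd = Join-Path $env:SystemRoot 'System32\drivers\afd.sys'
    (Get-Item $afd).VersionInfo.FileVersion
}

function Test-FixInstalled {
    param([string[]]$KbIds)
    $installed = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
    [pscustomobject]@{
        AfdVersion  = Get-AfdVersion
        KbInstalled = @($installed.HotFixID)
        Patched     = ($installed.Count -gt 0)
    }
}

# Mirrors the page's SIEM query: cmd.exe or powershell.exe started by a
# non-SYSTEM account with a token other than TokenElevationTypeDefault (%%1936).
function Get-SuspiciousShellLaunches {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.NewProcessName -match '\\(cmd|powershell)\.exe$' -and
            $d.SubjectUserName -ne 'SYSTEM' -and
            $d.TokenElevationType -ne '%%1936') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.NewProcessName
                Parent  = $d.ParentProcessName
                Token   = $d.TokenElevationType
            }
        }
    }
}

Test-FixInstalled -KbIds $KbCandidates | Format-List
Get-SuspiciousShellLaunches -Hours 24 | Format-Table -AutoSize
```

Event 4688 must have process-creation auditing enabled for the second function to return anything; the first function reports the file version so it can be compared against the patched version in the Microsoft advisory.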