Login Sign Up

CVE-2025-24995

7.8 HIGH

📋 TL;DR

CVE-2025-24995 is a heap-based buffer overflow vulnerability in the Kernel Streaming WOW Thunk Service Driver that allows authenticated attackers to execute arbitrary code with elevated SYSTEM privileges. This affects Windows systems where an attacker already has local access. The vulnerability enables privilege escalation from a lower-privileged user account to full system control.

💻 Affected Systems

Products:
  • Windows Kernel Streaming WOW Thunk Service Driver
Versions: Specific Windows versions as detailed in Microsoft's advisory
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with the vulnerable driver loaded. The driver is typically present on systems supporting audio/video streaming applications.

📦 What is this software?

Windows 10 1507 by Microsoft

View all CVEs affecting Windows 10 1507 →

Windows 10 1507 by Microsoft

View all CVEs affecting Windows 10 1507 →

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 21h2 by Microsoft

View all CVEs affecting Windows 10 21h2 →

Windows 10 22h2 by Microsoft

View all CVEs affecting Windows 10 22h2 →

Windows 11 22h2 by Microsoft

View all CVEs affecting Windows 11 22h2 →

Windows 11 23h2 by Microsoft

View all CVEs affecting Windows 11 23h2 →

Windows 11 24h2 by Microsoft

View all CVEs affecting Windows 11 24h2 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

Windows Server 2022 by Microsoft

View all CVEs affecting Windows Server 2022 →

Windows Server 2022 23h2 by Microsoft

View all CVEs affecting Windows Server 2022 23h2 →

Windows Server 2025 by Microsoft

View all CVEs affecting Windows Server 2025 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data destruction.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install additional malware, and maintain persistence on compromised systems.

🟢

If Mitigated

Limited impact if proper patch management and least privilege principles are enforced, with attackers unable to gain initial access or execute code.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.
🏢 Internal Only: HIGH - Once an attacker gains initial access through phishing, malware, or other means, they can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local authenticated access and knowledge of driver internals. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft's monthly security updates for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24995

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft. 2. Use Windows Update or WSUS to deploy patches. 3. Restart affected systems to complete installation.

🔧 Temporary Workarounds

Disable vulnerable driver

Windows

Disable or remove the Kernel Streaming WOW Thunk Service Driver if not required

sc stop ks
sc config ks start= disabled

🧯 If You Can't Patch

  • Implement strict least privilege principles to limit initial access
  • Monitor for suspicious driver loading and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check system for presence of vulnerable driver version using driver query tools or PowerShell

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains the relevant security update and driver version is updated

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4697: Service installation
  • Suspicious driver loading events
  • Privilege escalation attempts

Network Indicators:

  • None - local exploitation only

SIEM Query:

EventID=4697 AND (ServiceName="ks" OR ServiceName contains "Kernel Streaming")

📊 Metadata

CVE ID: CVE-2025-24995
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-122
EPSS Score: 0.27% exploit probability (50.2th percentile)
Published: March 11, 2025
Last Updated: July 3, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24995, you might also want to check these:

CVE-2021-21940 10.0

A heap-based buffer overflow vulnerability in Anker Eufy Homebase 2's RTSP handling allows remote co...

Same vulnerability type (CWE-122)
CVE-2023-45318 10.0

This critical vulnerability allows remote attackers to execute arbitrary code on systems running Wes...

Same vulnerability type (CWE-122)
CVE-2025-23123 10.0

A heap buffer overflow vulnerability in UniFi Protect Camera firmware allows remote code execution. ...

Same vulnerability type (CWE-122)