CVE-2025-29971
📋 TL;DR
An out-of-bounds read in the Microsoft Web Threat Defense kernel driver (WTD.sys) lets an unauthenticated attacker cause a denial of service over the network. It affects Windows systems running a vulnerable version of the driver with Web Threat Defense enabled. No credentials are required; the outcome described is a crash of the affected host.
💻 Affected Systems
- Microsoft Defender for Endpoint
- Microsoft Security Software with Web Threat Defense
📦 What is this software?
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
Windows 11 24H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
A bug check (blue screen) of the affected host. Because WTD.sys runs in kernel mode, the out-of-bounds read is not contained to one process: the whole machine reboots, and an attacker who can re-trigger the read can hold it in a crash loop, giving extended downtime and possible loss of unsaved data or file-system damage from repeated unclean shutdowns.
Likely Case
Repeated host reboots and loss of Web Threat Defense coverage while the component is down or disabled, so web-based threats that it would normally block are not inspected until it is restored.
If Mitigated
Temporary service interruption that automatically recovers without data loss.
🎯 Exploit Status
No public exploit is referenced on this page. Out-of-bounds reads in kernel drivers most often end in a bug check (denial of service), which is the impact given for this CVE; the other common outcome of an out-of-bounds read, disclosure of adjacent kernel memory, is not claimed here, and turning such a bug into code execution would require chaining it with additional vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific patch versions
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29971
Restart Required: Yes
Instructions:
1. Open Windows Update settings
2. Check for updates
3. Install all available security updates
4. Restart system when prompted
5. Verify WTD.sys driver version after restart
🔧 Temporary Workarounds
Disable Web Threat Defense
Windows: temporarily disable the vulnerable component until patching can be completed. This removes web threat protection from the host, so treat it as a last resort and restore the original start type (note it with sc qc first) after patching. Run from an elevated prompt. The service name WTD is assumed; kernel drivers are often registered under a name that differs from the file name, so confirm it before changing anything. If sc stop fails because the driver is in use, the config change still prevents it from loading at the next reboot.
```cmd
rem confirm the driver's service name first; this page assumes it is "WTD"
sc query type= driver | findstr /i wtd
sc stop WTD
sc config WTD start= disabled
```
Network Segmentation
All platforms: restrict network access to systems running Web Threat Defense to trusted networks, since the read is triggered over the network.
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted networks only.
- Deploy additional monitoring and alerting for system crashes or WTD service failures.
🔍 How to Verify
Check if Vulnerable:
Confirm that WTD.sys is present and loaded, and compare its file version with the fixed build listed for your Windows version in the Microsoft advisory. WTD.sys may not appear in Win32_PnPSignedDriver, which only lists plug-and-play device drivers; the file's version resource and Win32_SystemDriver are the reliable sources. The path below assumes the standard drivers directory.
Check Version:
```powershell
Get-Item "$env:SystemRoot\System32\drivers\WTD.sys" | Select-Object -ExpandProperty VersionInfo | Select-Object FileName, FileVersion
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like '*\WTD.sys' } | Select-Object Name, State, StartMode, PathName
```
Verify Fix Applied:
Verify WTD.sys driver version matches patched version from Microsoft advisory and ensure system is not experiencing crashes.
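The check above, carried through as one script that can be run across a fleet: it reports whether WTD.sys is installed, whether it is currently loaded, which service name it is registered under (so you know what to pass to sc), and whether the file version is below the fixed build. This is an added example, not code from the Microsoft advisory or from Web Threat Defense itself; it assumes the driver lives in the standard drivers directory, and the fixed version is deliberately not hard-coded because it differs per Windows build and must be taken from the Security Update Guide entry.

```powershell
# Added example; not from the Microsoft advisory and not part of Web Threat Defense.
# Reports whether WTD.sys is installed, whether it is loaded, and whether its file
# version is below the fixed build you pass in from the Security Update Guide.
# ASSUMPTIONS: the driver is in the standard drivers directory; -PatchedVersion is
# whatever the advisory lists for this Windows build (deliberately not hard-coded).
param(
    [Parameter(Mandatory = $true)]
    [version]$PatchedVersion,
    [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\WTD.sys')
)

if (-not (Test-Path -LiteralPath $DriverPath)) {
    Write-Output "WTD.sys not found at $DriverPath; the Web Threat Defense driver is not installed on this host"
    return
}

# File version from the PE version resource. FileVersion is a free-text string that
# may carry a build annotation ("10.0.x.y (WinBuild...)"); FileVersionRaw is already
# a [version] where the host exposes it, otherwise take the first token and cast.
$vi  = (Get-Item -LiteralPath $DriverPath).VersionInfo
$ver = if ($vi.FileVersionRaw) { [version]$vi.FileVersionRaw } else { [version](($vi.FileVersion -split '\s+')[0]) }

# Load state comes from Win32_SystemDriver, which covers kernel-mode drivers that are
# not plug-and-play devices (and so may be missing from Win32_PnPSignedDriver).
# Matching on the path avoids assuming the driver's service name is "WTD".
$drv = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -like '*\WTD.sys' } |
       Select-Object -First 1

[pscustomobject]@{
    Host           = $env:COMPUTERNAME
    Path           = $DriverPath
    FileVersion    = $ver
    PatchedVersion = $PatchedVersion
    ServiceName    = if ($drv) { $drv.Name } else { $null }
    Loaded         = [bool]($drv -and $drv.State -eq 'Running')
    Vulnerable     = ($ver -lt $PatchedVersion)
}
```

Save it as a .ps1 and run it with -PatchedVersion set to the fixed file version from the advisory; a host with Vulnerable = True and Loaded = True is exposed, and ServiceName is the value to use in place of WTD in the workaround commands if it differs.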
📡 Detection & Monitoring
Log Indicators:
- System log: Event ID 1001 from source BugCheck ("The computer has rebooted from a bugcheck"), together with Event ID 41 from Kernel-Power and Event ID 6008 from EventLog at the same time, which mark a crash and unclean reboot
- Service Control Manager Event ID 7034 for Web Threat Defense related services terminating unexpectedly
- New files in %SystemRoot%\Minidump or a fresh %SystemRoot%\MEMORY.DMP; only dump analysis shows whether WTD.sys was the faulting module
Network Indicators:
- The advisory gives no port or packet signature for the trigger, so correlate each crash with the traffic that immediately preceded it (flow, firewall or proxy logs) rather than watching for a fixed "WTD service port"
- Several hosts crashing shortly after contact with the same remote address
SIEM Query:
The form EventID=1000 OR EventID=1001 AND SourceName='WTD' OR ProcessName='WTD.sys' does not do what it looks like: AND binds tighter than OR, so it returns every Event ID 1000 on the estate, and 1000/1001 from Application Error describe user-mode process crashes, not what a kernel driver fault produces. Group the terms and key on the crash and reboot events (adjust the message match to the service display name on your build):
(EventID=1001 AND SourceName='BugCheck') OR (EventID=41 AND SourceName='Microsoft-Windows-Kernel-Power') OR (EventID=6008 AND SourceName='EventLog') OR (EventID=7034 AND SourceName='Service Control Manager' AND Message LIKE '%Web Threat Defense%')
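The same detection logic run locally on a suspect host, as an added example that is not part of the page or of any Microsoft tooling: it pulls the standard crash and reboot events from the System log, extracts the bug-check code and dump path from the 1001 message, lists recent minidumps, and flags the host when bug checks in the window exceed a threshold. The event IDs and provider names are the standard Windows ones, none of them WTD-specific; the look-back window and threshold are illustrative assumptions. A bug-check event never names the faulting driver, so attributing a crash to WTD.sys still requires opening the dump (for example with WinDbg and !analyze -v).

```powershell
# Added example; not from the Microsoft advisory and not part of Web Threat Defense.
# Builds a crash/reboot timeline from the System log and lists recent crash dumps so a
# host being bug-checked repeatedly stands out. Event IDs and providers are standard
# Windows ones. ASSUMPTIONS: the 7-day window and the alert threshold are illustrative.
param(
    [datetime]$Since = (Get-Date).AddDays(-7),
    [int]$AlertThreshold = 2    # bug checks in the window before the host is flagged
)

# One filter per event that a kernel crash and unclean reboot leave behind.
$filters = @(
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001; StartTime = $Since }  # "rebooted from a bugcheck"
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power';             Id = 41;   StartTime = $Since }  # reboot without clean shutdown
    @{ LogName = 'System'; ProviderName = 'EventLog';                                   Id = 6008; StartTime = $Since }  # "previous shutdown was unexpected"
    @{ LogName = 'System'; ProviderName = 'Service Control Manager';                    Id = 7034; StartTime = $Since }  # a service terminated unexpectedly
)

$events = foreach ($f in $filters) {
    # SilentlyContinue: Get-WinEvent raises an error when a filter matches nothing.
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

# The 1001 message carries the bug-check code and the dump location; other events do not.
$codeRx = [regex]'bugcheck was: (0x[0-9A-Fa-f]{8})'
$dumpRx = [regex]'dump was saved in: (\S+)'

$timeline = $events | Sort-Object TimeCreated | ForEach-Object {
    $msg = [string]$_.Message   # may be empty if the provider's message DLL is missing
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Provider = $_.ProviderName
        Code     = $codeRx.Match($msg).Groups[1].Value
        Dump     = $dumpRx.Match($msg).Groups[1].Value
        Detail   = ($msg -split "`r?`n")[0]
    }
}
$timeline | Format-Table -AutoSize

# Recent minidumps: these are what you load into WinDbg to see which module faulted.
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Minidump') -Filter '*.dmp' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-Object Name, LastWriteTime, Length

# Alert on repeated bug checks; a single crash is noise, a pattern is a candidate for this CVE.
$bugChecks = @($timeline | Where-Object { $_.Id -eq 1001 }).Count
if ($bugChecks -ge $AlertThreshold) {
    Write-Warning "$($env:COMPUTERNAME): $bugChecks bug checks since $Since; analyse the dumps for WTD.sys and confirm the patch level"
}
```

The 7034 filter is kept separate from the bug-check filters on purpose: a user-mode Web Threat Defense service stopping unexpectedly is a weaker signal than a kernel bug check, so it appears in the timeline for context but does not count toward the alert threshold.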