CVE-2025-32724

Q: What is the severity of CVE-2025-32724?

CVE-2025-32724 has a CVSS score of 7.5 (HIGH). This vulnerability allows an unauthorized attacker to cause a denial of service (DoS) in Windows LSASS (Local Security Authority Subsystem Service) by consuming excessive resources. Attackers can trigger this remotely over a network without authentication, potentially crashing LSASS and disrupting authentication services. All Windows systems running affected versions are vulnerable.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability allows an unauthorized attacker to cause a denial of service (DoS) in Windows LSASS (Local Security Authority Subsystem Service) by consuming excessive resources. Attackers can trigger this remotely over a network without authentication, potentially crashing LSASS and disrupting authentication services. All Windows systems running affected versions are vulnerable.

💻 Affected Systems

Products:

Windows Local Security Authority Subsystem Service (LSASS)

Versions: Specific Windows versions as listed in Microsoft advisory

Operating Systems: Windows Server, Windows Client

Default Config Vulnerable: ⚠️ Yes

Notes: All default Windows installations with LSASS running are vulnerable. Domain controllers are particularly critical targets.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

LSASS crashes, causing complete authentication failure across the domain, preventing all users from logging in, accessing resources, or performing security operations until system restart.

🟠

Likely Case

Temporary service disruption affecting authentication for some users, potentially requiring LSASS restart and causing brief login failures.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring; authentication services remain available with possible performance degradation.

🌐 Internet-Facing: HIGH - Attackers can exploit remotely without authentication, making internet-facing Windows servers prime targets for DoS attacks.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems can still trigger the vulnerability, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability description suggests straightforward resource exhaustion attack that doesn't require complex exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32724

Restart Required: Yes

Instructions:

1. Open Windows Update Settings
2. Check for updates
3. Install all security updates
4. Restart the system when prompted
5. Verify LSASS service is running normally

🔧 Temporary Workarounds

Network Segmentation

windows

Restrict network access to LSASS ports (typically 88, 389, 445, 464, 636) to trusted systems only

netsh advfirewall firewall add rule name="Block LSASS Ports" dir=in action=block protocol=TCP localport=88,389,445,464,636 remoteip=any

Resource Monitoring

windows

Implement monitoring for LSASS resource consumption and restart thresholds

# Use Windows Performance Monitor to track LSASS memory and CPU usage

🧯 If You Can't Patch

Implement strict network segmentation to limit access to LSASS services
Deploy additional monitoring and alerting for LSASS resource exhaustion patterns

🔍 How to Verify

Check if Vulnerable:

Check Windows version and compare against Microsoft's affected versions list in the advisory

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains the relevant security patch and LSASS service is running normally

📡 Detection & Monitoring

Log Indicators:

Event ID 1000 from LSASS.exe crashes in Application logs
High memory/CPU usage by LSASS process
Authentication failure spikes in Security logs

Network Indicators:

Unusual traffic patterns to LSASS ports (88, 389, 445, 464, 636)
Multiple connection attempts to LSASS from single source

SIEM Query:

source="windows" (event_id=1000 AND process_name="lsass.exe") OR (process_name="lsass.exe" AND (memory_usage>90 OR cpu_usage>80))

📊 Metadata

CVE ID: CVE-2025-32724

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-400

EPSS Score: 10.43% exploit probability (93.1th percentile)

Published: June 10, 2025

Last Updated: July 10, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32724 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Network Segmentation

Resource Monitoring

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities