CVE-2025-47986

8.8 HIGH

📋 TL;DR

CVE-2025-47986 is a use-after-free vulnerability in the Universal Print Management Service that allows authenticated attackers to execute arbitrary code with elevated privileges. This affects Windows systems where the Universal Print feature is enabled. Attackers must already have local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Windows Universal Print Management Service
Versions: Windows 10 versions 21H2 through 24H2, Windows 11 versions 21H2 through 24H2, Windows Server 2022, Windows Server 2025
Operating Systems: Windows 10, Windows 11, Windows Server 2022, Windows Server 2025
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Universal Print feature to be enabled. Systems without Universal Print configured are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with SYSTEM privileges, enabling persistence, lateral movement, and data exfiltration across the network.

🟠 Likely Case: Local privilege escalation from standard user to administrator/SYSTEM level, allowing installation of malware, credential theft, and bypassing security controls.

🟢 If Mitigated: Limited impact due to restricted user access, network segmentation, and proper endpoint protection blocking exploitation attempts.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any authenticated user on affected systems can potentially exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and knowledge of memory manipulation techniques. No public exploits available as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security Update KB5034441 for Windows 10/11, KB5034440 for Windows Server 2022/2025

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47986

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable Universal Print Service

Temporarily disable the Universal Print Management Service if it is not required for business operations:

sc stop "PrintWorkflowUserSvc"
sc config "PrintWorkflowUserSvc" start= disabled

Restrict Service Permissions

Modify the service's security descriptor so that standard users can only query the service, not start, stop, or reconfigure it:

sc sdset "PrintWorkflowUserSvc" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

  • Implement strict least privilege access controls to limit who can authenticate to affected systems
  • Deploy application control policies to prevent execution of unauthorized binaries even with elevated privileges

🔍 How to Verify

Check if Vulnerable:

Check whether the Universal Print service is present and running:

Get-Service -Name PrintWorkflowUserSvc | Select Status, StartType

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that KB5034441/KB5034440 is installed:

Get-HotFix -Id KB5034441, KB5034440

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with parent process PrintWorkflowUserSvc.exe
  • Unexpected service crashes in PrintWorkflowUserSvc
  • Process creation with unusual parent-child relationships involving print services

Network Indicators:

  • Unusual outbound connections from print service processes
  • SMB or RPC traffic from print service to unexpected destinations

SIEM Query:

source="windows" AND ((event_id=4688 AND parent_process_name="PrintWorkflowUserSvc.exe") OR (event_id=7034 AND service_name="PrintWorkflowUserSvc"))
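The verification and detection items above, combined into one triage script. This is an added example, not part of the original advisory; it assumes an elevated PowerShell session on the host being checked, that the service appears under the PrintWorkflowUserSvc name pattern used on this page (per-user service instances carry a suffix, hence the wildcard), that the KB ids are the ones listed above, and that process-creation auditing (Event ID 4688) is enabled.

```powershell
# Added example for CVE-2025-47986 triage; not the advisory's own tooling.
# Assumption: run as an administrator; KB ids and indicators are those given on this page.
$ServicePattern = 'PrintWorkflowUserSvc*'          # per-user service instances are suffixed
$ParentPattern  = '*PrintWorkflowUserSvc*'         # parent-process indicator listed under Log Indicators
$KBs            = @('KB5034441', 'KB5034440')      # fix ids listed under Official Fix
$Since          = (Get-Date).AddDays(-7)

# 1. Exposure: is the Universal Print workflow service present, and how is it configured?
$svc = Get-Service -Name $ServicePattern -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output 'Service not present: host is not exposed through this component.'
} else {
    $svc | Select-Object Name, Status, StartType | Format-Table -AutoSize
}

# 2. Fix state: is at least one of the listed updates installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KBs -contains $_.HotFixID }
if ($installed) {
    Write-Output ("Patched: {0} installed on {1}" -f (@($installed).HotFixID -join ', '), @($installed)[0].InstalledOn)
} else {
    Write-Output ("Not patched: none of {0} found. OS build: {1}" -f ($KBs -join ', '), [System.Environment]::OSVersion.Version)
}

# 3. Detection: unexpected service crashes (System log, Event ID 7034) naming this service.
$crashes = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7034; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like $ParentPattern }
Write-Output ("Service crash events (7034) since {0}: {1}" -f $Since.ToShortDateString(), @($crashes).Count)
$crashes | Select-Object TimeCreated, Message | Format-List

# 4. Detection: process creation (Security log, Event ID 4688) whose parent matches the print service.
# The ParentProcessName field is read from the event XML rather than the rendered message.
$children = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $parent = ($data | Where-Object { $_.Name -eq 'ParentProcessName' }).'#text'
        if ($parent -like $ParentPattern) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Parent  = $parent
                Process = ($data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
                User    = ($data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'
            }
        }
    }
Write-Output ("Process creations (4688) with a print-service parent since {0}: {1}" -f $Since.ToShortDateString(), @($children).Count)
$children | Format-Table -AutoSize
```

A non-zero count in step 3 or 4 is a lead for investigation, not proof of exploitation; correlate with the user account and the spawned binary before escalating.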
