CVE-2025-48819

Q: What is the severity of CVE-2025-48819?

CVE-2025-48819 has a CVSS score of 7.1 (HIGH). This vulnerability in Windows Universal Plug and Play (UPnP) Device Host allows an attacker on the same network to access sensitive data stored in improperly locked memory, potentially leading to privilege escalation. It affects Windows systems with UPnP enabled, requiring network adjacency but not authentication.

7.1 HIGH

📋 TL;DR

This vulnerability in Windows Universal Plug and Play (UPnP) Device Host allows an attacker on the same network to access sensitive data stored in improperly locked memory, potentially leading to privilege escalation. It affects Windows systems with UPnP enabled, requiring network adjacency but not authentication.

💻 Affected Systems

Products:

Windows Universal Plug and Play (UPnP) Device Host

Versions: Specific Windows versions as listed in Microsoft advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires UPnP service to be running and network adjacency. Not all Windows installations have UPnP enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains administrative privileges on the target system, enabling complete system compromise, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to execute code with higher privileges than their current account, potentially installing malware or accessing sensitive data.

🟢

If Mitigated

Limited impact with proper network segmentation and UPnP disabled on critical systems.

🌐 Internet-Facing: LOW (requires adjacent network access, not directly internet exploitable)

🏢 Internal Only: HIGH (exploitable from any compromised device on the same network segment)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires authorized access to the network segment and knowledge of memory manipulation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update for specific KB number

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48819

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates via Windows Update. 2. For enterprise: Deploy through WSUS or Microsoft Endpoint Configuration Manager. 3. Verify update installation and restart systems.

🔧 Temporary Workarounds

Disable UPnP Service

windows

Disable the UPnP Device Host service if not required

sc config upnphost start= disabled
sc stop upnphost

Block UPnP Network Traffic

windows

Configure firewall to block UPnP traffic (TCP/2869, UDP/1900)

netsh advfirewall firewall add rule name="Block UPnP" dir=in action=block protocol=TCP localport=2869
netsh advfirewall firewall add rule name="Block UPnP UDP" dir=in action=block protocol=UDP localport=1900

🧯 If You Can't Patch

Implement strict network segmentation to isolate systems with UPnP enabled
Disable UPnP service on all non-essential systems and monitor for unauthorized re-enablement

🔍 How to Verify

Check if Vulnerable:

Check if UPnP service is running: sc query upnphost. If running and system is unpatched, it's vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history for the relevant security update KB number and confirm UPnP service is either patched or disabled.

📡 Detection & Monitoring

Log Indicators:

Unexpected UPnP service restarts
Memory access violations in UPnP process
Privilege escalation events

Network Indicators:

Unusual traffic to TCP/2869 or UDP/1900 from unexpected sources
Network scanning for UPnP services

SIEM Query:

EventID=4688 AND ProcessName="upnphost.exe" AND NewProcessName contains "cmd.exe" OR "powershell.exe"

📊 Metadata

CVE ID: CVE-2025-48819

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-591

EPSS Score: 0.1% exploit probability (28.1th percentile)

Published: July 8, 2025

Last Updated: July 15, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48819 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable UPnP Service

Block UPnP Network Traffic

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities