CVE-2025-48821

Q: What is the severity of CVE-2025-48821?

CVE-2025-48821 has a CVSS score of 7.1 (HIGH). CVE-2025-48821 is a use-after-free vulnerability in Windows Universal Plug and Play (UPnP) Device Host that allows an authenticated attacker on the same network to elevate privileges. This affects Windows systems with UPnP enabled, potentially allowing attackers to gain higher system privileges than they should have.

7.1 HIGH

📋 TL;DR

CVE-2025-48821 is a use-after-free vulnerability in Windows Universal Plug and Play (UPnP) Device Host that allows an authenticated attacker on the same network to elevate privileges. This affects Windows systems with UPnP enabled, potentially allowing attackers to gain higher system privileges than they should have.

💻 Affected Systems

Products:

Windows Universal Plug and Play (UPnP) Device Host

Versions: Specific Windows versions as detailed in Microsoft advisory

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with UPnP service enabled are vulnerable. UPnP is often enabled by default on consumer Windows editions but may be disabled on servers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains SYSTEM-level privileges on the target Windows machine, enabling complete system compromise, data theft, and lateral movement across the network.

🟠

Likely Case

Attacker gains elevated privileges on the target system, potentially installing malware, stealing credentials, or establishing persistence.

🟢

If Mitigated

With proper network segmentation and UPnP disabled, impact is limited to isolated network segments or prevented entirely.

🌐 Internet-Facing: LOW (UPnP typically operates on internal networks and requires adjacent network access)

🏢 Internal Only: HIGH (Attackers on the same network can exploit this to elevate privileges on vulnerable systems)

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires attacker to be authenticated on the same network as the target. Use-after-free vulnerabilities typically require precise timing and memory manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft's monthly security updates for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48821

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft
2. Restart the system to complete the patch installation
3. Verify the patch is applied using Windows Update history

🔧 Temporary Workarounds

Disable UPnP Device Host Service

windows

Disables the vulnerable UPnP service to prevent exploitation

sc config upnphost start= disabled
sc stop upnphost

Block UPnP Network Traffic

windows

Blocks UPnP network traffic at firewall to prevent network-based attacks

netsh advfirewall firewall add rule name="Block UPnP" dir=in action=block protocol=TCP localport=2869
netsh advfirewall firewall add rule name="Block UPnP UDP" dir=in action=block protocol=UDP localport=1900

🧯 If You Can't Patch

Disable UPnP Device Host service on all vulnerable systems
Implement strict network segmentation to isolate systems with UPnP enabled

🔍 How to Verify

Check if Vulnerable:

Check if UPnP Device Host service is running: sc query upnphost

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Check Windows Update history for the latest security updates and verify UPnP service is either patched or disabled

📡 Detection & Monitoring

Log Indicators:

Unusual service crashes in Windows Event Logs (Event ID 1000, 1001)
Suspicious UPnP service activity
Privilege escalation attempts

Network Indicators:

Unusual traffic to UPnP ports (TCP 2869, UDP 1900) from unexpected sources
Network scanning for UPnP services

SIEM Query:

EventID=1000 OR EventID=1001 | where ProcessName contains "upnphost" OR SourceName="UPnP"

📊 Metadata

CVE ID: CVE-2025-48821

CVSS v3 Score: 7.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.13% exploit probability (32th percentile)

Published: July 8, 2025

Last Updated: July 15, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-48821 Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable UPnP Device Host Service

Block UPnP Network Traffic

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities