Login Sign Up

CVE-2025-49721

7.8 HIGH
Buffer Overflow

📋 TL;DR

A heap-based buffer overflow vulnerability in the Windows Fast FAT driver allows local attackers to execute arbitrary code with elevated privileges. This affects Windows systems with the vulnerable driver loaded. Attackers must have local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Specific versions not yet detailed in public advisory
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Fast FAT driver (fastfat.sys) to be loaded, which typically occurs when FAT file systems are mounted.

📦 What is this software?

Windows 10 1507 by Microsoft

View all CVEs affecting Windows 10 1507 →

Windows 10 1507 by Microsoft

View all CVEs affecting Windows 10 1507 →

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 21h2 by Microsoft

View all CVEs affecting Windows 10 21h2 →

Windows 10 22h2 by Microsoft

View all CVEs affecting Windows 10 22h2 →

Windows 11 22h2 by Microsoft

View all CVEs affecting Windows 11 22h2 →

Windows 11 23h2 by Microsoft

View all CVEs affecting Windows 11 23h2 →

Windows 11 24h2 by Microsoft

View all CVEs affecting Windows 11 24h2 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

Windows Server 2022 by Microsoft

View all CVEs affecting Windows Server 2022 →

Windows Server 2022 23h2 by Microsoft

View all CVEs affecting Windows Server 2022 23h2 →

Windows Server 2025 by Microsoft

View all CVEs affecting Windows Server 2025 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the affected system, data theft, and lateral movement.

🟠

Likely Case

Local privilege escalation from a standard user account to SYSTEM or administrator privileges, enabling persistence and further attacks.

🟢

If Mitigated

Limited impact if proper access controls prevent local execution or if the vulnerable driver is not loaded.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Malicious insiders or attackers who gain initial access can use this to elevate privileges and move laterally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of heap manipulation techniques. No public exploit code is currently available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49721

Restart Required: Yes

Instructions:

1. Open Windows Update Settings
2. Click 'Check for updates'
3. Install all available security updates
4. Restart the system when prompted

🔧 Temporary Workarounds

Disable Fast FAT driver loading

windows

Prevent the vulnerable driver from loading by disabling it via registry or group policy

reg add "HKLM\SYSTEM\CurrentControlSet\Services\fastfat" /v Start /t REG_DWORD /d 4 /f

Restrict local access

all

Implement strict access controls to prevent unauthorized local logins

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized binaries
  • Use endpoint detection and response (EDR) solutions to monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if fastfat.sys driver is loaded: 'sc query fastfat' or 'driverquery | findstr fastfat'

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update history contains the relevant security update KB number

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688: Process creation with elevated privileges
  • Event ID 4672: Special privileges assigned to new logon
  • Driver load events for fastfat.sys

Network Indicators:

  • No network indicators - this is a local exploit

SIEM Query:

EventID=4688 AND (NewProcessName="*\cmd.exe" OR NewProcessName="*\powershell.exe") AND TokenElevationType="%%1938"

📊 Metadata

CVE ID: CVE-2025-49721
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-122
EPSS Score: 0.06% exploit probability (19.6th percentile)
Published: July 8, 2025
Last Updated: July 16, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-49721, you might also want to check these:

CVE-2021-21940 10.0

A heap-based buffer overflow vulnerability in Anker Eufy Homebase 2's RTSP handling allows remote co...

Same vulnerability type (CWE-122)
CVE-2023-45318 10.0

This critical vulnerability allows remote attackers to execute arbitrary code on systems running Wes...

Same vulnerability type (CWE-122)
CVE-2025-23123 10.0

A heap buffer overflow vulnerability in UniFi Protect Camera firmware allows remote code execution. ...

Same vulnerability type (CWE-122)