CVE-2025-49735
📋 TL;DR
CVE-2025-49735 is a use-after-free vulnerability in Windows KDC Proxy Service (KPSSVC) that allows unauthorized attackers to execute arbitrary code remotely over a network. This affects Windows systems running the KDC Proxy Service, primarily domain controllers and systems configured for Kerberos authentication proxy functionality. Attackers can exploit this without authentication to gain SYSTEM-level privileges on vulnerable systems.
💻 Affected Systems
- Windows Server
- Windows Client
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges leading to domain takeover, credential theft, lateral movement across the network, and persistent backdoor installation.
Likely Case
Remote code execution leading to initial foothold in the network, privilege escalation, and subsequent lateral movement to compromise additional systems.
If Mitigated
Limited impact with network segmentation preventing lateral movement, though the initial system would still be compromised.
🎯 Exploit Status
Exploitation requires network access to the KDC Proxy Service port (typically 443/TCP). The use-after-free condition must be triggered with specific network packets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Security Update Guide for specific KB numbers
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49735
Restart Required: Yes
Instructions:
1. Apply the latest Windows security updates from Microsoft.
2. Restart the system to complete the installation.
3. Verify the patch is applied using Windows Update history or system information.
🔧 Temporary Workarounds
Disable KDC Proxy Service
Disable the vulnerable service if it is not required in your environment:
sc config KPSSVC start= disabled
sc stop KPSSVC
Block network access to KDC Proxy
Restrict network access to the KDC Proxy Service port using firewall rules. Note that the rule below blocks all inbound TCP/443 on the host, not only KDC Proxy traffic; if other HTTPS services share the port, scope the rule with remoteip= or prefer disabling the service instead:
netsh advfirewall firewall add rule name="Block KDC Proxy" dir=in action=block protocol=TCP localport=443
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running KDC Proxy Service
- Deploy endpoint detection and response (EDR) solutions to detect exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if KPSSVC service is running: sc query KPSSVC | findstr "RUNNING"
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains the relevant security update KB number
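As an added example (not part of this advisory or of Microsoft's tooling), the following PowerShell script folds the verification checks above and the workaround state into one report: whether KPSSVC is present, running or disabled, whether the "Block KDC Proxy" inbound rule actually covers TCP/443, and, once the KB number from the MSRC advisory is supplied in the $KBId placeholder, whether that update is installed. Run it elevated; the $KBId placeholder and the exposure labels are assumptions of this example.

```powershell
# Added example: report a host's exposure to the KDC Proxy (KPSSVC) flaw.
param(
    [string]$ServiceName   = 'KPSSVC',
    [string]$BlockRuleName = 'Block KDC Proxy',   # rule name from the netsh workaround
    [string]$KBId          = ''                   # placeholder: KB from the MSRC advisory, e.g. 'KB<number>'
)
$result = [ordered]@{
    Host             = $env:COMPUTERNAME
    ServiceInstalled = $false
    ServiceStatus    = 'NotInstalled'
    StartType        = 'N/A'
    Port443Blocked   = $false
    PatchInstalled   = 'Unknown (no KB given)'
    Exposure         = 'None'
}
# Service presence, state and start mode (Auto/Manual/Disabled); the start mode is
# what "sc config KPSSVC start= disabled" changes.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    $result.ServiceInstalled = $true
    $result.ServiceStatus    = $svc.Status.ToString()
    $result.StartType        = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartMode
}
# Does the workaround rule exist, and does it really block inbound TCP/443?
$rule = Get-NetFirewallRule -DisplayName $BlockRuleName -ErrorAction SilentlyContinue
if ($rule -and $rule.Enabled -eq 'True' -and $rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Block') {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -eq 'TCP' -and $portFilter.LocalPort -contains '443') { $result.Port443Blocked = $true }
}
# The patch check is only meaningful once the KB number is known.
if ($KBId) { $result.PatchInstalled = [bool](Get-HotFix -Id $KBId -ErrorAction SilentlyContinue) }
# Classify: a running, reachable service is exposed until the update is installed;
# a blocked port or a disabled service reduces exposure to the workaround level.
if ($result.PatchInstalled -eq $true) {
    $result.Exposure = 'Patched'
} elseif ($result.ServiceInstalled) {
    if ($result.ServiceStatus -eq 'Running' -and -not $result.Port443Blocked) {
        $result.Exposure = 'Exposed: install the update or apply a workaround'
    } elseif ($result.Port443Blocked) {
        $result.Exposure = 'Mitigated by workaround (inbound TCP/443 blocked)'
    } elseif ($result.StartType -eq 'Disabled') {
        $result.Exposure = 'Mitigated by workaround (service disabled)'
    } else {
        $result.Exposure = 'Service stopped but not disabled; it can be restarted'
    }
}
[pscustomobject]$result
```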
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from KPSSVC.exe
- Crash dumps from KPSSVC service
- Failed authentication attempts to KDC Proxy
Network Indicators:
- Unusual traffic patterns to port 443/TCP on domain controllers
- Malformed Kerberos packets to KDC Proxy
SIEM Query (template: the service host appears in the parent-process field of Event ID 4688, field names vary by platform, and "*suspicious*" is a placeholder for the command-line patterns you alert on):
EventID=4688 AND ParentProcessName="*KPSSVC*" AND CommandLine="*suspicious*"