CVE-2025-53149

Q: What is the severity of CVE-2025-53149?

CVE-2025-53149 has a CVSS score of 7.8 (HIGH). This vulnerability is a heap-based buffer overflow in the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys) on Windows systems. It allows an authenticated attacker to execute arbitrary code with elevated SYSTEM privileges locally. Any Windows system with the vulnerable driver is affected.

7.8 HIGH

📋 TL;DR

This vulnerability is a heap-based buffer overflow in the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys) on Windows systems. It allows an authenticated attacker to execute arbitrary code with elevated SYSTEM privileges locally. Any Windows system with the vulnerable driver is affected.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with the Kernel Streaming WOW Thunk Service Driver (ksthunk.sys) enabled, which is present by default on most Windows installations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence.

🟢

If Mitigated

Limited impact if proper endpoint protection, application control, and least privilege principles are enforced, though exploitation may still succeed.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a Windows endpoint, they can exploit this to gain full control of the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local authenticated access. Public proof-of-concept code exists, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the latest Windows security updates from Microsoft's May 2025 Patch Tuesday or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53149

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Disable ksthunk.sys driver

windows

Disables the vulnerable Kernel Streaming WOW Thunk Service Driver to prevent exploitation

sc config ksthunk start= disabled
sc stop ksthunk

Enable Windows Defender Exploit Guard

windows

Configure exploit protection to mitigate heap corruption attacks

🧯 If You Can't Patch

Implement strict application control policies to prevent unauthorized code execution
Enforce least privilege access and segment networks to limit lateral movement

🔍 How to Verify

Check if Vulnerable:

Check if ksthunk.sys driver version is older than the patched version in May 2025 updates

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows is updated to May 2025 or later security updates and ksthunk.sys driver version is updated

📡 Detection & Monitoring

Log Indicators:

Unusual process creation with SYSTEM privileges from non-admin users
Suspicious driver loading events

Network Indicators:

Unusual outbound connections from SYSTEM processes

SIEM Query:

EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"

📊 Metadata

CVE ID: CVE-2025-53149

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

EPSS Score: 0.19% exploit probability (41.1th percentile)

Published: August 12, 2025

Last Updated: September 29, 2025

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53149 Vendor Advisory
https://www.crowdfense.com/cve-2025-53149-windows-ksthunk-heap-overflow/ Exploit,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows 11 24h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

Windows Server 2025 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable ksthunk.sys driver

Enable Windows Defender Exploit Guard

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities