Login Sign Up

CVE-2025-54916

7.8 HIGH
Buffer Overflow

📋 TL;DR

A stack-based buffer overflow vulnerability in Windows NTFS allows authenticated attackers to execute arbitrary code locally on vulnerable systems. This affects Windows systems with NTFS file systems where an attacker has local access. The vulnerability could lead to privilege escalation or system compromise.

💻 Affected Systems

Products:
  • Windows NTFS
Versions: Specific Windows versions as listed in Microsoft advisory
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ⚠️ Yes
Notes: Requires NTFS file system and local authenticated access. Virtualized/containerized environments may also be affected.

📦 What is this software?

Windows 10 1507 by Microsoft

View all CVEs affecting Windows 10 1507 →

Windows 10 1507 by Microsoft

View all CVEs affecting Windows 10 1507 →

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1607 by Microsoft

View all CVEs affecting Windows 10 1607 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 1809 by Microsoft

View all CVEs affecting Windows 10 1809 →

Windows 10 21h2 by Microsoft

View all CVEs affecting Windows 10 21h2 →

Windows 10 22h2 by Microsoft

View all CVEs affecting Windows 10 22h2 →

Windows 11 22h2 by Microsoft

View all CVEs affecting Windows 11 22h2 →

Windows 11 23h2 by Microsoft

View all CVEs affecting Windows 11 23h2 →

Windows 11 24h2 by Microsoft

View all CVEs affecting Windows 11 24h2 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2008 by Microsoft

View all CVEs affecting Windows Server 2008 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2012 by Microsoft

View all CVEs affecting Windows Server 2012 →

Windows Server 2016 by Microsoft

View all CVEs affecting Windows Server 2016 →

Windows Server 2019 by Microsoft

View all CVEs affecting Windows Server 2019 →

Windows Server 2022 by Microsoft

View all CVEs affecting Windows Server 2022 →

Windows Server 2022 23h2 by Microsoft

View all CVEs affecting Windows Server 2022 23h2 →

Windows Server 2025 by Microsoft

View all CVEs affecting Windows Server 2025 →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing attacker to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Local privilege escalation from standard user to administrator/SYSTEM level, enabling persistence and lateral movement.

🟢

If Mitigated

Limited impact due to proper access controls, application whitelisting, and network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW - Requires local access and authentication, not directly exploitable over network.
🏢 Internal Only: HIGH - Authenticated attackers on internal networks can exploit this for privilege escalation and lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local authenticated access. Exploit development may be complex due to stack protections like ASLR/DEP.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Microsoft Security Update Guide for specific KB numbers

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54916

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates via Windows Update. 2. For enterprise: Deploy via WSUS, SCCM, or Intune. 3. Verify patch installation with systeminfo or Get-HotFix. 4. Restart systems as required.

🔧 Temporary Workarounds

Restrict local access

windows

Limit local user accounts and implement least privilege access controls

Enable exploit mitigations

windows

Ensure ASLR, DEP, and Control Flow Guard are enabled

Check-ProcessMitigation -System

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles
  • Monitor for suspicious local privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates against Microsoft advisory

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify specific KB update is installed via systeminfo or Get-HotFix

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (process creation) with unusual parent processes
  • Security log events showing privilege escalation

Network Indicators:

  • Unusual lateral movement following local compromise

SIEM Query:

source="windows_security" EventID=4688 AND (ParentImage="*\cmd.exe" OR ParentImage="*\powershell.exe") AND NewProcessName="*\system32\*"

📊 Metadata

CVE ID: CVE-2025-54916
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
EPSS Score: 0.07% exploit probability (21.3th percentile)
Published: September 9, 2025
Last Updated: October 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54916, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)