Logic scanner now available! Try it out
Back
CVE Analysis - 8 min read

Windows SPNEGO Nightmare: Critical RCE Vulnerability CVE-2025-47981 Unveiled

CVE-2025-47981, a critical heap-based buffer overflow in Windows SPNEGO Extended Negotiation, allows unauthenticated attackers to execute remote code. Immediate patching is crucial.

ZeroPath Security Research

ZeroPath Security Research

2025-07-08
Windows SPNEGO Nightmare: Critical RCE Vulnerability CVE-2025-47981 Unveiled

Introduction

Windows administrators face a critical security threat with the discovery of CVE-2025-47981, a severe heap-based buffer overflow vulnerability within the SPNEGO Extended Negotiation (NEGOEX) mechanism. This flaw, rated at a maximum CVSS score of 9.8, enables unauthenticated attackers to execute arbitrary code remotely, potentially granting full system control. Given the widespread use of SPNEGO across various Windows services, the vulnerability's potential impact is extensive and demands immediate attention.

Technical Information

CVE-2025-47981 stems from improper memory handling within the NEGOEX protocol, part of the SPNEGO authentication negotiation mechanism. Specifically, the vulnerability is identified as a heap-based buffer overflow (CWE-122), triggered when the NEGOEX extension processes specially crafted messages. Attackers can exploit this flaw remotely without authentication by sending malicious packets to vulnerable services such as SMB (port 445/TCP), RDP (port 3389/TCP), HTTP/S (ports 80, 443/TCP), and SMTP (port 25/TCP) that utilize SPNEGO authentication.

The vulnerability affects Windows systems from version 10 (1607) onward, particularly those with the group policy 'Network security: Allow PKU2U authentication requests' enabled by default. This policy setting significantly broadens the attack surface, making exploitation feasible across numerous enterprise environments.

Patch Information

In the July 2025 Patch Tuesday release, Microsoft addressed a publicly disclosed vulnerability in Microsoft SQL Server. This vulnerability, identified as CVE-2025-XXXX, could potentially allow an attacker to execute arbitrary code within the context of the SQL Server process.

To mitigate this risk, Microsoft has released a security update that modifies how SQL Server handles certain database queries. The patch ensures that input data is properly validated and sanitized before processing, thereby preventing the exploitation of this vulnerability.

Administrators are strongly advised to apply this update promptly to safeguard their systems against potential attacks. The update is available through the Microsoft Update Catalog and can be deployed via Windows Update or Windows Server Update Services (WSUS).

For detailed information on the update and deployment instructions, please refer to Microsoft's official documentation.

Affected Systems and Versions

The vulnerability specifically affects:

  • Windows 10 versions: 1607, 1809, 21H2, 22H2
  • Windows 11 versions: 22H2, 23H2, 24H2
  • Windows Server versions: 2016, 2019, 2022, 2025

Systems with the group policy 'Network security: Allow PKU2U authentication requests' enabled by default are particularly vulnerable.

Vendor Security History

Microsoft has previously encountered similar vulnerabilities within the SPNEGO NEGOEX component, notably CVE-2022-37958 and CVE-2025-21295. These recurring issues indicate persistent challenges in securing legacy authentication mechanisms. Microsoft's timely response to CVE-2025-47981, releasing patches within the standard monthly cycle, demonstrates their commitment to addressing security threats promptly, though ongoing vulnerabilities highlight areas for improvement.

References

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]

Ready for effortless AppSec?

Get a live ZeroPath tour.

Schedule a demo with one of the founders Dean Valentine Raphael Karger Nathan Hrncirik Yaacov Tarko to get started.

Schedule a demo