Windows SPNEGO: Critical heap-based buffer overflow in Windows SPNEGO Extended Negotiation (CVE-2025-47981) #shorts

Summary

Welcome to our security podcast. In this episode, we’re covering CVE-2025-47981, a critical heap-based buffer overflow in Windows SPNEGO Extended Negotiation. Disclosed on July 8, 2025, this vulnerability allows an unauthenticated attacker to execute code remotely over the network. Microsoft has labeled it wormable, meaning a compromised host could propagate the exploit across unpatched systems without further user interaction.

Product details

The flaw affects a broad range of Windows releases: legacy editions such as Windows Server 2008 R2 SP1 and Windows Server 2012/2012 R2; Windows 10 versions 1507, 1607, 1809, 21H2 and 22H2; Windows 11 versions 22H2, 22H3, 23H2 and 24H2; Windows Server 2016, 2019 and 2022 (including Server Core installations and the Server 2022 23H2 Edition); and the newly released Windows Server 2025. A host on any of these releases with SPNEGO Extended Negotiation enabled remains exploitable until its OS build reaches the fixed build listed for that release in the CVE record, so patch status should be judged by build number rather than by release name alone.
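The build-number check described above, as an added example that is not code from the page or from Microsoft. It reads the OS build and update build revision (UBR) from the registry and compares them with the fixed builds listed in the CVE-2025-47981 record later on this page. The only assumption is that any remote hosts passed in are reachable over PowerShell Remoting (Invoke-Command); the server names in the comments are hypothetical.

```powershell
# Added example (not from the page or Microsoft): audit patch level for CVE-2025-47981
# by comparing CurrentBuildNumber.UBR with the fixed builds from the CVE record.

function Test-Cve202547981Build {
    <#
      Decide patch status from a kernel build number and UBR. Returns one of:
      Patched, Vulnerable, UbrUnavailable, NotInCveRecord.
    #>
    param(
        [Parameter(Mandatory)][string]$Build,   # e.g. '19045'
        [AllowNull()]$Ubr                       # e.g. 6093, or $null if the value is missing
    )
    # Fixed UBR per kernel build, taken from the CVE record's "lessThan" values.
    $fixedBuilds = @{
        '7601'  = 27820   # Windows Server 2008 R2 SP1
        '9200'  = 25573   # Windows Server 2012
        '9600'  = 22676   # Windows Server 2012 R2
        '10240' = 21073   # Windows 10 1507
        '14393' = 8246    # Windows 10 1607 / Windows Server 2016
        '17763' = 7558    # Windows 10 1809 / Windows Server 2019
        '19044' = 6093    # Windows 10 21H2
        '19045' = 6093    # Windows 10 22H2
        '20348' = 3932    # Windows Server 2022
        '22621' = 5624    # Windows 11 22H2
        '22631' = 5624    # Windows 11 22H3 / 23H2
        '25398' = 1732    # Windows Server 2022, 23H2 Edition
        '26100' = 4652    # Windows 11 24H2 / Windows Server 2025
    }
    $fixed = $fixedBuilds[$Build]
    if ($null -eq $fixed) { return 'NotInCveRecord' }   # not listed in the record; not proof of safety
    if ($null -eq $Ubr)   { return 'UbrUnavailable' }   # some older releases do not expose UBR
    if ([int]$Ubr -ge $fixed) { return 'Patched' }
    return 'Vulnerable'
}

function Get-Cve202547981Status {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Registry probe run locally or remotely; returns build, UBR and product name.
    $probe = {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{
            Product = [string]$cv.ProductName
            Build   = [string]$cv.CurrentBuildNumber
            Ubr     = $cv.UBR          # $null when the value does not exist
        }
    }

    foreach ($computer in $ComputerName) {
        $info = if ($computer -eq $env:COMPUTERNAME) {
            & $probe
        } else {
            Invoke-Command -ComputerName $computer -ScriptBlock $probe
        }
        [pscustomobject]@{
            ComputerName = $computer
            Product      = $info.Product
            OSBuild      = '{0}.{1}' -f $info.Build, $info.Ubr
            Status       = Test-Cve202547981Build -Build $info.Build -Ubr $info.Ubr
        }
    }
}

# Usage: audit the local host; pass -ComputerName 'srv-app01','srv-dc01' (hypothetical
# names) to audit remote hosts, and filter on Status -ne 'Patched' for a to-do list.
Get-Cve202547981Status | Format-Table -AutoSize
```

A NotInCveRecord result means only that the build is not one the record enumerates (for example a newer feature release); check MSRC directly rather than treating it as patched.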

Vulnerability type summary

CVE-2025-47981 is classified under CWE-122 (Heap-based Buffer Overflow). The SPNEGO Extended Negotiation code fails to validate the size of an incoming negotiation message against the heap buffer allocated to hold it; data beyond the allocation overruns the buffer, corrupting adjacent heap memory and ultimately enabling arbitrary code execution.

Details of the vulnerability

During authentication, Windows uses SPNEGO Extended Negotiation to agree on which security mechanism the two parties will use. An attacker crafts a negotiation message with an oversized field; the resulting heap overflow overwrites function pointers or control structures, hijacking execution flow. Because SPNEGO is processed inside the Local Security Authority Subsystem Service (LSASS) and is reachable over RPC, exploitation requires only network access to the target's RPC service: no credentials are needed, and code execution lands in LSASS, i.e. with system privileges. Microsoft warns the vulnerability is wormable, meaning a successful exploit could spread automatically across unpatched hosts in an organization.

Conclusion

This is a high-impact issue: a wide affected-version range, unauthenticated remote code execution, and a wormable attack path. Administrators should apply Microsoft's July 2025 security updates immediately. If patching is delayed, isolate servers running SPNEGO services from untrusted networks and add firewall rules that block inbound RPC traffic from anything other than management networks. Treat the RPC block as a partial mitigation only: SPNEGO negotiation is also carried by other authenticated services such as SMB, HTTP Negotiate and LDAP, so reducing exposure of those services matters as well. Stay tuned for our next episode, and stay secure.

Watch the full video on YouTube: CVE-2025-47981

Remediation and exploitation details

This chain involves the following actors

  • Remote Attacker: Unauthorized network actor seeking to execute code on a target system
  • System Administrator: Responsible for applying patches and hardening services

The following systems are involved

  • Windows SPNEGO Extended Negotiation (Provides extended authentication negotiation over network protocols): Processes incoming negotiation tokens during authentication handshake
  • Target Windows Host (Runs Windows 10, Windows 11 or Windows Server with SPNEGO enabled): Victim of the buffer overflow leading to remote code execution

Attack entry point

  • SPNEGO Extended Negotiation Interface: Exposed network endpoint that accepts extended authentication tokens during initial connection setup

Remediation actions

  • Install Microsoft's July 2025 security update (actor: System Administrator; target: Target Windows Host)
  • Disable SPNEGO Extended Negotiation if not required (actor: System Administrator; target: Windows SPNEGO Extended Negotiation)
  • Restrict network access to authentication services (actor: System Administrator; target: Target Windows Host)
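The third remediation action, restricting network access to the RPC-exposed authentication path while the update is rolled out, as an added example that is not code from the page or from Microsoft. It narrows the inbound allow rules that open the RPC endpoint mapper (TCP 135) and dynamic RPC ports so that only a management subnet can reach them. Assumptions: the host uses Windows Defender Firewall with the NetSecurity module, and 10.10.0.0/24 (a hypothetical value) is the only network that legitimately needs RPC access.

```powershell
# Added example (not from the page or Microsoft): scope inbound RPC allow rules to a
# management subnet. Assumes Windows Defender Firewall / NetSecurity module;
# 10.10.0.0/24 in the usage line is a hypothetical placeholder.

function Restrict-InboundRpc {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$AllowedRemoteAddress
    )

    # Default-deny inbound so that anything without an explicit allow rule is dropped.
    if ($PSCmdlet.ShouldProcess('all firewall profiles', 'set DefaultInboundAction = Block')) {
        Set-NetFirewallProfile -All -DefaultInboundAction Block
    }

    # The built-in allow rules open RPC through the 'RPC-EPMap' (TCP 135) and 'RPC'
    # (dynamic port) keywords; custom rules may name port 135 directly.
    $rpcPorts = @('RPC-EPMap', 'RPC', '135')
    $rpcRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and
            (@($filter.LocalPort) | Where-Object { $rpcPorts -contains $_ }).Count -gt 0
        }

    foreach ($rule in $rpcRules) {
        # Scoping the allow rule is the right lever: in Windows Firewall a Block rule
        # always wins over an Allow rule, so a broad block could not be "re-allowed"
        # for the management subnet afterwards.
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, "limit RemoteAddress to $($AllowedRemoteAddress -join ', ')")) {
            $rule | Set-NetFirewallRule -RemoteAddress $AllowedRemoteAddress
        }
    }

    # Report which rules were (or would be) narrowed.
    $rpcRules | Select-Object DisplayName, Profile, Enabled
}

# Usage: preview with -WhatIf first, then run without it to apply.
Restrict-InboundRpc -AllowedRemoteAddress '10.10.0.0/24' -WhatIf
# Restrict-InboundRpc -AllowedRemoteAddress '10.10.0.0/24'
```

Rules delivered by Group Policy cannot be modified locally, so on domain-managed hosts the same scoping has to be applied in the GPO. This narrows only the RPC path the page describes; SPNEGO negotiation also travels over SMB, HTTP Negotiate and LDAP, so exposure of those services should be reviewed separately.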

Exploitation actions

Network scanning and banner inspection

Actor: Remote Attacker
Action: Discover and fingerprint hosts running SPNEGO
Target: Target Windows Host
Examples:
  • Scan common authentication ports used by Windows services
  • Inspect protocol banners to verify SPNEGO support

Malformed protocol packet

Actor: Remote Attacker
Action: Craft a malicious SPNEGO extended negotiation token containing an oversized payload
Target: Windows SPNEGO Extended Negotiation
Examples:
  • Embed a token larger than expected buffer size in extended negotiation field
  • Include shellcode or return-oriented-gadget sequences in the overflow region

Network-based request

Actor: Remote Attacker
Action: Send the malicious token to the SPNEGO endpoint
Target: Target Windows Host
Examples:
  • Initiate a connection and inject the crafted token during the authentication handshake
  • Repeat against multiple hosts to identify unpatched machines

Buffer overwrite

Actor: Remote Attacker
Action: Trigger the heap-based buffer overflow and hijack execution flow
Target: Windows SPNEGO Extended Negotiation
Examples:
  • Overflow the allocated heap buffer to overwrite function pointers or control structures
  • Redirect execution to attacker-controlled code in the overflow payload

Payload execution

Actor: Remote Attacker
Action: Execute arbitrary code with system privileges
Target: Target Windows Host
Examples:
  • Download and run additional tools for persistence
  • Create new administrative user for backdoor access

Related Content


CVE database technical details

CVE ID
CVE-2025-47981
Description
Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network.
Provider
microsoft
CWE / problem types
CWE-122: Heap-based Buffer Overflow
Affected Software Versions
All entries below have status "affected" (version type "custom"): a release is affected from the listed base version up to, but not including, the fixed build.

  • Windows 10 Version 1507: from 10.0.10240.0, fixed in 10.0.10240.21073
  • Windows 10 Version 1607; Windows Server 2016; Windows Server 2016 (Server Core installation): from 10.0.14393.0, fixed in 10.0.14393.8246
  • Windows 10 Version 1809; Windows Server 2019; Windows Server 2019 (Server Core installation): from 10.0.17763.0, fixed in 10.0.17763.7558
  • Windows 10 Version 21H2: from 10.0.19044.0, fixed in 10.0.19044.6093
  • Windows 10 Version 22H2: from 10.0.19045.0, fixed in 10.0.19045.6093
  • Windows 11 version 22H2: from 10.0.22621.0, fixed in 10.0.22621.5624
  • Windows 11 version 22H3; Windows 11 Version 23H2: from 10.0.22631.0, fixed in 10.0.22631.5624
  • Windows 11 Version 24H2; Windows Server 2025; Windows Server 2025 (Server Core installation): from 10.0.26100.0, fixed in 10.0.26100.4652
  • Windows Server 2022: from 10.0.20348.0, fixed in 10.0.20348.3932
  • Windows Server 2022, 23H2 Edition (Server Core installation): from 10.0.25398.0, fixed in 10.0.25398.1732
  • Windows Server 2008 R2 Service Pack 1; Windows Server 2008 R2 Service Pack 1 (Server Core installation): from 6.1.7601.0, fixed in 6.1.7601.27820
  • Windows Server 2012; Windows Server 2012 (Server Core installation): from 6.2.9200.0, fixed in 6.2.9200.25573
  • Windows Server 2012 R2; Windows Server 2012 R2 (Server Core installation): from 6.3.9600.0, fixed in 6.3.9600.22676
Date Published
2025-07-08T16:57:31.364Z
Last Updated
2025-07-08T23:15:46.476Z