CVE-2025-49735: CWE-416: Use After Free in Microsoft Windows Server 2019

High
Tags: Vulnerability, CVE-2025-49735, cve, cve-2025-49735, cwe-416
Published: Tue Jul 08 2025 (07/08/2025, 16:57:25 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Windows Server 2019

Description

Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.

AI-Powered Analysis

AI analysis last updated: 08/07/2025, 01:10:56 UTC

Technical Analysis

CVE-2025-49735 is a high-severity use-after-free vulnerability in the Key Distribution Center (KDC) Proxy Service (KPSSVC) of Microsoft Windows Server 2019, specifically version 10.0.17763.0. The flaw stems from improper memory handling in KPSSVC: the service continues to use a reference to a memory object after that object has been freed, resulting in undefined behavior. An unauthenticated attacker can trigger it remotely over the network, with no user interaction, to execute arbitrary code on the affected server. It is classified as CWE-416 (Use After Free), a bug class that typically lets an attacker influence program control flow and can lead to full system compromise. The CVSS v3.1 base score is 8.1 (high): attack vector network (AV:N), attack complexity high (AC:H), privileges required none (PR:N), user interaction none (UI:N), scope unchanged (S:U), and confidentiality, integrity and availability impact all high (C:H/I:H/A:H). No exploitation in the wild is currently reported, but the vulnerability's characteristics make it a significant risk for organizations running the affected Windows Server 2019 version, and the absence of an available patch at the time of publication increases the urgency of mitigation and monitoring.

Potential Impact

For European organizations, this vulnerability poses a critical risk, especially for enterprises and service providers relying on Windows Server 2019 for domain controller and authentication services. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over critical infrastructure components, exfiltrate sensitive data, disrupt authentication processes, or deploy ransomware and other malware. Given the central role of KDC in Kerberos authentication, compromise could cascade to broader network trust issues, affecting multiple systems and services. The high impact on confidentiality, integrity, and availability could disrupt business operations, cause regulatory compliance violations (e.g., GDPR), and damage organizational reputation. The network-based attack vector and lack of required privileges make it accessible to a wide range of threat actors, increasing the likelihood of targeted attacks against European entities, particularly those in finance, government, healthcare, and critical infrastructure sectors.

Mitigation Recommendations

1. Immediate deployment of any official patches or security updates from Microsoft once available is paramount.
2. Until patches are released, restrict network access to the KPSSVC service by implementing strict firewall rules limiting inbound traffic to trusted management networks only.
3. Employ network segmentation to isolate domain controllers and critical authentication servers from general user and internet-facing networks.
4. Monitor network traffic for unusual or unauthorized access attempts targeting the KPSSVC or related Kerberos services using intrusion detection systems (IDS) and security information and event management (SIEM) solutions.
5. Conduct regular memory integrity and system behavior monitoring on Windows Server 2019 hosts to detect potential exploitation attempts.
6. Review and harden authentication policies, including enforcing multi-factor authentication (MFA) where possible to reduce the impact of compromised credentials.
7. Maintain up-to-date backups and incident response plans tailored to potential compromise scenarios involving domain controllers.
8. Engage in threat intelligence sharing with industry peers and national cybersecurity centers to stay informed about emerging exploit techniques and indicators of compromise related to this vulnerability.
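The following PowerShell script is an added example, not part of the advisory and not Microsoft's own tooling. It puts the exposure check and mitigation step 2 (restricting inbound access to KPSSVC to trusted management networks) into a form an administrator can run on a Windows Server 2019 host. It assumes the service name KPSSVC (as named in the advisory), that the KDC proxy listens on TCP 443 (the service's default, which is configurable and should be verified on the host), and uses placeholder trusted address ranges and rule names that must be adjusted for the environment.

```powershell
# Added example (not from the advisory): assess exposure to CVE-2025-49735 and scope
# inbound access to the KDC Proxy Server service (KPSSVC) to trusted networks only.
# Assumptions: service name KPSSVC; proxy port TCP 443 (assumed default, verify with
# `netsh http show servicestate`); $TrustedRanges are placeholder management networks.

$TrustedRanges = @('10.10.0.0/16', '192.168.50.0/24')   # placeholder: your management networks
$KdcProxyPort  = 443                                    # assumed default KDC proxy port

# --- 1. Is this the affected build, and is KPSSVC present and running? ---
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$svc = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    OSVersion     = $os.Version                        # affected build reported as 10.0.17763
    AffectedBuild = ($os.Version -like '10.0.17763*')
    KpssvcPresent = [bool]$svc
    KpssvcStatus  = if ($svc) { $svc.Status }    else { 'NotInstalled' }
    KpssvcStart   = if ($svc) { $svc.StartType } else { 'n/a' }
} | Format-List

# --- 2. Restrict inbound access to the proxy port to trusted networks only. ---
# Windows Firewall evaluates Block rules before Allow rules, so the workable pattern is:
# keep each profile's default inbound action at Block, and make sure the only Allow
# rules for the port are scoped to trusted remote addresses.
if ($svc) {
    # Default inbound action per profile (should be Block for this to be effective)
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

    # Existing inbound Allow rules that open the proxy port; review and narrow or
    # remove any that are not scoped to trusted remote addresses.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $KdcProxyPort } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Enabled, Profile,
            @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }

    # Scoped allow rule: only the trusted management ranges may reach the proxy port.
    New-NetFirewallRule -DisplayName 'KDC Proxy - allow trusted management networks only' `
        -Direction Inbound -Protocol TCP -LocalPort $KdcProxyPort `
        -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null
}
```

Run it in an elevated session on each Windows Server 2019 host that may have the KDC Proxy role. The first section is a triage aid for inventory; the second only helps if the firewall's default inbound action is Block and no broader Allow rule for the port remains, which is why the script lists existing rules for review before adding the scoped one.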

Technical Details

Data Version: 5.1
Assigner Short Name: microsoft
Date Reserved: 2025-06-09T21:23:11.524Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686d50d76f40f0eb72f91cb3

Added to database: 7/8/2025, 5:09:43 PM

Last enriched: 8/7/2025, 1:10:56 AM

Last updated: 8/7/2025, 1:10:56 AM
