
CVE-2025-49735: CWE-416: Use After Free in Microsoft Windows Server 2019

Severity: High
Tags: Vulnerability, CVE-2025-49735, CWE-416
Published: Tue Jul 08 2025 (07/08/2025, 16:57:25 UTC)
Source: CVE Database V5
Vendor/Project: Microsoft
Product: Windows Server 2019

Description

Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.

AI-Powered Analysis

Last updated: 08/19/2025, 01:07:04 UTC

Technical Analysis

CVE-2025-49735 is a high-severity use-after-free vulnerability (CWE-416) in the Windows Key Distribution Center (KDC) Proxy Service (KPSSVC) component of Microsoft Windows Server 2019, specifically version 10.0.17763.0. It allows an unauthenticated attacker to execute arbitrary code remotely over the network. The flaw arises from improper memory handling in KPSSVC: a reference to an already freed memory object is used after the free, which can corrupt memory. Exploiting this could let an attacker execute code with the privileges of the affected service, potentially leading to full system compromise. The CVSS v3.1 base score is 8.1 (high severity): network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits are currently reported in the wild, the vulnerability is publicly disclosed and poses a significant risk to Windows Server 2019 deployments that have not applied mitigations or patches. The absence of a patch at the time of disclosure makes it urgent for organizations to implement interim mitigations and monitor for exploitation attempts.

Potential Impact

For European organizations, this vulnerability presents a critical risk to enterprise environments relying on Windows Server 2019 for authentication and identity services, particularly those using the KDC Proxy Service for Kerberos ticketing and authentication delegation. Successful exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over domain controllers or critical infrastructure servers. This could result in data breaches, disruption of authentication services, lateral movement within networks, and potential ransomware or espionage campaigns. Given the central role of Windows Server in many European enterprises, government agencies, and critical infrastructure sectors, the impact could be widespread, affecting confidentiality, integrity, and availability of sensitive data and services. The vulnerability's network-based attack vector and lack of required authentication make it especially dangerous in perimeter-exposed or poorly segmented environments.

Mitigation Recommendations

Since no official patches are available yet, European organizations should immediately implement the following mitigations:

1) Restrict network access to the KDC Proxy Service by applying strict firewall rules that limit exposure to trusted management and authentication endpoints only.
2) Employ network segmentation to isolate domain controllers and authentication services from general user and internet-facing networks.
3) Monitor network traffic for unusual or suspicious activity targeting KPSSVC, including anomalous Kerberos requests or unexpected connections on related ports.
4) Apply the principle of least privilege to service accounts and ensure that Windows Server 2019 instances run with the minimum necessary permissions.
5) Prepare for rapid deployment of official patches once Microsoft releases them, including testing in controlled environments to ensure compatibility.
6) Maintain up-to-date backups and incident response plans to recover quickly from potential exploitation.
7) Consider deploying endpoint detection and response (EDR) solutions capable of detecting memory corruption or exploitation attempts related to use-after-free vulnerabilities.


Technical Details

Data Version
5.1
Assigner Short Name
microsoft
Date Reserved
2025-06-09T21:23:11.524Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686d50d76f40f0eb72f91cb3

Added to database: 7/8/2025, 5:09:43 PM

Last enriched: 8/19/2025, 1:07:04 AM

Last updated: 8/19/2025, 1:07:04 AM
