CVE-2025-49735: CWE-416: Use After Free in Microsoft Windows Server 2019
Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.
AI Analysis
Technical Summary
CVE-2025-49735 is a high-severity use-after-free vulnerability identified in the Windows Key Distribution Center (KDC) Proxy Service (KPSSVC) component of Microsoft Windows Server 2019, specifically version 10.0.17763.0. The vulnerability arises from improper handling of memory within the KPSSVC, where a reference to a freed memory object is used, leading to undefined behavior. This flaw can be exploited remotely by an unauthenticated attacker over the network, without requiring user interaction, to execute arbitrary code on the affected server. The vulnerability is classified under CWE-416 (Use After Free), which typically allows attackers to manipulate program execution flow, potentially leading to full system compromise. The CVSS v3.1 base score is 8.1, indicating a high impact on confidentiality, integrity, and availability. The attack vector is network-based (AV:N), with high attack complexity (AC:H), no privileges required (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the vulnerability’s characteristics make it a significant risk for organizations running the affected Windows Server 2019 version. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring.
Potential Impact
For European organizations, this vulnerability poses a critical risk, especially for enterprises and service providers relying on Windows Server 2019 for domain controller and authentication services. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over critical infrastructure components, exfiltrate sensitive data, disrupt authentication processes, or deploy ransomware and other malware. Given the central role of KDC in Kerberos authentication, compromise could cascade to broader network trust issues, affecting multiple systems and services. The high impact on confidentiality, integrity, and availability could disrupt business operations, cause regulatory compliance violations (e.g., GDPR), and damage organizational reputation. The network-based attack vector and lack of required privileges make it accessible to a wide range of threat actors, increasing the likelihood of targeted attacks against European entities, particularly those in finance, government, healthcare, and critical infrastructure sectors.
Mitigation Recommendations
1. Immediate deployment of any official patches or security updates from Microsoft once available is paramount. 2. Until patches are released, restrict network access to the KPSSVC service by implementing strict firewall rules limiting inbound traffic to trusted management networks only. 3. Employ network segmentation to isolate domain controllers and critical authentication servers from general user and internet-facing networks. 4. Monitor network traffic for unusual or unauthorized access attempts targeting the KPSSVC or related Kerberos services using intrusion detection systems (IDS) and security information and event management (SIEM) solutions. 5. Conduct regular memory integrity and system behavior monitoring on Windows Server 2019 hosts to detect potential exploitation attempts. 6. Review and harden authentication policies, including enforcing multi-factor authentication (MFA) where possible to reduce the impact of compromised credentials. 7. Maintain up-to-date backups and incident response plans tailored to potential compromise scenarios involving domain controllers. 8. Engage in threat intelligence sharing with industry peers and national cybersecurity centers to stay informed about emerging exploit techniques and indicators of compromise related to this vulnerability.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
CVE-2025-49735: CWE-416: Use After Free in Microsoft Windows Server 2019
Description
Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.
AI-Powered Analysis
Technical Analysis
CVE-2025-49735 is a high-severity use-after-free vulnerability identified in the Windows Key Distribution Center (KDC) Proxy Service (KPSSVC) component of Microsoft Windows Server 2019, specifically version 10.0.17763.0. The vulnerability arises from improper handling of memory within the KPSSVC, where a reference to a freed memory object is used, leading to undefined behavior. This flaw can be exploited remotely by an unauthenticated attacker over the network, without requiring user interaction, to execute arbitrary code on the affected server. The vulnerability is classified under CWE-416 (Use After Free), which typically allows attackers to manipulate program execution flow, potentially leading to full system compromise. The CVSS v3.1 base score is 8.1, indicating a high impact on confidentiality, integrity, and availability. The attack vector is network-based (AV:N), with high attack complexity (AC:H), no privileges required (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no known exploits are currently reported in the wild, the vulnerability’s characteristics make it a significant risk for organizations running the affected Windows Server 2019 version. The lack of available patches at the time of publication increases the urgency for mitigation and monitoring.
Potential Impact
For European organizations, this vulnerability poses a critical risk, especially for enterprises and service providers relying on Windows Server 2019 for domain controller and authentication services. Exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over critical infrastructure components, exfiltrate sensitive data, disrupt authentication processes, or deploy ransomware and other malware. Given the central role of KDC in Kerberos authentication, compromise could cascade to broader network trust issues, affecting multiple systems and services. The high impact on confidentiality, integrity, and availability could disrupt business operations, cause regulatory compliance violations (e.g., GDPR), and damage organizational reputation. The network-based attack vector and lack of required privileges make it accessible to a wide range of threat actors, increasing the likelihood of targeted attacks against European entities, particularly those in finance, government, healthcare, and critical infrastructure sectors.
Mitigation Recommendations
1. Immediate deployment of any official patches or security updates from Microsoft once available is paramount. 2. Until patches are released, restrict network access to the KPSSVC service by implementing strict firewall rules limiting inbound traffic to trusted management networks only. 3. Employ network segmentation to isolate domain controllers and critical authentication servers from general user and internet-facing networks. 4. Monitor network traffic for unusual or unauthorized access attempts targeting the KPSSVC or related Kerberos services using intrusion detection systems (IDS) and security information and event management (SIEM) solutions. 5. Conduct regular memory integrity and system behavior monitoring on Windows Server 2019 hosts to detect potential exploitation attempts. 6. Review and harden authentication policies, including enforcing multi-factor authentication (MFA) where possible to reduce the impact of compromised credentials. 7. Maintain up-to-date backups and incident response plans tailored to potential compromise scenarios involving domain controllers. 8. Engage in threat intelligence sharing with industry peers and national cybersecurity centers to stay informed about emerging exploit techniques and indicators of compromise related to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- microsoft
- Date Reserved
- 2025-06-09T21:23:11.524Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 686d50d76f40f0eb72f91cb3
Added to database: 7/8/2025, 5:09:43 PM
Last enriched: 8/7/2025, 1:10:56 AM
Last updated: 8/7/2025, 1:10:56 AM
Views: 9
Related Threats
CVE-2025-8533: CWE-863 Incorrect Authorization in Flexibits Fantastical
MediumCVE-2025-35970: Use of weak credentials in SEIKO EPSON Multiple EPSON product
HighCVE-2025-29866: CWE-73: External Control of File Name or Path in TAGFREE X-Free Uploader
HighCVE-2025-32094: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in Akamai AkamaiGhost
MediumCVE-2025-8583: Inappropriate implementation in Google Chrome
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.