CVE-2025-49735: CWE-416: Use After Free in Microsoft Windows Server 2019
Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.
AI Analysis
Technical Summary
CVE-2025-49735 is a high-severity use-after-free vulnerability (CWE-416) found in the Windows Key Distribution Center (KDC) Proxy Service (KPSSVC) component of Microsoft Windows Server 2019, specifically version 10.0.17763.0. This vulnerability allows an unauthenticated attacker to execute arbitrary code remotely over the network. The flaw arises due to improper handling of memory in KPSSVC, where a reference to a freed memory object is used, leading to potential memory corruption. Exploiting this vulnerability could enable an attacker to execute code with the privileges of the affected service, potentially leading to full system compromise. The CVSS v3.1 base score is 8.1, indicating a high severity with network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and poses a significant risk to Windows Server 2019 deployments that have not applied mitigations or patches. The lack of available patches at the time of disclosure increases the urgency for organizations to implement interim mitigations and monitor for exploit attempts.
Potential Impact
For European organizations, this vulnerability presents a critical risk to enterprise environments relying on Windows Server 2019 for authentication and identity services, particularly those using the KDC Proxy Service for Kerberos ticketing and authentication delegation. Successful exploitation could lead to unauthorized remote code execution, allowing attackers to gain control over domain controllers or critical infrastructure servers. This could result in data breaches, disruption of authentication services, lateral movement within networks, and potential ransomware or espionage campaigns. Given the central role of Windows Server in many European enterprises, government agencies, and critical infrastructure sectors, the impact could be widespread, affecting confidentiality, integrity, and availability of sensitive data and services. The vulnerability's network-based attack vector and lack of required authentication make it especially dangerous in perimeter-exposed or poorly segmented environments.
Mitigation Recommendations
Since no official patches are available yet, European organizations should immediately implement the following mitigations:
1) Restrict network access to the KDC Proxy Service by applying strict firewall rules to limit exposure only to trusted management and authentication endpoints.
2) Employ network segmentation to isolate domain controllers and authentication services from general user and internet-facing networks.
3) Monitor network traffic for unusual or suspicious activity targeting KPSSVC, including anomalous Kerberos requests or unexpected connections on related ports.
4) Apply the principle of least privilege to service accounts and ensure that Windows Server 2019 instances are running with minimal necessary permissions.
5) Prepare for rapid deployment of official patches once released by Microsoft, including testing in controlled environments to ensure compatibility.
6) Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.
7) Consider deploying endpoint detection and response (EDR) solutions capable of detecting memory corruption or exploitation attempts related to use-after-free vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: microsoft
- Date Reserved: 2025-06-09T21:23:11.524Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686d50d76f40f0eb72f91cb3
Added to database: 7/8/2025, 5:09:43 PM
Last enriched: 8/19/2025, 1:07:04 AM
Last updated: 8/19/2025, 1:07:04 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)