We would like to draw your attention to a critical security vulnerability in Microsoft Windows that currently poses an acute risk to your IT infrastructure. The vulnerability, rated CVSS 9.8, affects almost all current Windows and Windows Server versions, including Windows Server 2008 R2, and allows unauthenticated attackers to execute malicious code with SYSTEM privileges without any user interaction.
Immediate patching of affected systems is urgently needed.
IT security researchers report active attacks in which, among other things, existing web sessions were hijacked and authentications were obtained without the users' knowledge, which suggests that even active multi-factor authentication can be bypassed.
What happened?
Microsoft has identified and published a serious vulnerability (CVE-2025-47981) in SPNEGO Extended Negotiation (NEGOEX), the authentication protocol extension that Windows uses, among other things, for authentication in domain environments. The vulnerability allows attackers to execute arbitrary code with SYSTEM privileges without logging in and without any user action.
The threat is particularly serious because the flaw is considered "wormable": since no authentication is required, malware could spread automatically across networks from one vulnerable host to the next. Microsoft itself rates the vulnerability as "Exploitation More Likely", so the first abuse in the wild is expected shortly.
Reported vulnerability
The vulnerability allows unauthenticated attackers to execute code with SYSTEM privileges by sending crafted network messages that trigger a heap-based buffer overflow. This is a memory-handling bug: while running, a program reserves space on the so-called heap, a dynamic memory area that is requested flexibly at runtime.
If more data is written into such a buffer than was reserved for it, neighboring memory areas are overwritten. Attackers can use this to inject and execute their own malicious code, in this case with the highest privileges on the system.
What is affected?
This vulnerability affects all Windows clients starting with Windows 10 version 1607, because these versions have the following Group Policy enabled by default: "Network security: Allow PKU2U authentication requests to this computer to use online identities".
This default setting means that the attack surface is already active on many systems – even without any special configuration.
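The following PowerShell snippet is an added example and not part of the original advisory. It reads the registry value behind the PKU2U policy (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u, AllowOnlineID) and lists security updates installed since Microsoft's July 2025 Patch Tuesday (assumed here to be 8 July 2025). It does not tell you the exact KB number for your OS, which you must look up in the Microsoft advisory for CVE-2025-47981; it only gives you a quick triage of whether the default attack surface is active and whether anything has been patched recently.

```powershell
# Added example: triage the PKU2U exposure and patch status for CVE-2025-47981.
# Run in an elevated PowerShell session on the host you want to check.

function Get-Pku2uStatus {
    # Registry location that backs the policy
    # "Network security: Allow PKU2U authentication requests to this computer to use online identities"
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $item = Get-ItemProperty -Path $key -Name 'AllowOnlineID' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the OS default applies, and on Windows 10 1607 and later
        # that default is "enabled", so the attack surface described above is active.
        return [pscustomobject]@{ Configured = $false; Enabled = $true; Source = 'OS default' }
    }

    return [pscustomobject]@{
        Configured = $true
        Enabled    = ($item.AllowOnlineID -ne 0)
        Source     = 'registry/GPO'
    }
}

function Get-RecentSecurityUpdates {
    param(
        # Assumed release date of the fix; adjust if your patch cycle differs.
        [datetime]$Since = [datetime]'2025-07-08'
    )
    # Get-HotFix only sees updates registered with the OS; cumulative updates
    # are listed as "Security Update" with their KB number.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

$pku2u = Get-Pku2uStatus
$os    = [System.Environment]::OSVersion.Version

Write-Host ("OS build: {0}" -f $os)
Write-Host ("PKU2U online identities: enabled={0} (source: {1})" -f $pku2u.Enabled, $pku2u.Source)

$updates = Get-RecentSecurityUpdates
if (-not $updates) {
    Write-Warning 'No security updates installed since the assumed fix date; treat this host as unpatched.'
} else {
    $updates | Format-Table -AutoSize
}
```

Do not simply set AllowOnlineID to 0 as a substitute for patching: PKU2U is also used for peer authentication between Microsoft Entra ID (Azure AD) joined devices and with Microsoft accounts, so disabling it can break those scenarios, and the advisory's recommendation remains to install the update.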
Systems in which NEGOEX is used in combination with the following services are also particularly at risk:
What can I do?
The CVE-2025-47981 vulnerability poses an acute threat to Windows-based networks. The combination of high criticality, ease of exploitation (no credentials, no user interaction) and the possibility of automatic propagation makes this vulnerability particularly dangerous.
We recommend that you act immediately to prevent potential harm:
Important note: Please note that blocking ports 135, 445 and 5985 may result in the following effects:
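As an added example that is not part of the original advisory, the following PowerShell creates a temporary inbound block for TCP ports 135 (RPC endpoint mapper), 445 (SMB) and 5985 (WinRM over HTTP) as an interim measure until the update is installed, and shows how to verify and later remove it. The rule name is an assumption. Be aware of what you are cutting off: 445 carries file and printer sharing, 135 is needed for remote RPC and WMI management, and 5985 is PowerShell remoting, so the block below is scoped to the Public profile by default and must be widened deliberately.

```powershell
# Added example: interim inbound block for the ports named in the advisory.
# Windows Firewall evaluates block rules before allow rules, so this rule
# overrides any existing allow rule for the same ports on the selected profiles.

$ruleName = 'CVE-2025-47981 interim block'   # assumed name, choose your own
$ports    = 135, 445, 5985

function Add-InterimBlock {
    param(
        # Default to the Public profile only; pass 'Domain','Private','Public'
        # to block everywhere once you have accepted the management impact.
        [string[]]$Profile = @('Public')
    )
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$ruleName' already exists."
        return
    }
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Action Block -Profile $Profile -Enabled True | Out-Null
    Write-Host "Created inbound block for TCP $($ports -join ', ') on profile(s): $($Profile -join ', ')"
}

function Show-ExposedListeners {
    # Which of the affected ports are actually listening on this host right now.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort
}

function Remove-InterimBlock {
    # Remove the rule once the security update for CVE-2025-47981 is installed.
    Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    Write-Host "Removed rule '$ruleName'."
}

Show-ExposedListeners | Format-Table -AutoSize
Add-InterimBlock
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Before extending the block to the Domain profile, confirm that you have an alternative management path (for example a jump host on an allowed subnet or console access), since the same rule will also stop you from reaching the machine over WinRM and WMI.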
Here’s how you can identify a potential exploitation of the vulnerability: