{"id":27808,"date":"2025-07-09T20:56:12","date_gmt":"2025-07-09T18:56:12","guid":{"rendered":"https:\/\/perseus.de\/critical-vulnerability-in-windows-authentication\/"},"modified":"2026-03-31T07:17:17","modified_gmt":"2026-03-31T05:17:17","slug":"critical-vulnerability-in-windows-authentication","status":"publish","type":"post","link":"https:\/\/perseus.de\/en\/critical-vulnerability-in-windows-authentication\/","title":{"rendered":"Critical vulnerability in Windows authentication"},"content":{"rendered":"\t\t
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t
09.07.2025<\/h6>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Critical vulnerability in Windows authentication<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

We would like to draw your attention to a critical security vulnerability in Microsoft Windows that currently poses an acute risk to your IT infrastructure. The vulnerability with a CVSS score of 9.8<\/a> affects almost all current Windows and Windows Server versions \u2013 including Windows Server 2008 R2 \u2013 and allows attackers to execute malicious code with system privileges without user interaction. <\/p>

<\/p>

Immediate patching of affected systems is urgently needed.<\/p>

IT security researchers report <\/span>active attacks<\/b> in which, among other things, existing web sessions were compromised and authentications were obtained without the knowledge of the users \u2013 <\/span>suggesting that active multi-factor authentication could also be bypassed<\/b>.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What happened?<\/b><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Microsoft has identified and published a serious vulnerability<\/a> (CVE-2025-47981<\/a>) in the SPNEGO NEGOEX authentication protocol – an important part of Windows authentication in the domain environment, among other things. This vulnerability allows attackers to execute arbitrary code with system privileges \u2013 without logging in and without any user action. <\/p>

<\/p>

The threat is particularly serious because Microsoft classifies it as “wormable”.<\/a> This means that the malware can spread automatically via networks. According to Microsoft, a first abuse of this vulnerability is expected shortly. <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Reported vulnerability

<\/b><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The vulnerability allows unauthenticated attackers to execute code with system privileges through crafted NETWORK messages, triggering a “heap-based buffer overflow”. This is a bug in the handling of memory. When they are executed, programs reserve space in the so-called heap \u2013 a dynamic memory area that is flexibly requested at runtime. <\/p>

If more is written in this area than is intended, neighboring memory areas can be manipulated. This allows attackers to inject and execute their own malicious code \u2013 in this case, even with the highest privileges. <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

What is affected?<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t

\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

This vulnerability affects all Windows clients starting with Windows 10 version 1607<\/a> because these versions have the following Group Policy enabled by default: “Network Security: Allow PKU2U<\/wbr> authentication requests<\/wbr>to this computer with online identities”.<\/p>

This default setting means that the attack surface is already active on many systems \u2013 even without any special configuration.<\/p>

<\/p>

Systems in which NEGOEX is used in combination with the following services are also particularly at risk:<\/p>