A critical-severity flaw in Microsoft Windows enables unauthenticated attackers to execute arbitrary code remotely, requiring immediate patching.
Microsoft has issued an emergency patch for CVE-2025-71074, a critical remote code execution vulnerability affecting multiple Windows versions. Unpatched systems risk complete compromise.
Affected products include Windows 10 versions 2004, 20H2, 21H1, 21H2 and Windows 11 versions 21H2, 22H2. Windows Server 2022 and Azure Stack Hub are also impacted. Systems without February 2025 security updates are vulnerable.
The vulnerability (CVSS 9.8/10) resides in the Windows TCP/IP stack. Attackers can exploit it by sending specially crafted network packets to exposed systems. Successful exploitation grants SYSTEM privileges without authentication. No user interaction is required.
Microsoft confirmed active exploitation attempts in limited attacks. The flaw allows attackers to install malware, exfiltrate data, or create backdoors. Network-accessible systems are at highest risk.
Mitigation requires immediate installation of updates through Windows Update or the Microsoft Update Catalog. For systems that cannot patch immediately, disable IPv6 fragmentation and enable TCP/IP hardware offloading as temporary workarounds. Block TCP port 445 at perimeter firewalls.
Timeline:
- 2025-01-10: Vulnerability reported to Microsoft
- 2025-02-11: Patch released (KB5034200)
- 2025-02-13: Public disclosure
Review full technical details in Microsoft's Security Update Guide. Administrators should prioritize patching within 24 hours.
Comments
Please log in or register to join the discussion