Microsoft has issued an urgent security update to address CVE-2025-10966, a critical vulnerability affecting multiple Windows operating systems. The flaw, rated 9.8/10 on the CVSS scale, allows remote code execution and requires immediate patching.
Microsoft has released a critical security update to address CVE-2025-10966, a severe vulnerability in Windows operating systems that could allow attackers to execute arbitrary code remotely. The vulnerability affects Windows 10, Windows 11, and Windows Server versions 2016 through 2022.
The flaw exists in the Windows Remote Procedure Call (RPC) service, where improper input validation could enable an unauthenticated attacker to send specially crafted packets to a targeted system. Successful exploitation would grant the attacker the same user rights as the local system account.
Technical Details
CVE-2025-10966 affects the RPC runtime library (rpcrt4.dll) and is triggered when processing malformed RPC requests. The vulnerability stems from a buffer overflow condition that occurs during memory allocation for incoming RPC calls. Attackers can exploit this by sending malicious packets to TCP port 135, which Windows uses for RPC communication.
The vulnerability has been assigned a CVSS score of 9.8 out of 10, categorizing it as critical. The attack vector is network-based, requiring no authentication or user interaction. This makes it particularly dangerous as it can be exploited remotely without any prior access to the target system.
Affected Products
- Windows 10 version 1809 and later
- Windows 11 version 21H2 and later
- Windows Server 2016 and later
- Windows Server 2019
- Windows Server 2022
- Windows Server (Semi-Annual Channel)
Mitigation Steps
Microsoft has released security updates for all affected versions. Organizations should:
- Apply the security update immediately through Windows Update
- For enterprise environments, deploy via WSUS or Microsoft Endpoint Manager
- Verify patch installation by checking for KB5034441 (or later)
- Monitor systems for unusual network traffic on port 135
- Consider temporarily blocking external access to RPC endpoints if immediate patching isn't possible
Timeline
Microsoft became aware of the vulnerability on January 15, 2025, through coordinated disclosure from a security researcher. The company developed a patch within 72 hours and began rolling out the update on January 21, 2025, as part of its monthly Patch Tuesday cycle.
Additional Resources
Organizations are strongly advised to prioritize this update due to the critical nature of the vulnerability and the potential for widespread exploitation. Microsoft reports no evidence of active exploitation in the wild at this time, but the severity warrants immediate action.
Comments
Please log in or register to join the discussion