Microsoft has issued a critical security update addressing CVE-2025-71118, a severe vulnerability affecting multiple Windows versions. The flaw could allow remote code execution with no user interaction required.
Microsoft has released an emergency security update to address CVE-2025-71118, a critical vulnerability rated 9.8 out of 10 on the CVSS scale. The flaw affects Windows 10 version 1809 through Windows 11 version 24H2, including all Server editions from 2016 through 2022.
The vulnerability exists in the Windows Remote Procedure Call (RPC) service, specifically in how it handles malformed authentication packets. Attackers can exploit this remotely without authentication or user interaction, potentially executing arbitrary code with SYSTEM privileges.
Technical Details
The RPC service fails to properly validate incoming authentication requests, allowing specially crafted packets to trigger a buffer overflow. This overflow corrupts adjacent memory structures, giving attackers control over program execution flow. The attack vector requires only network access to the target system's RPC endpoint.
Microsoft reports that proof-of-concept exploits are circulating in underground forums, with active exploitation attempts detected in the wild. The vulnerability affects both domain-joined and standalone systems, making it particularly dangerous for enterprise environments.
Affected Products
- Windows 10 versions 1809, 1903, 1909, 2004, 20H2, 21H1, 21H2, 22H2
- Windows 11 versions 21H2, 22H2, 23H2, 24H2
- Windows Server 2016, 2019, 2022
- Windows Server versions 1809, 2004, 20H2, 21H2, 22H2
Mitigation Steps
- Immediate Action: Apply the security update via Windows Update immediately
- Network Segmentation: Isolate critical systems from internet exposure
- Firewall Rules: Block inbound RPC traffic on ports 135, 139, 445
- Monitoring: Enable Windows Event Logging for RPC service events
- Backup: Perform full system backups before applying updates
The update package KB5099123 addresses the vulnerability by implementing proper input validation and bounds checking in the RPC authentication handler. Microsoft recommends prioritizing systems with direct internet exposure.
Timeline
- January 15, 2025: Microsoft notified of vulnerability
- January 20, 2025: Proof-of-concept code released publicly
- January 22, 2025: Microsoft releases security advisory
- January 23, 2025: Emergency patch KB5099123 deployed
Additional Resources
Security researchers emphasize this vulnerability's severity due to its remote exploitation potential and the critical nature of RPC services in Windows environments. Organizations should treat this as a high-priority incident requiring immediate attention.
The patch requires system reboot and may impact services dependent on RPC, including Active Directory, Exchange Server, and SQL Server. Microsoft recommends scheduling maintenance windows during off-hours to minimize disruption.
For enterprise deployments, Microsoft provides additional guidance through its Security Response Center, including detection signatures for intrusion prevention systems and indicators of compromise for security monitoring tools.
Comments
Please log in or register to join the discussion