🟒 CVE-2025-21418

CVE-2025-21418 is a heap-based buffer overflow in the Windows Ancillary Function Driver for WinSock that allows local privilege escalation. Despite affecting both Windows client and server systems, this is fundamentally a local vulnerability requiring existing system access to exploit.

← Back to Overview
LOW_RISK
Risk Level
7.8
CVSS Score
LOCAL
Attack Vector
Privilege Escalation
ATT&CK Tactic
T1068 β€” Exploitation for Privilege Escalation
ATT&CK Technique
VERY_LOW
Deployment Risk
No
Ransomware

πŸ“‹ Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-02-11

Added to CISA KEV: 2025-02-11 0 DAY BETWEEN CVE AND KEV

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2025-21418 is a security vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys) that was disclosed and patched by Microsoft in February 2025 [4] [2].

Key Details
  • Active Exploitation: The vulnerability was confirmed to be actively exploited in the wild as a zero-day prior to its patch [2]. Due to this, it was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog [3].
  • Attack Method & Requirements:
* Type: Elevation of Privilege (EoP) [4]. * Requirements: It requires local access to the target system [1]. An attacker must already have low-privilege access to the machine to trigger the exploit [1]. * Mechanism: The vulnerability exists within the Windows networking stack (AFD.sys), which is a frequent target for researchers and attackers due to its universal presence and ability to process complex user-mode input [1] [5].
  • Impact: Successful exploitation allows a low-privilege local attacker to escalate their privileges to SYSTEM-level, granting them complete control over the affected Windows machine [1]. This results in a full system compromise, impacting confidentiality, integrity, and availability [1].
  • Targeting & Usage: While specific ransomware group attribution is not always publicly detailed for every individual zero-day, the vulnerability was noted as being prioritized for updates on high-value infrastructure, such as RDS hosts, terminal servers, and developer workstations, where attackers often seek to gain broader access [1].
  • Patch Status: Microsoft released a fix for this vulnerability in the February 2025 Patch Tuesday update [2]. Organizations were mandated by CISA to apply the patch to mitigate the risk of active exploitation [3] [6].

Sources

  1. CVE-2025-21418 - Exploits & Severity - Feedly

    Where vendors or researchers reported active exploitation for earlier AFD CVEs (for example CVE‑2025‑32709 and CVE‑2025‑21418), organizations prioritized updates for publicly attacked infrastructure β€” RDS hosts, terminal servers, and developer workstations with broad local access. ... CVEs. CVE-2025…

  2. Microsoft fixes two actively exploited zero-days (CVE-2025-21418 ...

    Microsoft has delivered fixes for 56 vulnerabilities, including two zero-days – CVE-2025-21418 and CVE-2025-21391 – under active exploitation.

  3. NVD - CVE-2025-21418

    Microsoft Corporation. Patch Vendor Advisory. This CVE is in CISA's Known Exploited Vulnerabilities Catalog.https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418 Patch, Vendor Advisory. CVE CISA KEV Update by Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Govern…

  4. Patch Tuesday: February 2025 - RoboShadow

    Exploitation Status: Actively exploited in the wild. CVE-2025-21418: Windows Ancillary Function Driver for WinSock Elevation of Privilege ...

  5. CVE-2025-21418 - KernelSight

    Exploitation Primitive ... Broader Significance afd.sys is a high-value target because it is universally present, reachable from any user, and handles complex data structures from user-mode input. CVE-2025-21418 joins CVE-2023-21768, CVE-2024-38193, and other afd.sys bugs in demonstrating that this…

  6. Microsoft's Patch Tuesday Fixes 63 Flaws, Including Two Under Active...

    Microsoft patches 63 flaws, including two exploited Windows vulnerabilities (CVE-2025-21391, CVE-2025-21418). CISA requires fixes by March 4.Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the 2…

Generated by PatchNow Intelligence System

Analysis based on CIRCL.LU data, Claude AI assessment, and MITRE ATT&CK framework

πŸ“„ Download JSON Data | πŸ“‘ RSS Feed