CVE-2025-47981: 
vulnerability analysis and mitigation

A critical heap-based buffer overflow vulnerability (CVE-2025-47981) was discovered in Windows SPNEGO Extended Negotiation security mechanism. The vulnerability was disclosed on July 8, 2025, and affects multiple versions of Windows and Windows Server. This vulnerability received a CVSS v3.1 base score of 9.8 (Critical), indicating its severe nature (NVD, CVE).

The vulnerability exists in Windows' SPNEGO Extended Negotiation security mechanism and is classified as a heap-based buffer overflow (CWE-122). It affects Windows client machines running Windows 10 version 1607 and above, primarily due to the default enabled GPO setting 'Network security: Allow PKU2U authentication requests to this computer to use online identities'. The vulnerability received the highest exploitability index rating from Microsoft, suggesting potential attacks within 30 days of disclosure (Help Net Security).

The vulnerability allows unauthorized attackers to execute code over a network without requiring user interaction. Due to its wormable nature and the fact that code executes with elevated privileges, successful exploitation could lead to complete system compromise. The attack can be triggered by sending a malicious message to a vulnerable system, potentially leading to remote code execution (Help Net Security).

Microsoft has released security updates for affected Windows versions. For systems that cannot be immediately patched, administrators can implement temporary mitigations by disabling 'Allow PKU2U authentication requests' via GPO and blocking inbound ports 135/445/5985 at the network edge. Priority should be given to patching internet-facing or VPN-reachable assets and systems that interact with Active Directory (Help Net Security).