CVE-2025-47981: 
vulnerability analysis and mitigation

CVE-2025-47981 is a critical Remote Code Execution (RCE) vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. Discovered and disclosed in July 2025, this heap-based buffer overflow vulnerability affects Windows machines version 10 version 1607 and above. The vulnerability was assigned a CVSSv3 score of 9.8, indicating critical severity. The vulnerability was discovered by security researcher Yuki Chen (Tenable Blog, ZDI Blog).

The vulnerability is a heap-based buffer overflow in the Windows SPNEGO Extended Negotiation component that allows remote code execution. The flaw specifically affects systems with a Group Policy Object (GPO) enabled by default called 'Network security: Allow PKU2U authentication requests to this computer to use online identities'. This is only the third vulnerability in SPNEGO NEGOEX since 2022, and the second in 2025, following CVE-2025-21295 from January 2025 (Tenable Blog).

The vulnerability allows an unauthenticated, remote attacker to execute code with elevated privileges by sending a specially crafted message to a vulnerable server. Due to its network-based attack vector and no requirement for user interaction, this vulnerability is classified as 'wormable', meaning it could potentially spread automatically between vulnerable systems (ZDI Blog).

Microsoft has released security patches as part of the July 2025 Patch Tuesday updates to address this vulnerability. Due to the critical nature of the vulnerability and its high likelihood of exploitation, organizations are strongly advised to test and deploy these patches quickly. No alternative workarounds have been provided by Microsoft, making patch application the only effective mitigation strategy (Tenable Blog).