Microsoft has released critical security patches addressing CVE-2025-47981, a severe heap-based buffer overflow vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. The flaw, rated with a CVSS score of high, poses a significant remote code execution (RCE) risk that requires no user interaction or privileges to exploit. It impacts a wide range of systems, including Windows 10 (1607+), Windows 11, and Windows Server versions from 2008 R2 through 2025, across 33 system configurations and multiple architectures (x64, x86, ARM64), including Server Core editions.

The vulnerability, identified under CWE-122, allows attackers to send specially crafted malicious messages to vulnerable servers, leading to memory corruption via heap-based buffer overflow within the NEGOEX processing mechanism. This allows attackers to overwrite memory structures, control program execution flow, and potentially gain full access to compromised systems. Notably, CVE-2025-47981 is considered wormable, meaning it could spread automatically across connected systems, elevating the threat level significantly in enterprise environments, especially where the Group Policy Object “Allow PKU2U authentication requests to this computer to use online identities” is enabled by default.

Security researchers discovered and responsibly disclosed this flaw, which Microsoft confirmed in its July 8, 2025, patch release. Despite no reports of active exploitation at the time of disclosure, the vulnerability is marked as “Exploitation More Likely” due to its ease of exploitation and potential for wide-scale impact. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC: C emphasizes the network-based nature, low complexity, and high impact on confidentiality, integrity, and availability.

Organizations are strongly advised to immediately deploy the security updates, especially on internet-facing systems and domain controllers. Critical patches are available for Windows Server 2025 (build 10.0.26100.4652), Windows 11 24H2 (build 10.0.26100.4652), Windows Server 2022 23H2 (build 10.0.25398.1732), and legacy systems like Windows Server 2008 R2 (build 6.1.7601.27820). Updates can be obtained via Windows Update, Microsoft Update Catalog, and WSUS. As an additional safeguard, organizations should consider implementing network segmentation and verifying patch deployment by matching system build numbers with Microsoft’s security advisories.