Overview

A critical remote code execution vulnerability (CVE-2025-47981) has been discovered in the SPNEGO Extended Negotiation (NEGOEX) protocol, affecting the Windows Local Security Authority Subsystem Service (LSASS). This vulnerability allows unauthenticated attackers to remotely execute code on a targeted system without user interaction.

Description

CVE-2025-47981 is a high-severity flaw in the NEGOEX security mechanism of the Windows LSASS process. It carries a CVSS score of 9.8. The vulnerability arises from improper handling of NEGOEX packets during the authentication process. An attacker can exploit this by sending a specially crafted NEGOEX packet to a vulnerable system, leading to the injection and execution of arbitrary code within the context of the LSASS process. Since LSASS operates with high privileges, successful exploitation can provide system-level access without requiring valid credentials. This flaw is particularly dangerous because it is exploitable without authentication and does not require any user interaction, making it an ideal target for automated attacks or worms.

Impact

Exploitation of this vulnerability may allow attackers to achieve full system compromise, execute arbitrary code, and potentially move laterally across networks.

Solution

Microsoft has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References

• 1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47981
• 2. https://www.darkreading.com/application-security/microsoft-patches-137-cves-no-zero-days