Cyber Resilience

CVE-2025-32709

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 May 2025

Modified: 13 February 2026
KEV Added: 13 May 2025
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0103 (77.7th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-32709 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, it ranks in the top 22.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-32709 is a null pointer dereference vulnerability in the Windows Ancillary Function Driver for WinSock. The flaw is tracked under CWE-416 and carries a CVSS 3.1 score of 7.8, reflecting a local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

An authorized local attacker can trigger the dereference to elevate privileges on an affected Windows system. No user interaction or additional privileges beyond an initial local account are required for successful exploitation.

Microsoft’s advisory at msrc.microsoft.com details the issue and corresponding security update, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming that patches should be applied promptly to remediate the flaw.

The vulnerability appears in real-world exploitation tracking, indicating active attacker interest despite a low EPSS score that has remained essentially flat between 0.0103 and a peak of 0.0114.

EU & UK References

Vulnerability details

Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

CWE(s)
KEV Date Added: 13 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft · windows 10 1507 · ≤ 10.0.10240.21014
microsoft · windows 10 1607 · ≤ 10.0.14393.8066
microsoft · windows 10 1809 · ≤ 10.0.17763.7314
microsoft · windows 10 21h2 · ≤ 10.0.19044.5854
microsoft · windows 10 22h2 · ≤ 10.0.19045.5854
microsoft · windows 11 22h2 · ≤ 10.0.22621.5335
microsoft · windows 11 23h2 · ≤ 10.0.22631.5335
microsoft · windows 11 24h2 · ≤ 10.0.26100.3981
microsoft · windows server 2008 · all versions, r2
microsoft · windows server 2012 · all versions, r2
+5 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires applying the vendor patch that eliminates the null-pointer dereference in the Ancillary Function Driver for WinSock before local exploitation can occur.

Prevent: Enforces least privilege on local accounts so that even an authorized low-privileged user has fewer opportunities to reach or abuse the vulnerable Winsock driver path.

Prevent: Implements memory-protection mechanisms that can block or contain null-pointer dereference attempts in kernel drivers such as the Ancillary Function Driver.

References