CVE-2025-49735
Published: 08 July 2025
Summary
CVE-2025-49735 is a high-severity Use After Free (CWE-416) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in Windows KDC Proxy Service by requiring timely application of vendor patches as advised by Microsoft.
Implements memory protection mechanisms such as DEP, ASLR, and control flow guard to minimize successful exploitation of use-after-free vulnerabilities in KPSSVC.
Enforces least functionality by disabling the KDC Proxy Service when not required, eliminating the attack surface for remote code execution over the network.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in network-accessible KDC Proxy Service directly enables unauthenticated remote code execution (RCE) on Windows, mapping to exploitation of public-facing/remote services for initial access/execution.
NVD Description
Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.
Deeper analysisAI
CVE-2025-49735 is a use-after-free vulnerability (CWE-416) in the Windows KDC Proxy Service (KPSSVC), published on 2025-07-08. It affects Windows systems where the KDC Proxy Service is enabled, allowing an unauthorized attacker to execute arbitrary code over a network. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote code execution with high confidentiality, integrity, and availability impacts.
An unauthenticated attacker (PR:N) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Successful exploitation enables remote code execution on the target system with the privileges of the KDC Proxy Service, potentially leading to full system compromise if chained with other flaws or in certain configurations.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49735 provides details on mitigation, including available patches and recommended actions for affected Windows versions.
Details
- CWE(s)