Overview
On January 14, 2025, Microsoft disclosed CVE-2025-21307, a critical vulnerability in the Windows Reliable Multicast Transport (RMCAST) driver that enables remote code execution. With a CVSS v3.1 base score of 9.8, this vulnerability poses a severe threat to numerous supported and legacy Windows systems.
Technical Details
The issue is a use-after-free (CWE-416): the driver keeps using a pointer after the memory it refers to has been released, so an attacker who can control what lands in the freed allocation can turn the dangling pointer into arbitrary code execution. RMCAST is rmcast.sys, Microsoft's kernel-mode implementation of the Pragmatic General Multicast (PGM) protocol, exposed to applications through Winsock (SOCK_RDM sockets with IPPROTO_RM). Because the bug lives in a kernel driver that parses network input, successful exploitation yields code execution at kernel privilege rather than in a sandboxed user process.
The vulnerability affects a wide range of Windows versions, including:
- Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Windows 11 (versions 22H2, 23H2, 24H2)
- Windows Server (2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, 2025)
Exploitation requires neither authentication nor user interaction and is carried out over the network by sending crafted packets to a PGM socket. Microsoft's advisory notes that the flaw is only reachable when a program on the target is actually listening on a PGM port, so the practical attack surface is the set of hosts where the Reliable Multicast Protocol is installed and in use; on those hosts, unsegmented or Internet-exposed networks make the issue especially dangerous.
Impact
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which decodes as:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
At the time of disclosure the vulnerability was not known to be exploited in the wild, and Microsoft released updates to remediate it. CISA's SSVC assessment rates the technical impact as total and the vulnerability as automatable (exploitation status: none at publication), which is the combination that argues for patching on an expedited schedule rather than the normal cycle.
Mitigation and Recommendations
Microsoft has released patches through its regular update channels. Affected systems should be updated to the fixed build for their SKU or later. The fixed builds listed here are:
- 10.0.17763.6775 (Windows 10 Version 1809)
- 10.0.20348.3091 (Windows Server 2022)
- 10.0.22621.4751 (Windows 11 22H2)
Other affected versions have their own fixed build numbers; consult the Microsoft advisory for the complete table.
System administrators are encouraged to:
- Deploy patches as soon as possible.
- Use network segmentation and firewalls to reduce the attack surface.
- Inventory hosts that have the Reliable Multicast Protocol installed and bound to an adapter, audit multicast traffic for PGM use, and remove the binding where no application needs it.
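The following PowerShell script is an added example, not part of the Microsoft advisory or the original article. It checks a host against the three fixed builds quoted above (reading the build and UBR from the registry), reports whether the RMCAST driver is registered, and lists adapters with the Reliable Multicast Protocol bound. The binding ComponentID `ms_rmcast` is an assumption; confirm it with `Get-NetAdapterBinding -IncludeHidden` before relying on the result. The build table deliberately contains only the builds this article lists, so other SKUs are reported as unknown rather than given a false verdict.

```powershell
# Added example: local patch-state and exposure check for CVE-2025-21307.
# Not from the Microsoft advisory. Build table limited to the builds quoted above.

# Fixed builds quoted in the article, keyed by major build number -> minimum UBR.
# Build 17763 is Windows 10 1809 (Windows Server 2019 shares the same build line).
$PatchedBuilds = @{
    17763 = 6775   # Windows 10 Version 1809
    20348 = 3091   # Windows Server 2022
    22621 = 4751   # Windows 11 22H2
}

function Get-OsBuildInfo {
    # CurrentBuildNumber + UBR together form the x.y.BUILD.UBR string in the advisory.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName    = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion    # null on older Windows 10 builds
        Build          = [int]$cv.CurrentBuildNumber
        UBR            = [int]$cv.UBR
    }
}

function Test-Cve202521307Patched {
    param([int]$Build, [int]$UBR)
    if (-not $PatchedBuilds.ContainsKey($Build)) { return 'unknown (build not in table)' }
    if ($UBR -ge $PatchedBuilds[$Build]) { 'patched' } else { 'vulnerable' }
}

function Get-RmcastExposure {
    # rmcast.sys is registered as the kernel service 'RMCAST' (Reliable Multicast Protocol driver).
    $drv = Get-CimInstance Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    # Per-adapter protocol binding. ComponentID 'ms_rmcast' is ASSUMED; verify with:
    #   Get-NetAdapterBinding -IncludeHidden | Select-Object Name, ComponentID, DisplayName
    $bind = Get-NetAdapterBinding -ComponentID 'ms_rmcast' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DriverPresent = [bool]$drv
        DriverState   = if ($drv) { $drv.State } else { 'not installed' }
        BoundAdapters = @($bind | Where-Object Enabled | ForEach-Object Name)
    }
}

$os    = Get-OsBuildInfo
$state = Test-Cve202521307Patched -Build $os.Build -UBR $os.UBR
$exp   = Get-RmcastExposure

'{0} ({1}) build {2}.{3}: {4}' -f $os.ProductName, $os.DisplayVersion, $os.Build, $os.UBR, $state
'RMCAST driver present: {0} ({1}); protocol bound on: {2}' -f `
    $exp.DriverPresent, $exp.DriverState, ($(if ($exp.BoundAdapters) { $exp.BoundAdapters -join ', ' } else { 'none' }))

# Remediation for hosts where the protocol is installed but nothing uses PGM.
# Run elevated; uncomment to apply. Patching remains the primary fix.
# Disable-NetAdapterBinding -Name '*' -ComponentID 'ms_rmcast'
```

Run it elevated across a fleet (for example through your management tooling) and treat "vulnerable" hosts that also show an enabled binding as the first patch wave, since those are the only ones on which the network-reachable PGM listener can exist.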
Conclusion
CVE-2025-21307 is a serious risk because of its low attack complexity, network reachability, and full confidentiality, integrity, and availability impact at kernel privilege. Since it affects both supported and end-of-life systems, organizations should patch promptly, confirm which hosts actually have the Reliable Multicast Protocol bound, and monitor vendor advisories for further updates.
For further information, visit the official Microsoft advisory.