Powered by MOMENTUMMEDIA
“This isn’t just a bug – it’s a loaded gun pointed at your organisation,” one analyst has said of the “wormable” CVE-2025-47981.
Among the 130 vulnerabilities Microsoft disclosed in its July 2025 Patch Tuesday update, one in particular is already causing a stir among analysts and security experts.
CVE-2025-47981 is a heap-based buffer overflow in Windows SPNEGO Extended Negotiation (NEGOEX) that could allow an unauthenticated attacker to execute code remotely. It has been rated critical with a CVSS score of 9.8, and watchTowr founder and CEO Benjamin Harris said it “has the unfortunate hallmarks of becoming a significant problem”.
“It targets SPNEGO, the backbone protocol used to negotiate authentication on critical services, including those that are (whether we like it [or] not) regularly internet-facing, including SMB, RDP, and IIS. As always, remote code execution is bad, but early analysis is suggesting that this vulnerability may be ‘wormable’ – the sort of vulnerability that could be leveraged in self-propagating malware and make many revisit trauma from the WannaCry incident (and similar),” Harris said.
As Microsoft has said, there are no prerequisites for this vulnerability. No authentication is necessary – all that’s needed is network access.
“Microsoft themselves believe exploitation is ‘More Likely’. We shouldn’t fool ourselves – if the private industry has noticed this vulnerability, it is certainly already on the radar of every attacker with an ounce of malice,” Harris said.
“Defenders need to drop everything, patch rapidly, and hunt down exposed systems.”
Saeed Abbasi, senior manager for security research at the Qualys Threat Research Unit, was even more blunt about the risk this vulnerability poses.
“This isn’t just a bug – it’s a loaded gun pointed at your organisation,” Abbasi said.
“Once inside, the exploit can pivot to every Windows 10 endpoint that still has the default PKU2U setting enabled. We expect NEGOEX exploits to be weaponised within days, so attacks are imminent.”
Abbasi’s advice is to patch within 48 hours, starting with internet-facing or VPN-reachable assets.
“If you absolutely can’t patch, disable ‘Allow PKU2U authentication requests’ via GPO and block inbound 135/445/5985 at the edge,” Abbasi said.
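The following PowerShell script is an added example, not code from the article or from either of the researchers quoted; it audits a single Windows host for the two stop-gap mitigations Abbasi describes and, with the `-Remediate` switch, applies them. It assumes an elevated PowerShell 5.1 or later session, that the registry value `AllowOnlineID` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u` is the setting behind the “Allow PKU2U authentication requests to this computer to use online identities” policy, and that a host firewall rule is an acceptable stand-in where no edge control exists. Both steps are mitigations only; the quoted port list does not cover RDP or IIS, which the article also names as SPNEGO consumers, and nothing here replaces the patch.

```powershell
# Added example (not the article's or the quoted researchers' code): audit and,
# optionally, apply the two mitigations quoted above on one Windows host.
# Assumes: elevated PowerShell 5.1+ on Windows; the registry value below backs
# the GPO "Network security: Allow PKU2U authentication requests to this
# computer to use online identities". Mitigation only; the fix is the patch.

[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$pku2uPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
$pku2uName = 'AllowOnlineID'
$edgePorts = 135, 445, 5985   # the inbound ports named in the quote above

# --- 1. Current PKU2U state --------------------------------------------------
$current = (Get-ItemProperty -Path $pku2uPath -Name $pku2uName -ErrorAction SilentlyContinue).$pku2uName
if ($null -eq $current) {
    # Value absent: the policy has never been set, so the OS default applies
    # (the quote above says that default is "enabled" on Windows 10).
    Write-Output "PKU2U: $pku2uName not set (OS default applies)"
} else {
    Write-Output "PKU2U: $pku2uName = $current (1 = allowed, 0 = disabled)"
}

if ($Remediate -and $current -ne 0) {
    if ($PSCmdlet.ShouldProcess($pku2uPath, "Set $pku2uName = 0")) {
        if (-not (Test-Path $pku2uPath)) { New-Item -Path $pku2uPath -Force | Out-Null }
        Set-ItemProperty -Path $pku2uPath -Name $pku2uName -Value 0 -Type DWord
        Write-Output 'PKU2U: disabled (applies to new authentication attempts)'
    }
}

# --- 2. Which of the quoted ports this host is actually listening on ---------
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $edgePorts -contains $_.LocalPort } |
    Select-Object -ExpandProperty LocalPort -Unique
foreach ($p in $edgePorts) {
    $state = if ($listening -contains $p) { 'LISTENING' } else { 'closed' }
    Write-Output ("Port {0,5}/tcp: {1}" -f $p, $state)
}

# --- 3. Host-firewall block as a stand-in for the edge block -----------------
# Caveat: blocking 445 on a file server, or 5985 on a host managed over WinRM,
# breaks those services. The quote says to block at the network edge; a host
# rule is only a substitute where no edge control exists. Domain profile is
# left alone so internal management paths keep working.
if ($Remediate) {
    foreach ($p in $edgePorts) {
        $ruleName = "Block inbound TCP $p (SPNEGO mitigation)"
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            if ($PSCmdlet.ShouldProcess($ruleName, 'New-NetFirewallRule')) {
                New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                    -LocalPort $p -Action Block -Profile Public,Private -Enabled True | Out-Null
                Write-Output "Firewall: created '$ruleName'"
            }
        }
    }
}
```

Run it once without arguments to see the PKU2U value and which of the three ports are listening, then with `-Remediate -WhatIf` to preview the registry write and firewall rules before applying them with `-Remediate`. Because the script only checks local listeners, it says nothing about whether a port is reachable from the internet; that still has to be confirmed from outside, which is the “hunt down exposed systems” step Harris refers to.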
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.