CVE-2025-21418: Windows AFD.sys Privilege Escalation Zero-Day
A zero-day vulnerability in the Windows Ancillary Function Driver (afd.sys) allows local attackers to escalate privileges to SYSTEM level. Actively exploited in the wild. CVSS 7.8 HIGH. Patched in February 2025 Patch Tuesday but widely unpatched across enterprise environments months later.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-21418 |
| CVSS Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-787: Out-of-bounds Write |
| Published | February 11, 2025 |
| Exploitation | Active — CISA KEV listed |
What Is CVE-2025-21418?
CVE-2025-21418 is a Windows kernel vulnerability in afd.sys — the Ancillary Function Driver for WinSock, a kernel-mode component that handles Windows socket operations. An out-of-bounds write in the driver's IOCTL handling allows a local attacker to corrupt kernel memory and gain SYSTEM-level code execution.
This class of vulnerability is particularly dangerous in post-exploitation scenarios. Once an attacker has any local code execution (via phishing, RCE in a service, or initial access malware), CVE-2025-21418 provides a reliable path to full SYSTEM privileges — bypassing UAC and any user-level security controls.
⚠ Part of Multi-Stage Attack Chains
CVE-2025-21418 was observed being chained with phishing campaigns delivering initial access, followed by this LPE to achieve SYSTEM-level persistence. This pattern — initial access via phishing + kernel LPE — is characteristic of sophisticated ransomware affiliates and APT groups who need to deploy agents and modify system configurations.
Affected Systems
| Windows Version | Affected |
|---|---|
| Windows 10 (all versions) | Yes — unpatched |
| Windows 11 (all versions) | Yes — unpatched |
| Windows Server 2012 R2 | Yes — unpatched |
| Windows Server 2016 | Yes — unpatched |
| Windows Server 2019 | Yes — unpatched |
| Windows Server 2022 | Yes — unpatched |
| Windows Server 2025 | Yes — unpatched |
All versions prior to the February 2025 Patch Tuesday updates are vulnerable. Organizations with delayed patch cycles or systems exempt from automatic updates are at significant risk.
How AFD.sys Vulnerabilities Work
The Ancillary Function Driver is a kernel-mode driver that bridges userspace WinSock calls to the kernel networking stack. When a userspace application calls socket functions like WSAIoctl() or DeviceIoControl() with socket handles, the call passes through afd.sys.
The vulnerability is triggered by sending a specially crafted IOCTL request to the driver with a malformed buffer descriptor. The driver fails to properly validate the buffer boundaries before writing, leading to a kernel heap or stack memory corruption:
# Conceptual exploitation flow (simplified) 1. Open SOCKET handle 2. Send crafted DeviceIoControl() with IOCTL_AFD_[SPECIFIC_CODE] 3. Malformed buffer descriptor causes out-of-bounds write in kernel pool 4. Overwrite kernel object (e.g., TOKEN, EPROCESS) to elevate privileges 5. Spawn cmd.exe with SYSTEM token
The AFD driver has been a historically productive target — CVE-2023-21768 (another afd.sys LPE) was similarly exploited in ransomware campaigns before being patched.
Why Enterprise Patching Lags
Despite being patched in February 2025, CVE-2025-21418 remained unpatched on a significant percentage of enterprise Windows systems months after release, for several reasons:
- Patch ring deployments: Enterprise organizations test patches before broad deployment, creating multi-week windows
- Server exceptions: Critical servers running 24/7 workloads are often patched less frequently
- Legacy systems: Windows Server 2012 R2 on extended support has limited patching options
- Air-gapped environments: Isolated networks require manual patch deployment processes
Detection
Windows Event Logs
# Look for kernel fault events near exploitation time
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1001} |
Where-Object {$_.Message -like '*afd*'} |
Select-Object TimeCreated, Message
# Check for unexpected SYSTEM token spawning from user processes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
Where-Object {$_.Properties[6].Value -eq 'S-1-5-18'} |
Where-Object {$_.Properties[13].Value -notlike 'C:\Windows\*'}
EDR Behavioral Signatures
- User-context process spawning child processes with SYSTEM integrity level
- Unexpected
DeviceIoControlcalls to\Device\Afdwith unusual IOCTL codes - Process token manipulation from non-SYSTEM parents
- Kernel pool corruption events in crash dumps
Mitigation
- Apply KB5051974 (Windows 10/11) or equivalent Server patches from February 2025 Patch Tuesday immediately
- Enable Windows Defender Exploit Guard attack surface reduction rules to limit post-exploitation impact
- Implement least privilege: Minimize the number of users with local admin rights; LPE is only useful if an attacker already has some foothold
- Deploy EDR: Behavioral detection is the only pre-patch mitigation for LPE vulnerabilities of this class
- Monitor for LOLBins: Post-LPE activity often uses legitimate Windows tools; monitor for abnormal parent-child process relationships
KENSAI Detection Capability
- OS version scanning: KENSAI identifies unpatched Windows versions across your internal and cloud asset inventory
- Patch compliance reporting: Automated reporting of CVE-2025-21418 patch status across all Windows endpoints and servers
- Attack surface prioritization: Internet-facing Windows systems with unpatched LPE vulnerabilities are ranked highest risk
- Integration with patch management: KENSAI integrates with WSUS, SCCM, and Intune to correlate scan results with patch deployment status
Find Unpatched Windows Systems in Your Environment
KENSAI provides continuous visibility into patch status across all Windows endpoints. Identify CVE-2025-21418 exposure before attackers chain it with initial access.
Start Vulnerability Assessment →