High CVE-2025-21418 February 2026 · 7 min read

CVE-2025-21418: Windows AFD.sys Privilege Escalation Zero-Day

A zero-day vulnerability in the Windows Ancillary Function Driver (afd.sys) allows local attackers to escalate privileges to SYSTEM level. Actively exploited in the wild. CVSS 7.8 HIGH. Patched in February 2025 Patch Tuesday but widely unpatched across enterprise environments months later.


7.8
HIGH
AttributeValue
CVE IDCVE-2025-21418
CVSS VectorAV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWECWE-787: Out-of-bounds Write
PublishedFebruary 11, 2025
ExploitationActive — CISA KEV listed

What Is CVE-2025-21418?

CVE-2025-21418 is a Windows kernel vulnerability in afd.sys — the Ancillary Function Driver for WinSock, a kernel-mode component that handles Windows socket operations. An out-of-bounds write in the driver's IOCTL handling allows a local attacker to corrupt kernel memory and gain SYSTEM-level code execution.

This class of vulnerability is particularly dangerous in post-exploitation scenarios. Once an attacker has any local code execution (via phishing, RCE in a service, or initial access malware), CVE-2025-21418 provides a reliable path to full SYSTEM privileges — bypassing UAC and any user-level security controls.

⚠ Part of Multi-Stage Attack Chains

CVE-2025-21418 was observed being chained with phishing campaigns delivering initial access, followed by this LPE to achieve SYSTEM-level persistence. This pattern — initial access via phishing + kernel LPE — is characteristic of sophisticated ransomware affiliates and APT groups who need to deploy agents and modify system configurations.

Affected Systems

Windows VersionAffected
Windows 10 (all versions)Yes — unpatched
Windows 11 (all versions)Yes — unpatched
Windows Server 2012 R2Yes — unpatched
Windows Server 2016Yes — unpatched
Windows Server 2019Yes — unpatched
Windows Server 2022Yes — unpatched
Windows Server 2025Yes — unpatched

All versions prior to the February 2025 Patch Tuesday updates are vulnerable. Organizations with delayed patch cycles or systems exempt from automatic updates are at significant risk.

How AFD.sys Vulnerabilities Work

The Ancillary Function Driver is a kernel-mode driver that bridges userspace WinSock calls to the kernel networking stack. When a userspace application calls socket functions like WSAIoctl() or DeviceIoControl() with socket handles, the call passes through afd.sys.

The vulnerability is triggered by sending a specially crafted IOCTL request to the driver with a malformed buffer descriptor. The driver fails to properly validate the buffer boundaries before writing, leading to a kernel heap or stack memory corruption:

# Conceptual exploitation flow (simplified)
1. Open SOCKET handle
2. Send crafted DeviceIoControl() with IOCTL_AFD_[SPECIFIC_CODE]
3. Malformed buffer descriptor causes out-of-bounds write in kernel pool
4. Overwrite kernel object (e.g., TOKEN, EPROCESS) to elevate privileges
5. Spawn cmd.exe with SYSTEM token

The AFD driver has been a historically productive target — CVE-2023-21768 (another afd.sys LPE) was similarly exploited in ransomware campaigns before being patched.

Why Enterprise Patching Lags

Despite being patched in February 2025, CVE-2025-21418 remained unpatched on a significant percentage of enterprise Windows systems months after release, for several reasons:

Detection

Windows Event Logs

# Look for kernel fault events near exploitation time
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1001} | 
  Where-Object {$_.Message -like '*afd*'} | 
  Select-Object TimeCreated, Message

# Check for unexpected SYSTEM token spawning from user processes
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
  Where-Object {$_.Properties[6].Value -eq 'S-1-5-18'} |
  Where-Object {$_.Properties[13].Value -notlike 'C:\Windows\*'}

EDR Behavioral Signatures

Mitigation

  1. Apply KB5051974 (Windows 10/11) or equivalent Server patches from February 2025 Patch Tuesday immediately
  2. Enable Windows Defender Exploit Guard attack surface reduction rules to limit post-exploitation impact
  3. Implement least privilege: Minimize the number of users with local admin rights; LPE is only useful if an attacker already has some foothold
  4. Deploy EDR: Behavioral detection is the only pre-patch mitigation for LPE vulnerabilities of this class
  5. Monitor for LOLBins: Post-LPE activity often uses legitimate Windows tools; monitor for abnormal parent-child process relationships

KENSAI Detection Capability

Find Unpatched Windows Systems in Your Environment

KENSAI provides continuous visibility into patch status across all Windows endpoints. Identify CVE-2025-21418 exposure before attackers chain it with initial access.

Start Vulnerability Assessment →

Related Articles

Redirecting... SaaS SOC2 Security Testing Guide Security Platform European Commission AWS Breach Exposes 350GB, TP-Link Router Flaws Allow Auth By