CVE-2025-49735: Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

More Likely

Patch Tuesday

2025-Jul

Released

2025-07-08

Last Updated

2025-07-17

EPSS Score

0.38% (percentile: 59.4%)

Description

Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.

FAQ

Are all Windows Servers affected by this vulnerability? This vulnerability only affects Windows Servers that are configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server. Domain controllers are not affected. According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. How could an attacker exploit this vulnerability? An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target.

Affected Products (13)

Windows

• Windows Server 2019
• Windows Server 2019 (Server Core installation)
• Windows Server 2022
• Windows Server 2022 (Server Core installation)
• Windows Server 2025 (Server Core installation)
• Windows Server 2022, 23H2 Edition (Server Core installation)
• Windows Server 2025
• Windows Server 2016
• Windows Server 2016 (Server Core installation)

ESU

• Windows Server 2012
• Windows Server 2012 (Server Core installation)
• Windows Server 2012 R2
• Windows Server 2012 R2 (Server Core installation)

Security Updates (7)

• 5060531
• 5060526
• 5060842
• 5060118
• 5061010
• 5061059
• 5061018

Acknowledgments

ʌ!ɔ⊥ojv with Kunlun Lab

Revision History

• 2025-07-08: Information published.
• 2025-07-14: Information published. This CVE was addressed by updates that were released in June 2025, but the CVE was inadvertently omitted from the June 2025 Security Updates. This is an informational change only. Customers who have already installed the June 2025 updates do not need to take any further action.
• 2025-07-15: Corrected Download and Article links in the Security Updates table. This is an informational change only.
• 2025-07-17: Corrected Download and Article links in the Security Updates table. This is an informational change only.