CVE-2025-24066 · Heap-based buffer overflow in Windows Kernel-Mode Drivers

01 · The Real Story

This is a crowbar left inside the building, not a key under the front mat

CVE-2025-24066 is a heap-based buffer overflow in the Windows Kernel Streaming Service Driver, tracked by Microsoft as an Elevation of Privilege issue. The practical outcome is kernel memory corruption that can let a local, already-authorized attacker move from a normal user context to SYSTEM. Microsoft lists a broad Windows footprint: older Windows 10 builds through current Windows 11 and Server releases were affected until their March 11, 2025 security updates, including build floors such as 19045 < 19045.5608, 22631 < 22631.5039, 20348 < 20348.3328, and 26100 < 26100.3476.

Vendor HIGH 7.8 is technically defensible in CVSS terms, but it overshoots enterprise patch urgency in the real world. The big friction point is attacker position: this bug is local-only and requires PR:L, which means it does not create initial access and it does not expand internet exposure. That makes it dangerous as ransomware/post-exploitation glue, but not something that should displace remotely reachable or actively exploited issues at the top of a 10,000-host queue.

"Post-compromise privilege escalator, not a perimeter emergency"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Land low-priv code on the host

The attacker first needs code execution as a normal or lightly privileged local user on a vulnerable Windows endpoint or server. In practice this usually comes from phishing, a browser exploit, malicious install package, stolen user access, or another local foothold. CVE-2025-24066 does nothing for initial access by itself.

Conditions required:

Attacker already has local execution on the Windows system
Target OS build is below the March 11, 2025 fixed level

Where this breaks in practice:

EDR, application control, email filtering, and browser hardening often stop the campaign before the CVE matters
This prerequisite implies the attacker is already inside the device

Detection/coverage: Vulnerability scanners can identify missing March 2025 Windows updates reliably, but they cannot prove exploitability without host context.

STEP 02

Trigger the Kernel Streaming driver bug

Using a crafted local program against the Kernel Streaming stack, the attacker attempts to hit the vulnerable code path and cause a heap-based overflow in kernel mode. A weaponized tool would typically be a custom native executable or a Metasploit-style local privilege escalation module if one ever appears publicly. The goal is deterministic memory corruption, not network interaction.

Conditions required:

Access to the vulnerable driver path from the attacker-controlled user context
Exploit code that matches the target build and memory layout

Where this breaks in practice:

Kernel exploitation is brittle across builds and mitigations
Driver attack surface may behave differently across hardware, codecs, and installed media components

Detection/coverage: Patch-state scanners see exposure; exploit detection is mostly behavioral via EDR crash telemetry, unusual driver interactions, and suspicious child processes.

STEP 03

Convert memory corruption into SYSTEM

If the overflow is made reliable, the attacker pivots from corruption to privilege escalation by overwriting kernel structures or stealing a privileged token. The end state is usually SYSTEM on that one host. At that point, common follow-on actions include disabling defenses, credential theft, service creation, and persistence.

Conditions required:

Successful kernel memory corruption
Exploit reliability on the exact patched/unpatched target state

Where this breaks in practice:

Modern mitigations, EDR kernel sensors, and exploit instability reduce successful conversion
Failure often causes crashes instead of clean privilege escalation

Detection/coverage: EDR may catch token theft, tamper attempts, LSASS access, service installs, or crash/reboot artifacts even if it misses the vulnerability trigger itself.

STEP 04

Use elevated rights for lateral objectives

SYSTEM on a workstation or server lets the operator raid credentials, dump secrets, tamper with security tooling, and prepare for lateral movement. The blast radius is meaningful, but it is still downstream of a prior compromise stage. This is why the bug matters operationally without deserving perimeter-panic handling.

Conditions required:

Host reaches SYSTEM compromise
Valuable credentials or trust material are present on the host

Where this breaks in practice:

Tiering, PAM, Credential Guard, and EDR containment limit what one compromised host can yield
Blast radius is usually host-local first, not enterprise-wide by default

Detection/coverage: Strong detection coverage exists for the *post-escalation* behavior: credential dumping, defense evasion, remote admin tool launches, and unusual service/task creation.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No authoritative evidence found of active exploitation as of the March 11, 2025 release; Microsoft exploit status was `Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely`.
KEV status	Not listed in CISA KEV at time of review.
Proof-of-concept availability	No credible public PoC or weaponized GitHub exploit surfaced in primary-source review. That lowers urgency materially for fleet-wide emergency handling.
EPSS	`0.00148` from the supplied intel — roughly a low exploitation probability signal, consistent with a local-only LPE that lacks public exploitation evidence.
CVSS vector	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` — the key words are AV:L and PR:L. High impact after compromise, but not reachable from the network and not unauthenticated.
Affected versions	Broad Windows coverage across Windows 10, Windows 11, and Server lines before March 2025 fixed builds; examples include `< 17763.7009`, `< 19044.5608`, `< 19045.5608`, `< 20348.3328`, `< 22621/22631.5039`, `< 25398.1486`, and `< 26100.3476`.
Fixed versions	March 11, 2025 cumulative updates remediate the issue. Common enterprise checkpoints are `20348.3328` for Server 2022, `22621.5039/22631.5039` for Windows 11 22H2/23H2, and `26100.3476` for Windows 11/Server 2025 24H2.
Scanning / exposure data	This is a local kernel driver flaw, so internet census platforms like Shodan/Censys/FOFA are the wrong lens. External exposure is not directly measurable at the network edge; patch inventory and EDR host telemetry are what matter.
Disclosure date	`2025-03-11` via Microsoft Patch Tuesday.
Research / reporting	Microsoft is the CNA/assigner. I did not find a public researcher credit or standalone technical advisory naming an external discoverer in the primary sources reviewed.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (6.1/10)

The decisive factor is attacker position: this bug requires an already-established local, low-privileged foothold, which makes it post-initial-access by definition. That sharply narrows the reachable population compared with remotely triggerable or unauthenticated flaws, even though the end result can be full SYSTEM on the host.

HIGH This is a local-only, post-compromise elevation path

MEDIUM No public exploitation or KEV evidence at time of reassessment

MEDIUM Affected/fixed build mapping across Windows branches

Why this verdict

Downgrade for foothold requirement: AV:L + PR:L means the attacker must already be on the box with a real user context. That is not initial access; it is post-compromise amplification.
Downgrade for exposure population: the vulnerable component lives on a very large Windows estate, but the *reachable* population is only the subset where an attacker already has local code execution. EDR, allowlisting, mail controls, and browser defenses should stop many intrusions before this CVE enters play.
Downgrade for threat signal: no KEV listing, no authoritative active exploitation signal, and a very low supplied EPSS all argue against emergency-tier prioritization.
Hold above LOW because impact is real: if exploited successfully, this is a kernel-to-SYSTEM jump with strong follow-on value for ransomware and lateral movement prep.
Hold above LOW because prevalence is broad: the affected footprint spans mainstream Windows client and server builds, so patching still buys meaningful risk reduction across a large estate.

Why not higher?

There is no network path, no unauthenticated reachability, and no evidence in the reviewed sources that operators are using this in the wild. A vulnerability that needs prior local execution should not outrank remotely exploitable, externally exposed, or KEV-listed issues just because the post-exploit impact is severe.

Why not lower?

This is still kernel-level memory corruption in a widely deployed platform, not a cosmetic bug. Once an attacker has a foothold, converting it into SYSTEM can materially worsen containment, enable credential theft, and accelerate domain-wide damage if the host holds privileged access.

05 · Compensating Control

What to do — in priority order.

Prioritize admin-tier and server patching first — Even with a MEDIUM verdict, focus the remediation window on systems where a SYSTEM jump is most valuable: admin workstations, jump boxes, terminal servers, VDI masters, and application servers. There is no mitigation SLA — go straight to the 365-day remediation window, but do not leave privileged tiers until the end of that window.
Reduce low-priv execution paths — Tighten application control, script restrictions, and user write/execute locations so attackers struggle to obtain the local foothold this bug requires. For a MEDIUM finding there is no mitigation SLA, so use the remediation period to shrink exploit preconditions rather than inventing emergency change activity.
Harden credential exposure on endpoints — Enable or verify Credential Guard, LSA protection, PAW/PAM controls, and admin tier separation so a single SYSTEM compromise yields less reusable access. This matters because the business risk of this CVE is mostly what happens *after* local privilege escalation.
Watch for post-escalation behavior — Tune EDR detections for token abuse, LSASS access, security tool tampering, suspicious service creation, and unusual child processes from user-space launch points. You are unlikely to catch the exact kernel bug trigger consistently, but you can catch the operator immediately after they land SYSTEM.

What doesn't work

Perimeter firewalls or WAF rules do not help; this is not a network-reachable flaw.
Internet exposure reduction projects do not materially change risk here because the bug is local-only.
Credential rotation alone does not fix the underlying host exposure; it only limits some follow-on abuse after SYSTEM is achieved.

06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or through your remote management channel such as WinRM, MECM, or Intune script execution. Invoke it with powershell -ExecutionPolicy Bypass -File .\Test-CVE-2025-24066.ps1; standard user rights are usually enough because it only reads local OS version data from the registry.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# Test-CVE-2025-24066.ps1

# Checks whether the current Windows build is below the fixed build for CVE-2025-24066.

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=ERROR


$ErrorActionPreference = 'Stop'

function Get-OsBuildInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr = [int]$cv.UBR
    $product = [string]$cv.ProductName
    $displayVersion = [string]$cv.DisplayVersion
    return [pscustomobject]@{
        Product        = $product
        DisplayVersion = $displayVersion
        Build          = $build
        UBR            = $ubr
        FullVersion    = "$build.$ubr"
    }
}

function Get-FixedUBR([int]$build) {
    switch ($build) {
        10240 { return 20947 }   # Windows 10 1507

        14393 { return 7876 }    # Windows 10/Server 2016 1607

        17763 { return 7009 }    # Windows 10/Server 2019 1809

        19044 { return 5608 }    # Windows 10 21H2

        19045 { return 5608 }    # Windows 10 22H2

        20348 { return 3328 }    # Windows Server 2022

        22621 { return 5039 }    # Windows 11 22H2

        22631 { return 5039 }    # Windows 11 23H2

        25398 { return 1486 }    # Windows Server 2022 23H2 (Server Core)

        26100 { return 3476 }    # Windows 11/Server 2025 24H2

        default { return $null }
    }
}

try {
    $os = Get-OsBuildInfo
    $fixedUbr = Get-FixedUBR -build $os.Build

    if ($null -eq $fixedUbr) {
        Write-Output "UNKNOWN - Unmapped Windows build $($os.FullVersion) ($($os.Product) $($os.DisplayVersion)) for CVE-2025-24066 check"
        exit 2
    }

    if ($os.UBR -lt $fixedUbr) {
        Write-Output "VULNERABLE - Current build $($os.FullVersion) is below fixed build $($os.Build).$fixedUbr for CVE-2025-24066"
        exit 1
    }
    else {
        Write-Output "PATCHED - Current build $($os.FullVersion) meets or exceeds fixed build $($os.Build).$fixedUbr for CVE-2025-24066"
        exit 0
    }
}
catch {
    Write-Output "UNKNOWN - Error while checking CVE-2025-24066: $($_.Exception.Message)"
    exit 3
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: keep this below remotely exploitable and KEV-listed work, but add it to your regular Windows servicing stream and front-load privileged tiers like admin workstations, jump hosts, VDI gold images, and servers that hold reusable credentials. For a MEDIUM noisgate rating there is no noisgate mitigation SLA — go straight to the 365-day remediation window, so use that time to harden local execution and credential exposure while you deploy the March 11, 2025 Windows updates; the noisgate remediation SLA here is ≤ 365 days.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.