Background
afd.sys strikes again. Less than six months after CVE-2024-38193 (another AFD driver LPE exploited by Lazarus Group), a new privilege escalation was found in the same driver — CVE-2025-21418, patched in February 2025 Patch Tuesday. This was confirmed as actively exploited in the wild before the patch.
The recurring pattern of AFD driver vulnerabilities isn’t a coincidence. afd.sys is a complex kernel component that handles the intersection of user-mode socket operations and kernel networking. Its complexity and the sensitivity of its privilege interactions make it a recurring hunting ground for vulnerability researchers — both those working for defenders and those working for attackers.
Technical Mechanism
As with CVE-2024-38193, CVE-2025-21418 is a vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys). The specific class of vulnerability is a heap-based buffer overflow in the kernel driver.
The heap overflow occurs when the driver processes certain WinSock API calls with attacker-controlled parameters. By carefully controlling the size and content of the buffer, an attacker can drive the following chain:
- A user-mode application makes specific WinSock API calls with oversized or malformed parameters
- afd.sys allocates a kernel pool buffer and copies user data into it without proper bounds checking
- The overflow corrupts adjacent kernel pool objects
- Through kernel pool grooming techniques, the attacker places a crafted object adjacent to the overflow target
- The overwritten kernel object contains function pointers or privilege tokens that the attacker manipulates
- Code execution in the kernel context is achieved, and the process token is elevated to SYSTEM
This type of kernel pool overflow exploitation is well-understood by advanced attackers. The specific gadgets and techniques vary, but the general pattern has been used in Windows LPE exploits for many years.
Real-World Exploitation Evidence
Microsoft confirmed active exploitation at the time of the February 2025 patch. Details on the specific threat actor were initially limited, but:
- The zero-day confirmation coincided with a broader set of Windows LPE zero-days patched in the same Patch Tuesday, suggesting coordinated or well-resourced threat actor activity
- The February 2025 Patch Tuesday addressed several zero-days simultaneously (including CVE-2025-21391 and CVE-2025-21335), indicating active campaigns using Windows kernel vulnerabilities
- Security researchers noted the exploit was likely shared among multiple threat actors given the speed at which exploitation was reported
- Based on the AFD driver exploitation history (Lazarus Group with CVE-2024-38193), North Korean actor involvement was considered plausible by multiple analysts
Impact Assessment
- SYSTEM privilege escalation from any user-level code execution
- Chained exploit potential — designed to be paired with initial access vulnerabilities (phishing, browser exploits, etc.)
- Security tool bypass — SYSTEM access enables disabling security software
- Credential theft — access to LSASS and other credential stores
- Ransomware precursor — SYSTEM access is required for deploying ransomware across enterprise environments
- Kernel-mode rootkit deployment — as seen with CVE-2024-38193, kernel LPEs enable rootkit deployment
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Windows 10 (21H2, 22H2) | Before February 2025 patches | KB5051974 |
| Windows 11 (22H2, 23H2, 24H2) | Before February 2025 patches | KB5051987, KB5051989 |
| Windows Server 2019 | Before February 2025 patches | KB5051971 |
| Windows Server 2022 | Before February 2025 patches | KB5051979 |
| Windows Server 2025 | Before February 2025 patches | KB5051987 |
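The following PowerShell check is an added example and not part of the original advisory. It maps the running build to the KB listed in the table above and reports whether that update, or a later cumulative update that supersedes it, is installed. The build-to-KB mapping is taken from the table; the "later cumulative update" heuristic and the function name are this example's own assumptions, so confirm the installed UBR against the MSRC release notes before closing a ticket.

```powershell
# Added example, not from the original post: check whether the February 2025
# cumulative update for CVE-2025-21418 (from the table above) is installed.
# Build numbers are the standard Windows release builds for each version.
$Feb2025Kb = @{
    '19044' = 'KB5051974'   # Windows 10 21H2
    '19045' = 'KB5051974'   # Windows 10 22H2
    '22621' = 'KB5051989'   # Windows 11 22H2
    '22631' = 'KB5051989'   # Windows 11 23H2
    '26100' = 'KB5051987'   # Windows 11 24H2 / Windows Server 2025
    '17763' = 'KB5051971'   # Windows Server 2019
    '20348' = 'KB5051979'   # Windows Server 2022
}

function Test-Cve202521418Patch {
    param(
        # Defaults read the live system; both can be overridden for testing.
        [string]$BuildNumber = (Get-CimInstance Win32_OperatingSystem).BuildNumber,
        [object[]]$InstalledHotfix = (Get-HotFix)
    )
    $requiredKb = $Feb2025Kb[$BuildNumber]
    if (-not $requiredKb) {
        return [pscustomobject]@{
            Build = $BuildNumber; RequiredKb = $null
            Status = 'Unknown build; consult the MSRC advisory for this version'
        }
    }
    $hasExactKb = $InstalledHotfix | Where-Object { $_.HotFixID -eq $requiredKb }
    # Cumulative updates supersede each other: a machine that took a later LCU
    # will not list the February KB id. A Security Update installed on or after
    # Patch Tuesday (11 Feb 2025) is treated as covering it (assumed heuristic).
    $laterLcu = $InstalledHotfix | Where-Object {
        $_.Description -eq 'Security Update' -and
        $_.InstalledOn -and
        $_.InstalledOn -ge [datetime]'2025-02-11'
    }
    $status = if ($hasExactKb) { 'Patched (exact KB present)' }
              elseif ($laterLcu) { 'Likely patched (later cumulative update present); verify UBR' }
              else { 'VULNERABLE: February 2025 update missing' }
    [pscustomobject]@{ Build = $BuildNumber; RequiredKb = $requiredKb; Status = $status }
}

Test-Cve202521418Patch
```

Run it per host, or wrap the call in `Invoke-Command` across an inventory; an `Unknown build` result means the host is a version the table does not cover and needs a manual check, not that it is safe.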
Remediation Steps
- Apply February 2025 Patch Tuesday updates immediately
- Given the pattern of AFD driver exploitation by sophisticated actors, treat this as high priority even in environments that seem low-risk
- If any endpoints were running unpatched Windows during the zero-day exploitation window, conduct endpoint forensics:
  - Look for unexpected SYSTEM-level process activity
  - Review network connections from endpoints around the zero-day period
- Enable comprehensive process creation auditing (Event ID 4688 with command line logging):

  ```
  auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
  ```

  The auditpol command enables the audit subcategory; capturing the command line in 4688 events additionally requires the "Include command line in process creation events" policy setting.
- Deploy EDR with kernel-level telemetry capable of detecting privilege escalation attempts
Detection Guidance
Kernel monitoring — kernel pool overflows often cause instability. Look for:
- Unexpected system crashes (BSODs) with afd.sys in the crash stack
- Windows Error Reporting entries related to afd.sys
- System reliability data showing unexpected crashes
Process telemetry:
- Track privilege token changes — processes that gain SYSTEM tokens without going through standard elevation (UAC, runas, service start) are suspicious
- Monitor for afd.sys-related kernel events in ETW streams if you have kernel ETW monitoring
SIEM rule:

```
event_source = "Microsoft-Windows-Kernel-Process" AND
event_id = 2 AND (
    target_process_integrity_level = "System" AND
    source_process_integrity_level IN ("Medium", "Low", "AppContainer")
)
```
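For hosts without a SIEM feed, the two signals above (SYSTEM-integrity processes that did not arrive via a normal elevation path, and recent bugchecks to triage for afd.sys) can be pulled from the local event logs. The PowerShell below is an added example, not part of the original guidance; the 4688 and bugcheck 1001 field names are the standard ones, while the parent allow-list, the look-back windows and the function names are assumptions to tune for your environment.

```powershell
# Added example, not from the original post: local hunting for the process
# telemetry and crash signals described in the detection guidance above.
function Find-SuspiciousSystemProcess {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    # Parents that legitimately create SYSTEM-integrity processes (service
    # control, session setup, installers). Assumed allow-list; tune it.
    $expectedParents = @('services.exe', 'wininit.exe', 'winlogon.exe',
                         'smss.exe', 'svchost.exe', 'msiexec.exe')

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4688 carries its fields in EventData; flatten them into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            SubjectSid = $d.SubjectUserSid
            Process    = $d.NewProcessName
            Parent     = [System.IO.Path]::GetFileName([string]$d.ParentProcessName)
            Label      = $d.MandatoryLabel      # S-1-16-16384 = System integrity
            Command    = $d.CommandLine         # populated only with command line auditing on
        }
    } |
    Where-Object {
        # A System-integrity process created under a non-service account from
        # a parent outside the normal elevation paths: the "SYSTEM token without
        # UAC / runas / service start" pattern from the bullet above.
        $_.Label -eq 'S-1-16-16384' -and
        $_.SubjectSid -notin @('S-1-5-18', 'S-1-5-19', 'S-1-5-20') -and
        $_.Parent -notin $expectedParents
    }
}

function Find-RecentBugcheck {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # System log event 1001 from WER-SystemErrorReporting records "rebooted
    # from a bugcheck". The faulting module (e.g. afd.sys) is only visible in
    # the dump, so this surfaces crashes to triage with WinDbg (!analyze -v).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        Id           = 1001
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}

Find-SuspiciousSystemProcess | Format-Table -AutoSize
Find-RecentBugcheck | Format-List
```

Both functions need to run elevated to read the Security log. Expect some noise from legitimate installers and management agents on the first pass; add their parent images to the allow-list rather than loosening the integrity-label or subject-SID conditions, since those are what distinguish an unexpected SYSTEM token from ordinary elevation.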
Suricata signature:

```
alert tcp $HOME_NET any -> any any (msg:"Possible Exploit Chain Using CVE-2025-21418 AFD LPE - Suspicious C2"; flow:established,to_server; dsize:>512; content:"|00 00 00 00|"; offset:0; depth:4; classtype:trojan-activity; sid:2034022; rev:1;)
```

This rule's content match (four null bytes at the start of any established outbound payload over 512 bytes) is generic and will fire on legitimate traffic; treat it as a low-confidence pivot to be tuned against your environment's C2 indicators rather than a standalone detection.
Timeline
| Date | Event |
|---|---|
| Early 2025 | CVE-2025-21418 exploited as zero-day |
| 11 February 2025 | Microsoft patches CVE-2025-21418 in February Patch Tuesday |
| February 2025 | CISA adds to Known Exploited Vulnerabilities catalogue |
| February 2025 | Multiple Windows zero-days patched simultaneously, suggesting active campaigns |