
With over 1.4 billion devices running Windows and widespread adoption of Microsoft 365 and Azure, Microsoft technologies continue to form the foundation of modern enterprise infrastructure. However, this ubiquity also makes them an attractive target for threat actors. According to the findings of the 2025 BeyondTrust Microsoft Vulnerabilities Report, 2024 saw a record-breaking 1,360 Microsoft-related vulnerabilities — an 11% increase year-over-year — underscoring the growing attack surface.
This rising trend is reflected in Microsoft’s latest Patch Tuesday, which addressed 130 vulnerabilities, including the critical CVE-2025-47981. This heap-based buffer overflow in Windows SPNEGO Extended Negotiation (CVSS 9.8) enables remote code execution. As threat actors increasingly exploit core Microsoft components, defenders must prioritize rapid detection and mitigation.
Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time CTI and curated detection algorithms to address emerging threats. Security teams can explore an extensive collection of context-enriched Sigma rules tagged by “CVE,” backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection.
All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs into actionable hunting queries, craft detection rules from raw threat reports, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.
CVE-2025-47981 Analysis
For July 2025 Patch Tuesday, Microsoft rolled out fixes for 130 security flaws, including a critical, wormable RCE vulnerability tracked as CVE-2025-47981 that affects both Windows and Windows Server.
CVE-2025-47981 is a heap-based buffer overflow vulnerability in the SPNEGO Extended Negotiation mechanism with a CVSS score of 9.8. An attacker can weaponize this flaw by sending a crafted message to a vulnerable system—no user interaction required. The attacker's code runs with elevated privileges, which makes the flaw wormable. Microsoft has rated this vulnerability at the highest level of exploitability, indicating likely exploitation within 30 days.
The patch is included in the security updates for numerous versions of Windows and Windows Server. Microsoft noted that this vulnerability affects Windows 10 (version 1607 and later) because of the default state of the PKU2U Group Policy setting. As a result, timely patching remains the most feasible CVE-2025-47981 mitigation approach. Saeed Abbasi from Qualys Threat Research Unit recommended prioritizing updates for internet-facing systems, VPN-accessible assets, and any systems interacting with Active Directory. For systems where patching isn’t possible, it is worth disabling the PKU2U GPO setting and blocking inbound ports 135, 445, and 5985 at the network perimeter.
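The following PowerShell audit script is an added example, not code from the original post or from SOC Prime; it checks whether the two interim mitigations above are in place on a host. It assumes the PKU2U policy ("Network security: Allow PKU2U authentication requests to this computer to use online identities") is stored as the AllowOnlineID value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u, and it reports the host-level state of ports 135, 445 and 5985 as a complement to the perimeter blocking the post recommends.

```powershell
# Added audit example (not from the original post). Assumes the PKU2U policy
# maps to HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
# (REG_DWORD, 0 = disabled). Run in an elevated PowerShell session.
function Test-Pku2uMitigation {
    [CmdletBinding()]
    param(
        # Ports the post recommends blocking inbound at the perimeter.
        [int[]]$PortsToCheck = @(135, 445, 5985)
    )
    $result = [ordered]@{}

    # 1. PKU2U policy state. A missing value means "Not Configured", which
    #    the post says leaves the setting at its default on Windows 10 1607+.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
    $val = Get-ItemProperty -Path $key -Name AllowOnlineID -ErrorAction SilentlyContinue
    if ($null -eq $val) {
        $result['Pku2uPolicy']   = 'NotConfigured (default applies)'
        $result['Pku2uDisabled'] = $false
    } else {
        $result['Pku2uPolicy']   = "AllowOnlineID=$($val.AllowOnlineID)"
        $result['Pku2uDisabled'] = ($val.AllowOnlineID -eq 0)
    }

    # 2. Host view of the recommended ports: is anything listening, and does an
    #    enabled inbound TCP block rule name the port? (Port ranges in a rule,
    #    e.g. "5985-5986", are not expanded by this simple check.)
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LocalPort -Unique
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True `
                  -ErrorAction SilentlyContinue
    $blockedPorts = @()
    foreach ($rule in $blockRules) {
        $pf = $rule | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
        if ($pf -and $pf.Protocol -eq 'TCP') { $blockedPorts += $pf.LocalPort }
    }
    foreach ($p in $PortsToCheck) {
        $result["Port$p"] = [pscustomobject]@{
            Listening     = ($listening -contains $p)
            HostBlockRule = ($blockedPorts -contains "$p")
        }
    }
    [pscustomobject]$result
}

Test-Pku2uMitigation | Format-List
```

A result of Pku2uDisabled = False on an unpatched host, or a listening port without a block rule, flags a machine that still relies on perimeter filtering alone.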
To stay ahead of the ever-expanding attack surface, organizations can rely on SOC Prime’s top expertise and AI, offering a detection rule marketplace, threat hunting automation, detection engineering, AI-native threat intelligence, and more capabilities to transform your SOC. By leveraging SOC Prime’s complete product suite backed by AI, automation, and actionable CTI, and built on zero-trust principles, security teams can effectively minimize the risks of vulnerability exploitation and of the other emerging threats they anticipate most.
The post CVE-2025-47981: Critical Heap-Based Buffer Overflow Vulnerability in Windows SPNEGO Extended Negotiation Leads to RCE appeared first on SOC Prime.