Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

IdentifiersCVE-2025-21418CWE-269

CVE-2025-21418 is an elevation-of-privilege vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys). The provided content consistently identifies the affected component as AFD.sys and states that successful exploitation allows execution of a specially crafted local program to elevate privileges to SYSTEM. Multiple sources in the content note that the vulnerability was under active exploitation in the wild at the time of Microsoft’s February 2025 Patch Tuesday release. Although one mention context characterizes it as similar to prior AFD.sys use-after-free issues, the provided material does not supply authoritative technical details such as the exact vulnerable function, code path, or a confirmed CWE classification for this specific CVE.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local attacker to elevate privileges from a lower-privileged context to SYSTEM on the affected Windows host. This level of access would enable full compromise of the local machine, including execution of arbitrary code as SYSTEM, disabling defenses, credential theft, persistence, and follow-on lateral movement. The content also indicates the vulnerability was actively exploited in the wild, increasing operational risk.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce opportunities for local code execution by untrusted users and applications, restrict interactive logon rights, enforce application control, and monitor for suspicious privilege-escalation behavior on Windows hosts. Because the vulnerability is local and was reportedly exploited in the wild, compensating controls should focus on limiting attacker footholds and detecting post-compromise escalation attempts. The provided content does not describe any vendor-supplied workaround specific to this CVE.

Remediation

Patch, then assume compromise.

Apply Microsoft’s February 2025 security updates that address CVE-2025-21418 across affected Windows client and server platforms. Prioritize patching internet-exposed, multi-user, and high-value systems where local code execution by unprivileged or low-privileged users is possible. Validate that the relevant cumulative/security update for the installed Windows version has been successfully deployed.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Microsoft CorporationWindows 10 1507operating_system
Microsoft CorporationWindows 10 1607operating_system
Microsoft CorporationWindows 10 1809operating_system
Microsoft CorporationWindows 10 21h2operating_system
Microsoft CorporationWindows 10 22h2operating_system
Microsoft CorporationWindows 11 22h2operating_system
Microsoft CorporationWindows 11 23h2operating_system
Microsoft CorporationWindows 11 24h2operating_system
Microsoft CorporationWindows Server 2008operating_system
Microsoft CorporationWindows Server 2008 R2operating_system
Microsoft CorporationWindows Server 2008 Sp2operating_system
Microsoft CorporationWindows Server 2012operating_system
Microsoft CorporationWindows Server 2012 R2operating_system
Microsoft CorporationWindows Server 2016operating_system
Microsoft CorporationWindows Server 2019operating_system
Microsoft CorporationWindows Server 2022operating_system
Microsoft CorporationWindows Server 2022 23h2operating_system
Microsoft CorporationWindows Server 2025operating_system
Microsoft CorporationWindows Server 23h2operating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app
rapid7 blogNews
Jan 28, 2026
Patch Tuesday and the Enduring Challenge of Windows’ Backwards Compatibility

A Windows Ancillary Function Driver (AFD) vulnerability (kernel/user boundary) discussed in the context of recent AFD zero-days; treated as a likely elevation-of-privilege issue affecting kernel parsing of user-mode input.

Read more
expel blogNews
Jan 14, 2026
Patch Tuesday: January 2026 (Expel’s version) | Expel

An elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock.

Read more
sophos threat researchNews
Jan 1, 2026
February Patch Tuesday delivers 57 packages | SOPHOS

A Windows Ancillary Function Driver for WinSock elevation of privilege vulnerability that Microsoft reports is under active exploitation in the wild.

Read more
zeropath blogNews
May 13, 2025
Windows AFD.sys Zero-Day CVE-2025-32709: Exploiting Use-After-Free for SYSTEM Privileges - ZeroPath Blog | ZeroPath

Another use-after-free vulnerability in the Windows AFD.sys driver that was reportedly exploited by ransomware actors.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-21418
NVD
nvd.nist.gov/vuln/detail/CVE-2025-21418
MITRE CWE · CWE-269
cwe.mitre.org
Patch
msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21418
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21418