CVE-2025-21307 Overview
CVE-2025-21307 is a remote code execution vulnerability in the Windows Reliable Multicast Transport Driver (RMCAST), which implements the Pragmatic General Multicast (PGM) protocol. The flaw is a use-after-free condition [CWE-416] that an unauthenticated attacker can trigger by sending crafted packets to a system with an active PGM listener. Successful exploitation grants code execution at the kernel level. Microsoft published the advisory on January 14, 2025, and the issue affects supported releases of Windows 10, Windows 11, and Windows Server, including Server 2025.
Critical Impact
Unauthenticated network attackers can achieve remote code execution on Windows systems running Windows Message Queuing (MSMQ) with PGM enabled, exposing both client and server fleets to full compromise.
Affected Products
- Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Windows 11 (22H2, 23H2, 24H2)
- Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-01-14 - Microsoft releases security update for CVE-2025-21307
- 2025-01-14 - CVE-2025-21307 published to NVD
- 2025-01-24 - Last updated in NVD database
Technical Details for CVE-2025-21307
Vulnerability Analysis
The vulnerability resides in rmcast.sys, the Windows kernel driver that handles the Pragmatic General Multicast (PGM) reliable multicast protocol. PGM is exposed only when a Windows Message Queuing (MSMQ) endpoint is configured to use multicast delivery. When the listener is active, the driver parses inbound PGM packets directly in kernel mode, which makes a memory-safety defect in the parser reachable from the network without authentication.
The defect is classified as a use-after-free [CWE-416]. The driver releases an object during PGM packet processing but retains a reference that is later dereferenced. An attacker who controls the timing and contents of subsequent packets can influence the freed allocation and steer execution. The flaw is exploitable over the network with no privileges and no user interaction, which is reflected in the EPSS score of 10.77% (93rd percentile).
Root Cause
The root cause is improper lifetime management of a heap-allocated structure within the RMCAST PGM packet handler. The driver fails to clear or re-validate a pointer after the underlying object is freed, allowing a later code path to operate on attacker-controlled memory.
Attack Vector
Exploitation requires that the target host has an MSMQ queue configured with PGM multicast and that the RMCAST listener (UDP port 2103 by default) is reachable from the attacker. The attacker sends a sequence of crafted PGM packets that trigger the free, groom the kernel pool, and then drive the dangling reference into a controlled callback. Successful exploitation yields kernel-mode code execution. Vulnerable systems without MSMQ installed or without PGM enabled are not exposed to remote attack through this driver.
No public proof-of-concept exploit has been published for CVE-2025-21307 at the time of writing, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Microsoft Security Update Guide for CVE-2025-21307 for vendor-authoritative technical context.
Detection Methods for CVE-2025-21307
Indicators of Compromise
- Unexpected inbound traffic to UDP port 2103, 2104, or 2105 on hosts that do not host MSMQ multicast queues.
- Anomalous PGM packet bursts to hosts where the MSMQ and mqac.sys services are loaded.
- Kernel crashes or bug checks referencing rmcast.sys in Minidump files or WER reports.
- Spawning of cmd.exe, powershell.exe, or other LOLBins by System or services.exe shortly after PGM traffic activity.
Detection Strategies
- Inventory hosts where the Microsoft Message Queue Server (MSMQ) feature is installed and identify those with PGM multicast bindings.
- Hunt for processes loading rmcast.sys on hosts that do not require multicast queuing, which indicates unnecessary attack surface.
- Correlate kernel bug checks with prior inbound multicast or PGM traffic from external or untrusted segments.
- Apply network IDS signatures that flag malformed PGM (IP protocol 113) packets and oversized PGM option headers.
Monitoring Recommendations
- Enable Windows Defender Firewall logging on UDP 2103 to 2105 and review allow/deny outcomes daily.
- Monitor Windows Event Log System channel for BugCheck entries citing modules in the multicast stack.
- Track new MSMQ feature installations through Sysmon Event ID 1 and PowerShell Get-WindowsFeature baselines.
- Alert on creation of new MSMQ multicast queues using audit policy on the \MSMQ\Queues registry hive.
How to Mitigate CVE-2025-21307
Immediate Actions Required
- Apply the Microsoft January 2025 security updates to every Windows 10, Windows 11, and Windows Server host in scope.
- Identify hosts with the MSMQ feature installed using Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicast and prioritize patching those first.
- Remove the MSMQ feature on systems that do not require message queuing to eliminate the RMCAST attack surface entirely.
- Block inbound UDP 2103, 2104, and 2105 at the perimeter and on internal segments that do not need PGM multicast.
Patch Information
Microsoft released cumulative updates addressing CVE-2025-21307 on January 14, 2025, across all supported Windows client and server versions, including legacy Server 2008 and 2012 through Extended Security Updates. Refer to the Microsoft Security Update Guide for CVE-2025-21307 for the KB article matching each affected build.
Workarounds
- Uninstall the MSMQ feature where it is not required: Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Container.
- Where MSMQ is required, disable PGM multicast support by removing the MSMQ-Multicast sub-feature while retaining unicast queuing.
- Restrict PGM traffic to known sender and receiver hosts using host-based firewall rules scoped by IP range.
- Segment MSMQ servers from general user networks so that PGM listeners are unreachable from workstations and the internet.
# Configuration example: disable MSMQ multicast and block PGM traffic
# Run from an elevated PowerShell prompt
# 1. Remove the MSMQ multicast sub-feature
Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicast -NoRestart
# 2. Block PGM traffic (UDP 2103-2105) at the host firewall
New-NetFirewallRule -DisplayName "Block PGM RMCAST Inbound" `
-Direction Inbound -Protocol UDP -LocalPort 2103-2105 `
-Action Block -Profile Any
# 3. Verify MSMQ multicast feature state
Get-WindowsOptionalFeature -Online -FeatureName MSMQ-Multicast
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
