CVE-2025-21379 Overview
CVE-2025-21379 is a remote code execution vulnerability in the Microsoft Windows Dynamic Host Configuration Protocol (DHCP) Client Service. The flaw stems from a use-after-free condition [CWE-416] in the DHCP client implementation shipped with Windows 11 24H2 and Windows Server 2025. An attacker on an adjacent network can exploit the vulnerability to execute arbitrary code on a vulnerable host. Successful exploitation requires user interaction and high attack complexity, but compromises the confidentiality, integrity, and availability of the target system. Microsoft published the advisory on February 11, 2025 as part of its monthly security update cycle.
Critical Impact
An adjacent network attacker who successfully exploits this DHCP client flaw can execute arbitrary code on Windows 11 24H2 and Windows Server 2025 hosts, with full impact on confidentiality, integrity, and availability.
Affected Products
- Microsoft Windows 11 24H2 (x64)
- Microsoft Windows 11 24H2 (ARM64)
- Microsoft Windows Server 2025 (x64)
Discovery Timeline
- 2025-02-11 - CVE-2025-21379 published to NVD and addressed in Microsoft's February 2025 security update
- 2025-02-14 - Last updated in NVD database
Technical Details for CVE-2025-21379
Vulnerability Analysis
The vulnerability resides in the Windows DHCP Client Service, which negotiates IP configuration with DHCP servers on the local broadcast domain. Microsoft classifies the issue under [CWE-416] Use After Free, meaning the service references memory after it has been released. An attacker who can deliver crafted DHCP traffic on an adjacent network segment can trigger the dangling pointer condition. Reuse of the freed object permits the attacker to influence control flow inside the privileged client process.
Exploitation requires user interaction, which typically means an action that causes the host to renew a lease or attach to an attacker-controlled network. Because the DHCP client runs with elevated privileges, successful code execution yields high impact across confidentiality, integrity, and availability. The EPSS model places exploitation probability at roughly 1.22%, with a percentile of 79.2.
Root Cause
The defect is a use-after-free in the DHCP client's handling of protocol messages. Object lifetime is not correctly tracked across asynchronous DHCP operations, allowing freed memory to be referenced during subsequent processing. Public technical details are limited; Microsoft has not published exploit specifics. Refer to the Microsoft Security Update CVE-2025-21379 advisory for the authoritative description.
Attack Vector
The attack vector is adjacent network, meaning the attacker must be positioned on the same layer-2 broadcast domain or logical network segment as the victim. The attacker sends crafted DHCP responses or options to the client. Combined with the required user interaction, the attacker typically lures the victim onto a rogue or attacker-controlled DHCP network before triggering memory corruption inside the privileged service.
No public proof-of-concept code is currently available for CVE-2025-21379. See the vendor advisory for technical details.
Detection Methods for CVE-2025-21379
Indicators of Compromise
- Unexpected crashes or restarts of the dhcpcsvc.dll-hosted service or the svchost.exe process hosting the DHCP Client.
- Anomalous DHCP traffic patterns from untrusted sources, including malformed options or oversized vendor-specific fields.
- New child processes spawned by the DHCP Client service context, which is not expected behavior on a healthy Windows host.
Detection Strategies
- Monitor for Windows Error Reporting (WER) events and crash dumps that reference the DHCP client service or related modules.
- Inspect network telemetry for rogue DHCP servers on enterprise subnets, including unauthorized DHCPOFFER and DHCPACK traffic.
- Correlate process lineage events to flag any code execution chains originating from the DHCP Client service.
Monitoring Recommendations
- Enable DHCP server authorization in Active Directory and alert on unauthorized DHCP server announcements.
- Forward Sysmon process creation, image load, and network connection events to a centralized analytics platform for behavioral review.
- Audit endpoints to confirm the February 2025 cumulative update is installed on all Windows 11 24H2 and Windows Server 2025 systems.
How to Mitigate CVE-2025-21379
Immediate Actions Required
- Apply the February 2025 Microsoft security update on all Windows 11 24H2 and Windows Server 2025 systems referenced in the advisory.
- Inventory affected hosts using configuration management tooling and prioritize patching of mobile and roaming endpoints that frequently attach to untrusted networks.
- Enforce DHCP snooping and rogue DHCP server detection on managed network infrastructure.
Patch Information
Microsoft released a security update addressing CVE-2025-21379 on February 11, 2025. Patch availability and KB identifiers are documented in the Microsoft Security Update CVE-2025-21379 advisory. Administrators should deploy the update through Windows Update, Windows Server Update Services (WSUS), or Microsoft Intune according to standard change management procedures.
Workarounds
- Restrict use of untrusted Wi-Fi and public networks on unpatched Windows 11 24H2 and Windows Server 2025 endpoints until the security update is applied.
- Enable DHCP snooping on managed switches and use 802.1X network access control to limit which devices can serve DHCP traffic.
- Segment user and server subnets to reduce the population of hosts an attacker on an adjacent network can reach.
# Verify the DHCP Client service status and confirm latest update on Windows
Get-Service -Name Dhcp
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
