CVE-2025-27473 Overview
CVE-2025-27473 is an uncontrolled resource consumption vulnerability in the Windows HTTP.sys kernel-mode driver. An unauthenticated remote attacker can send specially crafted HTTP traffic to exhaust system resources and cause a denial of service. The flaw affects a broad range of Windows client and server versions, including Windows 10, Windows 11, and Windows Server releases from 2008 through 2025. Microsoft published the advisory on April 8, 2025, and tracks the issue under CWE-400. The EPSS percentile of 97.497 indicates a high likelihood of exploitation attempts relative to other CVEs.
Critical Impact
Unauthenticated network attackers can render IIS, WinRM, and other HTTP.sys-dependent services unavailable without user interaction.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (22H2, 23H2, 24H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-04-08 - CVE-2025-27473 published to NVD
- 2025-04-08 - Microsoft releases security update via MSRC advisory
- 2025-07-08 - Last updated in NVD database
Technical Details for CVE-2025-27473
Vulnerability Analysis
The vulnerability resides in HTTP.sys, the kernel-mode driver that handles HTTP requests for Internet Information Services (IIS), WinRM, WSUS, and other Windows components. The driver fails to enforce proper limits on resource allocation when processing certain network requests. An attacker can trigger excessive memory or CPU consumption by sending crafted HTTP traffic. Because HTTP.sys operates in kernel space, resource exhaustion impacts the entire host, not just a single user-mode service. The attack requires no authentication and no user interaction, which leaves any internet-facing Windows system with HTTP.sys-bound listeners exposed.
Root Cause
The defect maps to CWE-400 (Uncontrolled Resource Consumption). HTTP.sys does not impose adequate constraints on request handling, allowing repeated or malformed inputs to consume kernel resources without release. Microsoft has not publicly disclosed which specific request parsing path is affected.
Attack Vector
The attack vector is network-based. An attacker sends crafted HTTP or HTTPS requests to any service that registers URL prefixes with HTTP.sys. Common targets include IIS web servers, WinRM management endpoints on TCP/5985 and TCP/5986, and SSDP or WSDAPI listeners. Successful exploitation causes the system to stop responding to legitimate HTTP requests or to crash, requiring a reboot to restore service.
No public proof-of-concept code or verified exploit examples are available for this vulnerability. Refer to the Microsoft Security Update for CVE-2025-27473 for vendor guidance.
Detection Methods for CVE-2025-27473
Indicators of Compromise
- Sudden spikes in kernel memory or non-paged pool usage on hosts running IIS or other HTTP.sys-dependent services.
- HTTP services becoming unresponsive while the underlying TCP listener remains bound.
- Event log entries from the HTTP event source indicating connection drops, request parsing errors, or listener restarts.
- Repeated malformed or oversized HTTP requests originating from a single source or distributed across many sources.
Detection Strategies
- Monitor performance counters for HTTP Service Request Queues and non-paged pool growth on web-facing servers.
- Inspect IIS logs and HTTPERR logs in %SystemRoot%\System32\LogFiles\HTTPERR for abnormal request patterns.
- Deploy network-layer detection for anomalous HTTP request rates, oversized headers, or malformed request lines targeting Windows hosts.
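As an added example (not part of the original advisory), the following Python script implements the HTTPERR inspection described above: it parses the W3C-format log HTTP.sys writes under %SystemRoot%\System32\LogFiles\HTTPERR, counts malformed-request entries per client IP inside a sliding time window, and separately tallies request-queue pressure events. The log rows are constructed samples; the s-reason values are the ones HTTP.sys uses for parse failures and queue overflow.

```python
"""Scan an HTTP.sys HTTPERR log (W3C format) for bursts of parse errors per client IP."""
from collections import defaultdict
from datetime import datetime, timedelta
# s-reason values HTTP.sys writes for malformed or oversized requests, and for request-queue pressure.
MALFORMED_REASONS = {"BadRequest", "Header", "FieldLength", "Request_Length", "URL", "Verb", "Version_N/S"}
QUEUE_REASONS = {"QueueFull", "Connection_Abandoned_By_ReqQueue", "Connection_Dropped"}
# Constructed sample: five malformed requests from one source within four seconds, one queue-full
# event, plus benign noise (an idle-timeout close and a lone bad request from another host).
SAMPLE_LOG = """#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid sc-status s-siteid s-reason s-queuename
2025-04-10 12:00:01 203.0.113.5 51234 192.0.2.10 80 HTTP/1.1 GET / - 400 - BadRequest -
2025-04-10 12:00:02 203.0.113.5 51235 192.0.2.10 80 - - - - 400 - Header -
2025-04-10 12:00:03 198.51.100.7 40001 192.0.2.10 80 HTTP/1.1 POST /api - 400 - BadRequest -
2025-04-10 12:00:03 203.0.113.5 51236 192.0.2.10 80 - - - - 413 - Request_Length -
2025-04-10 12:00:04 203.0.113.5 51237 192.0.2.10 80 HTTP/1.1 GET /%ZZ - 400 - URL -
2025-04-10 12:00:05 203.0.113.5 51238 192.0.2.10 80 - - - - 400 - BadRequest -
2025-04-10 12:00:06 203.0.113.5 51239 192.0.2.10 80 HTTP/1.1 GET / - 503 1 QueueFull DefaultAppPool
2025-04-10 12:00:40 198.51.100.7 40002 192.0.2.10 80 - - - - - - Timer_ConnectionIdle -
"""

def parse_httperr(text):
    """Yield one dict per data row, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):        # skip truncated or foreign rows
                yield dict(zip(fields, values))

def find_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return ({c-ip: peak malformed count in any window} for sources at/over threshold, queue events)."""
    per_ip, queue_events = defaultdict(list), 0
    for row in parse_httperr(text):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        if row["s-reason"] in MALFORMED_REASONS:
            per_ip[row["c-ip"]].append(ts)
        elif row["s-reason"] in QUEUE_REASONS:
            queue_events += 1
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):           # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged, queue_events
```

Point it at a real HTTPERR file with `find_bursts(open(path).read())`; a non-zero queue-event count alongside a flagged source is the combination worth alerting on.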
Monitoring Recommendations
- Centralize Windows event logs and IIS logs in a SIEM and alert on listener restarts or queue overflow conditions.
- Track availability metrics for HTTP.sys-bound services and correlate outages with inbound traffic anomalies.
- Enable network telemetry on management ports such as 5985 and 5986 to catch DoS attempts against WinRM.
How to Mitigate CVE-2025-27473
Immediate Actions Required
- Apply the April 2025 Microsoft security update referenced in the MSRC advisory to all affected Windows client and server versions.
- Inventory internet-exposed systems running IIS, WinRM, or other HTTP.sys consumers and prioritize patching those hosts.
- Restrict inbound HTTP and HTTPS access to management interfaces using firewall rules or network segmentation.
Patch Information
Microsoft issued cumulative updates addressing CVE-2025-27473 across all supported Windows versions on April 8, 2025. Administrators should consult the Microsoft Security Update Guide for the specific KB article and build number matching each operating system.
Workarounds
- Place HTTP.sys-bound services behind a reverse proxy or web application firewall that enforces request size, rate, and header validation.
- Apply rate limiting and connection throttling on perimeter devices to reduce the impact of resource exhaustion attempts.
- Disable unnecessary HTTP.sys listeners such as WSDAPI or SSDP on servers that do not require them.
# Example: scope inbound WinRM (HTTP.sys listeners on TCP 5985/5986) to a management subnet with Windows Firewall.
# Windows Firewall does not rate-limit connections; per-IP request caps must come from an upstream WAF or load balancer.
# 10.0.0.0/24 is a placeholder; replace it with your management network. The first command narrows the built-in WinRM rule.
Set-NetFirewallRule -DisplayName "Windows Remote Management (HTTP-In)" -RemoteAddress 10.0.0.0/24
New-NetFirewallRule -DisplayName "Allow-WinRM-HTTPS-From-Mgmt" -Direction Inbound -Protocol TCP -LocalPort 5986 -RemoteAddress 10.0.0.0/24 -Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.