Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-33050

CVE-2025-33050: Windows Server 2016 DHCP DoS Vulnerability

CVE-2025-33050 is a denial of service flaw in Windows Server 2016 DHCP Server caused by a protection mechanism failure. Attackers can exploit this remotely to disrupt service availability. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Updated:

CVE-2025-33050 Overview

CVE-2025-33050 is a denial-of-service vulnerability in the Microsoft Windows DHCP Server service. The flaw stems from a protection mechanism failure [CWE-693] that allows an unauthenticated remote attacker to disrupt DHCP service availability over the network. An attacker can send crafted traffic to a vulnerable DHCP server and prevent it from servicing legitimate DHCP requests. Because DHCP is foundational to IP address allocation, a successful attack can cascade into widespread network connectivity failures for clients dependent on dynamic addressing. Microsoft addressed the issue in its June 2025 security update cycle.

Critical Impact

Unauthenticated remote attackers can disable DHCP services on affected Windows Server hosts, preventing IP address assignment and breaking network connectivity for downstream clients.

Affected Products

  • Microsoft Windows Server 2016
  • Microsoft Windows Server 2019
  • Microsoft Windows Server 2022 (including 23H2)
  • Microsoft Windows Server 2025

Discovery Timeline

  • 2025-06-10 - CVE-2025-33050 published to NVD
  • 2025-06-10 - Microsoft releases security update addressing CVE-2025-33050
  • 2025-07-10 - Last updated in NVD database

Technical Details for CVE-2025-33050

Vulnerability Analysis

The vulnerability resides in the Windows DHCP Server role, which handles dynamic IP address allocation using the Dynamic Host Configuration Protocol. The flaw is classified under [CWE-693] Protection Mechanism Failure, indicating that a safeguard intended to prevent abusive or malformed input does not function as designed. An attacker exploiting this weakness can render the DHCP service unresponsive without authenticating or interacting with a user. Because the attack targets availability only, confidentiality and integrity remain unaffected. The EPSS probability of 10.844% places this vulnerability in the 93rd percentile for likelihood of exploitation activity.

Root Cause

The root cause is an inadequate protection mechanism within the DHCP Server service that fails to properly validate or constrain specific network input. When the protective control is bypassed or exhausted, the service enters a state where it can no longer process DHCP DISCOVER, REQUEST, or related messages from clients. Microsoft has not published low-level technical details beyond the advisory.

Attack Vector

The attack is conducted over the network against UDP port 67, where the DHCP server listens. No authentication, privileges, or user interaction are required. An attacker with network reachability to the DHCP server, including an adversary on the local broadcast domain or one that has pivoted into an internal network segment, can transmit crafted DHCP traffic that triggers the protection mechanism failure and halts service availability.

No public proof-of-concept exploit code or verified technical write-up is available at this time. Refer to the Microsoft Security Update Guide for CVE-2025-33050 for vendor-supplied details.

Detection Methods for CVE-2025-33050

Indicators of Compromise

  • Sudden cessation of DHCP lease grants or renewals across an environment despite an apparently running DHCP service
  • Unusual volume or malformed DHCP traffic directed at UDP port 67 on the DHCP server
  • DHCP service crashes, hangs, or repeated restarts recorded in the Windows System and DHCP Server event logs
  • Spikes in client-side DHCP failed events and devices falling back to APIPA (169.254.x.x) addresses

Detection Strategies

  • Monitor the Windows DHCP Server service state and key event IDs (e.g., 1056, 1059, 10031) for abnormal patterns or service termination
  • Inspect network telemetry for high-rate or anomalously structured DHCP packets originating from a single host or subnet
  • Correlate DHCP service degradation with concurrent network-layer events to identify intentional disruption versus capacity issues

Monitoring Recommendations

  • Alert on DHCP Server service stop, restart, or unresponsive states from infrastructure monitoring
  • Track DHCP scope utilization, lease grant rates, and NACK counts to detect availability regressions
  • Capture and retain packet samples on DHCP-facing interfaces to support incident triage and forensic analysis

How to Mitigate CVE-2025-33050

Immediate Actions Required

  • Apply the Microsoft June 2025 security update to all Windows Server hosts running the DHCP Server role
  • Inventory all systems where the DHCP Server role is enabled, including domain controllers and branch office servers, and prioritize patching
  • Restrict network paths to UDP port 67 so that only trusted client segments can reach DHCP servers

Patch Information

Microsoft published security updates for all affected Windows Server versions on June 10, 2025. Administrators should consult the Microsoft Security Update Guide for CVE-2025-33050 to identify the specific KB articles for Windows Server 2016, 2019, 2022, 2022 23H2, and 2025, then deploy the updates through Windows Update, WSUS, or Microsoft Configuration Manager.

Workarounds

  • Deploy redundant DHCP servers with failover or split-scope configurations to maintain availability if one server is disrupted
  • Use DHCP snooping and rate limiting on access switches to constrain malicious DHCP traffic from untrusted ports
  • Segment DHCP infrastructure behind firewall rules that permit DHCP traffic only from authorized VLANs and relay agents
  • Disable the DHCP Server role on hosts where it is not required to reduce attack surface

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.