CVE-2025-53805 Overview
CVE-2025-53805 is an out-of-bounds read vulnerability [CWE-125] in Windows Internet Information Services (IIS). The flaw allows an unauthenticated remote attacker to trigger a denial of service condition over the network. Microsoft disclosed the issue on September 9, 2025, affecting multiple supported versions of Windows 11 and Windows Server.
The vulnerability requires no privileges and no user interaction. Successful exploitation reads memory outside the bounds of allocated buffers within the IIS worker process, causing the service to crash. Confidentiality and integrity are not impacted, but availability of hosted web applications is.
Critical Impact
An unauthenticated network attacker can crash IIS-hosted services on affected Windows systems, disrupting web applications and APIs without requiring credentials or user interaction.
Affected Products
- Microsoft Windows 11 (22H2, 23H2, 24H2)
- Microsoft Windows Server 2022 and Server 2022 23H2
- Microsoft Windows Server 2025
Discovery Timeline
- 2025-09-09 - CVE-2025-53805 published to NVD by Microsoft
- 2025-10-02 - Last updated in NVD database
Technical Details for CVE-2025-53805
Vulnerability Analysis
The vulnerability is classified as an out-of-bounds read [CWE-125] in the Windows Internet Information Services (IIS) component. IIS is Microsoft's web server platform used to host websites, web applications, and REST APIs on Windows Server and Windows desktop systems.
An out-of-bounds read occurs when code reads data past the end, or before the beginning, of an allocated buffer. When IIS processes a malformed network request, it dereferences memory outside the expected buffer boundary. This produces an access violation that terminates the worker process serving HTTP requests.
Because the attack vector is network-based and requires neither authentication nor user interaction, any reachable IIS endpoint is exposed. In CVSS terms the scope is unchanged and only the availability impact is rated high; confidentiality and integrity remain unaffected by this specific flaw.
Root Cause
The root cause is missing or incorrect bounds checking when IIS parses attacker-supplied input from an incoming HTTP request. Without strict length validation against allocated buffer sizes, the parser reads beyond the intended memory region. Microsoft has not published low-level technical specifics beyond the advisory.
Attack Vector
An attacker sends a crafted HTTP request to an exposed IIS service over the network. Processing the malformed request triggers the out-of-bounds read in the IIS worker process. The worker terminates, dropping all in-flight connections and rendering hosted sites unreachable until the process restarts. Repeated requests can sustain the denial of service condition.
No public proof-of-concept exploit is currently associated with this CVE, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Microsoft Security Advisory for vendor guidance.
Detection Methods for CVE-2025-53805
Indicators of Compromise
- Unexpected crashes or restarts of the IIS worker process (w3wp.exe) recorded in the Windows Application event log.
- Windows Error Reporting (WER) entries referencing access violations within IIS modules.
- Spikes in HTTP 5xx responses or sudden connection resets from IIS-hosted endpoints.
- Inbound HTTP requests containing malformed headers or oversized fields immediately preceding worker process termination.
Detection Strategies
- Monitor Windows Event IDs 1000 and 1001 for w3wp.exe faults and correlate with inbound request logs from IIS (%SystemDrive%\inetpub\logs\LogFiles).
- Alert on repeated IIS application pool recycles within short time windows, which can indicate exploitation attempts.
- Inspect WAF and reverse proxy logs for anomalous HTTP request patterns targeting IIS endpoints from a small set of source IPs.
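The first detection strategy, worked through offline as an added example (not part of the advisory): correlate w3wp.exe fault timestamps with the IIS access log entries that immediately precede each crash and report which clients were active and whether any of their requests exceeded the request filtering limits. The log lines, client addresses and crash time are constructed samples, and the script assumes both data sets have already been converted to UTC.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample IIS W3C access log (hypothetical entries; IIS writes W3C timestamps in UTC). LONG_URL stands in for an oversized path.
LONG_URL = "/" + "A" * 5000
IIS_LOG = f"""\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status time-taken
2025-09-10 12:00:01 GET /index.html - 203.0.113.5 200 12
2025-09-10 12:00:03 GET /api/items id=1 198.51.100.7 200 20
2025-09-10 12:00:04 GET /api/items id=2 198.51.100.7 200 18
2025-09-10 12:00:05 GET {LONG_URL} - 198.51.100.7 400 3
2025-09-10 12:00:30 GET /index.html - 203.0.113.5 200 11
"""
# Constructed sample: UTC time of an Application-log Event ID 1000 fault for w3wp.exe (event-log timestamps are local and must be converted to UTC first).
CRASHES = [datetime(2025, 9, 10, 12, 0, 6)]

MAX_URL = 4096     # same thresholds as the requestLimits workaround (maxUrl)
MAX_QUERY = 2048   # and maxQueryString

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header, adding a 'ts' datetime."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            entries.append(rec)
    return entries

def oversized(rec):
    """True when the URL path or query string exceeds the request filtering limits."""
    query = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
    return len(rec["cs-uri-stem"]) > MAX_URL or len(query) > MAX_QUERY

def correlate(log_text, crash_times, window_seconds=10):
    """For each w3wp.exe fault, count requests per client in the preceding window and list clients that sent oversized ones.
    The request that actually killed the worker may never be logged, so neighbouring requests from the same client are the usable signal."""
    entries = parse_w3c(log_text)
    report = {}
    for crash in crash_times:
        start = crash - timedelta(seconds=window_seconds)
        window = [e for e in entries if start <= e["ts"] <= crash]
        report[crash] = {
            "requests_by_ip": dict(Counter(e["c-ip"] for e in window)),
            "oversized_from": sorted({e["c-ip"] for e in window if oversized(e)}),
        }
    return report
```

Run `correlate(IIS_LOG, CRASHES)` against real exports by substituting the contents of the W3C log and the fault timestamps; a client that appears in `oversized_from` across several crashes is the one to take to the WAF and proxy logs.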
Monitoring Recommendations
- Forward IIS access logs, HTTPERR logs, and Windows Application event logs to a centralized SIEM for correlation.
- Establish a baseline for application pool restart frequency and alert on deviations.
- Track CPU, memory, and connection count metrics for IIS hosts to identify availability degradation in real time.
How to Mitigate CVE-2025-53805
Immediate Actions Required
- Apply the Microsoft security update referenced in the Microsoft Security Advisory to all affected Windows 11 and Windows Server systems.
- Inventory all internet-facing IIS instances and prioritize patching of externally reachable servers.
- Place IIS hosts behind a web application firewall capable of dropping malformed HTTP requests until patching completes.
Patch Information
Microsoft has issued patches for all affected products through its standard Patch Tuesday channel. Administrators should obtain the relevant cumulative update from Windows Update, WSUS, or the Microsoft Update Catalog. Verify update installation by checking the system's installed update history and confirming the build number matches the post-patch revision listed in the advisory.
Workarounds
- Restrict access to IIS endpoints using network access control lists, host-based firewalls, or VPN-only access where feasible.
- Configure IIS request filtering to reject requests with abnormal header sizes, lengths, or unsupported verbs.
- Enable rapid application pool recycling and automatic worker process restart to reduce downtime if exploitation occurs before patching.
REM Configuration example: enable IIS request filtering limits via appcmd (run from an elevated command prompt).
REM appcmd.exe is not on the PATH by default; without a site argument these settings apply server-wide.
%windir%\system32\inetsrv\appcmd.exe set config /section:requestFiltering /requestLimits.maxAllowedContentLength:30000000
%windir%\system32\inetsrv\appcmd.exe set config /section:requestFiltering /requestLimits.maxUrl:4096
%windir%\system32\inetsrv\appcmd.exe set config /section:requestFiltering /requestLimits.maxQueryString:2048
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.