CVE-2025-32709 — Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability

CVE-2025-32709

Microsoft Windows — AFD.sys Use-After-Free; Local Privilege Escalation to Administrator; May 2025 Patch Tuesday Zero-Day

What is the Windows Ancillary Function Driver (AFD)?

The Ancillary Function Driver for WinSock (afd.sys) is a core Windows kernel driver that implements the user-mode socket programming interface. It acts as the bridge between user-space socket calls (WSASocket, connect, send, recv) and the underlying network stack (TCP/IP). afd.sys runs in kernel mode and handles all socket I/O request packets (IRPs) from any process. Because it is reachable from unprivileged user accounts through standard socket operations, vulnerabilities in AFD are highly exploitable for local privilege escalation.

Overview

CVE-2025-32709 is a use-after-free (CWE-416) in afd.sys that allows a locally authenticated attacker with standard user privileges to escalate to administrator. It was disclosed as a zero-day in the May 2025 Patch Tuesday, meaning exploitation was confirmed in the wild before the fix was released. CISA added it to the KEV catalog the same day as the patch, with a 21-day mandatory remediation deadline.

Affected Versions

Product                  | Vulnerable                         | Fixed
Windows 10 (1507–22H2)   | All builds before May 2025 updates | May 2025 cumulative update
Windows 11 (21H2–24H2)   | All builds before May 2025 updates | May 2025 cumulative update
Windows Server 2019–2025 | All builds before May 2025 updates | May 2025 cumulative update

Technical Details

The use-after-free (CWE-416) occurs in afd.sys during the processing of socket I/O requests. A race condition or improper reference counting allows kernel memory to be freed while a pointer to it is still held in a related data structure. By carefully controlling the allocation and freeing of socket objects — reachable from user space through standard WinSock API calls — an attacker can trigger a use-after-free that corrupts kernel data structures.

Exploiting the freed memory allows the attacker to overwrite kernel data (such as process token privileges) to escalate from a standard user account to administrator or SYSTEM level. The low attack complexity (AC:L) and privilege requirement (PR:L — just any user account) make this straightforwardly exploitable on any multi-user Windows system.

Discovery

Microsoft's advisory noted active exploitation in the wild before patch release; the specific reporter was not disclosed publicly.

Exploitation Context

Confirmed zero-day exploitation before May 13, 2025. CISA added the vulnerability to the KEV catalog immediately on patch day. Local privilege escalation vulnerabilities of this type are used to elevate initial access (such as that obtained through phishing or malware delivery) from a standard user context to administrator, enabling full system compromise.

Remediation

  1. Apply the May 2025 cumulative update for your Windows version. This is the only fix; no workaround is available.
  2. Prioritize on systems with multiple local users or those accessible via RDP, where a low-privilege attacker is more likely to have a local foothold.
  3. Enable Windows Defender Credential Guard and virtualization-based security where possible — these reduce the impact of kernel-level compromises.
  4. Audit for signs of prior compromise: look for unexpected privilege escalation events in the Windows Security event log (Event IDs 4672 and 4673) from the period before the patch was applied.
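The patch check and event-log audit from steps 1 and 4, as an added PowerShell example that is not part of the advisory. The KB article ID is a placeholder (the page does not give it), the 30-day look-back window is an assumption, and the "non-administrator account holding admin-level privileges" filter is one triage heuristic, not a detection signature for this CVE.

```powershell
# Added example, not from the advisory: verify the May 2025 update is present
# and review Security events 4672/4673 from before it was installed.
# The KB number is a placeholder; take the real ID from Microsoft's advisory.
$PatchKb       = 'KB<MAY-2025-CU-PLACEHOLDER>'
$PatchReleased = Get-Date '2025-05-13'

# 1. Is the cumulative update installed?
$hotfix = Get-HotFix -ErrorAction SilentlyContinue | Where-Object HotFixID -eq $PatchKb
if ($hotfix) {
    Write-Host "Patched: $($hotfix.HotFixID) installed $($hotfix.InstalledOn)"
} else {
    Write-Warning "$PatchKb not found; host should be treated as unpatched for CVE-2025-32709"
}

# 2. Pull special-privilege logons (4672) and privileged service calls (4673)
#    from the window before the patch. 30 days is an assumption; adjust to
#    your log retention and the date the update actually landed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672, 4673
    StartTime = $PatchReleased.AddDays(-30)
    EndTime   = $PatchReleased
} -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData XML into account / privilege / process.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Id         = $e.Id
        Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Privileges = ($d.PrivilegeList -replace '\s+', ' ')
        Process    = $d.ProcessName
    }
}

# 4. Triage heuristic: a 4672 granting kernel-relevant privileges to an account
#    that is neither a local administrator nor a built-in service identity is
#    what a successful local privilege escalation would leave behind.
$admins  = (Get-LocalGroupMember -Group 'Administrators').Name
$suspect = $rows | Where-Object {
    $_.Id -eq 4672 -and
    $_.Privileges -match 'SeDebugPrivilege|SeTcbPrivilege|SeLoadDriverPrivilege' -and
    $admins -notcontains $_.Account -and
    $_.Account -notmatch '^NT AUTHORITY\\'
}
$suspect | Sort-Object Time | Format-Table Time, Account, Process, Privileges -AutoSize
```

Run from an elevated prompt, since reading the Security log and enumerating local group membership both require it.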

Key Details

Property             | Value
CVE ID               | CVE-2025-32709
Vendor / Product     | Microsoft — Windows
NVD Published        | 2025-05-13
NVD Last Modified    | 2026-02-13
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-416
CISA KEV Added       | 2025-05-13
CISA KEV Deadline    | 2025-06-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric             | Value
Attack Vector      | Local
Attack Complexity  | Low
Privileges Required| Low
User Interaction   | None
Scope              | Unchanged
Confidentiality    | High
Integrity          | High
Availability       | High

Required Action

CISA BOD 22-01 Deadline: 2025-06-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2025-05-13 | Patched in May 2025 Patch Tuesday; CISA adds to KEV (zero-day exploited before patch)
2025-06-03 | CISA BOD 22-01 remediation deadline