CVE-2025-29969

Published May 13, 2025

Last updated a year ago

CVSS high 7.5
Msrpc
Windows Fundamentals

Overview

Description
Time-of-check time-of-use (toctou) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
windows_10_1507, windows_10_1607, windows_10_1809, windows_10_21h2, windows_10_22h2, windows_11_22h2, windows_11_23h2, windows_11_24h2, windows_server_2008, windows_server_2012, windows_server_2016, windows_server_2019, windows_server_2022, windows_server_2022_23h2, windows_server_2025

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
5.9
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-367

Social media

Hype score
Not currently trending

  1. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969) https://t.co/HlpFwIFJ70 #cyber #threathunting #infosec

    @blueteamsec1

    22 Mar 2026

    782 Impressions

    4 Retweets

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  2. EventLogin CVE-2025-29969 A flaw in the MS-EVEN protocol. Low-privileged users can write arbitrary files to a remote machine, effectively bypassing the need for an administrator account for remote file writes Source: https://t.co/d8OwtV3Z8m Research: https://t.co/IwYjeBzmpr h

    @HackingTeam77

    17 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. EventLogin — CVE-2025-29969 A flaw in the MS-EVEN protocol. Low-privileged users can write arbitrary files to a remote machine, effectively bypassing the need for an administrator account for remote file writes 🔗 Source: https://t.co/Zyd4CI6RvG 🔗 Research:

    @ksg93rd

    16 Mar 2026

    1063 Impressions

    4 Retweets

    23 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  4. SafeBreach Labs found CVE-2025-29969. This high-severity heap-based buffer overflow allows unauthenticated RCE in Trend Micro Apex One and Worry-Free Business Security products. Patches have been released. PS: Visit olivermaicher[.]eu

    @cybrmaker

    1 Mar 2026

    146 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. SafeBreach discovered CVE-2025-29969 in Microsoft Azure Site Recovery agent. This allows Local Privilege Escalation by loading a malicious DLL with SYSTEM privileges. Microsoft patched the flaw in June 2024. Update your ASR agents.

    @cybrmaker

    27 Feb 2026

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Top 5 Trending CVEs: 1 - CVE-2018-17144 2 - CVE-2025-29969 3 - CVE-2025-11730 4 - CVE-2026-21518 5 - CVE-2025-60021 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Feb 2026

    133 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969): https://t.co/XwGKrXG07J #cybersecurity #informationsecurity #infosec #vulnerability #cve #windows #exploitation https://t.co/fxXCPUPzkU

    @blackstormsecbr

    21 Feb 2026

    111 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-29969 EventLogin A flaw in the MS-EVEN protocol. Low-privileged users can write arbitrary files to a remote machine, effectively bypassing the need for an administrator account for remote file writes https://t.co/otpejBHrCl #dfir #blueteam #redteam #pentesting #cve

    @co11ateral

    21 Feb 2026

    1871 Impressions

    15 Retweets

    39 Likes

    21 Bookmarks

    0 Replies

    0 Quotes

  9. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969) https://t.co/P2dLQGXZXm

    @Dinosn

    20 Feb 2026

    824 Impressions

    0 Retweets

    9 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  10. Discovery & Analysis of CVE-2025-29969 https://t.co/nN8cpjcss8

    @_r_netsec

    20 Feb 2026

    517 Impressions

    2 Retweets

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. Discovery & Analysis of CVE-2025-29969 https://t.co/0SOqskqryK https://t.co/hNltLVY1wW

    @secharvesterx

    20 Feb 2026

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969) https://t.co/sShgXMlb08 https://t.co/Jd2d8kP1e3

    @warthogtk

    19 Feb 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. New blog & exploit about CVE-2025-29969 - RCE by Yarin Aharoni @safebreach Labs. Findings allow: ---- * Checking arbitrary paths existence (unfixed!). * Writing files remotely (RCE). ---- On ALL Windows & Windows Server computers in the domain! Repo - https://t.co/Ygs0t7

    @oryair1999

    19 Feb 2026

    4125 Impressions

    26 Retweets

    66 Likes

    34 Bookmarks

    1 Reply

    0 Quotes

  14. New blog & exploit about CVE-2025-29969 - RCE by Yarin Aharoni @safebreach Labs. Findings allow: ---- * Checking arbitrary paths existence (unfixed!). * Writing files remotely (RCE). ---- On ALL Windows & Windows Server computers in the domain! Exploit - https://t.co/Ygs

    @oryair1999

    19 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-29969 is an RPC #RemoteCodeExecution vulnerability, base score 7.5. Exploits a time-of-check time-of-use & affects Windows vers 2025, 2022, 2019, 2016, 2012 R2, 2012, 2008 R2 SP1, 2008 SP2; Win 11 22H2/23H2/24H2, Win 10 1607/1809/21H2/22H2. https://t.co/jrd1brZLjs

    @ZeroNLabs

    15 May 2025

    285 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  16. 🛡️ Windows just revealed a critical vulnerability—CVE-2025-29969—that’s like a race in reverse! Don’t let those pesky RPC conditions trip you up. Time to patch up your defenses! #WindowsForum #CyberSecurity #CVE2025 https://t.co/MBbTQeW9Ir

    @windowsforum

    14 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-29969 Time-of-check time-of-use (toctou) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network. https://t.co/9AgHdd397q

    @CVEnew

    13 May 2025

    226 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network.CVE-2026-33829
  2. Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.CVE-2026-33827
  3. Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent network.CVE-2026-33826
  4. Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.CVE-2026-33824
  5. Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.CVE-2026-33104

References

Sources include official advisories and independent security research.