CVE-2025-29969

Published May 13, 2025

Last updated a year ago

CVSS high 7.5
Msrpc
Windows Fundamentals

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-29969 is identified as a Time-of-check time-of-use (TOCTOU) race condition vulnerability found within Windows Fundamentals. This flaw, disclosed on May 13, 2025, affects a broad range of Microsoft Windows operating systems, including various versions of Windows Server (2008, 2012, 2016, 2019, 2022, 2025), Windows 10, and Windows 11. Successful exploitation of this vulnerability could allow an authorized attacker to execute code over a network. Microsoft addressed CVE-2025-29969 by releasing security updates as part of its May 2025 Patch Tuesday releases.

Description
Time-of-check time-of-use (toctou) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
windows_10_1507, windows_10_1607, windows_10_1809, windows_10_21h2, windows_10_22h2, windows_11_22h2, windows_11_23h2, windows_11_24h2, windows_server_2008, windows_server_2012, windows_server_2016, windows_server_2019, windows_server_2022, windows_server_2022_23h2, windows_server_2025

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
5.9
Exploitability score
1.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-367

Social media

Hype score
Not currently trending

  1. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969) https://t.co/HlpFwIFJ70 #cyber #threathunting #infosec

    @blueteamsec1

    22 Mar 2026

    782 Impressions

    4 Retweets

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  2. EventLogin CVE-2025-29969 A flaw in the MS-EVEN protocol. Low-privileged users can write arbitrary files to a remote machine, effectively bypassing the need for an administrator account for remote file writes Source: https://t.co/d8OwtV3Z8m Research: https://t.co/IwYjeBzmpr h

    @HackingTeam77

    17 Mar 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. EventLogin — CVE-2025-29969 A flaw in the MS-EVEN protocol. Low-privileged users can write arbitrary files to a remote machine, effectively bypassing the need for an administrator account for remote file writes 🔗 Source: https://t.co/Zyd4CI6RvG 🔗 Research:

    @ksg93rd

    16 Mar 2026

    1063 Impressions

    4 Retweets

    23 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  4. SafeBreach Labs found CVE-2025-29969. This high-severity heap-based buffer overflow allows unauthenticated RCE in Trend Micro Apex One and Worry-Free Business Security products. Patches have been released. PS: Visit olivermaicher[.]eu

    @cybrmaker

    1 Mar 2026

    146 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. SafeBreach discovered CVE-2025-29969 in Microsoft Azure Site Recovery agent. This allows Local Privilege Escalation by loading a malicious DLL with SYSTEM privileges. Microsoft patched the flaw in June 2024. Update your ASR agents.

    @cybrmaker

    27 Feb 2026

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Top 5 Trending CVEs: 1 - CVE-2018-17144 2 - CVE-2025-29969 3 - CVE-2025-11730 4 - CVE-2026-21518 5 - CVE-2025-60021 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Feb 2026

    133 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969): https://t.co/XwGKrXG07J #cybersecurity #informationsecurity #infosec #vulnerability #cve #windows #exploitation https://t.co/fxXCPUPzkU

    @blackstormsecbr

    21 Feb 2026

    111 Impressions

    2 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-29969 EventLogin A flaw in the MS-EVEN protocol. Low-privileged users can write arbitrary files to a remote machine, effectively bypassing the need for an administrator account for remote file writes https://t.co/otpejBHrCl #dfir #blueteam #redteam #pentesting #cve

    @co11ateral

    21 Feb 2026

    1871 Impressions

    15 Retweets

    39 Likes

    21 Bookmarks

    0 Replies

    0 Quotes

  9. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969) https://t.co/P2dLQGXZXm

    @Dinosn

    20 Feb 2026

    824 Impressions

    0 Retweets

    9 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  10. Discovery & Analysis of CVE-2025-29969 https://t.co/nN8cpjcss8

    @_r_netsec

    20 Feb 2026

    517 Impressions

    2 Retweets

    6 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  11. Discovery & Analysis of CVE-2025-29969 https://t.co/0SOqskqryK https://t.co/hNltLVY1wW

    @secharvesterx

    20 Feb 2026

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. EventLog-in: Propagating With Weak Credentials Using the Eventlog Service in Microsoft Windows (CVE-2025-29969) https://t.co/sShgXMlb08 https://t.co/Jd2d8kP1e3

    @warthogtk

    19 Feb 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. New blog & exploit about CVE-2025-29969 - RCE by Yarin Aharoni @safebreach Labs. Findings allow: ---- * Checking arbitrary paths existence (unfixed!). * Writing files remotely (RCE). ---- On ALL Windows & Windows Server computers in the domain! Repo - https://t.co/Ygs0t7

    @oryair1999

    19 Feb 2026

    4125 Impressions

    26 Retweets

    66 Likes

    34 Bookmarks

    1 Reply

    0 Quotes

  14. New blog & exploit about CVE-2025-29969 - RCE by Yarin Aharoni @safebreach Labs. Findings allow: ---- * Checking arbitrary paths existence (unfixed!). * Writing files remotely (RCE). ---- On ALL Windows & Windows Server computers in the domain! Exploit - https://t.co/Ygs

    @oryair1999

    19 Feb 2026

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-29969 is an RPC #RemoteCodeExecution vulnerability, base score 7.5. Exploits a time-of-check time-of-use & affects Windows vers 2025, 2022, 2019, 2016, 2012 R2, 2012, 2008 R2 SP1, 2008 SP2; Win 11 22H2/23H2/24H2, Win 10 1607/1809/21H2/22H2. https://t.co/jrd1brZLjs

    @ZeroNLabs

    15 May 2025

    285 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  16. 🛡️ Windows just revealed a critical vulnerability—CVE-2025-29969—that’s like a race in reverse! Don’t let those pesky RPC conditions trip you up. Time to patch up your defenses! #WindowsForum #CyberSecurity #CVE2025 https://t.co/MBbTQeW9Ir

    @windowsforum

    14 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-29969 Time-of-check time-of-use (toctou) race condition in Windows Fundamentals allows an authorized attacker to execute code over a network. https://t.co/9AgHdd397q

    @CVEnew

    13 May 2025

    226 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.CVE-2026-50507
  2. Uncontrolled resource consumption in HTTP/2 allows an unauthorized attacker to deny service over a network.CVE-2026-49160
  3. Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.CVE-2026-48583
  4. Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.CVE-2026-48578
  5. Protection mechanism failure in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.CVE-2026-48576

References

Sources include official advisories and independent security research.