CVE-2025-62217

afd.sys -- elevation of privilege via WinSock operations

Summary

Field                Value
Driver               afd.sys
Vulnerability Class  Elevation of Privilege
CVSS                 7.8
Exploited ITW        No
Patch Date           November 11, 2025

Root Cause

CVE-2025-62217 is the fifth afd.sys vulnerability tracked in KernelSight for 2025, patched alongside CVE-2025-60719 and CVE-2025-62213 in the November 2025 cycle. The exact root cause has not been publicly detailed beyond Microsoft's advisory classification as an elevation of privilege vulnerability.

What is known is that the vulnerability is reachable through WinSock operations, meaning any local user with the ability to create sockets can trigger it. The Ancillary Function Driver processes these operations in kernel context, and some code path within the driver contains a flaw that allows a local attacker to corrupt kernel state and escalate to SYSTEM.

Given that three afd.sys vulnerabilities were patched in the same cycle (CVE-2025-60719, CVE-2025-62213, and this one), it is likely that Microsoft conducted a focused audit of the driver and found multiple issues. The other two are documented use-after-free and race condition bugs, so CVE-2025-62217 may represent a different vulnerability class within the same driver.

Exploitation

The attacker performs crafted WinSock operations that trigger the vulnerability in afd.sys. The specific operations and the resulting corruption depend on the undisclosed root cause. The end result is SYSTEM-level privilege escalation from a standard user account.

Exploitation Primitive

Crafted WinSock operation -> afd.sys kernel vulnerability
  -> kernel state corruption -> SYSTEM

Broader Significance

Three afd.sys patches in a single cycle underscore how productive this driver is as a vulnerability source. The AFD driver is present on every Windows system, is reachable from any user account, and processes complex concurrent operations on kernel objects. Each of these properties makes it attractive to vulnerability researchers, and the stream of CVEs in 2025 (CVE-2025-49661, CVE-2025-49762, CVE-2025-53147, CVE-2025-53718, CVE-2025-60719, CVE-2025-62213, and CVE-2025-62217) suggests the driver will continue to be a reliable source of kernel EoP bugs for the foreseeable future.

References