A local elevation-of-privilege flaw in the Windows MBT Transport driver—the kernel component behind NetBIOS over TCP/IP—can hand attackers full SYSTEM rights, and while Microsoft’s July 2025 security update patches it, duplicate CVE identifiers are muddying the response for enterprise defenders.

Microsoft’s Security Update Guide lists CVE-2025-55230 as a high‑risk EoP caused by an untrusted pointer dereference in netbt.sys. Yet independent trackers and the ZeroPath blog pin the same fix to CVE-2025-47996, calling it an integer underflow. Administrators are left to reconcile two CVEs for one fix, a confusion that can slow patch deployment at a time when speed matters most. This article clarifies the vulnerability, provides detection guidance, and gives a step‑by‑step remediation plan.

The Vulnerability: An Untrusted Pointer Dereference or Integer Underflow?

Both the forum analysis and external write‑ups agree on one point: the MBT Transport driver (netbt.sys) contains a flaw that allows a local, authenticated attacker to escalate to SYSTEM. The disagreement lies in the technical label.

Microsoft’s official advisory for CVE-2025-55230 states the vulnerability stems from an “untrusted pointer dereference.” In parallel, the ZeroPath blog and other sources describe CVE-2025-47996 as an integer underflow in the same driver, with the same impact—local privilege escalation. Why two CVEs? During initial propagation, vendors sometimes split or renumber related issues, leading to mismatches between the authoritative MSRC record and third‑party trackers. Both bugs result in memory corruption that can be weaponized for escalation.

An untrusted pointer dereference means the kernel reads or writes to a memory location derived from user‑supplied data without sufficient validation. An integer underflow happens when arithmetic wraps around, producing an unexpectedly small allocation. These are different root causes but can lead to the same outcome: a corrupted buffer, followed by the ability to overwrite critical kernel structures.

Regardless of the label, the netbt.sys driver is a prime target. It runs in kernel mode, is accessible through common user‑mode APIs and IOCTLs, and still ships in Windows 10, Windows 11, and Windows Server to support legacy NetBIOS services. Attackers with local code execution can repeatedly probe this attack surface, using heap spraying or other deterministic techniques to turn a crash into a reliable privilege escalation.

Affected Systems and Patch Deployment

Microsoft’s July 2025 Patch Tuesday updates contain the fix. While the MSRC entry for CVE-2025-55230 does not list specific KB numbers in public summaries, it provides per‑SKU mappings when queried through the update guide. Third‑party databases confirm that the cumulative updates for multiple Windows 10 and 11 feature releases and Windows Server versions include the patched netbt.sys driver. Administrators must consult the MSRC portal to find the correct update for their build.

Deploying this patch should be prioritized for systems where low‑privileged users can execute code:
- Remote Desktop / VDI hosts
- Developer workstations
- Shared administrative consoles
- Hyper‑V hosts with untrusted management access

After deployment, verify that netbt.sys has been updated. Check the file version and timestamp; a change from the pre‑patch version confirms the fix is in place.

Why the CVE Confusion Matters

Enterprise patch managers often rely on CVE numbers to automate deployment via tools like Microsoft’s Update Catalog or third‑party scanners. If a scanner looks for CVE-2025-47996 but the official MSRC page only references CVE-2025-55230, it might miss the update or flag it incorrectly. This disconnect can lead to systems being thought patched when they are not, or to unnecessary manual audits. Until NVD and other databases cross‑index the two identifiers, security teams should treat both CVE‑2025-55230 and CVE‑2025-47996 as referring to the same MBT Transport driver fix. Use the MSRC entry as the authoritative source for KB mappings, but also monitor Rapid7, BleepingComputer, and other outlets for updates on the CVE correlation.

Exploit Primitives: From Crash to SYSTEM

Local kernel exploits are not trivial, but the barrier is lower than for remote attacks. An attacker who can run code as a standard user—through phishing, a malicious document, or a compromised dev tool—can attempt to trigger the bug. The steps are well understood:

  1. Trigger the bug to corrupt memory. Craft a specific IOCTL call or packet sequence that causes the underflow or pointer mishandling.
  2. Control the heap layout. Use kernel pool spraying to place shellcode or a fake object at a known address.
  3. Overwrite security-sensitive data. Replace a process token or a function pointer in a critical structure, thereby granting the attacker SYSTEM privileges.

Successful exploitation gives the attacker full control of the machine, enabling credential theft, persistence, and lateral movement. The entire chain can be scripted and executed in seconds on unpatched systems, making this a time‑sensitive patch priority.

Detection and Monitoring Recommendations

Kernel‑level attacks leave subtle footprints. EDR and SIEM rules should be tuned to catch:

  • Repeated, rapid DeviceIoControl calls targeting MBT or NetBT interfaces by non‑privileged processes.
  • Anomalies in kernel memory allocations around netbt.sys execution (monitored via Defender for Endpoint or third‑party kernel sensors).
  • Post‑escalation indicators: unexpected LSASS access, unsigned driver loads, new persistence entries, or C2 beacons.

If you suspect a host has been exploited, collect volatile memory and kernel crash dumps, then isolate and reimage the machine. Kernel implants can withstand a simple reboot, so forensic capture before wiping is essential.

Mitigation Strategies for Unpatched Systems

When immediate patching is not possible, reduce the attack surface:

  • Disable NetBIOS over TCP/IP on endpoints that do not need it. This can be done via DHCP options, the network adapter’s WINS tab, or Group Policy. Test carefully, as some legacy applications rely on NetBIOS name resolution.
  • Enforce application control. Use AppLocker or Windows Defender Application Control to prevent untrusted executables from running.
  • Enable Memory Integrity (HVCI) to raise the bar for kernel exploitation.
  • Restrict administrative privileges and ensure users operate with minimal rights.

These workarounds are not a substitute for the patch but buy time for controlled rollouts.

Step‑by‑Step Remediation Checklist

  1. Identify vulnerable systems. Use the MSRC Security Update Guide to map your Windows builds to the correct KB. Prioritize RDS/VDI, dev, and admin workstations.
  2. Test the update. Deploy to a pilot group and verify application functionality. Confirm netbt.sys version change.
  3. Roll out broadly. Use your standard patch management tooling; if possible, force reboot after installation to ensure the kernel driver is replaced.
  4. Validate. Post‑deployment, scan for the new netbt.sys file version and ensure no rollbacks occurred.
  5. For systems that cannot be patched immediately: implement one or more of the surface‑reduction steps above and increase monitoring.
  6. Incident response prep. If an exploit is suspected, engage your IR team for kernel‑level forensic capture.

Conclusion

Microsoft’s July 2025 patch for the MBT Transport driver closes a local privilege escalation path that is all too common in kernel networking components. Whether you track it as CVE‑2025‑55230 (MSRC) or CVE‑2025‑47996 (public trackers), the fix is the same cumulative update. The CVE confusion underscores the need for security teams to cross‑reference multiple sources and act on the authoritative guidance from Microsoft. Given the exploitability of such bugs once the patch reverse‑engineering begins, treat this update as critical for any Windows system that retains the NetBIOS stack. Patch quickly, verify thoroughly, and harden your detection rules to catch future attacks against kernel drivers.