Unveiling Hidden Preauth Vulnerabilities in Windows HTTP Services

Black Hat USA 2025 · Day 1 · Briefings

Researchers from CyberKoolun at Huazhong University of Science and Technology systematically mapped the Windows HTTP API service framework and uncovered a class of pre-authentication vulnerabilities — both logic-based denial-of-service bugs and remote code execution flaws — that affect Windows built-in HTTP services including UPnP, Remote Desktop Gateway, and the KDC Proxy. The findings include multiple CVEs and demonstrate that incorrect use of just a handful of HTTP API functions can permanently hang services or, in the right conditions, achieve RCE against unauthenticated clients.

AI review

Methodical vulnerability research against Windows built-in HTTP services that produced pre-auth RCE against the KDC Proxy and a write-what-where primitive in RDP Gateway — both unauthenticated, both affecting default Windows configurations. The systematic framework approach that generated multiple CVEs from a single API analysis pass is the real contribution.