code execution Archives

Winsage

May 14, 2025

Microsoft Confirms Windows Is Under Attack — You Must Act Now

Microsoft has confirmed multiple zero-day vulnerabilities being actively targeted by malicious actors. One significant vulnerability is CVE-2025-30397, a memory corruption flaw in the Windows scripting engine that affects all versions of Windows and allows code execution over the network. It has a CVSS score of 7.8 and is considered critical. Successful exploitation requires the target to use Edge in Internet Explorer Mode and for the user to click a malicious link. Other vulnerabilities include: - CVE-2025-32709: An elevation of privilege vulnerability in the Windows ancillary function driver for WinSock, affecting Windows Server 12 and later. - CVE-2025-32701 and CVE-2025-32706: Vulnerabilities in the Windows Common Log File Driver System that could allow local attackers to gain system privileges, affecting all versions of Windows. - CVE-2025-30400: An elevation of privilege vulnerability in the Windows desktop window manager, affecting Windows 10, Server 2016, and later OS versions. Windows users are urged to update their systems with the latest security patches immediately.

Winsage

May 14, 2025

Patch Tuesday for May: Five zero day vulnerabilities CISOs should focus on

A vulnerability identified as CVE-2025-30397 can be exploited when Microsoft Edge is in “Internet Explorer” mode, which is typically not the default setting but may be necessary for certain users. Another vulnerability, CVE-2025-29831, can only be exploited during a restart of the Remote Desktop Protocol (RDP) service. SAP has released 18 Security Notes to address various vulnerabilities, including critical authorization issues, remote code execution, information disclosure, and cross-site scripting.

Winsage

May 14, 2025

Microsoft Scripting Engine 0-Day Vulnerability Enables Remote Code Execution Over Network

Microsoft has identified a memory corruption vulnerability in its Scripting Engine, designated as CVE-2025-30397. This vulnerability allows unauthorized remote code execution and is classified as “Important” under CWE-843 (Type Confusion). It was disclosed in the May 2025 Patch Tuesday updates and arises from improper handling of resource types. Exploitation occurs when a user clicks a specially crafted URL in Microsoft Edge's Internet Explorer Mode, potentially compromising system confidentiality, integrity, and availability. Although the attack complexity is high, successful exploitation has been confirmed in the wild. Microsoft has issued patches for all supported Windows versions, and users are advised to apply these updates and consider disabling Internet Explorer Mode to reduce risk.

Winsage

May 14, 2025

Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days

Microsoft has addressed 72 vulnerabilities in a recent update, including five classified as zero-days. This is the eighth consecutive month that Microsoft has tackled zero-day vulnerabilities without any being categorized as critical at the time of disclosure. The identified zero-days include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709, with CVSS scores ranging from 7.5 to 7.8. Two of these vulnerabilities are related to the Windows Common Log File Driver System (CLFS), which has been frequently targeted for exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has added all five zero-days to its Known Exploited Vulnerabilities (KEV) list. Experts suggest that some zero-day exploits may be linked to targeted espionage or financially motivated activities, including ransomware deployment. Additionally, Microsoft's update includes five critical vulnerabilities and 50 high-severity defects, with 18 vulnerabilities impacting Microsoft Office and three deemed “more likely” to be exploited. Eight vulnerabilities patched this month are considered “more likely” to be exploited, including two high-severity defects in Microsoft SharePoint Server.

AppWizard

May 13, 2025

Turkish spies caught exploiting zero-day for over a year

Microsoft reported that Turkish espionage operatives have been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger app to gather intelligence on the Kurdish military in Iraq. This operation, attributed to the group Marbled Dust, began in April 2024. The vulnerability is a directory traversal flaw in version 2.0.62 of the app, and many users have not yet updated to the patched version released in December. Marbled Dust has used this flaw to access sensitive user data and deploy malicious files within the Output Messenger server. The group has a history of targeting entities opposing Turkish interests and has evolved its tactics by leveraging this vulnerability for unauthorized access. Srimax and Microsoft are advising users to upgrade to version V2.0.63 to mitigate the risks associated with the exploit.

AppWizard

May 11, 2025

Scrutinizing the security of messaging apps continues.

Customs and Border Protection (CBP) and the White House are facing scrutiny over security vulnerabilities in their messaging application. Hacktivists breached GlobalX, the airline handling U.S. deportation flights, exposing sensitive flight manifests. The FBI warned about threats exploiting outdated routers. Pearson confirmed a cyberattack compromising customer data. Research shows cybercriminals are using Windows Remote Management (WinRM) for lateral movements in Active Directory environments. A new email attack campaign is delivering a Remote Access Trojan (RAT) via malicious PDF invoices. A zero-day vulnerability in SAP NetWeaver allows remote code execution, affecting multiple sectors. An Indiana health system reported a data breach affecting nearly 263,000 individuals.

Winsage

April 30, 2025

Unpatched Windows Shortcut Vulnerability Let Attackers Execute Remote Code

Security researcher Nafiez has discovered a vulnerability in Windows LNK files that allows remote code execution without user interaction. Microsoft has chosen not to address this issue, stating it does not meet their security servicing criteria. The vulnerability exploits specific components of LNK files, enabling attackers to create malicious shortcuts that initiate silent network connections when a user accesses a folder containing them. The exploit involves manipulating the HasArguments flag, EnvironmentVariableDataBlock, and embedding UNC paths. Microsoft defends its inaction by citing the Mark of the Web (MOTW) feature as adequate protection, despite concerns from security experts about its effectiveness. Previous vulnerabilities in LNK files have been addressed by Microsoft, and the availability of proof-of-concept code raises fears of potential exploitation by malicious actors.

Winsage

April 23, 2025

Critical Flaw in Windows Update Stack Enables Code Execution and Privilege Escalation

A newly identified vulnerability in the Windows Update Stack, designated as CVE-2025-21204, allows attackers to execute arbitrary code and escalate privileges to SYSTEM level on affected machines. This critical security flaw arises from improper privilege separation and inadequate validation during the update orchestration process. Attackers can exploit it by creating harmful update packages or acting as man-in-the-middle on compromised networks. The vulnerability impacts any Windows system utilizing the vulnerable update mechanism, affecting both enterprise and consumer editions. Microsoft is working on a patch, and users are advised to monitor official channels for updates and apply patches promptly. Organizations should also restrict network access to update servers and monitor for suspicious update activities. The CVSS score for this vulnerability is 7.8 (High), indicating significant risk.

Winsage

April 22, 2025

Critical Windows Update Stack Vulnerability Allows Code Execution & Privilege Escalation

A security vulnerability identified as CVE-2025-21204 has been discovered in the Windows Update Stack, allowing local attackers to execute unauthorized code and escalate privileges to SYSTEM-level access. This vulnerability, with a CVSS score of 7.8 (High), affects Windows 10 versions 1507, 1607, and 1809, among likely other supported Windows 10/11 and Windows Server versions. The flaw arises from a design issue where Windows Update processes do not properly follow directory junctions, enabling attackers with limited user privileges to redirect trusted paths to locations containing malicious code. Microsoft has introduced a mitigation strategy in its April 2025 cumulative update, which includes creating a new folder at the root of system drives and implementing detection rules for suspicious junction creations. Organizations are advised to apply the April 2025 security updates, restrict ACLs on specific directories, prevent symbolic link creation, and monitor file creation activities in certain directories.

Winsage

April 22, 2025

These 7 WSL programs changed how I use Windows

Windows users previously faced challenges using Linux tools via virtual machines until the introduction of the Windows Subsystem for Linux (WSL), which was further improved with WSL2. WSL2 integrates a lightweight virtual machine into Windows, allowing users to run Linux applications seamlessly. Runtipi and CasaOS can be easily set up on WSL2 to host self-service applications without complex configurations. Visual Studio Code (VS Code) offers a WSL extension that enables code execution directly in Linux distributions from Windows, enhancing the coding experience. Gigolo is a frontend for managing network shares, which can also be integrated into Windows 11 through WSL2. Ansible can automate the provisioning of virtual machines and containers on WSL2, making it easier for users engaged in DIY projects. Rsync can be installed via WSL2 for efficient file synchronization and backups on Windows. Podman Desktop allows Windows users to explore container runtimes using WSL2, providing a GUI for managing containers. Lastly, WSL2 enables users to access the Linux terminal and run various Linux distributions directly within Windows 11.