downgrade attacks

Winsage
September 16, 2025
Microsoft has acknowledged that the September 2025 Windows security updates are causing connection failures to Server Message Block (SMB) v1 shares across several platforms, including Windows 11 versions 24H2, 23H2, and 22H2, Windows 10 versions 22H2 and 21H2, and Windows Server 2025 and Windows Server 2022. The issue occurs when a client connects to an SMBv1 share over the NetBIOS over TCP/IP (NetBT) transport (TCP port 139) after installing the September 2025 update or later. Microsoft is working on a resolution and has provided a temporary workaround: allow SMB traffic over TCP port 445 (direct-hosted SMB) so the connection no longer depends on NetBT. SMBv1 has been largely phased out and officially deprecated since 2014, with Microsoft urging administrators to remove support for it because of its security weaknesses, especially after the 2017 leak of NSA exploits that targeted SMBv1.
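The checks an administrator would want before applying that workaround, as an added PowerShell example that is not part of the article or of Microsoft's guidance: whether SMBv1 is still enabled at all, which dialects live sessions actually negotiate, whether anything still relies on port 139 rather than 445, and whether 445 is allowed through the host firewall. It assumes an elevated session on a recent Windows client or server; on Server SKUs the SMB1 component is a Windows feature (`FS-SMB1`) rather than the optional feature queried here.

```powershell
# Added example (not from the article): audit a Windows host for SMBv1 exposure
# and for SMB traffic that still depends on NetBIOS over TCP/IP (port 139)
# instead of direct-hosted SMB on TCP 445. Run in an elevated PowerShell session.

# 1. Is the SMB1 server protocol or the SMB1 component still enabled?
$srv = Get-SmbServerConfiguration
"SMB1 server enabled : $($srv.EnableSMB1Protocol)"
# Client SKUs expose SMB1 as an optional feature; Server SKUs use Get-WindowsFeature FS-SMB1.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
"SMB1 feature state  : $($feature.State)"

# 2. Which dialects are inbound sessions and outbound connections using right now?
"Inbound session dialects:"
Get-SmbSession -ErrorAction SilentlyContinue |
    Group-Object Dialect | Select-Object Name, Count
"Outbound connections:"
Get-SmbConnection -ErrorAction SilentlyContinue |
    Select-Object ServerName, ShareName, Dialect

# 3. Established SMB connections on 139 (NetBT) versus 445 (direct-hosted SMB).
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 139,445 -or $_.LocalPort -in 139,445 } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort

# 4. Firewall rules that cover TCP 445; Microsoft's workaround needs 445 reachable.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action

# The durable fix is removing SMB1 rather than keeping it reachable over 445:
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

Any session or connection reporting dialect 1.x in step 2 is a client or server that still has to be migrated; the port-445 workaround only keeps it working, it does not make it safe.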
Winsage
September 11, 2025
In its September 2025 security update, Microsoft addressed 80 vulnerabilities in its software, eight classified as Critical and 72 as Important. None of these vulnerabilities is reported as exploited in the wild as a zero-day. The vulnerabilities include 38 privilege escalation flaws, 22 remote code execution flaws, 14 information disclosure flaws, and three denial-of-service flaws. Notable entries include CVE-2025-55234 (CVSS score: 8.8), a privilege escalation vulnerability in Windows SMB, and CVE-2025-54914 (CVSS score: 10.0), a critical flaw in Azure Networking. Other significant vulnerabilities include CVE-2025-55232 (CVSS score: 9.8) in Microsoft HPC Pack and CVE-2025-54918 (CVSS score: 8.8) in Windows NTLM. Two additional privilege escalation vulnerabilities in Windows BitLocker were also fixed. Microsoft recommends requiring TPM+PIN pre-boot authentication for BitLocker and applying the REVISE mitigation to block downgrade attacks against the boot chain. Other vendors, including Adobe, Cisco, and IBM, have also released security patches recently.
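The TPM+PIN recommendation above, carried out in PowerShell as an added example that is not part of the article or of Microsoft's advisory. It assumes an elevated session, that `C:` is the BitLocker-protected OS volume, and that replacing an existing TPM-only protector with a TPM+PIN protector is the intended end state; the `FVE` policy value names are the ones the "Require additional authentication at startup" Group Policy writes (0 = do not allow, 1 = allow, 2 = require).

```powershell
# Added example (not from the article): require TPM+PIN at boot so that a
# tampered or downgraded boot chain cannot unseal the BitLocker key without a
# user present. Run elevated; assumes C: is the OS volume.

# 1. Policy: BitLocker refuses a PIN protector unless advanced startup is allowed.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # TPM-only: do not allow
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord   # TPM+PIN: require
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 0 -Type DWord

# 2. Never remove startup protectors without an escrowed recovery password.
$vol = Get-BitLockerVolume -MountPoint 'C:'
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw 'Add and back up a RecoveryPassword protector before changing startup protectors.'
}

# 3. Add the TPM+PIN protector, then drop the TPM-only protector it replaces.
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
$pin = Read-Host -Prompt 'Enter a new startup PIN' -AsSecureString
Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
foreach ($kp in $tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 4. Verify: a TpmPin protector must exist and no plain Tpm protector may remain.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

The order matters: the new protector is added before the old one is removed, so the volume is never left with only a recovery password as its unlock path.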
Tech Optimizer
May 27, 2025
Hackers are increasingly targeting the startup sequence of systems, focusing on BIOS, UEFI, and bootloaders, which lets them act before traditional operating system defenses are loaded. Firmware threats often evade conventional security measures and give attackers a persistent foothold. Notable threats such as BlackLotus, BootHole, and EFILock exploit vulnerabilities in boot components, even on systems protected by Secure Boot. Attackers can embed malicious code in firmware or replace legitimate bootloaders, retaining control across OS reinstalls and even storage replacement, because the implant lives below the operating system. Common attack vectors include compromised storage, network connections, or console inputs during boot. Malicious code can execute before security software starts, and attackers may exploit misconfigured or outdated signature databases, as well as downgrade attacks that reinstall older, vulnerable firmware or boot components. To mitigate these threats, organizations should enforce Secure Boot policies, keep the signature databases (db and dbx) current, and monitor boot behavior for anomalies.
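The "keep the signature databases current" advice is only checkable if you can read db and dbx from the running system. The following added PowerShell example, not part of the article, confirms Secure Boot is on and parses the UEFI `db` and `dbx` variables using the EFI_SIGNATURE_LIST layout from the UEFI specification (a GUID signature type, three UINT32 sizes, an optional header, then fixed-size entries each prefixed by an owner GUID). Run elevated on a UEFI system. Two subject strings are matched as indicators and are assumptions about the current certificate names: "Windows UEFI CA 2023" (the newer Microsoft boot CA expected in db) and "Microsoft Windows Production PCA 2011" (the CA the BlackLotus mitigations revoke by adding it to dbx).

```powershell
# Added example (not from the article): read the UEFI Secure Boot db / dbx
# variables from Windows and parse them as EFI_SIGNATURE_LIST structures.

function Read-EfiSignatureLists {
    param([byte[]]$Bytes)
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID
    $x509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $pos + 16)   # whole list incl. header
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $pos + 20)   # optional SignatureHeader
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $pos + 24)   # size of each EFI_SIGNATURE_DATA
        if ($listSize -lt 28 -or $sigSize -le 16) { break }       # malformed; stop rather than loop
        $entry = $pos + 28 + $hdrSize
        $end   = [Math]::Min($pos + $listSize, $Bytes.Length)
        while ($entry + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$Bytes[$entry..($entry + 15)])
            $data  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
            $kind  = if ($type -eq $sha256Guid) { 'sha256' } elseif ($type -eq $x509Guid) { 'x509' } else { $type.ToString() }
            $subject = $null; $hex = $null
            if ($kind -eq 'x509') {
                try { $subject = ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)).Subject }
                catch { $subject = '<unparseable certificate>' }
            } elseif ($kind -eq 'sha256') {
                $hex = [BitConverter]::ToString($data).Replace('-', '').ToLower()
            }
            [pscustomobject]@{ Type = $kind; Owner = $owner; Subject = $subject; Sha256 = $hex }
            $entry += $sigSize
        }
        $pos = $end
    }
}

"Secure Boot enabled : $(Confirm-SecureBootUEFI)"
$db  = @(Read-EfiSignatureLists -Bytes (Get-SecureBootUEFI -Name db).Bytes)
$dbx = @()
try { $dbx = @(Read-EfiSignatureLists -Bytes (Get-SecureBootUEFI -Name dbx).Bytes) }
catch { Write-Warning 'dbx variable not present: no revocations are enforced on this firmware.' }

"db  entries : $($db.Count) (x509: $(@($db  | Where-Object Type -eq 'x509').Count))"
"dbx entries : $($dbx.Count) (sha256 hashes: $(@($dbx | Where-Object Type -eq 'sha256').Count), x509: $(@($dbx | Where-Object Type -eq 'x509').Count))"
"Trusted signing certificates in db:"
$db | Where-Object Type -eq 'x509' | Select-Object Subject

# Indicator checks; the subject strings below are assumptions about current CA names.
if (-not ($db  | Where-Object Subject -like '*Windows UEFI CA 2023*')) {
    Write-Warning 'db lacks the Windows UEFI CA 2023: boot managers signed by the newer CA will not be trusted.'
}
if (-not ($dbx | Where-Object Subject -like '*Microsoft Windows Production PCA 2011*')) {
    Write-Warning 'dbx does not revoke the Windows Production PCA 2011: older signed boot managers (BlackLotus-style downgrade) still boot.'
}
```

A small or empty dbx is the usual finding on machines that never received a DBX update; such a host will happily run an old, signed, vulnerable boot manager even with Secure Boot on, which is exactly the downgrade path the article warns about.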
Winsage
October 28, 2024
Microsoft's approach to security vulnerabilities has been criticized for not classifying scenarios where an attacker with administrative privileges can execute kernel-level code as critical vulnerabilities. SafeBreach researchers highlighted that this narrow definition leaves systems vulnerable to custom rootkits that can bypass essential security controls. They identified CVE-2024-21302, a privilege escalation vulnerability affecting the Windows virtualization stack, and CVE-2024-38202, which allows attackers to exploit the Windows Update process to disable security features like Driver Signature Enforcement and virtualization-based security. Microsoft is actively developing mitigations for these vulnerabilities and has released a security update for CVE-2024-38202 on October 15, with further updates planned for CVE-2024-21302.
Winsage
October 28, 2024
Cybersecurity experts have discovered a method that allows cybercriminals to bypass Windows security features, specifically Driver Signature Enforcement (DSE), enabling the installation of rootkits on fully updated systems. Alon Leviev from SafeBreach reported that the exploit involves downgrading specific Windows kernel components, making Windows 11 devices particularly vulnerable. Despite notifying Microsoft, no fix has been implemented, as the company stated the vulnerability does not breach a “security boundary” since administrator access is required for exploitation. Leviev presented this vulnerability at the Black Hat and DEF CON 2024 conferences, introducing a tool called Windows Downdate that can reactivate previously patched vulnerabilities. He demonstrated downgrading components on Windows 11 to bypass DSE and install rootkits that disable security software. A key part of his attack involved replacing the ci.dll file with an unpatched version, which requires a system restart and disguises the action as a routine update. Leviev also showed methods to disable Virtualization-Based Security (VBS) by modifying settings and files. Microsoft is working on a solution to block outdated system files and prevent downgrade attacks, but the timeline for this fix is uncertain due to the need for thorough testing. Leviev advises organizations to remain vigilant against downgrade attacks until a resolution is available.
Winsage
October 28, 2024
A newly identified attack technique puts fully patched Windows systems at risk: by downgrading operating system components, an attacker can bypass Microsoft's Driver Signature Enforcement (DSE) and load unsigned kernel drivers. The technique builds on two privilege escalation flaws in the Windows update mechanism, CVE-2024-21302 and CVE-2024-38202, which can be abused to roll an updated system back to earlier versions that still contain patched weaknesses. A tool called Windows Downdate hijacks the Windows Update process to perform downgrades of critical OS components that the system's own patch status does not reveal. The DSE bypass exploits a race condition to swap a verified security catalog file for a malicious one, after which an unsigned kernel driver can be loaded. It works by downgrading the "ci.dll" library, and is blocked if Virtualization-Based Security (VBS) is running on the host. Attackers can disable VBS by manipulating registry keys, however; the attack fails only when VBS is enabled with the UEFI lock and the "Mandatory" flag, which refuses to boot if the VBS files are corrupted. Microsoft addressed the vulnerabilities in its August and October 2024 updates.
Winsage
October 26, 2024
SafeBreach security researcher Alon Leviev has identified a weakness in the Windows operating system that allows attackers to downgrade kernel components, bypassing security measures like Driver Signature Enforcement (DSE). This enables the installation of rootkits on fully patched systems. Leviev demonstrated that attackers can manipulate the Windows Update process to introduce outdated components without altering the system's reported patch status. He introduced a tool called Windows Downdate, which builds custom downgrades that expose updated systems to previously patched vulnerabilities. Leviev's DSE bypass, named "ItsNotASecurityBoundary," lets unsigned kernel drivers be loaded and thereby enables rootkit deployment. Although Microsoft addressed the privilege escalation aspect of the issue, that fix does not protect against downgrade attacks. Leviev's research shows that attackers can replace the 'ci.dll' file responsible for enforcing DSE with an unpatched version during the Windows Update process, circumventing the protection. He also discussed methods to disable Microsoft's Virtualization-based Security (VBS), which is designed to protect critical resources, by modifying registry keys. Leviev emphasizes that endpoint security tools need to monitor downgrade procedures to mitigate these risks.
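The three SafeBreach summaries above agree on two practical takeaways: the attack is stopped only when VBS is on, UEFI-locked and marked Mandatory, and a downgraded `ci.dll` is invisible to the normal "fully patched" status. The following added PowerShell example, written here and not taken from SafeBreach or from Windows Downdate, checks both on a host. It assumes an elevated session; the `Locked` and `Mandatory` value names under the `DeviceGuard` key and the `Win32_DeviceGuard` status codes (VBS status 2 = running, service 2 = HVCI) are taken from Microsoft's VBS documentation and should be verified against the current version of that documentation. The baseline `ci.dll` version is a placeholder you must replace with the version read from a known-good, fully patched reference machine.

```powershell
# Added example (not from the articles or from SafeBreach): is this host in the
# one configuration the research describes as resistant (VBS running, UEFI lock,
# Mandatory flag), and is ci.dll older than a pinned post-patch baseline?

$BaselineCiVersion = [version]'10.0.22631.0'   # PLACEHOLDER: pin from a known-good patched host

# 1. Live VBS / HVCI state from the Device Guard WMI provider.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2      # 2 = running
$hvciRunning = @($dg.SecurityServicesRunning) -contains 2      # 2 = hypervisor-enforced code integrity

# 2. Policy state: UEFI lock and the Mandatory flag (value names per Microsoft VBS docs).
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
$locked    = ($reg.Locked -eq 1)
$mandatory = ($reg.Mandatory -eq 1)

# 3. Code Integrity binary version vs. the running kernel and vs. the pinned baseline.
$ci  = (Get-Item "$env:SystemRoot\System32\ci.dll").VersionInfo
$krn = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
$ciVer  = [version]::new($ci.FileMajorPart,  $ci.FileMinorPart,  $ci.FileBuildPart,  $ci.FilePrivatePart)
$krnVer = [version]::new($krn.FileMajorPart, $krn.FileMinorPart, $krn.FileBuildPart, $krn.FilePrivatePart)

# 4. Boot configuration switches that also weaken DSE.
$bcd = (bcdedit /enum '{current}') -join "`n"
$testSigning = $bcd -match '(?im)^\s*testsigning\s+Yes'
$noIntegrity = $bcd -match '(?im)^\s*nointegritychecks\s+Yes'

[pscustomobject]@{
    VbsRunning        = $vbsRunning
    HvciRunning       = $hvciRunning
    UefiLocked        = $locked
    Mandatory         = $mandatory
    CiDllVersion      = $ciVer
    KernelVersion     = $krnVer
    TestSigning       = $testSigning
    NoIntegrityChecks = $noIntegrity
}

if (-not ($vbsRunning -and $locked -and $mandatory)) {
    Write-Warning 'VBS is not running with UEFI lock + Mandatory: the registry-based VBS disable step in the research would succeed here.'
}
if ($ciVer.Build -ne $krnVer.Build) {
    Write-Warning "ci.dll build $($ciVer.Build) does not match the kernel build $($krnVer.Build): mixed-build system files are a downgrade indicator."
}
if ($ciVer -lt $BaselineCiVersion) {
    Write-Warning "ci.dll $ciVer is older than the pinned baseline $BaselineCiVersion: Get-HotFix will not show this; treat as a possible downgrade."
}
if ($testSigning -or $noIntegrity) {
    Write-Warning 'Boot configuration disables signature checks; DSE is off regardless of ci.dll.'
}
```

The version comparison is deliberately against a baseline you pin rather than against Windows Update, because the whole point of the technique is that the update client keeps reporting the machine as current after the rollback.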
Winsage
August 28, 2024
At the Black Hat 2024 conference, SafeBreach researcher Alon Leviev introduced a tool called Windows Downdate, which can silently reverse security patches on Windows 10, Windows 11, and Windows Server systems. This open-source Python program lets users execute downgrade attacks that reintroduce previously patched vulnerabilities, and it relies on CVE-2024-21302 and CVE-2024-38202 to do so. The tool subverts Windows Update so that the system still appears fully updated after it has been downgraded. Leviev demonstrated it by reverting the Hyper-V hypervisor and other Windows components to earlier versions. Microsoft released a security update on August 7 for CVE-2024-21302 but has not yet issued a patch for CVE-2024-38202. Until a patch is available, Microsoft recommends that users follow its published mitigation guidance to reduce the risk.