elevated privileges Archives

Winsage

July 8, 2025

Silverfort uncovers critical Netlogon flaw affecting Windows domain controllers

A vulnerability identified as “NOTLogon” (CVE-2025-47978) has been discovered in Microsoft Corp.'s Netlogon protocol, allowing low-privilege machines to remotely crash Windows domain controllers, disrupting Active Directory services. This flaw arises from issues in the Network Ticket Logon feature introduced in late 2024, specifically in the NetrLogonSamLogonEx RPC call processing malformed inputs in the AdditionalTicket buffer. An empty or improperly formatted ticket can crash the domain controller’s LSASS process, leading to a system reboot. The vulnerability does not grant elevated privileges or allow credential theft but can cause denial-of-service attacks that halt user logins and restrict access to enterprise systems. The discovery utilized AI-assisted techniques to analyze differences in Netlogon specifications. Organizations are advised to apply the July 2025 security update, audit machine account usage, restrict machine account creation, and segment network access to protect domain controllers.

Winsage

June 25, 2025

New FileFix Exploit Uses Windows File Explorer to Run Malicious Commands

A newly identified exploit called "FileFix" manipulates Windows File Explorer to execute harmful commands while remaining within a web browser. Developed by security researcher mr.d0x, it builds on the ClickFix social engineering attack. FileFix uses the file upload feature on websites, prompting users to copy a malicious PowerShell command disguised as a file path. When users paste this path into the File Explorer address bar, it executes the command without their knowledge. The attack exploits familiar workflows, bypassing user skepticism and does not require elevated privileges or complex malware. Security experts warn that FileFix could enable the delivery of infostealers, ransomware, or other malware, posing a significant risk to individuals and organizations. Users are advised to be cautious of instructions to copy and paste file paths from unfamiliar sources, monitor for suspicious processes initiated by browsers, and keep security software updated.

Winsage

May 22, 2025

Windows Server Flaw a Shortcut to Privilege Escalation

An unpatched vulnerability in Windows Server 2025, identified by Akamai researchers, is associated with a method called "BadSuccessor." This flaw, considered "trivial" to exploit and present in the default configuration, allows for privilege escalation and potential full domain compromise. The vulnerability arises from delegated managed service accounts (dMSA), which were intended to enhance security during the migration of legacy service accounts. However, dMSAs can inherit permissions from legacy accounts, enabling attackers to simulate a migration and gain access to the permissions and encryption keys of those accounts without verification. The attack requires prior permissions within an Active Directory organizational unit, indicating a previous breach. Akamai reported the vulnerability to Microsoft on April 1, but Microsoft classified its severity as "moderate." Akamai recommends organizations restrict the creation of dMSAs to mitigate risks associated with this vulnerability.

Winsage

May 21, 2025

Windows 11 Introduces Enhanced Administrator Protection to Strengthen Security Against Elevated Privilege Attacks

Microsoft has launched Administrator Protection for Windows 11, a feature designed to enhance cybersecurity by preventing privilege escalation attacks. This feature creates a security boundary around administrative operations, reducing the attack surface for cybercriminals. It introduces a hidden, system-managed local user account that generates isolated admin tokens, preventing user-level malware from compromising elevated processes. Administrator Protection eliminates auto-elevation functionality, requiring users to explicitly authorize administrative actions. It utilizes a System Managed Administrator Account (SMAA) that generates non-persistent admin tokens for specific tasks, which are discarded after use. The feature is currently available to Windows Insiders in the Canary channel and will expand to the Dev channel, with broader deployment expected in the 24H2 release. Compatibility challenges may arise in complex development environments, such as with Visual Studio.

Winsage

April 24, 2025

Microsoft mystery folder fix might need a fix of its own

Microsoft's recent patch for CVE-2025-21204 inadvertently reintroduced the inetpub folder at c:inetpub as part of its mitigation strategy, raising concerns among system administrators. Security researcher Kevin Beaumont discovered that this folder created a new vulnerability when he used the mklink command with the /j parameter to redirect the folder to a system executable (notepad.exe). This allowed standard users to prevent Windows updates without administrative rights, as the command could be executed on default-configured systems. Beaumont has notified Microsoft of this vulnerability, but the company has not yet responded.

Winsage

April 24, 2025

Windows 11’s crucial new ‘inetpub’ folder is laughably easy to hack

A new folder named "inetpub" appeared on many Windows PCs after an April update, initially thought to be a glitch. Microsoft later stated that this folder was introduced to enhance Windows security by addressing the CVE-2025-21204 vulnerability. However, security researcher Kevin Beaumont revealed that the inetpub folder could allow attackers to bypass critical security updates. Beaumont proposed creating a junction point in the C: directory to prevent the inetpub folder's creation, which would also block the installation of the April update and subsequent security updates, leaving PCs vulnerable. This situation could lead to error messages and failed update rollbacks, with attackers able to exploit these issues without elevated privileges. Beaumont has informed Microsoft about the problem, but a response has not yet been received.

Winsage

April 19, 2025

Microsoft is deprecating a ‘revolutionary’ virtualization-based security feature for older versions of Windows 11

Microsoft has announced the deprecation of Virtualization-based Security (VBS) enclaves, a feature introduced in July 2024, in Windows 11 23H2 and earlier versions, as well as in Windows Server 2022 and its predecessors. Support for VBS enclaves will continue in Windows Server 2025 and future versions. VBS enclaves were designed to create secure memory spaces using Microsoft's Hyper-V hypervisor, enhancing security for specific application components. The decision to phase out VBS enclaves may be influenced by the rapid development cycle of Windows 11. Users are expected to transition to newer releases as support for Windows 11 23H2 ends in November. Enterprise customers relying on VBS enclaves may face disruptions if the feature is completely removed.

Winsage

April 17, 2025

Hackers Exploiting NTLM Spoofing Vulnerability in Wild to Compromise Systems

Cybercriminals are exploiting a vulnerability in Windows systems known as CVE-2025-24054, which involves NTLM hash disclosure through spoofing techniques. This flaw allows attackers to leak NTLM hashes, leading to privilege escalation and lateral movement within networks. It is triggered when a user extracts a ZIP archive containing a malicious .library-ms file, causing Windows Explorer to initiate SMB authentication requests that expose NTLMv2-SSP hashes. Exploitation of this vulnerability began shortly after a security patch was released on March 11, 2025, with campaigns targeting government and private institutions in Poland and Romania. These campaigns utilized spear-phishing emails containing malicious ZIP archives, which, when interacted with, leaked NTLM hashes. The malicious files included various types designed to initiate SMB connections to attacker-controlled servers, allowing for pass-the-hash attacks and privilege escalation. The stolen hashes were sent to servers in several countries, indicating potential links to state-sponsored groups. One campaign involved Dropbox links that exploited the vulnerability upon user interaction. Microsoft has recommended immediate patching, enhancing network defenses, user education, network segmentation, and regular security audits to mitigate risks associated with this vulnerability.

Winsage

April 9, 2025

Windows Common Log File System 0-Day Vulnerability Exploited in the Wild

A critical zero-day vulnerability in the Windows Common Log File System (CLFS) driver, identified as CVE-2025-29824, is actively exploited, allowing attackers to elevate privileges to SYSTEM level and compromise system integrity. This flaw arises from a use-after-free issue within the CLFS driver, enabling local attackers to execute malicious code. Microsoft is aware of the exploitation and is working on a security update, but no immediate patch is available. The vulnerability affects multiple versions of Windows 10, including x64-based and 32-bit systems, and can lead to privilege escalation, data breaches, operational disruption, and malware deployment. Microsoft has classified this vulnerability as "Important" and urges organizations to apply patches promptly once available.

Winsage

March 12, 2025

CISA Warns of Microsoft Windows Win32 Kernel Subsystem Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has identified a vulnerability in the Microsoft Windows Win32 kernel subsystem, designated as CVE-2025-24983. This use-after-free vulnerability in the Win32k component could allow an authorized attacker to elevate privileges locally. It is categorized under Common Weakness Enumeration (CWE) 416. CISA recommends users apply Microsoft’s mitigation instructions, follow Binding Operational Directive (BOD) 22-01 for cloud services, and discontinue use of affected products if necessary. The deadline for addressing this vulnerability is April 1, 2025.