Exploited Vulnerabilities

Winsage
March 26, 2025
Russian threat actors are exploiting a zero-day vulnerability in the Microsoft Management Console (MMC), identified as CVE-2025-26633, allowing them to bypass security features and execute harmful code. The hacking group Water Gamayun, also known as EncryptHub and Larva-208, is behind this campaign, using a weaponized version of the vulnerability called “MSC EvilTwin” to deploy various malicious payloads, including information stealers and backdoors. The vulnerability affects multiple Windows versions, particularly older systems like Windows Server 2016. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26633 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch affected systems by April 1, 2025. Microsoft included this vulnerability in its March 2025 Patch Tuesday update. Recommended mitigations include applying security patches, restricting network access to MMC ports, and monitoring for unusual MMC activity.
AppWizard
March 25, 2025
A recent incident involved The Atlantic's editor-in-chief in a Signal chat among senior officials from the Trump administration discussing military actions in Yemen. Signal was chosen for its robust security features, including end-to-end encryption that prevents interception by intermediaries. Signal operates as an independent non-profit, unlike WhatsApp, which is owned by Meta. Its popularity is growing in political circles, with recommendations from both the European Commission and Parliament for secure communications. The guidelines noted an increase in threats to telecommunications infrastructure and recommended Signal when corporate tools are unavailable. A recent leak of U.S. national defense plans was due to human error, not Signal's encryption flaws.
Winsage
March 22, 2025
A zero-day vulnerability in Windows shortcut (.lnk) files has been exploited by state-sponsored hacking groups since 2017, allowing attackers to execute arbitrary code on compromised systems. Microsoft has classified this vulnerability as "not meeting the bar for servicing," meaning no security updates will be issued. Trend Micro tracks it as ZDI-CAN-25373 and has linked it to cyber-espionage campaigns involving 11 nation-state actors from countries such as North Korea, Iran, Russia, and China. Nearly 1,000 malicious .lnk samples exploiting this flaw have been identified, with many more potentially undetected. Attackers often use phishing emails to deliver these malicious files, which can download additional malware and grant full control over the compromised machine. Organizations are advised to scan their systems and implement security measures against this vulnerability.
Winsage
March 20, 2025
Almost a dozen state-sponsored threat groups from nations including China, Russia, Iran, and North Korea are exploiting a security vulnerability in Microsoft Windows, identified as ZDI-CAN-25373, to conduct espionage and gather sensitive information. This vulnerability affects how Windows handles .lnk files, allowing attackers to execute hidden malicious commands. Since 2017, these groups have targeted government, military, and critical infrastructure organizations globally, with 11 state-sponsored groups identified, primarily focusing on espionage (70%) and financial motives (20%). North Korea accounts for 45.5% of the exploitation, with Iran and Russia at 18.2% each, and China at 18.1%. The United States has experienced the most attacks (343 incidents), followed by Canada (39), Russia (25), and South Korea (23). Despite being notified, Microsoft does not plan to issue a patch for this vulnerability, categorizing it as "low severity."
Winsage
March 14, 2025
Windows 10 users are urged to download the latest update due to critical fixes for six actively exploited vulnerabilities affecting up to 240 million individuals. The U.S. Cyber Defense Agency advises updating systems before April 1st or turning off computers as a precaution. The vulnerabilities include:
- CVE-2025-24993: Buffer overflow exploit.
- CVE-2025-24991: Access to data from a malicious virtual hard disk.
- CVE-2025-24984: Exploit requiring physical access to log sensitive information.
- CVE-2025-26633: Bypass flaw in Microsoft Management Console.
- CVE-2025-24985: Privilege escalation flaw after mounting a VHD.
- CVE-2025-24983: System-level exploit for gaining top privileges on the Windows Kernel Subsystem.
Over 600 organizations have been affected by these vulnerabilities. Microsoft will cease security updates for Windows 10 on October 14th, 2025, and users are encouraged to transition to Windows 11. Currently, there is a 60/40 split between Windows 10 and 11 users, with only 2% switching monthly. Approximately 240 million users have PCs incompatible with Windows 11, potentially leading to 1.1 billion pounds of computing equipment being discarded. The slow migration poses risks to user data security.
Winsage
March 12, 2025
CISA has identified a critical vulnerability in Microsoft Windows Management Console (MMC), designated as CVE-2025-26633, which allows remote attackers to execute arbitrary code due to improper input sanitization. This vulnerability is included in CISA's Known Exploited Vulnerabilities catalog, and federal agencies must address it by April 2, 2025, as per Binding Operational Directive 22-01. Microsoft has released an out-of-band patch on March 10, 2025, to improve input validation in mmc.exe. Organizations are advised to prioritize patching, restrict MMC access, and monitor for exploitation.
Winsage
March 12, 2025
ESET has identified a zero-day vulnerability in the Windows Win32 Kernel Subsystem, designated as CVE-2025-24983, which has been exploited since March 2023. This vulnerability, stemming from a use-after-free weakness, allows low-privileged attackers to escalate access to SYSTEM privileges without user interaction. It primarily affects older Windows versions, including Windows Server 2012 R2 and Windows 8.1, but also poses risks to newer versions like Windows Server 2016 and Windows 10 (build 1809 and earlier). The exploit was first seen in the wild in March 2023, targeting systems compromised by the PipeMagic malware. Microsoft has addressed this vulnerability in the recent Patch Tuesday updates. Additionally, five other zero-day vulnerabilities were also patched, and CISA has mandated that Federal Civilian Executive Branch agencies secure their systems by April 1st.
Winsage
March 12, 2025
Microsoft has released its latest Patch Tuesday updates, addressing six actively exploited vulnerabilities among a total of 67 Common Vulnerabilities and Exposures (CVEs). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned users to update their systems by April 1st or consider turning off their devices. The update includes 56 new CVEs across various platforms, with six rated as critical and already being exploited. Approximately 800 million users are still on Windows 10, which will stop receiving security updates after October 14, 2025. An estimated 240 million users may not be able to upgrade to Windows 11 for free. Windows 10's market share has declined below 60%, while Windows 11 approaches a 40% share. Microsoft has stated that only fully licensed Windows 10 machines capable of supporting Windows 11 will be eligible for the upgrade. The urgency for users with non-upgradable Windows 10 devices is emphasized due to the increasing number of exploited vulnerabilities.
Winsage
March 4, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its list of actively exploited vulnerabilities, highlighting several critical exploits. Key vulnerabilities include:
- CVE-2023-20118: Affects specific Cisco Small Business Router models (RV016, RV042, RV042G, RV082, RV320, RV325), allowing hackers to remotely execute arbitrary commands via specially crafted HTTP requests, potentially granting root-level privileges.
- CVE-2023-20025: Could enable hackers to bypass admin credential requirements for CVE-2023-20118.
- CVE-2018-8639: Affects various Windows operating systems (Windows 7, Windows Server 2012 R2, Windows 10) due to the Win32k component's failure to manage memory objects, allowing local attackers to execute arbitrary code in kernel mode.
Neither Microsoft nor Cisco has issued specific security advisories regarding these vulnerabilities.