privilege escalation Archives

Winsage

May 22, 2025

Windows Server Flaw a Shortcut to Privilege Escalation

An unpatched vulnerability in Windows Server 2025, identified by Akamai researchers, is associated with a method called "BadSuccessor." This flaw, considered "trivial" to exploit and present in the default configuration, allows for privilege escalation and potential full domain compromise. The vulnerability arises from delegated managed service accounts (dMSA), which were intended to enhance security during the migration of legacy service accounts. However, dMSAs can inherit permissions from legacy accounts, enabling attackers to simulate a migration and gain access to the permissions and encryption keys of those accounts without verification. The attack requires prior permissions within an Active Directory organizational unit, indicating a previous breach. Akamai reported the vulnerability to Microsoft on April 1, but Microsoft classified its severity as "moderate." Akamai recommends organizations restrict the creation of dMSAs to mitigate risks associated with this vulnerability.

Winsage

May 21, 2025

New Windows Server 2025 Attack Compromises Any Active Directory User

A significant security flaw, named BadSuccessor, has been discovered in Windows Server 2025, posing a serious risk to Active Directory users. This privilege escalation vulnerability allows attackers to compromise any user in Active Directory and is alarmingly easy to exploit, requiring only basic permissions on any organizational unit. Currently, no patch is available for this vulnerability. In 91% of environments examined, users outside the domain admins group had the necessary permissions to execute the attack. The exploit leverages the delegated Managed Service Account (dMSA) feature, enabling attackers to take control of any principal within the domain. Microsoft has rated the vulnerability as moderate severity and plans to address it in a future update, noting that elevated user permissions are required for successful exploitation. Organizations are advised to identify and eliminate unnecessary permissions to mitigate potential threats.

Winsage

May 21, 2025

Active Directory DMSA Attack Detailed By Researchers

The delegated Managed Service Account (dMSA) feature in Windows Server 2025 has a privilege escalation vulnerability that allows attackers to compromise any user in an Active Directory (AD) environment. Research by Yuval Gordon revealed that in 91% of examined environments, users outside the domain admins group had the necessary permissions to exploit this vulnerability. The attack can be executed with benign permissions on any organizational unit (OU) and does not require actual migration of accounts. Gordon's technique, called “BadSuccessor,” enables an attacker controlling a dMSA object to inherit the permissions and keys of any user, including those with high privileges. Microsoft has acknowledged the vulnerability but categorized it as a Moderate severity issue. Akamai recommends limiting the creation of dMSAs and tightening permissions until a patch is released.

Winsage

May 21, 2025

Windows 11 Introduces Enhanced Administrator Protection to Strengthen Security Against Elevated Privilege Attacks

Microsoft has launched Administrator Protection for Windows 11, a feature designed to enhance cybersecurity by preventing privilege escalation attacks. This feature creates a security boundary around administrative operations, reducing the attack surface for cybercriminals. It introduces a hidden, system-managed local user account that generates isolated admin tokens, preventing user-level malware from compromising elevated processes. Administrator Protection eliminates auto-elevation functionality, requiring users to explicitly authorize administrative actions. It utilizes a System Managed Administrator Account (SMAA) that generates non-persistent admin tokens for specific tasks, which are discarded after use. The feature is currently available to Windows Insiders in the Canary channel and will expand to the Dev channel, with broader deployment expected in the 24H2 release. Compatibility challenges may arise in complex development environments, such as with Visual Studio.

Winsage

May 14, 2025

Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days

Microsoft has addressed 72 vulnerabilities in a recent update, including five classified as zero-days. This is the eighth consecutive month that Microsoft has tackled zero-day vulnerabilities without any being categorized as critical at the time of disclosure. The identified zero-days include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709, with CVSS scores ranging from 7.5 to 7.8. Two of these vulnerabilities are related to the Windows Common Log File Driver System (CLFS), which has been frequently targeted for exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has added all five zero-days to its Known Exploited Vulnerabilities (KEV) list. Experts suggest that some zero-day exploits may be linked to targeted espionage or financially motivated activities, including ransomware deployment. Additionally, Microsoft's update includes five critical vulnerabilities and 50 high-severity defects, with 18 vulnerabilities impacting Microsoft Office and three deemed “more likely” to be exploited. Eight vulnerabilities patched this month are considered “more likely” to be exploited, including two high-severity defects in Microsoft SharePoint Server.

Winsage

May 10, 2025

Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network

Threat actors are exploiting Windows Remote Management (WinRM) to navigate through Active Directory environments stealthily, allowing them to bypass detection systems, escalate privileges, and deploy malicious payloads. WinRM operates on HTTP port 5985 and HTTPS port 5986, enabling remote command execution and management tasks. Attackers can gain access through compromised credentials and use WinRM-enabled PowerShell commands for reconnaissance, deploying payloads while evading detection. The attack chain includes initial access, reconnaissance, payload deployment, persistence, and lateral movement, often utilizing techniques that obfuscate malicious activities. Detecting such attacks is challenging due to the use of built-in Windows functionalities and encrypted channels. Recommended mitigation strategies include monitoring for unusual activity, restricting WinRM access, enforcing credential hygiene, and implementing advanced monitoring solutions.

Winsage

May 8, 2025

Windows 0-Day Vulnerability Exploited in Wild to Deploy Play ransomware

Threat actors associated with the Play ransomware operation exploited a zero-day vulnerability in Microsoft Windows, identified as CVE-2025-29824, before a patch was released on April 8, 2025. This vulnerability affects the Windows Common Log File System (CLFS) driver, allowing attackers to elevate their privileges to full system access. The Play ransomware group targeted an unnamed organization in the United States, likely gaining initial access through a public-facing Cisco Adaptive Security Appliance (ASA). During this intrusion, no ransomware payload was deployed; instead, the attackers used a custom information-stealing tool named Grixba. Microsoft attributed this activity to the threat group Storm-2460, known for deploying PipeMagic malware. The exploitation affected various sectors, including IT, real estate in the U.S., finance in Venezuela, software in Spain, and retail in Saudi Arabia. The vulnerability received a CVSS score of 7.8 and was addressed in Microsoft's April 2025 Patch Tuesday updates. The attack involved creating files in the path C:ProgramDataSkyPDF, injecting a DLL into the winlogon.exe process, extracting credentials from LSASS memory, creating new administrator users, and establishing persistence. The Play ransomware group has been active since June 2022 and employs double-extortion tactics. Organizations are urged to apply the security updates released on April 8, 2025, especially for vulnerable Windows versions, while Windows 11 version 24H2 is not affected due to existing security mitigations.

Winsage

May 7, 2025

Play ransomware affiliate leveraged zero-day to deploy malware

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, which has a CVSS score of 7.8 and is categorized as a "Use after free" vulnerability. This flaw allows an authorized attacker to elevate privileges locally and has been confirmed to be exploited in real-world attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities catalog in April. Microsoft addressed this vulnerability during its April Patch Tuesday security updates, acknowledging its exploitation in limited attacks targeting various sectors in the U.S. and Saudi Arabia. Researchers from Symantec reported that the Play ransomware gang used the CVE-2025-29824 exploit in an attack against a U.S. organization before the public disclosure and patching of the vulnerability. The attackers utilized the Grixba infostealer tool and initially exploited a public-facing Cisco ASA firewall to gain entry. They deployed tools to gather information, escalated privileges using the CVE-2025-29824 exploit, and executed malicious scripts to steal credentials. The exploit took advantage of race conditions in driver memory handling, allowing kernel access and manipulation of files. Before the patch was released, the exploit was reportedly used by multiple threat actors, and Microsoft linked it to other malware.

Winsage

May 7, 2025

Play ransomware exploited Windows logging flaw in zero-day attacks

The Play ransomware gang exploited a critical vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, to execute zero-day attacks, gaining SYSTEM privileges and deploying malware. Microsoft recognized this flaw and issued a patch during last month's Patch Tuesday. The gang targeted sectors including IT and real estate in the U.S., the financial sector in Venezuela, a Spanish software company, and retail in Saudi Arabia. They used the PipeMagic backdoor malware to deploy the CVE-2025-29824 exploit and install ransomware payloads. Symantec's Threat Hunter Team linked these activities to the Play ransomware-as-a-service operation, noting the use of the Grixba infostealer tool. The Play ransomware group, active since at least June 2022, employs double-extortion tactics and has compromised approximately 300 organizations globally as of October 2023. Notable victims include Rackspace, Arnold Clark, the City of Oakland, Dallas County, Antwerp, and Microchip Technology.

Winsage

April 23, 2025

Critical Flaw in Windows Update Stack Enables Code Execution and Privilege Escalation

A newly identified vulnerability in the Windows Update Stack, designated as CVE-2025-21204, allows attackers to execute arbitrary code and escalate privileges to SYSTEM level on affected machines. This critical security flaw arises from improper privilege separation and inadequate validation during the update orchestration process. Attackers can exploit it by creating harmful update packages or acting as man-in-the-middle on compromised networks. The vulnerability impacts any Windows system utilizing the vulnerable update mechanism, affecting both enterprise and consumer editions. Microsoft is working on a patch, and users are advised to monitor official channels for updates and apply patches promptly. Organizations should also restrict network access to update servers and monitor for suspicious update activities. The CVSS score for this vulnerability is 7.8 (High), indicating significant risk.