RCE Vulnerability Archives

Winsage

May 15, 2025

Windows Remote Desktop Gateway Vulnerability Let Attackers Trigger Dos Condition

The Microsoft Security Response Center (MSRC) has released critical security updates to address a significant vulnerability in the Windows Remote Desktop Gateway service, identified as CVE-2025-26677, which allows unauthorized attackers to cause denial of service (DoS) conditions. This vulnerability is rated as "High" severity with a CVSS score of 7.5 and affects multiple versions of Windows Server, including 2016, 2019, 2022, and 2025. Microsoft has provided security updates (KB5058383, KB5058392, KB5058385, and KB5058411) to rectify the issue. Additionally, another vulnerability, CVE-2025-29831, has been identified that could enable remote code execution (RCE) through a Use After Free weakness, also rated with a CVSS score of 7.5. This vulnerability requires user interaction, specifically an admin user to stop or restart the service, and affects Windows Server versions 2008 R2, 2012/R2, 2016, 2019, 2022, and 2025. Organizations are advised to prioritize patching both vulnerabilities and to review network configurations to limit exposure of Remote Desktop Gateway services. The vulnerabilities were discovered by security researchers from Kunlun Lab.

Winsage

March 13, 2025

Microsoft Patches a Whopping Seven Zero-Days in March

Microsoft's March Patch Tuesday revealed over 50 new vulnerabilities, including seven zero-day vulnerabilities, six of which are currently being exploited. Key vulnerabilities include: - CVE-2025-26633: Security feature bypass in Microsoft Management Console, CVSS score 7.0. - CVE-2025-24993: Remote code execution (RCE) vulnerability in Windows NTFS, CVSS score 7.8. - CVE-2025-24991: Information disclosure vulnerability in Windows NTFS, CVSS score 5.5. - CVE-2025-24985: RCE vulnerability in Windows Fast FAT File System Driver, CVSS score 7.8. - CVE-2025-24984: Information disclosure vulnerability in Windows NTFS, CVSS score 4.6. - CVE-2025-24983: Elevation of privilege (EoP) vulnerability in Windows Win32 Kernel Subsystem, CVSS score 7.0. - CVE-2025-26630: RCE vulnerability in Microsoft Access, CVSS score 7.8. This month's patch list includes 23 EoP and 23 RCE vulnerabilities, with all six critical vulnerabilities being RCEs. Notably, CVE-2025-24084 affects the Windows Subsystem for Linux (WSL2) kernel, and CVE-2025-26645 impacts the remote desktop client (RDP), allowing attackers to achieve remote code execution on vulnerable clients.

Winsage

March 10, 2025

Threat Actors Exploited PHP-CGI RCE Vulnerability To Attack Windows Machines

Cisco Talos has reported a series of cyberattacks exploiting a critical vulnerability in PHP (CVE-2024-4577) to target Windows systems, primarily affecting organizations in Japan since January 2025. The vulnerability allows attackers to execute arbitrary PHP code on servers running Apache with PHP-CGI. They use a Python script, “PHP-CGICVE-2024-4577RCE.py,” to send crafted POST requests and confirm exploitation through a specific MD5 hash. After gaining access, attackers deploy a PowerShell injector script to establish a connection with their command and control (C2) server and utilize Cobalt Strike plugins for post-exploitation activities, including modifying registry keys for persistence and clearing event logs to evade detection. They conduct lateral movement using reconnaissance tools and exploit Group Policy Objects to execute malicious scripts, ultimately extracting credentials with Mimikatz. The attackers have access to a pre-configured installer script on their C2 server, suggesting potential for future attacks.

Winsage

March 5, 2025

Windows KDC Proxy RCE Vulnerability Let Attackers Control The Server Remotely

A critical remote code execution vulnerability, designated as CVE-2024-43639, has been identified in Microsoft’s Windows Key Distribution Center (KDC) Proxy. This flaw arises from an integer overflow due to a missing validation check for Kerberos response lengths, allowing unauthenticated remote attackers to execute arbitrary code with the privileges of the target service. The vulnerability specifically affects KDC Proxy servers and was addressed in a November 2024 security update by implementing necessary length validation checks. Organizations using remote authentication services reliant on the KDC Proxy, such as RDP Gateway or DirectAccess, are particularly at risk. Immediate patching is advised, and monitoring for potential exploitation attempts is recommended.

Winsage

February 12, 2025

Microsoft Patch Tuesday February 2025 – 61 Vulnerabilities Fixed, 3 Actively Exploited in the Wild

Microsoft's February Patch Tuesday update addresses 61 vulnerabilities, including 25 critical Remote Code Execution (RCE) vulnerabilities. Three of these are zero-days, actively exploited before the update: 1. CVE-2023-24932: Secure Boot security feature bypass requiring physical access or administrative rights. 2. CVE-2025-21391: Windows Storage elevation of privilege vulnerability that could lead to data deletion. 3. CVE-2025-21418: Vulnerability in Windows Ancillary Function Driver for WinSock allowing privilege escalation. Critical vulnerabilities include: - CVE-2025-21376: Windows LDAP RCE vulnerability. - CVE-2025-21379: RCE vulnerability in DHCP Client Service. - CVE-2025-21381: RCE vulnerability in Microsoft Excel. The update also addresses additional vulnerabilities related to remote code execution, elevation of privilege, denial of service, security feature bypass, spoofing, and information disclosure across various Microsoft products. Microsoft advises immediate application of the updates to mitigate risks.

Winsage

December 11, 2024

Microsoft fixes zero-day security flaw in latest Windows update

Microsoft addressed 71 vulnerabilities in its December Patch Tuesday update, including a critical zero-day flaw. Of these, 59 vulnerabilities affect various versions of Windows, including Windows 10, Windows 11, and Windows Server. CVE-2024-49138 is a high-risk buffer overflow issue that allows privilege escalation and could enable full control over affected systems. Microsoft classified 16 Remote Code Execution (RCE) vulnerabilities as critical, with nine related to the Remote Desktop service. CVE-2024-49112 affects the Lightweight Directory Access Protocol (LDAP) and could allow code injection without user login. CVE-2024-49117 affects Hyper-V, allowing code execution from a guest system on the host system. Additionally, eight security vulnerabilities in Microsoft Office were resolved, including three RCE vulnerabilities. CVE-2024-49063 is the first identified security flaw in Microsoft's open-source AI project, Muzic. The next Patch Tuesday is scheduled for January 14, 2025.

Winsage

December 11, 2024

Microsoft Fixes Zero-Day, Critical RCEs in Patch Tuesday

A Windows zero-day security vulnerability, tracked as CVE-2024-49138 (CVSS 7.8), exists in the Windows Common Log File System (CLFS) Driver, allowing privilege escalation. This vulnerability can be exploited by manipulating log files or corrupting log data, potentially leading to SYSTEM-level privileges on Windows Server. Microsoft’s December 2024 Patch Tuesday update includes 71 patches, bringing the total for the year to 1,020, with 16 classified as critical. Among these, CVE-2024-49112 (CVSS 9.8) is a critical remote code execution (RCE) vulnerability in Windows LDAP, which can compromise Domain Controllers. CVE-2024-49117 (CVSS 8.8) affects Windows Hyper-V, allowing code execution on the host OS from a guest VM. Additionally, CVE-2024-49132 (CVSS 8.1) impacts Windows Remote Desktop Services, enabling RCE through a use-after-free memory condition. Other vulnerabilities include CVE-2024-49093 (CVSS 8.8), an elevation of privilege flaw in Windows Resilient File System (ReFS), and CVE-2024-49063, an RCE issue in the Musik project related to AI-generated music.

Winsage

November 13, 2024

Zero Day Initiative — The November 2024 Security Update Review

Microsoft has addressed a limited number of critical vulnerabilities, including two related to privilege escalation: one associated with VMSwitch that allows low-privileged users on a guest OS to execute code with SYSTEM privileges on the host OS, and another in a cloud service that has been mitigated. The updates include over 50 code execution vulnerabilities, primarily affecting SQL Server, with CVE-2024-49043 requiring urgent attention for updates to OLE DB Driver versions 18 or 19. Several vulnerabilities in Office components were identified, and the Telephony service revealed six remote code execution vulnerabilities, notably an SMBv3 vulnerability that can exploit a malicious SMB client against an affected SMB server in SMB over QUIC configurations. A CVSS 9.9 rated vulnerability in Azure CycleCloud could allow root-level access, and an RCE vulnerability in TouchGeo was also identified. Over two dozen fixes for privilege escalation vulnerabilities were released, including USB Video Class System vulnerabilities requiring physical access and vulnerabilities in Azure Database for PostgreSQL that could grant SuperUser privileges. Two Security Feature Bypass vulnerabilities were addressed, one in Word and another in Windows Defender Application Control. Two spoofing vulnerabilities were identified in Exchange Server and DNS, and four denial-of-service vulnerabilities were reported, including one in Hyper-V that could facilitate cross-VM attacks. The final Patch Tuesday of 2024 is scheduled for December 10.

Winsage

October 8, 2024

5 CVEs in Microsoft’s October Update to Patch Immediately

Microsoft's October security update has revealed 117 vulnerabilities, including two actively exploited flaws (CVE-2024-43573 and CVE-2024-43572) and three publicly disclosed but unexploited bugs (CVE-2024-6197, CVE-2024-20659, and CVE-2024-43583). Of the total vulnerabilities, 46 allow remote code execution (RCE) and 28 enable privilege escalation. The update is the third largest of the year, following April's 147 and July's 139 disclosed vulnerabilities. CVE-2024-43573 is a spoofing vulnerability in MSHTML, while CVE-2024-43572 is an RCE flaw in the Microsoft Management Console. The three unexploited vulnerabilities include CVE-2024-6197, an RCE in cURL; CVE-2024-20659, a security bypass in Windows Hyper-V; and CVE-2024-43583, an elevation of privilege vulnerability in WinLogon. Additionally, three critical RCE vulnerabilities have been identified: CVE-2024-43468 in Microsoft Configuration Manager, CVE-2024-43582 in the Remote Desktop Protocol (RDP) server, and CVE-2024-43488 in the Visual Studio Code extension for Arduino Remote. CVE-2024-43533 is a high-severity RDP bug that allows arbitrary code execution on client machines.

Winsage

August 14, 2024

Patch Tuesday: 6 Microsoft fixes for flaws already exploited

Microsoft has addressed 102 vulnerabilities in its product suite, with six under active exploitation and four publicly disclosed but not exploited. The most critical vulnerabilities include CVE-2024-38189 (RCE in Microsoft Project, CVSS 8.8), CVE-2024-38178 (Scripting Engine Memory Corruption, CVSS 7.5), and CVE-2024-38193 (Elevation of Privilege, CVSS 7.8). Other vulnerabilities include CVE-2024-38106 and CVE-2024-38107, both leading to privilege escalation. Microsoft has flagged four publicly disclosed vulnerabilities for immediate attention: CVE-2024-38200 (Office Spoofing, CVSS 6.5), CVE-2024-38199 (LPD Service RCE, CVSS 9.8), CVE-2024-21302 (Secure Kernel Mode Elevation, CVSS 6.7), and CVE-2024-38202 (Update Stack Elevation, CVSS 7.3). Adobe has addressed 71 CVEs across its products, with no known exploits reported. SAP released 25 patches, including CVE-2024-41730 (denial of service in BusinessObjects, CVSS 9.8). Intel issued 43 advisories, with nine classified as high-severity flaws affecting various products, including Ethernet Controllers and BIOS Firmware.