remote code execution Archives

Winsage

May 28, 2025

Microsoft surprises with emergency patch KB5061977 for Windows 11 24H2

On May 27, Microsoft released an out-of-band update, KB5061977, for Windows 11 version 24H2, elevating the operating system build to 26100.4066. This emergency patch addresses a security vulnerability currently being exploited, likely related to remote code execution or privilege escalation. The update is available through Windows Update, Windows Update for Business, WSUS, and the Microsoft Update Catalog. Organizations are urged to prioritize its installation, especially on publicly accessible or critical systems. The update focuses on security and reliability improvements, with no new features introduced. The issuance of this update outside regular maintenance windows presents challenges for IT administrators, emphasizing the need for proactive patch management strategies.

Winsage

May 20, 2025

Securing the Model Context Protocol: Building a safer agentic future on Windows

The Model Context Protocol (MCP) is a lightweight, open protocol functioning as JSON-RPC over HTTP, facilitating standardized discovery and invocation of tools. MCP defines three roles: MCP Hosts (applications accessing capabilities), MCP Clients (initiators of requests), and MCP Servers (services exposing functionalities). Windows 11 will incorporate MCP to enable developers to create intelligent applications leveraging generative AI. An early preview of MCP capabilities will be available for developer feedback. MCP introduces security risks, including cross-prompt injection, authentication gaps, credential leakage, tool poisoning, lack of containment, limited security review, registry risks, and command injection. To address these, Windows 11's MCP Security Architecture will establish security requirements for MCP servers, ensuring user safety and transparency, enforcing least privilege, and implementing security controls like proxy-mediated communication, tool-level authorization, a central server registry, and runtime isolation. MCP servers must comply with security requirements, including mandatory code signing, unchanged tool definitions at runtime, security testing, mandatory package identity, and declared privileges. An early private preview of MCP server capability will be offered to developers post-Microsoft Build for feedback, with a secure-by-default enforcement strategy planned for broader availability. Microsoft aims to enhance defenses continuously and collaborate with partners to bolster MCP's security framework.

Winsage

May 19, 2025

Windows Remote Desktop Gateway UAF Vulnerability Allows Remote Code Execution

A critical vulnerability, designated as CVE-2025-21297, has been identified in Microsoft’s Remote Desktop Gateway (RD Gateway) due to a use-after-free (UAF) bug linked to concurrent socket connections during the service's initialization. This flaw, located in the aaedge.dll library within the CTsgMsgServer::GetCTsgMsgServerInstance function, allows multiple threads to overwrite a global pointer, leading to potential arbitrary code execution. The vulnerability affects multiple versions of Windows Server, including 2016, 2019, 2022, and 2025. Microsoft released security updates in May 2025 to address the issue, implementing mutex-based synchronization. The updates are KB5050011 for Windows Server 2016, KB5050008 for Windows Server 2019, KB5049983 for Windows Server 2022, and KB5050009 for Windows Server 2025. Security experts recommend applying these patches promptly and monitoring RD Gateway logs for unusual activity.

Winsage

May 15, 2025

Windows Remote Desktop Vulnerability Let Attackers Execute Malicious Code Over Network

Microsoft's May 2025 Patch Tuesday addressed 72 vulnerabilities in Windows Remote Desktop services, including two critical vulnerabilities, CVE-2025-29966 and CVE-2025-29967, which are heap-based buffer overflow issues. These flaws allow unauthorized attackers to execute arbitrary code over a network, posing significant risks. The vulnerabilities have been rated as "Critical" and classified under CWE-122. They affect various versions of Windows operating systems utilizing Remote Desktop services. Although there have been no reported active exploitations, experts warn of the potential dangers, urging users to apply patches immediately. The update also addressed five actively exploited zero-day vulnerabilities in other Windows components. Patches are available through Windows Update, WSUS, and the Microsoft Update Catalog.

Winsage

May 15, 2025

Windows Remote Desktop Gateway Vulnerability Let Attackers Trigger Dos Condition

The Microsoft Security Response Center (MSRC) has released critical security updates to address a significant vulnerability in the Windows Remote Desktop Gateway service, identified as CVE-2025-26677, which allows unauthorized attackers to cause denial of service (DoS) conditions. This vulnerability is rated as "High" severity with a CVSS score of 7.5 and affects multiple versions of Windows Server, including 2016, 2019, 2022, and 2025. Microsoft has provided security updates (KB5058383, KB5058392, KB5058385, and KB5058411) to rectify the issue. Additionally, another vulnerability, CVE-2025-29831, has been identified that could enable remote code execution (RCE) through a Use After Free weakness, also rated with a CVSS score of 7.5. This vulnerability requires user interaction, specifically an admin user to stop or restart the service, and affects Windows Server versions 2008 R2, 2012/R2, 2016, 2019, 2022, and 2025. Organizations are advised to prioritize patching both vulnerabilities and to review network configurations to limit exposure of Remote Desktop Gateway services. The vulnerabilities were discovered by security researchers from Kunlun Lab.

Winsage

May 14, 2025

Microsoft’s ‘Patch Tuesday’ Update Fixes Seven Zero-Day Exploits

Microsoft's latest Patch Tuesday update addresses 72 security vulnerabilities, including five critical zero-day vulnerabilities. Four of these zero-days are elevation of privilege flaws: - CVE-2025-32701 and CVE-2025-32706 target the Windows Common Log File System Driver. - CVE-2025-30400 affects the Microsoft DWM Core Library. - CVE-2025-32709 involves the Windows Ancillary Function Driver for WinSock. These vulnerabilities allow attackers to gain SYSTEM privileges locally. The fifth zero-day, CVE-2025-30397, is a remote code execution vulnerability in the Microsoft Scripting Engine, which can be exploited through malicious links in Microsoft Edge or Internet Explorer. CVE-2025-30397, CVE-2025-32701, and CVE-2025-30400 were discovered by the Microsoft Threat Intelligence Center, while CVE-2025-32706 was disclosed by the Google Threat Intelligence Group and CrowdStrike, and CVE-2025-32709 was reported by an anonymous researcher. Additionally, a publicly disclosed spoofing flaw in Microsoft Defender, CVE-2025-26685, allows unauthenticated attackers with local network access to impersonate another account. The final zero-day, CVE-2025-32702, is a remote code execution vulnerability in Visual Studio.

Winsage

May 14, 2025

Patch Tuesday for May: Five zero day vulnerabilities CISOs should focus on

A vulnerability identified as CVE-2025-30397 can be exploited when Microsoft Edge is in “Internet Explorer” mode, which is typically not the default setting but may be necessary for certain users. Another vulnerability, CVE-2025-29831, can only be exploited during a restart of the Remote Desktop Protocol (RDP) service. SAP has released 18 Security Notes to address various vulnerabilities, including critical authorization issues, remote code execution, information disclosure, and cross-site scripting.

Winsage

May 14, 2025

Microsoft Scripting Engine 0-Day Vulnerability Enables Remote Code Execution Over Network

Microsoft has identified a memory corruption vulnerability in its Scripting Engine, designated as CVE-2025-30397. This vulnerability allows unauthorized remote code execution and is classified as “Important” under CWE-843 (Type Confusion). It was disclosed in the May 2025 Patch Tuesday updates and arises from improper handling of resource types. Exploitation occurs when a user clicks a specially crafted URL in Microsoft Edge's Internet Explorer Mode, potentially compromising system confidentiality, integrity, and availability. Although the attack complexity is high, successful exploitation has been confirmed in the wild. Microsoft has issued patches for all supported Windows versions, and users are advised to apply these updates and consider disabling Internet Explorer Mode to reduce risk.

Winsage

May 14, 2025

Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days

Microsoft has addressed 72 vulnerabilities in a recent update, including five classified as zero-days. This is the eighth consecutive month that Microsoft has tackled zero-day vulnerabilities without any being categorized as critical at the time of disclosure. The identified zero-days include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709, with CVSS scores ranging from 7.5 to 7.8. Two of these vulnerabilities are related to the Windows Common Log File Driver System (CLFS), which has been frequently targeted for exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has added all five zero-days to its Known Exploited Vulnerabilities (KEV) list. Experts suggest that some zero-day exploits may be linked to targeted espionage or financially motivated activities, including ransomware deployment. Additionally, Microsoft's update includes five critical vulnerabilities and 50 high-severity defects, with 18 vulnerabilities impacting Microsoft Office and three deemed “more likely” to be exploited. Eight vulnerabilities patched this month are considered “more likely” to be exploited, including two high-severity defects in Microsoft SharePoint Server.

AppWizard

May 13, 2025

Turkish spies caught exploiting zero-day for over a year

Microsoft reported that Turkish espionage operatives have been exploiting a zero-day vulnerability (CVE-2025-27920) in the Output Messenger app to gather intelligence on the Kurdish military in Iraq. This operation, attributed to the group Marbled Dust, began in April 2024. The vulnerability is a directory traversal flaw in version 2.0.62 of the app, and many users have not yet updated to the patched version released in December. Marbled Dust has used this flaw to access sensitive user data and deploy malicious files within the Output Messenger server. The group has a history of targeting entities opposing Turkish interests and has evolved its tactics by leveraging this vulnerability for unauthorized access. Srimax and Microsoft are advising users to upgrade to version V2.0.63 to mitigate the risks associated with the exploit.