Windows vulnerabilities

Winsage
December 8, 2025
Microsoft has introduced a Common Vulnerabilities and Exposures (CVE) reporting capability within Windows Autopatch to improve security for IT teams. This tool provides an overview of Windows vulnerabilities addressed in recent updates, enabling device-specific tracking. Key features of the CVE report include a list of CVEs addressed in the past 90 days, tracking of patch compliance at the device level, links to Knowledge Base articles, filtering options, and near real-time updates. Administrators can access the CVEs report by navigating to the Microsoft Intune admin center and selecting the appropriate reports. The report includes CVE identifiers, severity scores, exploitation status, and details on devices needing updates. Organizations can enhance their response to vulnerabilities by utilizing various strategies, such as the Windows Autopatch update readiness feature and targeted fixes with the Security Copilot Vulnerability Remediation Agent.
Winsage
November 1, 2025
Two significant vulnerabilities in Windows have been identified: one is a zero-day vulnerability, undetected until March 2023, linked to 11 advanced persistent threat (APT) groups, and the other is a critical flaw that Microsoft has struggled to address. The zero-day vulnerability, labeled ZDI-CAN-25373 and later updated to CVE-2025-9491, originates from a flaw in the Windows Shortcut binary format and has been exploited in attacks across nearly 60 countries, with the U.S., Canada, Russia, and Korea being the most targeted. Microsoft has not released a patch for this vulnerability after seven months. A China-aligned threat group, UNC-6384, has been exploiting CVE-2025-9491 to target various European nations, using a remote access trojan called PlugX, which encrypts the binary file with RC4 until the final stage of the attack. Arctic Wolf noted that the coordinated targeting suggests a large-scale intelligence collection operation or multiple operational teams with shared tools.
Winsage
August 14, 2025
Microsoft has addressed 67 vulnerabilities in its supported Windows versions, including Windows 10, Windows 11, and Windows Server. Users on Windows 7 and Windows 8.1 have not received updates for some time. Upgrading to Windows 11 24H2 is recommended for continued protection. Two critical remote code execution (RCE) vulnerabilities are CVE-2025-53766, affecting the Graphics Device Interface API, and CVE-2025-50165, impacting the Windows Graphics Component. Both can be exploited by visiting a specially crafted website. Three critical vulnerabilities in Hyper-V include CVE-2025-48807, which allows code execution from a guest system to the host; CVE-2025-53781, which poses a data leak risk; and CVE-2025-49707, a spoofing vulnerability. Additionally, 12 vulnerabilities in the Routing and Remote Access Service (RRAS) have been addressed, with half classified as RCE vulnerabilities and the other half as data leaks. CVE-2025-53779, affecting Kerberos for Windows Server 2025, could allow an attacker to gain administrator rights under specific conditions, but is classified as medium risk.
Winsage
August 11, 2025
Researchers Yair and Shahak Morag from SafeBreach Labs introduced a new category of denial-of-service (DoS) attacks called the “Win-DoS Epidemic” at DEF CON 33. They identified four new DoS vulnerabilities in Windows and one zero-click distributed denial-of-service (DDoS) flaw, all classified as “uncontrolled resource consumption.” The vulnerabilities include:
- CVE-2025-26673 (CVSS 7.5): High-severity DoS vulnerability in Windows LDAP.
- CVE-2025-32724 (CVSS 7.5): High-severity DoS vulnerability in Windows LSASS.
- CVE-2025-49716 (CVSS 7.5): High-severity DoS vulnerability in Windows Netlogon.
- CVE-2025-49722 (CVSS 5.7): Medium-severity DoS vulnerability in Windows Print Spooler, requiring an authenticated attacker on an adjacent network.
These vulnerabilities can incapacitate Windows endpoints or servers, including Domain Controllers (DCs), potentially allowing for the creation of a DDoS botnet. The researchers also discovered a DDoS technique called Win-DDoS that exploits a flaw in the Windows LDAP client’s referral process, enabling attackers to repeatedly redirect DCs to a victim server. This method can leverage public DCs globally, creating a large, untraceable DDoS botnet without specialized infrastructure. Additionally, the researchers examined the Remote Procedure Call (RPC) protocol and found three new zero-click, unauthenticated DoS vulnerabilities that can crash any Windows system. They also identified another DoS flaw exploitable by any authenticated user on the network. The researchers released tools named “Win-DoS Epidemic” to exploit these vulnerabilities, highlighting the need for organizations to reassess their security measures regarding internal systems and services such as DCs.
Winsage
June 25, 2025
Microsoft is facing challenges due to a system takeover attack and a secure boot bypass vulnerability affecting Windows users. They have advised users to update their systems immediately. However, Windows 11 version 24H2 users may experience issues with the "Scan for Updates" function, particularly if they have not installed the May non-security preview update, KB5058499. Microsoft recommends installing KB5058499 or the KB5062324 configuration update, which is being rolled out gradually. Users can check for updates by adjusting their settings and restarting their systems.
Winsage
April 20, 2025
Microsoft has reported a record number of 1,360 security vulnerabilities for its products in 2024, marking an 11% increase from 2023. This includes 587 vulnerabilities in Windows (33 classified as critical) and 684 in Windows Server (43 classified as critical). The increase in reported vulnerabilities suggests that security researchers are effectively identifying weaknesses, and Microsoft has invested over a million dollars in bounties to encourage this. The proactive communication and remediation process during Patch Tuesday enhances security, indicating that Microsoft is committed to addressing vulnerabilities rather than being indifferent to user security.
Winsage
March 12, 2025
In March, Microsoft confirmed six zero-day vulnerabilities in its Patch Tuesday security announcement, marking an increase from five reported in January and February combined. The March update includes a total of 57 Common Vulnerabilities and Exposures (CVEs), with all six zero-days classified as critical. These vulnerabilities can be addressed with a single cumulative update, requiring no additional configuration steps post-patch. The zero-days affect critical components such as the Microsoft Management Console, NTFS, Fast FAT, and the Win32 Kernel Subsystem. The specific vulnerabilities are:
1. CVE-2025-26633: Security feature bypass in the Microsoft Management Console, requiring social engineering to exploit.
2. CVE-2024-24993: Heap-based buffer overflow in Windows NTFS, allowing unauthorized code execution through a specially crafted virtual hard disk.
3. CVE-2025-24991: Information disclosure vulnerability affecting Windows 10 to 11 and Server 2008 to 2025, deemed critical.
4. CVE-2025-24985: Vulnerability in the Windows Fast FAT file system driver, posing a risk of remote code execution via a specially crafted virtual hard disk.
5. CVE-2025-24983: Elevation of privilege vulnerability in the Windows Win32 kernel subsystem, potentially granting unauthorized access to sensitive data.
6. CVE-2025-24984: Another information disclosure vulnerability in Windows NTFS, also affecting the same range of Windows editions and considered critical.