Windows vulnerability

Winsage
April 20, 2025
Microsoft has reported a record 1,360 security vulnerabilities across its products in 2024, an 11% increase over 2023. The total includes 587 vulnerabilities in Windows (33 rated critical) and 684 in Windows Server (43 rated critical). The rise in reported vulnerabilities suggests that security researchers are effectively identifying weaknesses, and Microsoft has paid out more than a million dollars in bounties to encourage this work. The proactive disclosure and remediation process around Patch Tuesday strengthens security and indicates that Microsoft is committed to fixing vulnerabilities rather than leaving users exposed.
Winsage
April 19, 2025
A Windows vulnerability tracked as CVE-2025-24054 is being exploited in phishing campaigns against government and private organizations. Initially considered low-risk, it was fixed in Microsoft's March 2025 Patch Tuesday updates. After the patches were released, Check Point observed a rise in exploitation attempts, particularly linked to the Russian group APT28. Attackers sent phishing emails with Dropbox links to .library-ms files which, when opened, connected to an external SMB server controlled by the attackers, allowing NTLM hashes to be captured. A subsequent wave of attacks delivered .library-ms files as direct attachments, requiring minimal user interaction to trigger the vulnerability. The malicious ZIP archive also contained files exploiting older NTLM vulnerabilities. Check Point identified the specific IP addresses of the attackers' SMB servers. Although classified as medium severity, the vulnerability's potential impact is significant, so organizations are advised to apply the March 2025 updates and to consider disabling NTLM authentication where it is not essential.
Winsage
March 26, 2025
0patch has released micropatches for a critical SCF File NTLM hash disclosure vulnerability affecting all Windows versions from Windows 7 to Windows 11 and Windows Server editions from 2008 to 2025. This vulnerability allows attackers to obtain users' NTLM credentials by having them view a malicious file in Windows Explorer. 0patch operates on a subscription model and provides security fixes for unsupported Windows versions, as well as complimentary patches for unaddressed vulnerabilities. Specific details about the vulnerability are currently withheld, pending an official fix from Microsoft.
Winsage
March 18, 2025
At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a Windows vulnerability tracked as ZDI-CAN-25373 since 2017 for data theft and cyber espionage. Microsoft has classified the vulnerability as "not meeting the bar for servicing," meaning no security update will be released. The flaw allows attackers to execute arbitrary code on affected Windows systems by concealing malicious command-line arguments inside .LNK shortcut files, using padded whitespace to hide them from inspection. Nearly 70% of the analyzed attacks linked to this vulnerability were related to espionage, while 20% aimed for financial gain. Various malware payloads, including Ursnif, Gh0st RAT, and Trickbot, have been associated with these attacks. Exploitation requires user interaction, as the target must visit a malicious page or open a malicious file. Microsoft has not assigned a CVE-ID to this vulnerability but is tracking it internally as ZDI-CAN-25373. A Microsoft spokesperson said the company is considering addressing the flaw in the future.
Winsage
February 14, 2025
A vulnerability in Microsoft Windows, identified by ClearSky Cyber Security, is being actively exploited by the Chinese APT group Mustang Panda. This low-severity vulnerability affects how Windows processes files from compressed RAR archives, making extracted files invisible in the Windows Explorer GUI while still accessible via command-line tools. Mustang Panda uses this vulnerability to hide malicious files within archives, facilitating stealthy attacks through phishing campaigns. Despite its exploitation, Microsoft has rated the vulnerability as low-severity, which may indicate limited potential damage. Cybersecurity experts warn that such vulnerabilities can have significant implications when used in larger attack strategies.
Winsage
February 5, 2025
Microsoft has introduced a PowerShell script, KB5053484, to address the 2023 BlackLotus Secure Boot vulnerability (CVE-2023-24932) in Windows operating systems. The update targets Windows bootable media and aligns it with the new Secure Boot Certificate Authority (CA) released in February 2024, which replaces the outdated CA from 2011. The BlackLotus vulnerability allows attackers to bypass Secure Boot on Windows 10 and 11 and potentially inject malicious code at the UEFI level. The update is available immediately to strengthen protection against this threat.
Winsage
December 17, 2024
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
1. Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference Vulnerability (CVE-2024-35250), severity score 7.8.
2. Adobe ColdFusion improper access control vulnerability (CVE-2024-20767), severity score 7.4, affecting ColdFusion versions 2023.6, 2021.12, and earlier.
CISA has set a deadline of January 6, 2025, for federal agencies to address these vulnerabilities.
Winsage
December 16, 2024
The Cybersecurity and Infrastructure Security Agency (CISA) has warned U.S. federal agencies about a critical Windows kernel vulnerability, CVE-2024-35250, which allows local attackers to elevate their privileges to SYSTEM level. This vulnerability is linked to the Microsoft Kernel Streaming Service (MSKSSRV.SYS) and was exploited during the Pwn2Own Vancouver 2024 competition. Microsoft issued a patch for this vulnerability in June 2024, but proof-of-concept exploit code appeared on GitHub four months later. CISA has also flagged a critical Adobe ColdFusion vulnerability, CVE-2024-20767, which allows unauthenticated remote attackers to access sensitive files. Over 145,000 ColdFusion servers are exposed to the Internet. Both vulnerabilities are listed in CISA's Known Exploited Vulnerabilities catalog, and federal agencies must secure their networks by January 6 under the Binding Operational Directive (BOD) 22-01.
Winsage
November 30, 2024
Security researchers have confirmed a cyber attack attributed to the Russian state-sponsored threat group RomCom, exploiting two zero-day vulnerabilities in Mozilla Firefox and Windows operating systems. The vulnerabilities are CVE-2024-9680, a use-after-free memory flaw in Firefox, and CVE-2024-49039, a privilege escalation flaw in Windows. The attack primarily affects users in Europe and North America and allows for the installation of a backdoor on Windows systems without user interaction. RomCom has expanded its focus to include industries such as pharmaceuticals, insurance, and legal sectors in the US and Germany. Mozilla and Microsoft have released patches to address these vulnerabilities, with Mozilla patching Firefox within a day and Microsoft addressing the Windows vulnerability in the latest Patch Tuesday updates. Experts warn that organizations must keep their software updated to mitigate ongoing risks from RomCom attackers.