zero-day exploit

Winsage
June 12, 2025
Microsoft released updates in June 2025 to fix two problems on Windows Server 2025 domain controllers: Kerberos authentication failures and loss of network connectivity after a restart. The fix, shipped in cumulative update KB5060842, addresses a regression introduced by the April security update KB5055523, which changed how domain controllers validate certificates used for Kerberos authentication. After that change, the KDC logged audit errors for self-signed certificates, which affected Windows Hello for Business Key Trust deployments that rely on such certificates. A separate bug caused domain controllers to apply the standard (Public or Private) firewall profile instead of the Domain profile after a reboot, so they no longer handled network traffic correctly. Until the fix shipped, Microsoft's interim workaround was to restart the network adapters from PowerShell after each reboot. The June release fixed 66 vulnerabilities in total, 10 of them rated Critical, and Microsoft recommended installing it promptly. Microsoft also advised against setting the AllowNtAuthPolicyBypass registry value to 2 (enforcement) on domain controllers that rely on self-signed certificates until the June update is installed.
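The two conditions described above can be checked from an elevated PowerShell session on the domain controller. The script below is an added example written for this page; it is not Microsoft's code. It assumes the AllowNtAuthPolicyBypass value lives under the Kdc service key, that the Kerberos KDC provider name is Microsoft-Windows-Kerberos-Key-Distribution-Center, and that the self-signed-certificate audit is event ID 45; treat those three as assumptions to confirm against Microsoft's release notes for your build.

```powershell
# Added example for this page (not Microsoft's code): checks a Windows Server 2025
# domain controller for the two June 2025 issues: the AllowNtAuthPolicyBypass setting
# and a DC that has dropped off the Domain firewall profile after a reboot.
# Assumptions: registry path, KDC provider name and event ID 45 as noted in the lead-in.

$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # assumed location of the value
$valueName = 'AllowNtAuthPolicyBypass'

function Get-NtAuthBypassMode {
    # Returns a readable description of the current mode (0 = disabled, 1 = audit, 2 = enforcement).
    $item = Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (default behaviour)' }
    switch ($item.$valueName) {
        0       { 'Disabled (0)' }
        1       { 'Audit (1)' }
        2       { 'Enforcement (2)' }
        default { "Unknown ($($item.$valueName))" }
    }
}

function Test-DomainFirewallProfile {
    # A DC should sit on the DomainAuthenticated profile; Public/Private after a
    # reboot is the symptom the June 2025 entry describes.
    Get-NetConnectionProfile | ForEach-Object {
        [pscustomobject]@{
            Interface = $_.InterfaceAlias
            Category  = $_.NetworkCategory
            Healthy   = ($_.NetworkCategory -eq 'DomainAuthenticated')
        }
    }
}

$mode = Get-NtAuthBypassMode
Write-Host "AllowNtAuthPolicyBypass: $mode"
if ($mode -like 'Enforcement*') {
    Write-Warning 'Enforcement mode is set. Microsoft advised against this on DCs that rely on self-signed certificates (e.g. Windows Hello for Business Key Trust) until KB5060842 is installed.'
}

# Recent KDC audit events for certificates that did not chain to the NTAuth store
# (event ID 45 is assumed here; adjust if your build logs a different ID).
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 45
} -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

$profiles = Test-DomainFirewallProfile
$profiles | Format-Table -AutoSize
if ($profiles | Where-Object { -not $_.Healthy }) {
    Write-Warning 'An adapter is not on the Domain profile. Microsoft''s interim workaround was to restart the adapters:'
    Write-Host '    Restart-NetAdapter *'
    # Uncomment to apply the workaround (this briefly drops connectivity on the DC):
    # Restart-NetAdapter *
}
```

Run it once after installing the June update and once after the next reboot; if the profile check still fails on a patched DC, the adapter restart is no longer the right answer and the case should go to Microsoft support.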
Winsage
June 10, 2025
Microsoft's June 2025 Patch Tuesday fixed 66 vulnerabilities, including CVE-2025-33053, a remote code execution flaw in Web Distributed Authoring and Versioning (WebDAV) that was already being exploited as a zero-day. The espionage group Stealth Falcon used it against a defense company in Turkey. Stealth Falcon has targeted government and defense organizations in the Middle East and Africa since 2012. CISA added CVE-2025-33053 to its Known Exploited Vulnerabilities catalog. The group's infection chain abuses WebDAV and multi-stage loaders, and because WebDAV is often left enabled and inadequately secured, one cited estimate puts the share of potentially exposed organizations at up to 80%. The same release fixed CVE-2025-47966, a Critical flaw in Power Automate that exposes sensitive information to an unauthorized actor, and 17 vulnerabilities in Microsoft Office, three of which Microsoft rates as more likely to be exploited.
AppWizard
May 14, 2025
Since April 2024 the threat actor Marbled Dust has exploited a zero-day vulnerability (CVE-2025-27920) in the Output Messenger chat application, targeting deployments that had not yet received a fix. Microsoft assesses with high confidence that the campaign collected sensitive data from users in Iraq linked to the Kurdish military. Marbled Dust first performs reconnaissance to identify targets that run Output Messenger, then uses the flaw to deploy malicious files and exfiltrate data. Microsoft notified the application's developer, Srimax, which released a fixed version. A second vulnerability (CVE-2025-27921) was also found, but no exploitation of it has been observed. The zero-day allows an authenticated user to upload files into the server's startup directory. Marbled Dust used it to drop a backdoor script, OMServerService.vbs, into that folder, giving the actor access to the communications and data of every user of the server. The attack chain starts with access to the Output Messenger Server Manager, probably obtained through DNS hijacking or another credential-interception technique. Once authenticated, the actor exploits the vulnerability to drop malicious files, including a Go backdoor that connects to a Marbled Dust command-and-control domain for data exfiltration. Microsoft recommends updating to the latest Output Messenger version, enabling the relevant endpoint protections, and maintaining a rigorous vulnerability management process. Microsoft Defender XDR customers can identify related activity through Marbled Dust-specific alerts and advanced hunting queries. Indicators of compromise include traffic to the domain api.wordinfos[.]com.
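The two indicators named above (the OMServerService.vbs startup script and lookups of api.wordinfos[.]com) can be swept for on an Output Messenger server host. The script below is an added example for this page; it is not Microsoft's advanced hunting query and not part of the vendor product. It assumes a placeholder path for the server's startup directory (the $OutputMessengerStartup parameter), which you must set to the real location for your installation, and it also flags any other executable or script in that directory because the page gives no filename for the Go backdoor.

```powershell
# Added example (not Microsoft's published hunting query): sweeps a Windows host
# running Output Messenger Server for the Marbled Dust indicators named on this page.
# Assumption: $OutputMessengerStartup is a placeholder; point it at the server's
# real startup directory before running.
param(
    [string]$OutputMessengerStartup = 'C:\Program Files\Output Messenger Server\Startup'   # assumed path
)

$iocScript = 'OMServerService.vbs'     # backdoor name reported for this campaign
$iocDomain = 'wordinfos.com'           # api.wordinfos[.]com C2 domain
$scriptExt = @('.vbs', '.exe', '.ps1', '.bat', '.cmd')

# Server-side startup directory plus the two Windows Startup folders.
$startupDirs = @(
    $OutputMessengerStartup,
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
) | Where-Object { Test-Path $_ }

function Find-StartupArtifacts {
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -eq $iocScript -or $scriptExt -contains $_.Extension } |
            ForEach-Object {
                [pscustomobject]@{
                    Indicator = if ($_.Name -eq $iocScript) { 'Known backdoor name' } else { 'Executable in startup dir' }
                    Detail    = $_.FullName
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Created   = $_.CreationTime
                }
            }
    }
}

function Find-C2Lookups {
    # The local DNS client cache only holds recent lookups; DNS server logs or
    # Sysmon event 22 are the place to look for older activity.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$iocDomain" -or $_.Name -like "*$iocDomain" } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'C2 domain lookup'; Detail = $_.Entry; SHA256 = ''; Created = $_.Data }
        }
}

function Find-ScriptHostProcesses {
    # The backdoor is a .vbs, so wscript/cscript executing it is the expected execution path.
    Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
        Where-Object { $_.CommandLine -match 'OMServerService' } |
        ForEach-Object {
            [pscustomobject]@{ Indicator = 'Script host running backdoor'; Detail = $_.CommandLine; SHA256 = ''; Created = $_.CreationDate }
        }
}

$hits = @(Find-StartupArtifacts) + @(Find-C2Lookups) + @(Find-ScriptHostProcesses)
if ($hits.Count -eq 0) { 'No Marbled Dust indicators found on this host.' }
else { $hits | Format-Table -AutoSize }
```

A hit on the known script name is high confidence; an unexpected executable in the startup directory needs a hash lookup and a look at who uploaded it, since the vulnerability is exploited through an authenticated Server Manager session.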
AppWizard
May 7, 2025
The May 2025 security update for Google Pixel devices began rolling out on May 6. It fixes CVE-2025-27363, a vulnerability in the FreeType font rendering library that had seen limited, targeted exploitation, and includes three bug fixes along with 28 security patches. The rollout may take about a week to reach all devices, depending on model and carrier. The update also prevents devices from being rolled back to older, vulnerable bootloader versions. For Pixel 6 and newer devices it improves microphone recording quality, fixes Bluetooth pairing problems with certain smartwatches, and corrects secondary-language display issues in Quick Settings. Users can check for the update in Settings under System > Software update.
Winsage
March 28, 2025
A newly disclosed zero-day vulnerability in Windows lets an attacker capture a user's NTLM credentials when the user merely previews a malicious file; it affects every Windows version from Windows 7 through Windows 11 24H2. Microsoft had not issued a patch at the time of writing. The flaw was reported by Mitja Kolsek of ACROS Security, who noted that the captured NTLM hashes can be relayed or cracked to gain unauthorized access to networks. ACROS Security has published a free micropatch through its 0patch platform as a stopgap. Separately, a zero-day in Google Chrome and other Chromium-based browsers let attackers escape the browser sandbox after a single click on a malicious link; it was used mainly against media organizations and government agencies in Russia. Users are advised to apply the 0patch fix, avoid opening unfamiliar files, and update their browsers.
Winsage
March 28, 2025
Mozilla released Firefox 136.0.4 to fix CVE-2025-2857, a critical vulnerability that could let an attacker escape the browser sandbox on Windows. The flaw, found by Mozilla developer Andrew McCreight, affects both the standard and Extended Support releases; it is fixed in Firefox 136.0.4 and in Firefox ESR 115.21.1 and 128.8.1. The bug resembles CVE-2025-2783, a recently exploited zero-day sandbox escape in Google Chrome used in cyber-espionage campaigns against Russian organizations. Mozilla earlier fixed CVE-2024-9680, a zero-day exploited by the RomCom group to execute code inside Firefox's sandbox, and in 2024 two zero-days demonstrated at the Pwn2Own Vancouver 2024 competition.
Winsage
March 12, 2025
ESET identified a zero-day vulnerability in the Windows Win32 kernel subsystem, CVE-2025-24983, that has been exploited since March 2023. The use-after-free bug lets a low-privileged local attacker gain SYSTEM privileges without user interaction. It mainly affects older Windows versions such as Windows Server 2012 R2 and Windows 8.1, but Windows Server 2016 and Windows 10 version 1809 and earlier are also exposed. The exploit was first seen in the wild in March 2023 on systems already compromised by the PipeMagic malware. Microsoft fixed it in the March 2025 Patch Tuesday release, along with five other zero-days, and CISA has required Federal Civilian Executive Branch agencies to patch by April 1.
AppWizard
February 4, 2025
Google has warned Android users about an exploited zero-day, CVE-2024-53104, a Linux kernel flaw that can crash the device or let an attacker escalate privileges. Because it lies in the kernel, it affects Android devices broadly, including the Galaxy S25 and S24. A fix is included in the February 2025 security patch, but each OEM must ship it to its own devices. Exploitation is reported to be limited and targeted so far, but users are urged to update promptly. A separate flaw in Qualcomm components may also allow remote access to devices, with no victims reported yet. In 2023, 97 zero-days were exploited in the wild, roughly 50% more than in 2022, many of them affecting Android devices.
Tech Optimizer
December 18, 2024
The article discusses the growing threat of cyberattacks as people rely on digital devices without adequate protection, particularly antivirus software. It highlights phishing and ransomware, especially for businesses. Zero-day threats are vulnerabilities unknown to the software's developers, which attackers exploit before a fix exists. Traditional antivirus relies mainly on signature-based detection and heuristic analysis, which are largely ineffective against zero-day exploits. Newer approaches such as Endpoint Detection and Response (EDR), machine-learning-based detection, and Next-Generation Antivirus (NGAV) are being developed to close the gap. The article recommends a multi-layered security strategy that combines several tools and practices.
Winsage
December 7, 2024
Researchers at ACROS Security have discovered a zero-day vulnerability affecting every version of Windows from Windows 7 through Windows 11 and Windows Server 2008 R2 and later. It is an NTLM credential disclosure: an attacker can obtain a user's NTLM hash just by getting the user to view a malicious file in Windows Explorer. There is no official patch from Microsoft yet. The 0patch platform has released a free micropatch to protect systems until an official fix is available.
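The WebDAV attack chain in the June 10, 2025 entry and the two NTLM credential-leak bugs in the March 28, 2025 and December 7, 2024 entries share a precondition: the victim machine must be able to reach an attacker-controlled WebDAV or SMB server. The script below is an added example for this page, not code from 0patch or Microsoft; it reports whether the WebClient (WebDAV) service is enabled and whether outbound SMB is blocked, and with -Remediate applies both mitigations. The rule name and the choice to block only the Internet address range are this example's own assumptions.

```powershell
# Added example (not from 0patch or Microsoft): reports whether this host can reach
# attacker-controlled WebDAV/SMB servers, the precondition for the WebDAV attack chain
# and the NTLM hash-leak bugs described on this page. -Remediate disables WebClient
# and blocks outbound SMB to the Internet.
param([switch]$Remediate)

$findings = @()

# 1. WebClient is Windows' WebDAV mini-redirector. While it runs, a path such as
#    \\attacker@80\share embedded in a file is resolved over HTTP, and the client
#    answers the server's NTLM challenge with a response derived from the user's hash.
$webclient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($webclient) {
    $findings += [pscustomobject]@{
        Check = 'WebClient (WebDAV) service'
        Value = "$($webclient.Status), startup $($webclient.StartType)"
        Risky = ($webclient.Status -eq 'Running' -or $webclient.StartType -ne 'Disabled')
    }
}

# 2. The same leak works over plain SMB (TCP 445) if the firewall lets it out.
#    Look for an enabled outbound block rule covering that port.
$smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and @($_.RemotePort) -contains '445' }
$findings += [pscustomobject]@{
    Check = 'Outbound TCP 445 block rule'
    Value = if ($smbBlock) { 'present' } else { 'absent' }
    Risky = [bool](-not $smbBlock)
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    # Caveat: disabling WebClient breaks legitimate WebDAV use (e.g. mapped SharePoint
    # libraries), so test on a pilot group first.
    if ($webclient -and $webclient.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    if ($webclient) { Set-Service -Name WebClient -StartupType Disabled }
    if (-not $smbBlock) {
        # Rule name and Internet-only scope are this example's choices.
        New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Direction Outbound `
            -Action Block -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Profile Any | Out-Null
    }
}
```

Neither mitigation removes the underlying bugs: the file-preview trigger still fires, and a server on the local network can still collect the hash. They reduce the reach of an Internet-based attacker until the 0patch micropatch or Microsoft's fix is applied.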