zero-day flaw

Winsage
March 14, 2025
Microsoft released update KB5053598 for Windows 11 24H2 to enhance security by addressing critical vulnerabilities. Users are experiencing installation challenges, with common error codes such as 0x800f0993, 0x800F081F, 0x80070032, and 0xC004F211 indicating failures. The installation process often stalls at various percentages, and some users report the update uninstalling itself after reaching nearly complete progress. Additionally, those who successfully install the update face issues like the Blue Screen of Death, booting problems, and disconnections when using Remote Desktop Protocol (RDP). Microsoft has not acknowledged these issues or provided a resolution, and no workarounds are available. Users are advised to roll back the update to restore system stability. The update aimed to address significant security vulnerabilities, including the zero-day flaw CVE-2025-24983.
Winsage
March 11, 2025
Microsoft released security updates on the March 2025 Patch Tuesday, addressing 57 vulnerabilities, including six classified as critical, all related to remote code execution. The vulnerabilities are categorized as follows: 23 Elevation of Privilege, 3 Security Feature Bypass, 23 Remote Code Execution, 4 Information Disclosure, 1 Denial of Service, and 3 Spoofing. The updates specifically address six actively exploited zero-day vulnerabilities and one publicly disclosed zero-day vulnerability.

The six actively exploited zero-day vulnerabilities are:
1. CVE-2025-24983 - Elevation of Privilege in Windows Win32 Kernel Subsystem.
2. CVE-2025-24984 - Information Disclosure in Windows NTFS.
3. CVE-2025-24985 - Remote Code Execution in Windows Fast FAT File System Driver.
4. CVE-2025-24991 - Information Disclosure in Windows NTFS.
5. CVE-2025-24993 - Remote Code Execution in Windows NTFS.
6. CVE-2025-26633 - Security Feature Bypass in Microsoft Management Console.

The publicly disclosed zero-day is:
- CVE-2025-26630 - Remote Code Execution in Microsoft Access.

A comprehensive list of resolved vulnerabilities includes various CVE IDs with their respective titles and severities, with several vulnerabilities affecting Microsoft Office products, Windows components, and Azure services.
Winsage
December 4, 2024
A proof-of-concept (PoC) exploit has been released for a critical zero-day vulnerability in the Windows Task Scheduler, designated as CVE-2024-49039, which has a high CVSS score of 8.8. This privilege escalation flaw allows attackers to execute arbitrary code on affected systems with potential for zero-click exploitation. The exploitation of this vulnerability has been traced back to the Russia-aligned threat actor RomCom. Between October 10 and November 4, 2024, potential victims were mainly in Europe and North America, with some regions having up to 250 affected targets. The PoC exploit, available on GitHub, targets the WPTaskScheduler.dll component and demonstrates the ability to bypass restricted token sandboxes. Microsoft has released a patch for CVE-2024-49039, modifying the RPC Interface Security in WPTaskScheduler.dll to require at least Medium Integrity for access. Security experts recommend that Windows users and administrators apply the latest updates and adopt defense-in-depth strategies.
Winsage
December 2, 2024
A significant security vulnerability has been identified in Windows Server 2012 and Server 2012 R2, allowing attackers to bypass security measures enforced by the Mark of the Web (MotW) feature. This zero-day flaw has existed for over two years and affects certain file types, posing a risk even to fully updated systems and those with Extended Security Updates. The vulnerability was discovered by 0patch security researchers and reported to Microsoft; 0patch has developed free micropatches to mitigate the issue until an official fix is released. The affected systems include Windows Server 2012 and 2012 R2, both updated through October 2023, and those with Extended Security Updates. Free micropatches are available for immediate protection on systems with the 0patch Agent. Security experts recommend applying the micropatches, monitoring for official updates from Microsoft, considering upgrades to supported server versions, and implementing additional security measures.
Winsage
November 14, 2024
Suspected Russian hackers are exploiting a zero-day vulnerability in Windows, identified as CVE-2024-43451, which is an NTLM Hash Disclosure spoofing vulnerability. ClearSky security researchers discovered that the vulnerability allows attackers to steal a logged-in user's NTLMv2 hash by manipulating connections to a server they control. The malicious campaign was first detected in June, using phishing emails with links that download an Internet shortcut file from a compromised server. User interaction with the URL file can trigger the vulnerability, enabling the download of malware like SparkRAT. ClearSky reported the findings to Ukraine's Computer Emergency Response Team (CERT-UA), linking the attacks to a Russian-affiliated threat group known as UAC-0194. Microsoft patched the vulnerability during the November 2024 Patch Tuesday and confirmed that user interaction is necessary for exploitation. The vulnerability affects all supported versions of Windows, including Windows 10 and later. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities Catalog, requiring organizations to secure affected systems by December 3.
Winsage
August 19, 2024
A security vulnerability in Microsoft Windows, identified as CVE-2024-38193, has been exploited by the Lazarus Group, a state-sponsored entity linked to North Korea. This privilege escalation bug, categorized within the Windows Ancillary Function Driver (AFD.sys) for WinSock, has a CVSS score of 7.8. Microsoft stated that successful exploitation could grant SYSTEM privileges. The flaw was discovered by researchers Luigino Camastra and Milánek from Gen Digital, who reported that it allowed unauthorized access to sensitive system areas. The attacks utilized a rootkit named FudModule, which evades detection, and were delivered through a remote access trojan known as Kaolin RAT. This incident follows a similar vulnerability, CVE-2024-21338, also exploited by the Lazarus Group, which involved the AppLocker driver (appid.sys) and allowed arbitrary code execution.