zero-day vulnerability Archives

Winsage

April 13, 2025

Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed

Microsoft addressed over 120 vulnerabilities during its April 2025 Patch Tuesday, including a critical zero-day vulnerability (CVE-2025-29824) that is actively exploited. WinRAR users are urged to update to version 7.11 due to a vulnerability (CVE-2025-31334) that allows attackers to bypass Windows' Mark of the Web security feature. Chief Information Security Officers (CISOs) are experiencing security platform fatigue due to the proliferation of multiple security tools. President Donald Trump signed an Executive Order revoking security clearances for Chris Krebs and his colleagues at SentinelOne. Cyber crisis simulations are becoming essential for organizational preparedness against evolving cyber threats. Fortinet has released patches for vulnerabilities, including a critical flaw (CVE-2024-48887) in FortiSwitch appliances. WhatsApp users should update their Windows client app to fix a vulnerability (CVE-2025-30401) that could allow harmful code execution. Kevin Serafin, CISO at Ecolab, discussed aligning security initiatives with business objectives. There is a rise in compromised large language model (LLM) attacks and risks associated with AI autonomy. New open-source tools like the YES3 Scanner and APTRS have been developed to enhance security capabilities. The cybersecurity job market remains strong, with increasing demand for skilled professionals.

Winsage

April 13, 2025

Microsoft’s New Windows Update — 1 Billion Users Warned: Do Not Delete

Windows users are facing security challenges, including a zero-day vulnerability that threatens Windows passwords and hackers bypassing Windows Defender. Microsoft has discontinued VPN support for Windows Defender users and withdrawn security support for Windows 10. A new folder named "inetpub" was created following the April 8 Patch Tuesday updates as part of the fix for CVE-2025-21204, a vulnerability in the Windows Update Stack. This folder has raised concerns among users, prompting Microsoft to advise against deleting it. The creation of the inetpub folder is intended to enhance security, although its purpose remains unclear. Microsoft confirmed that the folder is created regardless of whether Internet Information Services (IIS) is installed on the user's device.

Winsage

April 10, 2025

Microsoft’s Free Upgrade Offer For 500 Million Windows Users

Microsoft has announced that Windows 10 will reach its end-of-life date on October 14, leaving approximately 750 million users vulnerable without critical security updates unless they opt for paid support. Currently, 53% of users, or around 240 million, are still on Windows 10 and may lack the hardware for a free upgrade to Windows 11. A critical zero-day vulnerability, CVE-2025-29824, poses risks to Windows 10 users, and Microsoft has indicated that outdated versions will not receive necessary security patches. Recent updates to Windows 10 have caused issues, including the removal of certain features and bugs affecting Outlook Calendar and Office 2016 applications.

Winsage

April 9, 2025

Microsoft patches zero-day actively exploited in string of ransomware attacks

Microsoft has addressed a zero-day vulnerability, CVE-2025-29824, exploited by the group Storm-2460, affecting the Windows Common Log File System (CLFS). This vulnerability has been linked to ransomware attacks on organizations in the U.S., Venezuela, Spain, and Saudi Arabia. Storm-2460 has targeted firms in the IT and real estate sectors in the U.S., a financial institution in Venezuela, a software company in Spain, and a retail business in Saudi Arabia. The exploitation allows attackers to escalate privileges from standard user accounts, facilitated by the PipeMagic malware, which has a CVSS score of 7.8. Microsoft has patched 32 CLFS vulnerabilities since 2022, with six exploited in the wild. This month's security update is Microsoft's fourth addressing over 100 vulnerabilities in the past year, with 18 affecting Microsoft Office products classified as high-severity.

Winsage

April 9, 2025

Exploitation of CLFS zero-day leads to ransomware activity

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) identified a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS), designated as CVE-2025-29824. This vulnerability has been exploited by the PipeMagic malware, attributed to the group Storm-2460, affecting organizations in various sectors across the U.S., Venezuela, Spain, and Saudi Arabia. Microsoft released security updates on April 8, 2025, to address this vulnerability. The exploit allows attackers with standard user privileges to escalate their access, and it was executed from a dllhost.exe process. The exploit utilizes memory corruption techniques and the RtlSetAllBits API to gain all privileges and inject processes into SYSTEM processes. Post-exploitation, the attackers injected a payload into winlogon.exe, leading to ransomware activity characterized by file encryption and the creation of ransom notes. Indicators of compromise include the creation of a CLFS BLF file at C:ProgramDataSkyPDFPDUDrv.blf, command lines associated with ransomware activities, and specific domains linked to PipeMagic. Microsoft advises applying security updates promptly and recommends strategies for mitigating ransomware threats, including enabling cloud-delivered protection and utilizing device discovery.

Winsage

April 9, 2025

Windows Common Log File System 0-Day Vulnerability Exploited in the Wild

A critical zero-day vulnerability in the Windows Common Log File System (CLFS) driver, identified as CVE-2025-29824, is actively exploited, allowing attackers to elevate privileges to SYSTEM level and compromise system integrity. This flaw arises from a use-after-free issue within the CLFS driver, enabling local attackers to execute malicious code. Microsoft is aware of the exploitation and is working on a security update, but no immediate patch is available. The vulnerability affects multiple versions of Windows 10, including x64-based and 32-bit systems, and can lead to privilege escalation, data breaches, operational disruption, and malware deployment. Microsoft has classified this vulnerability as "Important" and urges organizations to apply patches promptly once available.

Winsage

April 9, 2025

Microsoft: Windows CLFS zero-day exploited by ransomware gang

Microsoft reported that the RansomEXX ransomware gang has been exploiting a critical zero-day vulnerability in the Windows Common Log File System, identified as CVE-2025-29824, allowing them to gain SYSTEM privileges on targeted systems. This vulnerability stems from a use-after-free flaw and affects organizations in various sectors, including IT and real estate in the US, financial institutions in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia. Microsoft has released security updates for most affected Windows versions but has postponed patches for Windows 10 x64 and 32-bit systems. Customers running Windows 11, version 24H2, are not vulnerable to the exploitation. The RansomEXX group, also known as Storm-2460, uses the PipeMagic backdoor malware to facilitate the exploitation of CVE-2025-29824, alongside ransomware payloads. The group has targeted high-profile organizations, including GIGABYTE, Konica Minolta, the Texas Department of Transportation, Brazil's court system, Montreal's STM public transport system, and government software provider Tyler Technologies.

Winsage

April 8, 2025

Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824)

April 2025 Patch Tuesday introduced fixes for over 120 vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) that is actively exploited. CVE-2025-29824 is a user-after-free vulnerability in the Windows Common Log File System (CLFS), allowing privilege escalation to SYSTEM on compromised Windows machines. Microsoft has patched 32 CLFS vulnerabilities since 2022, with six exploited in the wild. Updates for Windows 10 are not yet available. Other notable vulnerabilities include CVE-2025-26663 and CVE-2025-26670, both unauthenticated user-after-free vulnerabilities in Windows LDAP, and CVE-2025-27480 and CVE-2025-27482 in Windows Remote Desktop Services. None of these vulnerabilities have been patched for Windows 10 systems, but updates are forthcoming. Microsoft reversed its decision to discontinue driver update synchronization to WSUS servers, confirming that WSUS will continue to synchronize driver updates.

Winsage

March 29, 2025

Hackers Bypass Windows Defender Security—What You Need To Know

Elite red team hackers have revealed a significant vulnerability in the Windows ecosystem, specifically a method to bypass Windows Defender Application Control (WDAC), which is designed to restrict application execution to trusted software. Bobby Cooke from IBM X-Force Red confirmed that the Microsoft Teams application was successfully targeted to bypass WDAC, allowing the execution of a Command and Control payload. The techniques used included utilizing "Living Off The Land Binaries" (LOLBINS), side-loading a trusted application with an untrusted dynamic linked library, exploiting a custom exclusion rule from a client WDAC policy, and discovering a new execution chain within a trusted application. Microsoft acknowledged awareness of the WDAC bypass report and stated they would take action as needed to protect customers.

Winsage

March 28, 2025

Windows Users at Risk: New Zero-Day Exploit Steals Passwords Without Interaction

A newly uncovered zero-day vulnerability in Windows allows hackers to steal NTLM credentials simply by previewing a malicious file, affecting multiple Windows versions, including Windows 7 and Windows 11 v24H2. Microsoft has not yet issued a patch for this vulnerability, leaving millions of users exposed. The flaw was reported by security researcher Mitja Kolsek from ACROS Security, who noted that stolen credentials could lead to unauthorized access to networks. ACROS Security has created a temporary micro-patch available through its 0patch platform, which users are encouraged to implement. Additionally, a separate zero-day vulnerability identified in Google Chrome and other Chromium-based browsers allows attackers to bypass sandbox protection with a click on a malicious link, primarily targeting media organizations and government agencies in Russia. Users are advised to install the 0patch fix, avoid interacting with unfamiliar files, and update their browsers to protect against these threats.