Microsoft patches Windows Kernel zero-day exploited since 2023

Slovak cybersecurity firm ESET has identified a newly patched zero-day vulnerability within the Windows Win32 Kernel Subsystem, which has been actively exploited since March 2023. This security flaw, now designated as CVE-2025-24983, was reported to Microsoft by ESET researcher Filip Jurčacko and has been addressed in the recent Windows security updates released during this month’s Patch Tuesday.

The vulnerability stems from a use-after-free weakness that allows attackers with low privileges to escalate to SYSTEM privileges without any user interaction. However, Microsoft rates the attack as high complexity, since a threat actor must win a race condition to exploit it.

According to ESET, the zero-day exploit targeting CVE-2025-24983 was “first seen in the wild” in March 2023, specifically on systems compromised by the PipeMagic malware. Notably, this exploit primarily affects older Windows versions, such as Windows Server 2012 R2 and Windows 8.1, which are no longer supported by Microsoft. Nevertheless, it also poses a risk to newer versions, including the still-supported Windows Server 2016 and Windows 10 systems running build 1809 and earlier.
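For defenders triaging the version caveat above, the following added PowerShell script (not from the article, ESET or Microsoft) classifies a host against the Windows families the article names and reports whether any update has landed since the March 2025 Patch Tuesday (11 March 2025). The build numbers it uses and the install-date proxy are assumptions: the article gives no KB number, so the exact KB for your build must be confirmed against Microsoft's advisory for CVE-2025-24983.

```powershell
# Added triage script: is this host in the affected range for CVE-2025-24983,
# and has it received any update since the March 2025 Patch Tuesday?
# Assumption: no KB number is given in the article, so install date is used as a proxy.
param(
    [datetime]$PatchTuesday = '2025-03-11'   # second Tuesday of March 2025
)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Kernel build numbers from Microsoft's release history (not stated in the article):
# Windows 8.1 / Server 2012 R2 = 9600, Server 2016 = 14393, Windows 10 1809 = 17763.
$family = if     ($build -le 9600)  { 'Windows 8.1 / Server 2012 R2 (unsupported per article)' }
          elseif ($build -eq 14393) { 'Windows Server 2016 (supported; fix in March 2025 updates)' }
          elseif ($build -le 17763) { 'Windows 10 build 1809 or earlier (fix in March 2025 updates)' }
          else                      { $null }

# Get-HotFix lists installed updates with their install date; guard against null dates.
$hotfixes = Get-HotFix |
            Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
            Sort-Object InstalledOn -Descending

[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    OS                       = $os.Caption
    Build                    = $build
    AffectedFamily           = if ($family) { $family } else { 'outside the range named in the article' }
    UpdatedSincePatchTuesday = [bool]$hotfixes
    LatestHotFix             = if ($hotfixes) { @($hotfixes)[0].HotFixID } else { 'none since ' + $PatchTuesday.ToString('yyyy-MM-dd') }
    ActionNeeded             = [bool]$family -and -not $hotfixes   # in scope and no post-Patch-Tuesday update
}
```

A host reporting ActionNeeded = True sits in the affected range with no update since 11 March 2025; hosts on the unsupported families need a migration decision rather than a patch, since the article notes Microsoft no longer supports them.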

ESET elaborated on the implications of the Use-After-Free (UAF) vulnerability, stating, “This can lead to software crashes, execution of malicious code (including remotely), privilege escalation, or data corruption.” The exploit was deployed via the PipeMagic backdoor, which is capable of exfiltrating sensitive data and granting remote access to compromised machines.

PipeMagic, initially discovered by Kaspersky in 2022, is notorious for its ability to harvest sensitive information, provide full remote access to infected devices, and facilitate the deployment of additional malicious payloads across victims’ networks. In 2023, Kaspersky observed its use in Nokoyawa ransomware attacks that exploited another Windows zero-day vulnerability related to privilege escalation in the Common Log File System Driver, tracked as CVE-2023-28252.

Federal agencies ordered to patch by April 1st

During the March 2025 Patch Tuesday, Microsoft also addressed five additional zero-day vulnerabilities that have been actively exploited:

  • CVE-2025-24984 – Windows NTFS Information Disclosure Vulnerability
  • CVE-2025-24985 – Windows Fast FAT File System Driver Remote Code Execution Vulnerability
  • CVE-2025-24991 – Windows NTFS Information Disclosure Vulnerability
  • CVE-2025-24993 – Windows NTFS Remote Code Execution Vulnerability
  • CVE-2025-26633 – Microsoft Management Console Security Feature Bypass Vulnerability

In response to these vulnerabilities, CISA has added all six zero-days to its Known Exploited Vulnerabilities Catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies secure their systems by April 1st, in accordance with the Binding Operational Directive (BOD) 22-01. The U.S. cybersecurity agency cautioned, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

While BOD 22-01 specifically pertains to FCEB agencies, CISA strongly encourages all organizations to mitigate their exposure to cyberattacks by prioritizing the timely remediation of vulnerabilities listed in the Catalog as part of their overall vulnerability management strategy.
