Actively Exploited Vulnerabilities

CVE-2025-24983 

Windows Win32 Kernel Subsystem Elevation of Privilege

  • CVSS: 7.0 

  • Exploitation: A use-after-free in the Win32k kernel subsystem. The attacker must win a race condition, but a local, low-privileged user who does so gains SYSTEM privileges. ESET reported in-the-wild exploitation delivered through the PipeMagic backdoor.

  • Context: This is a local privilege-escalation step, not an initial-access bug; it matters once an attacker already has code execution on a host and wants SYSTEM for persistence and lateral movement across an enterprise network.

  • Mitigation: Patched in the March 11, 2025 Patch Tuesday release. There is no workaround; apply the cumulative update.

CVE-2025-26633

Microsoft Management Console Security Feature Bypass

  • CVSS: 7.0

  • Exploitation: Used by the EncryptHub group (also tracked as Larva-208) as a zero-day. Victims received malicious Microsoft Console (.msc) files as email attachments or via links sent over instant messaging; opening one in MMC bypassed a security feature in the console so that attacker-controlled content ran.

  • Impact: Arbitrary code execution in the user's context without the security prompts that normally accompany untrusted content.
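Delivery of .msc files by mail or chat means the console is opened from a user-writable location rather than from System32, which is where legitimate consoles live. The PowerShell hunt below is an added example (not code from the original post, EncryptHub reporting, or Microsoft) that searches Security event 4688 for mmc.exe launches whose command line references a .msc file under a download, temp, or Outlook cache path. It assumes process-creation auditing with command-line logging is enabled ("Include command line in process creation events") and is run from an elevated prompt; the directory list is a heuristic to tune for your environment.

```powershell
# Added example: hunt for mmc.exe opening .msc consoles from user-writable paths.
# Assumes Security event 4688 with command-line auditing enabled; run elevated.
function Find-SuspiciousMmcLaunch {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Heuristic list of places a mailed or downloaded .msc tends to land (assumption, tune locally).
        [string[]]$UserWritableDirs = @(
            '\\Downloads\\',
            '\\AppData\\Local\\Temp\\',
            '\\INetCache\\Content\.Outlook\\',
            '\\Public\\'
        )
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction Stop

    foreach ($e in $events) {
        # 4688 fields of interest live in EventData; pull them out by name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image = $data['NewProcessName']
        $cmd   = $data['CommandLine']
        if (-not $cmd) { continue }                           # command-line auditing off for this event
        if ($image -notlike '*\mmc.exe') { continue }          # only the console host itself
        if ($cmd -notmatch '(?i)\.msc(\s|"|$)') { continue }   # only launches that load a .msc

        # Legitimate consoles (eventvwr.msc, services.msc, ...) come from System32; skip those.
        if ($cmd -match '(?i)\\Windows\\System32\\[^\\]+\.msc') { continue }

        $fromUserPath = $false
        foreach ($dir in $UserWritableDirs) {
            if ($cmd -match "(?i)$dir") { $fromUserPath = $true; break }
        }
        if (-not $fromUserPath) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Host    = $e.MachineName
            User    = $data['SubjectUserName']
            Parent  = $data['ParentProcessName']   # e.g. outlook.exe or a chat client is a strong signal
            Command = $cmd
        }
    }
}

# Usage: review the last two weeks and export hits for triage.
Find-SuspiciousMmcLaunch -Since (Get-Date).AddDays(-14) |
    Sort-Object Time |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\mmc-msc-hunt.csv"
```

The parent process column is the most useful discriminator: an administrator double-clicking a saved console from Downloads shows explorer.exe as the parent, whereas a mail or chat client as the parent matches the delivery path described above. On hosts with Sysmon, the same logic applies to Event ID 1 with the Image, CommandLine and ParentImage fields.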

CVE-2025-24985 & CVE-2025-24993

Windows Fast FAT/NTFS Remote Code Execution

  • CVSS: 7.8 (both). CVE-2025-24985 is an integer overflow in the Fast FAT file system driver; CVE-2025-24993 is a heap-based buffer overflow in NTFS.

  • Exploitation: Both are among the six zero-days Microsoft listed as exploited in the wild this month. Exploitation requires the victim to mount a specially crafted VHD (virtual hard disk); once mounted, the attacker gains code execution on the host. Reporting tied these flaws to ransomware campaigns.

Publicly Disclosed Vulnerabilities

CVE-2025-26630

Microsoft Access Remote Code Execution

  • Status: Publicly disclosed before the fix shipped, but not reported as exploited in the wild.

  • Discovery: Reported by Unpatched.ai; the root cause is a use-after-free.

  • Attack Vector: Requires social engineering; the victim must be persuaded to open a malicious Access file.

Critical Vulnerabilities with Exploit Potential

CVE-2025-24035 & CVE-2025-24045

Windows Remote Desktop Services (RDS) RCE

  • CVSS: 8.1 (both)

  • Technical Details

    • CVE-2025-24035: Sensitive data stored in improperly locked memory in RDS, allowing an unauthenticated attacker to execute code over the network.

    • CVE-2025-24045: Also network-reachable without authentication, but the attacker must win a race condition, which lowers reliability (hence the same 8.1 score despite the high attack complexity).

  • Risk: Attractive targets because RDS is exposed in so many enterprise environments; neither was exploited at patch time, but internet-facing RDS hosts should be patched first.

CVE-2025-26645

Remote Desktop Client RCE

  • CVSS: 8.8

  • Mechanism: A relative path traversal in the Remote Desktop client. The roles are reversed here: the attacker runs the RDP server, and a user who connects to it is the one compromised.

  • Impact: Code execution on the connecting machine in the user's context, with no interaction required beyond initiating the RDP connection (for example by following a link or opening an .rdp file).

CVE-2025-24057

Microsoft Office RCE

  • CVSS: 7.8

  • Exploit Method: Heap-based buffer overflow triggered by a malicious Office document.

  • User Interaction: Microsoft lists the Preview Pane as an attack vector, so the victim does not need to open the file; selecting it in File Explorer so that it renders in the pane is enough, which lowers the bar for exploitation.

CVE-2025-24064

Windows DNS Server RCE

  • CVSS: 8.1

  • Technical Flaw: Use-after-free in the Windows DNS Server service, reachable by an unauthenticated attacker over the network; exploitation depends on precisely timed DNS traffic, which is why the score is 8.1 rather than higher.

  • Urgency: Critical for organizations running on-premises Windows DNS servers, particularly domain controllers that also host the DNS role.

CVE-2025-24084

Windows Subsystem for Linux (WSL2) Kernel RCE

  • CVSS: 8.4

  • Attack Vector: Local. The attacker needs to run a malicious binary inside the WSL2 environment, so the bug only matters on hosts where the feature is enabled.

  • Scope: Highlights the additional attack surface in mixed Windows/Linux development setups, where a Linux-side compromise can become a Windows-side one.

Key Observations

  • Zero-Day Volume: Six vulnerabilities were exploited before patches arrived: the four discussed above plus two NTFS information-disclosure bugs, CVE-2025-24984 and CVE-2025-24991, which leak memory contents to an attacker.

  • Ransomware Focus: The exploited NTFS/Fast FAT and Win32 Kernel flaws were tied to ransomware campaigns.

  • Patch Urgency: Over half of March's vulnerabilities were remote code execution or elevation of privilege flaws, which argues for rapid deployment rather than a standard patch cycle.

For organizations, prioritizing patches for CVE-2025-26645 (RDP Client), CVE-2025-24064 (DNS Server), and the kernel-level flaws such as CVE-2025-24983 is the most effective way to reduce the risk of a large-scale breach this month.
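Which of these patches goes first on a given host depends on what that host actually exposes. The PowerShell script below is an added example (not from the original post or from Microsoft) that reports local exposure to the components named in this post: whether the RDS and DNS Server roles are installed, whether inbound RDP is enabled, whether WSL is on, whether the File Explorer Preview Pane has been disabled by policy, and which security updates landed on or after March 11, 2025. It assumes an elevated prompt and, for the Preview Pane check, that the registry value behind the "Turn off Preview Pane" Explorer policy is NoPreviewPane under the per-user Policies\Explorer key; the update check is a coarse indicator only, and the authoritative test is the specific KB for your OS build.

```powershell
# Added example: local exposure check for the March 2025 Patch Tuesday items above.
# Read-only; run from an elevated prompt (the optional-feature query requires it).
$patchTuesday = Get-Date '2025-03-11'   # March 2025 Patch Tuesday release date

$report = [ordered]@{}

# Server roles widen the attack surface for the RDS bugs (CVE-2025-24035/-24045)
# and the DNS Server bug (CVE-2025-24064). Get-WindowsFeature exists only on Server SKUs.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $report['RDS role installed']        = (Get-WindowsFeature -Name Remote-Desktop-Services).Installed
    $report['DNS Server role installed'] = (Get-WindowsFeature -Name DNS).Installed
} else {
    $report['RDS role installed']        = 'n/a (client OS)'
    $report['DNS Server role installed'] = 'n/a (client OS)'
}

# Any Windows host: is inbound RDP enabled? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$report['RDP inbound enabled'] = ($ts.fDenyTSConnections -eq 0)

# CVE-2025-24084 (WSL2 kernel RCE) only applies where the feature is enabled.
$wsl = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
$report['WSL enabled'] = ($wsl.State -eq 'Enabled')

# CVE-2025-24057 (Office RCE, Preview Pane is an attack vector): has the pane been
# turned off by policy for this user? Value name assumed from the Explorer ADMX policy.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol    = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
$report['Explorer Preview Pane disabled by policy'] = ($null -ne $pol -and $pol.NoPreviewPane -eq 1)

# Coarse patch indicator: security updates installed on or after Patch Tuesday.
# This shows that *a* post-March-11 security update landed, not that a specific CVE is fixed;
# confirm against the KB number for the exact OS build.
$recent = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn -ge $patchTuesday }
$report['Security updates since 2025-03-11'] = if ($recent) { $recent.HotFixID -join ', ' } else { 'none' }

# Derive a simple priority list from the exposure facts above.
$priority = @()
if ($report['RDP inbound enabled'] -eq $true -or $report['RDS role installed'] -eq $true) {
    $priority += 'CVE-2025-24035, CVE-2025-24045 (RDS)'
}
if ($report['DNS Server role installed'] -eq $true)        { $priority += 'CVE-2025-24064 (DNS Server)' }
if ($report['WSL enabled'])                                  { $priority += 'CVE-2025-24084 (WSL2)' }
if (-not $report['Explorer Preview Pane disabled by policy']) { $priority += 'CVE-2025-24057 (Office, Preview Pane)' }
$priority += 'CVE-2025-24983 (Win32k EoP, exploited)'         # local EoP applies to every host
$priority += 'CVE-2025-26645 (RDP client) on any machine with mstsc.exe users'
$report['Patch first'] = $priority -join '; '

[pscustomobject]$report | Format-List
```

Run it through your usual remote-execution channel (Invoke-Command, Intune script, or a management agent) and aggregate the "Patch first" field to see which hosts need the RDS and DNS fixes before the general roll-out. The Win32k elevation of privilege and the RDP client bug are included unconditionally because every workstation has the kernel and nearly every one has a user who can be sent an RDP link.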