Hijacking

New CIFSwitch Vulnerability in Linux Enables Full Root Compromise

Key points :

The CIFSwitch vulnerability allows any local user without administrator privileges to gain full root access on Linux systems running cifs-utils 6.14 or later with CIFS enabled.
The vulnerability remained hidden in the Linux ecosystem since 2007 and was discovered using AI-based semantic graph analysis instead of traditional manual code review methods.
Security researchers confirmed successful exploitation on multiple Linux distributions, including Linux Mint, Kali Linux, Rocky Linux, AlmaLinux, CentOS Stream 9, and several SUSE Enterprise versions, with a public proof-of-concept (PoC) exploit now available.

CIFSwitch Vulnerability Details:

The newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, exposes a critical design flaw in the Linux kernel’s CIFS (Common Internet File System) client that has been latent since 2007.

The bug allows any low-privileged local user to elevate themselves to full root access by exploiting a missing validation check between the kernel CIFS subsystem and the userspace `cifs-utils` helper.

This vulnerability is especially concerning given that it is the fourth major Linux kernel privilege escalation requiring immediate action in just a matter of weeks, following recent flaws like “Copy Fail,” “Dirty Frag,” and “Fragnesia”. With a public Proof-of-Concept (PoC) already released, system administrators must act immediately to prevent unauthorized root access.

The root cause

The kernel lacks a `.vet_description` hook for the cifs_spnego_key_type. This omission means the kernel does not verify whether a request for a `cifs.spnego` key originated from the trusted CIFS subsystem or from a malicious user process.

An attacker can exploit this by calling `request_key()` or `add_key()` directly, forging the key description to include malicious parameters like `pid` and upcall_target.

How the Exploit Works

For exploitation requires a vulnerable kernel, a compatible cifs-utils version, and unprivileged user namespace creation. Many mainstream Linux distributions have been found vulnerable out-of-the-box when cifs-utils is present, while others require adjustments to Linux Security Module (LSM) policies.

Fake Request Creation:
An attacker with basic local access creates a fake cifs.spnego request and sends it to the Linux kernel.
Root Privilege Abuse:
The kernel automatically launches the cifs.upcall helper tool with root privileges, trusting the request as legitimate.
- Namespace Hijacking:
  By abusing Linux namespace settings, the attacker tricks the root process into operating inside an attacker-controlled environment.
Malicious Code Execution:
The attacker places a fake nsswitch.conf file and a malicious shared library inside this environment. When the root process performs a system lookup, it unknowingly loads and executes the attacker’s malicious code as root.
Full Root Access:
The public proof-of-concept exploit ultimately adds a NOPASSWD: ALL entry to the sudoers configuration, allowing the attacker to gain unrestricted root access to the Linux system.

Asim Manizada has published the full technical write-up (“CIFSwitch”) and the PoC exploit on GitHub to support defenders, maintainers, and incident responders in verifying mitigations and patch coverage.

Recommendation on security patches

The kernel patch introduces a vet_description hook for the CIFS.Spnego key type to verify that descriptions are requested under the CIFS client’s internal spnego_cred.

This measure prevents unprivileged userspace from posing as the kernel. Additional hardening is advised to ensure cifs-upcall does not blindly trust kernel-originated descriptions.

Administrators should urgently deploy the backported kernel patches and consider defense-in-depth measures such as disabling CIFS where unused, removing cifs-utils, and tightening request-key rules for cifs. spnego, and restricting unprivileged user namespaces.

Sources: cifs-utils – Cyber Web Spider Blog – News

Microsoft 0-Day Vulnerability Targeted by APT28 Hacking Group Infiltrating Sensitive Networks

APT28 attack executes when victims open malicious documents in Microsoft Office:

Elastic Releases Critical Security Updates for Kibana & Elasticsearch

Security Advisory:

Elastic has released security updates for Kibana and Elasticsearch.

Addressed 5 vulnerabilities, including 3 high-severity Cross-Site Scripting (XSS) issues

This also include one sensitive data exposure flaw, and one credential leakage issue

OEM	Elastic
Severity	High
CVSS Score	8.7
CVEs	CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

The most severe, CVE-2025-25009 (CVSS 8.7), affects Kibana’s case file upload functionality, potentially allowing attackers to execute arbitrary scripts. These vulnerabilities could allow data theft, session hijacking or privilege escalation in affected environments. Users & Administrators strongly advise to update to the patched versions immediately to mitigate risks.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Stored XSS Vulnerability via Case File Upload Vulnerability	CVE-2025-25009	Kibana	High	v8.18.8, v8.19.5, v9.0.8, v9.1.5
Kibana Cross Site Scripting (XSS) Vulnerability	CVE-2025-25017	Kibana	High
Kibana Stored Cross Site Scripting (XSS) Vulnerability	CVE-2025-25018	Kibana	High

Technical Summary

Elastic’s latest security patches fix several vulnerabilities in Kibana and Elasticsearch. These vulnerabilities could let attackers inject malicious code or gain access to sensitive information.

This could result in stolen data, taken-over user sessions, or even gaining higher access levels in the system. Although no active exploits have been reported, users are strongly advised to update immediately for protection to ensure optimal security and stability .

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-25009	Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4)	Stored XSS via malicious file uploads in case management, allowing JavaScript injection	Data Theft, Session Hijacking, Privilege Escalation
CVE-2025-25017	Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.3, 9.0.x ≤ 9.0.6, 9.1.x ≤ 9.1.3)	XSS in Vega visualization engine due to improper neutralization of inputs, enabling script execution	Malicious Script Execution
CVE-2025-25018	Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4)	Stored XSS in Kibana due to improper validation of specified type of input.	Session Compromise, Unauthorized Access

Other Vulnerabilities

In addition to the three high-severity flaws, Elastic patched 2 other vulnerabilities in the same Security Announcements release.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Sensitive Data Exposure in Audit Logging	CVE-2025- 37727	Elasticsearch	Medium	v8.18.8, v8.19.5, v9.0.8, v9.1.5
Credential Leakage in CrowdStrike Connector	CVE-2025- 37728	Kibana (CrowdStrike Connector)	Medium	v8.18.8 and higher

Recommendations:

Update Kibana and Elasticsearch immediately to the following versions

Kibana/Elasticsearch: v8.18.8, v8.19.5, v9.0.8, v9.1.5 or the latest version.

If unable to update immediately you can follow some workarounds below

For the CVE-2025-25009, For versions >= 7.12 to < 9.0 users can set “discover:searchFieldsFromSource: true” in Advanced Settings and there are no workarounds for 9.0+.

For the CVE-2025-25017, users can disable Vega visualizations but note that this will disable all Vega charts in Kibana.

For the CVE-2025-37727, users can set “xpack.security.audit.logfile.events.emit_request_body” to “false”.

Conclusion:
The Elastic security update addresses severe vulnerabilities in Kibana and Elasticsearch, including high-severity XSS issues that could enable attackers to compromise dashboards, steal data, or escalate privileges.

Although no exploitation has been reported but these vulnerabilities need immediate patching. Immediate action is essential to maintain system integrity and protect sensitive data in monitoring and logging environments.

References:

https://discuss.elastic.co/c/announcements/security-announcements/31

https://securityonline.info/elastic-fixes-multiple-high-severity-vulnerabilities-in-kibana-and-elasticsearch/

Windows 11 DLL Flaws Open Doors to Privilege Escalation!

Summary

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications load DLLs.

OEM	Windows
Severity	HIGH
CVSS Score	7.3
CVEs	CVE-2025-24994, CVE-2025-24076
No. of Vulnerabilities Patched	02
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Cross Device Service Elevation of Privilege Vulnerability	CVE-2025-24076	Windows	HIGH	7.3
Windows Cross Device Service Elevation of Privilege Vulnerability	CVE-2025-24994	Windows	HIGH	7.3

Technical Summary

The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24076	Windows 11 Version 22H2, 22H3, 23H2, 24H2.	Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window.	Allows SYSTEM-level privilege escalation
CVE-2025-24994	Windows 11 Version 22H2, 22H3, 23H2, 24H2	Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable.	Allows user-to-user privilege escalation

Remediation:

Implement Security Updates to make sure to install the current security patches made available by Microsoft, specifically March 2025 updates, into affected systems.

Turn off Cross Device Service if not needed, disable the “Mobile Devices” feature in Windows 11 to avoid exploitation of the vulnerabilities.

Look for Suspicious Activity constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes.

Restrict User Permissions prevent non-administrative users from changing system files or running processes with elevated privileges.

Support DLL Signature Verification makes all programs support DLL signature verification so that no applications can load unsigned or altered DLL files.

Conclusion:
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.

While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.