Security Advisory:
Elastic has released security updates for Kibana and Elasticsearch.
The release addresses 5 vulnerabilities, including 3 high-severity Cross-Site Scripting (XSS) issues.
It also covers one sensitive data exposure flaw and one credential leakage issue.
| Field | Value |
|---|---|
| OEM | Elastic |
| Severity | High |
| CVSS Score | 8.7 |
| CVEs | CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The most severe, CVE-2025-25009 (CVSS 8.7), affects Kibana’s case file upload functionality and could allow attackers to execute arbitrary scripts in the browser of a user who views the case. Together, these vulnerabilities could enable data theft, session hijacking or privilege escalation in affected environments. Users and administrators are strongly advised to update to the patched versions immediately to mitigate the risk.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Stored XSS via Case File Upload | CVE-2025-25009 | Kibana | High | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Kibana Cross Site Scripting (XSS) Vulnerability | CVE-2025-25017 | Kibana | High | |
| Kibana Stored Cross Site Scripting (XSS) Vulnerability | CVE-2025-25018 | Kibana | High | |
Technical Summary
Elastic’s latest security patches fix several vulnerabilities in Kibana and Elasticsearch. These vulnerabilities could let attackers inject malicious code or gain access to sensitive information.
This could result in stolen data, taken-over user sessions, or even higher access levels in the system. Although no active exploitation has been reported, users are strongly advised to update immediately to maintain security and stability.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-25009 | Kibana (7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS via malicious file uploads in case management, allowing JavaScript injection | Data Theft, Session Hijacking, Privilege Escalation |
| CVE-2025-25017 | Kibana (7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.3, 9.0.x ≤ 9.0.6, 9.1.x ≤ 9.1.3) | XSS in the Vega visualization engine due to improper neutralization of inputs, enabling script execution | Malicious Script Execution |
| CVE-2025-25018 | Kibana (7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS in Kibana due to improper validation of a specified type of input | Session Compromise, Unauthorized Access |
Other Vulnerabilities
In addition to the three high-severity flaws, Elastic patched 2 other vulnerabilities in the same Security Announcements release.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
|---|---|---|---|---|
| Sensitive Data Exposure in Audit Logging | CVE-2025-37727 | Elasticsearch | Medium | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Credential Leakage in CrowdStrike Connector | CVE-2025-37728 | Kibana (CrowdStrike Connector) | Medium | v8.18.8 and higher |
Recommendations:
Update Kibana and Elasticsearch immediately to the fixed versions listed in the tables above.
If you cannot update immediately, apply the workarounds below.
Conclusion:
The Elastic security update addresses severe vulnerabilities in Kibana and Elasticsearch, including high-severity XSS issues that could enable attackers to compromise dashboards, steal data, or escalate privileges.
Although no exploitation has been reported, these vulnerabilities need immediate patching. Prompt action is essential to maintain system integrity and protect sensitive data in monitoring and logging environments.
References:
Summary
Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows, CVE-2025-24076 and CVE-2025-24994.
DLL hijacking is a technique that exploits how Windows applications load DLLs.
| Field | Value |
|---|---|
| OEM | Windows |
| Severity | HIGH |
| CVSS Score | 7.3 |
| CVEs | CVE-2025-24994, CVE-2025-24076 |
| No. of Vulnerabilities Patched | 2 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24076 | Windows | HIGH | 7.3 |
| Windows Cross Device Service Elevation of Privilege Vulnerability | CVE-2025-24994 | Windows | HIGH | 7.3 |
Technical Summary
The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-24076 | Windows 11 Version 22H2, 22H3, 23H2, 24H2 | Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when the DLL is replaced with a malicious one. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window. | Allows SYSTEM-level privilege escalation |
| CVE-2025-24994 | Windows 11 Version 22H2, 22H3, 23H2, 24H2 | Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable. | Allows user-to-user privilege escalation |
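The root cause described above is a privileged process loading a DLL from a directory that low-privilege users can write to, without checking its signature. The following PowerShell script is an added example written for this advisory (it is not code from Microsoft or from the researcher) that audits those two preconditions on a host: it reports whether the directory named in the advisory, `%PROGRAMDATA%\CrossDevice`, grants write or modify rights to broad identities such as Everyone, Authenticated Users or BUILTIN\Users, and whether each DLL found there carries a valid Authenticode signature. Any additional paths passed in are the operator's own assumptions; the built-in SIDs and `FileSystemRights` values used are standard Windows constants.

```powershell
# Added example: audit a directory a privileged service loads DLLs from.
# Default path is the one named in the advisory; other paths are assumptions.
param(
    [string[]]$Paths = @("$env:ProgramData\CrossDevice")
)

# Well-known identities that should never hold write rights on a code-load directory.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Any of these rights lets a caller drop or swap a file in the directory.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-LowPrivWritable {
    # Returns the first low-privilege identity with an Allow ACE granting write rights, or $null.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity; skip rather than misreport
        if (($LowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

function Get-DllSignatureReport {
    # Lists every DLL under the directory with its Authenticode status and signer.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Filter *.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status              # 'Valid' is the only acceptable value
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            }
        }
}

foreach ($dir in $Paths) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Output "[skip] $dir not present"; continue }

    $writer = Test-LowPrivWritable -Path $dir
    if ($writer) {
        Write-Warning "$dir is writable by '$writer'; DLLs loaded from here can be replaced by unprivileged users"
    } else {
        Write-Output "[ok]   $dir is not writable by low-privilege identities"
    }

    Get-DllSignatureReport -Path $dir | ForEach-Object {
        if ($_.Status -ne 'Valid') {
            Write-Warning "$($_.Path): signature status $($_.Status) ($($_.Signer))"
        } else {
            Write-Output "[ok]   $($_.Path): signed by $($_.Signer)"
        }
    }
}
```

Run it from an elevated prompt after applying the March 2025 update; a clean result shows the directory locked down and every DLL reporting `Valid`. The ACL check is deliberately broad (Delete and WriteAttributes count as write rights) because replacing a DLL only requires removing the original, not overwriting it in place.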
Remediation:
Conclusion:
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.
The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.
While CVE-2025-24076 enables SYSTEM-level access, CVE-2025-24994 arises from a related user-level process failing to validate DLLs.
This opens the door to user-to-user attacks, though its impact is far less severe than that of its SYSTEM-targeting sibling.
References: