Patchmangement

Security Advisory

Windows 11 DLL Flaws Open Doors to Privilege Escalation! 

Summary 

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications load DLLs.

OEM Windows 
Severity HIGH 
CVSS Score 7.3 
CVEs CVE-2025-24994, CVE-2025-24076 
No. of Vulnerabilities Patched 02 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Windows Cross Device Service Elevation of Privilege Vulnerability  CVE-2025-24076 Windows  HIGH  7.3 
​Windows Cross Device Service Elevation of Privilege Vulnerability CVE-2025-24994 Windows HIGH 7.3 

Technical Summary 

The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24076  Windows 11 Version 22H2, 22H3, 23H2, 24H2.  Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window.   Allows SYSTEM-level privilege escalation 
CVE-2025-24994 Windows 11 Version 22H2, 22H3, 23H2, 24H2 Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable.  Allows user-to-user privilege escalation 

Remediation

  • Implement Security Updates to make sure to install the current security patches made available by Microsoft, specifically March 2025 updates, into affected systems. 
  • Turn off Cross Device Service if not needed, disable the “Mobile Devices” feature in Windows 11 to avoid exploitation of the vulnerabilities. 
  • Look for Suspicious Activity constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes. 
  • Restrict User Permissions prevent non-administrative users from changing system files or running processes with elevated privileges. 
  • Support DLL Signature Verification makes all programs support DLL signature verification so that no applications can load unsigned or altered DLL files. 

Conclusion: 
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.  

While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.

References


 

Security Advisory

Windows Zero-Day Exploit NTLM Hash Disclosure via Malicious Files

Summary

OEMMicrosoft
SeverityHigh
CVEsNot Yet Assigned
Exploited in WildNo
Patch/Remediation AvailableNo
Advisory Version1.0
Vulnerability Zero-Day

Overview

A newly discovered NTLM vulnerability in Windows, allows attackers to obtain login credentials when a user view a malicious file in Windows Explorer. This issue affects all Windows versions, from Windows 7 and Server 2008 R2 to the most recent Windows 11 v24H2 and Server 2025.

Attackers can exploit this flaw by using shared network folders, USB drives, or previously downloaded malicious files, making credential theft easy and difficult to detect.

Vulnerability NameCVE IDProduct AffectedSeverityFix
             NTLM Hash Disclosure Vulnerability      Not Yet Assigned    Windows OS and Windows Server         High  Unofficial micropatch available via 0patch

Technical Summary

This vulnerability enables attackers to steal NTLM authentication credentials simply by having users view a malicious file in Windows Explorer. Unlike previous NTLM relay attack techniques that required users to execute files, this exploit works just by rendering the malicious file’s metadata in the Windows Explorer preview pane. Attackers can leverage this method in various ways:

  • Hosting a shared network folder containing the malicious file.
  • Distributing infected USB drives that trigger the attack when inserted.
  • Tricking users into downloading the malicious file from a compromised or attacker-controlled website.

Once the credentials are captured, attackers can use NTLM relay attacks to gain unauthorized access to internal systems, escalate privileges, and move laterally across the network.

CVE IDSystem AffectedVulnerability Technical DetailsImpact
  Not Assigned Yet  Windows 7 – Windows 11 v24H2, Server 2008 R2 – Server 2025Attackers can capture NTLM credentials when users view malicious files in Windows Explorer. Exploitation methods include shared folders, USB drives, or downloads.Credential theft, network compromise, and potential lateral movement.  

Recommendations

  • Microsoft Patch Awaited: The vulnerability has been reported to Microsoft, and an official security update is expected in the near future.
  • Unofficial Micropatch Available: Security researchers at 0patch have released an unofficial micropatch that mitigates this issue. The micropatch is available for all affected Windows versions and will remain free until an official fix is provided by Microsoft.

Steps to Apply 0patch Micropatch:

  1. Create a free account on 0patch Central.
  2. Install and register the 0patch Agent on affected systems.
  3. The micropatch is applied automatically without requiring a system reboot.

Security Best Practices

  • Disable NTLM authentication where possible.
  • Implement SMB signing to prevent relay attacks.
  • Restrict access to public-facing servers like Exchange to limit credential relaying risks.
  • Educate users to avoid interacting with unknown or suspicious files in shared folders and USB drives.

Conclusion

Although not classified as critical, this NTLM credential theft vulnerability is extremely harmful due to its ease of exploitation. Attackers can exploit NTLM hashes in relay attacks to compromise internal network resources.

Security researchers confirm that comparable flaws have been actively exploited in real-world assaults. Until an official Microsoft patch is available, organizations should prioritize applying the 0patch micropatch and following NTLM security best practices to reduce potential risks.

References:

Security Advisory

Apache NiFi Security Flaw Exposes MongoDB Credentials 

Security Advisory

A security vulnerability, CVE-2025-27017, has been identified in Apache NiFi.

These events retain usernames/passwords used for MongoDB authentication, violating credential isolation principles.

OEM Apache 
Severity Medium 
CVSS 6.9 
CVEs CVE-2025-27017 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A widely used data flow automation tool which allows unauthorized access to MongoDB credentials stored in provenance events. The Versions are affected from v1.13.0 to v2.2.0. In v2.3.0 the issue has been addressed. 

Vulnerability Name CVE ID Product Affected Severity 
 Apache NiFi Credential Exposure  CVE-2025-27017  Apache NiFi  Medium 

Technical Summary 

The vulnerability stems from Apache NiFi’s inclusion of MongoDB usernames and passwords in provenance event records.

Any authorized user with read access to these records can extract credentials information, leading to potential unauthorized access to MongoDB databases.  

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-27017   Apache NiFi 1.13.0 – 2.2.0   MongoDB credentials are stored in provenance events, allowing unauthorized extraction by users with read access.  Unauthorized access to MongoDB databases, potential data breaches.  

Remediation

  • Upgrade to Apache NiFi 2.3.0: The latest version removes credentials from provenance events, mitigating the vulnerability. 

General Recommendations: 

  • Restrict access to provenance data: Ensure only authorized personnel can view provenance records. 
  • Rotate MongoDB credentials: If affected versions were in use, change database credentials to prevent unauthorized access. 
  • Conduct security audits: Regularly review system logs and access controls to identify any unauthorized access attempts. 

Conclusion: 

This vulnerability poses a risk to organizations using Apache NiFi for data processing workflows involving MongoDB. Immediate action is recommended to upgrade to version 2.3.0 or later, restrict access to provenance data, and rotate credentials to mitigate any potential exposure. Organizations should implement stringent security measures to protect against similar vulnerabilities in the future.

This security flaw is particularly concerning because provenance events play a crucial role in auditing and monitoring data flows within NiFi. If left unpatched, this vulnerability could result in data breaches, unauthorized modifications, or even complete database compromise.

References: 

Security Advisory

High-Severity RCE Vulnerability in WinDbg (CVE-2025-24043) 

Security Advisory

A high-severity remote code execution (RCE) vulnerability exists in Microsoft’s WinDbg debugging tool and related .NET diagnostic packages.

The vulnerability poses severe supply chain risks, as WinDbg is widely embedded in CI/CD pipelines and enterprise developer toolchains.

Compromised debugging sessions could lead to lateral movement across networks, credential theft, persistent backdoor injections, and disruption of crash dump analysis workflows.

Microsoft confirmed no viable workarounds other than immediate patching, as the lack of certificate pinning in the affected packages worsens the risk, enabling attackers to leverage forged or stolen Microsoft Authenticode certificates.

OEM Microsoft 
Severity HIGH 
CVSS 7.5  
CVEs CVE-2025-24043 
Publicly POC Available No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This issue is caused by insufficient validation of cryptographic signatures in the SOS debugging extension, potentially allowing attackers with network access to execute arbitrary code. Microsoft has released patches to address the vulnerability. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2025-24043  Microsoft Windows   High 

Technical Summary 

The vulnerability arises from the SOS debugging extension’s failure to properly validate cryptographic signatures during debugging operations.

This enables attackers with authenticated network access to inject malicious debugging components, leading to arbitrary code execution with SYSTEM privileges. The attack vector leverages NuGet package integrations in Visual Studio and .NET CLI environments, increasing the risk of supply chain compromises. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24043  WinDbg and associated .NET diagnostic packages   Flaw in cryptographic signature validation in the SOS debugging extension allows tampered components to be loaded.  Arbitrary code execution  

Remediation

  • Update Affected Packages: Ensure that all instances of affected NuGet packages are updated to the latest patched versions. Refer to the table below for the affected and patched versions. 
  •  Upgrade WinDbg: Make sure that WinDbg is updated to the most recent release available. 
  • Audit Dependencies: Review all .NET Core project dependencies to identify and replace vulnerable packages. 
  • Monitor Network Activity: Implement monitoring for any suspicious network activity related to windbg.exe. 
  • Enforce Security Policies: Apply security policies, such as Windows Defender Application Control, to prevent the execution of unsigned debugging components. 

The table below outlines the affected and patched versions of the relevant packages: 

Package Name Affected Version Patched Version 
dotnet-sos < 9.0.607501 9.0.607501 
dotnet-dump < 9.0.557512 9.0.607501 
dotnet-debugger-extensions 9.0.557512 9.0.607601 

Conclusion: 

CVE-2025-24043 highlights the need to secure developer toolchains, as debugging environments are becoming more targeted in cyberattacks. Organizations using .NET diagnostics should quickly apply patches and implement strict security measures to reduce the risk of exploitation. With no effective workarounds available, postponing remediation heightens the chances of an attack. Prompt action is essential to safeguard critical development and production environments. 

The security impact extends beyond developers, as the exploitation of debugging tools could facilitate attacks on production infrastructure.

Additional security measures include certificate transparency logging for NuGet packages and enforcing Windows Defender Application Control (WDAC) policies to restrict unsigned debugger extensions. While no active exploits have been reported, the patching window is critical, and organizations using .NET diagnostics must act immediately before threat actors weaponize the vulnerability.

References: 

  • https://securityonline.info/windbg-remote-code-execution-vulnerability-cve-2025-24043-exposes-critical-security-risk/ 

Security Advisory

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems 

CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2018-8639 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview on Vulnerability

The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat. 

Vulnerability Name CVE ID Product Affected Severity 
 Privilege Escalation Vulnerability  CVE-2018-8639  Windows  High 

Technical Summary 

The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.

Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2018-8639 Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019  Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation. System compromise, unauthorized access, potential malware persistence 

Remediation

  • Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk. 
  • Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.  

General Recommendations: 

  • Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches. 
  • Adopting the principle of least privilege (PoLP) to limit user access. 
  • Continuous monitoring of anomalous kernel-mode activities. 

Conclusion: 

Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2018-8639  
  • https://github.com/ze0r/CVE-2018-8639-exp 

Security Advisory

Wazuh Server Vulnerability (CVE-2025-24016) Exposes Systems to RCE Attacks

Wazuh Server Vulnerability

Continue Reading
Security Advisory

Critical WordPress Security Flaw in Everest Forms Plugin 

UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin

Continue Reading
Security Advisory

Active Exploitation of Microsoft Outlook RCE Vulnerability (CVE-2024-21413) 

A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.

CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.

OEM Microsoft 
Severity Critical 
CVSS 9.8 
CVEs CVE-2024-21413 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2024-21413  Microsoft  Critical 

Technical Summary 

The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files. 

By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-21413 Microsoft Office LTSC 2021, Microsoft 365 Apps, 
Microsoft Outlook 2016, Microsoft Office 2019   		Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks.  NTLM credential theft, remote code execution, potential full system compromise  

Remediation

  1. Apply Security Patches: Ensure that all the Microsoft Office products are updated with the latest security patches. 
  1. Disable NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft. 

General Remediation: 

  1. Monitor Network Activity: Watch unusual outbound connections to attacker-controlled servers. 
  1. User Awareness Training: Educate employees on recognizing phishing attempts and avoiding click on suspicious links or attachments. 
  1. Enable Advanced Threat Protection: Use security tools like Microsoft Defender to enhance security monitoring and detection. 
  1. Regularly Update Software: Maintain a routine patching schedule to ensure all systems are protected against known vulnerabilities. 
  1. Restrict Macros and External Content: Configure Microsoft Office to block macros and disable automatic external content execution. 

Conclusion: 

The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action. 

References: 

Security Advisory

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.

Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.

This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates. 

OEM Apple 
Severity Critical 
CVSS 9.8 
CVEs CVE-2025-24118 
Exploited in Wild No 
Publicly POC Available Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.

Vulnerability Name CVE ID Product Affected Severity 
 Race Condition Vulnerability  CVE-2025-24118   Apple  Critical 

Technical Summary 

This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-24118  macOS Sonoma prior to 14.7.3  
macOS Sequoia prior to 15.3 
iPadOS prior to 17.7.4   		A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition. Privilege escalation, memory corruption, potential kernel-level code execution  

Remediation

  • Patch Installation: Users should upgrade to macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4 to mitigate the risk. 

Conclusion: 

CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.

References: 

Security Advisory

Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation

Summary

Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products. 

A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.

OEMFortinet
SeverityCritical
CVSS9.6
CVEsCVE-2024-55591
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.

The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.

Vulnerability NameCVE IDProduct AffectedSeverity
  Authentication Bypass Vulnerability  CVE-2024-55591  FortiOS and FortiProxy  Critical

Technical Summary

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.

Impact by Region (Unpatched Devices)

  • Asia: 20,687 devices
  • North America: 12,866 devices
  • Europe: 7,401 devices
CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-55591FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges.Unauthorized administrative access, credential extraction, and lateral movement.

Remediation:

  1. Upgrade Firmware:
  2. FortiOS: Update to version 7.0.17 or latest
  3. FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
  • Restrict Administrative Interface Access:
  • Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
  • Enable Multi-Factor Authentication (MFA):
  • Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
  • Monitor Suspicious Activities:
  • Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.

Conclusion:

The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.

References:

Hashtags

Scroll to top