Windows

Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out

Microsoft has released security updates to fix two vulnerabilities in Microsoft Defender that attackers were already exploiting in real-world zero-day attacks. This exploitation was confirmed by CISA, which has added the security flaws to its known exploited vulnerability(KEV) catalogue.

As per Microsoft, they addressed the two security defects in Microsoft Defender Antimalware Platform version 4.18.26040.7. According to the company, systems with Microsoft Defender disabled are not exploitable, even though Defender’s files remain on disk.

CVE-2026-41091, vulnerability affects older versions of the Microsoft Malware Protection Engine used by Microsoft antivirus and anti-malware products.

(CVE-2026-45498,) affects systems running the Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier.

CVE ID	Affected Product	Vulnerability Description	Potential Impact	Severity Rating
CVE-2026-41091	Microsoft Malware Protection Engine	Vulnerability affecting older versions of the Microsoft antivirus and anti-malware scanning engine	Privilege escalation allowing attackers to gain SYSTEM-level access	🔴 Critical
CVE-2026-45498	Microsoft Defender Antimalware Platform 4.18.26030.3011 and earlier	Vulnerability affecting Microsoft Defender and related endpoint protection platforms	Security risk impacting endpoint protection systems and enterprise security tools	🟠 High

CVE-2026-41091 vulnerability affects:

The flaw allows attackers to trick the antivirus engine into accessing files incorrectly.
By exploiting this weakness, attackers can gain SYSTEM-level privileges, which is the highest level of access on a Windows system.
With this access, attackers could potentially take full control of the affected device.

CVE-2026-45498 vulnerability affects:

Attackers can exploit the flaw to make affected Windows systems stop responding or crash. This creates a Denial-of-Service (DoS) condition, where the device or security service becomes unavailable temporarily.

As a result, users may experience:

System slowdowns or freezes
Security services stopping unexpectedly

CISA Adds the vulnerability in its KEV

For Malware attacks the vulnerability fits well and attackers are in advantageous position. In first to prevent detection if the system relies only on Microsoft endpoint protection and second to gain full control over the system.

On Wednesday, the United States Cybersecurity and Infrastructure Security Agency (CISA), added the two vulnerabilities, tracked as CVE-2026-41091 and CVE-2026-45498, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that exploitation was detected in the wild.

Privilege Escalation Flaw:

The vulnerability CVE-2026-41091 is a Privilege Escalation (PE) flaw affecting mpengine.dll, a core component of the Microsoft Malware Protection Engine used by Microsoft Defender and other Microsoft security products.

mpengine.dll (Microsoft Malware Protection Engine) is responsible for:

Malware scanning
Threat detection
File inspection
Cleaning and remediation operations

The vulnerability arises from an improper link resolution before file access issue, commonly referred to as a link following vulnerability.
During scanning or file operations, the engine may improperly handle symbolic links, junctions, or reparse points before validating the target file path.
An attacker can exploit this behavior by crafting malicious file links that redirect privileged operations to unintended system locations.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

On Tuesday, also shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day flaw that allows attackers to access protected drives.

CISA gave federal agencies until June 3 to ensure mitigation measures are in place.

Threat Mitigation advice from Microsoft:

“For enterprise deployments as well as end users,” Microsoft said, “the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically,” and as such no action is required as the update that is now rolling out will get applied without user input.

Most Windows systems using Microsoft Defender are configured to update automatically. What happens if automatic updates are enabled, users usually do not need to manually install the security fix.

It is assumed Microsoft Defender should automatically download and apply the updated malware protection engine and required security update in the background.

One can ensure that all the latest updates are installed and configures device protection against the recently disclosed vulnerabilities.

The April 2026 vulnerabilities identified in Defender:

Few months back we have witnessed how a zero-day vulnerability in Microsoft Defender, dubbed “RedSun,” allowed an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems.

RedSun was the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as “Chaotic Eclipse”

For threat mitigation it was advised that security teams should closely watch for suspicious activity involving Microsoft Defender until Microsoft releases an official fix. Attackers may try to misuse certain Windows files and Defender processes to gain higher access or modify protected system files.

RakshaOne from Intrucept helps simplify workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

SIEM Helps Detect Exploitation

Privilege Escalation Detection (CVE-2026-41091)

The SIEM can correlate:

Suspicious file write activity
Abnormal SYSTEM privilege assignments
Unexpected execution of privileged processes
Defender engine (mpengine.dll) anomalies
Unauthorized access attempts to protected system directories

DoS & Security Service Monitoring (CVE-2026-45498)

The SIEM can detect:

Unexpected Microsoft Defender crashes
Antimalware service restarts
Endpoint protection failures
Repeated system instability events
Disabled or unavailable Defender services

This helps security teams identify attempts to disrupt endpoint protection mechanisms

Sources: Security Update Guide – Microsoft Security Response Center

Sources:

DNS CNAME Used as Relay Attack for New Kerberos-PoC Released

A dangerous flaw in how Windows environments handle Kerberos service ticket requests one that significantly expands the practical attack surface for Kerberos relaying in Active Directory.

CrowdStrike Releases Security Updates for Falcon Sensor Windows Vulnerabilities

Summary : CrowdStrike recently disclosed and released patches for two medium-severity vulnerabilities affecting its Falcon sensor for Windows systems, identified as CVE-2025-42701 and CVE-2025-42706. These vulnerabilities allow attackers who already have code execution privileges on a targeted Windows host to delete arbitrary files, potentially destabilizing the Falcon sensor, other installed software, or even the operating system itself.

OEM	CrowdStrike
Severity	Medium
CVSS Score	6.5
CVEs	CVE-2025-42701, CVE-2025-42706
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Notably, Falcon sensors for macOS and Linux are not affected, Users & Administrator using falcon sensor for windows update to the latest version.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability	CVE-2025-42701	CrowdStrike Falcon Sensor for Windows	Medium	7.28.20008 and later 7.27.19909 7.26.19813 7.25.19707 7.24.19608 7.16.18637 (WIN7/2008 R2 only)
Origin Validation Logic Error Vulnerability	CVE-2025-42706	CrowdStrike Falcon Sensor for Windows	Medium

Technical Summary

The Falcon Sensor for Windows was found to contain security flaws that could permit a locally authenticated attacker with existing code execution privileges to delete arbitrary files on the affected system.

Race condition vulnerability caused by improper synchronization in the software’s operation timing, while the other vulnerability results from a logical error affecting file handling processes.

These issues could lead to significant disruption of security functions or system stability. Prompt remediation has been issued by CrowdStrike and there is currently no evidence of exploitation in active environments.

CVE ID	Platform Affected	Vulnerability Details	Impact
CVE-2025-42701	CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008	Time-of-check Time-of-use (TOCTOU) race condition due to a timing gap in handling file operations, which allows an attacker with prior local code execution to delete arbitrary files on the host system.	Sensor disruption and file deletion.
CVE-2025-42706	CrowdStrike Falcon Sensor for latest Windows, Windows 7, Windows Server 2008	A logic error related to origin validation in the Falcon sensor’s file handling, enabling an attacker with existing code execution abilities to delete arbitrary files.	Sensor disruption and file deletion.

Recommendations

Update CrowdStrike Falcon Sensor for Windows to the following patched versions or latest one

7.28.20008, 7.27.19909, 7.26.19813, 7.25.19707, 7.24.19608,

7.16.18637 (for Windows 7/2008 R2 only)

Implement the following best practices to enhance overall security posture

Regularly monitor and apply security updates and patches promptly to all endpoint protection software.

Enforce the principle of least privilege by restricting user permissions and execution rights to minimize the risk from locally executed code.

Enable logging and continuous monitoring within the Falcon platform to detect any suspicious activities related to file deletions or sensor tampering.

Conclusion:
CrowdStrike identified and promptly addressed two vulnerabilities in widely used falcon endpoint protection sensor for Windows. These issues, if left unpatched, could allow an attacker with existing local access to disrupt system stability by deleting critical files.

There is no active exploitation has been detected & CrowdStrike already released the patches. Users are strongly encouraged to apply the latest patches and follow best security practices to maintain system integrity and resilience against potential threats.

References:

https://www.crowdstrike.com/en-us/security-advisories/issues-affecting-crowdstrike-falcon-sensor-for-windows/

https://cybersecuritynews.com/crowdstrike-falcon-windows-sensor-vulnerability/

Microsoft Patch Tuesday has 86 Fixes, 2-0Day Vulnerabilities

September 2025 Patch Tuesday update, addressing 86 security issues in products like Microsoft Windows, Microsoft Office etc.

This includes two publicly known zero-day bugs in the Windows SMB Server and another in Newtonsoft.Json. Here are the CVE addressed for Microsoft & non-Microsoft.

Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation.

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-09-09
No. of Patches	86
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Here are the CVE addressed for Microsoft & non-Microsoft

81 Microsoft CVEs addressed

5 non-Microsoft CVEs addressed

Breakdown of September 2025 Vulnerabilities

41 Elevation of Privilege (EoP)

22 Remote Code Execution (RCE)

16 Information Disclosure

4 Denial of Service (DoS)

2 Security Feature Bypass

1 Spoofing

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows SMB Elevation of Privilege Vulnerability	CVE-2025-55234	Windows Server, Windows 10, 11	High	8.8
Improper Handling of Exceptional Conditions in Newtonsoft.Json	CVE-2024-21907	Microsoft SQL Server	High	7.5

Technical Summary

September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.

One of the publicly disclosed zero-day CVE-2024-21907 affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.

Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-55234	Microsoft SMB Server	Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege.	Privilege Escalation
CVE-2024-21907	Newtonsoft.Json < 13.0.1	Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition.	Denial of Service

Source: Microsoft and NVD

In addition to the publicly disclosed zero day vulnerability, several other Critical & High severity issues were addressed

CVE‑2025‑55232: Microsoft High Performance Compute Pack (HPC), deserialization of untrusted data vulnerability enabling unauthorized remote code execution over a network interface.

CVE‑2025‑54918: Windows NTLM, improper authentication vulnerability that enables elevation of privilege over a network, with potential for lateral movement across enterprise systems.

CVE‑2025‑54110: Windows Kernel, integer overflow vulnerability allowing local privilege escalation through exploitation of kernel memory operations.

CVE‑2025‑54098: Windows Hyper-V, improper access control flaw permitting local privilege escalation from guest to host in virtualized environments.

CVE‑2025‑54916: Windows NTFS, stack-based buffer overflow vulnerability enabling local attackers to execute arbitrary code with elevated privileges.

Key Affected Products and Services

The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:

Windows Core and Security Components

Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher.

Microsoft Office Suite

Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors.

Azure and Cloud Services

Fixes affect Azure Virtual Machine Agent, Azure Arc, and High-Performance Compute Pack (HPC).

Virtualization and Hyper-V

Multiple vulnerabilities in Hyper‑V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks.

Developer and Management Tools

Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation.

Communication & File Services

Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments.

Browsers and Web Technologies

Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats.

Remediation:

Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks.

Conclusion:
Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities, including several critical and high rated issues across Windows, Office, Hyper-V and Azure components etc.

Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.

Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.

“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Sep

https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/

Microsoft Patch Tuesday August Patches 119 Vulnerabilities; Publicly Disclosed Kerberos Zero‑Day

Microsoft Patch Tuesday : Key points:

119 vulnerabilities discovered & 13 are classified as Critical rating meaning as per Microsoft’ they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

CVE-2025-53779 is Windows Kerberos Elevation of Privilege Vulnerability

The vulnerabilities fall into multiple categories, including Remote Code Execution (RCE), Elevation of Privilege (EoP), Information Disclosure, Spoofing, Denial of Service (DoS), and Tampering. Below is a detailed breakdown of the vulnerabilities by category, along with key insights for organizations to prioritize their patching efforts.

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-08-12
No. of Patches	119
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Microsoft has released security updates addressing 119 vulnerabilities in the August 2025 Patch Tuesday cycle, including one publicly disclosed zero-day in Windows Kerberos. Of these, 13 are classified as Critical, covering a wide range of products such as Windows components, Office, Azure, Exchange and SharePoint.

111 Microsoft CVEs addressed

8 non-Microsoft CVEs addressed

Breakdown of August 2025 Vulnerabilities

44 Elevation of Privilege Vulnerabilities

35 Remote Code Execution Vulnerabilities

18 Information Disclosure Vulnerabilities

9 Spoofing Vulnerabilities

4 Denial of Service Vulnerabilities

1 Tampering vulnerabilities

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Kerberos Elevation of Privilege Vulnerability	CVE-2025-53779	Windows Server 2025	High	7.2

Technical Summary

The August 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-53779 in Windows Kerberos.

This elevation of privilege flaw, related to improper path handling in domain-managed service accounts (dMSA), could allow a local attacker to gain domain administrator privileges.

Microsoft also patched several critical Remote Code Execution (RCE) vulnerabilities across Windows Graphics, GDI+, Office, DirectX, and Hyper-V. Many of these vulnerabilities require minimal or no user interaction, such as simply opening a file in the preview pane or processing crafted image or network messages, making them high-risk for enterprise environments.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-53779	Microsoft Windows Server 2025	Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network.	Privilege escalation

Source: Microsoft and NVD

In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed:

CVE‑2025‑50165 and CVE‑2025‑53766: Graphics-related RCEs, particularly vulnerable due to their ability to execute code without user interaction and potential wormable behavior.

CVE‑2025‑53792: Azure Portal, privilege escalation vulnerability, critical impact on cloud administration surface.

CVE‑2025‑50171: Remote Desktop Server, allows remote code execution over RDP.

CVE‑2025‑53778: Windows NTLM, elevation of privilege exploitation includes lateral movement across enterprise networks.

CVE‑2025‑53786: Microsoft Exchange Server, hybrid environment vulnerability with potential for cloud environment hijacking.

Key Affected Products and Services

The vulnerabilities addressed in August 2025 impact a wide range of Microsoft products and services, including:

Windows Core and Authentication Systems

Includes fixes in Windows Server (Kerberos), Windows Graphics Component, GDI+, DirectX Graphics Kernel, NTLM, Hyper‑V, MSMQ, Remote Desktop and more.

Microsoft Office Suite and Productivity Tools

Microsoft Office and Word, notably through Preview Pane RCE flaws, as well as SharePoint (RCE and EoP), Exchange Server (Privilege Escalation in hybrid setups) and Teams.

Cloud and Azure Ecosystem

Critical issues in Azure Virtual Machines (spoofing and info disclosure), Azure Stack Hub and potentially Azure Portal.

Virtualization and Hypervisor Technologies

Updates include vulnerabilities in Hyper‑V (RCE and privilege escalation) and DirectX graphics kernel components relevant to virtualization.

Development Tools

Fixes include vulnerabilities affecting Visual Studio and GitHub Copilot, reinforcing development environments.

Messaging and Queuing Services

Includes a critical RCE in Microsoft Message Queuing (MSMQ).

Browsers:
Microsoft Edge (Chromium-based).

Remediation:

Apply Patches Promptly: Install the August 2025 security updates immediately to mitigate risks.

Conclusion:

Microsoft’s August 2025 Patch Tuesday, disclosed zero-day CVE-2025-53779 is another privilege escalation flaw in Windows Kerberos that stems from a case of relative path traversal. Akamai researcher Yuval Gordon has been credited with discovering and reporting the bug.

Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Aug

https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2025-patch-tuesday-fixes-one-zero-day-107-flaws

https://www.rapid7.com/blog/post/patch-tuesday-august-2025/

Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released

The flaw, disclosed by researchers at Cyberdom Blog, poses a significant risk to millions of Windows users and organizations relying on windows.

OEM	Windows
Severity	HIGH
CVSS Score	7.8
CVEs	CVE-2025-21204
POC Available	Yes
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

A high-severity vulnerability in the Windows Update Stack, CVE-2025-21204, enables local attackers to escalate privileges to SYSTEM level by exploiting trusted path abuse through symbolic links. The flaw affects various versions of Windows 10, Windows 11, and Windows Server.

A working proof-of-concept (PoC) exploit has been publicly released by security researcher Elli Shlomo, increasing the urgency to patch. The issue is addressed in the April 2025 cumulative update KB5055523.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Update Stack Privilege Escalation	CVE-2025-21204	Windows	HIGH	7.8

Technical Summary

The vulnerability lies in how Windows Update processes such as MoUsoCoreWorker.exe and UsoClient.exe, which run with SYSTEM privileges, handle directory junctions. Attackers can delete the legitimate Tasks directory under C:\ProgramData\Microsoft\UpdateStack and replace it with a symbolic link pointing to an attacker-controlled path. This allows the execution of arbitrary code as SYSTEM without triggering traditional security mechanisms.

A public PoC developed by Elli Shlomo demonstrates this exploit using only native Windows features—no external binaries or code injection required.

This opens the door for a range of attacks, including installing persistent malware, disabling security tools, or accessing sensitive data.

CVE ID	System Affected	Vulnerability Details	Exploit Prerequisites	Impact
CVE-2025-21204	Windows 10 (10.0.10240.0 < 10.0.10240.20978, etc.), Windows 11, Server	Misuse of NTFS junctions allows local attackers to redirect C:\ProgramData\Microsoft\UpdateStack\Tasks to attacker-controlled locations. SYSTEM-level update processes follow these junctions and execute unauthorized code.	Attackers must have local access and limited user privileges; no user interaction required	Local privilege escalation, Code execution

Source: Cyberdom

Recommendations:

Apply the April 2025 cumulative update (KB5055523) immediately.

Restrict ACLs on C:\ProgramData\Microsoft\UpdateStack.

Use AppLocker or WDAC to block symbolic link creation in sensitive directories.

Monitor file operations involving UpdateStack and inetpub, regardless of IIS presence.

Detect attempts to create NTFS junctions targeting update directories.

Conclusion:
CVE-2025-21204 is an example of a rather low-level and impactful threat doing trusted path abuse rather than complex memory corruption. This vulnerability demonstrates how attackers will exploit trust assumptions built into the operating system via native components.

The only defenses available are to immediately patch and harden directory access controls to stop this low-level and minimally visible localized privilege escalation.

References:

https://cyberdom.blog/abusing-the-windows-update-stack-to-gain-system-access-cve-2025-21204/

https://raw.githubusercontent.com/eshlomo1/CloudSec/refs/heads/main/Attacking%20the%20Cloud/CVE-2025-21204/Exploit-CVE2025-UpdateStackLPE-NonAdmin.ps1

https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr

Windows 11 DLL Flaws Open Doors to Privilege Escalation!

Summary

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications load DLLs.

OEM	Windows
Severity	HIGH
CVSS Score	7.3
CVEs	CVE-2025-24994, CVE-2025-24076
No. of Vulnerabilities Patched	02
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Cross Device Service Elevation of Privilege Vulnerability	CVE-2025-24076	Windows	HIGH	7.3
Windows Cross Device Service Elevation of Privilege Vulnerability	CVE-2025-24994	Windows	HIGH	7.3

Technical Summary

The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24076	Windows 11 Version 22H2, 22H3, 23H2, 24H2.	Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window.	Allows SYSTEM-level privilege escalation
CVE-2025-24994	Windows 11 Version 22H2, 22H3, 23H2, 24H2	Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable.	Allows user-to-user privilege escalation

Remediation:

Implement Security Updates to make sure to install the current security patches made available by Microsoft, specifically March 2025 updates, into affected systems.

Turn off Cross Device Service if not needed, disable the “Mobile Devices” feature in Windows 11 to avoid exploitation of the vulnerabilities.

Look for Suspicious Activity constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes.

Restrict User Permissions prevent non-administrative users from changing system files or running processes with elevated privileges.

Support DLL Signature Verification makes all programs support DLL signature verification so that no applications can load unsigned or altered DLL files.

Conclusion:
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.

While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.

References:

https://securityonline.info/windows-11-privilege-escalation-flaws-uncovered-cve-2025-24076-and-cve-2025-24994/

https://blog.compass-security.com/2025/04/3-milliseconds-to-admin-mastering-dll-hijacking-and-hooking-to-win-the-race-cve-2025-24076-and-cve-2025-24994/

https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar

April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Summary of Microsoft April Patch Tuesday

Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.

126 Microsoft CVEs addressed
9 non-Microsoft CVEs included

Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-04-08
No. of Vulnerabilities Patched	135
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.

The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.

On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability]	CVE-2025-29824	Windows	High	7.8
Remote Desktop Gateway Service RCE Vulnerability	CVE-2025-27480 CVE-2025-27482	Windows	High	8.1
LDAP Service RCE Vulnerability	CVE-2025-26663	Windows	High	8.1
LDAP Client RCE Vulnerability	CVE-2025-26670	Windows	High	8.1

Technical Summary

The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-29824	Windows 10/11, Windows Server	An elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges.	Elevation of Privilege
CVE-2025-27480 CVE-2025-27482	Windows RDS	Race condition in Remote Desktop Gateway; triggers use-after-free allowing code execution	Remote Code Execution
CVE-2025-26663	Windows LDAP	Crafted LDAP call causes use-after-free, leading to arbitrary code execution	Remote Code Execution
CVE-2025-26670	Windows TCP/IP	Memory mismanagement during DHCPv6 handling, complex exploit chain.	Remote Code Execution

Source: Microsoft & NVD

In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:

CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability

These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.

CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability

An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.

CVE-2025-29791 – Excel Type Confusion RCE Vulnerability

This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.

CVE-2025-26686 – Windows TCP/IP RCE Vulnerability

Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.

CVE-2025-27491 – Windows Hyper-V RCE Vulnerability

This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.

Remediation:

Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.

General Recommendations:

Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.

“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.

Conclusion:

The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.

Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.

IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr

Spoofing Vulnerability in WhatsApp Desktop for Windows

Summary

Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .

Overview

The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Spoofing Vulnerability	CVE-2025-30401	WhatsApp Desktop for Windows	Medium	2.2450.6

Technical Summary

The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables.

Example Scenario:

An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code.

This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-30401	WhatsApp Desktop for Windows (<2.2450.6)	MIME type used for display, but file extension used for execution. A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe).	Remote Arbitrary code execution

Remediation:

Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version.

Conclusion:

CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.

Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise.

Be careful when you click attachments.

References:

https://www.facebook.com/security/advisories/cve-2025-30401

https://cybersecuritynews.com/whatsapp-for-windows-vulnerability/

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems

CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.

OEM	Microsoft
Severity	High
CVSS	7.8
CVEs	CVE-2018-8639
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview on Vulnerability

The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat.

Vulnerability Name	CVE ID	Product Affected	Severity
Privilege Escalation Vulnerability	CVE-2018-8639	Windows	High

Technical Summary

The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.

Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2018-8639	Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019	Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation.	System compromise, unauthorized access, potential malware persistence

Remediation:

Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk.

Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.

General Recommendations:

Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches.

Adopting the principle of least privilege (PoLP) to limit user access.

Continuous monitoring of anomalous kernel-mode activities.

Conclusion:

Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk.

References:

https://nvd.nist.gov/vuln/detail/cve-2018-8639

https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exploited-vulnerabilities-catalog

https://github.com/ze0r/CVE-2018-8639-exp

Microsoft Defender Vulnerability Leveraged in 0-Day Attacks; Patches Rolled Out

SIEM Helps Detect Exploitation

Privilege Escalation Detection (CVE-2026-41091)

DoS & Security Service Monitoring (CVE-2026-45498)

DNS CNAME Used as Relay Attack for New Kerberos-PoC Released

CrowdStrike Releases Security Updates for Falcon Sensor Windows Vulnerabilities

Microsoft Patch Tuesday has 86 Fixes, 2-0Day Vulnerabilities

Microsoft Patch Tuesday August Patches 119 Vulnerabilities; Publicly Disclosed Kerberos Zero‑Day

Windows Update Stack Privilege Escalation Vulnerability (CVE-2025-21204) – PoC Released

Windows 11 DLL Flaws Open Doors to Privilege Escalation!

April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Spoofing Vulnerability in WhatsApp Desktop for Windows

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives