Patch Tuesday February 2025
CVE-2025-21418 - 7.8 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Top of the list of things to patch this month is a local privilege escalation that threat actors are actively exploiting in the wild. Microsoft has not said which threat actors are using it or how, but an attacker who exploits this vulnerability gains SYSTEM-level permissions on the affected host. As this is a local exploit, an attacker or malicious insider must already have code execution on the target machine, typically obtained through phishing, a malicious document, or a separate remote code execution vulnerability. Despite its relatively low score of 7.8 compared to a Critical 9.8, local privilege escalation vulnerabilities are valuable to attackers because SYSTEM access lets them disable security tooling, dump credentials, and move laterally across the network.

CVE-2025-21377 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability

Another CVE to patch sooner rather than later is a zero-day that was discovered and publicly disclosed in December 2024, with Microsoft saying at the time that a patch would not be available until 2025. Tracked as CVE-2025-21377, this vulnerability lets a threat actor capture a victim's NTLM credentials by sending them a malicious file. The user does not have to open or run the file; simply viewing it in Explorer can be enough to trigger an outbound authentication attempt to an attacker-controlled server. What the attacker receives is the user's NTLMv2 hash (the challenge-response sent on the wire), which can be relayed to another service that accepts NTLM (an NTLM relay attack, often loosely lumped together with pass-the-hash) or cracked offline to recover the password. Threat actors love this style of attack because it lets them impersonate users on the network without ever knowing a password: a relayed authentication lets them log in to workstations, servers, and other Microsoft services as if they had your username and password, subject only to the relay protections (such as SMB signing) configured on the target.
Preventing outbound SMB traffic from leaving the network limits the exposure, and because this is such a prevalent technique Microsoft has specific guidance on its website on mitigating pass-the-hash (PtH) attacks and restricting NTLM traffic.

CVE-2025-21400 - 8.0 - Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft SharePoint is a web-based platform that integrates with Microsoft Office and is used to store, organize, and share information from any device. Microsoft's details for this remote code execution vulnerability indicate that an attacker needs to be authenticated to exploit it. Exploiting this vulnerability requires a client to connect to a malicious, attacker-controlled server, and with this access an attacker could achieve code execution on the client. In a network-based attack, an attacker whose account belongs to a site's "Site Owners" group (a SharePoint permission level that grants Full Control over that site, not control of the client machine) can write injectable code and send it to the SharePoint server, which amounts to code execution on the server.

CVE-2025-21408 - 8.8 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

A Microsoft Edge (Chromium-based) remote code execution vulnerability is a security issue that, if exploited, could allow an attacker to execute arbitrary code in the context of the current user. Vulnerabilities such as these are usually attributed to the way the browser handles objects in memory. For this specific vulnerability, successful exploitation requires a victim to click a malicious link so that the attacker can achieve remote code execution (RCE) inside Edge's renderer process, the part of the browser's multi-process architecture that handles most of the code on a web page, including JavaScript, HTML, and CSS. Renderers are sandboxed and sites are isolated from one another so that one misbehaving site cannot affect another in the same browser session, which is why code execution in a renderer is usually only the first stage of a full compromise.
After exploiting this vulnerability an attacker could do a number of things within the renderer, including injecting malicious scripts into the running browser session, chaining it with cross-site scripting (XSS) flaws, stealing credentials and session tokens from the browser, or staging further script-based malware; reaching the user's machine outside the browser would additionally require a sandbox escape. Microsoft has released a patch for this vulnerability, which users are encouraged to install.

CVE-2025-21391 - 7.1 - Windows Storage Elevation of Privilege Vulnerability

In today's Patch Tuesday release, Microsoft lists two vulnerabilities as "exploited in the wild." One is a Windows Storage elevation of privilege vulnerability, assigned the Common Vulnerabilities and Exposures ID CVE-2025-21391. Its CVSS score is 7.1, and the CVSS metrics show no impact on confidentiality, so no sensitive data can be read; the impact is to integrity and availability. The vulnerability is classified as an elevation of privilege, meaning successful exploitation lets an attacker act with higher privileges on the compromised system. However, Microsoft has stated that an attacker who successfully exploited this vulnerability could only delete targeted files on the system. That is still dangerous, since deleting the right files can break security tooling or deny service. Microsoft has released patches, and administrators should apply them immediately.

CVE-2025-21376 - 8.1 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

LDAP (Lightweight Directory Access Protocol) is a critical component of Windows environments, serving as the backbone for authentication, directory services, and centralized identity management. This critical vulnerability in Microsoft's LDAP implementation allows remote code execution through a combination of a race condition, an integer underflow, and a heap-based buffer overflow.
Exploiting this flaw requires an attacker to win the race condition while sending specially crafted requests to a vulnerable LDAP server, which is why the attack complexity is rated high; success could give full control of the system. Because LDAP is integral to Active Directory, which underpins authentication and access control in enterprise environments, a compromise could lead to lateral movement, privilege escalation, and widespread network breaches. This vulnerability follows a history of LDAP-related flaws, including privilege escalation and buffer overflow bugs, reinforcing the importance of securing directory services. Organizations must prioritize patching and hardening their LDAP configuration to reduce the risk of exploitation and protect their Windows infrastructure. Given the value of the target, attackers will invest time in developing an exploit, which matches Microsoft's own assessment that exploitation of this vulnerability is "more likely." Administrators are strongly urged to apply the available security patches promptly and implement the recommended mitigations.

CVE-2025-21379 - 7.1 - DHCP Client Service Remote Code Execution Vulnerability

The DHCP Client Service is a core component of Windows networking, responsible for obtaining an IP address and network configuration for the host. This newly disclosed critical vulnerability in the service allows remote code execution through a use-after-free flaw, which leads to memory corruption and arbitrary code execution. The attack complexity is high: the attacker must position themselves in the network path between the target and the DHCP server it talks to, performing a machine-in-the-middle (MITM) attack to intercept or manipulate DHCP responses.
In addition, the attack vector is classified as adjacent, meaning the attacker must be on the same local network segment, such as a shared Wi-Fi network or Ethernet switch, so remote exploitation across a WAN is not feasible. While this lowers the practical criticality, attackers will still want this in their toolkit, and given DHCP's fundamental role in network connectivity, a successful attack could compromise endpoint security, facilitate lateral movement, and enable further network exploitation. This vulnerability underscores the importance of protecting DHCP traffic with network segmentation, DHCP snooping on access switches (which drops DHCP server responses arriving on untrusted ports), and prompt patching.

CVE-2025-21381 - 7.8 - Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel is a widely used productivity tool in enterprise environments, which makes vulnerabilities in it highly valuable to attackers, especially for phishing and malware distribution. This newly disclosed critical vulnerability, CVE-2025-21381, allows remote code execution through an untrusted pointer dereference. This class of flaw occurs when a program accesses memory through a pointer that has not been properly validated and can be attacker-controlled, leading to memory corruption and arbitrary code execution when a maliciously crafted Excel file is processed. An attacker could execute code on a victim's system simply by convincing them to open a crafted document, the delivery method favoured by spear-phishing campaigns and malware families such as Emotet and Dridex. Excel vulnerabilities are particularly dangerous because Excel macros and embedded content have historically been a significant attack vector for APT groups, ransomware operators, and financial fraud campaigns, often bypassing traditional security defenses.
Given Excel's widespread use in corporate environments, this vulnerability highlights the ongoing risk posed by weaponized Office documents, reinforcing the need for patching, disabling macros by default, and implementing advanced email filtering to prevent exploitation.

Patch Tuesday December 2024
CVE-2024-49138 - 7.8 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Top of the list of things to patch this cycle is a trio of vulnerabilities in the Windows Common Log File System Driver. Don't be fooled by their relatively low score of 7.8: at least one of them (CVE-2024-49138) is being actively exploited in the wild, which makes it likely that working exploits for the other two will follow. This vulnerability is a local privilege escalation, meaning an attacker must first gain access to the host and can then elevate to SYSTEM-level privileges. With that level of access the threat actor can move laterally across the network, dump credentials to pivot to a domain controller, or disable security tooling to avoid detection by a blue team.

CVE-2024-49114 - 7.8 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

High on the list for patching should be CVE-2024-49114, a privilege escalation vulnerability in the Cloud Files Mini Filter Driver. Listed as "Exploitation More Likely" by Microsoft, its patch notes bear striking similarities to earlier vulnerabilities in the same component that were actively exploited and appeared on the CISA Known Exploited Vulnerabilities list late in 2023. That history likely contributes to the "Exploitation More Likely" rating: the bug class is proven effective for attackers, and existing public examples could make it faster to weaponise. An attacker who exploits this vulnerability gains SYSTEM-level privileges on the local machine. This kind of privilege escalation step is frequently seen in network compromises, as it lets the attacker disable security tools or run credential dumping tools such as Mimikatz, enabling lateral movement or the compromise of domain accounts.
CVE-2024-49093 - 8.8 - Windows Resilient File System (ReFS) Elevation of Privilege

The Resilient File System (ReFS) is a modern file system developed by Microsoft, designed to provide better data integrity, scalability, and fault tolerance than NTFS (New Technology File System). Introduced with Windows Server 2012, ReFS is optimized for large-scale storage, virtualization workloads, and environments that require high data reliability. It offers integrity streams to detect and repair data corruption, support for very large volumes and files (up to 35 petabytes), and efficient data management through features such as block cloning. While it lacks some NTFS features, such as file compression and encryption, ReFS is well suited to enterprise applications such as Hyper-V storage and resilient Storage Spaces, offering improved performance and reliability for mission-critical workloads. Microsoft rates this vulnerability "Exploitation More Likely" and assesses the attack complexity as low. An attacker only needs to run the exploit from a low-privilege AppContainer to execute code or access resources at a much higher integrity level than the AppContainer allows.

CVE-2024-49126 - 8.1 - Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

The Local Security Authority Subsystem Service (LSASS) is a critical system process in Microsoft Windows that enforces security policy and manages user authentication. It verifies users logging into a Windows system by handling credentials such as passwords and security tokens, and it interacts with Active Directory for domain authentication. LSASS also generates and manages the access tokens that applications and services use to determine user permissions.
The process runs with high privileges, making it a frequent target for attackers who want to extract credentials from its memory or use them for lateral movement with tools such as the well-known Mimikatz. Protecting LSASS is vital, and modern versions of Windows include features such as Credential Guard and LSA protection (RunAsPPL) to reduce the risk. This vulnerability is a use-after-free in which the attacker must win a race condition to reach sensitive data that is not properly protected or locked. It requires no user interaction and no special privileges to begin the attack. It is a remote code execution vulnerability affecting service accounts: an attacker can trigger malicious code in the context of the server's account through a network call.

CVE-2024-49117 - 8.8 - Windows Hyper-V Remote Code Execution Vulnerability

This vulnerability could be exploited by an attacker with authenticated access to a guest virtual machine (VM). The attacker sends carefully crafted file operation requests to interact with the hardware resources allocated to the VM. Microsoft has tagged the weakness as "return of wrong status code," which adds context: the flaw involves a miscommunication between components during the attack. If the underlying system returns a status code indicating that an operation succeeded when it did not, or fails to signal that an unexpected or malicious operation occurred, the error handling that would otherwise stop the attack never runs, making the vulnerability easier to exploit and harder to detect.
Because Hyper-V is so deeply integrated into the Windows operating system, it is recommended that you patch this even though exploitation requires access to a guest OS running on the machine.

CVE-2024-49112 - 9.8 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE)

A significant flaw has been identified in the Lightweight Directory Access Protocol (LDAP) service on all versions of Windows since Windows 7 / Server 2008 R2 that can allow an unauthenticated attacker with network access to gain code execution on the underlying server. LDAP is most commonly exposed by Domain Controllers, and it must be reachable by other servers and clients within an enterprise environment for the domain to function. Microsoft has not released specific details of the vulnerability at present but has indicated that the attack complexity is low and that authentication is not required. Furthermore, Microsoft advises that exposure of this service to the internet or to untrusted networks should be stopped immediately. An attacker can make a series of crafted calls to the LDAP service and gain execution in the context of that service, which runs as SYSTEM. Because the compromised host is a Domain Controller, we assess that this would immediately allow the attacker to perform a DCSync attack and obtain every credential hash in the domain. We also assess that an attacker would only need low-privileged access to a Windows host in the domain, or a foothold on the network, to exploit this service and gain complete control over the domain.
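Because the likely post-exploitation step for CVE-2024-49112 is a DCSync, one concrete thing to monitor on Domain Controllers is who is requesting replication rights. The script below is an added example and is not part of the original post: it reads Security event 4662 and flags replication requests from anything other than a DC machine account or a known replicator. It assumes "Audit Directory Service Access" is enabled so that 4662 is logged, that it runs on (or with remote log access to) the DC, and that the `MSOL_*` exclusion in the usage line is your Entra Connect account naming; adjust that to your environment.

```powershell
# Added example, not from the original post: hunt the Security log on a Domain
# Controller for DCSync-style replication requests. Assumes "Audit Directory
# Service Access" is enabled (so 4662 is written) and rights to read the log.

# Control-access rights a DCSync needs. DCs and directory-sync service accounts
# request these legitimately, hence the exclusion list below.
$replicationGuids = @(
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c"    # DS-Replication-Get-Changes-In-Filtered-Set
)

function Test-DcSyncEvent {
    # Returns a summary object when a 4662 event carries a replication right and the
    # requesting account is not an expected replicator; otherwise returns $null.
    param(
        [Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string[]]$KnownReplicators = @()        # wildcard patterns, e.g. "MSOL_*"
    )
    $x    = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $user  = $data["SubjectUserName"]
    $props = $data["Properties"]                 # "%%7688 {guid} {guid}..." for control access
    if ($user -like '*$') { return $null }       # machine accounts (DCs) replicate legitimately
    foreach ($k in $KnownReplicators) { if ($user -like $k) { return $null } }

    $hit = $replicationGuids | Where-Object { $props -match $_ }
    if (-not $hit) { return $null }

    [PSCustomObject]@{
        Time       = $Event.TimeCreated
        Account    = "$($data['SubjectDomainName'])\$user"
        Object     = $data["ObjectName"]          # normally the domain naming context DN
        Rights     = ($hit -join ", ")
        SourceHost = $Event.MachineName
    }
}

function Find-DcSync {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [string[]]$KnownReplicators = @()
    )
    $filter = @{ LogName = "Security"; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Test-DcSyncEvent -Event $_ -KnownReplicators $KnownReplicators } |
        Where-Object { $_ }
}

# Usage: anything listed here that is not a DC or an approved sync account is a
# credential-theft indicator and should be treated as an incident, not a ticket.
Find-DcSync -Hours 24 -KnownReplicators @("MSOL_*") | Format-Table -AutoSize
```

The GUID check is done on the raw Properties string rather than on the friendly right names because the names are locale-dependent and the GUIDs are not; the filter also deliberately keeps events from non-DC accounts that replicate only the filtered set, since that right alone is still abnormal for a user.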
Working out how to exploit this condition will be a top priority for attackers, especially ransomware operators, as complete control of a Domain Controller in an Active Directory environment gives access to every Windows machine in that domain and allows ransomware to be deployed to all of them. Microsoft also suggests blocking inbound RPC connections from untrusted networks, which may indicate that the vulnerability can be reached over RPC channels as well as the standard LDAP ports. Environments that run Windows Domain Controllers should patch this vulnerability as a matter of urgency and ensure that Domain Controllers are actively monitored for signs of exploitation.

CVE-2024-49122 - 7.8 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

This December 2024 Patch Tuesday also discloses a vulnerability in Microsoft Message Queuing (MSMQ). Tracked as CVE-2024-49122, it is rated "Exploitation More Likely" by Microsoft with a remote code execution impact. MSMQ allows asynchronous communication between applications across networks and systems by sending messages to, and reading them from, a queue. The attack complexity is high and the attacker must win a race condition, but successful exploitation only requires sending a maliciously crafted MSMQ packet to a server, resulting in remote code execution.

Patch Tuesday November 2024
CVE-2024-49039 - 8.8 - Windows Task Scheduler Elevation of Privilege Vulnerability

Microsoft has released a patch for this vulnerability; functional exploit code exists and has been used in the wild. The Windows Task Scheduler is a built-in Windows utility that lets organizations automate and schedule tasks or scripts to run at specific times, on specific events, or under certain conditions, making it easier to manage repetitive operations on a computer or across a network. No proof of concept has been publicly released for this vulnerability, but exploitation has been detected. An attacker can run the exploit from a low-privileged AppContainer and effectively execute remote procedure calls (RPCs) that should be available only to privileged tasks. Which RPCs are affected is unclear, but they could let an attacker elevate privileges and execute code on the machine where the vulnerability is triggered, and potentially on a remote machine.

CVE-2024-5535 - 9.1 - OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread

This OpenSSL bug has been present since 2011 and was only recently patched. Microsoft is shipping its fix through Microsoft Defender for Endpoint. It is rated 9.1, and several write-ups on the internet describe the vulnerability in depth. Exploitation in this context, however, requires a user to download a file, for example from an email, and have Defender inspect it in order to achieve code execution.

CVE-2024-43639 - 9.8 - Windows Kerberos Remote Code Execution Vulnerability

This is one of the most threatening CVEs in this release because it affects Kerberos, the authentication protocol used throughout Windows domain networks. The vulnerability allows an unauthenticated attacker to achieve remote code execution against a vulnerable target inside a Windows domain.
Windows domains are used in the majority of enterprise networks, and by exploiting a flaw in this cryptographic protocol's implementation an attacker can perform privileged actions on a remote machine within the network, potentially leading to access to the domain controller, which is the goal of most attackers targeting a domain.

CVE-2024-49033 - 7.5 - Microsoft Word Security Feature Bypass Vulnerability

This vulnerability targets Microsoft Office Protected View, allowing an attacker to bypass a security feature designed to protect users from potentially unsafe files. Protected View is a read-only mode that restricts editing and certain functionality for files from untrusted sources, such as email attachments or web downloads, to prevent malicious actions. By exploiting this vulnerability, an attacker could craft a malicious Word document that escapes Protected View, allowing harmful content to run on the victim's machine when it is opened. A successful attack requires several specific, environment-dependent steps, reflected in the high CVSS Attack Complexity (AC) metric. Because user interaction (UI) is required, the attacker cannot force the user to open the file; they must persuade the victim to click a link and open the document, usually with a convincing lure. If the user opens the crafted file, Protected View's protections are bypassed, potentially allowing embedded code such as traditional VBA macros to execute and compromise the system. Depending on the attacker's objectives and the victim's environment, this could result in data exposure, unauthorized access to sensitive information, or broader system compromise.
CVE-2024-49019 - 7.8 - Active Directory Certificate Services Elevation of Privilege Vulnerability

This Active Directory Certificate Services (AD CS) elevation of privilege vulnerability allows an attacker to gain domain administrator privileges if successfully exploited. The weakness lies in how certificates are issued from certain misconfigured certificate templates in a PKI (Public Key Infrastructure) environment. To determine whether your PKI is exposed, check whether any certificates have been issued from a version 1 certificate template whose subject name source is "Supplied in the request" and whose Enroll permission is granted to a broad group such as Domain Users or Domain Computers. This is usually a misconfiguration, and templates such as the built-in Web Server template could be affected; the Web Server template is not vulnerable by default, however, because of its restricted Enroll permissions. If such templates are not secured according to the best practices in Microsoft's "Securing Certificate Templates" documentation, attackers can abuse the template's permissions to request a certificate for a privileged identity and elevate their privileges, potentially to domain administrator. Microsoft rates this vulnerability "Exploitation More Likely." Because it affects Windows domains, which are used heavily across enterprise organizations, it is very important both to patch and to look for misconfigured templates that may still be present.

CVE-2024-43451 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability

This Microsoft Patch Tuesday release also includes an NTLM hash disclosure spoofing vulnerability, CVE-2024-43451.
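Returning briefly to the AD CS template check above for CVE-2024-49019: the script below is an added example, not part of the original post or Microsoft's guidance, that performs exactly that check against Active Directory. It lists every schema version 1 template with the "Supplied in the request" subject-name flag, reports which principals can enroll in it, flags the broad groups (Everyone, Authenticated Users, Domain Users, Domain Computers), and says whether the template is actually published on a CA. It assumes a domain-joined host and an account that can read the Configuration naming context; the Certificate-Enrollment right GUID and the flag bit are the documented ones.

```powershell
# Added example, not from the original post: audit AD for version 1 certificate
# templates that let the requester supply the subject and grant Enroll to a broad
# principal. Assumes a domain-joined host with read access to the Configuration NC.

$enrollRight = [Guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"   # Certificate-Enrollment extended right
$anyRight    = [Guid]"00000000-0000-0000-0000-000000000000"   # ACE that covers all extended rights
$bitAnd      = "1.2.840.113556.1.4.803"                        # LDAP_MATCHING_RULE_BIT_AND
$adr         = [System.DirectoryServices.ActiveDirectoryRights]

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

function Test-BroadPrincipal([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Everyone, Authenticated Users, or this domain's Domain Users (RID 513) / Domain Computers (RID 515)
    $Sid.Value -in @("S-1-1-0", "S-1-5-11") -or $Sid.Value -match "-(513|515)$"
}

function Get-PublishedTemplates {
    # Map of template CN -> CA name, from the certificateTemplates attribute of each CA object
    $map = @{}
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    $s.Filter = "(objectClass=pKIEnrollmentService)"
    [void]$s.PropertiesToLoad.AddRange(@("cn", "certificatetemplates"))
    foreach ($ca in $s.FindAll()) {
        foreach ($t in $ca.Properties["certificatetemplates"]) { $map[$t] = $ca.Properties["cn"][0] }
    }
    $map
}

function Get-EnrolleeSuppliesSubjectV1Templates {
    $published = Get-PublishedTemplates
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    # msPKI-Certificate-Name-Flag bit 0x1 is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $s.Filter = "(&(objectClass=pKICertificateTemplate)(msPKI-Template-Schema-Version=1)(msPKI-Certificate-Name-Flag:$bitAnd:=1))"
    [void]$s.PropertiesToLoad.Add("cn")

    foreach ($res in $s.FindAll()) {
        $name = $res.Properties["cn"][0]
        $acl  = $res.GetDirectoryEntry().ObjectSecurity
        $broad = foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne "Allow") { continue }
            $rights = $ace.ActiveDirectoryRights
            # Enroll is granted by GenericAll, or by ExtendedRight scoped to Enroll (or to all rights)
            $grantsEnroll = (($rights -band $adr::GenericAll) -eq $adr::GenericAll) -or
                            ((($rights -band $adr::ExtendedRight) -ne 0) -and
                             ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq $anyRight))
            if ($grantsEnroll -and (Test-BroadPrincipal $ace.IdentityReference)) {
                try   { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $ace.IdentityReference.Value }
            }
        }
        [PSCustomObject]@{
            Template       = $name
            PublishedOnCA  = if ($published.ContainsKey($name)) { $published[$name] } else { "(not published)" }
            BroadEnrollers = ($broad -join ", ")
            Finding        = if ($broad -and $published.ContainsKey($name)) { "REVIEW" } else { "ok" }
        }
    }
}

Get-EnrolleeSuppliesSubjectV1Templates | Format-Table -AutoSize
```

A template that shows "REVIEW" is the exact shape the advisory warns about and should either be unpublished from the CA or have its Enroll permission narrowed to the specific accounts that need it; an unpublished match is a latent problem worth fixing before someone publishes it.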
Although it is tagged at a moderate severity level with a CVSS score of 6.5, details of this vulnerability have been publicly disclosed and exploitation has been confirmed, so users should act immediately to mitigate the risk. Microsoft's advisory notes that CVE-2024-43451 needs only minimal user interaction with a malicious file, such as single-clicking it or inspecting it with a right-click. That action can disclose the user's NTLMv2 hash to the attacker, compromising confidentiality and potentially allowing the attacker to authenticate as the user. All supported versions of Microsoft Windows are affected.

CVE-2024-43642 – 7.5 - Windows SMB Denial of Service Vulnerability

Microsoft has flagged a new vulnerability, CVE-2024-43642, in Windows Server Message Block (SMB). SMB is the network protocol Windows uses for sharing access to files, printers, serial ports, and other communications between nodes on a network. The vulnerability could lead to a denial of service (DoS) that disrupts the normal functioning of a service or system. It is classified as a use-after-free, CWE-416, meaning particular program operations can cause memory to be accessed after it has been freed. With a CVSS v3.1 score of 7.5 (temporal 6.5), Microsoft assigns it an "Important" severity rating, reflecting the potential for considerable disruption and downtime on affected systems.

CVE-2024-43602 – 9.9 – Azure CycleCloud Remote Code Execution Vulnerability

CVE-2024-43602 affects Azure CycleCloud, an orchestration and management tool often used for High-Performance Computing (HPC). The vulnerability is an instance of CWE-285, Improper Authorization, and carries a CVSS rating of 9.9 (temporal 8.6).
At the time of writing, Microsoft's exploitability assessment for this one is "Exploitation Less Likely," although the attack complexity is rated low. To exploit it, an attacker with basic user permissions could send specially crafted requests to alter the configuration of an Azure CycleCloud cluster and thereby gain root-level permissions. The attacker could then execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials. No exploitation has been observed at the time of writing.

Patch Tuesday October 2024
CVE-2024-43572 - 7.8 - Microsoft Management Console Remote Code Execution Vulnerability

Top of the list for patching should be a vulnerability in the Microsoft Management Console. While its CVSS score is not the highest in the patch notes, it is being actively exploited in the wild by threat actors and warrants immediate attention. Although the notes say "remote code execution," this vulnerability requires user interaction and some degree of social engineering. To exploit it an attacker must craft a malicious .msc file that, when opened, runs arbitrary code or commands that compromise the host. The file would typically be delivered by email, either as an attachment or as a link to a download. After patching, security teams and threat hunters should proactively check historical logs for indicators of such files being sent and received. Organizations unable to deploy patches quickly should add monitoring and blocking rules targeting this file extension. Microsoft's fix prevents untrusted .msc files from being executed.

CVE-2024-43609 - 6.5 - Microsoft Office Spoofing Vulnerability

While not actively exploited in the wild, CVE-2024-43609 deserves closer attention because Microsoft has rated it "Exploitation More Likely." This vulnerability affects Microsoft Office and allows an attacker to capture the NTLM credentials of any user who interacts with a crafted document. With the captured NTLM authentication an attacker can mount a relay attack, commonly lumped together with "pass the hash," to authenticate as the user without knowing their password, which is where the "spoofing" in the vulnerability's title comes from. Threat actors frequently use this technique in the wild to gain remote access.
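The mitigation Microsoft recommends for this whole family of NTLM credential leaks (CVE-2024-43609 here, and CVE-2025-21377 in the February 2025 notes above) comes down to two host-level controls. The script below is an added example, not part of the original post: it creates a Windows Firewall rule blocking outbound SMB to Internet addresses and configures the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, defaulting to Audit so that legitimate NTLM use is visible before you switch to Deny. It assumes Windows 10 / Server 2016 or later and an elevated session; the registry paths and values are Microsoft's, the rule name and the exception-list parameter are this example's own.

```powershell
# Added example, not from the original post: block outbound SMB to the Internet
# and restrict outgoing NTLM at the LSA level (audit first, then deny).
# Assumes Windows 10 / Server 2016+ and an elevated session. Use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet("Audit", "Deny")] [string]$NtlmMode = "Audit",
    [string[]]$AllowedNtlmServers = @()       # exceptions, e.g. a legacy NAS that only speaks NTLM
)

$lsa      = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$msv      = "$lsa\MSV1_0"
$ruleName = "Block outbound SMB to Internet"   # example's own rule name

# 1. Firewall: SMB to anything outside the local networks. "Internet" is a firewall
#    address keyword resolved by Network Location Awareness, so intranet shares keep working.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess($ruleName, "Create outbound block rule")) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445, 139 -RemoteAddress Internet -Profile Any | Out-Null
    }
}

# 2. LSA policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all
$restrict = if ($NtlmMode -eq "Deny") { 2 } else { 1 }
if ($PSCmdlet.ShouldProcess("RestrictSendingNTLMTraffic", "Set to $restrict ($NtlmMode)")) {
    Set-ItemProperty -Path $msv -Name RestrictSendingNTLMTraffic -Value $restrict -Type DWord
    # LmCompatibilityLevel 5: send NTLMv2 only and refuse LM / NTLMv1 responses,
    # so anything that does leak is at least the harder-to-crack NTLMv2 form.
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    if ($AllowedNtlmServers.Count -gt 0) {
        # servers listed here are exempt from the Deny policy
        Set-ItemProperty -Path $msv -Name ClientAllowedNTLMServers -Value $AllowedNtlmServers -Type MultiString
    }
}

# 3. Review: in Audit mode every outgoing NTLM authentication that Deny would have
#    blocked is recorded as event 8001 in the NTLM operational log. Anything here
#    that is not an expected intranet server is either a leak in progress or a
#    candidate for -AllowedNtlmServers before you flip to Deny.
$log = "Microsoft-Windows-NTLM/Operational"
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8001 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{ Time = $_.TimeCreated }
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [PSCustomObject]$d
    } | Format-List
```

Roll this out in Audit mode through Group Policy rather than per host once you have validated it, and move to Deny only after the 8001 events have been triaged; denying outgoing NTLM without an exception list will break any service that has no Kerberos SPN.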
Organizations should follow Microsoft's guidance on blocking outbound SMB ports and configuring the "Network security: Restrict NTLM" policies.

CVE-2024-43573 - 6.5 - Windows MSHTML Platform Spoofing Vulnerability

This vulnerability lies in the MSHTML platform used by certain Microsoft applications, including Internet Explorer mode in Microsoft Edge. It allows an attacker to trick users into viewing malicious web content that appears legitimate because of the way the platform handles certain web elements. Once a user is deceived into interacting with this content, typically through a phishing attack, the attacker can potentially gain unauthorized access to sensitive information or manipulate web-based services. Importantly, the attack requires no special permissions or knowledge of the user's system, making it relatively easy for cybercriminals to execute. Rated 6.5 out of 10, the vulnerability has already been exploited in the wild, making it a serious concern for large organisations that still rely on legacy web applications. Many larger and more mature organizations still use Internet Explorer mode for compatibility with internal applications, and although Internet Explorer itself has been retired on most platforms, its underlying MSHTML engine remains present and exploitable. This creates a risk for employees using these older applications as part of their everyday work, especially if they handle sensitive data or perform financial transactions online. Microsoft ships fixes for the MSHTML platform in its Internet Explorer Cumulative Updates, so businesses with legacy systems must ensure these updates are applied regularly to stay protected.
CVE-2024-43582 - 8.1 - Remote Desktop Protocol Server Remote Code Execution Vulnerability

This use-after-free vulnerability in the Remote Desktop Protocol (RDP) service, affecting Windows Server from 2019 and Windows 10 from version 1809 onwards, can lead to remote code execution and has been patched by Microsoft. Little is known about the vulnerability beyond Microsoft's statement that an unauthenticated attacker can exploit it by sending a malformed packet to an RPC host, leading to execution with the permissions of the RPC service. If that description refers to the RPCSS service, which runs as NETWORK SERVICE, escalation to SYSTEM afterwards would be trivial given the privileges of that account and the availability of "potato"-style exploits. Any successful exploitation should therefore be assumed to lead to complete compromise of the targeted system. In environments where RDP is heavily used for system management, or where Remote Desktop Gateway (RDG) is used to give users access to secure environments (RDG allows RPC interaction over HTTP/S), patching should be a priority. Vulnerabilities in RDP are quite rare, and Microsoft assesses exploitation as difficult and "less likely," but now that the existence of an issue is public and researchers have begun diffing the newly released patches, it may only be a matter of time before in-the-wild exploitation is seen. An exploit of this nature would be highly prized by ransomware groups because it gives total compromise of a system without any credentials, could help them reach high-value targets such as Domain Controllers, and could be used to launch the destructive phase of an attack across the entire domain.

CVE-2024-43583 - 6.8 - Winlogon Elevation of Privilege Vulnerability

This vulnerability has been identified in the Winlogon process.
Winlogon is responsible for handling secure user logins in Windows. This vulnerability, rated 6.8 out of 10 in severity, allows an attacker with local access to a machine to elevate their privileges to SYSTEM level, which is the highest level of access in Windows. This could enable the attacker to take full control of the affected system, manipulate settings, access sensitive data, or install malicious software. Although it is quite uncertain due to the lack of information provided by Microsoft, the local nature of this vulnerability means that the attacker needs physical access to the machine or to be already logged in, making it similar to kiosk breakout scenarios where restricted environments can be bypassed. This makes it a concern for public kiosks, shared computers, or any device that restricts user access but could still be exploited by someone with local access.

To protect against this vulnerability, it’s important to ensure that a Microsoft first-party Input Method Editor (IME) is enabled on your device. IMEs are used to input complex characters during the sign-in process, and third-party IMEs could be vulnerable to attack. This is particularly relevant when installing language packs for your keyboard, as some third-party IMEs can be exploited during login. By using a Microsoft IME, one can minimize the risk of this vulnerability being exploited during the sign-in process.

Patch Tuesday September 2024
CVE-2024-43491 - 9.8 - Microsoft Windows Update Remote Code Execution Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs

Top of the list for patches this month is a CVE in the Windows Update mechanism. Tracked as CVE-2024-43491, this one comes in at a 9.8 out of 10 and is marked as “Exploitation Detected”. This specific vulnerability impacted the Windows Update system in such a way that security patches for some components were rolled back to a vulnerable state, and they will have remained in that vulnerable state since March 2024. Some of these components were known to be exploited in the wild in the past, meaning attackers could still exploit them despite Windows Update saying the system is fully patched.

The root cause of this issue is that on specific versions of Windows 10, the build version numbers that are checked by the update service were not properly handled in the code. The notes from Microsoft say that the “build version numbers crossed into a range that triggered a code defect.” This implies that there was an integer overflow vulnerability that meant optional components were detected as “Not Applicable” and therefore reverted back to their original unpatched versions. There are a lot of caveats to this one, so it’s worth checking the official notes. The short version is that some versions of Windows 10 with optional components enabled were left in a vulnerable state.

CVE-2024-38217 - 5.4 - Windows Mark of the Web Security Feature Bypass Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs

Mark of the Web (MoTW) has been a popular target for threat actors in recent months, and this month is no different. Mark of the Web is a feature in Microsoft Windows that tags files downloaded from the internet, and if a user tries to run a file with this mark then the operating system will step in to warn or block the action from taking place.
It is important to note that this vulnerability alone is not enough for an attacker to compromise a user’s workstation and would be used in conjunction with something like a spear phishing attack that delivers a malicious file. Defense in depth is the key mitigation here; organizations should not rely solely on features like Mark of the Web to protect them. To exploit this vulnerability, an attacker needs to host a specially crafted file on a web server and then socially engineer the user into opening the file, typically by sending a link via email or a messaging service.

CVE-2024-38014 - 7.8 - Windows Installer Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

This vulnerability has been exploited in the wild and has been assigned a CVSS score of 7.8. Much like many of the other Windows Installer elevation of privilege vulnerabilities, such as the InstallerFileTakeOver vulnerability, when an attacker exploits it they will gain full SYSTEM-level privileges. As with many of the previous vulnerabilities that took advantage of the Windows Installer service, attackers will continue to use this vulnerability for the foreseeable future, therefore it is worth patching as soon as possible. Among the versions this vulnerability affects is the newly released Windows 11 24H2; if you have any Copilot+ devices, they are now publicly available and will need to be patched to defend against this vulnerability.

CVE-2024-38226 - 7.3 - Microsoft Publisher Security Feature Bypass Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

This vulnerability has been exploited in the wild and has been assigned a CVSS score of 7.3. Due to this being a security feature bypass, threat actors will likely use this vulnerability as part of their attack chain in Microsoft Publisher phishing documents.
An attack could bypass the Office suite's macro warning, which is used as a last line of defense to keep users from enabling macros in documents - a common attack method used by threat actors around the world. If this warning does not show, successful phishing attempts will likely increase.

CVE-2024-38220 - 9.0 - Azure Stack Hub Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

Azure Stack Hub is a hybrid cloud platform from Microsoft that allows you to run Azure services from your own data center. It essentially extends Azure's public cloud capabilities to on-premises infrastructure, enabling organizations to build, deploy, and manage applications in a consistent way across both public and private clouds. This vulnerability means an attacker can gain unauthorized access to a business’s internal resources, content, and applications; however, the attacker is required to be authenticated and must also wait for a victim user to initiate a connection - likely by accident or through social engineering.

CVE-2024-38241 & CVE-2024-38242 -- Kernel Streaming Service Driver Elevation of Privilege Vulnerability
Ben McCarthy, Lead Cyber Security Engineer, Immersive Labs

Kernel vulnerabilities like CVE-2024-38241 often arise due to flaws in low-level system components such as device drivers, including the Kernel Streaming Service Driver, which is responsible for handling audio and video streaming in Windows. The Windows kernel is a critical part of the operating system, managing core system resources and ensuring secure interactions between hardware and software. Vulnerabilities in the kernel or its drivers can be particularly dangerous because they typically run with high privileges, meaning that exploiting these flaws could allow attackers to bypass security controls, execute arbitrary code, or escalate their privileges to gain control over the entire system.
Kernel streaming service drivers, in particular, are designed to efficiently process and stream multimedia data, making them a common target for vulnerabilities due to their complexity and the need for real-time processing. Issues such as improper input validation (like in CVE-2024-38241) are common, where malicious inputs can be exploited to manipulate the kernel's behavior, leading to the elevation of privileges.

Patch News Day, August 2024
CVE-2024-38189 - 8.8 - Microsoft Project Remote Code Execution Vulnerability

One of six CVEs being actively exploited in the wild, with Microsoft saying “Exploitation Detected”, CVE-2024-38189 impacts Microsoft Office Project files. An attacker can create a malicious Office Project file and send it to the victim either as an attachment in an email or as a link to a file hosted on a website. If a victim downloads and opens the attachment, the attacker is able to execute code on the target host. This is not dissimilar to many common phishing attacks where threat actors will name their weaponized documents to play on human social behaviors, socially engineering victims into opening the file. Examples include fake invoices, internal salary documents, and even thematic lures for individuals in more targeted attacks.

In terms of mitigation, Microsoft suggests that the “block macros from running in Office files from the Internet” policy will prevent the exploit from being successful. Organizations not able to patch this vulnerability quickly should review this policy and ensure it is enabled.

CVE-2024-38213 - 6.5 - Windows Mark of the Web Security Feature Bypass Vulnerability

One of six CVEs being actively exploited in the wild, with Microsoft saying “Exploitation Detected”, CVE-2024-38213 affects the Windows Mark of the Web (MoTW) feature. This feature is designed as an extra layer of defense-in-depth by “marking” files that are downloaded from the internet as untrusted. This is commonly seen as the SmartScreen “Windows protected your PC” popup that appears when opening files that carry this “Mark of the Web”. This vulnerability is not exploitable on its own and is typically seen as part of an exploit chain, for example, modifying a malicious document or exe file to include this bypass before sending the file via email or distributing it on compromised websites.
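As an added illustration of the Mark of the Web mechanism described here and in the September 2024 post above (example code written for this page, not from the Immersive Labs posts): MoTW is stored in an NTFS alternate data stream named Zone.Identifier, and this Python reads and parses it so a defender can audit which downloaded files still carry the mark. The sample stream content and the example.test URLs are constructed.

```python
"""Added example, not from the Immersive Labs post: what the Mark of the Web
actually is and how to check for it. On NTFS, a downloaded file carries an
alternate data stream named Zone.Identifier holding an INI-style [ZoneTransfer]
section whose ZoneId records the URL security zone the file came from
(3 = Internet, 4 = Restricted sites). SmartScreen and Office Protected View
key off that value; a file with no stream, or a ZoneId of 0-2, opens silently."""
import sys
from dataclasses import dataclass
from typing import Optional


@dataclass
class MarkOfTheWeb:
    zone_id: int                          # 0 local, 1 intranet, 2 trusted, 3 Internet, 4 restricted
    referrer_url: Optional[str] = None    # Windows 10+ browser downloads add these two
    host_url: Optional[str] = None

    @property
    def is_untrusted(self) -> bool:
        # Only Internet and Restricted-sites files trigger the MoTW warnings.
        return self.zone_id in (3, 4)


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Parse Zone.Identifier stream text. None means 'no usable mark', which is
    exactly how Windows treats an absent or malformed stream: no warning."""
    in_section, fields = False, {}
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if not fields.get("zoneid", "").isdigit():
        return None
    return MarkOfTheWeb(int(fields["zoneid"]), fields.get("referrerurl"),
                        fields.get("hosturl"))


def read_mark_of_the_web(path: str) -> Optional[MarkOfTheWeb]:
    """Read a file's Zone.Identifier stream (Windows/NTFS only). A missing
    stream means the file carries no Mark of the Web at all."""
    if sys.platform != "win32":
        return None
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# Constructed sample of the stream a browser writes for an Internet-zone download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/\r\n"
                 "HostUrl=https://example.test/invoice.docm\r\n")
```

Run on Windows, read_mark_of_the_web(path) returns None for a file with no mark, which is the condition an audit of a downloads folder should flag.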
CVE-2024-38178 - 7.5 - Scripting Engine Memory Corruption Vulnerability

One of six CVEs being actively exploited in the wild, with Microsoft saying “Exploitation Detected”, CVE-2024-38178 affects the Windows Edge browser when it is operating in “Internet Explorer Mode.” While this is not the default mode for most users, this vulnerability being actively exploited suggests that there are occasions in which the attacker can set this mode or has identified an organization (or user) that has this configuration. Internet Explorer Mode is used where old websites or applications were built specifically for Internet Explorer and are not supported by modern HTML5 browsers like Chromium-based browsers. For these sites and applications, organizations or users can enable this legacy mode to maintain compatibility. If the Edge browser is in a vulnerable configuration, then all an attacker needs to do is convince a user to click on a specially crafted URL or in some way redirect them to a vulnerable site. Doing so would allow a remote attacker to gain code execution on the victim machine, allowing them to run commands, deploy new malware, or use other living-off-the-land techniques to avoid detection while they enumerate the host and network.

CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193 Elevation of Privilege Vulnerabilities

Three of the six CVEs being actively exploited in the wild, with Microsoft saying “Exploitation Detected”, are local privilege escalation vulnerabilities. Tracked as CVE-2024-38106, CVE-2024-38107 and CVE-2024-38193, they all impact different components of the core operating system: the Windows kernel, Power Management features, and the Ancillary Function Driver for WinSock, respectively. As local priv-esc vulnerabilities, an attacker would already need to have gained code execution on the victim machine, either through lateral movement or another exploit, for example a malicious document.
An attacker able to exploit one of these vulnerabilities would gain “SYSTEM” privileges on the host. This is the highest level of access for the local machine and would enable an attacker to perform other actions like disabling security tools or dumping credentials to move laterally across the network or gain domain-level access.

Patch Tuesday July 2024
CVE-2024-38080: Windows Hyper-V Elevation of Privilege Vulnerability (CVSS 7.8)
Kev Breen, Senior Director Threat Research, Immersive Labs

There is very little information available about this vulnerability. The only information Microsoft provides is: “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges” and “exploitation detected”. This means that threat actors are actively exploiting this vulnerability against organizations, making it a critical vulnerability to patch. Threat hunters would benefit from additional details to determine whether they’ve already been compromised by it.

CVE-2024-38023 & CVE-2024-38024: Microsoft SharePoint Server Remote Code Execution Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs

A pair of patches for SharePoint Server should be high on the list to patch. While not actively being exploited, Microsoft has listed these as more likely to be exploited. A mitigating factor is that an attacker must have authenticated access as a user with site owner permissions to take advantage of this vulnerability. It should be easy for threat hunters and network defenders to audit and proactively limit the attack surface. The notes identify that to trigger the vulnerability, an attacker must upload a specially crafted file and then perform several HTTP requests against the SharePoint API to trigger a deserialization, gaining code execution on the underlying server.

CVE-2024-38112: Windows MSHTML Platform Spoofing Vulnerability (CVSS 7.5)
Rob Reeves, Principal Cyber Security Engineer, Immersive Labs

MSHTML (also known as Trident) is the proprietary browser engine of Microsoft's Internet Explorer web browser. This vulnerability has been actively exploited in the wild, but details are scarce – Microsoft only describes it as a “spoofing” vulnerability, which requires social engineering to convince a user to execute a delivered file.
The vulnerability may well lead to remote code execution (RCE). Because it is linked to CWE-668: Exposure of Resource to Wrong Sphere, in the event of successful exploitation it could lead to a complete compromise of confidentiality, integrity, and availability. The CVSS score of only 7.5 is because it’s difficult to exploit, possibly only due to the complexity of the attack itself. But without further information from Microsoft or the original reporter (Haifei Li from Check Point), it’s difficult to give specific guidance. Exploitation also likely requires the use of an “attack chain” of exploits or programmatic changes on the target host, because of the description: “Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.” Despite the lack of details in the initial advisory, this vulnerability affects all hosts from Windows Server 2008 R2 onwards, including clients. Due to active exploitation in the wild, this vulnerability should be prioritized for patching.

CVE-2024-38021: Microsoft Office Remote Code Execution Vulnerability
Kev Breen, Senior Director Threat Research, Immersive Labs

Another vulnerability high on the list of things to patch affects Microsoft Office, meaning the end-user estate is vulnerable to exploitation, and the attack surface for threat actors is large. All an attacker needs to do is send an email or instant message en masse that contains a link to a site the attacker controls. If users click this specially crafted link, it will bypass the Protected View protocol, which can leak the user's NTLM credentials. This NTLM hash can be used like a password in a style of attack known as NTLM relay or pass-the-hash.
If an attacker can gain access to this hash, they’d be able to authenticate to other services or even run commands remotely, gaining full access to the compromised host with the same permissions as the user clicking the link.

Patch Tuesday June 2024
On the second Tuesday of each month, Microsoft release their security patches for vulnerabilities found in their products. Each month, Immersive Labs' Cyber Threat Research Team review these patch notes for any standout vulnerabilities. You can find their thoughts and findings here.