SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Newly Patched Windows Zero-Day Exploited for Two Years

Microsoft on Tuesday patched a zero-day vulnerability in the Windows Win32 kernel that has been exploited since March 2023.
Microsoft security

A Windows zero-day vulnerability addressed by Microsoft with its March 2025 Patch Tuesday updates has been exploited in the wild since March 2023, ESET says.

The issue, tracked as CVE-2025-24983 (CVSS score of 7.0), is described as a use-after-free bug in the Win32 kernel subsystem that could allow attackers to elevate privileges to System.

“Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft notes on its advisory.

On Tuesday, the tech giant rolled out patches for CVE-2025-24983 and five other security defects marked as exploited. Overall, Microsoft released fixes for 57 vulnerabilities on March 2025 Patch Tuesday.

According to cybersecurity firm ESET, which was credited with finding and reporting the Win32 kernel subsystem vulnerability, attackers have been exploiting the flaw for two years.

The zero-day exploit targeting CVE-2025-24983, ESET said on X, was “first seen in the wild in March 2023”. The attackers executed the code on compromised systems using the PipeMagic backdoor.

“The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including still supported Windows Server 2016. It does not affect more recent Windows OSes such as Windows 11,” ESET explains.

The issue, the company notes, is that, in a certain scenario, when the WaitForInputIdle API is used, the Win32 process structure is dereferenced “one more time than it should”, resulting in a use-after-free.

Advertisement. Scroll to continue reading.

However, “a race condition must be won” for an attacker to reach the vulnerability, ESET also explains.

According to cybersecurity expert Andre Gironda, while the Nokoyawa ransomware group was previously seen using PipeMagic, Win32 functions have been abused by ransomware such as 3AM, BlackMatter, BlackSuit, and LockBit, as well as by adware, and malware associated with the SideWinder APT.

Related: Microsoft Flags Six Active Zero-Days, Patches 57 Flaws: Patch Tuesday

Related: Patch Tuesday: Critical Code Execution Bugs in Adobe Acrobat and Reader

Related: SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver

Related: Vulnerabilities Patched in Qualcomm, Mediatek Chipsets

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

SplxAI, a startup focused on securing AI agents, has announced new CISO Sandy Dunn.

Phillip Miller is joining tax preparation giant H&R Block as VP and CISO.

Linx Security has appointed Sarit Reiner Frumkes as Chief Technology Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.