2-year-old Windows Kernel 0-day Vulnerability Exploited in the Wild


Microsoft has patched a critical Windows Kernel vulnerability that has been actively exploited for nearly two years. 

The vulnerability, tracked as CVE-2025-24983, was included in the company’s March 2025 Patch Tuesday release in March.

According to cybersecurity firm ESET, which discovered and reported the vulnerability, attackers have been exploiting this flaw in the wild since March 2023, making it one of the longest-running active exploits before remediation.

Windows Kernel Vulnerability

The vulnerability exists in the Windows Win32 Kernel Subsystem and has been classified as a use-after-free (UAF) weakness that allows attackers with low privileges to elevate to SYSTEM privileges without requiring user interaction. 

Despite its significant impact, Microsoft has rated the vulnerability as “Important” rather than “Critical” due to the high complexity of exploitation, which requires attackers to win a race condition.

“The vulnerability is a use-after-free in Win32k driver,” ESET explained in their technical analysis. 

“In a certain scenario achieved using the WaitForInputIdle API, the W32PROCESS structure gets dereferenced one more time than it should, causing UAF. To reach the vulnerability, a race condition must be won.”

ESET researcher Filip Jurčacko, who discovered the exploit, found that it was being delivered through a sophisticated backdoor known as PipeMagic.

This backdoor, first identified in 2022, is a plugin-based trojan capable of exfiltrating sensitive data and providing attackers with full remote access to compromised devices. 

The malware creates a named pipe in the format “.pipe1.” for receiving encoded payloads and communicating with command-and-control servers.

Notably, the exploit primarily targeted older Windows versions, including Windows Server 2012 R2 and Windows 8.1, which Microsoft no longer supports. 

However, the vulnerability also affects newer but still older Windows versions, including Windows Server 2016 and Windows 10 systems running build 1809 and earlier.

Risk Factors Details
Affected Products Windows 10 for 32-bit SystemsWindows 10 for x64-based SystemsWindows 10 Version 1607 for 32-bit SystemsWindows 10 Version 1607 for x64-based SystemsWindows Server 2008 for 32-bit Systems Service Pack 2Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)Windows Server 2008 for x64-based Systems Service Pack 2Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)Windows Server 2008 R2 for x64-based Systems Service Pack 1Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)Windows Server 2012Windows Server 2012 (Server Core installation)Windows Server 2012 R2Windows Server 2012 R2 (Server Core installation)Windows Server 2016Windows Server 2016 (Server Core installation)
Impact Elevation of Privilege, complete system control, execution of arbitrary code with highest privileges
Exploit Prerequisites Local authentication Attacker must, win a race condition, run a specially crafted program, No user interaction required 
CVSS 3.1 Score 7.0 (Important)

The March 2025 Patch Tuesday included fixes for a total of 57 vulnerabilities, with six of them being zero-days actively exploited in the wild. Among these, CVE-2025-24983 stands out due to its lengthy exploitation period. 

Other significant vulnerabilities patched in this release included CVE-2025-26633 (a security feature bypass in Microsoft Management Console), CVE-2025-24985 (a remote code execution flaw in Windows Fast FAT File System Driver), and CVE-2025-24993 (a remote code execution vulnerability in Windows NTFS).

Organizations using affected Windows versions are strongly urged to apply the security updates immediately. 

This incident highlights the persistent threat posed by kernel-level vulnerabilities and the importance of timely security updates, even for systems approaching end-of-life. 

Security researchers continue to emphasize that privilege escalation vulnerabilities like CVE-2025-24983 remain valuable tools for attackers seeking to establish persistence within compromised networks.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free. 



Source link