Post Syndicated from Adam Barnett original https://www.rapid7.com/blog/post/em-patch-tuesday-november-2025

Microsoft is publishing 66 new vulnerabilities today, which is far fewer than we’ve come to expect in recent months. There’s a lone exploited-in-the-wild zero-day vulnerability, which Microsoft assesses as critical severity, although there’s apparently no public disclosure yet. Three critical remote code execution (RCE) vulnerabilities are patched today; happily, Microsoft currently assesses all three as less likely to see exploitation. Five browser vulnerabilities and a dozen or so fixes for Azure Linux (aka Mariner) have already been published separately this month, and are not included in the total.

Windows GDI+: critical 0-day RCE

Faced with a fresh stack of Patch Tuesday vulns, there are a few different ways to prioritize our analysis. Do we start with vulns exploited in the wild? Pre-authentication RCEs? The vuln with the highest CVSS base score? The vuln which is likely to affect just about every asset running Microsoft software? Any of these are sensible avenues of approach, and today, all roads lead to CVE-2025-60724. As the advisory notes, in the worst-case scenario, an attacker could exploit this vulnerability by uploading a malicious document to a vulnerable web service. The advisory doesn’t spell out the context of code execution, but if all the stars align for the attacker, the prize could be remote code execution as SYSTEM via the network without any need for an existing foothold. While this vuln almost certainly isn’t wormable, it’s clearly very serious and is surely a top priority for just about anyone considering how to approach this month’s patches.

The weakness underlying CVE-2025-60724 is CWE-122: Heap-based buffer overflow, a concept which celebrated its 50th birthday several years ago. As the authors of the original 1972 paper noted: “If the code makes use of an internal buffer, there is a possibility that a user could input enough data to overwrite other portions of the program’s private storage.” Regarding computer security in general, they opined that “this problem is neither hopeless nor solved. It is, however, perfectly clear […] that solutions to the problem will not occur spontaneously, nor will they come from the various well-intentioned attempts to provide security as an add-on to existing systems.”

Office: critical ACE

Once again, we find ourselves wondering: “when is remote code execution really remote?” CVE-2025-62199 describes a critical RCE vulnerability in Microsoft Office, where exploitation relies on the user downloading and opening a malicious file. The attacker is remote, and that’s enough to satisfy the definition, even if the action is taken on the local system by the unwitting user. Anyone hoping that the Preview Pane is not a vector will be sadly disappointed, and this certainly increases the probability of real-world exploitation, since there’s no need for the attacker to craft a way around those pesky warnings about enabling dangerous content. Just scrolling through a list of emails in Outlook could be enough.

Visual Studio: critical RCE

Some attacks are straightforward, with only a single step needed to reach the finish line. Others, like Visual Studio critical RCE CVE-2025-62214, require that the attacker execute a complex chain of events. In this case, exploitation demands multi-stage abuse of recent advances in Visual Studio AI development capabilities, including prompt injection, Agent interaction, and triggering a build. The advisory doesn’t describe the context of code execution. If the prize is simply code execution on an asset in the context of the user, there’s no obvious advancement for the attacker, since exploitation already requires code execution on the asset by the attacker or the targeted user. The brief description of the attack chain does mention that the attacker would need to trigger a build. On that basis, possible outcomes might include execution in an elevated context, or compromised build artifacts, although the advisory does not provide enough information to be certain either way.

SQL Server: critical EoP

SQL Server admins should take note of CVE-2025-59499, which describes an elevation of privilege (EoP) vulnerability. Although some level existing privileges are required, successful exploitation will permit an attacker to run arbitrary Transact-SQL (T-SQL) commands. T-SQL is the language which SQL Server databases and clients use to communicate with one another. Although the default configuration for SQL Server disables the xp_cmdshell functionality which allows direct callouts to the underlying OS, there’s more than one way to shine a penny, and the only safe assumption here is that exploitation will lead to code execution in the context of SQL Server itself. Patches are available for all supported versions of SQL Server.

Microsoft lifecycle update

Following the sweeping lifecycle changes seen in October 2025, Microsoft is taking it fairly easy this month. The only significant transition today is the end of support for Windows 11 Home and Pro 23H2. Unlike the demise of Windows 10, this much smaller change won’t affect most people; a small number of older CPUs might not make the cut, since Windows 11 24H2 introduces a requirement for a couple of newer CPU instruction sets. Microsoft provides lists of compatible Intel, AMD, and Qualcomm CPU series.

Summary charts

Summary tables

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Mariner Open Source Software vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Open Source Software vulnerabilities

Other vulnerabilities

SQL Server vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Windows ESU vulnerabilities

Windows Microsoft Office ESU vulnerabilities

Updates

• 2025-11-11: clarified the description of CVE-2025-62214.

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/06/10/patch-tuesday-june-2025/

Microsoft is addressing 67 vulnerabilities this June 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, and that is reflected in CISA KEV. Separately, Microsoft is aware of existing public disclosure for one other freshly published vulnerability. Microsoft’s luck holds for a ninth consecutive Patch Tuesday, since neither of today’s zero-day vulnerabilities are evaluated as critical severity at time of publication. Today also sees the publication of eight critical remote code execution (RCE) vulnerabilities. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Windows WebDAV: zero-day RCE

Remember the WebDAV standard? It has been seven years since Microsoft has published a vulnerability in the Windows implementation of WebDAV, and today’s publication of CVE-2025-33053 is the first zero-day vulnerability on record. Originally dreamed up in the 1990s to support interactivity on the web, WebDAV may be familiar to Exchange admins and users of a certain vintage, since older versions of Exchange, up to and including Exchange Server 2010, supported WebDAV as a means for interacting with mailboxes and public folders.

It will surprise no one that Windows still more or less supports WebDAV, and that turns out to be a bit of a problem. Microsoft acknowledges Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation of CVE-2025-33053 to an APT, which they track as Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and the surrounding area.

Curiously, the Microsoft advisory does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default. The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control. Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2. On Server 2025, for instance, it’s still possible to install the WebDAV Redirector server feature, which then causes the WebClient service to appear.

SMB client: zero-day EoP

Publicly disclosed elevation of privilege (EoP) zero-day vulnerabilities that lead to SYSTEM are always going to be worth a closer look, and CVE-2025-33073 is no exception. The advisory sets out that the easiest path to exploitation simply requires the user to connect to a malicious SMB server controlled by the attacker. It’s not entirely clear from the advisory whether simply connecting is enough to trigger exploitation, or whether successful authentication is required, since there is currently conflicting language in two separate FAQ entries with almost-identical titles: “How could an attacker exploit this/the vulnerability?” It may well be that Microsoft will come back around and clarify this wording, but in the meantime the only safe assumption is that fortune favours the attacker.

Windows KDC Proxy: critical RCE

The Windows KDC Proxy Service (KPSSVC) receives a patch today for CVE-2025-33071, which describes a critical unauthenticated RCE vulnerability where exploitation is via abuse of a cryptographic protocol weakness. The good news is that only Windows Server assets configured as a Kerberos Key Distribution Center Proxy Protocol server — happily, this is not enabled as standard configuration for a domain controller — and exploitation requires that the attacker win a race condition. The bad news is that Microsoft considers exploitation more likely regardless, and since a KDC proxy helps Kerberos requests from untrusted networks more easily access trusted assets without any need for a direct TCP connection from the client to the domain controller, the trade-off here is that the KDC proxy itself is quite likely to be exposed to an untrusted network. Patching this vulnerability should be top of mind for affected defenders this month.

Office preview pane: trio of critical RCEs

Microsoft expects that exploitation of three Office critical RCE vulns patched today is more likely. CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167 share several attributes: each was discovered by prolific researcher 0x140ce, who topped the MSRC 2025 Q1 leaderboard, and each includes the Preview Pane as a vector, which always ups the ante for defenders. Admins responsible for installations of Microsoft 365 Apps for Enterprise — also confusingly referred to as “Microsoft 365 for Office” in the advisory FAQ — will have to hang on, since patches for today’s vulnerabilities aren’t yet available for that particular facet of the Microsoft 365 kaleidoscope.

Microsoft lifecycle update

June is a quiet month for Microsoft product lifecycle changes. The next batch of significant Microsoft product lifecycle status changes are due in July 2025, when the SQL Server 2012 ESU program draws to a close, along with support for Visual Studio 2022 17.8 LTSC.

Summary charts

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Windows ESU vulnerabilities

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/05/13/patch-tuesday-may-2025/

Microsoft is addressing 77 vulnerabilities this May 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for five of the vulnerabilities published today, and these are already reflected in CISA KEV. Separately, Microsoft is aware of existing public disclosure for two vulnerabilities published today. This is now the eight consecutive Patch Tuesday on which Microsoft has published zero-day vulnerabilities without evaluating any of them as critical severity at time of publication. Today also sees the publication of six critical remote code execution (RCE) vulnerabilities. Six browser vulnerabilities have already been published separately this month, and are not included in the total.

Windows Scripting Engine: zero-day RCE

In the majority of cases, the CVSSv3 base score provides a solid sense of the severity of a vulnerability. Sometimes, however, even a correct CVSS assessment can disguise the potential impact of a specific vulnerability. This arguably the case with CVE-2025-30397, a zero-day RCE vulnerability in the Windows Scripting Engine with a healthy but unremarkable CVSSv3 base score of 7.5. Microsoft is aware of exploitation in the wild. It’s certainly not the worst of the worst — we save that level of alarm for pre-authentication RCE with no requirement for user interaction —  and Microsoft assesses attack complexity as high, which is arguably correct. And yet…

The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode, and then causes the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the “Allow sites to be reloaded in Internet Explorer” option is enabled. Users who are most likely to require Internet Explorer compatibility mode in 2025 are surely users at enterprise organizations, where critical business workflows still depend on applications from the dinosaur days when Internet Explorer ruled the roost. No doubt the concept of a plan for migration of all of these applications exists, buried several layers deep in a dusty backlog, but Microsoft would hardly be offering IE compatibility mode until at least 2029 if it didn’t know that a huge swathe of its customer base demands it.

If the pre-requisite conditions are already conveniently in place on the target asset thanks to a well-meaning corporate IT policy, attack complexity is suddenly nice and low. If this vulnerability didn’t have that requirement for environment preparation, the CVSS base score would then be 8.8, which is as close to critical as you can get without actually stepping over the line. As Rapid7 has previously noted on a number of occasions, the MSHTML/Trident scripting engine is still present in Windows; this is true even for assets which have only ever run versions of Windows released well after the end of support for Internet Explorer 11 back in June 2022.

Common Log File System: zero-day EoPs

Neither CVE-2025-32701 nor CVE-2025-32706 are the first zero-day vulnerabilities in the Windows Common Log File Driver System; indeed, they are the latest members of an ongoing dynasty where exploitation typically leads to elevation of privilege to SYSTEM. Credit where credit is due: recent disclosures by Microsoft’s own Threat Intelligence Center (MSTIC), including this month’s CVE-2025-32701, demonstrate that Microsoft is putting serious effort into detecting and rooting out CLFS exploitation. Of course, since Microsoft is aware of exploitation in the wild, we know that someone else got there first, and there’s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.

Windows Desktop Window Manager: zero-day EoP

If proof were needed that elevation of privilege to SYSTEM will never go out of style, today sees the publication of CVE-2025-30400, which is a zero-day vulnerability in the Windows Desktop Window Manager (DWM). As it happens, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day EoP vulnerability in DWM.

Visual Studio: zero-day RCE

Today, all current versions of Visual Studio 2022 and 2019 receive patches for CVE-2025-32702, a zero-day RCE where exploitation requires the user to download and open a malicious file. There is nothing obviously remarkable about this, although Microsoft is aware of public disclosure. As usual for a malicious file/link vuln, the word Remote here refers to the location of the attacker, even though exploitation is set in motion by local user action.

Ancillary Function Driver for Winsock: zero-day EoP

Regular Patch Tuesday watchers will recognize the Ancillary Function Driver for Winsock, which is the site of CVE-2025-32709, an elevation of privilege vulnerability for which Microsoft is aware of exploitation. In something of a break with tradition for Patch Tuesday zero-day EoP vulnerabilities, exploitation only leads to administrator privileges rather than all the way to SYSTEM, but no attacker is going to waste too many cycles feeling sad about that.

Defender for Identity: situationally-ironic zero-day spoofing

Today sees the publication of CVE-2025-26685, a zero-day spoofing vulnerability in Microsoft Defender for Identity. The advisory provides puzzle pieces which don’t by themselves add up to anything like a full explanation of the vulnerability; no action is required for remediation, but you can render yourself vulnerable if you insist by opening a case with Microsoft Support to re-enable the legacy NTLM authentication method.

However, the FAQ does offer a link to an article published yesterday: Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity. This solid piece of documentation is part of the overall Defender for Identity administration guide, and explains that the lateral movement path detection feature can itself potentially be exploited by an adversary to obtain an NTLM hash.

Exploitation relies on achieving fallback from Kerberos to NTLM; the compromised credentials in this case would be those of the Directory Service Account for Defender for Identity. The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods; at time of writing, the Defender for Identity What’s new? page doesn’t yet describe the 3.x release, but this will presumably receive an update soon.

Microsoft lifecycle update

The next batch of significant Microsoft product lifecycle status changes are due in July 2025, when SQL Server 2012 ESU program draws to a close, along with support for Visual Studio 2022 17.8 LTSC.

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Azure Windows vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Microsoft Office ESU Windows vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/04/08/patch-tuesday-april-2025/

Microsoft is addressing 121 vulnerabilities this April 2025 Patch Tuesday, which is more than twice as many as last month. Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, which is already reflected in CISA KEV. Once again, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication, so that’s now a seven month unbroken streak. Today also sees the publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

CLFS: zero-day EoP

The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability. First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild. The advisory does not specify what privilege level is achieved upon successful exploitation, but it’ll be SYSTEM, because that’s the prize for all the other CLFS elevation of privilege zero-day vulnerabilities. As usual, some form of less-privileged local access is a pre-requisite, but attack complexity is low, so this is the sort of vulnerability which goes into any standard break-and-enter toolkit. Given the long history of similar vulnerabilities, it would be more surprising if exploit code wasn’t publicly available in the not-too-distant future. Although December 2024 Patch Tuesday seems as though it must have been a very long time ago, any standard calendar will tell us that only 119 days have elapsed since the last zero-day CLFS local elevation of privilege. Rapid7 discussed the history of CLFS zero-day elevation of privilege vulnerabilities at the time. All versions of Windows receive a patch, except for the venerable LTSC Windows 10 1507, which is listed on the advisory as vulnerable, but left out in the cold with no update; the FAQ says to check back later. Windows 10 LTSC 1507 is scheduled for end of servicing on 2025-10-14, so the clock is ticking regardless.

LDAP Server: critical RCE

Although it has been many months since we’ve seen a critical zero-day vulnerability from Microsoft, there is no shortage of critical remote code execution (RCE) vulnerabilities published today. Defenders responsible for an LDAP server — which means almost any organization with a non-trivial Microsoft footprint — should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker. Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today’s example, since today’s CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.

LDAP Client: critical RCE

If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to “send specially crafted requests to a vulnerable LDAP server”; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory. Assuming the rest of the advisory is all present and correct, exploitation requires that the attacker win a race condition, which keeps the attack complexity higher than it otherwise would be. While we wait for clarification, it’s still a critical RCE which Microsoft rates as “exploitation more likely”. On that basis, patching is always recommended.

RDS: critical RCEs

The prolific Windows vulnerability pioneers at Kunlun Lab are credited with a pair of critical RCE vulnerabilities in Windows Remote Desktop Services. Although both CVE-2025-27480 and CVE-2025-27482 share a CVSSv3 base score of 8.1, Microsoft has ranked them both as critical using its own proprietary severity ranking scale. Both vulnerabilities require that an attacker win a race condition. If you’ve ever read Microsoft’s guide to deploying the Remote Desktop Gateway role, you probably have some systems to patch.

Hyper-V: critical RCE

Some Microsoft security advisory FAQs provide a satisfying level of detail, whereas others raise more questions than they answer. CVE-2025-27491 is a Hyper-V critical RCE which falls into the second category, since it states that an attacker must be authenticated — no need for elevated privileges — but also that the attacker must send the user a malicious site and convince them to open it, and it’s not at all clear why authentication would be required in that case. Also unusual: the remediation table on the advisory lists several 32-bit versions of Windows as receiving patches, although Hyper-V requires a 64-bit processor and a 64-bit host OS.

Microsoft lifecycle update

In Microsoft product lifecycle news, Dynamics GP 2015 moves past the end of extended support today. The next batch of significant lifecycle status changes are due in July 2025, when SQL Server 2012 ESU program draws to a close.

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Developer Tools SQL Server vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Windows Azure vulnerabilities

Windows ESU vulnerabilities

Windows ESU Microsoft Office vulnerabilities

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/03/11/patch-tuesday-march-2025/

Microsoft is addressing 57 vulnerabilities this March 2025 Patch Tuesday, which is a similar volume to last month. However, Microsoft has evidence of in-the-wild exploitation for as many as six of the vulnerabilities published today, and CISA KEV already lists all of them. Microsoft is also aware of public disclosure for one other vulnerability. This is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of six critical remote code execution (RCE) vulnerabilities. Ten browser vulnerabilities have already been published separately this month, and are not included in the total.

Win32 kernel subsystem: zero-day EoP

Older Windows products receive a patch today for CVE-2025-24983, which is an elevation of privilege vulnerability in the Win32 kernel subsystem. Microsoft is aware of exploitation in the wild. Since no user interaction is required, and successful exploitation leads to SYSTEM privileges, this isn’t one to ignore, even if the attacker must win a race condition, which does raise the bar for entry somewhat. Microsoft  Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable. It’s not clear why newer Windows products dodged this particular bullet; the Windows 32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.

NTFS USB attack: zero-day information disclosure

Defense-in-depth practitioners have been limiting and monitoring access to USB ports for years now, and today brings further evidence for the value of locking things down, in the form of CVE-2025-24984, an information disclosure vulnerability in NTFS. Microsoft has evidence of exploitation in the wild, and functional exploit code. This vulnerability has a thus-far-unique combination of attributes: the attack vector is physical — the advisory describes a malicious USB drive as the delivery mechanism — and the weakness is CWE-532: Insertion of Sensitive Information into Log File. The advisory doesn’t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information. A relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale.

NTFS VHD attack: zero-day information disclosure

If you like NTFS zero-day vulnerabilities, then today’s your lucky day! CVE-2025-24991 describes an out-of-bounds read in NTFS leading to information disclosure, specifically disclosure of small portions of heap memory. An attacker would need to trick a user into mounting a malicious VHD (Virtual Hard Disk), and that alone would be enough to trigger the vulnerability. The advisory does not explain how the attacker would exfiltrate the data, but clearly it’s practically possible, since Microsoft claims evidence of exploitation in the wild.

NTFS VHD attack: zero-day code execution

If you like NTFS zero-day vulnerabilities, but find information disclosure a bit pedestrian, then CVE-2025-24993 might be just what you’re after: exploitation requires that the user mount a malicious VHD, which then leads to heap-based buffer overflow, and the potential for local code execution. As is standard for a certain type of code execution vulnerability, the advisory somewhat awkwardly clarifies that the word “remote” in the title refers to the location of the attacker, and that the attack itself is carried out locally. The advisory doesn’t specify the context of code execution, but it’s a safe assumption that the end goal here is SYSTEM, since the attacker or a user must already execute code in the context of the user to trigger the vulnerability. The CVSSv3 base score of 7.8 reflects the potentially valuable reward for exploitation and low attack complexity, but is held back by the requirement for user interaction.

Fast FAT VHD attack: zero-day code execution

The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

Microsoft Management Console: zero-day security feature bypass

It’s been a few months since we saw a zero-day vulnerability in the Microsoft Management Console, but today brings us CVE-2025-26633, a security feature bypass for which Microsoft is aware of exploitation in the wild, as well as functional exploit code floating around somewhere out there on the internet. Successful exploitation leads to an outcome which isn’t specified by the advisory, but since the Microsoft Management Console has a feature set which includes the creation, hosting, and distribution of custom tools for the administrative management of both hardware and software for any supported version of Windows, it’s easy enough to see why an attacker might be interested. The advisory does mention that both preparation of the target environment and subsequent user interaction are required for successful exploitation, which would require the user to open a malicious file.

Microsoft Access: zero-day code execution

CVE-2025-26630 describes a remote-but-actually-local code execution vulnerability in Microsoft Access. Exploitation requires that the user open a malicious file. Microsoft is aware of public disclosure, but considers exploitation less likely. The weakness is our old friend CWE-416: Use After Free. Beyond that, the advisory is short on detail, but does claim that the Preview Pane is not an attack vector, so that’s a silver lining for this particular cloud. Going by the acknowledgements section of the advisory, it seems likely that relative newcomer Unpatched.ai intends to continue to shake things up, since they were also credited with a trio of zero-day Access vulnerabilities published back in January.

WSL magic email attack: critical RCE

The Windows Subsystem for Linux (WSL2) kernel receives a patch today for an arbitrary code execution vulnerability. Microsoft doesn’t claim evidence of public disclosure or in-the-wild exploitation for CVE-2025-24084, but does rank it as critical using its own proprietary severity ranking scale, which goes beyond what the already-significant CVSSv3 base score of 8.4 would suggest. The advisory describes multiple possible attack vectors, but in the worst case, there is no requirement for user interaction, since simply receiving a malicious email would be enough to trigger the vulnerability. The advisory does not clarify the context of code execution, but the magic email attack vector is alarming. Patch accordingly.

Malicious RDP server: critical RCE

How much do you trust the RDP server you’re about to connect to? An attacker in control of a malicious RDP server simply has to wait for a client vulnerable to CVE-2025-26645 to connect in order to achieve remote code execution on the client. Microsoft has assigned a CVSSv3 base score of 8.8 and a severity ranking of critical. While none of us should be connecting to RDP servers we’re not familiar with, an attacker might well see CVE-2025-26645 as a great opportunity for lateral movement and footprint expansion through the network.

Microsoft lifecycle update

In Microsoft product lifecycle news, SQL Server 2019 moved from mainstream support to extended support on 2025-02-28. Looking ahead, Visual Studio App Center will be retired on 2025-03-31, and Dynamics GP 2015 moves past the end of extended support on 2025-04-08.

Summary charts

Summary tables

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/02/11/microsoft-patch-tuesday/

Microsoft is addressing 56 vulnerabilities this February 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for two of the vulnerabilities published today, which is reflected in CISA KEV. Microsoft is aware of public disclosure for two other vulnerabilities. This is now the fifth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of just three critical remote code execution (RCE) vulnerabilities. Eleven browser vulnerabilities have already been published separately this month, and are not included in the total.

Ancillary Function Driver: zero-day EoP

All versions of Windows receive patches today for CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). Successful exploitation leads to SYSTEM privileges. The AFD has been around for decades; it handles foundational networking functionality, so it is necessarily a kernel driver which interacts with a great deal of user-supplied input. It is perhaps not very shocking that AFD has been the site of a significant number of problems over the years: specifically, elevation of privilege (EoP) vulnerabilities. Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching. The relatively low CVSSv3 base score of 7.8 and severity rating of Important may appear relatively mild; however, broad similarities exist between this vuln and CVE-2024-38193, which Rapid7 flagged as ripe for malware abuse on the day it was published, and which has subsequently been linked to exploitation by North Korean state-associated threat actor tracked as Lazarus.

Windows Storage: zero-day EoP

Ever wanted to delete a file on a Windows box, but pesky permissions prevented you from achieving your goal? CVE-2025-21391 might be just what you need: an elevation of privilege (EoP) vulnerability in the Windows Storage service for which Microsoft is aware of exploitation in the wild. No user interaction is required, and attack complexity is low, and the weakness is given as “CWE-59: Improper Link Resolution Before File Access” but what are attackers hoping to achieve here? Although the advisory provides scant detail, and even offers some vague reassurance that “an attacker would only be able to delete targeted files on a system”, it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service. As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links.

NTLMv2 disclosure: zero-day spoofing

It’s almost surprising when any particular Patch Tuesday doesn’t involve plugging one or two holes through which NTLM hashes can leak. CVE-2025-21377 describes an NTLMv2 hash disclosure vulnerability where exploitation ultimately results in the attacker gaining the ability to authenticate as the targeted user. Minimal user interaction with a malicious file is required, including selecting, inspecting, or “performing an action other than opening or executing the file.” This trademark linguistic ducking and weaving may be Microsoft’s way of saying “if we told you any more, we’d give the game away.” Accordingly, Microsoft assesses exploitation as more likely. The advisory acknowledges researchers from 0patch by ACROS Security — who also reported last month’s NTLM hash disclosure zero-day vuln CVE-2025-21308 — as well as others from Securify and Cathay Pacific; this might be the first instance of an airline receiving credit for reporting a Microsoft zero-day vulnerability.

Surface: zero-day container escape

A wide array of Microsoft Surface machines are vulnerable to CVE-2025-21194 until patched, although the most recent Surface Pro 10 and 11 series are not listed as vulnerable. The vulnerability is described as a security feature bypass, and exploitation could lead to container escape from a UEFI host machine and compromise of the hypervisor. Surface devices receive updates via Windows Update, although the advisory also gives brief instructions for users who wish to apply the updates manually. Microsoft describes the vulnerability as publicly disclosed.

LDAP server: critical RCE

Any security advisory which lists multiple weakness types typically describes a complex vulnerability, and Windows LDAP critical remote code execution (RCE) CVE-2025-21376 is no exception. Successful exploitation requires an attacker to navigate multiple challenges, including winning a race condition. The prize: code execution on the Windows LDAP server. Although Microsoft seldom specifies the privilege level of code execution on LDAP server vulnerabilities, Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, and that is the only safe assumption. All versions of Windows receive a patch.

DHCP client: critical RCE

Today sees the publication of a slightly mysterious critical RCE in the Windows DHCP Client Service. Exploitation of CVE-2025-21379 requires an attacker to intercept and potentially modify communications between the Windows DHCP client and the requested resource, which implies either that an attacker can break encryption, or that no encryption is present in the DHCP communication; this risk is highlighted in Microsoft’s own spec for DHCP implementation.

Excel: critical RCE

As if spreadsheets weren’t dangerous enough by themselves, today sees publication of CVE-2025-21381, a critical RCE in Excel. As usual for this class of attack, the advisory clarifies that “remote” in this case refers to the location of the attacker, since user interaction is required, and the code execution will be in the context of the user on their local machine. The Outlook Preview Pane is an attack vector, so simply glancing at an email containing a specially crafted malicious spreadsheet is enough for the attack to succeed, although an attacker could also convince a user to download and open a file from a website, or perhaps simply drop a few USB sticks in the parking lot.

Microsoft lifecycle update

In Microsoft product lifecycle news, SQL Server 2019 moves from mainstream support to extended support on 2025-02-28.

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Developer Tools Mariner vulnerabilities

Device vulnerabilities

ESU Windows vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/01/14/patch-tuesday-january-2025/

Microsoft is addressing 161 vulnerabilities this January 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for eight of the vulnerabilities published today, with three listed on CISA KEV. This is now the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of nine critical remote code execution (RCE) vulnerabilities. Unusually, Microsoft has not yet published any browser vulnerabilities this month.

Access: triple zero-day RCE

Today sees the publication of three very similar zero-day Microsoft Access vulnerabilities: CVE-2025-21366, CVE-2025-21395, and CVE-2025-21186. In each case, Microsoft notes public disclosure, but does not claim evidence of exploitation in the wild. Successful exploitation leads to code execution via heap-based buffer overflow, and requires that an attacker convince the user to download and open a malicious file.

Curiously, in each case, one portion of the advisory FAQ describes the update protection as “blocking potentially malicious extensions from being sent in an email”, but the remainder of the advisory doesn’t clarify how this would prevent malicious activity. Typically, patches provide protection by blocking malicious files upon receipt of a malicious email attachment, rather than preventing a malicious attachment from being sent in the first place, since an attacker is free to send whatever they like from any system they control.

The FAQ does mention that users who would otherwise have interacted with a malicious attachment will instead receive a notification that there was an attachment but “it cannot be accessed”, which is perhaps the best play on words we’ve seen from MSRC in a while.

Hyper-V NT Kernel Integration VSP: triple zero-day EoP

Microsoft is addressing a trio of related Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities today: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. Microsoft is aware of exploitation in the wild for all three, as seen on both the Microsoft advisories and CISA KEV. In each case, exploitation leads to SYSTEM privileges. The advisories are short on additional detail, beyond a brief acknowledgement of Anonymous — presumably an undisclosed party, rather than the hacktivist collective — on CVE-2025-21333.

While we can sometimes infer context from prior examples, in this case there aren’t any; there is no mention of Hyper-V NT Kernel Integration VSP in any vulnerability published by Microsoft, at least as far back as 2017. If we look back five years, CVE-2020-16885 does describe an elevation of privilege vulnerability in the Windows storage VSP driver, but there isn’t a lot to go on there either.

The Virtualization Service Provider (VSP) resides in the root partition of a Hyper-V instance, and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it’s the foundation of how Hyper-V allows the child partition to trick itself into thinking that it’s a real computer. Given that the entire thing is a security boundary, it’s perhaps surprising that no Hyper-V NT Kernel Integration VSP vulnerabilities have been acknowledged by Microsoft until today, but it won’t be at all shocking if more now emerge.

The advisories published today do not clarify whether the elevation of privilege is only to SYSTEM within the child partition, but container escape specialists will surely be hunting for exploits in this area.

Windows Themes: zero-day NTLM disclosure

Many enterprise users or even admins may not think about Windows Themes very often, but consider CVE-2025-21308: a spoofing vulnerability where successful exploitation leads to improper disclosure of an NTLM hash, which allows an attacker to impersonate the user from whom it was acquired. Microsoft does not have evidence of in-the-wild exploitation, but does note public disclosure.

The advisory FAQ dances around the exploitation methodology without explaining; what we learn is that once an attacker had somehow delivered a malicious file to the target system, a user would need to manipulate the malicious file, but not necessarily click or open it. Without further detail, we can only speculate, but it’s plausible that simply opening a folder containing the file in Windows Explorer — including the Downloads folder — or inserting a USB drive, would be enough to trigger the vulnerability and see your NTLM hash leak silently for collection by the threat actor.

Some good news: Microsoft has removed NTLMv1 support from Windows 11 24H2 and Server 2025 onwards. Less good: it has been a whole two months since Microsoft last patched a zero-day NTLM disclosure vulnerability; that flaw was within MSHTML/Trident, and Windows 11 24H2 and Server 2025 were still vulnerable, since NTLMv2 is still supported across the board.

On the advisory for CVE-2025-21308, Microsoft does link to documents describing a mitigation technique: restricting NTLM traffic. This is certainly worth a look, since a representative of reporting research organization 0patch has confirmed that NTLMv2 is affected by CVE-2025-21308.

Windows Installer: zero-day EoP

Installing or updating software often requires elevated privileges, and researchers and threat actors have known this for a long time. The advisory for CVE-2025-21275 doesn’t weigh us down with lengthy explanations, it simply says that successful exploitation leads to SYSTEM privileges. Microsoft is aware of public disclosure of this vulnerability, but not in-the-wild exploitation.

CVE-2025-21275 is the latest in a long line of Windows Installer elevation of privilege vulnerabilities; Microsoft has now published 37 Windows Installer elevation of privilege vulnerabilities in total since the start of 2020, although only five of those have been zero-days, with only CVE-2024-38014 known by Microsoft to have been exploited prior to publication in September 2024.

PGM: critical RCE

Microsoft’s in-house research teams are a reliable source of vulnerability discovery in Microsoft products, and today we get patches for the self-discovered CVE-2025-21307, a critical RCE in the Windows Reliable Multicast Transport Driver (RMCAST) with a CVSSv3 base score of 9.8. The vulnerability is only exploitable on a system where a program is listening on a Pragmatic General Multicast (PGM) port.

In 2025, you might very well expect that any service that a major commercial operating system exposes to the network would provide at least some form of authentication capability, but if so, prepare to be disappointed by the Windows implementation of PGM. The concept was first described in RFC 3208, which was published in 2001 in an Experimental state and stayed that way. As Microsoft themselves put it, “the PGM specification [RFC3208] is ambiguous in a number of areas”.

Given the lack of required user interaction and remote attack vector for CVE-2025-21307, it’s well worth asking yourself: does our firewall allow a PGM receiver to receive inbound traffic from the public internet? If so, the second-best time to prevent that is right now.

OLE: critical RCE

Outlook admins who force their users to read emails in plain text only can skip this paragraph, but everyone else should be aware of CVE-2025-21298, a Windows Object Linking and Embedding (OLE) critical RCE with a CVSSv3 base score of 9.8. The eternal threat of the malicious inbound email finds expression again here; just previewing the wrong email in Outlook is all it takes for an attacker to achieve code execution in the context of the user. All versions of Windows receive a patch.

Microsoft lifecycle update

In Microsoft product lifecycle news, Visual Studio 2022 17.6 LTSC receives its last update today.

Summary Charts

Summary tables

Azure vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

ESU Windows Microsoft Office vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Windows vulnerabilities

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/12/10/patch-tuesday-december-2024/

Microsoft is addressing 70 vulnerabilities this December 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and public disclosure for one of the vulnerabilities published today, and this is reflected in a CISA KEV entry. For the third month in a row, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today sees the publication of 16 critical remote code execution (RCE) vulnerabilities, which is more than usual. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Common Log File System: zero-day EoP

This month’s zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose Windows logging service that can be used by software clients running in user-mode or kernel-mode. Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should.

There have been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Past offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252; today’s addition of CVE-2024-49138 is the first CLFS zero-day vulnerability which Microsoft has published in 2024. Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution.

Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one. Expect more CLFS zero-day vulnerabilities to emerge in the future, unless Microsoft decides to perform a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws. Patches are available for all versions of Windows.

Groups of critical RCE

Patterns emerge when we consider the 16 critical RCE vulnerabilities published today as a whole, which might somewhat reduce the level of alarm that unusually large number might otherwise cause weary defenders.

LDAP: critical RCE

A trio of Windows LDAP critical RCE vulnerabilities receive patches this month, including CVE-2024-49112, which has a  CVSSv3 base score of 9.8, which is the highest of any of the vulnerabilities which Microsoft has published today. Exploitation is via a specially crafted set of LDAP calls, and leads to code execution within the context of the LDAP service; although the advisory doesn’t specify, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still permit domain controllers to receive inbound RPC calls from untrusted networks or to access the internet to stop doing that.

LSASS: critical RCE

Another potential cause for concern this month: CVE-2024-49126 is a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could potentially be carried out remotely, and the attacker needs no privileges, nor does the user need to perform any action; the only silver lining is that an attacker must win a race condition. Although the advisory says that code execution would be in the context of the server’s account, it might be safest to assume that code execution would be in a SYSTEM context.

Hyper-V: container escape

CVE-2024-49117 describes a container escape for Hyper-V; exploitation requires that the attacker make specially crafted file operation requests on the virtual machine (VM) to hardware resources on the VM, which could result in remote code execution on the hypervisor. The FAQ on the advisory sets out that no special privileges are required in the context of the VM, so any level of access is enough to break free from the VM. We also learn that the container escape could be lateral, where an attacker moves from one VM to another, rather than to the hypervisor.

Remote Desktop Services: 8 critical RCEs

All eight critical RCE vulnerabilities in Remote Desktop Services published today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires that an attacker win a race condition, and the same research group is credited in each case.

Microsoft lifecycle update

There are no significant Microsoft product lifecycle transitions this month.

Summary charts

Summary tables

Browser vulnerabilities

Developer Tools vulnerabilities

Microsoft Office vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Windows ESU vulnerabilities

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/11/12/patch-tuesday-november-2024/

Microsoft is addressing 90 vulnerabilities this November 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for four of the vulnerabilities published today, although as with last month’s batch, it does not evaluate any of these zero-day vulnerabilities as critical severity (yet). Of those four, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is aware of some level of public disclosure for three. Microsoft is also patching two further critical remote code execution (RCE) vulnerabilities today. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Active Directory Certificate Service: zero-day EoP aka EKUwu

CVE-2024-49019 describes an elevation of privilege vulnerability in Active Directory Certificate Services. While the vulnerability only affects assets with the Windows Active Directory Certificate Services role, an attacker who successfully exploits this vulnerability could gain domain admin privileges, so that doesn’t offer much comfort. Unsurprisingly, given the potential prize for attackers, Microsoft assesses future exploitation as more likely. Vulnerable PKI environments are those which include published certificates created using a version 1 certificate template with the source of subject name set to “Supplied in the request” and Enroll permissions granted to a broader set of accounts. Microsoft does not obviously provide any means of determining the certificate template version used to create a certificate, although the advisory does offer recommendations for anyone hoping to secure certificate templates.

There is a significant history of research and exploitation of Active Directory Certificate Services, including the widely-discussed Certified Pre-Owned series, and the discovering researchers have now added further to that corpus, tagging CVE-2024-49019 as ESC15. In keeping with another long-standing infosec tradition, the researcher has provided a fun celebrity vulnerability name — in this case, EKUwu, a portmanteau of EKU (Extended Key Usage) and UwU, an emoticon representing a cute face — as part of their detailed and insightful write-up.

MSHTML: zero-day NTLMv2 hash disclosure

Given the CVSSv3 base score of 6.0, one might almost be forgiven for overlooking CVE-2024-43451, which describes an NTLM hash disclosure spoofing vulnerability in the MSHTML platform which powered Internet Explorer. However, public disclosure and in-the-wild exploitation are always worth a look. Although exploitation requires that the user interact with a malicious file, a successful attacker receives the user’s NTLMv2 hash, and can then use that to authenticate as the user.

Microsoft has arguably scored CVE-2024-43451 correctly according to the CVSSv3.1 specification. However, although the Microsoft CVSSv3 vector describes an impact only to confidentiality, if an attacker can authenticate as the user post-exploitation, a further potential for subsequent impact to integrity and availability now exists; if we take that potential indirect effect into account, the CVSSv3 base score would look more like 8.8, which is the sort of number where alarm bells typically start ringing for many defenders. As a further sting in the tail, the advisory FAQ describes the required user interaction as minimal: left click, right click, or even the highly non-specific “performing an action other than opening or executing [the file]”. There’s certainly the potential for a long tail of exploitation here, especially in environments with more relaxed patching cadence.

The complete Windows catalog from Server 2025 and Windows 11 24H2 all the way back to Server 2008 receives patches for CVE-2024-43451. As Rapid7 has previously noted, MSHTML (also known as Trident) is still fully present in Windows — and unpatched assets are thus vulnerable — regardless of whether or not a Windows asset has Internet Explorer 11 disabled.

Exchange: zero-day sender spoofing

It’s been a few months since we’ve seen any security patches for Exchange, but the streak is now broken with a zero-day vulnerability. Mailserver admins should be paying attention to CVE-2024-49040, which is a publicly disclosed spoofing vulnerability. The specific weakness is CWE-451: User Interface (UI) Misrepresentation of Critical Information, which is often associated with phishing attacks, as well as browser vulnerabilities, and can describe a wide range of misdeeds, from visual truncation and UI overlay to homograph abuse. Microsoft does not yet claim knowledge of in-the-wild exploitation.

The advisory for CVE-2024-49040 hints that post-patching actions may be required for remediation of CVE-2024-49040, and links to further information in a separate article titled “Exchange Server non-RFC compliant P2 FROM header detection”. A careful read of the article doesn’t appear to list any mandatory post-patching actions; instead, there is an optional extra mitigation strategy action around Exchange Transport Rules, as well as an encouragingly detailed explanation of the protection offered by today’s patches. The article showcases that an Exchange-connected email client such as Outlook might display a forged sender as if it were legitimate, which we can all agree is not a good outcome. Attackers don’t have to look far to find other vulnerabilities to chain with this one, since today’s sibling zero-day vulnerability CVE-2024-43451 is certainly an option. On the other hand, let’s take a moment to appreciate the Exchange team’s blog title: “You Had Me at EHLO”.

Patches for CVE-2024-49040 are available for Exchange 2019 CU13 and CU14, as well as Exchange 2016 CU23. It’s worth remembering that both Exchange 2016 and 2019 have an extended end date of 2025-10-14, which is now less than a year away; this despite the fact that the successor for 2016 and 2019, which Microsoft is unsubtly branding as Exchange Server Subscription Edition, isn’t due for release until early in 2025 Q3. Many admins would no doubt prefer a longer upgrade window.

The researcher who reported CVE-2024-49040 also discovered a means to impersonate Microsoft corporate email accounts earlier this year, but went public with his findings after Microsoft dismissed his report; it appears that the relationship has been at least somewhat repaired.

Task Scheduler: zero-day EoP (but not SYSTEM)

Windows Task Scheduler facilitates all sorts of useful outcomes, and if you’re a threat actor, it now offers one more: elevation of privilege via CVE-2024-49039. Microsoft is aware of exploitation in the wild. Given the low attack complexity and low privileges requirement, no requirement for user interaction, high impact across the CIA triad, and changed scope, it’s no surprise that the CVSSv3 base score comes out as a relatively zesty 8.8. However, Windows elevation of privilege vulnerabilities are always most exciting for attackers when they lead directly to SYSTEM privileges, but that’s not the case here. The attacker in this scenario starts out in a low-privileged AppContainer sandbox, and exploitation via a malicious app provides medium integrity level privileges, which is the same as a regular non-administrative user on the system. Still, every step forward for a threat actor is a step back for defenders.

.NET: critical RCE

This month brings patches for CVE-2024-43498, a critical RCE in .NET 9.0 with a CVSSv3 base score of 9.8, which is so seldom a harbinger of good news. Exploitation might mean compromise of a desktop application by loading a malicious file, but most concerningly could also describe RCE in the context of a vulnerable .NET webapp via a specially crafted request. Microsoft assesses exploitation as less likely, but there’s nothing on the advisory which obviously supports that assessment, since this is a low-complexity network attack which requires neither privileges nor user interaction. CVE-2024-43498 is surely worthy of immediate patching. It’s also never a bad idea to review other options for protection, especially for internet-exposed services.

Kerberos: critical RCE

The advisory for CVE-2024-43639 describes a critical RCE in Kerberos with a CVSSv3 base score of 9.8, although not in great detail. The FAQ explains that an unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Windows Kerberos to perform remote code execution against the target, but without providing much information about the target or the precise context of code execution. The only safe assumption here is that code execution is in a highly-privileged context on a server which handles key authentication tasks. Patch accordingly.

Microsoft lifecycle update

In Microsoft lifecycle news, the most notable change is the arrival of Windows Server 2025 as a General Availability product at the start of November. Microsoft has announced a number of new features in Server 2025, which we will look forward to discussing in more detail in future editions of this blog.

At the other end of the lifecycle continuum, .NET 6.0 receives its final scheduled updates today; as .NET 6.0 is/was a Long Term Support (LTS) version, and .NET 7.0 is already beyond end of life, the only current upgrade path is to .NET 8.0.

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities

Mariner System Center vulnerabilities

Microsoft Office vulnerabilities

Open Source Software vulnerabilities

SQL Server vulnerabilities

Server Software vulnerabilities

Windows vulnerabilities

Updates

• 2024-11-12: corrected CVSSv3 base score for CVE-2024-43639.

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/10/08/patch-tuesday-october-2024/

Microsoft is addressing 118 vulnerabilities this October 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for five of the vulnerabilities published today, although it does not rate any of these as critical (yet). Of those five, Microsoft lists two as exploited in the wild, and both of these are now listed on CISA KEV. Microsoft is also patching three further critical remote code execution (RCE) vulnerabilities today. Three browser vulnerabilities have already been published separately this month, and are not included in the total.

Somewhat unusually, we’ll take a look at two of the three critical RCEs published today — CVE-2024-43468 and CVE-2024-43582 — before moving on to the arguably somewhat-less- threatening zero-day vulnerabilities patched today.

Microsoft Configuration Manager: pre-auth RCE

Microsoft Configuration Manager receives a patch for the only vulnerability published by Microsoft today with a CVSS base score of 9.8. Although Microsoft doesn’t tag it as either publicly disclosed or exploited-in-the-wild, the advisory for CVE-2024-43468 appears to describe a no-interaction, low complexity, unauthenticated network RCE against Microsoft Configuration Manager. Exploitation is achieved by sending specially-crafted malicious requests, and leads to code execution in the context of the Configuration Manager server or its underlying database. The relevant update is installed within the Configuration Manager console, and requires specific administrator actions that Microsoft describes in detail in a generic series of articles. Further information and several specific required steps are described in KB29166583.

Confusingly, this KB29166583 was first published over a month ago on 2024-09-04, and was then subsequently unpublished and republished on 2024-09-18, all without any mention of CVE-2024-43468, which was published only today and which KB29166583 apparently remediates. Defenders should read the available documentation carefully, and then probably read it again for good measure.

RPD RPC: pre-auth RCE

Any RDP Server critical RCE is worth patching quickly. CVE-2024-43582 is a pre-auth critical RCE in the Remote Desktop Protocol Server. Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset. One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly.

Winlogon: zero-day EoP

Who doesn’t love a good elevation of privilege vulnerability? Weary blue teamers who see the words “publicly disclosed” on a brand-new advisory know the answer. CVE-2024-43583 describes a flaw in Winlogon which gets an attacker all the way to SYSTEM via abuse of a third-party Input Method Editor (IME) during the sign-on process. The supplementary KB5046254 article explains that the 2024-10-08 patches disable non-Microsoft IME during the sign-in process. On that basis, outright removal of third-party IME is a mitigation available to anyone who is not able to apply today’s patches immediately.

Attack surface reduction is always worth considering, and removal of third-party IMEs certainly accomplishes that. Anyone who needs to keep a third-party IME can still do so, but once today’s patches are applied, that third-party IME will be disabled — only in the context of the sign-in process — to prevent exploitation of CVE-2024-43583. Although Microsoft doesn’t quite spell it out, the only reasonable interpretation of the available information is that an asset with no first-party/Microsoft IME installed would remain vulnerable after patching, since otherwise no IME would be available when attempting to sign in. Use of third-party IME is more likely to be a concern in mixed-language or non-English-speaking contexts. The disclosure process around this vulnerability may not have been entirely smooth; back in September, one of the researchers credited with the discovery expressed discontent with MSRC via X-formerly-known-as-Twitter.

Hyper-V: zero-day container escape

CVE-2024-20659 describes a publicly-disclosed security feature bypass in Hyper-V. Microsoft describes exploitation as both less likely and highly complex. An attacker must be both lucky and resourceful, since only UEFI-enabled hypervisors with certain unspecified hardware are vulnerable, and exploitation requires coordination of a number of factors followed by a well-timed reboot. All this after first achieving a foothold on the same network — although in this context, this likely means access to a VM on the target hypervisor, rather than some other location on the same subnet. The prize for successful exploitation is compromise of the hypervisor kernel.

MSHTML: zero-day XSS

CVE-2024-43573 is an exploited-in-the-wild spoofing vulnerability in MSHTML for which Microsoft is also aware of functional public exploit code; the advisory lists CWE-79 as the weakness, which translates to cross-site scripting (XSS). The advisory is sparse on further detail, although Windows Server 2012/2012 R2 admins who typically install Security Only updates should note that Microsoft is encouraging installation of the Monthly Rollups to ensure remediation in this case. The low CVSSv3 base score of 6.5 reflects the requirement for user interaction and the lack of impact to integrity or availability; a reasonable assumption might be that exploitation leads to improper disclosure of sensitive data, but no other direct effect on the target asset.

cURL: zero-day RCE

Microsoft is most famous for its closed source products, but has cautiously softened its stance on open source considerably in the past quarter century or so. Windows has included components of cURL for almost seven years at this point, along with various other open source components; Microsoft does patch these from time to time, although not always as quickly as defenders might like. Today’s patches for CVE-2024-6197, a publicly-disclosed RCE vulnerability in cURL, continue that trend.

The Microsoft advisory for CVE-2024-6197 clarifies that Windows does not ship libcurl, only the curl command line, but that’s still vulnerable and thus in scope for a fix. Exploitation requires that the user connect to a malicious server controlled by the attacker, and code execution is presumably in the context of the user launching the curl CLI tool on the Windows asset. The cURL project advisory for CVE-2024-6197 was originally published on 2024-07-24, and offers further detail from their perspective. Interestingly, the cURL project describes the most likely outcome of exploitation as a crash, and does not specifically mention RCE, although it is careful not to exclude the possibility of unspecified “more serious results,” which could well mean RCE. Microsoft rates this vulnerability as important, which is on track with the CVSS base score of 8.8.

Management Console: zero-day RCE

CVE-2024-43572 rounds out today’s five zero-day vulnerabilities, and describes a low-complexity, no-user-interaction RCE in Microsoft Management Console. Microsoft is aware of both public functional exploit code and in-the-wild exploitation. The vulnerability is exploited when a user downloads and opens a specially-crafted malicious Microsoft Saved Console (MSC) file, so there’s no suggestion here that the Management Console is vulnerable via network attack. Today’s patches prevent untrusted MSC files from being opened, although the advisory does not describe how Windows will know what’s trusted and what isn’t. Microsoft has chosen to map CVE-2024-43572 to CWE-70, which is a very broad category, the use of which is explicitly discouraged by MITRE.

VS Code Arduino extension: cloud critical RCE

A third critical RCE patched today is hopefully less concerning than its siblings. CVE-2024-43488 is in the Visual Studio Code extension for Arduino, and Microsoft notes that the vulnerability documented by this CVE requires no customer action to resolve. A reasonable question is: what does “no action required” really mean here? Within the advisory, Microsoft both claims to have fully mitigated the vulnerability, and also that there is no plan to fix the vulnerability. As confusing as that all sounds, perhaps the most important takeaway here is that Microsoft is now issuing cloud service CVEs in a stated effort to improve transparency. It’s not clear when the vulnerability was first introduced or when it was remediated, but nevertheless the recent expansion into a whole new class of CVEs is a welcome step by Microsoft.

SharePoint: EoP to SYSTEM

A sparse advisory for CVE-2024-43503, which is an elevation of privilege vulnerability which leads to SYSTEM. Advisories for similar vulnerabilities typically describe the specific SharePoint privileges required, but this one does not, so a reasonable assumption might be that the requirement here is simply minimal Site Member privileges.

Microsoft lifecycle update

Today sees the end of support for Windows 11 22H2 for Home, Pro, Pro Education, Pro for Workstations, and SE editions, as well as for Windows 11 21H2 for Education, Enterprise, and Enterprise multi-session editions. Server 2012 and Server 2012 R2 pass into Year 2 of ESU. Windows Embedded POSReady — the POS stands for Point-of-Sale — receives its final ESU updates today, and that might just be the last gasp for Windows 7 as a whole. As well as patching today’s critical RCE CVE-2024-43468, Intune admins still using Configuration Manager 2303 should look to upgrade to a newer version immediately, because support ends (somewhat unusually) on Thursday this week.

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

ESU Windows vulnerabilities