
ESET researchers have discovered that a recently patched Windows vulnerability had been exploited in the wild for roughly two years before it was fixed. The flaw, now tracked as CVE-2025-24983, was patched in Microsoft's March 2025 Patch Tuesday update cycle.
## Vulnerability Details
The security flaw is a use-after-free bug in the Windows Win32 Kernel Subsystem that lets an attacker who already has low-privileged code execution on a machine escalate to SYSTEM without any user interaction. Microsoft rates the attack complexity as "High" because exploitation requires winning a race condition, but once the race is won the result is full local privilege escalation. Because this is a local elevation-of-privilege flaw rather than a remote one, it is only useful after an initial foothold, which is why it was observed being delivered through an existing backdoor.
ESET researcher Filip Jurčacko, who reported the vulnerability to Microsoft, found that exploitation began in March 2023 on systems already compromised with the PipeMagic malware. Observed attacks primarily targeted unsupported Windows versions (Windows Server 2012 R2 and Windows 8.1), though still-supported systems including Windows Server 2016 and Windows 10 (build 1809 and earlier) are also affected.
“The Use-After-Free vulnerability is related to improper memory usage during software operation. This can lead to software crashes, execution of malicious code, privilege escalation, or data corruption,” ESET explained.
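The practical question for a defender is whether a given host falls inside the affected-version list above and whether it has received a security update since the March 2025 fix shipped. The following PowerShell triage helper is an added example, not code from ESET or Microsoft. It maps the versions named in this article to their Windows build numbers (9600 for Windows 8.1 and Server 2012 R2, 14393 for Server 2016, 17763 for Windows 10 1809; note that Windows Server 2019 shares build 17763 with 1809 and is flagged for review on that basis, which is this script's assumption rather than a statement from the article). The "patched since March 2025" check is a heuristic based on `Get-HotFix` install dates after the March 11, 2025 Patch Tuesday and should be confirmed against the vendor advisory's exact KB numbers, which this script deliberately does not hard-code.

```powershell
# Added triage helper (not from ESET or Microsoft): classify a Windows host
# against the affected-version list given in the article for CVE-2025-24983
# and apply a date-based heuristic for whether a post-March-2025 security
# update has been installed. Build-number mapping is public Windows release
# data; the Server 2019 note is this script's own assumption.

$March2025PatchTuesday = [datetime]'2025-03-11'

# Build numbers of the versions the article names as affected.
$KnownAffectedBuilds = @{
    9600  = 'Windows 8.1 / Windows Server 2012 R2 (out of support)'
    14393 = 'Windows 10 1607 / Windows Server 2016'
    17763 = 'Windows 10 1809 (Windows Server 2019 shares this build; assumption: review it too)'
}

function Test-Cve202524983Scope {
    <#
        Pure classification so it can be run against inventory data as well
        as the local host. Returns an object describing whether the build is
        in scope per the article and whether the OS is out of support.
    #>
    param(
        [Parameter(Mandatory)][int]$Build,
        [string]$Caption = ''
    )

    # "Windows 10 1809 and earlier" covers every Windows 10 build up to 17763;
    # anything newer (Windows 10 1903+, Windows 11) is not in the article's list.
    $inScope = $Build -le 17763

    $label = if ($KnownAffectedBuilds.ContainsKey($Build)) {
        $KnownAffectedBuilds[$Build]
    } elseif ($inScope) {
        "Windows build $Build (older than 1809, in scope per article)"
    } else {
        "Windows build $Build (not in the article's affected list)"
    }

    [pscustomobject]@{
        Caption      = $Caption
        Build        = $Build
        InScope      = $inScope
        OutOfSupport = ($Build -eq 9600)   # 8.1 / 2012 R2 per the article
        Note         = $label
    }
}

function Test-SecurityUpdateSinceMarch2025 {
    <#
        Heuristic: any "Security Update" hotfix installed on or after the
        March 2025 Patch Tuesday. InstalledOn can be null on some systems,
        so filter those out before comparing.
    #>
    $recent = Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
        Where-Object { $_.InstalledOn -ge $March2025PatchTuesday }
    return ($recent.Count -gt 0)
}

# Evaluate the local host.
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$result = Test-Cve202524983Scope -Build ([int]$os.BuildNumber) -Caption $os.Caption

if ($result.InScope) {
    if ($result.OutOfSupport) {
        $result | Add-Member -NotePropertyName Action -NotePropertyValue `
            'Out-of-support OS in the affected range: isolate or migrate; no mainstream patch path.'
    } elseif (Test-SecurityUpdateSinceMarch2025) {
        $result | Add-Member -NotePropertyName Action -NotePropertyValue `
            'Security update installed after 2025-03-11; confirm the March 2025 KB against the advisory.'
    } else {
        $result | Add-Member -NotePropertyName Action -NotePropertyValue `
            'No security update since 2025-03-11 found: patch with priority.'
    }
} else {
    $result | Add-Member -NotePropertyName Action -NotePropertyValue `
        'Build not in the article''s affected list; still apply March 2025 updates for the other CVEs.'
}

$result | Format-List
```

Running the script on a fleet is a matter of calling `Test-Cve202524983Scope` with build numbers pulled from inventory; the local-host section at the bottom is there so the file also works stand-alone. The hotfix date check is intentionally conservative: it can produce a false "patched" verdict if an unrelated security update was installed later, so treat it as a first filter and verify the specific March 2025 cumulative update before closing a ticket.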
## PipeMagic Backdoor Connection
The exploit was delivered through the PipeMagic backdoor, which Kaspersky first identified in 2022. Once running on a compromised host, the malware can:
– Exfiltrate sensitive data
– Provide remote access to infected machines
– Deploy additional payloads for lateral movement
PipeMagic was previously linked to Nokoyawa ransomware attacks that exploited another Windows zero-day (CVE-2023-28252) in 2023.
## Additional Zero-Days and Federal Response
Microsoft’s March 2025 update also patched five other actively exploited zero-days:
– CVE-2025-24984 – Windows NTFS Information Disclosure
– CVE-2025-24985 – Windows Fast FAT File System Driver Remote Code Execution
– CVE-2025-24991 – Windows NTFS Information Disclosure
– CVE-2025-24993 – Windows NTFS Remote Code Execution
– CVE-2025-26633 – Microsoft Management Console Security Feature Bypass
CISA has added all six vulnerabilities to its Known Exploited Vulnerabilities Catalog, which under Binding Operational Directive 22-01 requires Federal Civilian Executive Branch agencies to patch them by April 1, 2025. CISA also recommends that all other organizations prioritize remediation of these vulnerabilities in their vulnerability-management process.