Multiple critical Windows vulnerabilities, most of them in kernel-mode drivers, are being actively exploited in the wild, forcing Microsoft to release emergency patches.
Security experts have discovered that one of the flaws, CVE-2025-24983, a use-after-free vulnerability in the Win32k driver, has actually been exploited since March 2023. That’s right: by the time the fix shipped, hackers had been quietly using this bug for about two years. The vulnerability allows an attacker who already has local access (a low-privileged account, or code running as the logged-in user) to elevate to SYSTEM, fundamentally giving them the keys to the kingdom. ESET, which found the bug, has tied the in-the-wild exploitation to the PipeMagic backdoor, which used it as its privilege-escalation stage.
Hackers quietly exploited the Win32k vulnerability for about two years, transforming local access into complete system control.
But wait, there’s more. Microsoft also patched CVE-2025-24984, an information disclosure vulnerability in Windows NTFS that requires physical access: the attacker plugs in a USB drive carrying a crafted NTFS volume. Not as scary as remote exploits, but still dangerous in the wrong hands. The bug lets attackers read portions of kernel heap memory, potentially exposing sensitive data such as the addresses an attacker needs to make a memory-corruption exploit reliable.
The patches don’t stop there. CVE-2025-24985 addresses an integer overflow vulnerability in the Windows Fast FAT File System Driver. Attackers exploit this by tricking users into mounting a malicious VHD file; since Windows attaches a VHD when a user simply double-clicks it, the driver parses attacker-controlled on-disk structures and the overflow leads to code execution. Microsoft rates it remote code execution because the file arrives over the network, but the trigger is a local user opening it. Security researcher Valentina Palmiotti, who works at IBM X-Force, has published details on similar kernel vulnerability exploitation techniques.
The same mount-a-crafted-VHD vector is used to exploit CVE-2025-24991 and CVE-2025-24993, both in NTFS: the first is an out-of-bounds read that exposes heap memory, the second a heap-based buffer overflow that allows arbitrary code execution.
Security professionals are scrambling to deploy these patches. Trend Micro researchers also discovered CVE-2025-26633, a security feature bypass in Microsoft Management Console. Hackers are sending malicious MSC (saved console) files; when the victim opens one in mmc.exe, the bypass lets the attacker’s code execute with that user’s privileges. No big deal, just your entire system at risk, especially once it is chained with the Win32k bug above.
Experts recommend immediate patch deployment after testing, prioritizing internet-facing systems. Keep in mind, though, that most of these bugs need either an attacker already on the box or a user opening a file, so user workstations and jump hosts belong near the top of the list too. These vulnerabilities highlight the need for organizations to conduct regular assessments to identify and address vulnerabilities before they can be exploited. They also suggest implementing privilege separation and least privilege principles. Good luck with that.
Suspicious VHD file activity should be monitored closely, as three of the six bugs (CVE-2025-24985, CVE-2025-24991 and CVE-2025-24993) use a mounted VHD as the attack vector, and MSC files landing in user directories deserve the same attention.
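Here is an added example of what that monitoring can look like in practice. It is not code from the original article or from any of the vendors mentioned; it is a PowerShell hunting script that checks a Windows host for the two user-interaction vectors discussed above: attached or recently mounted virtual disks (the VHD-based NTFS and Fast FAT bugs) and MSC files or mmc.exe instances loading consoles from outside System32 (the MMC bypass). The VHDMP event IDs 22 and 23, the lookback window and the scanned paths are assumptions chosen for illustration and should be confirmed on your own build before you rely on them.

```powershell
# Added example, not from the original article. Hunts for artifacts of the two
# user-interaction attack vectors patched this month: mounted/malicious VHD files
# (CVE-2025-24985, -24991, -24993) and malicious MSC files (CVE-2025-26633).
# Run in an elevated PowerShell on Windows 8 / Server 2012 or later (Storage module).
# Assumptions: VHDMP operational log records surface/unsurface as IDs 22/23
# (verify with a test Mount-DiskImage); paths and lookback are hypothetical defaults.
[CmdletBinding()]
param(
    [int]$LookbackDays = 14,
    [string[]]$UserPaths = @("$env:SystemDrive\Users")
)

$findings = [System.Collections.Generic.List[object]]::new()
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Virtual disks that are attached right now. File-backed VHD/VHDX disks report
#    BusType 'File Backed Virtual' to the Storage module.
Get-Disk -ErrorAction SilentlyContinue |
    Where-Object { $_.BusType -eq 'File Backed Virtual' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Vector = 'VHD'; Kind = 'AttachedVirtualDisk'
            Detail = "Disk $($_.Number): $($_.FriendlyName), $([math]::Round($_.Size / 1MB)) MB"
        })
    }

# 2. Recent mount/unmount events from the VHD miniport driver log.
#    ID 22 = VHD surfaced as a disk, ID 23 = unsurfaced (assumed; confirm on your build).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-VHDMP-Operational'; Id = 22, 23; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Vector = 'VHD'; Kind = "VhdmpEvent$($_.Id)"
            Detail = "$($_.TimeCreated) $($_.Message -replace '\s+', ' ')"
        })
    }

# 3. VHD/VHDX and MSC files written recently inside user profiles (Downloads, temp,
#    mail attachment caches). Neither file type normally lives anywhere near a user profile.
$suspectExt = '.vhd', '.vhdx', '.msc'
Get-ChildItem -Path $UserPaths -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $suspectExt -contains $_.Extension.ToLower() -and $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Vector = if ($_.Extension -ieq '.msc') { 'MSC' } else { 'VHD' }
            Kind   = 'FileInUserPath'
            Detail = "$($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))"
        })
    }

# 4. Live mmc.exe instances that were handed an .msc from outside %SystemRoot%\System32.
#    Legitimate consoles (eventvwr.msc, services.msc, ...) are loaded from System32;
#    a console opened from Downloads or Temp is exactly the CVE-2025-26633 lure.
$system32 = [regex]::Escape("$env:SystemRoot\System32")
Get-CimInstance Win32_Process -Filter "Name = 'mmc.exe'" |
    Where-Object { $_.CommandLine -match '\.msc' -and $_.CommandLine -notmatch $system32 } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Vector = 'MSC'; Kind = 'MmcFromUserPath'
            Detail = "PID $($_.ProcessId): $($_.CommandLine)"
        })
    }

if ($findings.Count -eq 0) {
    Write-Host "No VHD or MSC indicators found in the last $LookbackDays days."
} else {
    $findings | Sort-Object Vector, Kind | Format-Table -AutoSize -Wrap
}
```

A hit from check 1 or 2 is not proof of compromise (administrators mount VHDs legitimately), so treat the output as triage input: a VHD that was surfaced from a user’s Downloads folder, or an mmc.exe console loaded from Temp, is what you escalate. For fleet-wide coverage, forward the VHDMP log and process-creation events (Security 4688 with command-line auditing, or Sysmon Event ID 1) to your SIEM and run the same logic there instead of host by host.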
ESET researcher Filip Jurčacko discovered the Win32k flaw, CVE-2025-24983, while the NTFS and Fast FAT bugs were reported anonymously to Microsoft. The affected systems include Windows 8.1, Server 2012 R2, Server 2016, and multiple other Windows versions; ESET notes that the in-the-wild exploit targets the older builds, but Microsoft’s advisory lists newer ones as vulnerable too.
Time to update those systems. Like, yesterday.