A Windows kernel vulnerability patched today by Microsoft has been actively exploited in the wild for two years, claims security firm ESET.
The Windows kernel vulnerability has been allocated CVE-2025-24983.
The elevation of privilege (EoP) bug is among six Microsoft zero-days patched by Redmond as part of March’s Patch Tuesday cycle.
Successful exploitation by a local user gives them full SYSTEM privileges.
(Other notable actively exploited bugs include CVE-2025-24984, which, unusually, requires bona fide physical access, via a USB device, to exploit; yes, that is to exploit a Windows vulnerability, not merely to drop malware.)
CVE-2025-24983: UAF in Win32k driver
CVE-2025-24983 is a use-after-free (UAF) vulnerability, a memory-safety bug class, in the Win32k driver, which runs in kernel mode.
ESET, which reported the vulnerability, said: “The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including still supported Windows Server 2016.
“It does not affect more recent Windows OSes such as Windows 11.”
ESET added in a thread on its official X account that CVE-2025-24983 was “first seen in the wild in March 2023… the exploit was deployed through #PipeMagic backdoor on the compromised machines.”
(PipeMagic is a trojan that was first discovered by Kaspersky in 2022. The Russian security firm saw a resurgence of it in 2024, targeting victims in Saudi Arabia as well as East Asia with a fake ChatGPT application…)
March Patch Tuesday: More exploits...
The vulnerability is one of the notable ones in March’s Patch Tuesday, which features a comparatively light 56 Microsoft CVE fixes.
As Tyler Reguly, Associate Director, Security R&D at global cybersecurity software and services provider Fortra puts it: “You might notice that the CVE count is low, that the software being updated is completely standard and there are no CVSS scores that fall within the realm of ‘Critical.’
“You might even be inclined to call this a nothingburger…”
You would, however, be wrong, he noted; although, mercifully for admins, all six exploited bugs are fixed by the monthly cumulative update: “This means a single update to roll out to fix all of these at once; [none] require post-patch configuration steps.”
“Cumulative updates are a saving grace, providing a fix to most of the major issues with a single update. When this works, it is fantastic. However, the flip side is that when there is a patch issue, all these critical vulnerabilities go unpatched. Keep an eye on the deployment of your cumulative updates and ensure that they deploy without error, otherwise this month’s updates could end up worse than they need to be” – Tyler Reguly, Fortra
We won’t list all of the others: The likes of Dustin Childs do this better.
But there are some of real note. As Kev Breen, of the threat research team at Immersive, notes: "There are four CVEs being exploited that are all related to a remote code execution bug associated with mounting Virtual Hard Disk (VHD) files. These are tracked separately as CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, and CVE-2025-24993..."
"Whilst the title classifies this as a remote code execution, it is not actually exploitable over the network and requires a local action to be taken by the user. Specifically, the exploit relies on the attacker crafting a malicious VHD file and convincing a user to open or mount a VHD file. VHDs are typically used to store operating systems for virtual machines.
"Whilst they are more typically associated with Virtual Machines, we have seen examples over the years where threat actors use VHD or VHDX files as part of phishing campaigns to smuggle malware payloads past AV solutions. Depending on the configuration of Windows systems, simply double-clicking on a VHD file could be enough to mount the container and, therefore, execute any payloads contained within the malicious file.
"Organisations should check their security tools for any VHD files being sent via email or downloaded from the internet and look to add security rules or blocks for these file types where they are not required," said Breen.
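One concrete form of the check Breen recommends, as an added example that is not code from the article or from Immersive: a small Python scanner that identifies VHD and VHDX containers by their on-disk signatures rather than by extension, so a disk image renamed to .pdf to slip past a filter is still flagged. The signatures are the documented ones (a legacy VHD carries a 512-byte footer at the end of the file beginning with the cookie "conectix", mirrored at offset 0 in dynamic and differencing images; a VHDX begins with "vhdxfile"). The directory layout, file names and sample bytes are constructed for the demo and are not real disk images; only the signatures are authentic.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

VHD_COOKIE = b"conectix"       # first 8 bytes of the 512-byte VHD footer
VHDX_SIGNATURE = b"vhdxfile"   # first 8 bytes of a VHDX file
VHD_FOOTER_SIZE = 512
DISK_IMAGE_EXTENSIONS = {".vhd", ".vhdx"}


def classify_disk_image(head: bytes, tail: bytes) -> str | None:
    """Classify a file from its first bytes and its last 512 bytes.

    Returns "vhdx", "vhd" or None. Fixed-size VHDs carry only the trailing
    footer; dynamic and differencing VHDs also mirror it at offset 0, so
    both positions are checked.
    """
    if head[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if head[:8] == VHD_COOKIE:
        return "vhd"
    if len(tail) >= VHD_FOOTER_SIZE and tail[-VHD_FOOTER_SIZE:][:8] == VHD_COOKIE:
        return "vhd"
    return None


def classify_file(path: Path) -> str | None:
    """Read only the head and the footer, so large images are not loaded whole."""
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(8)
        tail = b""
        if size >= VHD_FOOTER_SIZE:
            fh.seek(size - VHD_FOOTER_SIZE)
            tail = fh.read(VHD_FOOTER_SIZE)
    return classify_disk_image(head, tail)


def scan_directory(root: Path) -> list[dict]:
    """Report every file under `root` that is a VHD/VHDX by content or by extension.

    `mismatch` is True when extension and content disagree: a disk image
    renamed to hide it, or a .vhd that is not actually a disk image.
    """
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        fmt = classify_file(path)
        ext = path.suffix.lower()
        if fmt is None and ext not in DISK_IMAGE_EXTENSIONS:
            continue  # neither looks like nor claims to be a disk image
        expected = ext.lstrip(".") if ext in DISK_IMAGE_EXTENSIONS else None
        findings.append({
            "path": str(path.relative_to(root)),
            "format": fmt,
            "extension": ext,
            "mismatch": fmt != expected,
        })
    return findings


def write_sample_files(directory: Path) -> None:
    """Constructed samples (hypothetical names): only the signatures are realistic."""
    footer = VHD_COOKIE + b"\x00" * (VHD_FOOTER_SIZE - 8)
    fixed_vhd = b"\x00" * 4096 + footer               # footer at end only
    dynamic_vhd = footer + b"\x00" * 4096 + footer    # footer mirrored at offset 0
    vhdx = VHDX_SIGNATURE + b"\x00" * 4096
    (directory / "invoice.vhd").write_bytes(fixed_vhd)
    (directory / "backup.vhdx").write_bytes(vhdx)
    (directory / "report.pdf").write_bytes(vhdx)                       # VHDX renamed to hide it
    (directory / "notes.vhd").write_bytes(b"just text, not a disk image\n")  # .vhd by name only
    (directory / "readme.txt").write_bytes(b"hello\n")                  # ignored
    (directory / "disk.img").write_bytes(dynamic_vhd)                   # dynamic VHD, odd extension


def demo() -> list[dict]:
    """Build the constructed samples in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_files(root)
        return scan_directory(root)


if __name__ == "__main__":
    for f in demo():
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f'{f["path"]:<14} content={str(f["format"]):<5} ext={f["extension"]:<6} {flag}')
```

Pointed at a mail-attachment quarantine or a Downloads folder, the scanner reports both disk images that claim to be something else and files that only wear a .vhd/.vhdx extension; a gateway filter keyed on extension alone would miss the first case entirely.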