ESET Research<p><a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ESETresearch</span></a> has discovered a zero-day exploit abusing the <a href="https://infosec.exchange/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE</span></a>-2025-24983 vulnerability in the Windows kernel 🪟 to elevate privileges (<a href="https://infosec.exchange/tags/LPE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LPE</span></a>). First seen in the wild in March 2023, the exploit was deployed through the <a href="https://infosec.exchange/tags/PipeMagic" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PipeMagic</span></a> backdoor on the compromised machines.</p><p>The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including the still-supported Windows Server 2016. It does not affect more recent Windows OSes such as Windows 11.</p><p>The vulnerability is a use-after-free in the Win32k driver. In a certain scenario achieved using the <a href="https://infosec.exchange/tags/WaitForInputIdle" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WaitForInputIdle</span></a> API, the <a href="https://infosec.exchange/tags/W32PROCESS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>W32PROCESS</span></a> structure gets dereferenced one more time than it should, causing a UAF. To reach the vulnerability, a race condition must be won.</p><p>The patches were released today. The Microsoft advisory with security update details is available here: <br><a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24983" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">msrc.microsoft.com/update-guid</span><span class="invisible">e/vulnerability/CVE-2025-24983</span></a></p>