Slovak cybersecurity company ESET says a newly patched zero-day vulnerability in the Windows Win32 Kernel Subsystem has been exploited in attacks since March 2023.
Fixed in Windows security updates released during this month’s Patch Tuesday, the security flaw is now tracked as CVE-2025-24983 and was reported to Microsoft by ESET researcher Filip Jurčacko.
The vulnerability is caused by a use-after-free weakness that lets attackers with low privileges gain SYSTEM privileges without requiring user interaction. However, Redmond tagged such attacks as high complexity since successful exploitation requires the threat actors to win a race condition.
ESET said on Tuesday that a zero-day exploit targeting the CVE-2025-24983 vulnerability was “first seen in the wild” in March 2023 on systems backdoored using PipeMagic malware.
This exploit targets only older Windows versions (Windows Server 2012 R2 and Windows 8.1) that Microsoft no longer supports. However, the vulnerability also affects newer Windows versions, including the still-supported Windows Server 2016 and Windows 10 systems running Windows 10 build 1809 and earlier.
“The Use-After-Free (UAF) vulnerability is related to improper memory usage during software operation. This can lead to software crashes, execution of malicious code (including remotely), privilege escalation, or data corruption,” ESET also told BleepingComputer. “The exploit was deployed via the PipeMagic backdoor, capable of exfiltrating data and enabling remote access to the machine.”
PipeMagic was discovered by Kaspersky in 2022, and it can be used to harvest sensitive data, provides the attackers with full remote access to infected devices, and enables them to deploy additional malicious payloads to move laterally through the victims’ networks.
In 2023, Kaspersky saw it deployed in Nokoyawa ransomware attacks that exploited another Windows zero-day, a privilege escalation flaw in the Common Log File System Driver tracked as CVE-2023-28252.
Federal agencies ordered to patch by April 1st
During the March 2025 Patch Tuesday, Microsoft also patched the following five zero-day vulnerabilities tagged as actively exploited:
- CVE-2025-24984 – Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24985 – Windows Fast FAT File System Driver Remote Code Execution Vulnerability
- CVE-2025-24991 – Windows NTFS Information Disclosure Vulnerability
- CVE-2025-24993 – Windows NTFS Remote Code Execution Vulnerability
- CVE-2025-26633 – Microsoft Management Console Security Feature Bypass Vulnerability
Yesterday, CISA added all six zero-days to its Known Exploited Vulnerabilities Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by April 1st, as required by the Binding Operational Directive (BOD) 22-01.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the U.S. cybersecurity agency warned.
“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.”
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
