Summary: ESET reports a newly patched zero-day vulnerability in Windows Win32 Kernel Subsystem, tracked as CVE-2025-24983, has been exploited since March 2023. The vulnerability allows attackers to escalate privileges without user interaction and primarily targets older Windows versions, although newer ones are also affected. CISA has included this and other zero-days in its Known Exploited Vulnerabilities Catalog, urging federal agencies to secure their systems by April 1, 2025.
Affected: Microsoft Windows Operating Systems (Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows 10)
Keypoints :
- Zero-day vulnerability CVE-2025-24983 exploited since March 2023, allowing privilege escalation.
- Exploitation targets older and still-supported Windows versions via the PipeMagic malware.
- CISA orders federal agencies to patch affected systems by April 1, 2025, highlighting the risks of such vulnerabilities.