Active Exploitation of Windows Kernel Privilege Escalation Vulnerability CVE-2025-62215
Microsoft has disclosed a critical elevation-of-privilege vulnerability in the Windows Kernel, tracked as CVE-2025-62215, which is being actively exploited in the wild. The flaw arises from a race condition and improper memory management, specifically a double-free scenario, allowing local attackers to escalate privileges to SYSTEM level. Exploitation requires an attacker to already have access to the system, but no user interaction is needed, and the attack can be automated. Microsoft has rated the vulnerability as Important, with a CVSS score of 7.0, and notes that all supported Windows 10 editions are affected, including those under Extended Security Updates (ESU). No workaround is available other than applying the official update, and immediate patching is strongly recommended.
The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-415 (Double Free), making it a classic post-compromise privilege escalation vector. Attackers can exploit the timing-sensitive memory corruption path in the kernel to gain elevated access, disable security defenses, and move laterally within networks. The attack surface is particularly concerning in enterprise environments where multiple users share access, as any authenticated user can potentially trigger the exploit. Security experts warn that both targeted threat actors and ransomware operators may leverage this flaw to deepen their foothold after initial access, emphasizing the urgency of deploying the security update across all affected systems.
Sources
Related Stories
Windows Kernel Elevation of Privilege Vulnerability (CVE-2026-26132)
Microsoft published details for **CVE-2026-26132**, an **Important** severity **Windows Kernel** *elevation of privilege* vulnerability caused by **CWE-416 (use-after-free)**. The issue is scored **CVSS 3.1: 7.8** with vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, indicating exploitation requires **local access** and **low complexity**, with **low privileges required** and **no user interaction**, and could result in high impact to confidentiality, integrity, and availability. Microsoft’s Security Update Guide entry provides standard machine-consumable references (e.g., *PowerShell*, *API*, and *CSAF* links) for tracking and patch management. No additional exploitation details, in-the-wild exploitation confirmation, or public proof-of-concept information is included in the provided material beyond the vulnerability classification and scoring.
6 days ago
Microsoft Windows Kernel Elevation of Privilege Vulnerability (CVE-2026-24289)
Microsoft published guidance for **CVE-2026-24289**, an **Important** severity **Windows Kernel elevation of privilege** vulnerability caused by **CWE-416 (use-after-free)**. Microsoft scored the issue with **CVSS 3.1: 7.8** (vector `AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`), indicating exploitation requires **local** access with **low** attack complexity and **low privileges**, and could result in high impact to confidentiality, integrity, and availability if successfully exploited. The Security Update Guide entry provides standard Microsoft consumption options (e.g., *PowerShell*, API, CSAF) for tracking and integrating the advisory into vulnerability management workflows. The two provided references are effectively duplicate MSRC pages for the same CVE (one localized under `/en-US/`) and do not add distinct technical details beyond the vulnerability classification and scoring.
1 weeks agoActive Exploitation of Patched Windows SMB Client Vulnerability CVE-2025-33073
A critical vulnerability in the Windows SMB client, tracked as CVE-2025-33073, is being actively exploited by threat actors months after Microsoft released a patch. The flaw, which affects Windows 10, Windows 11 (up to version 24H2), and all supported versions of Windows Server, was initially addressed in Microsoft's June 2025 Patch Tuesday update. The vulnerability allows attackers to escalate privileges to SYSTEM level by coercing a victim machine to connect to a malicious SMB server, where the protocol can be compromised. Attackers can exploit this by executing a specially crafted script or convincing users to run such a script, leading to authentication with the attacker's server and subsequent compromise. Security researchers from organizations including CrowdStrike, Synacktiv, GuidePoint Security, BNP Paribas, SySS GmbH, RedTeam Pentesting GmbH, and Google Project Zero contributed to the discovery and public disclosure of the flaw. Some researchers have highlighted that the vulnerability bypasses NTLM reflection mitigations and can be used for authenticated remote command execution, not just privilege escalation as initially described by Microsoft. Technical details and proof-of-concept exploits have been published, increasing the risk of widespread exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-33073 to its Known Exploited Vulnerabilities (KEV) catalog on October 20, 2025, confirming active exploitation in the wild. CISA has mandated that all US federal civilian agencies apply the patch or remove vulnerable systems from operation by November 10, 2025, under Binding Operational Directive 22-01. While this directive is specific to federal agencies, CISA has strongly urged all organizations to remediate the vulnerability immediately due to the ongoing attacks. The vulnerability was publicly disclosed at the time of patch release, but exploitation was not observed until months later, underscoring the importance of timely patch management. Microsoft has not yet issued a public statement regarding the active exploitation. The flaw's ability to bypass existing mitigations and enable remote command execution makes it particularly dangerous for enterprise environments. Organizations that have not yet applied the June 2025 patch remain at significant risk of compromise. The ongoing exploitation highlights the persistent threat posed by delayed patching and the rapid weaponization of disclosed vulnerabilities. Security teams are advised to prioritize remediation and monitor for signs of exploitation related to CVE-2025-33073.
4 months ago