A Windows zero-day vulnerability addressed by Microsoft with its March 2025 Patch Tuesday updates has been exploited in the wild since March 2023, ESET says.
The issue, tracked as CVE-2025-24983 (CVSS score of 7.0), is described as a use-after-free bug in the Win32 kernel subsystem that could allow attackers to elevate privileges to System.
“Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft notes on its advisory.
On Tuesday, the tech giant rolled out patches for CVE-2025-24983 and five other security defects marked as exploited. Overall, Microsoft released fixes for 57 vulnerabilities on March 2025 Patch Tuesday.
According to cybersecurity firm ESET, which was credited with finding and reporting the Win32 kernel subsystem vulnerability, attackers have been exploiting the flaw for two years.
The zero-day exploit targeting CVE-2025-24983, ESET said on X, was “first seen in the wild in March 2023”. The attackers executed the code on compromised systems using the PipeMagic backdoor.
“The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including still supported Windows Server 2016. It does not affect more recent Windows OSes such as Windows 11,” ESET explains.
The issue, the company notes, is that in a certain scenario, when the WaitForInputIdle API is used, the Win32 process structure is dereferenced “one more time than it should”, resulting in a use-after-free.
However, “a race condition must be won” for an attacker to reach the vulnerability, ESET also explains.
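The mechanism ESET describes, an object whose reference is dropped one more time than it was taken, is easiest to see in a small model. The following C program is an added illustration and is not ESET's analysis, Windows code, or a model of WaitForInputIdle itself: the object type, the function names and the two call sequences are constructed. It shows that the extra release does not crash by itself; it silently consumes the reference a legitimate holder still relies on, so that holder's next access is the use-after-free.

```c
#include <stdio.h>
#include <string.h>

/* Toy reference-counted object, constructed for illustration only. It is
 * not the Win32 process structure and does not reproduce any kernel code. */
typedef struct {
    int refcount;       /* outstanding references */
    int freed;          /* set to 1 once the last reference is dropped */
    char name[32];
} toy_object;

static void toy_init(toy_object *o, const char *name) {
    o->refcount = 1;    /* the creator holds the first reference */
    o->freed = 0;
    strncpy(o->name, name, sizeof(o->name) - 1);
    o->name[sizeof(o->name) - 1] = '\0';
}

/* Take a reference. Returns 0, or -1 if the object is already gone
 * (touching it at all would already be a use-after-free). */
static int toy_acquire(toy_object *o) {
    if (o->freed) return -1;
    o->refcount++;
    return 0;
}

/* Drop a reference. Returns 1 if this call released the object,
 * 0 if it is still alive, -1 if it had already been released. */
static int toy_release(toy_object *o) {
    if (o->freed) return -1;
    if (--o->refcount == 0) {
        o->freed = 1;   /* a real allocator would return the memory here */
        return 1;
    }
    return 0;
}

/* Touch the object. Returns 0 if alive, -1 if this is a use-after-free. */
static int toy_use(const toy_object *o) {
    return o->freed ? -1 : 0;
}

/* Correct path: a helper takes one extra reference for the duration of a
 * wait and drops exactly that one afterwards. The creator's reference
 * survives, so its later use is valid. */
static int balanced_sequence(void) {
    toy_object obj;
    toy_init(&obj, "process");      /* creator: refcount 1 */
    toy_acquire(&obj);              /* helper:  refcount 2 */
    toy_release(&obj);              /* helper done: refcount 1 */
    return toy_use(&obj);           /* creator still owns it -> 0 */
}

/* Buggy path: the helper releases once more than it acquired. The count
 * hits zero while the creator still believes it holds a reference, so the
 * creator's next access lands on a freed object. */
static int unbalanced_sequence(void) {
    toy_object obj;
    toy_init(&obj, "process");      /* refcount 1 */
    toy_acquire(&obj);              /* refcount 2 */
    toy_release(&obj);              /* refcount 1 */
    toy_release(&obj);              /* extra drop: refcount 0, object freed */
    return toy_use(&obj);           /* creator's use -> -1 */
}

int main(void) {
    printf("balanced sequence:   %d (0 = object still valid)\n", balanced_sequence());
    printf("unbalanced sequence: %d (-1 = use-after-free)\n", unbalanced_sequence());
    return 0;
}
```

The `freed` flag stands in for a real free so the model stays well-defined; in a kernel the same over-release returns the memory to the allocator, and whether the stale access is observable depends on what has been allocated in its place in the meantime, which is why ESET notes a race must be won to reach the vulnerable state. Reference-count verification in debug builds, and instrumentation that flags a release that takes a count to zero while other holders are recorded, catches this class of imbalance before it becomes exploitable.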
According to cybersecurity expert Andre Gironda, while the Nokoyawa ransomware group was previously seen using PipeMagic, Win32 functions have been abused by ransomware such as 3AM, BlackMatter, BlackSuit, and LockBit, as well as by adware, and malware associated with the SideWinder APT.