MULTIPLE CRITICAL AND HIGH VULNERABILITIES IN MICROSOFT WINDOWS COMPONENTS

Risk: high
Damage: high
Platform(s): Microsoft® Windows OS
Advisory ID: ngCERT-2025-100001
Version: Nil
CVE: CVE-2025-21298 and over 100 others
Published: October 6, 2025

Summary


ngCERT has detected over 100 critical and high-severity vulnerabilities, primarily affecting Microsoft Windows components such as Office, along with a few third-party issues. Key risks include remote code execution (RCE), elevation of privilege (EoP), and zero-day exploits, with CVSS scores of up to 9.8. Ten critical flaws and eight zero-days were noted, some of them actively exploited and listed in the US Cybersecurity and Infrastructure Security Agency's catalog. It is pertinent to note that Microsoft has already patched these vulnerabilities, hence the urgent need to update systems and apply the available patches.

Description & Consequence


The vulnerabilities principally affect Microsoft systems categorized as follows:

  1. RCE in Core Windows Components (about 36% of Microsoft CVEs): flaws enabling arbitrary code execution via emails, packets, or files with little user interaction. Examples include Windows OLE (e.g., CVE-2025-21298, reachable through zero-click Outlook previews), the Telephony Service (over 20 CVEs, such as CVE-2025-21286 and CVE-2025-21266, all CVSS 8.8), Remote Desktop Services (e.g., CVE-2025-21297), and others such as BranchCache and SPNEGO authentication.
  2. EoP in Virtualization and Installers (about 25% of Microsoft CVEs): allows attackers to escalate to SYSTEM privileges. Notable are Hyper-V flaws including CVE-2025-21333, exploited zero-days with CVSS 7.8, and App Installer issues such as CVE-2025-21275. This category also includes remote exploitation of NTLMv1.
  3. Office and Developer Tools Issues: RCE/EoP in Access, Excel, Outlook, .NET, and Visual Studio, including CVE-2025-21186, zero-days with CVSS 7.8, often delivered via malicious documents.
  4. DoS and Information Disclosure: impacts services such as MSMQ (e.g., CVE-2025-21251) and includes kernel memory leaks.
  5. Third-Party and Older CVEs: includes an authentication bypass in Progress WhatsUp Gold (CVE-2024-12108, CVSS 9.6) and legacy issues such as Kerberos (2022 CVEs).

Successful exploitation of these flaws could result in:

  1. Full System Compromise: RCE flaws allow attackers to run arbitrary code as the user or SYSTEM, enabling malware deployment, ransomware, or persistent access.
  2. Privilege Escalation and Lateral Movement: EoP in Hyper-V or installers facilitates VM escapes, domain dominance, or supply-chain attacks in enterprise networks.
  3. Data Theft/Exfiltration: Information disclosures (e.g., NTLM hashes via CVE-2025-21308) enable pass-the-hash attacks; Office flaws risk sensitive document leaks.
  4. Service Disruption: DoS in MSMQ or RDP could halt critical operations in monitored environments.
  5. Broader Impact: Zero-days like CVE-2025-21298 are wormable via email, amplifying spread in unpatched fleets. For third-party products such as WhatsUp Gold, unauthorized server access risks network-wide reconnaissance. Left unmitigated, these could lead to regulatory non-compliance with GDPR and NIST requirements, and to financial losses from breaches.

Solution


To mitigate these vulnerabilities, ngCERT recommends the following measures:

  1. Patch Urgently: Apply January 2025 updates such as KB5040431 through Windows Update or management tools; prioritize exposed systems and test first.
  2. Hardening Measures: Disable NTLMv1, block unnecessary ports such as PGM UDP, restrict email previews in Outlook, enable Credential Guard for Hyper-V, and use Extended Protection for Authentication (EPA). For third-party products such as WhatsUp Gold, upgrade to patched versions and rotate keys.
  3. Detection Strategies: Deploy EDR for anomaly monitoring (e.g., Telephony or OLE activity), enable logging for RDP/MSMQ, and scan for PoCs.
  4. General Practices: Ensure network segmentation, least privilege, regular scans, and MSRC subscriptions to reduce exposure.
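To turn the patch and hardening items above into a repeatable, read-only check, the following PowerShell audit is an added example and is not part of the ngCERT advisory or any Microsoft tooling. It assumes KB5040431 (named above) is the relevant update for the host, relies on the documented LSA LmCompatibilityLevel value, the Win32_DeviceGuard CIM class and the MSMQ-Server optional feature, and writes nothing unless -EnforceNtlmV2 is explicitly passed.

```powershell
# Added example (not from ngCERT or Microsoft): audit the advisory's hardening items.
function Test-PatchInstalled {
    param([string]$KbId = 'KB5040431')   # update named in the advisory; adjust per host
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Get-LmCompatibilityLevel {
    # 0-2 still allow LM/NTLMv1 responses; 3-5 send NTLMv2 only, and 5 also refuses
    # LM/NTLMv1 at the server. -1 means the value is not explicitly configured.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $val) { return -1 }
    return [int]$val
}

function Test-CredentialGuardRunning {
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
}

function Test-MsmqInstalled {
    # MSMQ is hit by the DoS CVEs above; hosts that do not need it should not have it enabled.
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
    return ($null -ne $f) -and ($f.State -eq 'Enabled')
}

function Invoke-AdvisoryAudit {
    [CmdletBinding()] param([switch]$EnforceNtlmV2)   # the only write action, opt-in
    $level = Get-LmCompatibilityLevel
    $findings = [ordered]@{
        'KB5040431 installed'       = Test-PatchInstalled
        'LmCompatibilityLevel >= 3' = ($level -ge 3)        # unset (-1) is reported as FAIL on purpose
        'Credential Guard running'  = Test-CredentialGuardRunning
        'MSMQ-Server not enabled'   = -not (Test-MsmqInstalled)
    }
    foreach ($k in $findings.Keys) {
        $status = if ($findings[$k]) { 'PASS' } else { 'FAIL' }
        Write-Output ('{0,-28} {1}' -f $k, $status)
    }
    if ($EnforceNtlmV2 -and $level -lt 5) {
        # Value 5 refuses LM and NTLMv1 entirely; test on a pilot group first, legacy clients may break.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Value 5 -Type DWord
        Write-Output 'LmCompatibilityLevel set to 5 (NTLMv2 only); a reboot is required to apply.'
    }
}

Invoke-AdvisoryAudit   # run from an elevated prompt; add -EnforceNtlmV2 to apply the NTLM change
```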
