Cyber Web Spider Blog – News
Threat Actors Leveraging Windows and Linux Vulnerabilities in Real-world Attacks to Gain System Access

Posted on August 29, 2025 (updated August 30, 2025) by CWS

Cybersecurity teams worldwide have observed a surge in sophisticated campaigns exploiting both Windows and Linux vulnerabilities in recent months to gain unauthorized system access.

These attacks typically begin with phishing emails or malicious web content designed to deliver weaponized documents. Once opened, the embedded exploits target unpatched vulnerabilities in commonly used software components, allowing attackers to execute arbitrary code on victim machines.

As organizations struggle to keep pace with patch management, threat actors have intensified their focus on high-impact flaws that remain unaddressed in many environments.

Securelist researchers identified that several long-standing vulnerabilities in Microsoft Office's Equation Editor continue to be a favorite initial access vector.

CVE-2018-0802 and CVE-2017-11882, both remote code execution flaws in the Equation Editor component, remain heavily exploited despite patches having been available for years.

In addition, CVE-2017-0199, a flaw affecting Office and WordPad, provides another path for payload delivery.

These Office exploits are often combined with newer Windows File Explorer and driver vulnerabilities, such as CVE-2025-24071, which enables NetNTLM credential theft via .library-ms files, and CVE-2024-35250, a ks.sys driver code execution issue, to establish a foothold and escalate privileges.
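A .library-ms file is an XML Library Description that Explorer parses as soon as the file is listed in a folder; when its location points at a remote share, Explorer connects over SMB, which is the behaviour behind the NetNTLM leak described above. The triage helper below is an added example, not Securelist's or CWS's code: it pulls every UNC location out of a library file and reports any host that is not on an allow-list of known file servers. The XML samples are constructed (the remote address is from the TEST-NET range), and the allow-list is a hypothetical input the analyst supplies.

```python
import re
import xml.etree.ElementTree as ET

# Default namespace of Windows Library Description (.library-ms) documents.
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

# UNC location \\host\share[\...]; the host portion is captured.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def library_ms_remote_hosts(xml_text: str) -> list[str]:
    """Return every host referenced by a UNC <url> inside a .library-ms document.

    Any host here is one Explorer will authenticate to over SMB merely by
    rendering the folder that holds the file.
    """
    # ElementTree is used for brevity; for files from untrusted sources prefer
    # defusedxml to rule out entity-expansion tricks.
    root = ET.fromstring(xml_text)
    hosts = []
    for url in root.iter(LIBRARY_NS + "url"):
        match = UNC_RE.match((url.text or "").strip())
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def flag_library_ms(xml_text: str, trusted_hosts: set[str]) -> list[str]:
    """Hosts not on the (hypothetical, analyst-supplied) allow-list of file servers."""
    return [h for h in library_ms_remote_hosts(xml_text) if h not in trusted_hosts]


# Constructed samples, not real lure files: one points at an external address,
# the other only at a local folder.
SUSPICIOUS_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\203.0.113.10\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

BENIGN_LIBRARY_MS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>C:\Users\Public\Documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    trusted = {"fileserver01.corp.example"}  # hypothetical allow-list
    print(flag_library_ms(SUSPICIOUS_LIBRARY_MS, trusted))  # ['203.0.113.10']
    print(flag_library_ms(BENIGN_LIBRARY_MS, trusted))      # []
```

Running this over .library-ms files found in mail attachments or extracted archives gives a cheap first filter; the same SMB-reach-out reasoning applies to any host that is not an internal file server, so an empty allow-list is a reasonable default in environments that do not use network-backed libraries.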

Beyond Microsoft Office, attackers have also leveraged WinRAR's archive-handling weaknesses. CVE-2023-38831 and the directory traversal flaw CVE-2025-6218 allow adversaries to place malicious files outside the intended extraction path, hijacking system configurations or dropping persistence backdoors.
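The failure mode behind an archive path traversal flaw is an entry name that resolves outside the directory the user chose for extraction. The check below is an added example (not Securelist's or WinRAR's code) of the validation an extractor or a mail gateway should apply to every entry name before writing anything: it rejects `..` segments, absolute paths, Windows drive letters and backslash separators. It uses the standard-library ZIP module only because RAR parsing needs third-party libraries; the name check itself is format-agnostic. The in-memory archive and its entry names are constructed for the demonstration.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def member_escapes(dest_dir: str, member_name: str) -> bool:
    """True if extracting member_name under dest_dir would write outside dest_dir.

    Catches '..' segments, absolute POSIX paths, Windows drive letters and UNC
    prefixes, and backslash separators. Only the name is inspected, so the same
    check works for any archive format's entry list.
    """
    normalised = member_name.replace("\\", "/")
    if PurePosixPath(normalised).is_absolute() or PureWindowsPath(member_name).drive:
        return True
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, normalised))
    # Anything whose resolved path does not share dest as its prefix escapes.
    return os.path.commonpath([dest, target]) != dest


def unsafe_members(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """List entries of a ZIP archive that would escape dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [name for name in zf.namelist() if member_escapes(dest_dir, name)]


def build_sample_archive() -> bytes:
    """Constructed in-memory archive: one benign entry and three escaping ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"benign content")
        zf.writestr("../../outside/dropped.cmd", b"escapes via dot-dot")
        zf.writestr("..\\..\\outside\\dropped.lnk", b"escapes via backslashes")
        zf.writestr("C:/outside/dropped.exe", b"absolute drive path")
    return buf.getvalue()


if __name__ == "__main__":
    for name in unsafe_members(build_sample_archive(), "extract_out"):
        print("would escape extraction dir:", name)
```

Note that `docs/../report.pdf` is accepted, because after resolution it still lands inside the destination; the decision is made on the resolved path, not on the presence of `..` alone.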

On the Linux side, the Dirty Pipe vulnerability (CVE-2022-0847) remains a critical favorite for privilege escalation, while CVE-2019-13272 and CVE-2021-22555 continue to be used to gain root access on unpatched servers.

Infection Mechanism

A particularly insidious infection mechanism combines Office-based delivery with secondary exploitation of system drivers. Securelist analysts noted that attackers craft RTF documents containing shellcode that invokes Equation Editor via OLE objects.

Once the vulnerability triggers, the shellcode downloads a two-stage payload: a small loader and a full-featured malware binary.

The loader leverages CVE-2025-24071 to harvest NetNTLM hashes from incoming SMB connections, forwarding them to a C2 server.

The full payload then exploits CVE-2024-35250 to load a malicious driver into kernel space, granting attackers unrestricted code execution.

This dual-exploit chain allows adversaries to bypass user-level defenses and deploy rootkits undetected.
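The delivery stage of the chain above rests on an RTF document embedding an OLE object whose class is the legacy Equation Editor. That is visible in the file itself: the `\objclass` control word names the ProgID, the hex stream in `\objdata` carries it again inside the OLE 1.0 object header, and `\objupdate` asks the application to load the object as soon as the document opens. The scanner below is an added example, not Securelist's or CWS's code, of the static check a mail filter or sandbox pre-filter can run on RTF attachments. The sample document is constructed; its `\objdata` blob approximates the OLE 1.0 object header layout (version, format id, class-name length, class name) and is an assumption made for the demonstration rather than a captured maldoc.

```python
import binascii
import re

# ProgIDs under which the legacy Equation Editor is embedded in documents.
EQUATION_PROGIDS = ("Equation.3", "Equation.2")

OBJCLASS_RE = re.compile(r"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")


def decode_objdata(hex_blob: str) -> bytes:
    """Decode the hex stream of an \\objdata group (whitespace and newlines allowed)."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", hex_blob)
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]  # tolerate a truncated trailing nibble
    return binascii.unhexlify(cleaned)


def scan_rtf(text: str) -> list[str]:
    """Return findings for an RTF document given as text (decode files with latin-1).

    Findings: 'objupdate' (object forced to load on open), 'objclass:<ProgID>'
    and 'objdata-progid:<ProgID>' when the embedded object is Equation Editor.
    """
    findings: list[str] = []
    if "\\object" not in text:
        return findings  # no embedded objects at all
    if "\\objupdate" in text:
        findings.append("objupdate")
    for progid in OBJCLASS_RE.findall(text):
        if progid in EQUATION_PROGIDS:
            findings.append(f"objclass:{progid}")
    for blob in OBJDATA_RE.findall(text):
        raw = decode_objdata(blob)
        for progid in EQUATION_PROGIDS:
            if progid.encode("ascii") in raw:
                findings.append(f"objdata-progid:{progid}")
    return findings


def _ole1_header(progid: str) -> bytes:
    """Constructed approximation of an OLE 1.0 object header carrying a class name."""
    name = progid.encode("ascii") + b"\x00"
    return (b"\x01\x05\x00\x00"              # OLE version
            + b"\x02\x00\x00\x00"            # format id: embedded object
            + len(name).to_bytes(4, "little")
            + name)


# Constructed samples: an RTF with an Equation Editor object set to auto-update,
# and a plain document with no objects.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 {\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata " + _ole1_header("Equation.3").hex() + r"}}\par }"
)
BENIGN_RTF = r"{\rtf1\ansi\deff0 Quarterly report\par }"

if __name__ == "__main__":
    print(scan_rtf(SAMPLE_RTF))  # ['objupdate', 'objclass:Equation.3', 'objdata-progid:Equation.3']
    print(scan_rtf(BENIGN_RTF))  # []
```

Either an Equation Editor ProgID or `\objupdate` on its own is worth a closer look; both together in a document arriving from outside the organisation is a strong signal, since the Equation Editor binary was removed from Office by the patches for the CVEs named in this article.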

Payload published online (Source – Securelist)

In many incidents, once kernel-level control is achieved, attackers install custom C2 frameworks, such as Sliver or Havoc, to maintain persistence.

These implants include in-memory protection to evade antivirus scans and use legitimate Windows services to blend into normal processes.

By chaining publicly known exploits, actors can rapidly move from initial compromise to full system control without writing suspicious files to disk.

Vulnerability Details:

| CVE            | Description                                    | Exploit Type                  | Affected Platform |
|----------------|------------------------------------------------|-------------------------------|-------------------|
| CVE-2018-0802  | RCE in Office Equation Editor                  | Embedded OLE exploit          | Windows           |
| CVE-2017-11882 | RCE in Office Equation Editor                  | Embedded OLE exploit          | Windows           |
| CVE-2017-0199  | Control takeover via Office and WordPad        | Script-based document exploit | Windows           |
| CVE-2023-38831 | Improper file handling in WinRAR               | Archive code execution        | Windows           |
| CVE-2025-24071 | NetNTLM credential theft via .library-ms files | Credential dumping            | Windows           |
| CVE-2024-35250 | Arbitrary code execution in ks.sys driver      | Kernel driver exploit         | Windows           |
| CVE-2022-0847  | Dirty Pipe privilege escalation                | Pipe buffer overwrite         | Linux             |
| CVE-2019-13272 | Improper privilege inheritance handling        | Privilege escalation          | Linux             |
| CVE-2021-22555 | Heap overflow in Netfilter                     | Heap-based overflow           | Linux             |
| CVE-2025-6218  | Directory traversal in WinRAR                  | Archive path manipulation     | Windows           |

This consolidated view highlights the persistence of older vulnerabilities alongside newer flaws, underscoring the critical need for timely patching and comprehensive defense-in-depth strategies.

Organizations should prioritize updates for both user applications and system components to mitigate the risk of these prevalent exploits in real-world attacks.

