Part01
Exploitation Trend Escalation
Recent monitoring by global cybersecurity teams has detected a significant increase in activities where attackers exploit vulnerabilities in Windows and Linux systems to conduct complex attacks aimed at gaining unauthorized system access. These attacks typically begin with phishing emails or malicious web content, deploying weaponized documents to initiate the attack. When victims open the document, the embedded exploit code targets unpatched vulnerabilities in commonly used software components, allowing attackers to execute arbitrary code on the compromised machine. Due to the widespread issue of delayed patch management in enterprises, threat actors are focusing on exploiting high-risk vulnerabilities that remain unpatched in most environments.Part02
Key Attack Vector Analysis
Securelist researchers have found that multiple long-unpatched vulnerabilities in the Microsoft Office Equation Editor remain the attackers’ preferred initial intrusion vector. Among them:
- CVE-2018-0802 and CVE-2017-11882 (remote code execution vulnerabilities in the Equation Editor component) are still widely exploited despite having patches available for years.
- CVE-2017-0199 (a vulnerability affecting Office and WordPad) provides another path for payload delivery.
These Office vulnerabilities are often combined with newer vulnerabilities in Windows File Explorer and drivers, such as:
- CVE-2025-24071 (stealing NetNTLM credentials via .library-ms files)
- CVE-2024-35250 (code execution vulnerability in the ks.sys driver)
Attackers also exploit defects in WinRAR’s archive processing:
- CVE-2023-38831
- Directory traversal vulnerability CVE-2025-6218
In Linux systems, attackers primarily exploit:
- Dirty Pipe vulnerability (CVE-2022-0847, privilege escalation)
- CVE-2019-13272 and CVE-2021-22555 (to gain root privileges)
Part03
Composite Infection Mechanism
Securelist analysts have disclosed a covert infection mechanism that combines Office document delivery with secondary exploitation of system drivers:
- Attackers create RTF documents containing shellcode, invoking the Equation Editor through OLE objects.
- Once the vulnerability is triggered, the shellcode downloads a two-stage attack payload (a small loader and fully functional malware).
- The loader exploits CVE-2025-24071 to collect NetNTLM hashes from incoming SMB connections and forwards them to a C2 server.
- The full payload exploits CVE-2024-35250 to load malicious drivers into kernel space, achieving unrestricted code execution.
Part04
Vulnerability Details Comparison Table
This comparison table reveals the coexistence of new and old vulnerabilities, highlighting the urgency of timely patching and implementing deep defense strategies. Enterprises should prioritize updating user applications and system components to reduce the risk of these common vulnerabilities being exploited in real attacks.
References:
Threat Actors Leveraging Windows and Linux Vulnerabilities in Real-world Attacks to Gain System Access
https://cybersecuritynews.com/threat-actors-leveraging-windows-and-linux-vulnerabilities/
Source: FreeBuf
The technologies, ideas, and tools mentioned in the articles published and reprinted by Heibai Zhidao are for learning and communication purposes only, and no one may use them for illegal purposes or for profit; otherwise, the consequences will be borne by the user!
If there is any infringement, please contact us to delete the article.
END