Microsoft has addressed a critical zero-day vulnerability in the Windows Win32 kernel that hackers have actively exploited for the past two years. The flaw, tracked as CVE-2025-24983, was patched as part of March 2025 Patch Tuesday updates, but cybersecurity experts warn that it has been in use since March 2023.
A Two-Year-Long Security Threat
According to ESET, the cybersecurity firm that discovered and reported the flaw, attackers have been leveraging this security gap for two years to escalate privileges on compromised systems. The vulnerability, which carries a CVSS score of 7.0, is a use-after-free bug within the Win32 kernel subsystem. If successfully exploited, it allows attackers to gain SYSTEM privileges, giving them full control over the affected device.
Microsoft emphasized in its security advisory that exploiting this vulnerability requires an attacker to win a race condition. However, once successfully executed, the attacker could take complete control of a system.
March 2025 Patch Tuesday: Fixing Exploited Vulnerabilities
As part of its March 2025 Patch Tuesday, Microsoft released fixes for 57 security vulnerabilities, including six actively exploited flaws, one of which is CVE-2025-2498b3.
Cybersecurity experts at ESET noted that hackers have been using the PipeMagic backdoor to exploit this zero-day vulnerability. Their investigation revealed that the first in-the-wild use of this exploit was observed in March 2023.
Who is Affected?
ESET’s findings indicate that the vulnerability affects Windows versions released before Windows 10 build 1809. Specifically, the following operating systems are at risk:
- Windows 8.1
- Windows Server 2012 R2
- Windows Server 2016 (still supported)
However, Microsoft confirmed that newer operating systems, including Windows 11, are not affected by this flaw.
How the Exploit Works
The security flaw is triggered under specific conditions when the WaitForInputIdle API is used. According to ESET, the Win32 process structure gets dereferenced more times than it should, leading to a use-after-free scenario.
Although this vulnerability exists, an attacker must win a race condition to successfully execute the exploit, making it more complex but still highly dangerous in the hands of skilled cybercriminals.
Ransomware and APT Groups Abusing Win32 Functions
Security researchers point out that Win32 functions have a long history of being exploited by various threat actors. While the PipeMagic backdoor has been previously linked to the Nokoyawa ransomware group, similar functions have been used in malware campaigns by:
- 3AM ransomware
- BlackMatter ransomware
- BlackSuit ransomware
- LockBit ransomware
- SideWinder APT
Additionally, these techniques have been utilized by adware and other forms of malware, demonstrating the broad risks posed by unpatched Windows vulnerabilities.
Final Thoughts: Immediate Action Required
Given that this zero-day vulnerability has been actively exploited for two years, organizations and individual users running older versions of Windows must prioritize applying the latest Microsoft patches. Cybersecurity experts also recommend implementing network segmentation, endpoint detection tools, and strict access controls to mitigate potential attacks.
With ransomware groups and advanced persistent threats (APTs) continuously searching for new ways to exploit Windows flaws, staying updated on security patches is crucial in preventing breaches.
Want more on cybersecurity? Click here.
