
Attacks with Newly Addressed Win32 Bug Ongoing for Two Years

Attackers executed the code on compromised systems using the PipeMagic backdoor to distribute the Windows exploit.

Malicious actors have been exploiting the recently fixed high-severity Win32 kernel subsystem zero-day vulnerability for the past two years.

A Microsoft advisory said the issue, tracked as CVE-2025-24983, is a use-after-free bug in the Win32 kernel subsystem that could allow attackers to elevate privileges to System. “Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft said.

However, according to research by ESET, which was credited with finding and reporting the Win32 kernel subsystem vulnerability, attackers have been exploiting the flaw for two years.

According to SecurityWeek, ESET said on X that the flaw was “first seen in the wild in March 2023,” when attackers executed the code on compromised systems using the PipeMagic backdoor to distribute the exploit, which was aimed at Windows 8.1 and Server 2012 R2 instances.
Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
