Windows kernel bug now exploited in attacks to gain SYSTEM privileges

CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability.

Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don’t require user interaction.

While Microsoft didn’t share more details in a security advisory published in June, the DEVCORE Research Team that found the flaw and reported it to Microsoft through Trend Micro’s Zero Day Initiative says the vulnerable system component is the Microsoft Kernel Streaming Service (MSKSSRV.SYS).

DEVCORE security researchers used this MSKSSRV privilege escalation security flaw to compromise a fully patched Windows 11 system on the first day of this year’s Pwn2Own Vancouver 2024 hacking contest.

Redmond patched the bug during the June 2024 Patch Tuesday, with proof-of-concept exploit code released on GitHub four months later.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company says in a security advisory that has yet to be updated to indicate the vulnerability is under active exploitation.

DEVCORE published the following video demo of their CVE-2024-35250 proof-of-concept exploit being used to hack a Windows 11 23H2 device.

Today, CISA also added a critical Adobe ColdFusion vulnerability (tracked as CVE-2024-20767) to its catalog of exploited flaws. Adobe patched it in March, and several proof-of-concept exploits have been published online since then.

CVE-2024-20767 is due to an improper access control weakness that allows unauthenticated, remote attackers to read system files and other sensitive files. According to SecureLayer7, successfully exploiting ColdFusion servers whose admin panel is exposed online can also allow attackers to bypass security measures and perform arbitrary file system writes.

The Fofa search engine tracks over 145,000 Internet-exposed ColdFusion servers, although it is impossible to pinpoint the exact ones with remotely accessible admin panels.

CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, tagging them as actively exploited. As mandated by Binding Operational Directive (BOD) 22-01, federal agencies must secure their networks within three weeks, by January 6.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency said.

While CISA’s KEV catalog primarily alerts federal agencies about security bugs that should be patched as soon as possible, private organizations are also advised to prioritize mitigating these vulnerabilities to block ongoing attacks.

A Microsoft spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details regarding the in-the-wild exploitation of CVE-2024-35250.