My mom accidentally referred to cryptocurrency as “kleptocurrency” this morning and I think I’m going to call it that from now on! 🤑
#ESETresearch has discovered a zero-day exploit abusing the #CVE-2025-24983 vulnerability in the Windows kernel 🪟 to elevate privileges (#LPE). First seen in the wild in March 2023, the exploit was deployed through the #PipeMagic backdoor on the compromised machines.
The exploit targets Windows 8.1 and Server 2012 R2. The vulnerability affects OSes released before Windows 10 build 1809, including the still-supported Windows Server 2016. It does not affect more recent Windows OSes such as Windows 11.
The vulnerability is a use-after-free in the Win32k driver. In a certain scenario achieved using the #WaitForInputIdle API, the #W32PROCESS structure gets dereferenced one more time than it should, causing a UAF. To reach the vulnerability, a race condition must be won.
The patches were released today. Microsoft advisory with security update details is available here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24983
10x the speed and half the memory usage by migrating the TypeScript compiler from TS to Go isn't exactly a ringing TypeScript endorsement.
https://devblogs.microsoft.com/typescript/typescript-native-port/
NIST selects HQC (Hamming Quasi-Cyclic -- https://pqc-hqc.org/) for standardization as the second #PQC key-encapsulation mechanism after ML-KEM.
But no rush, "the final version will be published in approximately two years".
https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/w-6RREtb7-c/m/vRjBJE3dAAAJ
A study of eight AI search engines found they provided incorrect citations of news articles in 60%+ of queries; Grok 3 answered 94% of the queries incorrectly (Columbia Journalism Review)
https://www.cjr.org/tow_center/we-compared-eight-ai-search-engines-theyre-all-bad-at-citing-news.php
http://www.techmeme.com/250310/p28#a250310p28
Now, I have a little problem: I cannot play it because I haven't had a vinyl player for ::checks clock:: the last 2 decades.
Can you recommend a modern vinyl player with, potentially, USB and Bluetooth support?
DDoS attacks almost always originate from hacked devices. The country/countries that the traffic originates from has never been an indicator of who's behind the attack. Musk's implication that Ukraine was responsible for the Twitter DDoS attack based on seeing some traffic originating from Ukrainian IPs is just dangerous speculation.
I've mapped botnets professionally for a decade, and all that looking at IP address locations tells you is the geographical distribution of compromised devices. When you plot this kind of data on a chart, you typically just get a heat map of population density, slightly skewed by economic factors. Nations with larger populations tend to have more devices, but developing nations tend to have a higher percentage of older, less secure devices, which are more likely to be hacked and recruited into botnets.
Still 38 hours left before the WOOT deadline. Who needs tier 1 confs with the inevitable complaints from reviewer 2 who just wishes the hackers would go away? Submit your papers full of fun hacks, chaos and hijinks to the bestest offensive security academic conference and get reviews from people who really appreciate it!
(also pls boost for reach, targeting academics on social media got a lot trickier in this fragmented world 😢)
https://infosec.exchange/@wootsecurity/114140304168415477
PoC vulnerable app for the Camel bug:
https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC
Code that may/may not exhibit the same kinds of problems:
https://github.com/search?q=import+org.apache.camel+RouteBuilder&type=code