FlagThis

Microsoft has publicly released a proof-of-concept (PoC) exploit for CVE-2025-21293, a critical privilege escalation vulnerability in Active Directory Domain Services (AD DS). This vulnerability, patched in January 2025, allows attackers to gain system-level privileges, potentially leading to significant security breaches. The public availability of the exploit increases the risk of widespread exploitation. The vulnerability allows an attacker to gain admin level privileges in AD.

A critical vulnerability in Microsoft’s Multi-Factor Authentication (MFA) allowed attackers to bypass it and gain unauthorized access to Office 365 accounts. The flaw exploited session creation and TOTP code tolerance, enabling attackers to brute-force MFA codes undetected within 70 minutes. Microsoft implemented a stricter rate limit to fix the vulnerability.

Microsoft has deprecated the driver synchronization service in Windows Server Update Services (WSUS), effective April 18, 2025. This change means that WSUS will no longer provide driver updates, requiring administrators to explore alternative methods, such as cloud-based management platforms, for driver updates. This deprecation impacts IT administrators who rely on WSUS for driver management.

Two ransomware groups, tracked as STAC5143 and STAC5777, are actively exploiting Microsoft 365 services and default settings to gain access to internal enterprise users. These groups are using their own Microsoft 365 tenants to target organizations, underscoring significant security risks. These attacks highlight the need for enhanced security measures on Microsoft 365 platform to defend against ransomware.

Ransomware groups are using Microsoft Teams for vishing attacks, bypassing traditional email security measures. Attackers are leveraging Teams to deliver malicious links, leading to data breaches and system compromises. This highlights the evolving tactics of cybercriminals who are now targeting collaboration platforms to bypass detection and reach their victims. Organizations must enhance security protocols on collaboration platforms.

The Chinese APT group Salt Typhoon continues to exploit a critical, years-old vulnerability in Microsoft Exchange Servers. Despite repeated warnings and available patches, a vast majority of at-risk Exchange servers remain unpatched, leaving them vulnerable to exploitation. This negligence allows attackers to maintain access to networks, potentially leading to data breaches and further system compromise. This specific flaw has been a long-term target and its continued existence is a testament to the ongoing challenges in patching critical systems. Exploitation of this vulnerability allows for initial access, lateral movement and data exfiltration.

Microsoft has addressed multiple issues with its software. A bug was fixed that caused Windows Server 2022 systems with two or more NUMA nodes to fail to start up, requiring an out-of-band update KB5052819. Additionally, Microsoft resolved problems that were causing Microsoft 365 apps and Classic Outlook to crash on Windows Server 2016 and 2019 systems, which was caused by a recent Office update integrating the React Native framework. These fixes aim to restore stability and functionality to affected systems.

Microsoft is addressing a critical vulnerability in Windows BitLocker (CVE-2025-21210) that exposes the encryption mechanism to a randomization attack. This flaw allows attackers with physical access to manipulate ciphertext blocks, potentially writing sensitive data to disk in plaintext. There is another issue with TPM equipped devices which are showing warnings after Bitlocker is enabled.

The Russian threat actor Star Blizzard has shifted its tactics, now targeting WhatsApp accounts via spear-phishing. The campaign involves messages that prompt victims to join a WhatsApp group, where their credentials can be harvested. This marks a departure from their previous methods, likely to evade detection. The primary targets are individuals involved in government, diplomacy, defense, and international relations, indicating an espionage-focused campaign. The use of social engineering via WhatsApp is a notable shift for this APT group.

Hackers are utilizing the FastHTTP library in Go to perform high-speed brute-force password attacks against Microsoft 365 accounts globally. The attacks are characterized by generating a large volume of HTTP requests, focusing on Azure Active Directory endpoints. This technique demonstrates how high-performance libraries can be exploited to conduct rapid credential-based attacks.

Microsoft has released an update for Windows Server 2022 to address boot issues that may occur on systems with two or more NUMA nodes. The update, KB5052819, resolves a problem that prevented systems from booting correctly. Additionally, Microsoft confirmed issues with the SgrmBroker service after the January 2025 update, affecting Windows 10 and Server 2022 systems. An out-of-band update was released to fix these issues.

A sophisticated phishing campaign is exploiting Microsoft 365 to target PayPal users. Attackers register free Microsoft 365 test domains to create distribution lists for sending authentic-looking PayPal money requests. This method bypasses traditional email protections, increasing the scam’s success rate. The technique leverages genuine PayPal features to deceive victims into revealing their credentials. This is not a new vulnerability, but it is a new use of the legitimate feature.

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-49112, has been identified in Windows LDAP. A Proof of Concept (PoC) exploit has been released demonstrating how an attacker can send a malicious LDAP request to unpatched Domain Controllers, leading to memory corruption and remote code execution without any user interaction. This vulnerability poses a significant threat to Windows environments. This is a zero click RCE vulnerability.

Microsoft has issued an urgent warning to .NET developers, urging them to update their app and pipeline configurations to avoid using the ‘azureedge.net’ domain for installing .NET components. The domain will soon become unavailable due to the bankruptcy and imminent shutdown of CDN provider Edgio. This change will affect the delivery of .NET installers and archives and requires developers to update their dependencies promptly to prevent application failures. This issue highlights the fragility of relying on third-party services for critical application dependencies.

Microsoft has issued a warning about a bug affecting Windows 11, version 24H2, when installed via media containing the October or November 2024 security updates. This issue causes the operating system to become unable to receive further security updates. The bug does not impact devices updated through Windows Update or the Microsoft Update Catalog. Users are advised to avoid using affected installation media.

A new Microsoft 365 phishing-as-a-service platform called ‘FlowerStorm’ has emerged, filling the gap left by the shutdown of the Rockstar2FA cybercrime service. FlowerStorm is a sophisticated service which allows threat actors to create and deploy phishing campaigns specifically targeting Microsoft 365 accounts. This activity shows a clear increase in targeted phishing campaigns aimed at Microsoft users, which could lead to account compromise, data breaches and other associated risks. The sophisticated platform allows threat actors to automate much of the phishing process, increasing their efficiency and reach. This demonstrates the ease with which cybercriminals can set up and deploy complex phishing schemes.