In recent months, cybersecurity teams have observed a significant increase in sophisticated cyberattacks targeting both Windows and Linux systems. Threat actors are exploiting unpatched vulnerabilities to gain unauthorized access, often initiating attacks through phishing emails or malicious web content that deliver weaponized documents. Once these documents are opened, embedded exploits target known vulnerabilities in widely used software components, enabling attackers to execute arbitrary code on victim machines.
Despite the availability of patches, several longstanding vulnerabilities in Microsoft Office’s Equation Editor remain heavily exploited. Notably, CVE-2018-0802 and CVE-2017-11882 are remote code execution flaws that continue to serve as primary vectors for initial access. Additionally, CVE-2017-0199, affecting Office and WordPad, provides another avenue for payload delivery.
Attackers often combine these Office exploits with more recent Windows vulnerabilities to establish a foothold and escalate privileges. For instance, CVE-2025-24071 enables NetNTLM credential theft via .library-ms files, while CVE-2024-35250 is a ks.sys driver code execution issue. Beyond Microsoft Office, weaknesses in WinRAR’s archive handling have been leveraged. CVE-2023-38831 and the directory traversal flaw CVE-2025-6218 allow adversaries to place malicious files outside the intended extraction path, hijacking system configurations or deploying persistent backdoors.
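A defender's pre-extraction check for the directory-traversal class described above, added here as an example (not code from this report): it refuses to unpack any archive whose member names would resolve outside the chosen destination. Python's `zipfile` is used only as a stand-in container, since the check works on member names and applies equally to RAR or tar listings obtained from another tool; the sample archive and its entries are constructed for the example.

```python
"""Refuse extraction when any archive member escapes the destination
directory (the "zip slip" / directory-traversal class of archive flaw).

Added defensive example, not code from the report. zipfile is a
stand-in container format; the sample archive below is constructed.
"""
import io
import os
import tempfile
import zipfile


def unsafe_members(names, dest):
    """Return the member names that would land outside `dest` after extraction."""
    dest_real = os.path.realpath(dest)
    bad = []
    for name in names:
        # Archives may use either separator; normalise to forward slashes.
        candidate = name.replace("\\", "/")
        # Absolute paths and Windows drive letters are never acceptable.
        if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
            bad.append(name)
            continue
        # Resolve ".." segments against the real destination and check containment.
        target = os.path.realpath(os.path.join(dest_real, *candidate.split("/")))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(name)
    return bad


def safe_extract(archive_bytes, dest):
    """Extract only if every member stays under dest; raise before touching disk otherwise."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        bad = unsafe_members(zf.namelist(), dest)
        if bad:
            raise ValueError(f"refusing to extract, traversal members: {bad}")
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive():
    """Constructed archive: one benign entry, one '..' traversal entry, one absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
        zf.writestr("../../outside/payload.cmd", b"constructed")
        zf.writestr("C:\\Windows\\Temp\\evil.dll", b"constructed")
    return buf.getvalue()


def sample_member_names():
    with zipfile.ZipFile(io.BytesIO(build_sample_archive())) as zf:
        return zf.namelist()


def demo():
    """Show the refusal on the constructed archive; returns the flagged names."""
    dest = tempfile.mkdtemp(prefix="extract-")
    try:
        safe_extract(build_sample_archive(), dest)
    except ValueError as exc:
        print(exc)
    return unsafe_members(sample_member_names(), dest)


if __name__ == "__main__":
    print(demo())
```

The containment test uses `realpath` on both sides so symlinked destinations and `..` segments are resolved the same way the filesystem will resolve them; a plain string-prefix check on the raw member name would miss mixed separators and drive-letter forms.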
On the Linux front, the Dirty Pipe vulnerability (CVE-2022-0847) remains a critical tool for privilege escalation. Other vulnerabilities, such as CVE-2019-13272 and CVE-2021-22555, continue to be exploited to gain root access on unpatched servers.
Infection Mechanism
A particularly insidious infection mechanism involves combining Office-based delivery with secondary exploitation of system drivers. Attackers craft RTF documents containing shellcode that invokes Equation Editor through OLE objects. Once the vulnerability is triggered, the shellcode downloads a two-stage payload: a small loader and a full-featured malware binary.
The loader exploits CVE-2025-24071 to harvest NetNTLM hashes from incoming SMB connections, forwarding them to a command-and-control (C2) server. The full payload then exploits CVE-2024-35250 to load a malicious driver into kernel space, granting attackers unrestricted code execution. This dual-exploit chain allows adversaries to bypass user-level defenses and deploy rootkits undetected.
In many incidents, once kernel-level control is achieved, attackers install custom C2 frameworks—such as Sliver or Havoc—to maintain persistence. These implants include in-memory protection to evade antivirus scans and use legitimate Windows services to blend into normal processes. By chaining publicly known exploits, actors can rapidly move from initial compromise to full system control without writing suspicious files to disk.
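As an added example (not the report's own code), a small triage script for the RTF delivery stage described above: it lists the ProgIDs of embedded OLE objects and flags Equation Editor objects (`Equation.3`, the ProgID of the Equation Editor server targeted by CVE-2017-11882 and CVE-2018-0802) and `OLE2Link` objects (the ProgID commonly reported in CVE-2017-0199 documents), plus the `\objupdate` control word that forces an object to activate on open. The RTF control words are standard RTF syntax; both sample documents are constructed, not real malware.

```python
"""Triage an RTF file for embedded OLE objects of the kind that carry
Equation Editor exploits.

Added defensive example, not code from the report. \objclass, \objdata
and \objupdate are standard RTF control words; "Equation.3" and
"OLE2Link" are the ProgIDs of interest. The two samples are constructed.
"""
import re

# Control word naming the OLE server (ProgID) of an embedded object.
OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._\-]+)")
# Hex-encoded object payload follows \objdata; we only count and size it.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")

# Equation.3 is the Equation Editor; OLE2Link is the ProgID commonly seen
# in CVE-2017-0199 documents that fetch a remote payload.
SUSPICIOUS_PROGIDS = {b"Equation.3", b"OLE2Link"}


def triage_rtf(data: bytes) -> dict:
    """Summarise embedded objects; 'suspicious' is True when an object targets
    a ProgID of interest or the document forces object activation on open."""
    # Word also accepts the truncated '{\rt' header, so match on that prefix.
    if not data.lstrip().startswith(b"{\\rt"):
        return {"is_rtf": False, "suspicious": False, "reasons": []}
    classes = OBJCLASS_RE.findall(data)
    payload_hex = sum(len(re.sub(rb"\s", b"", m)) for m in OBJDATA_RE.findall(data))
    reasons = []
    for progid in classes:
        if progid in SUSPICIOUS_PROGIDS:
            reasons.append("embedded object class " + progid.decode())
    if b"\\objupdate" in data:
        reasons.append("\\objupdate forces the object to activate on open")
    return {
        "is_rtf": True,
        "object_classes": [c.decode() for c in classes],
        "object_payload_bytes": payload_hex // 2,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample: an embedded Equation.3 object with a short dummy payload.
SAMPLE_EXPLOIT_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate\\objclass Equation.3"
    b"{\\*\\objdata 0105000002000000 0b0000004571756174696f6e2e330000}}}"
)
# Constructed sample: an ordinary memo with no embedded objects.
SAMPLE_BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}} Hello from a plain memo.\\par}"
)

if __name__ == "__main__":
    for label, doc in (("exploit-like", SAMPLE_EXPLOIT_RTF), ("benign", SAMPLE_BENIGN_RTF)):
        print(label, triage_rtf(doc))
```

This is a first-pass filter for mail gateways or incident triage, not a parser: a document that hides the object behind RTF obfuscation (split control words, nested groups) can slip past a regex, so a hit is a reason to detonate or decode the `\objdata` stream, and a miss is not a clean bill.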
Vulnerability Details
The following table summarizes the vulnerabilities exploited in these attacks:
| CVE | Description | Exploit Type | Affected Platform |
|---------------|------------------------------------------------|-------------------------------|-------------------|
| CVE-2018-0802 | RCE in Office Equation Editor | Embedded OLE exploit | Windows |
| CVE-2017-11882 | RCE in Office Equation Editor | Embedded OLE exploit | Windows |
| CVE-2017-0199 | Control takeover via Office and WordPad | Script-based document exploit | Windows |
| CVE-2023-38831 | Improper file handling in WinRAR | Archive code execution | Windows |
| CVE-2025-24071 | NetNTLM credential theft via .library-ms files | Credential dumping | Windows |
| CVE-2024-35250 | Arbitrary code execution in ks.sys driver | Kernel driver exploit | Windows |
| CVE-2022-0847 | Dirty Pipe privilege escalation | Pipe buffer overwrite | Linux |
| CVE-2019-13272 | Improper privilege inheritance handling | Privilege escalation | Linux |
| CVE-2021-22555 | Heap overflow in Netfilter | Heap-based overflow | Linux |
| CVE-2025-6218 | Directory traversal in WinRAR | Archive path manipulation | Windows |
This consolidated view highlights the persistence of older vulnerabilities alongside newer flaws, underscoring the critical need for timely patching and comprehensive defense-in-depth strategies. Organizations should prioritize updates for both user applications and system components to mitigate the risk of these prevalent exploits in real-world attacks.