NEWS UEFI, Drivers, Browsers — Everything Under Attack at Once. Kaspersky Records a Massive Assault on Computer Subsystems

ExcalibuR

While you were working in Office, hackers were quietly breaching your system.

According to a Kaspersky Lab report for Q2 2025, vulnerability activity has intensified significantly, with nearly all subsystems of modern computers under attack—from UEFI and drivers to browsers, operating systems, and applications. As before, threat actors continue to exploit these vulnerabilities in real-world attacks to gain access to user devices, actively combining them with C2 (Command and Control) frameworks in complex, targeted operations.

An analysis of CVE statistics over the past 5 years shows a steady increase in the total number of registered vulnerabilities. While there were about 2,600 at the beginning of 2024, this number exceeded 4,000 by January 2025. The upward trend continued, with May being the only exception. It's important to note that some CVEs may be registered with IDs from previous years but only published in 2025. Alarmingly, the first half of 2025 also saw a substantial rise in critical vulnerabilities with a CVSS score above 8.9. Although not all vulnerabilities are rated on this scale, a positive trend is observed: critical bugs are more frequently accompanied by detailed descriptions and public analysis, which can lead to faster risk mitigation.

Most Exploited Vulnerabilities:

  • Windows: The most actively exploited vulnerabilities were again old Microsoft Office problems—CVE-2018-0802, CVE-2017-11882, and CVE-2017-0199—affecting the Equation Editor component. These were followed by exploits for WinRAR (CVE-2023-38831), a vulnerability in Windows Explorer (CVE-2025-24071) allowing theft of NetNTLM hashes, and a bug in the ks.sys driver (CVE-2024-35250) enabling arbitrary code execution. These are used for both initial access and privilege escalation.
  • Linux: The most common exploits were Dirty Pipe (CVE-2022-0847), CVE-2019-13272 (related to privilege inheritance), and CVE-2021-22555—a heap overflow vulnerability in the Netfilter subsystem. This confirms the growing interest of attackers in Linux systems, primarily due to their expanding user base.

Trends in Targeted Attacks (APT):

In targeted APT operations, vulnerabilities in remote access tools, document editors, and logging subsystems were exploited most often. Low-code/no-code platforms and even AI application frameworks are now prime targets, showing attacker interest in modern development tooling. Notably, the bugs found were in the platform software itself, not in the code those tools generate.

Leading C2 Frameworks in H1 2025:
Sliver, Metasploit, Havoc, and Brute Ratel C4. These frameworks directly support working with exploits and provide attackers with rich capabilities for persistence, remote control, and further automation.

Key Vulnerabilities Used in Recent APT Operations:

  • CVE-2025-31324 in SAP NetWeaver Visual Composer (RCE, CVSS 10.0)
  • CVE-2024-1709 in ConnectWise ScreenConnect (Auth Bypass, CVSS 10.0)
  • CVE-2024-31839 and CVE-2024-30850 in CHAOS v5.0.1 (XSS and RCE)
  • CVE-2025-33053 in Windows (Arbitrary code execution via improper shortcut path handling)

Other Notable Recently Published Vulnerabilities:

  • CVE-2025-32433: RCE in the Erlang/OTP SSH server, allowing remote command execution without authentication.
  • CVE-2025-6218: A new directory traversal vulnerability in WinRAR, similar to CVE-2023-38831.
  • CVE-2025-3052: A UEFI flaw allowing Secure Boot bypass via insecure handling of NVRAM variables.
  • CVE-2025-49113: Insecure deserialization in Roundcube Webmail (requires auth).
  • CVE-2025-1533: A bug in the AsIO3.sys driver causing a system crash with paths longer than 256 characters.

Conclusion:
The number of vulnerabilities, especially critical ones, continues to grow. Therefore, it is crucial not only to apply updates promptly but also to monitor for C2 agents on compromised systems, focus on endpoint protection, and implement a flexible patch management policy. Only this approach can effectively reduce exploitation risks and ensure infrastructure resilience.
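The statistics paragraph above makes a point that is easy to get wrong when tracking these numbers yourself: a CVE whose ID carries a previous year can still be published in 2025, so counting by ID year and counting by publication year give different totals, and "critical" means strictly above the report's 8.9 CVSS cut-off. The following is an added example (not code from the post or from Kaspersky) that applies both rules to a small constructed record set; the record format and the sample values are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class CveRecord:
    cve_id: str              # e.g. "CVE-2024-0001"
    published: date          # date the entry was made public
    cvss: Optional[float]    # None when no CVSS score has been assigned


CRITICAL_THRESHOLD = 8.9     # the report's cut-off: a score "above 8.9" is critical


def id_year(cve_id: str) -> int:
    """Year encoded in the identifier: when the ID was reserved, not when it was published."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit() or not parts[2].isdigit():
        raise ValueError(f"malformed CVE id: {cve_id!r}")
    return int(parts[1])


def count_by_id_year(records: List[CveRecord]) -> Counter:
    """Naive tally that attributes each entry to the year in its ID."""
    return Counter(id_year(r.cve_id) for r in records)


def count_by_published_year(records: List[CveRecord]) -> Counter:
    """Tally by the year the entry was actually published, which is what the report tracks."""
    return Counter(r.published.year for r in records)


def critical(records: List[CveRecord]) -> List[CveRecord]:
    """Entries the report would count as critical: scored, and strictly above the threshold."""
    return [r for r in records if r.cvss is not None and r.cvss > CRITICAL_THRESHOLD]


# Constructed sample records (hypothetical IDs and scores, not real CVE data).
SAMPLE = [
    CveRecord("CVE-2024-0001", date(2024, 3, 2), 7.5),
    CveRecord("CVE-2024-0002", date(2025, 1, 14), 9.8),   # 2024 ID, but published in 2025
    CveRecord("CVE-2025-0001", date(2025, 2, 20), 8.9),   # exactly 8.9: not "above", so not critical
    CveRecord("CVE-2025-0002", date(2025, 5, 5), None),   # unscored, excluded from the critical count
    CveRecord("CVE-2025-0003", date(2025, 6, 30), 10.0),
]
```

Run against the sample, the ID-year tally puts two entries in 2024 while the publication-year tally puts only one there, and just two of the five records are critical.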