Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws: in storage drivers, in Hyper-V, in the network stack, even in a 20-year-old third-party modem driver. They don't each need their own post. Together they make one point about patching Windows fast.
Read the Windows entries that landed in the catalog across 2025 and 2026 and a clear shape emerges: most are privilege escalations, in the kernel, in drivers, in the components that turn a foothold into SYSTEM, and a handful are the user-interaction RCEs that provide the foothold in the first place. They span different components but tell one story, and the response is the same for nearly all of them. Grouping by component is more useful than a post per CVE.
Kernel storage drivers (the March 2025 cluster)
A run of NTFS and FAT bugs was exploited together: CVE-2025-24984 and CVE-2025-24991 (NTFS information disclosure), CVE-2025-24993 (NTFS heap-based buffer overflow, RCE), and CVE-2025-24985 (an integer overflow in the Fast FAT driver, RCE). The common trigger was mounting a malicious virtual hard disk (VHD): getting a user to open a crafted disk image is enough to run the vulnerable parsing code in the kernel. (CVE-2025-24984 is the odd one out; Microsoft's advisory describes a malicious USB drive being plugged in rather than a VHD.) They were patched alongside the Win32 kernel subsystem use-after-free EoP CVE-2025-24983 and the MMC security-feature bypass CVE-2025-26633, which made March 2025 a heavily exploited Patch Tuesday. Lesson: file-system parsers run in the kernel and process attacker-controlled images, so treat mounting untrusted disk images as dangerous, and remember that double-clicking a .vhd, .vhdx or .iso in Explorer mounts it with no prompt.
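One practical control that follows from the VHD trigger is to identify disk images by content at the mail gateway or download proxy rather than trusting the extension. The snippet below is an added example (not code from the original post) that checks the on-disk signatures of the three formats Explorer mounts on double-click: the VHD "conectix" cookie (in the 512-byte footer, and also at offset 0 for dynamic or differencing disks), the VHDX "vhdxfile" identifier at offset 0, and the ISO 9660 "CD001" primary volume descriptor at byte 0x8001. The sample files and the `classify_attachment` policy are constructed for the example.

```python
"""Content-based detection of disk-image attachments, regardless of extension.

Added example, not from the original post. Signatures checked:
  VHD  : b"conectix" at the start of the last 512 bytes (footer); dynamic and
         differencing VHDs also carry a footer copy at offset 0.
  VHDX : b"vhdxfile" in the first 8 bytes.
  ISO  : volume descriptors start at sector 16 (0x8000); the primary one is
         type byte 0x01 followed by b"CD001", so the magic sits at 0x8001.
"""
from typing import Optional

VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"
ISO_PVD_OFFSET = 0x8000
ISO_MAGIC = b"CD001"


def sniff_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhd', 'vhdx' or 'iso' if data looks like a mountable image, else None."""
    if data.startswith(VHDX_SIGNATURE):
        return "vhdx"
    if data.startswith(VHD_COOKIE) or (len(data) >= 512 and data[-512:].startswith(VHD_COOKIE)):
        return "vhd"
    if len(data) > ISO_PVD_OFFSET + 6 and data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == ISO_MAGIC:
        return "iso"
    return None


def classify_attachment(name: str, data: bytes) -> str:
    """Constructed policy: block every disk image; note when the extension disagrees with the content."""
    kind = sniff_disk_image(data)
    if kind is None:
        return "allow"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext != kind:
        return f"block:{kind}-disguised-as-.{ext or 'none'}"
    return f"block:{kind}"


# Constructed sample attachments (minimal byte layouts, not real images).
SAMPLES = {
    "invoice.vhd": b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504,          # fixed VHD: cookie only in footer
    "photos.vhdx": VHDX_SIGNATURE + b"\x00" * 1024,
    "setup.iso": b"\x00" * ISO_PVD_OFFSET + b"\x01" + ISO_MAGIC + b"\x01\x00",
    "report.docx": b"PK\x03\x04" + b"\x00" * 60,                         # a zip/OOXML container, not an image
    "quote.pdf": VHDX_SIGNATURE + b"\x00" * 1024,                        # VHDX renamed to look like a PDF
}

if __name__ == "__main__":
    for filename, blob in SAMPLES.items():
        print(f"{filename:14s} -> {classify_attachment(filename, blob)}")
```

Explorer only auto-mounts by extension, so the renamed VHDX in the sample would not mount on double-click; the reason to sniff content anyway is that the same file reaches `Mount-DiskImage`, archive extractors and scripted pipelines where the extension is not what decides. A gateway check like this complements the patch; it does not replace it.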
A 20-year-old third-party driver
CVE-2025-24990 is an elevation of privilege in ltmdm64.sys, the Agere Systems modem driver that shipped with Windows for two decades, long after anyone used a fax modem. Microsoft's fix, in the October 2025 update, was to remove the driver entirely rather than patch it; fax modems that depended on it stop working. It's a clean reminder that legacy components bundled into the OS are attack surface you didn't choose and may not know is there, the same theme as the legacy runtimes and SOHO devices elsewhere in the catalog.
Hyper-V
CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335 are exploited elevation-of-privilege flaws in the Hyper-V NT Kernel Integration VSP (vkrnlintvsp.sys). Microsoft's advisories describe all three as local escalation to SYSTEM; whether the in-the-wild exploits were driven from inside a guest is not stated there. The VSP is host-side kernel code that services virtualized workloads, so a memory-safety bug in it sits on the virtualization boundary. That boundary is supposed to be a hard isolation layer; when its host components are exploitable, a compromised VM or sandbox threatens the host and its neighbors.
Network stack and protocol handlers
CVE-2025-21418 and CVE-2025-32709 are EoP bugs in afd.sys (the Ancillary Function Driver for WinSock), a recurring local-privesc target. CVE-2025-33073 is a Windows SMB client flaw: coerce a machine into authenticating to an attacker-controlled SMB server, reflect that NTLM authentication back at the same machine, and the attacker gets SYSTEM on it; enforcing SMB signing blocks the reflection. CVE-2025-33053 is a WebDAV remote code execution triggered by opening a crafted .url shortcut that points at an attacker's WebDAV share. These are the network-facing and relay-style bugs that either escalate locally or pull a victim into execution.
Graphics, scripting, and the rest
CVE-2025-30400 (DWM Core Library EoP, the same component as the QakBot-exploited CVE-2024-30051), CVE-2025-30397 (Scripting Engine memory-corruption RCE), and a series of further Windows EoP entries (CVE-2025-21391, the three Hyper-V bugs above, CVE-2025-59230, CVE-2025-60710, CVE-2025-62215, CVE-2025-62221, CVE-2026-20805, CVE-2026-21519, CVE-2026-21525, CVE-2026-21533) round out a steady cadence of exploited privilege escalations in graphics, common controls, RRAS, and kernel components.
The point, and what to do
The takeaway isn’t any single bug; it’s the cadence. Month after month, the Windows flaws that get exploited are overwhelmingly privilege escalations, the second stage attackers reach for after a phish or a foothold, plus the occasional user-interaction RCE that is the foothold. That has direct operational implications:
- Apply Patch Tuesday updates across the whole fleet, fast, including workstations. The exploited EoP bugs land on the endpoints where footholds start, so workstation patching is not lower priority than servers.
- Don’t deprioritize “local” EoP. As argued throughout this series (APT34/CVE-2024-30088), local privilege escalation is the load-bearing step in nearly every intrusion. Weight it like the criticals.
- Treat user-interaction RCEs as phishing defense too. The VHD-mount and WebDAV/scripting bugs need a user to open something; email filtering, attachment handling, and ASR rules complement patching.
- Hunt for the escalation, not just the entry. A SYSTEM-context process whose parent ran as an ordinary user, EDR services going dark, and anomalous driver loads (unsigned, from a user-writable path, or a legacy driver like ltmdm64.sys) are the signals that a foothold is becoming domain-relevant.
- Mind legacy components in the OS. The Agere driver removal is a prompt to audit what old, unused drivers and features are still present and reduce them.
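The hunting bullet above is easier to act on as concrete rules. The snippet below is an added example (not code from the original post) that runs three heuristics over a constructed, simplified event stream: a SYSTEM child spawned by a parent running as a normal user, a driver load that is unsigned, outside System32\drivers, or a known legacy driver (ltmdm64.sys from the Agere case), and a stop of a Defender or Defender for Endpoint service. The field names loosely follow Sysmon process-create and driver-load events and the System log's service-state events, but the schema, the parent allowlist and the sample events are all made up for the example.

```python
"""Hunt for the escalation step, not the initial foothold.

Added example, not from the original post. The event schema below is a
constructed simplification; map it onto your own Sysmon/EDR fields.
"""
from typing import Callable, Dict, List, Tuple

SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service", "nt authority\\network service"}
# Parents that legitimately launch SYSTEM children through the service/task machinery (assumed allowlist).
ELEVATION_BROKERS = {"services.exe", "svchost.exe", "wininit.exe", "taskhostw.exe"}
LEGACY_DRIVERS = {"ltmdm64.sys"}                         # Agere modem driver, removed in Oct 2025 (CVE-2025-24990)
SECURITY_SERVICES = {"windefend", "sense", "wdnissvc"}   # Defender AV, Defender for Endpoint, Network Inspection
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

Finding = Tuple[str, str]   # (rule name, detail)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Dict) -> List[Finding]:
    """Rule 1: child runs as SYSTEM but the parent ran as an ordinary user and is not a known broker."""
    child_sys = ev["user"].lower() in SYSTEM_ACCOUNTS
    parent_sys = ev["parent_user"].lower() in SYSTEM_ACCOUNTS
    if child_sys and not parent_sys and _basename(ev["parent_image"]) not in ELEVATION_BROKERS:
        return [("user_to_system", f"{ev['parent_image']} ({ev['parent_user']}) -> {ev['image']} as {ev['user']}")]
    return []


def check_driver(ev: Dict) -> List[Finding]:
    """Rule 2: legacy, unsigned, or out-of-place driver loads."""
    path = ev["image_loaded"]
    out: List[Finding] = []
    if _basename(path) in LEGACY_DRIVERS:
        out.append(("legacy_driver", path))
    if not ev.get("signed", False):
        out.append(("unsigned_driver", path))
    if not path.lower().startswith(DRIVER_DIR):
        out.append(("driver_outside_drivers_dir", path))
    return out


def check_service(ev: Dict) -> List[Finding]:
    """Rule 3: a security-tool service entered the stopped state."""
    if ev["service"].lower() in SECURITY_SERVICES and ev["state"].lower() == "stopped":
        return [("security_service_stopped", ev["service"])]
    return []


HANDLERS: Dict[str, Callable[[Dict], List[Finding]]] = {
    "process_create": check_process,
    "driver_load": check_driver,
    "service_state": check_service,
}


def hunt(events: List[Dict]) -> List[Finding]:
    """Apply every rule to every event, in stream order."""
    findings: List[Finding] = []
    for ev in events:
        handler = HANDLERS.get(ev["event"])
        if handler is not None:
            findings.extend(handler(ev))
    return findings


# Constructed sample stream: a user opens a document, a loader runs, then the SYSTEM step.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\services.exe", "parent_user": "NT AUTHORITY\\SYSTEM"},   # normal
    {"event": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "user": "CORP\\alice",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "parent_user": "CORP\\alice"},                                                                  # foothold
    {"event": "process_create", "image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe", "parent_user": "CORP\\alice"},  # escalation
    {"event": "driver_load", "image_loaded": "C:\\Windows\\System32\\drivers\\ltmdm64.sys", "signed": True},
    {"event": "driver_load", "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\drv.sys", "signed": False},
    {"event": "service_state", "service": "Sense", "state": "stopped"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The user-to-SYSTEM rule is the one that maps directly onto the EoP cadence in this post: every exploited kernel, driver or DWM bug ends with a SYSTEM-context process whose lineage started under a user token. Expect to tune the broker allowlist to your environment; the point is that the parent/child token mismatch, not the CVE, is what you can hunt before the patch is deployed.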
The reframe is to stop reading each Windows CVE as a discrete event and read the stream: the exploited Windows bug is almost always a privilege escalation, which means your patch cadence on endpoints, and your detection of escalation behavior, are what actually decide whether a foothold becomes a breach. Apply Patch Tuesday promptly and everywhere, watch for the SYSTEM step, and retire the legacy bits of Windows you forgot were running. We track the Windows entries as one continuous cadence, because that's how the attackers exploit them.