CISA has issued an urgent security advisory, adding Microsoft Windows privilege escalation vulnerability CVE-2021-43226 to its Known Exploited Vulnerabilities (KEV) catalog on October 6, 2025. 

The vulnerability affects the Microsoft Windows Common Log File System (CLFS) Driver and poses significant security risks to enterprise environments.

The CVE-2021-43226 vulnerability resides within Microsoft’s Common Log File System Driver, a core Windows component responsible for managing transaction logging operations. 

Microsoft Windows Privilege Escalation Flaw (CVE-2021-43226)

This privilege escalation flaw allows local, authenticated attackers with existing system access to bypass critical security mechanisms and elevate their privileges to SYSTEM level access.

According to Microsoft’s Security Response Center, the vulnerability stems from improper validation of user-supplied data within the CLFS driver’s memory management routines. 

Attackers can exploit this weakness by crafting malicious CLFS log files that trigger buffer overflow conditions, leading to arbitrary code execution with elevated privileges. 

The exploit requires local access and standard user privileges as prerequisites, making it particularly dangerous in enterprise environments where attackers have already gained an initial foothold through phishing or social engineering attacks.

The vulnerability affects multiple Windows versions, including Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022. 

Security researchers have identified proof-of-concept exploit code circulating in underground forums, increasing the likelihood of active exploitation campaigns.

Mitigations 

CISA has established a mandatory remediation deadline of October 27, 2025, requiring federal agencies and critical infrastructure organizations to implement security patches immediately. 

The directive follows Binding Operational Directive (BOD) 22-01 guidelines, which mandate swift action against vulnerabilities with evidence of active exploitation.

Organizations must apply Microsoft’s security updates through the standard Windows Update mechanism or Windows Server Update Services (WSUS) for enterprise deployments. 

System administrators should prioritize patching domain controllers, file servers, and other critical infrastructure components first. 

For systems unable to receive immediate updates, Microsoft recommends implementing Application Control policies and Windows Defender Exploit Guard as temporary mitigations.

The vulnerability’s addition to CISA’s KEV catalog indicates confirmed exploitation in real-world attack scenarios, though specific ransomware campaign attribution remains unknown. 

Security teams should monitor for suspicious Event ID 4656 and 4658 logs indicating unauthorized file system access attempts, particularly involving CLFS-related processes like clfs.sys and clfsw32.dll.

Organizations should conduct immediate vulnerability assessments using tools like Microsoft Baseline Security Analyzer or third-party scanners to identify vulnerable systems across their infrastructure.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post CISA Warns of Windows Privilege Escalation Vulnerability Exploited in Attacks appeared first on Cyber Security News.

A new command injection vulnerability in OpenSSH, tracked as CVE-2025-61984, has been disclosed, which could allow an attacker to achieve remote code execution on a victim’s machine.

The vulnerability is a bypass of a previous fix for a similar issue (CVE-2023-51385) and exploits how the ProxyCommand feature interacts with the underlying system shell when handling specially crafted usernames.

The core of the vulnerability lies in OpenSSH’s failure to properly sanitize control characters, such as newlines, within usernames. An attacker can create a username that includes a newline character followed by a malicious command.

This username is then passed to the shell via SSH’s ProxyCommand. While OpenSSH filters many dangerous shell metacharacters, it does not filter characters that could force a syntax error in certain shells.

When a shell like Bash, Fish, or csh processes the ProxyCommand, the crafted syntax error on the first line, the command fails, but the shell does not exit.

Instead, it proceeds to execute the command on the next line, which is the malicious payload supplied by the attacker. This behavior effectively bypasses security measures intended to prevent command execution, opening the door for an RCE.

The Git Submodule Attack Vector

The most practical exploitation scenario for CVE-2025-61984 involves a malicious Git repository. An attacker can configure a submodule within their repository to use a URL containing the malicious, multi-line username.

If a victim clones this repository recursively (git clone --recursive), Git will attempt to connect via SSH to fetch the submodule. This triggers the vulnerability ProxyCommand if the user has a specific configuration.

The exploit requires two conditions on the victim’s machine: a shell that continues execution after a syntax error (like Bash) and an SSH configuration file (~/.ssh/config) with a ProxyCommand that uses the %r token to include the remote username.

Notably, the secure shell Zsh is not vulnerable to this technique as it terminates upon encountering such errors. Tools like Teleport have been found to generate SSH configurations that use this vulnerable pattern, potentially increasing the attack surface.

Mitigations

The OpenSSH project has released a patch in version 10.1 that fully addresses this vulnerability by disallowing control characters in usernames. All users are strongly urged to upgrade to this version or newer.

For systems that cannot be immediately updated, several mitigations can be implemented.

Users can edit their SSH configurations to enclose the %r token in single quotes ('%r') within any ProxyCommand directive, which prevents the shell from interpreting the special characters.

Another effective defense-in-depth measure is to configure Git to restrict the automatic use of SSH for submodules.

This vulnerability serves as a critical reminder of the complex security risks that can emerge from the interactions between trusted developer tools.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post OpenSSH Vulnerability Exploited Via ProxyCommand to Execute Remote Code – PoC Released appeared first on Cyber Security News.