CVE-2025-24983

win32k.sys — use-after-free via W32PROCESS race condition, exploited ITW since 2023

Exploited in the Wild

Actively exploited since March 2023. Discovered by ESET and delivered via the PipeMagic backdoor.

Summary

Field                Value
Driver               win32k.sys
Vulnerability Class  Use-After-Free / Race Condition
CVSS                 7.0
Exploited ITW        Yes (since March 2023)
Patch Date           March 11, 2025

Affected Functions

  • W32PROCESS structure management
  • WaitForInputIdle API path

Root Cause

When triggered via the WaitForInputIdle API, the W32PROCESS structure is dereferenced (its reference released) one more time than intended. Because another thread can be accessing the same W32PROCESS at that moment, the extra release turns into a use-after-free: one thread frees the structure while the other still holds a stale pointer to it.

ESET researcher Filip Jurcacko discovered this vulnerability had been actively exploited since March 2023. The exploit was delivered through the PipeMagic backdoor and primarily targeted Windows 8.1, Server 2012 R2, Windows 10, and Server 2016.

Vulnerable Code Path

WaitForInputIdle
  → W32PROCESS reference acquisition (race window)
  → concurrent thread frees W32PROCESS
  → stale reference dereference (UAF)
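The root cause and the code path above describe a reference-count bug class (one release too many on a shared object while a second thread still holds a pointer). The following is an added, deliberately simplified user-mode model of that class; it is not win32k code and none of its names (proc_t, wait_path_buggy, wait_path_fixed, simulate) exist in Windows. Instead of calling free(), it sets a poison flag so the stale access is detectable deterministically rather than being undefined behaviour.

```c
#include <stdio.h>
#include <stdbool.h>

/* Hypothetical reference-counted process object modelling the lifetime
   problem discussed above. Not copied from or equivalent to W32PROCESS. */
typedef struct proc {
    int refcount;
    bool freed;   /* poison flag: set instead of calling free() so that a
                     stale access can be detected rather than crash */
    int pid;
} proc_t;

static void proc_init(proc_t *p, int pid) {
    p->refcount = 1;   /* the owner's reference */
    p->freed = false;
    p->pid = pid;
}

static proc_t *proc_acquire(proc_t *p) {
    p->refcount++;
    return p;
}

static void proc_release(proc_t *p) {
    if (--p->refcount == 0) {
        p->freed = true;   /* object lifetime ends here */
        p->pid = -1;
    }
}

/* Returns the pid of a live object, or -1 when the pointer is stale. */
static int proc_use(const proc_t *p) {
    return p->freed ? -1 : p->pid;
}

/* Vulnerable variant of a "wait" path: takes one reference, drops two.
   This is the "one more release than intended" pattern. */
static void wait_path_buggy(proc_t *p) {
    proc_t *ref = proc_acquire(p);
    /* ... work on ref ... */
    proc_release(ref);
    proc_release(ref);   /* extra release: the bug */
}

/* Corrected variant: every acquire is matched by exactly one release. */
static void wait_path_fixed(proc_t *p) {
    proc_t *ref = proc_acquire(p);
    /* ... work on ref ... */
    proc_release(ref);
}

/* Deterministic replay of the racy interleaving: thread A holds a reference
   across the time thread B runs the wait path, after the owner has already
   dropped its own reference. Returns what thread A sees when it finally
   dereferences its pointer. */
int simulate(bool buggy) {
    proc_t p;
    proc_init(&p, 4242);                            /* refcount 1 (owner) */

    proc_t *held_by_thread_a = proc_acquire(&p);    /* refcount 2 */
    proc_release(&p);                               /* owner lets go: 1 */

    if (buggy)
        wait_path_buggy(&p);    /* 1 -> 2 -> 1 -> 0: freed under thread A */
    else
        wait_path_fixed(&p);    /* 1 -> 2 -> 1: still live */

    return proc_use(held_by_thread_a);
}

int main(void) {
    printf("buggy path: %d\n", simulate(true));    /* -1: stale pointer */
    printf("fixed path: %d\n", simulate(false));   /* 4242: object still live */
    return 0;
}
```

The point of the model is the invariant a reviewer checks on any such path: each acquire pairs with exactly one release, and the last release must not be reachable while another holder's pointer is still in use. The buggy variant returns -1 because the count reaches zero under thread A; the fixed variant leaves the object alive for the remaining holder.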

Exploitation

The attacker must win a race condition to trigger the UAF. Once the freed W32PROCESS memory is reclaimed with controlled data, the stale dereference operates on attacker-supplied content. Token manipulation then yields SYSTEM.

Exploitation Primitive

W32PROCESS UAF via WaitForInputIdle race
  → heap reclaim with controlled data
  → token manipulation → SYSTEM

References