“To take advantage of this vulnerability, an authenticated attacker would want to run a specifically crafted software on the goal system to use the vulnerability to raise their privileges to a Medium Integrity Degree.”
The second exploited zero day, CVE-2024-43451, earns a decrease CVSS of 6.5 however will nonetheless be a fear, on condition that it’s a hash disclosure flaw within the now deprecated NTLMv2 affecting all variations of Home windows stretching again to Home windows Server 2008.
For a hacker, essentially the most direct route previous security is to defeat or bypass authentication not directly. That may be accomplished by stealing passwords, but in addition by stealing their hashes. Within the case of this flaw, that may permit an attacker to conduct a pass-the-hash assault by siphoning off the hash from reminiscence earlier than utilizing it to authenticate on a goal system.
