
The Bug Report - March 2025 Edition

Why am I here?

Welcome to the March 2025 edition of The Bug Report—where the bracket-breaking isn’t just happening on the court.

While US college basketball fans are busy filling out brackets and chasing Cinderella stories, we’ve been filling out CVE write-ups and chasing PoCs through kernel panic replays and Tomcat logs. Our flavor of madness doesn’t come with overtime—just overflows.

This month’s threat landscape reads more like a Final Four of vulnerabilities. From Apache Tomcat’s accidental assist on Remote Code Execution, to Hyper-V playing fast and loose with privilege boundaries, to both Windows and Linux systems showing us the dangers of legacy code, we’ve got an action-packed lineup that’ll leave defenders scrambling.

So grab your favorite snacks (or that fifth cup of coffee), and let’s break down the bugs that made the cut in March:

CVE-2025-24813: Apache Tomcat, Remote Code Execution
CVE-2025-21333: Microsoft Windows Hyper-V, Privilege Escalation
CVE-2025-24985: Microsoft Windows FASTFAT.SYS, Remote Code Execution
CVE-2025-0927: Linux Kernel HFS+, Privilege Escalation

Let’s jump ball.


CVE-2025-24813: PUT your session in danger

What is it?

Apache Tomcat just pulled a no-look pass—straight to the attacker. 🏀

CVE-2025-24813 stems from how Apache Tomcat’s default servlet handles partial PUT requests when they are enabled. On receiving one, Tomcat stages the upload in a temporary file named from the user-supplied path, with every path separator replaced by a period (e.g., / becomes .).

Harmless, right? Wrong.

That behavior allows crafty attackers to drop or overwrite files in unexpected places—especially if your upload directory overlaps with a directory holding sensitive data, or worse, session data.

And if your app uses file-based session persistence (Tomcat does by default), attackers can overwrite a session file with a deserialization payload targeting gadgets like Apache Commons-Collections or SnakeYAML. When Tomcat deserializes it during session restoration?

Boom: Remote Code Execution.

[Image: PUT-ing it right into the attacker’s hands…]

Who cares?

If you're running an Apache Tomcat server that:

  • Uses file-based session persistence,
  • Has partial PUT enabled (default: yes),
  • AND hasn’t disabled write permissions to the default servlet (default: no),

...then congratulations, you’ve got a potentially unauthenticated RCE vector on your hands.

Even more fun: there's a public PoC/scanner floating around, which means this is no longer theoretical. Attackers only need to know or guess the session filename (which, by default, follows predictable naming patterns).

What can I do?

Patch like your job depends on it. Apache recommends upgrading to:

  • Apache Tomcat 11.0.3+
  • Tomcat 10.1.35+
  • Tomcat 9.0.99+
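To turn the preconditions above into something you can check against a deployment, here is an added example (not Tomcat’s code and not from the original post) that reads a web.xml, finds the DefaultServlet declaration, and reports whether its readonly and allowPartialPut settings leave the partial-PUT write path open. The two web.xml documents are constructed for the demonstration; the init-param names are Tomcat’s documented ones, and the defaults the code assumes when a parameter is absent (readonly=true, allowPartialPut=true) are the shipped defaults of the affected versions.

```python
import xml.etree.ElementTree as ET

# Tomcat's file-serving servlet; its init-params in web.xml decide whether PUT is honoured.
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace (javaee or jakartaee) so tag names compare cleanly."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_init_params(web_xml):
    """Return {param-name: param-value} for the DefaultServlet declaration in web.xml."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = ""
        params = {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                name = value = None
                for field in child:
                    if _local(field.tag) == "param-name":
                        name = (field.text or "").strip()
                    elif _local(field.tag) == "param-value":
                        value = (field.text or "").strip()
                if name:
                    params[name] = value
        if servlet_class == DEFAULT_SERVLET_CLASS:
            return params
    return {}


def _as_bool(value, default):
    """init-param values are strings; an absent parameter means Tomcat's built-in default."""
    return default if value is None else value.lower() == "true"


def assess_default_servlet(web_xml):
    """Report whether this web.xml leaves the partial-PUT write path open."""
    params = default_servlet_init_params(web_xml)
    readonly = _as_bool(params.get("readonly"), True)            # Tomcat ships readonly=true
    partial_put = _as_bool(params.get("allowPartialPut"), True)  # partial PUT handling on by default
    findings = []
    if not readonly:
        findings.append("readonly=false: PUT/DELETE can write into the web application")
        if partial_put:
            findings.append("allowPartialPut=true with writes enabled: attacker-named temp files "
                            "are reachable (CVE-2025-24813 precondition)")
    return {"readonly": readonly, "allowPartialPut": partial_put, "findings": findings}


# Constructed samples (not real deployments): a writable DefaultServlet and a hardened one.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess_default_servlet(doc))
```

Run it against $CATALINA_BASE/conf/web.xml as well as each application’s own WEB-INF/web.xml, since the global file defines the default servlet for every context and an application can override it. The session-persistence precondition lives in the Manager configuration (context.xml or server.xml), not in web.xml, so this check covers only the write side of the bug.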

CVE-2025-21333: Hyper-V hits hyperspeed to SYSTEM

What is it?

Hyper-V got crossed up so hard it ended up face-first on the floor.

This bug affects the NT Kernel Integration VSP (Virtualization Service Provider), where I/O Ring (IORING) pointers used for virtual device communication are not properly validated before use. By manipulating the I/O ring’s submission queue and abusing unchecked pointers in the IORING_CQE structures, an attacker can gain arbitrary kernel memory read/write, leading to full SYSTEM access from a standard user context.

🏀 Technical Breakdown:

Attackers abuse IORING_SUBMIT_WORK structures with corrupted IORING_CQE queues, triggering a memory write via memcpy or pointer dereference to attacker-controlled memory.

From there, they manipulate heap layout and swap tokens in memory (PsReferencePrimaryToken, anyone?) to gain SYSTEM shell privileges.

WNF spraying helps groom memory allocations predictably—a precision move right out of the heap feng shui playbook.

🎯 Clutch Exploit Path:

  • Heap spray with IORING buffers
  • Trigger kernel read/write primitive
  • Swap process token using leaked address
  • Enjoy your SYSTEM dunk

Already spotted in the wild—and there’s a public PoC.

[Image: Going from userland to SYSTEM in one leap.]

Who cares?

Anyone using Windows Sandbox or MDAG on an unpatched system should be very concerned. This isn’t a guest-to-host escape—but it does affect the host OS. If an attacker has local access, they can escalate to SYSTEM. If you’re in enterprise environments with strict application isolation via sandboxing, this bug pokes a huge hole in your assumptions.

What can I do?

Patch immediately. Microsoft fixed this in January 2025.

This has been actively exploited, and the exploit is already making its rounds in offensive toolkits.


CVE-2025-24985: FastFAT’s fatally flawed legacy

What is it?

File system defense? More like zone coverage with no one in the paint.

CVE-2025-24985 is a critical vulnerability in FASTFAT.SYS, the Windows driver responsible for handling FAT12/16/32 file systems. A lack of input validation when parsing filesystem metadata leads to an integer overflow, followed by a heap-based buffer overflow.

In plain English, give the kernel a malicious VHD with malformed FAT structures, and you could be running arbitrary code in kernel mode.

This isn't just a crashable DoS bug—it’s a full kernel RCE. And yes, it’s been exploited in the wild.
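The bug class here (an integer overflow feeding a heap allocation while parsing on-disk metadata) is easier to reason about with a concrete parser in front of you. The following is an added illustration in Python, not FASTFAT.SYS code and not the actual CVE-2025-24985 code path, which Microsoft has not published: it parses a FAT BIOS Parameter Block, computes the FAT size the way an unchecked 32-bit C driver would (so the product wraps to a tiny value), and beside it the validated computation that rejects the same metadata before any allocation is sized from it. Both boot sectors are constructed for the example.

```python
import struct

U32_MAX = 0xFFFFFFFF


def parse_bpb(boot_sector):
    """Pull the BIOS Parameter Block fields out of a 512-byte FAT boot sector."""
    if len(boot_sector) < 512:
        raise ValueError("boot sector too short")
    (bytes_per_sector, sectors_per_cluster, reserved_sectors,
     num_fats, root_entries, total_sectors16) = struct.unpack_from("<HBHBHH", boot_sector, 11)
    fat_size16 = struct.unpack_from("<H", boot_sector, 22)[0]
    total_sectors32 = struct.unpack_from("<I", boot_sector, 32)[0]
    fat_size32 = struct.unpack_from("<I", boot_sector, 36)[0]  # FAT32 only; zero on FAT12/16
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "reserved_sectors": reserved_sectors,
        "num_fats": num_fats,
        "root_entries": root_entries,
        "total_sectors": total_sectors16 or total_sectors32,
        "fat_sectors": fat_size16 or fat_size32,
    }


def fat_bytes_unchecked(bpb):
    """Legacy-style size computation: a 32-bit multiply with no overflow check.

    The mask reproduces what a C driver holding the result in a ULONG would see; a wrapped
    result sizes an undersized heap buffer that the real FAT data then overruns."""
    return (bpb["fat_sectors"] * bpb["bytes_per_sector"]) & U32_MAX


def validate_bpb(bpb):
    """Reject metadata outside the FAT specification or that cannot be sized in 32 bits."""
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        raise ValueError("bytes_per_sector must be 512/1024/2048/4096")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1) or spc > 128:
        raise ValueError("sectors_per_cluster must be a power of two <= 128")
    if bpb["reserved_sectors"] == 0 or bpb["num_fats"] not in (1, 2):
        raise ValueError("reserved_sectors / num_fats out of range")
    if bpb["fat_sectors"] == 0 or bpb["total_sectors"] == 0:
        raise ValueError("zero-length FAT or volume")
    if bpb["fat_sectors"] * bpb["bytes_per_sector"] > U32_MAX:
        raise ValueError("FAT byte size overflows 32 bits")
    if bpb["reserved_sectors"] + bpb["num_fats"] * bpb["fat_sectors"] > bpb["total_sectors"]:
        raise ValueError("FAT region extends past the volume")


def fat_bytes_checked(bpb):
    """Hardened size computation: validate first, then multiply in unbounded arithmetic."""
    validate_bpb(bpb)
    return bpb["fat_sectors"] * bpb["bytes_per_sector"]


def accepts(boot_sector):
    """True if the hardened path accepts this boot sector, False if it rejects it."""
    try:
        fat_bytes_checked(parse_bpb(boot_sector))
        return True
    except ValueError:
        return False


def _boot_sector(bps, spc, reserved, num_fats, fat_size16, total16, total32, fat_size32):
    """Build a constructed 512-byte boot sector; only the BPB fields matter for this example."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x58\x90"                       # jump instruction, as real volumes carry
    struct.pack_into("<HBHBHH", sector, 11, bps, spc, reserved, num_fats, 0, total16)
    struct.pack_into("<BH", sector, 21, 0xF8, fat_size16)  # media descriptor, FATSz16
    struct.pack_into("<I", sector, 32, total32)
    struct.pack_into("<I", sector, 36, fat_size32)
    sector[510:512] = b"\x55\xAA"                       # boot signature
    return bytes(sector)


# Constructed: a sane FAT16-style volume, and a hostile FAT32-style one whose FAT size
# (0x400000 sectors * 4096 bytes = 2**34) wraps to 0 in 32-bit arithmetic.
SANE_BOOT_SECTOR = _boot_sector(512, 8, 1, 2, 0x100, 0, 0x100000, 0)
HOSTILE_BOOT_SECTOR = _boot_sector(4096, 8, 32, 2, 0, 0, 0xFFFFFFFF, 0x400000)

if __name__ == "__main__":
    for name, sec in (("sane", SANE_BOOT_SECTOR), ("hostile", HOSTILE_BOOT_SECTOR)):
        bpb = parse_bpb(sec)
        print(name, "unchecked:", fat_bytes_unchecked(bpb), "accepted:", accepts(sec))
```

The point of the pair is that the hostile volume is internally consistent enough to pass a naive parse: every field is individually plausible, and only the product of two of them is impossible. That is the shape of check a metadata parser running in kernel mode has to make before it sizes anything.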

Who cares?

Anyone using Windows.

Specifically, if your users can be tricked into mounting VHD files (via phishing, remote scripts, or malicious USB sticks), then this bug becomes a serious threat vector.

This vulnerability is particularly dangerous in environments where:

  • Removable drives are common,
  • Legacy file formats still exist (IoT, embedded),
  • Virtual disks are used for provisioning or deployment.

And just like that, you're in Ring 0.

What can I do?

Apply the March 2025 Patch Tuesday update. Microsoft issued fixes across:

  • Windows 10
  • Windows 11
  • Windows Server (2008 – 2025)

Trellix customers: Trellix Intrusion Prevention System (IPS) and MVX contain detection coverage for this vulnerability. Ensure you have the latest signature sets applied for these solutions. For IPS, this alert requires the HTTP response feature to be enabled. This attack will not be detected if the HTTP response option is disabled.


CVE-2025-0927: Linux HFS+ bug digs deep

What is it?

This one’s a full-court press against kernel memory—and the refs missed it for 20 years. This bug lives in Linux’s legacy support for Apple’s HFS+ file system, specifically in how the kernel parses B-tree structures inside HFS+ attribute files. A malicious HFS+ image can corrupt the node key length in a B-tree, triggering a slab out-of-bounds write in hfs_bnode_read_key()—and we’re off to the races with privilege escalation.

🏀 Offensive Strategy:

A working PoC from Attila Szasz shows full local privilege escalation on Ubuntu by:

  • Mounting a malformed HFS+ image whose B-tree carries a corrupted key_len inside hfsplus_attr_key.
  • Letting the kernel read from the wrong offset, which turns into a heap overflow in a controlled kmalloc-1k slab.
  • Leaking a valid kernel pointer through keyrings, TTY spraying, and PGV socket ring buffers, then computing the KASLR base from it.
  • Overwriting /proc/sys/kernel/modprobe with an attacker-controlled path, triggering a modprobe path hijack that yields a root shell.

🧪 Key Pseudocode (from @4ttil4sz1a’s PoC):

  // The first key sits immediately after the 14-byte node descriptor
  struct hfsplus_attr_key *first_key = (struct hfsplus_attr_key *)(address_node + sizeof(struct hfs_bnode_desc));
  first_key->key_len = htobe16(0x418 - 2); // Overflows write buffer into slab

🏆 This one is a championship-level exploit, fully weaponized and elegant in its abuse of 20-year-old kernel pathways.
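The pseudocode above corrupts a single 16-bit field; the defensive counterpart is bounds-checking that field before it drives a copy. As an added example (Python, not the kernel’s hfsplus code and not the PoC), the validator below walks an HFS+ B-tree leaf node, reads each record’s key_len and rejects any key that exceeds the tree’s maximum key length or runs past its own record boundary. The node builder and the 268-byte limit (the on-disk sizeof(struct hfsplus_attr_key)) are assumptions made for the example, and the test vectors are constructed, one of them carrying the PoC’s 0x418 - 2 value.

```python
import struct

NODE_DESC_LEN = 14  # struct hfs_bnode_desc: next(4) prev(4) type(1) height(1) num_recs(2) reserved(2)
LEAF_NODE = 0xFF
# Largest legal attributes-tree key: key_len + pad + cnid + start_block + HFSUniStr255 (2 + 127*2).
# Assumed for this example from the on-disk layout; the kernel takes the limit from the tree header.
HFSPLUS_ATTR_MAX_KEYLEN = 268


def build_node(node_size, records, key_len_overrides=None):
    """Construct a leaf node: descriptor, then records, then the offset table growing from the end.

    records: list of (key_bytes, data_bytes). key_len_overrides maps a record index to a bogus
    key_len and exists only to build test vectors that mimic a corrupted image."""
    overrides = key_len_overrides or {}
    node = bytearray(node_size)
    struct.pack_into(">IIBBHH", node, 0, 0, 0, LEAF_NODE, 0, len(records), 0)
    offsets, off = [], NODE_DESC_LEN
    for i, (key, data) in enumerate(records):
        rec = struct.pack(">H", overrides.get(i, len(key))) + key + data
        rec += b"\0" * (len(rec) % 2)                        # records are 2-byte aligned
        if off + len(rec) > node_size - 2 * (len(records) + 1):
            raise ValueError("records collide with the offset table")
        node[off:off + len(rec)] = rec
        offsets.append(off)
        off += len(rec)
    offsets.append(off)                                       # free-space offset closes the list
    for i, o in enumerate(offsets):
        struct.pack_into(">H", node, node_size - 2 * (i + 1), o)
    return bytes(node)


def validate_bnode(node, max_key_len=HFSPLUS_ATTR_MAX_KEYLEN):
    """Return a list of problems; an empty list means every key fits inside its record."""
    node_size = len(node)
    num_recs = struct.unpack_from(">H", node, 10)[0]
    table_start = node_size - 2 * (num_recs + 1)
    if table_start < NODE_DESC_LEN:
        return [f"num_recs={num_recs} cannot fit in a {node_size}-byte node"]
    issues = []
    for i in range(num_recs):
        rec_off = struct.unpack_from(">H", node, node_size - 2 * (i + 1))[0]
        rec_end = struct.unpack_from(">H", node, node_size - 2 * (i + 2))[0]
        if not (NODE_DESC_LEN <= rec_off and rec_off + 2 <= rec_end <= table_start):
            issues.append(f"record {i}: offsets {rec_off}..{rec_end} are out of bounds")
            continue
        key_len = struct.unpack_from(">H", node, rec_off)[0]
        if key_len > max_key_len:
            issues.append(f"record {i}: key_len {key_len:#x} exceeds max_key_len {max_key_len}")
        elif rec_off + 2 + key_len > rec_end:
            issues.append(f"record {i}: key_len {key_len} runs past the record end at {rec_end}")
    return issues


# Constructed test vectors: a well-formed node, the same node with the key_len value the PoC
# writes (0x418 - 2), and one whose key_len is legal in size but longer than its record.
SAMPLE_RECORDS = [(b"A" * 12, b"data1"), (b"B" * 16, b"data2")]
GOOD_NODE = build_node(512, SAMPLE_RECORDS)
OVERSIZED_KEY_NODE = build_node(512, SAMPLE_RECORDS, {0: 0x418 - 2})
OVERRUN_KEY_NODE = build_node(512, SAMPLE_RECORDS, {1: 40})

if __name__ == "__main__":
    for name, node in (("good", GOOD_NODE), ("oversized", OVERSIZED_KEY_NODE),
                       ("overrun", OVERRUN_KEY_NODE)):
        print(name, validate_bnode(node) or "ok")
```

Both checks matter: the max_key_len comparison catches the PoC’s value outright, while the record-boundary comparison catches the quieter case where a key_len is within the tree’s limit but still points past the bytes the record actually owns. A check of this shape is what a parser needs before it copies a key, and it is also a cheap pre-mount triage for untrusted HFS+ images.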

[Image: Evading kernel defenses like…]

Who cares?

If you're on:

  • Ubuntu 22.04 (or similar)
  • Linux kernel ≤ 6.12.0,
  • And allow user namespaces + mounting,

...you're at risk.

While it's "local-only", this is one of those classic "anyone on the box = root" bugs that could be weaponized in container escapes, SSH jumps, or user-to-admin escalation.

What can I do?

  • Patch immediately. Most distros have released updates.
  • Ubuntu users: apply USN-6662-1.
  • Consider disabling HFS+ support if not needed (CONFIG_HFSPLUS_FS=n).
  • Lock down user namespace and mount permissions.

This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers.
