Threat actors have been identified exploiting an elevation of privilege vulnerability in the Windows Backup and Restore service, tracked as CVE-2023-21752.
“[…] CVE-2023-21752 is a vulnerability that allows basic users to execute arbitrary code and delete files on the host at a storage path specified by the Windows Backup and Restore service,” wrote a CloudSEK security researcher. “This action can only be performed by a privileged user.”
Additionally, the exploit can be used to elevate privileges from a basic user to the SYSTEM account on the host, allowing complete takeover of the machine.
“This vulnerability is triggered using a race condition between the creation and deletion of temporary files that occur after the authentication process,” states the CloudSEK advisory.
“Windows hosts subject to irregular patch installations are at risk, where the exploit can be leveraged by threat actors. The minimum requirement is to have a local account on the targeted system.”
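The advisory describes the bug class only in one sentence: a race between a privileged service creating a temporary file and later deleting it. The block below is an added illustration of that class and is not code from the advisory, from 0patch, or from the Windows Backup Service; the file name, directory names and the attacker callback are assumptions made for the demo. It models the race deterministically (the attacker runs in the window between create and delete), shows why deleting by path is dangerous once the attacker can swap a directory component, and pairs it with the hardened pattern of deleting relative to a directory handle opened without following links. It is POSIX-only (symlinks and `dir_fd`), standing in for the directory-junction and handle-relative-deletion techniques on Windows.

```python
"""Added illustration of the "create temp file, then delete it by path" race.

Generic model only: not the Windows Backup Service code path. TEMP_NAME,
work_dir and protected_dir are assumptions made for the demo. POSIX-only.
"""
import os
import shutil
import tempfile

TEMP_NAME = "backup.tmp"  # hypothetical predictable temp file name


def attacker_swap_directory(work_dir, protected_dir):
    """Runs inside the race window: move the service's directory aside and put
    a link with the same name in its place, so the path the service remembered
    now resolves into a directory the attacker cannot write to."""
    os.rename(work_dir, work_dir + ".moved")   # the real temp file survives here
    os.symlink(protected_dir, work_dir)        # same path, different target


def vulnerable_service_cycle(work_dir, attacker_in_window):
    """Vulnerable pattern: create a temp file under a caller-supplied path, then
    later delete it *by path*. Every component is re-resolved at delete time."""
    path = os.path.join(work_dir, TEMP_NAME)
    with open(path, "w") as f:
        f.write("scratch")
    attacker_in_window(work_dir)   # the window between creation and deletion
    os.remove(path)                # follows whatever work_dir resolves to now


def hardened_service_cycle(work_dir, attacker_in_window):
    """Hardened pattern: open the directory once, refusing links (O_NOFOLLOW),
    create with O_EXCL, and delete relative to that handle (dir_fd). Later
    changes to the *name* cannot redirect the delete."""
    dir_fd = os.open(work_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(TEMP_NAME, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=dir_fd)
        os.write(fd, b"scratch")
        os.close(fd)
        attacker_in_window(work_dir)
        os.unlink(TEMP_NAME, dir_fd=dir_fd)  # resolved against the original directory
    finally:
        os.close(dir_fd)


def run_demo():
    """Run both patterns against the same attacker; report what got deleted."""
    root = tempfile.mkdtemp(prefix="delete_race_demo_")
    results = {}
    try:
        for label, cycle in (("vulnerable", vulnerable_service_cycle),
                             ("hardened", hardened_service_cycle)):
            work_dir = os.path.join(root, label + "_work")
            protected_dir = os.path.join(root, label + "_protected")
            os.mkdir(work_dir)
            os.mkdir(protected_dir)
            # Constructed stand-in for a file the service must never delete.
            target = os.path.join(protected_dir, TEMP_NAME)
            with open(target, "w") as f:
                f.write("do not delete")
            cycle(work_dir, lambda wd, p=protected_dir: attacker_swap_directory(wd, p))
            results[label] = {
                "protected_file_deleted": not os.path.exists(target),
                "own_temp_file_deleted": not os.path.exists(
                    os.path.join(work_dir + ".moved", TEMP_NAME)),
            }
        # If the attacker won the race *before* the service started, O_NOFOLLOW
        # makes the hardened open fail (ELOOP) instead of silently following.
        prelinked = os.path.join(root, "prelinked_work")
        os.symlink(os.path.join(root, "hardened_protected"), prelinked)
        try:
            hardened_service_cycle(prelinked, lambda wd: None)
            results["hardened_rejects_prelinked_dir"] = False
        except OSError:
            results["hardened_rejects_prelinked_dir"] = True
    finally:
        shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The vulnerable cycle deletes the attacker's chosen file and leaves its own scratch file behind; the hardened cycle deletes only what it created, because the handle pins the directory the name is resolved against. The same principle (open once, operate on the handle, never re-resolve a user-influenced path) is what turns an "arbitrary file delete" primitive back into a harmless temp-file cleanup.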
The high-severity vulnerability has a CVSS base score of 7.1 and affects Windows 7, 10, and 11. Microsoft patched it in the first Patch Tuesday release of the year; 0patch also released a micropatch for the vulnerability on January 31st.
“Although our micropatch is logically the same as Microsoft’s, we chose to keep the name of the temporary file simpler to minimize its complexity and code size,” wrote a 0patch security researcher. “This is to accommodate multiple backup processes using the same path at the same time, which is unlikely, but not impossible.”
Returning to the CloudSEK advisory, the company says it found threat actors discussing the vulnerability on Russian-speaking cybercrime forums and Telegram channels.
“On January 10th, a brand new vulnerability was discovered in the Windows backup service,” reads a Telegram post viewed and shared by CloudSEK. “This vulnerability allows [local privilege escalation] from the user level.”
CloudSEK’s advisory comes days after Microsoft released patches for over 70 CVEs this month, including three zero-days.