Monday, May 19, 2025
HomeComputer SecurityZDI Exposed Unpatched Microsoft RCE Zero-day Flaw in Public After it Crossed...

ZDI Exposed Unpatched Microsoft RCE Zero-day Flaw in Public After it Crossed the 120 Days Deadline

Published on

SIEM as a Service

Follow Us on Google News

A Microsoft Zero-day vulnerability that existing in Microsoft JET Database Engine has been crossed zero-day Initiative (ZDI) 120 days disclosure deadline and now it released in public.

ZDI initially reported this zero-day flow to Microsoft on May 8, 2018, since then Microsoft acknowledged the vulnerability and started working on it to provide the patch for Windows.

This Zero-day flow discovered and reported by Lucas Leong of Trend Micro Security Research and the vulnerability allows an attacker to run an arbitrary code in Microsoft’s Jet database engine.

- Advertisement - Google News

Vulnerability Details

This specific vulnerability existing in the management of indexes in the Jet database engine that allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.

In order to trigger this Microsoft Zero-day vulnerability, the attacker needs to send a specially crafted file containing data stored in the JET database format and the user needs to open the file to trigger this vulnerability in victims machine.

According to ZDI, “The root cause of this issue resides in the Microsoft JET Database Engine. Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a Jet data source via OLEDB. Here’s a look at the resulting crash”

Mainly user interaction does require to successfully exploit this vulnerability in victims machine by tricking them to open the malicious file.

ZDI research confirms that this Microsoft Zero-day existing in the Windows 7 and they believe all supported Windows version are impacted by this bug. You can also find the Proof-of-concept code here. 

As of now this vulnerability is not yet patched and Microsoft continuously working on it to patch this critical Zero-day vulnerability and we expect the patch in the regularly scheduled October Tuesday patch release since it’s not released in September patch.

Also Read:

Hackers Started Exploiting the Unpatched Windows Task Scheduler Zero Day Flaw using Malware

New Zero Day Attack Discovered in MS Word Document Uses to Hack your PC – Still Not yet Patched

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Pwn2Own Day 3: Zero-Day Exploits Windows 11, VMware ESXi, and Firefox

The Pwn2Own Berlin 2025 last day ended with impressive technological accomplishments, bringing the total...

GNU C(glibc) Vulnerability Let Attackers Execute Arbitrary Code on Millions of Linux Systems

Security researchers have disclosed a significant vulnerability in the GNU C Library (glibc), potentially...

Exploiting dMSA for Advanced Active Directory Persistence

Security researchers have identified new methods for achieving persistence in Active Directory environments by...

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Pwn2Own Day 3: Zero-Day Exploits Windows 11, VMware ESXi, and Firefox

The Pwn2Own Berlin 2025 last day ended with impressive technological accomplishments, bringing the total...

GNU C(glibc) Vulnerability Let Attackers Execute Arbitrary Code on Millions of Linux Systems

Security researchers have disclosed a significant vulnerability in the GNU C Library (glibc), potentially...

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...