Complexities Compounding in Cyber Landscape; WEF Global Cybersecurity Outlook 2025 Analysis
WEF Global Cybersecurity Outlook 2025
Continue ReadingMonth: January 2025
Apple Patched Actively Exploited Zero-Day Vulnerability
Summary
CVE-2025-24085 is a zero-day vulnerability in Apple’s “Core Media framework” which enables malicious applications to potentially gain elevated privileges on impacted devices. It falls under the “Memory Corruption vulnerability category”, posing significant security risks such as unauthorized access to sensitive data or potential device control.
| OEM | Apple Inc |
| Severity | High |
| CVEs | CVE-2025-24085 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Privilege escalation vulnerability | CVE-2025-24085 | Apple | High | iPhone-XS and later, macOS Sequoia iPad-Pro (3rd generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later) Apple Watch: Series 6 and later Apple TV: All models |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24085 | iPhone, iPad, Mac, Apple Watch, Apple TV | CVE-2025-24085 is a memory management vulnerability in Apple’s Core Media framework, responsible for processing audio and video content. The vulnerability stems from improper handling of media data, allowing attackers to execute arbitrary code with elevated privileges. It can be remotely exploited through malicious media files, creating significant security risks. | Arbitrary Code Execution, Privilege Escalation, Sensitive Data Exposure, Remote Exploitation via Media Files |
Remediation:
- Update: Ensure the latest patches are applied to affected Apple devices as listed below
| Affected Version(s) | Fixes and Releases |
| iOS 17.2 and later | iOS 18.3 |
| iPadOS 17.2 and later | iPadOS 18.3 |
| macOS Sequoia (all previous versions) | macOS Sequoia 15.3 |
| watchOS 10.3 and later | watchOS 11.3 |
| tvOS 17.2 and later | tvOS 18.3 |
| visionOS 1.3 and later | visionOS 2.3 |
Apple has fixed this vulnerability in these software versions. Update devices immediately to mitigate the risk of exploitation.
General Recommendations:
- Untrusted Media: Avoid opening suspicious media files, emails, or links from unknown sources, as the vulnerability can be exploited remotely via malicious media.
- Automatic Updates: Enable automatic updates on all Apple devices to ensure timely installation of future security patches.
References:
High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel
High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel
Jordy Zomer, a Security researcher have recently discovered two critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux. These vulnerabilities, CVE-2024-56626 and CVE-2024-56627, could allow attackers to gain control of vulnerable systems.
SUMMARY
| OEM | Linux |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2024-56626, CVE-2024-56627 |
| Exploited in Wild | No |
| Publicly POC Available | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
These vulnerabilities affect Linux kernel versions greater than 5.15 and have been addressed in version 6.13-rc2. Proof-of-concept (PoC) exploits have been publicly released, emphasizing the critical nature of these issues.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Out-of-bounds write vulnerability in ksmbd. | CVE-2024-56626 | Linux | High | Linux kernel versions greater than 5.15 |
| Out-of-bounds read vulnerability in ksmbd. | CVE-2024-56627 | Linux | High | Linux kernel versions greater than 5.15 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-56626 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative offsets from clients, causing out-of-bounds writes and potential memory corruption. It was triggered when using vfs objects = streams_xattr in ksmbd.conf. The issue has been fixed in recent kernel updates. | Attackers can execute arbitrary code with kernel privileges |
| CVE-2024-56627 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative client offsets, enabling out-of-bounds writes and potential memory corruption. This issue occurred when the vfs objects = streams_xattr parameter was set in ksmbd.conf and has been resolved in recent kernel updates. | Attackers can read sensitive kernel memory, leading to information disclosure |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions
listed below
| Version | Fixes and Releases |
| kernel version > 5.15 | kernel version 6.13-rc2 |
Conclusion:
The discovery of CVE-2024-56626 and CVE-2024-56627 highlights critical security flaws in the Linux kernel’s SMB server implementation. Given the availability of proof-of-concept exploits, immediate action is essential to protect systems from potential exploitation. Regularly updating systems and applying security patches are vital practices to maintain a secure environment.
References:
Cisco Meeting Management to Prone to Attack Vectors; Vulnerability CVE-2025-20156
Cisco has warned about a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances.
The vulnerability, CVE-2025-20156 was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD)
| OEM | Cisco |
| Severity | Critical |
| CVSS | 9.9 |
| CVEs | CVE-2025-20156 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A critical vulnerability (CVE-2025-20156) in Cisco Meeting Management could allow attackers to gain unauthorized administrative access. This issue affects versions prior to 3.9.1 and has been classified as critical. Cisco strongly recommends updating to the latest fixed version to address this risk.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Privilege Escalation Vulnerability | CVE-2025-20156 | Cisco | Critical |
Technical Summary
A critical security vulnerability has been identified in Cisco Meeting Management. This flaw resides in the REST API and stems from improper enforcement of authorization protocols for REST API users. Remote, authenticated attackers with low-level privileges can exploit this issue by sending specially crafted API requests to specific endpoints. A successful exploit could allow attackers to escalate their privileges to administrator level and gain control over edge nodes managed by Cisco Meeting Management.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-20156 | Cisco Meeting Management prior to version 3.9.1 | Insufficient authorization checks in the REST API allow attackers to send crafted API requests to escalate privileges. | Attackers can gain full administrative control and disrupt business operations. |
Remediation:
- Update to the Latest Version:
- Upgrade Cisco Meeting Management to version 3.9.1or later.
- Regular Security Practices:
- Monitor Cisco’s security advisories.
- Regularly update systems to address emerging threats.
Conclusion:
CVE-2025-20156 poses a critical risk to Cisco Meeting Management users. Exploiting this flaw could disrupt operations by granting attacker’s administrative control. Immediate updates are crucial to mitigate the risk and protect affected systems.
References:
- https://cybersecuritynews.com/cisco-meeting-management-vulnerability/
Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation
Summary
Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products.
A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2024-55591 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.
The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Authentication Bypass Vulnerability | CVE-2024-55591 | FortiOS and FortiProxy | Critical |
Technical Summary
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.
Impact by Region (Unpatched Devices)
- Asia: 20,687 devices
- North America: 12,866 devices
- Europe: 7,401 devices
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-55591 | FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12 | Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges. | Unauthorized administrative access, credential extraction, and lateral movement. |
Remediation:
- Upgrade Firmware:
- FortiOS: Update to version 7.0.17 or latest
- FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
- Restrict Administrative Interface Access:
- Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
- Enable Multi-Factor Authentication (MFA):
- Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
- Monitor Suspicious Activities:
- Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.
Conclusion:
The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.
References:
- https://www.fortiguard.com/psirt
- https://cybersecuritynews.com/50000-fortinet-firewalls-remain-vulnerable-to-critical-zero-day-exploit/
- https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-19&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&geo=all&data_set=count&scale=log
Hashtags
New Regulations & Directives to Boost Cyber Defense; DORA & NIS2
DORA & NIS2
EU Regulations to Strengthen Cyber defense
Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild
Summary
OEM | Microsoft |
Severity | Critical |
CVSS Score | 7.8 |
CVE | CVE-2024-49138 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Publicly POC Available | Yes |
Overview
The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.
Vulnerability Name | CVE ID | Product Affected | Severity |
CLFS Privilege Escalation | CVE-2024-49138 | Microsoft Windows | High |
Technical Summary
CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-49138 | Windows 10, Windows 11, Windows Server 2008–2025 | Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released. | Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device. |
Remediations
- Update Systems: Apply Microsoft’s December 2024 patches without delay.
- Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
- Limit Access: Implement robust access controls and harden systems.
Conclusion:
The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.
References
- https://securityonline.info/zero-day-vulnerability-in-windows-exploited-cve-2024-49138-poc-code-released/
- https://github.com/MrAle98/CVE-2024-49138-POC?tab=readme-ov-file
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49138
- https://intruceptlabs.com/2024/12/microsoft-december-2024-patch-tuesday-critical-fixes-for-zero-day-and-remote-code-execution/
Privilege Escalation Vulnerability in ComboBlocks Plugin Affects Thousands of Sites
A critical vulnerability in the ComboBlocks WordPress plugin (formerly Post Grid and Gutenberg Blocks) exposes over 40,000 websites to potential complete takeover by unauthenticated attackers. This vulnerability exists due to improper handling of user meta during the registration process, enabling privilege escalation. It affects versions 2.2.85 to 2.3.3 and has been addressed in version 2.3.4.
OEM | WordPress |
Severity | Critical |
Date of Announcement | 2025-01-17 |
CVSS score | 9.8 |
CVE | CVE-2024-9636 |
Exploited in Wild | No |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
ComboBlocks, a plugin designed to enhance website design and functionality, was found to have a critical security flaw (CVE-2024-9636) that could allow unauthenticated attackers to register as administrators, granting them full control over the affected websites.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
Unauthenticated Privilege Escalation | CVE-2024-9636 | ComboBlocks WordPress Plugin | Critical | 9.8 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-9636 | ComboBlocks plugin (2.2.85 - 2.3.3) | The vulnerability stems from improper restriction of user meta updates during profile registration. This flaw allows unauthenticated attackers to register as administrators, granting them full control over the website. | Complete website takeover and malware injection. |
Remediations
- Update Plugin: Immediately update the ComboBlocks plugin to version 2.3.4 or later.
- Review Administrative Accounts:
- Audit all user accounts with administrative privileges.
- Revoke any unauthorized access.
- Enhance Security Posture:
- Enable multi-factor authentication (MFA) for all admin accounts.
- Restrict user permissions based on the principle of least privilege.
- Use a web application firewall (WAF) to filter and block malicious traffic.
- Monitor and Log Activity:
- Activate detailed logging for user registration and privilege changes.
- Configure alerts for unusual activity, such as mass registrations or privilege escalations.
- Implement Preventative Measures:
- Regularly update all plugins and themes.
- Backup the WordPress site frequently to ensure quick recovery in case of any compromise.
References
Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities
Summary
Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.
Key take away:
- Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
- Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
- This marks highest number of fixes in a single month since at least 2017.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-01-14 |
| No. of Vulnerabilities Patched | 159 |
| Actively Exploited | yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:
- 58 Remote Code Execution (RCE) Vulnerabilities
- 40 Elevation of Privilege (EoP) Vulnerabilities
- 22 Information Disclosure Vulnerabilities
- 20 Denial of Service (DoS) Vulnerabilities
- 14 Security Feature Bypass
- 5 Spoofing Vulnerabilities
The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Elevation of privilege vulnerability | CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows | High | 7.8 |
| Elevation of Privilege Vulnerability | CVE-2025-21275 | Windows | High | 7.8 |
| Remote Code Execution Vulnerability | CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Windows | High | 7.8 |
| Spoofing Vulnerability | CVE-2025-21308 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel | No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously. | Allow attackers to gain SYSTEM privileges |
| CVE-2025-21275 | Windows App Package Installer | Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges. | Attackers could gain SYSTEM privileges |
| CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Microsoft Access | Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents. | Remote Code Execution |
| CVE-2025-21308 | Windows Themes | Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft. | NTLM credential theft |
Source: Microsoft
Additional Critical Patches Address High-Severity Vulnerabilities
- Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370).
- Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311).
- Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298).
Remediation:
- Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities.
- Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.
- Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access.
Conclusion:
The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.
References:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan
Codefinger Ransomware attack encrypts Amazon S3 buckets
- Ransomware crew dubbed Codefinger targets AWS S3 buckets
- Sets data-destruct timer for 7 days
- Threat actors demand for Ransom payment made for the symmetric AES-256 keys required to decrypt it
Amazon S3 buckets encrypted using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) and somehow the threat actors knew details of the keys. And this made them demand ransoms to demand the decryption key.
The campaign was discovered by Halcyon , and according to them the threat actors after exploiting the compromised keys, they called the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate to lock up the victims’ files. There is great chance that more cyber criminal groups can adopt the tactic and use.
The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.
“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.
According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.
In recent month hackers and cyber criminal have gained traction In recent months and have begun targeting their product gateways and find ways to extort customers using it.
Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys says Halcyon team.
Ransomware capabilities gain new tactics where the threat actor first obtains an AWS customer’s account credentials and there is no know method that data can be recovered without paying the ransom.
As per AWS they encourage customers to utilize their security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve defense postures.
Sources:
https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
www.Bleeping computers.com