Month: April 2025

Security Advisory

Critical Flaw in FortiSwitch of Fortinet Allows Attackers to Change Admin Password

An unverified password change vulnerability [CWE-620] in FortiSwitch GUI discovered.

This may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request as per Fortinet advisory released.

Summary

OEMFortinet 
SeverityCRITICAL
CVSS Score9.8
CVEsCVE-2024-48887
Actively ExploitedYes
Exploited in WildYes
Advisory Version1.0

Overview

Fortinet’s FortiSwitch product line has revealed a significant vulnerability noted as CVE-2024-48887. This flaw allows unauthenticated remote attackers to change administrative passwords by sending specially crafted requests to the device’s password management endpoint. With a CVSS score of 9.8, the vulnerability is classified as Critical and is actively being exploited in the wild.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
A unverified password change vulnerability  CVE-2024-48887Fortinet   CRITICAL  9.8

Technical Summary

A critical vulnerability (CVE-2024-48887) has been identified in Fortinet FortiSwitch devices, affecting versions 6.4.0 through 7.6.0. This flaw resides in the web-based management interface and allows remote, unauthenticated attackers to change administrator passwords by sending a specially crafted HTTP request to the set_password endpoint.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2024-48887  FortiSwitch v7.6, 7.4, 7.2, 7.0, 6.4CVE-2024-48887 is an unauthenticated password change vulnerability in FortiSwitch web GUI.
It enables remote unauthenticated attackers to modify admin passwords through crafted requests to the set_password endpoint.		    Unverified Password Change

Remediation:

  • Apply Security Patches: Install the latest security update for your FortiSwitch version. Fortinet has fixed the issue in 6.4.15 and above,7.0.11 and above,7.2.9 and above,7.4.5 and above,7.6.1 and above versions.

General Recommendations

  • Update Devices Regularly always install the latest firmware and security patches from Fortinet to fix known vulnerabilities.
  • Limit access to the FortiSwitch web GUI to trusted IP addresses and disable HTTP/HTTPS access if it is not required.
  • Set strong and unique passwords and change them regularly to prevent unauthorized access.
  • Monitor unusual Activity for suspicious logins or configuration changes.

Conclusion:


The CVE-2024-48887 vulnerability poses a serious security risk to organizations using affected FortiSwitch devices. Its ease of exploitation and the lack of authentication required make it particularly dangerous.

Organizations must act immediately by applying the relevant security patches, limiting administrative access, and monitoring for unusual activity.

References:

Security Advisory

April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Summary of Microsoft April Patch Tuesday

Microsoft released April 2025 Patch Tuesday, addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) already being actively exploited.

  • 126 Microsoft CVEs addressed
  • 9 non-Microsoft CVEs included

Microsoft April Patch Tuesday is released every month on priority basis so that organization can address the vulnerabilities as advised by security analysts

OEMMicrosoft
SeverityCritical
Date of Announcement2025-04-08
No. of Vulnerabilities Patched135
Actively ExploitedYes
Exploited in WildYes
Advisory Version1.0

Overview

Key updates focus on core Windows components like the CLFS driver, Windows Kernel, and multiple remote code execution (RCE) vulnerabilities across many services including Remote Desktop Gateway, LDap, and TCP/IP.

The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.

On a similar note publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability]  CVE-2025-29824WindowsHigh7.8
Remote Desktop Gateway Service RCE VulnerabilityCVE-2025-27480 CVE-2025-27482WindowsHigh8.1
LDAP Service RCE VulnerabilityCVE-2025-26663WindowsHigh   8.1
LDAP Client RCE VulnerabilityCVE-2025-26670WindowsHigh8.1

Technical Summary

The April 2025 update fixes several high-severity vulnerabilities in Microsoft products, here are some vulnerabilities details:

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-29824  Windows 10/11, Windows ServerAn elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges.    Elevation of Privilege
  CVE-2025-27480 CVE-2025-27482  Windows RDSRace condition in Remote Desktop Gateway; triggers use-after-free allowing code execution  Remote Code Execution
  CVE-2025-26663  Windows LDAPCrafted LDAP call causes use-after-free, leading to arbitrary code execution  Remote Code Execution
CVE-2025-26670  Windows TCP/IPMemory mismanagement during DHCPv6 handling, complex exploit chain.  Remote Code Execution

Source: Microsoft & NVD

In addition to the actively exploited vulnerabilities, several other Vulnerabilities were also addressed:

  • CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability

These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.

  • CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability

An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.

  • CVE-2025-29791 – Excel Type Confusion RCE Vulnerability

This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.

  • CVE-2025-26686 – Windows TCP/IP RCE Vulnerability

Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.

  • CVE-2025-27491 – Windows Hyper-V RCE Vulnerability

This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.

Remediation:

  • Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.

General Recommendations:

  • Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
  • Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
  • Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.

“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.

Conclusion:

The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.

Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.

IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.

References:

Security Advisory

Spoofing Vulnerability in WhatsApp Desktop for Windows

Summary 

Be careful when you open that file in whatapp, it might have that spoofing flaw allowing Arbitrary Code Execution (CVE-2025-30401) and affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug .

Overview 

The vulnerability has been fixed in version 2.2450.6. WhatsApp has and will always be an attractive field for attackers and this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
 Spoofing Vulnerability  CVE-2025-30401  WhatsApp Desktop for Windows  Medium  2.2450.6 

Technical Summary 

The vulnerability results from WhatsApp for Windows’s different handling of attachments. It opens files depending on their filename extension while displaying files based on their MIME type. This mismatch allows attackers to spoof file types and trick users into launching malicious executables. 

Example Scenario: 

An attacker sends a file named cat.jpg.exe with a MIME type of image/jpeg. WhatsApp displays the file as an image (because of the MIME type), misleading the user. If the user manually opens the attachment from within WhatsApp, Windows uses the .exe extension to execute the file — potentially launching malicious code. 

This form of UI spoofing can be especially effective in group chats, where malicious attachments may be distributed widely and appear harmless. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-30401   WhatsApp Desktop for Windows (<2.2450.6)  MIME type used for display, but file extension used for execution.

A mismatch between the two could allow a file to appear harmless (e.g., image), while actually being executable (e.g., .exe). 		 Remote Arbitrary code execution 

Remediation

  • Official Patch Available: The vulnerability has been resolved by Meta (formerly Facebook). Users should update WhatsApp for Windows to version 2.2450.6 or latest version. 

Conclusion: 

CVE-2025-30401 is a key example of how inconsistent file processing in the user interface can result in serious security threats. Attackers can create misleading payloads that can run arbitrary code by taking advantage of users’ faith in how apps display attachments.

Due to the possibility of remote exploitation, users should update to the latest WhatsApp version 2.2450.6 or later. Patching should be done right away to avoid any compromise. 

Be careful when you click attachments.

References: 

Blogs

DDoS Attacks on Critical Infrastructure Re-shaping Geopolitical Conflicts

DDoS Attacks on Critical Infrastructure Reshaping Geopolitical Conflicts

Continue Reading
Security Advisory

WordPress Ultimate CSV Importer Flaws Put 20,000+ Sites at Risk

Threat researchers discovered an arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability within the WP Ultimate CSV Importer plugin. This is affecting versions 7.19 and earlier.

The vulnerabilities have been addressed in version 7.19.1 of the plugin.

Summary 

OEM WordPress 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-2008, CVE- 2025-2007 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The security flaw WordPress plugin, Ultimate CSV Importer, affecting over 20,000 websites. The vulnerabilities, identified as CVE-2025-2008 and CVE-2025-2007, can lead to catastrophic consequences, including complete site compromise. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Arbitrary File Upload  CVE-2025-2008 WordPress  High  8.8 
Arbitrary File Deletion  CVE-2025-2007 WordPress  High  8.1 

Technical Summary 

A critical security vulnerability has been discovered in the WP Ultimate CSV Importer plugin (versions ≤ v7.19). This flaw allows attackers with only Subscriber level access to exploit the system in two dangerous ways: 

  1. Malicious File Upload: Attackers can upload malicious files, potentially enabling remote code execution and granting full control over the affected site. This allows for complete site compromise, including the ability to install backdoors or steal sensitive information. 
  1. Critical File Deletion: Attackers can delete crucial files, such as wp-config.php, which can reset the WordPress site and give attackers the ability to take full control over the site. 
CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2008  WP Ultimate CSV Importer plugin (versions ≤ 7.19) A critical flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to upload malicious files due to improper file type validation.
This can lead to remote code execution (RCE) and full site takeover. 		  Remote code execution (RCE) 
 CVE-2025-2007 WP Ultimate CSV Importer plugin (versions ≤ 7.19) A serious flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to delete critical files, like wp-config.php, due to weak file path validation.
This can reset the site, letting attackers take control. 		 Arbitrary file deletion leading to site reset 

Remediation

Install version 7.19.1 or later to fix the security flaws. Keeping all plugins and WordPress updated helps prevent attacks. 

General Recommendations 

  • Update the Plugin – Install the latest version (7.19.1+) to fix security issues and keep your site safe. 
  • Limit User Access – Allow only trusted users to upload or delete files to prevent hackers from exploiting vulnerabilities. 
  • Use Security Plugins – Install tools to block threats, monitor activity, and protect your site. 
  • Backup Your Website – Regularly save backups so you can restore your site if it gets hacked or files are deleted. 

Conclusion: 

A major security issue in a popular WordPress plugin put over 20,000 websites at risk of being taken over by hackers.

Attackers could upload harmful files or delete important ones, making websites vulnerable. This incident shows why keeping plugins updated, limiting user access, and using security tools is crucial. Updating to version 7.19.1 is necessary to stay protected. 

References

Security Advisory

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Summary 

3 Zero-Day Vulnerabilities backported & fixed in Apple Devices

Apple backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.

OEM Apple 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-24201, CVE-2025-24085, and CVE-2025-24200. 
No. of Vulnerabilities Patched 03 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Apple has released an urgent security advisory concerning three zero-day vulnerabilities currently being actively exploited: CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085. These vulnerabilities affect a range of Apple devices, such as iPhones, iPads, Macs, and other platforms. Users are strongly urged to update to the latest patched versions to reduce security risks. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
WebKit Out-of-Bounds Write Vulnerability  CVE-2025-24201 iOS, macOS, visionOS, Safari  High  8.8 
Use-After-Free Vulnerability  CVE-2025-24085 iOS, iPasOS, macOS, watchOS, tvOS  High  7.8 
Incorrect Authorization Vulnerability  CVE-2025-24200  iOS, iPadOS  Medium  6.1 

Technical Summary 

Apple’s latest security update patches three Zero-Day vulnerabilities that hackers were actively exploiting. These vulnerabilities could allow attackers to bypass security protections, making devices more vulnerable. One of the vulnerabilities enables remote code execution, letting attackers run malicious programs. Another flaw allows privilege escalation, giving attackers higher-level access to system functions. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24201  iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, Safari 18.3  Out-of-bounds write issue allowing malicious websites to escape the Web Content sandbox   Remote Code Execution 
 CVE-2025-24085 iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, tvOS 18.3, visionOS 2.3 Use-after-free vulnerability in CoreMedia allowing privilege escalation via malicious apps.  Privilege escalation via CoreMedia 
 CVE-2025-24200  iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch, etc.) Authorization bypass vulnerability allowing attackers to disable USB Restricted Mode on locked devices.  Security Bypass USB Restricted Mode 

Remediation

Apply Patches Promptly: Apple has released security updates to address these vulnerabilities. Users should update their devices immediately to mitigate risks 

  • iPhones and iPads: Update to iOS 18.3/iPadOS 18.3 or later. 
  • Macs: Install macOS Sequoia 15.3 or later. 
  • Apple Watch: Upgrade to watchOS 11.3. 
  • Apple TV: Apply tvOS 18.3 updates. 
  • Vision Pro: Install visionOS 2.3 updates. 

General Recommendations: 

  • Prioritize Zero-Day Fixes: Focus on patching actively exploited vulnerabilities, especially those affecting USB Restricted Mode, WebKit, and CoreMedia.  
  • Enable Lockdown Mode: On supported devices, Lockdown Mode can provide additional security against targeted attacks.  
  • Be Cautious with USB Devices: Avoid connecting untrusted accessories to Apple devices to mitigate USB-based attack vectors. 
  • Stay Alert for Malicious Websites: Since WebKit vulnerabilities are actively exploited, avoid suspicious links and untrusted web content. 
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity. 

Conclusion: 

The discovery and active exploitation of these zero-day vulnerabilities underscore the increasing sophistication of cyberattacks targeting Apple’s ecosystem.

While Apple has responded swiftly with patches, users must remain vigilant by keeping their devices updated and adhering to cybersecurity best practices, such as avoiding untrusted applications and enabling Lockdown Mode where applicable. 

Apple fixed all the vulnerability with improved state management.

References


 

Blogs

Android Malware Crocodilus; Threat for cryptocurrency wallet Users

Crocodilus is a new banking malware that evades detection from Google’s play protect.

The Android malware has been specifically targeting to steal sensitive cryptocurrency wallet credentials through social engineering. Its convincing overlay screen warns users to back up their wallet key within 12 hours or risk losing access says security researchers.

Why threat researchers call this trojan ?

Crocodilus includes all the necessary features of modern banking malware: overlay attacks, keylogging, remote access, and “hidden” remote control capabilities. Also the malware is distributed via a proprietary dropper that bypasses Android 13 (and later) security protections as per researchers of Threat fabric.

Unlike any banking trojan which takes over devices, Crocodilus is similar in pattern and uses tactics to load a fake overlay on top of the real app to intercept the victim’s account credentials. These are targeted mostly for banking or cryptocurrency app users.

Another data theft feature of Crocodilus is a keylogger and the malware monitors all Accessibility events and captures all the elements displayed on the screen, i.e. it is an accessibility Logger.

Intricacies of Crocodilus Malware

The modus operandi of the malware makes it easier to preform task to gains access to accessibility service, to unlock access to screen content, perform navigation gestures, monitor for app launches.

The malware also offers remote access Trojan (RAT) functionality, which enables its operators to tap on the screen, navigate the user interface, perform swipe actions.

The malware is fitted with dedicated RAT command to take a screenshot of the Google Authenticator application and capture one-time password codes used for two-factor authentication account protection.

Android users are advised to avoid downloading APKs from outside Google Play and to ensure that Play Protect is always active on their devices.

Researchers discovered source code of malware revealing debug messages left by the developer(s), reveal Turkish speaking.

The Expanding Threat landscape with evolving Modern Malware’s

The Crocodilus malware designed to go after high valued assets that targets cryptocurrency wallets and Banks. These malware can make the defense line up of banking system weak and researchers advise to adopt a layered security approach that includes thorough device and behavior-based risk analysis on their customers’ devices.

Modern malware has the capability to break the security defenses of organization even if they are protected by cutting edge solutions to defend. As the threat landscape expand so are sophisticated attacks rising.

Modern malware can bypass most security solutions, including email filtering, anti-virus applications, sandboxing, and even IPS/IDS and sometime few file-less malware leaves no footprint on your computer and is executed exclusively in run-time memory.

In this sophisticated war against threat criminals enterprise security requires is taking services for active threat hunting and be diligent in scanning files meant for downloads.

To improve enterprise security the important aspects needs to be covered increase usage of multi-layer defenses. Protecting against modern malware is an ongoing effort, and rarely it is “set and forget.” Utilize multiple layers of security, including anti-virus software, network layer protection, secure web gateways, and other tools for best results.

Keep improving your security posture against modern malware is an ongoing effort and includes multiple layers of security. With anti-virus software, advanced network layer protection, secure web gateways, and other tools the security posture at enterprise level increases.

Remember your best defenses can be in trouble, so continue monitoring, adapt and train employees, while using comprehensive multi-layer approach to security.

Source: https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices

Blogs

Security software to represent 60% of worldwide security market; IDC

Worldwide Security Spending to Increase by 12.2% in 2025 as Global Cyberthreats Rise, Says IDC

As we witness complex and more frequent more frequent and complex cyber attacks, a rising concern for global security the spending from worldwide data projects a steady growth. The amount is staggering $377 billion by 2028 says the IDC report. This is an yr on increase of 12.2% year-on-year increase in security spending in 2025.

“Growing digital transformation and hiking emerging technology adoption across the Middle East & Africa (MEA) region — especially countries in the Gulf Cooperation Council (GCC) — have pushed the demand significantly for security solutions to face the evolving threat landscapes,” said Eman Elshewy, senior research manager with IDC Data and Analytics.

The security software market growth will be driven especially by cloud native application protection platform (CNAPP).

This also includes Identity and access management software

security analytics software growth, reflecting the special focus that companies will put on integrated cyberthreats detection and response around their whole organizational perimeter.

Key points on security software market growth

  • Security services will be the second fastest growing technology group in 2025,
  • This is driven by the continuous expansion of managed security services and growths of organizations of all size are included in it. Security hardware will rank third, achieving single-digit but steady growth in 2025.
  • This also include the Banking, federal/central government, telecommunications, capital markets, and healthcare provider will be the industries spending the most at the global level on security in 2025.

 While the fastest-growing will be capital markets, media and entertainment, and life sciences with an expected year-on-year growth rate of 19.4%, 17.1%, and 16.9%, respectively in 2025.

Organisations developing software’s will develop their strategies based on  national and international regulations that still play an important role in guiding organizations’ security strategies — especially in regulated industries .

Cause of rise in the market demand .

The rising malware including virus and Trojan horses are increasing the capacity of cyber criminal and their sophistication in attacks. Cybercriminals deploy attack and employ malware that can take control of devices. With BOYD things are more complicated.

We cannot deny how AI is giving companies a competitive edge and help to fuel more sustainable growth. Forrester predicted that IT services and software will account for nearly two-thirds of global tech spending and, in Europe and North America, this share will be even higher. 

A greater drive for, and increased investment in, cybersecurity will underpin the rise in software spend, says Forrester.

In particular, this includes the updating and modernization of legacy and outdated enterprise systems to better protect organisations in the rapidly evolving threat landscape. 

While large and very large businesses account for the majority of security spending across all regions, small and medium-sized businesses will continue to increase their investments in security throughout the forecast period to address security gaps and protect their assets and processes as their digital transformation accelerates.

Fig 1 Represent the state of security spending 2025

Organizations still lack the internal expertise, to properly assess or address the security implications of this shift. Cyber criminals are making these threats more sophisticated, which is adding to the urgency. IDC says this steady climb in spending will continue through 2028, hitting $377 billion by then.

Now with IDC research finding  reveal investments in security throughout the forecast period to address security gaps and protect organizational assets and processes as their digital transformation accelerates.

Organisations are moving from being secure to being cyber resilient

Right now, business of every models are almost uniformly reliant on digital technology and any disruption here seriously impacts operations and revenue. Cyber criminals are on look out for every scope to launch stealthies attack.

Almost all security strategies often focus on proactively identifying and mitigating threats. Now at this hour as we stand in 2025 we need greater focus on cyber resilience.

Adopting a holistic approach in cyber security is walking the path of cyber resilience and we at Intruceptlabs working in tandem to weave the fabric of security in every workflow that supports this agility.

Recently IntruceptLabs won the Elevate 2024 Program, founded with the mission of “Making applications & digital space safer for businesses,” is encouraging for us as an organization for a cyber resilient future.

Sources: https://www.idc.com/getdoc.jsp?containerId=prEUR253264525

Scroll to top