Security Advisory

Security Advisory

Ivanti Connect Secure VPN Actively Being Exploited in the Wild 

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary 

OEM Ivanti  
Severity Critical 
CVSS 9.0 
CVEs CVE-2025-0282, CVE-2025-0283  
Exploited in Wild  Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another  Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Stack-Based Buffer Overflow Vulnerability  CVE-2025-0282 Ivanti Critical 22.7R2 through 22.7R2.4  22.7R1 through 22.7R1.2  22.7R2 through 22.7R2.3  
Stack-Based Buffer Overflow Vulnerability CVE-2025-0283  Ivanti High 22.7R2.4 and prior 9.1R18.9 and prior  22.7R1.2 and prior 22.7R2.3 and prior  

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-0282  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.  RCE, System compromise, Data theft, Network breaches, and Service disruptions.  
CVE-2025-0283  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges Allow Local Authenticated Attackers to Escalate Privileges. 

Remediation

  • Ensure that the appropriate patches or updates are applied to the relevant Ivanti 
  • Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.

versions as listed below: 

Affected Version(s) Fixes and Releases 
22.7R2 through 22.7R2.4  22.7R2.5  
22.7R2.4 and prior,  9.1R18.9 and prior  22.7R2.5  
22.7R2 through 22.7R2.3  22.7R2.5, Patch planned availability Jan. 21  
22.7R2.3 and prior  22.7R2.5, Patch planned availability Jan. 21  
22.7R1 through 22.7R1.2  Patch planned availability Jan. 21  
22.7R1.2 and prior  Patch planned availability Jan. 21  
  • Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security. 
  • Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools. 
  • Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025. 
  • Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025. 

General Recommendation 

  • Regularly update software and systems to address known vulnerabilities. 
  • Implement continuous monitoring to identify any unauthorized access or suspicious activities. 
  • Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces. 
  • Create and Maintain an incident response plan to quickly mitigate the impact of any security breach. 

References: 

Security Advisory

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary 

Application OpenSSH 
Severity High 
CVSS 8.1 
CVEs CVE-2024-6387 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns. 

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Race Condition vulnerability   CVE-2024-6387  OpenSSH (8.5p1–9.8p1)  High  OpenSSH 9.8p2 or later 

Technical Summary 

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-6387 OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). Remote Code Execution (Root Privileges) 

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation

  • Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue. 
  • Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges. 
  • Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns. 

Indicators of Compromise (IOCs): 

IP Address / Hostname File Hash 
209.141.53[.]247 0df799f05c6d97e2b7d4b26c8e7246f7 
108.174.58[.]28 11cc5f00b466d4f9be4e0a46f2eb51ae 
195.85.205[.]47 1f452448cea986aedc88ba50d48691f7 
62.72.191[.]203 207eb58423234306edaecb3ec89935d8 
botbot.ddosvps.cc  

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387 

Conclusion: 

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks. 

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2024-6387 
  • https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

Security Advisory

Critical Windows Privilege Escalation Vulnerability with Public Exploit

Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.

Summary 

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2024-43641 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges. 

Vulnerability Name CVE ID Product Affected Severity 
Windows Registry Elevation of Privilege Vulnerability  CVE-2024-43641  Windows    High 

Technical Summary 

The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows: 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-43641 Windows 10, Windows 11, Windows Server 2008–2025 The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition. Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity. 

Remediation

  • Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates. 
  • Monitor Activity: 
  • Monitor logs for suspicious activity related to registry operations. 
  • The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild. 

Conclusion: 

CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat. 

References: 

Security Advisory

Exploit Proof-of-Concept Released for Windows Lightweight Directory Access Protocol (LDAP CVE-2024-49113 )

CVE-2024-49113 LDAP

Continue Reading
Security Advisory

Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS 

Summary 

OEM Palo Alto 
Severity High 
CVSS 8.7 
CVEs CVE-2024-3393 
Exploited in Wild  No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.  

Vulnerability Name CVE ID Product Affected Severity Affected Version 
(DoS) in DNS Security Using a Specially Crafted Packet CVE-2024-3393   Palo Alto High PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-3393   Palo Alto PAN-OS CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025.     Dos – Denial-of-Service 

Remediation

  • Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below 
PAN-OS Version Fixes and Releases 
PAN-OS 11.1 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 
PAN-OS 10.2 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 
PAN-OS 10.1 10.1.14-h8, 10.1.15 
PAN-OS 10.2.9-h19 Only applicable to Prisma Access 
PAN-OS 10.2.10-h12 Only applicable to Prisma Access 
PAN-OS 11.0 No fix (reached end-of-life status on November 17, 2024) 

Recommendations: 

  • Avoid Using EOL Versions: 
  • PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions. 
  • Monitoring & Incident Response: 
  • Regularly monitor firewall logs for unusual behavior, especially DoS triggers. 
  • For Prisma Access Users (Workaround): 
  • Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks. 

References: 

Security Advisory

Critical Apache Tomcat Vulnerabilities Allow RCE & DoS

Summary

OEMApache
SeverityCritical
CVSS9.8
CVEsCVE-2024-50379, CVE-2024-54677
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.

Vulnerability NameCVE IDProduct AffectedSeverityAffected Version
Race Condition Vulnerability CVE-2024-50379ApacheCriticalApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97
Uncontrolled Resource Consumption Vulnerability CVE-2024-54677ApacheMediumApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97

Technical Summary

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-50379Apache TomcatA race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system.    Remote Code Execution
CVE-2024-54677Apache TomcatThe examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service.    Denial of Service

Remediation:

  • Upgrade Apache Tomcat to the latest fixed versions:
    • Apache Tomcat 11.0.2 or latest
    • Apache Tomcat 10.1.34 or latest
    • Apache Tomcat 9.0.98 or latest

Recommendations:

  • Configuration Hardening:
    • Restrict write permissions for the default servlet to prevent unauthorized JSP file uploads.
    • Remove or disable example applications to reduce exposure to potential attacks.
  • Monitor and Audit:
    • Regularly review server logs for signs of exploitation attempts.
    • Apply a robust file upload policy to limit sizes and validate content.
  • Regularly update all your software’s to address security vulnerabilities 

References:

Security Advisory

Cleo Releases Patch for Critical Vulnerabilities Exploited in the Wild

Summary

OEM

Cleo

Severity

Critical

CVSS score

9.8

CVE

CVE-2024-55956, CVE-2024-50623

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

The Clop ransomware group has exploited critical vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, specifically targeting Cleo Harmony, VLTrader, and LexiCom. These vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, allow unauthenticated attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Fixed Version

Unauthenticated Command Execution

CVE-2024-55956

Cleo products

Critical

9.8

5.8.0.24 or latest

Unrestricted File Upload/Download Vulnerability

CVE-2024-50623

Cleo products

Critical

9.8

5.8.0.24 or latest

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-55956

Cleo Harmony, VLTrader, LexiCom

This flaw enables unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Attackers can write a ZIP file containing a malicious XML file describing a new host. The malicious XML file contained a Mailbox action associated with the new host, which when run would execute an arbitrary OS command.

Execution of arbitrary commands, resulting in full system compromise.

CVE-2024-50623

Cleo Harmony, VLTrader, LexiCom

This vulnerability permits unauthenticated attackers to upload and download files without restrictions via the ‘/Synchronization’ endpoint. By uploading malicious files, attackers can achieve remote code execution. The exploitation involves writing malicious code to specific files, such as “webserverAjaxSwingconftemplatesdefault-pagebody-footerVL.html”, which is then leveraged to execute an attacker-controlled payload, potentially in the form of a webshell.

Unauthorized file manipulation and potential system compromise.

Remediations

  • Update Cleo Harmony, VLTrader, and LexiCom to the updated version 5.8.0.24 or latest one.

Recommendations

  • It is strongly advised to move any internet-exposed Cleo systems behind a firewall until patches are applied to prevent unauthorized exploitation.
  • Disable autorun files in Cleo software by clearing the “Autorun Directory” field under “Options” to limit the attack surface; this doesn’t resolve the file-write vulnerability.
  • Implement monitoring for signs of the “Cleopatra” backdoor and other malicious activities associated with Clop ransomware.
  • Conduct a thorough audit of your systems to identify any malicious files or abnormal system behavior associated with Cleo software. This includes checking logs, directories, and network traffic for unusual activities related to the known exploit chain.
  • If you have an EDR solution, block the attacker IPs associated with the exploit to prevent further external communication with compromised systems.
  • Ensure regular backups of critical data are performed and stored securely offline to facilitate recovery in case of any ransomware attack.

IOCs

Based on the research
These are the attacker IP addresses embedded in the encoded PowerShell

IP Address IOCs

File IOCs

176.123.5[.]126

60282967-dc91-40ef-a34c-38e992509c2c.xml

5.149.249[.]226

healthchecktemplate.txt

185.181.230[.]103

healthcheck.txt

209.127.12[.]38

181.214.147[.]164

192.119.99[.]42

References

Security Advisory

Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation

Summary

OEM

WordPress

Severity

Critical

Date of Announcement

2024-12-13

CVSS score

9.8

CVE

CVE-2024-11972

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Hunk Companion Plugin Vulnerability

CVE-2024-11972

Hunk Companion Plugin for WordPress

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-11972

Hunk Companion plugin versions  prior to 1.8.4

This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins.

This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise.

Remediations

  • “Hunk Companion” WordPress plugin, should update to version 9.0 or later.

General Recommendations

  • Regularly inspect your WordPress site for unknown plugins or modifications.
  • Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
  • Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
  • Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.

References

Security Advisory

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

OEM

Microsoft

Severity

Critical

Date of Announcement

2024-12-12

CVE

Not yet assigned

Exploited in Wild

No

Patch/Remediation Available

Yes (No official patch)

Advisory Version

1.0

Vulnerability Name

NTLM Zero-Day

Overview

A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.

Vulnerability Name

CVE ID

Product Affected

Severity

NTLM zero-day

Not Yet Assigned

Microsoft Windows

Critical

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

Not Yet Assigned

Windows 7 to 11 (24H2), Server 2008 R2 to 2022

A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder.

Enables attackers to steal NTLM credentials and  gain unauthorized access of the affected systems.

Remediations

  • Apply the 0patch Micropatch:
    • Register for a free account at 0patch Central.
    • Install the 0patch agent to automatically receive the micropatch.
  • Disable NTLM Authentication:
    • Navigate to Security Settings > Local Policies > Security Options in Group Policy.
    • Configure “Network security: Restrict NTLM” policies to limit NTLM usage. 

General Recommendations

  • Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
  • Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
  • Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
  • Monitor systems for suspicious NTLM-related activity.

References

Security Advisory

Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-12-12

NO. of Vulnerabilities Patched

71

Actively Exploited

01

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 30 Remote Code Execution (RCE) Vulnerabilities
  • 27 Elevation of Privilege (EoP) Vulnerabilities
  • 7 Information Disclosure Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 1Defense-in-depth improvement
  • 1 Spoofing Vulnerabilities

The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Unauthenticated Remote Code Execution in Windows LDAP

CVE-2024-49112 

Windows

Critical

9.8

Remote Code Execution in Windows Hyper-V

CVE-2024-49117

Windows

High

8.8

Remote Code Execution via Use-After-Free in Remote Desktop Services

CVE-2024-49132

Windows

High

8.1

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138

Windows

High

7.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49112 

Microsoft Windows Lightweight Directory Access Protocol (LDAP)

This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action.

Remote Code Execution

CVE-2024-49117

Microsoft Windows Hyper-V

This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments.

Remote Code Execution

CVE-2024-49132

Microsoft Windows Remote Desktop Services

An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system.

Allows an attacker to execute remote code on systems using Remote Desktop Gateway

CVE-2024-49138

Windows Common Log File System Driver

This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability.

It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system.

Additional Critical Patches Address High-Severity Vulnerabilities

  • These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).

Remediation

  • Ensure all December 2024 Patch Tuesday updates are applied promptly.
  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Dec

Scroll to top