Zero-Day Threats Addressed in Microsoft’s March 2025 Patch Tuesday
Patch Tuesday
Continue ReadingAttackers
Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately
Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.
Continue Reading
Critical WordPress Security Flaw in Everest Forms Plugin
UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin
Palo Alto Firewall Vulnerabilities Under Active Exploitation
An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.
Summary
| OEM | Palo Alto |
| Severity | High |
| Date of Announcement | 2025-02-19 |
| CVEs | CVE-2025-0108 |
| CVSS Score | 8.8 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.
This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-0108 | Pan OS | High | PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 |
Technical Summary
This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations.
| Vulnerability Name | Details | Severity | Impact |
| Authentication Bypass Vulnerability | This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111. | High | Root access of the affected system, unauthorized file exfiltration. |
Recommendations
- Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately.
Here are the details of the required upgrades:
| Version | Updated Version |
| PAN-OS 11.2 | Upgrade to 11.2.4-h4 or later |
| PAN-OS 11.1 | Upgrade to 11.1.6-h1 or later |
| PAN-OS 10.2 | Upgrade to 10.2.13-h3 or later |
| PAN-OS 10.1 | Upgrade to 10.1.14-h9 or later |
General Recommendations
- Restrict access to PAN-OS management interfaces to trusted IPs only.
- Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions.
- Follow best practices for firewall security, including network segmentation and regular vulnerability assessments.
- Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity.
Conclusion
The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat.
The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.
References:
- https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise
Authentication Bypass Vulnerability in FortiOS & FortiProxy
Summary
A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2025-24472 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS FortiProxy | Critical | FortiOS v7.0 – v7.0.16 FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 |
Technical Summary
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-24472 | An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands |
Recommendations:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below
| Version | Fixes and Releases |
| FortiOS 7.0 – 7.0.16 | Upgrade to 7.0.17 or latest version |
| FortiProxy 7.0 – 7.0.19 | Upgrade to 7.0.20 or latest version |
| FortiProxy 7.2 – 7.2.12 | Upgrade to 7.2.13 or latest version |
Workarounds:
Below are some workarounds provided by the Fortinet team.
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface via local-in policies
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”
References:
Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days
Summary
Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.
Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-02-11 |
| No. of Vulnerabilities Patched | 67 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.
- 63 Microsoft CVEs addressed
- 4 non-Microsoft CVEs included
The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2025-21418 | Windows | High | 7.8 |
| Windows Storage Elevation of Privilege Vulnerability | CVE-2025-21391 | Windows | High | 7.1 |
| Microsoft Surface Security Feature Bypass Vulnerability | CVE-2025-21194 | Windows | High | 7.1 |
| NTLM Hash Disclosure Spoofing Vulnerability | CVE-2025-21377 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21418 | Windows server and Windows 10 & 11 | Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed. | Unauthorized access with SYSTEM privileges. |
| CVE-2025-21391 | Windows server and Windows 10 & 11 | Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data. | Deletion of critical data, leading to service disruption. |
| CVE-2025-21194 | Microsoft Surface | Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware. | Bypass of security features, potentially compromising system integrity. |
| CVE-2025-21377 | Windows server and Windows 10 & 11 | NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks. | Potential for attackers to authenticate as the user, leading to unauthorized access. |
Source: Microsoft
In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:
- CVE-2025-21376: A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability that could allow attackers to execute arbitrary code remotely.
- CVE-2025-21379: A DHCP Client Service RCE vulnerability that may enable remote attackers to execute code with elevated privileges.
- CVE-2025-21381: An RCE vulnerability in Microsoft Excel that could be triggered through malicious spreadsheet files.
Remediation:
- Apply Updates: Immediately install the February 2025 Patch Tuesday updates to address these vulnerabilities.
Conclusion:
The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.
The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.
References:
Zero-Day Vulnerability in Microsoft Sysinternals Tools
Summary
A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 2025-02-05 |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability Name | Zero-Day |
Overview
Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| zero-day | Not Yet Assigned | Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others) | High | Arbitrary Code Execution, Privilege Escalation, Malware Deployment |
Technical Summary
The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories.
The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as:
- The Current Working Directory (CWD)
- Network locations (e.g., shared drives)
- User-writable paths over secure system directories
This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL.
Exploit Workflow
- Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan.
- The DLL is placed in the same directory as a vulnerable Sysinternals tool.
- The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory.
- The malicious DLL is loaded instead of the legitimate system DLL.
- Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights).
Recommendations
- Avoid Running Sysinternals Tools from Network Locations
- Always copy tools to a local trusted directory before execution.
- Disable execution of .exe files from network drives if feasible.
- Restrict DLL Search Paths
- Use SafeDLLSearchMode to prioritize secure directories.
- Implement DLL redirection to force tools to load DLLs from trusted paths.
- Implement Application Control Policies
- Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading.
- Restrict execution of Sysinternals tools to trusted admin-only directories.
- Verify DLL Integrity Before Execution
- Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed.
- Block execution of unsigned or suspicious DLLs in sensitive directories.
- Monitor for Suspicious DLL Loading Behavior
- Enable Sysmon logging to detect anomalous DLL loads (Event ID 7).
- Monitor for executions of Sysinternals tools from network shares (Event ID 4688).
Conclusion
Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.
The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems.
References:
Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities
Summary
Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.
Key take away:
- Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
- Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
- This marks highest number of fixes in a single month since at least 2017.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-01-14 |
| No. of Vulnerabilities Patched | 159 |
| Actively Exploited | yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:
- 58 Remote Code Execution (RCE) Vulnerabilities
- 40 Elevation of Privilege (EoP) Vulnerabilities
- 22 Information Disclosure Vulnerabilities
- 20 Denial of Service (DoS) Vulnerabilities
- 14 Security Feature Bypass
- 5 Spoofing Vulnerabilities
The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Elevation of privilege vulnerability | CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows | High | 7.8 |
| Elevation of Privilege Vulnerability | CVE-2025-21275 | Windows | High | 7.8 |
| Remote Code Execution Vulnerability | CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Windows | High | 7.8 |
| Spoofing Vulnerability | CVE-2025-21308 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel | No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously. | Allow attackers to gain SYSTEM privileges |
| CVE-2025-21275 | Windows App Package Installer | Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges. | Attackers could gain SYSTEM privileges |
| CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Microsoft Access | Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents. | Remote Code Execution |
| CVE-2025-21308 | Windows Themes | Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft. | NTLM credential theft |
Source: Microsoft
Additional Critical Patches Address High-Severity Vulnerabilities
- Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370).
- Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311).
- Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298).
Remediation:
- Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities.
- Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.
- Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access.
Conclusion:
The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.
References:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan
Critical Windows Privilege Escalation Vulnerability with Public Exploit
Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.
Summary
| OEM | Microsoft |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2024-43641 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Windows Registry Elevation of Privilege Vulnerability | CVE-2024-43641 | Windows | High |
Technical Summary
The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows:
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-43641 | Windows 10, Windows 11, Windows Server 2008–2025 | The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition. | Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity. |
Remediation:
- Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates.
- Monitor Activity:
- Monitor logs for suspicious activity related to registry operations.
- The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild.
Conclusion:
CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat.
References: