CISA

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Blogs

NIST & CISA Proposed Metric for Vulnerability Exploitation Probability

The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.

The new metric is “Likely Exploited Vulnerabilities” (LEV), that aims to close a key gap in vulnerability management.

This new data point can benefit the SecOps teams who are working to release an effective patch management strategy and address the development flaws.

NIST now wants members of cyber security community to come forward and validate the method as predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation.

However NIST proposed that predicting ones which is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts is important.

Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.

The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.

Importance of Metric for Vulnerability Exploitation Probability

Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.

Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.

It is found organizations would spend their limited resources patching that small but dangerous subset, but identifying them has proven difficult.

That’s where LEV comes in to assist organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.

In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.

The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.

The researchers outline four key ways LEV could be used:

1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.

Introducing the LEV Metric

Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.

LEV probabilities are designed to:

  • Estimate how many and which vulnerabilities are likely to have been exploited
  • Assess the completeness of the KEV catalog
  • Enhance KEV-based prioritization by identifying likely-exploited vulnerabilities not yet listed
  • Improve EPSS-based prioritization by correcting underestimations

Key Findings

The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.

For example:

  • CVE-2023-1730 (SupportCandy WordPress plugin SQL injection): before 3.1.5, the LEV probability was 0.70, while the peak EPSS score was 0.16.
  • CVE-2023-29373 (Microsoft ODBC Driver RCE – Remote Code Execution vulnerability): the LEV probability was 0.54350, while the peak EPSS probability was 0.08.

The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0. However, many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners as real-world validation is must for LEV to be a promising idea rather than a trusted tool.

NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.

Sources: https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/#:~:text=LEV%20aims%20to%20bridge%20that,%2C%20not%20replace%2C%20existing%20methods.

Blogs Cybersecurity News Security Advisory

Cyber Security News at a Glance; May 2025

For the month of May 2025 here are the Top News including Security Advisory & Blogs

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit

A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)

Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

Microsoft addressed 83 vulnerabilities across its product suite. Among them are 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.

11 vulnerabilities were rated critical, emphasizing the importance of timely remediation especially for enterprise environments.

5 non-Microsoft CVEs included

78 Microsoft CVEs addressed

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

CISA is officially changing the way it disseminates online security updates and guidance.

CISA says the enhanced information dissemination system will from now on use social media and email only to disperse cybersecurity alerts and advisories, saving its landing page for more critical warnings on May 12.

Updates on May 13

Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.

“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”

Social Media & emails as Medium to disperse Cybersecurity alerts; CISA

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 

A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. 

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 
Security Advisory

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 

Summary : A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.

OEM Google 
Severity Medium 
CVSS Score 4.3 
CVEs CVE-2025-4664 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Insufficient Policy Enforcement vulnerability  CVE-2025-4664 Google Chrome  Medium  136.0.7103.113/.114 (Win/Mac),  136.0.7103.113 (Linux) 

Technical Summary 

CVE-2025-4664 is a zero-day vulnerability found in the Chrome Loader component due to insufficient policy enforcement.

It enables remote attackers to bypass browser security controls using crafted HTML content, possibly leaking cross-origin data or achieving sandbox escape. The bug has been actively exploited in the wild.

A second high-severity flaw, CVE-2025-4609, was also addressed in this update, involving an incorrect handle in the Mojo IPC layer, which can lead to memory corruption or privilege escalation. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-4664  Chrome (Windows, Mac, Linux) Insufficient policy enforcement in Loader enables cross-origin data leaks via crafted HTML.  Data leakage, sandbox escape, potential code execution 

Remediation

  • Update Chrome: Google has released security updates to address these vulnerabilities. Users and administrators must apply the latest Chrome versions: 
  • Windows/macOS: Chrome 136.0.7103.113 /136.0.7103.114 or later 
  • Linux: Chrome 136.0.7103.113 or later 

Conclusion: 
The active exploitation of CVE-2025-4664 highlights the urgent need for rapid security response and patch management. With acknowledgment from CISA and public disclosure by @slonser_, this zero-day poses a real and present threat to users of Chrome and other Chromium-based browsers.

Organizations should take immediate action to patch affected systems and monitor for signs of compromise.

Regular browser updates and proactive vulnerability management are essential to mitigating such critical security risks. 

References

Blogs

Social Media & emails as Medium to disperse Cybersecurity alerts; CISA

CISA is officially changing the way it disseminates online security updates and guidance.

CISA says the enhanced information dissemination system will from now on use social media and email only to disperse cybersecurity alerts and advisories, saving its landing page for more critical warnings on May 12.

As per new rule IT admins and others who want to know are advised to sign up for CISA’s email notifications to stay informed.

Updates on May 13

Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.

“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”

Some updates will still be available via RSS, though users tracking the Known Exploited Vulnerabilities Catalog must subscribe to that topic through the GovDelivery email service.

Going forward, only high-priority alerts—those tied to emerging threats or major cyber activity—will be posted on the agency’s Cybersecurity Alerts and Advisories webpage. Routine updates and known vulnerabilities, which were previously published on the site, will now be distributed via email, RSS feeds, and X (formerly Twitter).

“The focus of our Cybersecurity Alerts & Advisories webpage will now be on urgent information tied to emerging threats or major cyber activity,” said CISA.

“CISA wants this critical information to get the attention it deserves and ensure it is easier to find.”

Shift in decentralized Cyber communication i.e. multi channel communication

The shift comes as federal agencies rethink the way they communicate with the public and key stakeholders amid both technological and political pressures. For enterprises, this marks a turning point in how they receive, interpret, and act on federal cybersecurity guidance.

The intent appears focused on reducing information overload and sharpening visibility of alerts that signal active or imminent cyber danger.

 The announcement also said that security teams must ensure they’re subscribed to the correct GovDelivery topics, particularly for high-risk categories like the Known Exploited Vulnerabilities (KEV) Catalog.

How can enterprise proactively respond to alerts?

Enterprises and organisations now need to build and maintain multi-channel alert pipelines that ensure no critical update slips through the cracks. This will involve integrating email subscription systems, real-time RSS feeds, and authenticated social media monitoring into their security operations centers (SOCs). 

Security teams of various enterprise now must reevaluate their incident response protocols. In doing this they must align with the new metre and distribution of federal cybersecurity alerts.

This will help organizations as they place sharper emphasis on emerging threats and allow routine alerts to flow through alternative channels.

Critics have earlier warned how relying on a single private platform, especially one known for algorithmic unpredictability, introduce gaps in information access when high incidents takes place.

Sources: ALERT: CISA revamps how it disperses security advisories and updates starting today | Cybernews

Security Advisory

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

Summary : SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.

OEM  SAP 
Severity  Critical 
Date of Announcement  2025-05-13 
No. of Vulnerabilities Patched  16 
Actively Exploited  Yes 
Exploited in Wild  Yes 
Advisory Version  1.0 

Overview 

The most severe issue, CVE-2025-31324 (CVSS 10.0), is a critical unauthenticated file upload vulnerability that has been exploited in the wild since January 2025 for remote code execution (RCE). 

This issue was originally addressed in an SAP security note issued on April 24, 2025, and has since been supplemented by a second vulnerability, CVE-2025-42999, involving insecure deserialization.

These vulnerabilities have been used together in chained attacks to gain full system access on vulnerable SAP NetWeaver servers. 

Vulnerability Name  CVE ID  Product Affected  Severity  CVSS Score 
Unauthenticated File Upload (RCE)  CVE-2025-31324  SAP NetWeaver  Critical  10.0 
Insecure Deserialization (RCE)  CVE-2025-42999  SAP NetWeaver  Critical  9.1 

Technical Summary 

Attackers have leveraged two flaws in SAP NetWeaver Visual Composer in chained exploit scenarios to gain unauthorized remote access and execute arbitrary commands.

CVE-2025-31324 enables unauthenticated file uploads, and CVE-2025-42999 allows privileged users to exploit insecure data deserialization for command execution.

These vulnerabilities have impacted hundreds of internet-facing SAP instances, including systems operated by major enterprises. 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2025-31324  SAP NetWeaver Visual Composer  Unauthenticated file upload vulnerability in development server.  Remote Code Execution (RCE) without privileges 
CVE-2025-42999  SAP NetWeaver Visual Composer  Insecure deserialization in Visual Composer user-accessible function.  Remote Code Execution (RCE) without privileges 

Source: SAP 

In addition to the actively exploited vulnerabilities, several other High Severity Vulnerabilities were also addressed: 

  • CVE-2025-30018: SAP Supplier Relationship Management (Live Auction Cockpit) – Multiple vulnerabilities (CVSS 8.6) 
  • CVE-2025-43010: SAP S/4HANA Cloud Private Edition / On Premise (SCM Master Data Layer) – Code injection (CVSS 8.3) 
  • CVE-2025-43000: SAP Business Objects Business Intelligence Platform (PMW) – Information disclosure (CVSS 7.9) 
  • CVE-2025-43011: SAP Landscape Transformation (PCL Basis) – Missing authorization check (CVSS 7.7) 
  • CVE-2024-39592: SAP PDCE – Missing authorization check (CVSS 7.7) 

Remediation

  • Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks from CVE-2025-42999 and other high-severity vulnerabilities, including CVE-2025-31324, along with additional security improvements across various SAP products. 

General Recommendations: 

  • Disable Visual Composer Service: If possible, disable the Visual Composer service to further reduce risk. 
  • Restrict Access to Metadata Upload Functions: Limit access to the metadata uploader to trusted users to prevent unauthorized file uploads. 
  • Monitor for Suspicious Activity: Continuously monitor the SAP NetWeaver environment for any signs of suspicious activity related to the vulnerabilities. 

Conclusion: 

  • The dual exploitation of CVE-2025-31324 and CVE-2025-42999 underscores the critical need for proactive patching and vigilant monitoring of enterprise SAP environments.
  • The vulnerabilities are being exploited by sophisticated threat actors, including the Chinese APT group Chaya_004, with over 2,000 exposed NetWeaver instances and hundreds already compromised. 
  • In response to the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog and has mandated federal agencies to remediate by May 20, 2025, under Binding Operational Directive 22-01. Organizations are strongly urged to act immediately to protect their SAP environments. 

References

 

 

Blogs Cybersecurity News

CISA’s Support for MITRE CVE, CWE programs Extended. 

Contract extension by CISA for MITRE CVE, CWE program prevents shutdown providing sign of relief for Cybersecurity community.

The CVE Program is the primary way software vulnerabilities are tracked maintained by MITRE. Recently the contract between MITRE, a non-profit research and development group including  the U.S. Department of Homeland Security (DHS) to operate the CVE program, was about to expire on April 16, 2025, with no renewal in place.

This created panic in cyber security world as the CVE Program was about  to expire. The United States Cyber security and Infrastructure Security Agency (CISA), stepped in during the last minute and renewed its funding for the software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program(CVE).

CISA ensured that the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs did not lapse.

Renewal of Contract with MITRE & Last Minute Rescue by CISA

‘The contract with MITRE is being extended for 11 months said a CISA’ spokesman..The importance of CVE Program is a focal point for cybersecurity program that is provides critical data and services for digital defense and research.

During the last minute when the contract was about to expire on tuesday night, the United States Cybersecurity and Infrastructure Security Agency (CISA) renewed its funding for the longtime software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program.

MITRE’s vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that “CISA identified incremental funding to keep the Programs operational.” With the clock ticking down before this decision came out, some members of the CVE Program’s board announced a plan to transition the project into new non profit entity called the CVE Foundation.

The CVE program is of prime importance for the entire cyber security community and CISA, the very reason for extending support so that there is no lapse in critical CVE services.

The extension will bring in a sense of security for cyber sec professionals, vendors, and government agencies worldwide can continue to rely on the CVE program for coordinated vulnerability tracking and response.

Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract. 

Over the years there has been doubt among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor. The foundation has also written about its concern.

The cyber security community that includes researchers and cyber professionals were relieved on Wednesday, as the news flashed about the CVE Program hadn’t suddenly ceased to exist as the result of unprecedented instability in US federal funding.

Not only the US but every organization and every security tool is dependent on the CVE program and despite CISA’s last-minute funding, the future of the CVE Program is still unclear.

What makes the CVE program vital for cyber-security community?

Considering the importance of the CVE program, it should be fully funded to conduct job meant for its mission and well resourced.

On its 25th anniversary, the CVE Program continues playing vital role in global cybersecurity by identifying, defining, and cataloging publicly disclosed vulnerabilities. There is one CVE Record for each vulnerability in the catalog.

The vulnerabilities are discovered, then assigned and published by organizations globally that have partnered with the CVE Program

Lets wait for the 11 months contract funding that has been extended by CISA. Still the question remains about sustainability and neutrality of having a prominent globally recognized resource like CVE tied to a single government sponsor.

Sources: CISA Provides Last-Minute Support to Keep CVE Program Running

https://www.wired.com/story/cve-program-cisa-funding-chaos

Security Advisory

PoC Released for High-Severity Linux Kernel UVC Driver Vulnerability

OEMLinux
SeverityHIGH
CVSS7.8
CVEsCVE-2024-53104
Actively ExploitedYes
Publicly POC AvailableYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

CVE-2024-53104 is a high-severity out-of-bounds write vulnerability in the Linux kernel’s USB Video Class (UVC) driver, leading to privilege escalation. The issue affects Linux kernel versions 2.6.26 and later. The vulnerability has gained renewed attention as a proof-of-concept (PoC) exploit has now been publicly released, increasing the risk of exploitation. A patch has been released to address this vulnerability, but unpatched systems remain at high risk.

Vulnerability NameCVE IDProduct AffectedSeverity
  out-of-bounds write vulnerability  CVE-2024-53104  Linux Kernel    High

Technical Summary

The vulnerability exists in the uvc_parse_format function of the UVC driver (uvc_driver.c). It arises due to improper parsing of UVC_VS_UNDEFINED frames, leading to incorrect buffer allocation and out-of-bounds writes.

An attacker could exploit this flaw by inserting a malicious USB device or manipulating video streams, potentially leading to memory corruption, privilege escalation, or arbitrary code execution.

CVE IDSystem AffectedVulnerability DetailsImpact
  CVE-2024-53104    Linux Kernel (2.6.26 and later)  Incorrect parsing of UVC_VS_UNDEFINED frames in uvc_parse_format, leading to miscalculated buffer sizes and memory corruption.    Privilege escalation, system instability, arbitrary code execution  

Remediation:

  • Apply Security Patches: Ensure that the latest security patches provided by the Linux distribution maintainers are promptly applied to mitigate vulnerability.

Recommendations

  • Implement USB Device Control Policies: Organizations should establish and enforce USB device control policies to prevent unauthorized usage and ensure only approved devices can be connected.
  • Deploy Log Monitoring and Analysis Tools: Implement security monitoring tools to continuously monitor logs for potential security incidents, such as exploitation attempts or suspicious activity.

Conclusion:

CVE-2024-53104 is a major vulnerability that poses a substantial risk to Linux systems since it allows for privilege escalation and arbitrary code execution. Users and administrators are strongly urged to apply the latest security patches to mitigate the risk of exploitation. Additionally, implementing a multi-layered security approach can further enhance system protection.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) list, emphasizing the need for immediate remediation.

CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.

References:

Security Advisory

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems 

CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2018-8639 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview on Vulnerability

The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat. 

Vulnerability Name CVE ID Product Affected Severity 
 Privilege Escalation Vulnerability  CVE-2018-8639  Windows  High 

Technical Summary 

The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.

Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2018-8639 Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019  Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation. System compromise, unauthorized access, potential malware persistence 

Remediation

  • Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk. 
  • Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.  

General Recommendations: 

  • Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches. 
  • Adopting the principle of least privilege (PoLP) to limit user access. 
  • Continuous monitoring of anomalous kernel-mode activities. 

Conclusion: 

Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2018-8639  
  • https://github.com/ze0r/CVE-2018-8639-exp 

Security Advisory

Palo Alto Firewall Vulnerabilities Under Active Exploitation 

An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.

Summary 

OEM Palo Alto 
Severity High 
Date of Announcement 2025-02-19 
CVEs CVE-2025-0108 
CVSS Score 8.8 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.

This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
 Authentication Bypass Vulnerability  CVE-2025-0108  Pan OS         High PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 

Technical Summary 

This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations. 

Vulnerability Name Details Severity Impact 
 Authentication Bypass Vulnerability  This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111.         High Root access of the affected system, unauthorized file exfiltration. 

Recommendations 

  • Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately. 

Here are the details of the required upgrades: 

Version Updated Version 
PAN-OS 11.2 Upgrade to 11.2.4-h4 or later 
PAN-OS 11.1 Upgrade to 11.1.6-h1 or later 
PAN-OS 10.2 Upgrade to 10.2.13-h3 or later 
PAN-OS 10.1 Upgrade to 10.1.14-h9 or later 

General Recommendations 

  • Restrict access to PAN-OS management interfaces to trusted IPs only. 
  • Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions. 
  • Follow best practices for firewall security, including network segmentation and regular vulnerability assessments. 
  • Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity. 

Conclusion 

The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat. 

The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.

References

  • https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/ 
  • https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise   

Scroll to top