Critical vulnerabilites

Multiple High-Severity Vulnerabilities Patched in Zoom  

Summary 

Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.

The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).

All rated high severity with CVSS scores ranging from 7.1 to 8.5. 

OEM Zoom 
Severity High 
CVSS 8.5  
CVEs CVE-2025-27440, CVE-2025-27439, CVE-2025-0151,  CVE-2025-0150, CVE-2025-0149 
Publicly POC Available No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Heap-Based Buffer Overflow Vulnerability  CVE-2025-27440  ZOOM High 8.5 
Buffer Underflow Vulnerability  CVE-2025-27439  ZOOM High 8.5 
Use-After-Free Vulnerability CVE-2025-0151 ZOOM High  8.5 
Incorrect Behavior Order Vulnerability CVE-2025-0150 ZOOM High 7.1 
Insufficient Data Verification Vulnerability  CVE-2025-0149 ZOOM Medium 6.5 

Technical Summary 

These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-27440  Zoom Workplace Apps ( Windows, macOS, and Linux, as well as mobile apps for iOS and Android.)  Heap-based buffer overflow, allowing attackers to inject malicious code   Privilege Escalation 
 CVE-2025-27439  Zoom Workplace Apps Buffer underflow, leading to unexpected crashes or data leakage   Denial of Service, Data Exposure 
CVE-2025-0151    Zoom Workplace Apps  Use-after-free issue leading to memory corruption and arbitrary code execution   Privilege Escalation 
CVE-2025-0150  Zoom Workplace Apps (iOS) Incorrect behavior order allowing unauthorized access to authentication tokens   Information Disclosure 
CVE-2025-0149 Zoom Workplace Apps  Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks Denial of Service 

Remediation

  • Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.

Conclusion: 

The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.

Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data. 

Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.

References

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary 

Application OpenSSH 
Severity High 
CVSS 8.1 
CVEs CVE-2024-6387 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns. 

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Race Condition vulnerability   CVE-2024-6387  OpenSSH (8.5p1–9.8p1)  High  OpenSSH 9.8p2 or later 

Technical Summary 

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-6387 OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). Remote Code Execution (Root Privileges) 

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation

  • Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue. 
  • Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges. 
  • Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns. 

Indicators of Compromise (IOCs): 

IP Address / Hostname File Hash 
209.141.53[.]247 0df799f05c6d97e2b7d4b26c8e7246f7 
108.174.58[.]28 11cc5f00b466d4f9be4e0a46f2eb51ae 
195.85.205[.]47 1f452448cea986aedc88ba50d48691f7 
62.72.191[.]203 207eb58423234306edaecb3ec89935d8 
botbot.ddosvps.cc  

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387 

Conclusion: 

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks. 

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2024-6387 
  • https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-12-12

NO. of Vulnerabilities Patched

71

Actively Exploited

01

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 30 Remote Code Execution (RCE) Vulnerabilities
  • 27 Elevation of Privilege (EoP) Vulnerabilities
  • 7 Information Disclosure Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 1Defense-in-depth improvement
  • 1 Spoofing Vulnerabilities

The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Unauthenticated Remote Code Execution in Windows LDAP

CVE-2024-49112 

Windows

Critical

9.8

Remote Code Execution in Windows Hyper-V

CVE-2024-49117

Windows

High

8.8

Remote Code Execution via Use-After-Free in Remote Desktop Services

CVE-2024-49132

Windows

High

8.1

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138

Windows

High

7.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49112 

Microsoft Windows Lightweight Directory Access Protocol (LDAP)

This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action.

Remote Code Execution

CVE-2024-49117

Microsoft Windows Hyper-V

This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments.

Remote Code Execution

CVE-2024-49132

Microsoft Windows Remote Desktop Services

An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system.

Allows an attacker to execute remote code on systems using Remote Desktop Gateway

CVE-2024-49138

Windows Common Log File System Driver

This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability.

It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system.

Additional Critical Patches Address High-Severity Vulnerabilities

  • These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).

Remediation

  • Ensure all December 2024 Patch Tuesday updates are applied promptly.
  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.
Scroll to top