CXO

Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately 

Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.

Continue Reading

High-Severity DoS Vulnerability in Cisco NX-OS Software

MPLS Encapsulated IPv6 Denial of Service Vulnerability

OEM CISCO 
Severity High 
CVSS score 7.4 
CVEs CVE-2025-20111 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A high-severity vulnerability (CVE-2025-20111) in Cisco Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode could allow unauthenticated attackers to trigger a denial-of-service (DoS) condition by sending crafted ethernet frames, leading to unexpected device reloads. 

Vulnerability Name CVE ID Product Affected Severity 
 Denial of service vulnerability  CVE-2025-20111   Cisco Nexus   High 

Technical Summary 

The vulnerability originates from improper handling of specific Ethernet frames within the health monitoring diagnostics of Cisco Nexus switches.

An unauthenticated, adjacent attacker can exploit this flaw by sending a sustained rate of crafted Ethernet frames to a vulnerable device. Successful exploitation results in repeated device reloads, disrupting network operations and potentially impacting high-availability environments. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-20111  Nexus 3000 Series: 3100, 3200, 3400, and 3600 models Nexus 9000 Series: 9200, 9300, and 9400 switches running standalone NX-OS Improper handling of specific Ethernet frames in health monitoring diagnostics  Repeated device reboots, potential network downtime  

Remediation

  • Apply Software Updates: Cisco has released patched software versions to address the vulnerability. Network administrators should upgrade affected devices immediately. 
  • Use Cisco Software Checker: Organizations should verify their exposure using Cisco’s Software Checker tool to identify the earliest fixed release. 
  • Implement Workarounds: If immediate patching is not feasible, organizations can mitigate risks using Access Control Lists (ACLs) to filter anomalous Ethernet frames targeting the health monitoring subsystem. 

Conclusion: 

CVE-2025-20111 presents a significant risk to enterprise and data center networks relying on Cisco Nexus switches. While there is no known active exploitation, organizations should prioritize patching and mitigation strategies to prevent service disruptions. Proactive monitoring and adherence to Cisco’s security advisories will help ensure network resilience against potential exploitation. 

References: 

Critical WordPress Security Flaw in Everest Forms Plugin 

UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin

Continue Reading

Palo Alto Firewall Vulnerabilities Under Active Exploitation 

An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.

Summary 

OEM Palo Alto 
Severity High 
Date of Announcement 2025-02-19 
CVEs CVE-2025-0108 
CVSS Score 8.8 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.

This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
 Authentication Bypass Vulnerability  CVE-2025-0108  Pan OS         High PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 

Technical Summary 

This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations. 

Vulnerability Name Details Severity Impact 
 Authentication Bypass Vulnerability  This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111.         High Root access of the affected system, unauthorized file exfiltration. 

Recommendations 

  • Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately. 

Here are the details of the required upgrades: 

Version Updated Version 
PAN-OS 11.2 Upgrade to 11.2.4-h4 or later 
PAN-OS 11.1 Upgrade to 11.1.6-h1 or later 
PAN-OS 10.2 Upgrade to 10.2.13-h3 or later 
PAN-OS 10.1 Upgrade to 10.1.14-h9 or later 

General Recommendations 

  • Restrict access to PAN-OS management interfaces to trusted IPs only. 
  • Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions. 
  • Follow best practices for firewall security, including network segmentation and regular vulnerability assessments. 
  • Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity. 

Conclusion 

The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat. 

The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.

References

  • https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/ 
  • https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise   

Authentication Bypass Vulnerability in FortiOS & FortiProxy 

Summary 

A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.

OEM Fortinet 
Severity Critical 
CVSS 9.6 
CVEs CVE-2025-24472 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Authentication Bypass Vulnerability CVE-2025-24472 FortiOS FortiProxy Critical  FortiOS v7.0 – v7.0.16   FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 

Technical Summary 

CVE ID Vulnerability Details Impact 
  CVE-2025-24472   An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests.   Execute unauthorized code or commands 

Recommendations

  • Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below 
Version Fixes and Releases 
FortiOS 7.0 – 7.0.16 Upgrade to 7.0.17 or latest version 
FortiProxy 7.0 – 7.0.19 Upgrade to 7.0.20 or latest version 
FortiProxy 7.2 – 7.2.12 Upgrade to 7.2.13 or latest version 

Workarounds: 

Below are some workarounds provided by the Fortinet team. 

  • Disable HTTP/HTTPS administrative interface 
  • Limit IP addresses that can reach the administrative interface via local-in policies 

According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”

References: 

Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days 

Summary

Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.  

Microsoft  issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-02-11
No. of Vulnerabilities Patched 67 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks. 

  • 63 Microsoft CVEs addressed 
  • 4 non-Microsoft CVEs included 

The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability CVE-2025-21418 Windows High 7.8 
Windows Storage Elevation of Privilege Vulnerability  CVE-2025-21391 Windows High 7.1 
Microsoft Surface Security Feature Bypass Vulnerability CVE-2025-21194 Windows High  7.1 
NTLM Hash Disclosure Spoofing Vulnerability CVE-2025-21377 Windows Medium  6.5 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21418  Windows server and Windows 10 & 11  Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed.    Unauthorized access with SYSTEM privileges.  
  CVE-2025-21391  Windows server and Windows 10 & 11 Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data.    Deletion of critical data, leading to service disruption. 
  CVE-2025-21194    Microsoft Surface    Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware.    Bypass of security features, potentially compromising system integrity. 
 CVE-2025-21377  Windows server and Windows 10 & 11 NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks.   Potential for attackers to authenticate as the user, leading to unauthorized access. 

Source:  Microsoft       

In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed: 

  • CVE-2025-21376: A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability that could allow attackers to execute arbitrary code remotely. 
  • CVE-2025-21379: A DHCP Client Service RCE vulnerability that may enable remote attackers to execute code with elevated privileges. 
  • CVE-2025-21381: An RCE vulnerability in Microsoft Excel that could be triggered through malicious spreadsheet files. 

Remediation

  • Apply Updates: Immediately install the February 2025 Patch Tuesday updates to address these vulnerabilities. 

Conclusion: 

The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity. 

The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.

References

Apple’s USB Restricted Mode Exploited in Targeted Attacks 

OEM Apple 
Severity High 
CVSS Not Assigned 
CVEs CVE-2025-24200   
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

Apple has issued emergency security patches to mitigate a zero-day vulnerability, CVE-2025-24200, which has been actively exploited in sophisticated attacks targeting specific individuals. The flaw allows attackers to bypass USB Restricted Mode on a locked device, potentially exposing sensitive data. Initially identified by The Citizen Lab, this vulnerability is believed to have been leveraged in real-world scenarios against high-profile targets. Apple has responded by enhancing state management in iOS 18.3.1 and iPadOS 18.3.1 to prevent exploitation. 

Vulnerability Name CVE ID Product Affected Severity 
 USB Restricted Mode Bypass Vulnerability  CVE-2025-24200  Apple  High 

Technical Summary 

The vulnerability, tracked as CVE-2025-24200, affects USB Restricted Mode, a security feature introduced in 2018 to prevent data transfer over USB when a device remains locked for seven days. A flaw in the Accessibility framework allows an attacker with physical access to disable USB Restricted Mode, bypassing this protection and potentially accessing sensitive data. 

Apple has mentioned “This issue has been exploited in extremely sophisticated attacks against specific individuals.” The vulnerability was discovered by Bill Marczak, a senior researcher at The Citizen Lab. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-24200 iPhone XS and later iPad Pro (13-inch) iPad Pro 12.9-inch (3rd generation and later) iPad Pro 11-inch (1st generation and later) iPad Air (3rd generation and later) iPad (7th generation and later) iPad mini (5th generation and later) A flaw in the Accessibility framework allows a physical attacker to disable USB Restricted Mode, bypassing protections designed to prevent unauthorized data transfer.   Unauthorized access to sensitive data 

Remediation

  1. Users are strongly advised to update their devices to the latest versions: 
  • iOS: Update to version 18.3.1 
  • iPadOS: Update to version 18.3.1 
  1. To update your device, go to Settings > General > Software Update, and follow the on-screen instructions. 

Conclusion 

The CVE-2025-24200 vulnerability poses a serious risk to device security, particularly for individuals targeted in sophisticated cyberattacks. While the exploitation has been limited to specific individuals, all users of affected devices should install the latest updates immediately to mitigate potential risks. Apple remains committed to user security by addressing vulnerabilities promptly and ensuring continuous protection against emerging threats. 

References: 

Active Exploitation of Microsoft Outlook RCE Vulnerability (CVE-2024-21413) 

A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.

CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.

OEM Microsoft 
Severity Critical 
CVSS 9.8 
CVEs CVE-2024-21413 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2024-21413  Microsoft  Critical 

Technical Summary 

The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files. 

By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-21413 Microsoft Office LTSC 2021, Microsoft 365 Apps, 
Microsoft Outlook 2016, Microsoft Office 2019   
Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks.  NTLM credential theft, remote code execution, potential full system compromise  

Remediation

  1. Apply Security Patches: Ensure that all the Microsoft Office products are updated with the latest security patches. 
  1. Disable NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft. 

General Remediation: 

  1. Monitor Network Activity: Watch unusual outbound connections to attacker-controlled servers. 
  1. User Awareness Training: Educate employees on recognizing phishing attempts and avoiding click on suspicious links or attachments. 
  1. Enable Advanced Threat Protection: Use security tools like Microsoft Defender to enhance security monitoring and detection. 
  1. Regularly Update Software: Maintain a routine patching schedule to ensure all systems are protected against known vulnerabilities. 
  1. Restrict Macros and External Content: Configure Microsoft Office to block macros and disable automatic external content execution. 

Conclusion: 

The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action. 

References: 

Zero-Day Vulnerability in Microsoft Sysinternals Tools  

Summary 

A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.

OEM Microsoft 
Severity High 
Date of Announcement 2025-02-05 
CVEs Not Yet Assigned 
Exploited in Wild No 
Patch/Remediation Available No 
Advisory Version 1.0 
Vulnerability Name Zero-Day  

Overview 

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw. 

Vulnerability Name CVE ID Product Affected Severity Impact 
            zero-day  Not Yet Assigned Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others)          High Arbitrary Code Execution, Privilege Escalation, Malware Deployment 

Technical Summary 

The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories. 

The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as: 

  • The Current Working Directory (CWD) 
  • Network locations (e.g., shared drives) 
  • User-writable paths over secure system directories 

This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL. 

Exploit Workflow 

  1. Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan. 
  1. The DLL is placed in the same directory as a vulnerable Sysinternals tool. 
  1. The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory. 
  1. The malicious DLL is loaded instead of the legitimate system DLL. 
  1. Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights). 

Recommendations 

  1. Avoid Running Sysinternals Tools from Network Locations 
  • Always copy tools to a local trusted directory before execution. 
  • Disable execution of .exe files from network drives if feasible. 
  1. Restrict DLL Search Paths 
  • Use SafeDLLSearchMode to prioritize secure directories. 
  • Implement DLL redirection to force tools to load DLLs from trusted paths. 
  1. Implement Application Control Policies 
  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading. 
  • Restrict execution of Sysinternals tools to trusted admin-only directories. 
  1. Verify DLL Integrity Before Execution 
  • Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed. 
  • Block execution of unsigned or suspicious DLLs in sensitive directories. 
  1. Monitor for Suspicious DLL Loading Behavior 
  • Enable Sysmon logging to detect anomalous DLL loads (Event ID 7). 
  • Monitor for executions of Sysinternals tools from network shares (Event ID 4688). 

Conclusion 

Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.

The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 

References

Scroll to top