Cybersecurity

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM	Microsoft
Severity	Critical
CVSS Score	7.8
CVE	CVE-2024-49138
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0
Publicly POC Available	Yes

Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name	CVE ID	Product Affected	Severity
CLFS Privilege Escalation	CVE-2024-49138	Microsoft Windows	High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-49138	Windows 10, Windows 11, Windows Server 2008–2025	Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.	Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

Update Systems: Apply Microsoft’s December 2024 patches without delay.
Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

https://securityonline.info/zero-day-vulnerability-in-windows-exploited-cve-2024-49138-poc-code-released/
https://github.com/MrAle98/CVE-2024-49138-POC?tab=readme-ov-file
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49138
https://intruceptlabs.com/2024/12/microsoft-december-2024-patch-tuesday-critical-fixes-for-zero-day-and-remote-code-execution/

Privilege Escalation Vulnerability in ComboBlocks Plugin Affects Thousands of Sites

A critical vulnerability in the ComboBlocks WordPress plugin (formerly Post Grid and Gutenberg Blocks) exposes over 40,000 websites to potential complete takeover by unauthenticated attackers. This vulnerability exists due to improper handling of user meta during the registration process, enabling privilege escalation. It affects versions 2.2.85 to 2.3.3 and has been addressed in version 2.3.4.

OEM	WordPress
Severity	Critical
Date of Announcement	2025-01-17
CVSS score	9.8
CVE	CVE-2024-9636
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

ComboBlocks, a plugin designed to enhance website design and functionality, was found to have a critical security flaw (CVE-2024-9636) that could allow unauthenticated attackers to register as administrators, granting them full control over the affected websites.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Unauthenticated Privilege Escalation Vulnerability	CVE-2024-9636	ComboBlocks WordPress Plugin	Critical	9.8

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-9636	ComboBlocks plugin (2.2.85 - 2.3.3)	The vulnerability stems from improper restriction of user meta updates during profile registration. This flaw allows unauthenticated attackers to register as administrators, granting them full control over the website.	Complete website takeover and malware injection.

Remediations

Update Plugin: Immediately update the ComboBlocks plugin to version 2.3.4 or later.
Review Administrative Accounts:

Audit all user accounts with administrative privileges.
Revoke any unauthorized access.

Enhance Security Posture:

Enable multi-factor authentication (MFA) for all admin accounts.
Restrict user permissions based on the principle of least privilege.
Use a web application firewall (WAF) to filter and block malicious traffic.

Monitor and Log Activity:

Activate detailed logging for user registration and privilege changes.
Configure alerts for unusual activity, such as mass registrations or privilege escalations.

Implement Preventative Measures:

Regularly update all plugins and themes.
Backup the WordPress site frequently to ensure quick recovery in case of any compromise.

References

Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities

Summary

Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.

Key take away:

Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
This marks highest number of fixes in a single month since at least 2017.

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-01-14
No. of Vulnerabilities Patched	159
Actively Exploited	yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:

58 Remote Code Execution (RCE) Vulnerabilities

40 Elevation of Privilege (EoP) Vulnerabilities

22 Information Disclosure Vulnerabilities

20 Denial of Service (DoS) Vulnerabilities

14 Security Feature Bypass

5 Spoofing Vulnerabilities

The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Elevation of privilege vulnerability	CVE-2025-21333, CVE-2025-21334, CVE-2025-21335	Windows	High	7.8
Elevation of Privilege Vulnerability	CVE-2025-21275	Windows	High	7.8
Remote Code Execution Vulnerability	CVE-2025-21186,CVE-2025-21366, CVE-2025-21395	Windows	High	7.8
Spoofing Vulnerability	CVE-2025-21308	Windows	Medium	6.5

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335	Windows Hyper-V NT Kernel	No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously.	Allow attackers to gain SYSTEM privileges
CVE-2025-21275	Windows App Package Installer	Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges.	Attackers could gain SYSTEM privileges
CVE-2025-21186,CVE-2025-21366, CVE-2025-21395	Microsoft Access	Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents.	Remote Code Execution
CVE-2025-21308	Windows Themes	Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft.	NTLM credential theft

Source: Microsoft

Additional Critical Patches Address High-Severity Vulnerabilities

Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370).

Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311).

Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298).

Remediation:

Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities.

Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.

Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access.

Conclusion:

The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Banshee Stealer: A Growing Threat to macOS Users

Overview

Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS.

Key Threat Details:

Malware Capabilities:

Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security.

User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access.

Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging.

C&C decryption Source: Cybersecurity News

Evasion Tactics:

Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems.

Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods.

Distribution Mechanisms:

Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files.

Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware.

Repository releases source: Cybersecurity News

Recent Developments:

Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally.

Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape.

Impact:

Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses.

Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications.

Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide.

Indicators of Compromise (IOCs):

The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link .

IP Address and Domain	File Hash
41.216.183[.]49	00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93
Alden[.]io	1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416
api7[.]cfd	3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab
Authorisev[.]site	b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114

Recommendations:

To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures:

Avoid Untrusted Downloads:

Refrain from downloading software from unverified sources, particularly free or “cracked” versions.

Verify the authenticity of GitHub repositories before downloading any files.

Strengthening System Defenses:

Regularly update macOS and all installed applications to patch known vulnerabilities.

Deploy advanced security solutions with real-time threat detection and proactive intelligence.

Enhance Awareness and Training:

Educate users on identifying phishing websites and suspicious downloads.

Encourage caution when responding to system prompts or entering credentials.

Enable Two-Factor Authentication (2FA):

Secure accounts with 2FA to minimize the impact of stolen credentials.

Monitor System Activity:

Regularly review system logs for unauthorized changes or suspicious activity.

Use tools to monitor unexpected outgoing data transmissions.

Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.

Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early.

Conclusion:

The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats.

References:

https://blog.checkpoint.com/research/cracking-the-code-how-banshee-stealer-targets-macos-users/

https://cybersecuritynews.com/banshee-malware-targets-macos/#google_vignette

https://otx.alienvault.com/pulse/677fe682d3832164346deca1

Cybersecurity Trends for 2025; Responsible AI to gain Importance

Cyber security trends as per research and data available shows that responsible AI will gain importance with more public scrutiny of risks growing along with remediation practices. Organizations will now require to balance taking risks with AI and having rapid remediation strategies available.

As per experts the areas that will get attention will be cloud security and data location. In 2025, new laws may require that sensitive data stay within national borders, affecting how companies manage and store data across regions. As businesses and critical services become increasingly dependent on cloud services, some countries may prioritize cloud availability in national emergency plans, recognizing that stable cloud access is mandatory for crisis management. This shift could lead towards the establishment of a new program like Cloud Service Priority (CSP), treating cloud infrastructure as important as utilities like electricity and telecoms.

How organization need to prepare themselves as big and small businesses and brands will see dramatically increased risks, as bad actors using AI will launch convincing impersonation attacks. This will make it easier with higher accuracy than ever to fool customers and clients.

Key Cyber Security Trends of 2025

As organization navigate through 2025 we will witness that threat actors will increasingly use AI for sophisticated phishing, vishing, and social engineering attacks.

Gen-AI

Generative AI is driving an unprecedented surge in cyber fraud, with nearly 47% of organisations identifying adversarial AI-powered attacks as their primary concern, according to the World Economic Forum’s Global Cybersecurity Outlook 2025.

Due to technological advancements the Cyberspace is growing more complex due to technological advancements as they are interconnected to supply chains. Collaboration between public and private sectors is essential to secure the benefits of digitalization at all levels.

Digitalization

76% of cybersecurity leaders report difficulties navigating a patchwork of global policies and 66% of organizations expect AI to transform cybersecurity, only 37% have implemented safeguards to secure these tools before deployment.

IoT Devices Vulnerable

Hackers will grow attacks on IoT devices as per research by Analytics insights report 2025 as over 30 billion devices across the globe will be connected through the Internet of Things. IoT enhance productivity offering convenience but due to their low-security backgrounds hackers may utilize opportunity to obtain sensitive information, or form massive botnets to execute Distributed Denial-of-Service (DDoS) attacks. (Analytics insight)

Ransomware

Attackers have resorted to different methods of extortion, involving ransom demands along with DDoS attacks. Encryption and fileless ransomware are being developed in an attempt to evade detection. RaaS makes it increasingly easy for non-technical users to carry out advanced attacks and the trend is growing. Experts predict that, by 2025, ransomware attacks will occur globally every two seconds prime targets remain in the healthcare, education, and government sectors.

AI /ML

To survive in highly competitive environment hackers will continue using AI so as organization will continue with previous theme of 2024 application of artificial intelligence and this will expand along with machine learning (ML) as these tools are the game changer in in a cybersecurity strategy.

Quantum Computing

The year 2025 will witness the rise and development of Quantum Computing and computers.An exciting technological development; however, it also generates grave challenges for cybersecurity. Quantum computers solve complex problems much faster than classical computers, making traditional cryptography algorithms vulnerable to quantum attacks is equally necessary to be proactive, with an immediate focus on quantum-safe encryption that would last to provide safety to the digital security systems in the years to follow. McKinsey poll says, 72% of tech executives, investors and quantum computing academics believe that “a fully fault-tolerant quantum computer” will be here by 2035, while 28% think this won’t happen until at least 2040. With Quantum computing business can protect their data and stay ahead of quantum threats with the right tools and strategies in place.

Regulations

Regulatory changes and compliance will evolve in 2025 as government across the European countries are gearing up with regulation being prepared to protect against surge of ransomware attacks, introducing stringent measures to combat the growing menace of cyber extortion. The EU emerged as a frontrunner in cybersecurity regulation, with the Network and Information Security (NIS2) Directive coming into full force.

BISO Analytics: In 2025 we will witness rise of virtual CISO (vCISO) or CSO consultant roles over full-time in-house roles. Also Shifting CISO responsibilities have brought about an increasing role for BISOs. The cybersecurity team has a lot to handle as companies face more cyber threats, compliance requirements, growing remote workforces, and rapid adoption of new cloud-based technologies. With such a large scope of duty, the CISO is often over stretched and in this complex cybersecurity environment having a BISO will bring in support to entire cyber security strategy.
BISO ‘s may also be called upon to interact with marketing and corporate communications, bringing their research into potential attack vectors, typical points of vulnerability, and unique understanding of the hackers mindset and guide organizations that are increasingly battening cybersecurity strategy to deal with various attack vectors.

Intrucept offers BISO Analytics as a services. BISOs are crucial for strategies requiring technical cybersecurity and strategic business input.

Organizations need bespoke solutions to defend against attacks across email, social, and other channels as we witness evolving nature of attacks demands continuous weekly innovation to stay ahead. The use of Multifactor authentication reduces the danger in identity and access management EDR solutions with feeds of threat intelligence will gain prominence. Intrucept is dedicated in helping organizations to run fast and be secure. We will always find that being easy and slowing down is a tendency but we as organization try to enable our customers to maintain speed (and even accelerate).

References:

McKinsey Lock Down! Top Cybersecurity Threats We May Witness in 2025 Healthcare Trends Shaping 2025 And Insights For Industry Leaders Lock Down! Top Cybersecurity Threats We May Witness in 2025
Healthcare Trends Shaping 2025 And Insights For Industry Leaders
https://www.cisecurity.org/insights/blog/12-cis-experts-cybersecurity-predictions-2025

Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities

SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

The flaw, identified as CVE-2024-53704, poses a significant security risk, allowing attackers to exploit the system remotely. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats. SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

Key Details:

The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems.
It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
Exploitation of this bug could lead to severe consequences, including unauthorized access to sensitive data, network infiltration, and system compromise.

Summary

OEM	SonicWall
Severity	High
CVSS	8.2
CVEs	CVE-2024-53704
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

The security flaw, tracked as CVE-2024-53704, presents a serious risk, enabling remote exploitation by attackers. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Improper Authentication	CVE-2024-53704	SonicWall	High	7.1.x (7.1.1-7058 and older), 7.1.2-7019 8.0.0-8035
A privilege escalation vulnerability	CVE-2024-53706	SonicWall	High	7.1.x (7.1.1-7058 and older), 7.1.2-7019
A weakness in the SSLVPN authentication token generator	CVE-2024-40762	SonicWall	High	7.1.x (7.1.1-7058 and older), 7.1.2-7019
A server-side request forgery (SSRF) vulnerability	CVE-2024-53705	SonicWall	Medium	6.5.4.15-117n and older 7.0.x (7.0.1-5161 and older)

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-53704	Gen7 Firewalls, Gen7 NSv, TZ80	An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.	Bypass authentication
CVE-2024-53706	Gen7 Cloud Platform NSv	A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.	Allow attackers to gain root privileges and potentially execute code.
CVE-2024-40762	Gen7 Firewalls, Gen7 NSv, TZ80	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass.	Weak PRNG in authentication tokens can lead to authentication bypass in SSLVPN.
CVE-2024-53705	Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv	A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.	Allow attackers to establish TCP connections to arbitrary IP addresses and ports

Remediation:

Update: Impacted users are recommended to upgrade to the following versions to address the security risk:

Firewalls Versions	Fixes and Releases
Gen 6 / 6.5 hardware firewalls	SonicOS 6.5.5.1-6n or newer
Gen 6 / 6.5 NSv firewalls	SonicOS 6.5.4.v-21s-RC2457 or newer
Gen 7 firewalls	SonicOS 7.0.1-5165 or newer; 7.1.3-7015 and higher
TZ80: SonicOS	SonicOS 8.0.0-8037 or newer

Recommendations:

Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory.

Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access.

Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts.

Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities.

References:

https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-exploitable-sslvpn-bug-immediately/

https://www.criticalpathsecurity.com/critical-security-alert-sonicwall-urges-immediate-patching-of-ssl-vpn-vulnerability/

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003

Ivanti Connect Secure VPN Actively Being Exploited in the Wild

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary

OEM	Ivanti
Severity	Critical
CVSS	9.0
CVEs	CVE-2025-0282, CVE-2025-0283
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Stack-Based Buffer Overflow Vulnerability	CVE-2025-0282	Ivanti	Critical	22.7R2 through 22.7R2.4  22.7R1 through 22.7R1.2  22.7R2 through 22.7R2.3
Stack-Based Buffer Overflow Vulnerability	CVE-2025-0283	Ivanti	High	22.7R2.4 and prior 9.1R18.9 and prior  22.7R1.2 and prior 22.7R2.3 and prior

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-0282	Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways	A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.	RCE, System compromise, Data theft, Network breaches, and Service disruptions.
CVE-2025-0283	Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways	A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges	Allow Local Authenticated Attackers to Escalate Privileges.

Remediation:

Ensure that the appropriate patches or updates are applied to the relevant Ivanti
Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.

versions as listed below:

Affected Version(s)	Fixes and Releases
22.7R2 through 22.7R2.4	22.7R2.5
22.7R2.4 and prior,  9.1R18.9 and prior	22.7R2.5
22.7R2 through 22.7R2.3	22.7R2.5, Patch planned availability Jan. 21
22.7R2.3 and prior	22.7R2.5, Patch planned availability Jan. 21
22.7R1 through 22.7R1.2	Patch planned availability Jan. 21
22.7R1.2 and prior	Patch planned availability Jan. 21

Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security.

Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools.

Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025.

Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025.

General Recommendation

Regularly update software and systems to address known vulnerabilities.

Implement continuous monitoring to identify any unauthorized access or suspicious activities.

Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces.

Create and Maintain an incident response plan to quickly mitigate the impact of any security breach.

References:

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2025-0283

https://nvd.nist.gov/vuln/detail/CVE-2025-0282

https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html

Critical Windows Privilege Escalation Vulnerability with Public Exploit

Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.

Summary

OEM	Microsoft
Severity	High
CVSS	7.8
CVEs	CVE-2024-43641
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges.

Vulnerability Name	CVE ID	Product Affected	Severity
Windows Registry Elevation of Privilege Vulnerability	CVE-2024-43641	Windows	High

Technical Summary

The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows:

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-43641	Windows 10, Windows 11, Windows Server 2008–2025	The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition.	Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity.

Remediation:

Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates.

Monitor Activity:

Monitor logs for suspicious activity related to registry operations.

The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild.

Conclusion:

CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat.

References: