Trend Micro Releases New Critical Patch for Trend Micro Apex Central
Trend Micro releases Critical patches for ‘Build 7190’ , Patches Multiple Vulnerabilities Including RCE & DoS
Continue ReadingDoS
Apple Releases iOS & iPadOS 26.1 Update, Fixed Multiple Security Vulnerabilities
Summary: Apple released iOS 26.1 and iPadOS 26, addressed multiple security vulnerabilities across core system components including WebKit, Kernel, Accessibility, Apple Neural Engine, CloudKit etc.
| OEM | Apple |
| Severity | High |
| CVEs | CVE-2025-43438, CVE-2025-43429, CVE-2025-43442, CVE-2025-43455, CVE-2025-43398 & others |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview:
These vulnerabilities could enable malicious apps to escape sandboxes, access sensitive user data, execute arbitrary code via web content, monitor keystrokes or disable theft protection mechanisms. Affected devices include iPhone 11 & later and iPad models from 3rd gen onward etc. Immediate update is strongly recommended to prevent any breaches, system crashes.
| Vulnerability Name | CVE ID | Product Affected | Fixed Version |
| WebKit Use-After-Free (Safari Crash/RCE) | CVE-2025-43438 | iOS, iPadOS | iOS/iPadOS 26.1 |
| WebKit Buffer Overflow (RCE Risk) | CVE-2025-43429 | iOS, iPadOS | iOS/iPadOS 26.1 |
| App Installed Detection via Accessibility | CVE-2025-43442 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Sensitive Screenshot in Embedded Views | CVE-2025-43455 | iOS, iPadOS | iOS/iPadOS 26.1 |
| Kernel Memory Corruption / DoS | CVE-2025-43398 | iOS, iPadOS | iOS/iPadOS 26.1 |
Technical Summary:
The iOS/iPadOS 26.1 update fixes major security issues in sandbox protection, memory handling, privacy settings, and the WebKit browser engine. These critical vulnerabilities could allow apps or websites to access restricted data or execute malicious code. Key impact issues mentioned below.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-43438 | WebKit | Use-after-free in Safari triggers crash or code execution via malicious web content | Remote Code Execution, System Compromise |
| CVE-2025-43429 | WebKit | Buffer overflow in content processing allows arbitrary code execution | Remote Code Execution, Service Compromise |
| CVE-2025-43442 | Accessibility | Permissions flaw allows apps to detect installed apps (fingerprinting) | Privacy Violation, User Tracking |
| CVE-2025-43455 | Apple Account | Malicious apps can screenshot sensitive embedded UI (login views) | Credential, PII Exposure |
| CVE-2025-43398 | Kernel | Memory mishandling leads to system termination or kernel corruption | Denial of Service, Potential Privilege Escalation |
Additionally, there are multiple high & medium vulnerabilities have been disclosed that enable sandbox escapes, data leaks, and web-based attacks with significant impact potential. Here are some cves in the below table
| Vulnerability Name | CVE ID | Affected Component |
| Sandbox Escape via Assets | CVE-2025-43407 | Assets |
| Sandbox Escape via CloudKit Symlink | CVE-2025-43448 | CloudKit |
| Stolen Device Protection Bypass | CVE-2025-43422 | Stolen Device Protection |
| Cross-Origin Data Exfiltration | CVE-2025-43480 | WebKit |
| Keystroke Monitoring via WebKit | CVE-2025-43495 | WebKit |
| Apple Neural Engine Kernel Corruption | CVE-2025-43447, CVE-2025-43462 | Apple Neural Engine |
| Canvas Cross-Origin Image Theft | CVE-2025-43392 | WebKit Canvas |
| Contacts Data Leak in Logs | CVE-2025-43426 | Contacts |
| Lock Screen Content Leak | CVE-2025-43350 | Control Center |
| Address Bar Spoofing | CVE-2025-43493 | Safari |
| UI Spoofing in Safari | CVE-2025-43503 | Safari |
Recommendations:
Update all eligible devices immediately (Settings > General > Software Update products) to the following fixed versions as soon as possible and check the updated version from the Apple security website.
Patches are available and should be applied immediately.
For environments where immediate patching is not immediately feasible, you can also follow the recommendations below.
- Enable Stolen Device Protection and Lockdown Mode (where applicable)
- Restrict app installations to trusted sources.
- Avoid visiting untrusted websites from browser
- Use VPN and enable Advanced Data Protection for iCloud
- Monitor for anomalous app behavior or battery drain
Conclusion:
The iOS/iPadOS 26.1 update fixes several security vulnerabilities that could affect user privacy, device stability, and system protection.
Organizations and Individual using Apple devices must prioritize deployment of this update to mitigate risks of data exfiltration, spyware and other attack vectors. Timely patching remains the most effective control against zero-day exploitation on new vulnerabilities in digital ecosystems.
References:
Microsoft Plug 140 Vulnerabilities in July Patch Tuesday; SQL Server Zero-Day Disclosed
Summary : July Patch Tuesday
The July 2025 Patch Tuesday addresses a publicly disclosed zero-day vulnerability CVE-2025-49719 in Microsoft SQL Server.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-07-08 |
| No. of Patches | 140 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Microsoft has released security updates addressing 140 vulnerabilities as part of July 2025 Patch Tuesday, including one publicly disclosed zero-day vulnerability affecting Microsoft SQL Server. Fourteen(14) of the vulnerabilities are classified as Critical, with ten(10) enabling Remote Code Execution (RCE).
Microsoft products impacted span across Windows, SQL Server, Microsoft Office, SharePoint, Hyper-V, Visual Studio and Azure services
- 130 Microsoft CVEs addressed
- 10 non-Microsoft CVEs addressed
Breakdown of July 2025 Vulnerabilities
- 41 Remote Code Execution (RCE)
- 18 Information Disclosure
- 53 Elevation of Privilege (EoP)
- 5 Denial of Service (DoS)
- 8 Security Feature Bypass
- 4 Spoofing
- 1 Data Tampering
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| SQL Server Information Disclosure | CVE-2025-49719 | Microsoft SQL Server | High | 7.5 |
Technical Summary
The information disclosure flaw arises from improper input validation, enabling a remote unauthenticated attacker to access data from uninitialized memory.
Microsoft also resolved a significant number of critical RCE vulnerabilities, particularly in Microsoft Office, SharePoint and Windows core components like Hyper-V and KDC Proxy. Several vulnerabilities can be triggered through minimal user interaction, such as viewing a document in the preview pane or interacting with network services.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-49719 | Microsoft SQL Server | Publicly disclosed information disclosure via improper input validation; attackers may access uninitialized memory | Unauthorized data disclosure |
Source: Microsoft and NVD
In addition to the publicly disclosed vulnerability, several other critical and high-severity issues were addressed:
- CVE-2025-49701 and CVE-2025-49704: Microsoft SharePoint, RCE over the Internet via authenticated access (CVSS 8.8)
- CVE-2025-49735: Windows KDC Proxy Service, Use-after-free vulnerability allowing unauthenticated RCE (CVSS 8.1)
- CVE-2025-47981: SPNEGO Extended Negotiation, Heap buffer overflow enabling RCE through crafted messages (CVSS 9.8)
- CVE-2025-48822: Hyper-V Discrete Device Assignment (DDA), RCE via PCI passthrough flaw in virtual environments (CVSS 8.6)
- CVE-2025-49717: Microsoft SQL Server, Heap-based buffer overflow enabling authenticated RCE (CVSS 8.5)
- CVE-2025-49695 to CVE-2025-49703: Microsoft Office/Word, Multiple RCEs via heap overflow, out-of-bounds read, type confusion (CVSS 8.4 & 7.8)
- CVE-2025-36357: AMD L1 Data Queue, Side-channel transient execution attack.
- CVE-2025-36350: AMD Store Queue, Speculative execution side-channel leak.
Key Affected Products and Services
The vulnerabilities addressed in July 2025 impact a wide range of Microsoft products and services, including:
- Windows Components:
Windows Kernel, BitLocker, SSDP Service, Hyper-V, KDC Proxy and Routing and Remote Access Service (RRAS).
- Microsoft Office Suite:
Excel, Word, PowerPoint, and SharePoint with several vulnerabilities enabling Remote Code Execution (RCE) or Elevation of Privilege (EoP).
- Cloud and Enterprise Services:
Azure Monitor Agent, Microsoft Intune and Microsoft SQL Server.
- Development Tools:
Visual Studio and the Python extension for Visual Studio Code.
- Browsers:
Microsoft Edge (Chromium-based).
Remediation:
- Apply Patches Promptly: Install the July 2025 security updates immediately to mitigate risks.
Conclusion:
The July 2025 Patch Tuesday reflects a large-scale update effort from Microsoft, addressing both known and undisclosed security risks. The zero-day (CVE-2025-49719) highlights ongoing concerns with SQL Server, while critical vulnerabilities in Office, SharePoint and core Windows services demand urgent patching.
Organizations should prioritize deployment of these patches and remain vigilant for any post-patch exploitation attempts, especially in externally facing applications.
References:
Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass
Security Advisory; Summary
Multiple vulnerabilities have been identified in Apache Tomcat affecting various versions and critical security updates provided to address four newly discovered vulnerabilities in Apache Tomcat. The disclosed Apache Tomcat vulnerabilities pose serious threats, especially in high-availability or internet-exposed environments.
Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.
| OEM | Apache |
| Severity | High |
| CVSS Score | 8.4 |
| CVEs | CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The affected versions 9.0.x, 10.1.x and 11.0.x, also include high-impact denial-of-service (DoS) vulnerabilities and a moderate authentication bypass flaw as well as a Windows installer issue that may allow privilege escalation via side-loading.
Timely patching is essential to prevent potential service disruptions and unauthorized access.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Memory Exhaustion via Multipart Header Exploitation | CVE-2025-48976 | Apache Tomcat | High |
| Multipart Upload Resource Exhaustion | CVE-2025-48988 | Apache Tomcat | High |
| Security Constraint Bypass (Pre/PostResources) | CVE-2025-49125 | Apache Tomcat | High |
| Windows Installer Side-Loading Risk | CVE-2025-49124 | Apache Tomcat | High |
Technical Summary
The vulnerabilities affect Tomcat’s handling of multipart HTTP requests, resource mounting and Windows installation process. Exploitation may result in denial-of-service (via memory exhaustion), privilege escalation (via installer abuse) and authentication bypass.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-48976 | Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 | Fixed memory allocation limit in multipart header processing could be exploited to consume memory and cause DoS. | Denial-of-service attack. |
| CVE-2025-48988 | Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 | Multipart request body with many parts can trigger high memory usage due to improper limit handling between parameters and parts. | Denial-of-service attack. |
| CVE-2025-49125 | Tomcat with Pre/Post Resources enabled | Lack of resource path normalization allows attackers to access resources outside root bypassing auth controls. | Authentication and Authorization Bypass. |
| CVE-2025-49124 | Tomcat Windows Installers | Installer invoked icacls.exe without full path, making it vulnerable to side-loading attacks via PATH manipulation. | Privilege Escalation. |
Remediation:
Update Immediately: Users of the affected versions should apply one of the following mitigations.
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later
Conclusion:
Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls.
The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.
Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages, or unauthorized access.
References:
- https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db
Critical Vulnerabilities Patched in IBM QRadar Suite & Cloud Pak for Security
Summary : Security Advisory
Multiple vulnerabilities have been discovered in IBM QRadar Suite Software and Cloud Pak, affecting versions 1.10.0.0 through 1.11.2.0.
The company released patches on June 3, 2025, addressing five distinct Common Vulnerabilities and Exposures (CVEs) that affect enterprise security infrastructure used by organizations worldwide.
| OEM | IBM |
| Severity | Critical |
| CVSS Score | 9.6 |
| CVEs | CVE-2025-25022, CVE-2025-2502, CVE-2025-25020, CVE-2025-25019, CVE-2025-1334 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These include risks such as remote code execution, information disclosure, session hijacking, and denial of service. The most critical vulnerability (CVE-2025-25022) allows unauthenticated access to sensitive configuration files. IBM has released version 1.11.3.0 to address these issues.
| Vulnerability Name | CVE ID | Product Affected | CVSS Score | Severity |
| Information Disclosure Vulnerability | CVE-2025-25022 | IBM Cloud Pak, QRadar Suite | 9.6 | Critical |
| Code Execution Vulnerability | CVE-2025-25021 | IBM QRadar SIEM | 7.2 | High |
| Denial of Service Vulnerability | CVE-2025-25020 | IBM QRadar SIEM | 6.5 | Medium |
| Session Hijacking Vulnerability | CVE-2025-25019 | IBM QRadar SIEM | 4.8 | Medium |
| Web Cache Disclosure Vulnerability | CVE-2025-1334 | IBM QRadar Suite | 4.0 | Medium |
Technical Summary
The identified vulnerabilities affect both the IBM QRadar Suite and Cloud Pak, exposing them to a variety of threats such as unauthorized access, arbitrary code execution, and denial of service.
These flaws arise from weaknesses in session handling, code generation, API validation, and file configuration security.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-25022 | QRadar SIEM | Unauthenticated access to sensitive config files due to poor protections. | Information disclosure, RCE |
| CVE-2025-25021 | QRadar SIEM | Privileged code execution due to improper script code generation in case management. | Remote Code Execution |
| CVE-2025-25020 | QRadar SIEM | API input validation flaw allowing service crash via malformed data | Denial of Service |
| CVE-2025-25019 | QRadar SIEM | Sessions not invalidated upon logout, enabling impersonation by attackers. | Session Hijacking |
| CVE-2025-1334 | QRadar Suite | Cached web content readable by other users, compromising multi-user data confidentiality. | Local Info Disclosure |
Remediation:
- Apply Latest Fix: Upgrade to IBM QRadar Suite Software and Cloud Pak version 1.11.3.0 or later.
Refer to IBM’s official installation and upgrade documentation for detailed steps.
Conclusion:
These vulnerabilities pose significant security risks, especially CVE-2025-25022 with a critical severity score of 9.6. Organizations using the affected IBM QRadar and Cloud Pak versions should prioritize upgrading to latest version to mitigate exposure.
IBM has acknowledged these issues and released patches to address all five vulnerabilities.
Notably, IBM has identified no effective workarounds or mitigations for these vulnerabilities, making patching the only viable protection strategy.
References:
CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation
Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).
The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.
| OEM | CISCO |
| Severity | HIGH |
| CVSS Score | 8.6 |
| CVEs | CVE-2025-20152, CVE-2025-20113, CVE-2025-20114 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).
These unpatched issues, could result in network disruption and unauthorized access to sensitive data.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| RADIUS DoS Vulnerability | CVE-2025-20152 | Cisco Identity Services Engine | High | ISE 3.4 Patch 1 (3.4P1) |
| Privilege Escalation Vulnerability | CVE-2025-20113 | Unified Intelligence Center | High | UIC 12.5(1)SU ES04, 12.6(2)ES04 |
| Privilege Escalation Vulnerability | CVE-2025-20114 | Unified Intelligence Center | High | UIC 12.5(1)SU ES04, 12.6(2)ES04 |
Technical Summary
The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.
Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-20152 | CISCO ISE 3.4 | Improper handling of malformed RADIUS authentication requests can cause a system reload. | Denial of Service (DoS), Network Disruption |
| CVE-2025-20113 | Unified Intelligence Center 12.5, 12.6 | Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions. | Privilege Escalation, Unauthorized Data Access |
| CVE-2025-20114 | Unified Intelligence Center 12.5, 12.6 | Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users. | Horizontal Privilege Escalation, Data Exposure |
Remediation:
Cisco has released security updates to address these vulnerabilities:
- For CVE-2025-20152 (Cisco ISE):
Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.
- For CVE-2025-20113 and CVE-2025-20114 (UIC):
Upgrade to:
- UIC 12.5(1)SU ES04 or later.
- UIC 12.6(2)ES04 or later.
- Unified CCX users should migrate to a fixed release if using affected versions.
Administrators are advised to verify product versions and apply patches through official Cisco channels.
Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.
Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.
References:
Multiple High-Severity Vulnerabilities Patched in Zoom
Summary
Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.
The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).
All rated high severity with CVSS scores ranging from 7.1 to 8.5.
| OEM | Zoom |
| Severity | High |
| CVSS | 8.5 |
| CVEs | CVE-2025-27440, CVE-2025-27439, CVE-2025-0151, CVE-2025-0150, CVE-2025-0149 |
| Publicly POC Available | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Heap-Based Buffer Overflow Vulnerability | CVE-2025-27440 | ZOOM | High | 8.5 |
| Buffer Underflow Vulnerability | CVE-2025-27439 | ZOOM | High | 8.5 |
| Use-After-Free Vulnerability | CVE-2025-0151 | ZOOM | High | 8.5 |
| Incorrect Behavior Order Vulnerability | CVE-2025-0150 | ZOOM | High | 7.1 |
| Insufficient Data Verification Vulnerability | CVE-2025-0149 | ZOOM | Medium | 6.5 |
Technical Summary
These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-27440 | Zoom Workplace Apps ( Windows, macOS, and Linux, as well as mobile apps for iOS and Android.) | Heap-based buffer overflow, allowing attackers to inject malicious code | Privilege Escalation |
| CVE-2025-27439 | Zoom Workplace Apps | Buffer underflow, leading to unexpected crashes or data leakage | Denial of Service, Data Exposure |
| CVE-2025-0151 | Zoom Workplace Apps | Use-after-free issue leading to memory corruption and arbitrary code execution | Privilege Escalation |
| CVE-2025-0150 | Zoom Workplace Apps (iOS) | Incorrect behavior order allowing unauthorized access to authentication tokens | Information Disclosure |
| CVE-2025-0149 | Zoom Workplace Apps | Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks | Denial of Service |
Remediation:
- Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.
Conclusion:
The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.
Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data.
Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.
References:
Ivanti Connect Secure VPN Actively Being Exploited in the Wild
Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.
As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.
Summary
| OEM | Ivanti |
| Severity | Critical |
| CVSS | 9.0 |
| CVEs | CVE-2025-0282, CVE-2025-0283 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0282 | Ivanti | Critical | 22.7R2 through 22.7R2.4 22.7R1 through 22.7R1.2 22.7R2 through 22.7R2.3 |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0283 | Ivanti | High | 22.7R2.4 and prior 9.1R18.9 and prior 22.7R1.2 and prior 22.7R2.3 and prior |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-0282 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | RCE, System compromise, Data theft, Network breaches, and Service disruptions. |
| CVE-2025-0283 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges | Allow Local Authenticated Attackers to Escalate Privileges. |
Remediation:
- Ensure that the appropriate patches or updates are applied to the relevant Ivanti
- Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.
versions as listed below:
| Affected Version(s) | Fixes and Releases |
| 22.7R2 through 22.7R2.4 | 22.7R2.5 |
| 22.7R2.4 and prior, 9.1R18.9 and prior | 22.7R2.5 |
| 22.7R2 through 22.7R2.3 | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R2.3 and prior | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R1 through 22.7R1.2 | Patch planned availability Jan. 21 |
| 22.7R1.2 and prior | Patch planned availability Jan. 21 |
- Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security.
- Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools.
- Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025.
- Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025.
General Recommendation
- Regularly update software and systems to address known vulnerabilities.
- Implement continuous monitoring to identify any unauthorized access or suspicious activities.
- Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces.
- Create and Maintain an incident response plan to quickly mitigate the impact of any security breach.
References:
Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS
Summary
| OEM | Palo Alto |
| Severity | High |
| CVSS | 8.7 |
| CVEs | CVE-2024-3393 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| (DoS) in DNS Security Using a Specially Crafted Packet | CVE-2024-3393 | Palo Alto | High | PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-3393 | Palo Alto PAN-OS | CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025. | Dos – Denial-of-Service |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below
| PAN-OS Version | Fixes and Releases |
| PAN-OS 11.1 | 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 |
| PAN-OS 10.2 | 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 |
| PAN-OS 10.1 | 10.1.14-h8, 10.1.15 |
| PAN-OS 10.2.9-h19 | Only applicable to Prisma Access |
| PAN-OS 10.2.10-h12 | Only applicable to Prisma Access |
| PAN-OS 11.0 | No fix (reached end-of-life status on November 17, 2024) |
Recommendations:
- Avoid Using EOL Versions:
- PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions.
- Monitoring & Incident Response:
- Regularly monitor firewall logs for unusual behavior, especially DoS triggers.
- For Prisma Access Users (Workaround):
- Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks.
References:
Recent Comments