Critical WordPress Security Flaw in Everest Forms Plugin
UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin
Network security
Palo Alto Firewall Vulnerabilities Under Active Exploitation
An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.
Summary
| OEM | Palo Alto |
| Severity | High |
| Date of Announcement | 2025-02-19 |
| CVEs | CVE-2025-0108 |
| CVSS Score | 8.8 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.
This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-0108 | Pan OS | High | PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 |
Technical Summary
This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations.
| Vulnerability Name | Details | Severity | Impact |
| Authentication Bypass Vulnerability | This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111. | High | Root access of the affected system, unauthorized file exfiltration. |
Recommendations
- Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately.
Here are the details of the required upgrades:
| Version | Updated Version |
| PAN-OS 11.2 | Upgrade to 11.2.4-h4 or later |
| PAN-OS 11.1 | Upgrade to 11.1.6-h1 or later |
| PAN-OS 10.2 | Upgrade to 10.2.13-h3 or later |
| PAN-OS 10.1 | Upgrade to 10.1.14-h9 or later |
General Recommendations
- Restrict access to PAN-OS management interfaces to trusted IPs only.
- Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions.
- Follow best practices for firewall security, including network segmentation and regular vulnerability assessments.
- Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity.
Conclusion
The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat.
The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.
References:
- https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise
Zero-Day Vulnerability in Microsoft Sysinternals Tools
Summary
A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 2025-02-05 |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability Name | Zero-Day |
Overview
Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| zero-day | Not Yet Assigned | Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others) | High | Arbitrary Code Execution, Privilege Escalation, Malware Deployment |
Technical Summary
The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories.
The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as:
- The Current Working Directory (CWD)
- Network locations (e.g., shared drives)
- User-writable paths over secure system directories
This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL.
Exploit Workflow
- Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan.
- The DLL is placed in the same directory as a vulnerable Sysinternals tool.
- The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory.
- The malicious DLL is loaded instead of the legitimate system DLL.
- Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights).
Recommendations
- Avoid Running Sysinternals Tools from Network Locations
- Always copy tools to a local trusted directory before execution.
- Disable execution of .exe files from network drives if feasible.
- Restrict DLL Search Paths
- Use SafeDLLSearchMode to prioritize secure directories.
- Implement DLL redirection to force tools to load DLLs from trusted paths.
- Implement Application Control Policies
- Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading.
- Restrict execution of Sysinternals tools to trusted admin-only directories.
- Verify DLL Integrity Before Execution
- Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed.
- Block execution of unsigned or suspicious DLLs in sensitive directories.
- Monitor for Suspicious DLL Loading Behavior
- Enable Sysmon logging to detect anomalous DLL loads (Event ID 7).
- Monitor for executions of Sysinternals tools from network shares (Event ID 4688).
Conclusion
Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.
The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems.
References:
- ‹ Previous
- 1
- 2
Recent Comments