Exploitable Command Injection in F5 BIG-IP (CVE-2025-20029)
F5 BIG-IP
Continue ReadingPatch management
Authentication Bypass Vulnerability in FortiOS & FortiProxy
Summary
A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2025-24472 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS FortiProxy | Critical | FortiOS v7.0 – v7.0.16 FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 |
Technical Summary
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-24472 | An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands |
Recommendations:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below
| Version | Fixes and Releases |
| FortiOS 7.0 – 7.0.16 | Upgrade to 7.0.17 or latest version |
| FortiProxy 7.0 – 7.0.19 | Upgrade to 7.0.20 or latest version |
| FortiProxy 7.2 – 7.2.12 | Upgrade to 7.2.13 or latest version |
Workarounds:
Below are some workarounds provided by the Fortinet team.
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface via local-in policies
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”
References:
7Zip Mark-Of-The-Web Vulnerability
A high severity vulnerability in 7-Zip is exploiting in the wild. This vulnerability, identified as a Mark-of-the-Web (MoTW) bypass, allows attackers to craft a double archive file that, when extracted, bypasses MoTW protections.
| OEM | 7Zip |
| Severity | High |
| CVSS | 7.0 |
| CVEs | CVE-2025-0411 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The vulnerability enables threat actors to create archives containing malicious scripts or executables, which, due to the flaw, will not receive the usual MoTW protection.
This exposes Windows users to potential attacks and has recently been added to the CISA Known Exploited Vulnerabilities Catalog. Furthermore, a Proof of Concept (PoC) for this vulnerability has been publicly released, increasing the risk of exploitation.
7-Zip vulnerability allows attackers to bypass the Mark of the Web (MotW) Windows security feature and was exploited by Russian hackers as a zero-day since September 2024.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| MOTW Bypass vulnerability | CVE-2025-0411 | 7zip | High |
Technical Summary
This vulnerability bypasses the Mark-of-the-Web (MoTW) feature, a security measure in Windows operating systems that flags files originating from the internet as potentially untrusted. MoTW is typically applied to files like downloaded documents, images, or executable files, which prompts a warning when opened. However, this vulnerability occurs when 7-Zip fails to properly propagate MoTW protections to files inside double-encapsulated archives.
An attacker can craft an archive containing another archive (a “double archive”), and 7-Zip did not properly propagate MoTW protections to the content to the inner archive.
This flaw allows any malicious content in the inner archive to be executed without triggering any security warnings. Consequently, this exposes Windows users to the risk of remote code execution and other malicious activities.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-0411 | 7Zip Prior to v24.09 | This flaw allows attackers to execute arbitrary code through double-encapsulated archives that bypass MoTW protections. | Arbitrary remote code injection, potential system compromise |
Remediation:
Update 7zip to v24.09 or the latest version. Installing the latest version will ensure that vulnerability is addressed, protecting systems from potential exploitation.
Generic Recommendations
- Exercise Caution with File Extraction: Always verify the source before extracting files, especially from unfamiliar or untrusted sources.
- Enhance User Awareness: Educate users on identifying phishing attempts and avoiding clicks on suspicious links or attachments.
- Monitor for Anomalies: Continuously monitor systems for signs of exploitation, unusual file extraction behaviors, or unauthorized access attempts.
Conclusion
The MoTW bypass vulnerability in 7-Zip represents a serious security concern for Windows users, as it allows attackers to circumvent protective measures and execute malicious code. Updating to the latest version of 7-Zip is the recommended action to ensure systems are protected against this vulnerability.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-0411
- https://www.zerodayinitiative.com/advisories/ZDI-25-045/
- https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
- https://cybersecuritynews.com/poc-exploit-released-for-7-zip-vulnerability/
- https://github.com/dhmosfunk/7-Zip-CVE-2025-0411-POC
#CyberSecurity #7Zip #SecurityAdvisory #VulnerabilityManagement #CISO #CXO #PatchManagement #Intrucept
High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel
High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel
Jordy Zomer, a Security researcher have recently discovered two critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux. These vulnerabilities, CVE-2024-56626 and CVE-2024-56627, could allow attackers to gain control of vulnerable systems.
SUMMARY
| OEM | Linux |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2024-56626, CVE-2024-56627 |
| Exploited in Wild | No |
| Publicly POC Available | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
These vulnerabilities affect Linux kernel versions greater than 5.15 and have been addressed in version 6.13-rc2. Proof-of-concept (PoC) exploits have been publicly released, emphasizing the critical nature of these issues.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Out-of-bounds write vulnerability in ksmbd. | CVE-2024-56626 | Linux | High | Linux kernel versions greater than 5.15 |
| Out-of-bounds read vulnerability in ksmbd. | CVE-2024-56627 | Linux | High | Linux kernel versions greater than 5.15 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-56626 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative offsets from clients, causing out-of-bounds writes and potential memory corruption. It was triggered when using vfs objects = streams_xattr in ksmbd.conf. The issue has been fixed in recent kernel updates. | Attackers can execute arbitrary code with kernel privileges |
| CVE-2024-56627 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative client offsets, enabling out-of-bounds writes and potential memory corruption. This issue occurred when the vfs objects = streams_xattr parameter was set in ksmbd.conf and has been resolved in recent kernel updates. | Attackers can read sensitive kernel memory, leading to information disclosure |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions
listed below
| Version | Fixes and Releases |
| kernel version > 5.15 | kernel version 6.13-rc2 |
Conclusion:
The discovery of CVE-2024-56626 and CVE-2024-56627 highlights critical security flaws in the Linux kernel’s SMB server implementation. Given the availability of proof-of-concept exploits, immediate action is essential to protect systems from potential exploitation. Regularly updating systems and applying security patches are vital practices to maintain a secure environment.
References:
Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild
Summary
OEM | Microsoft |
Severity | Critical |
CVSS Score | 7.8 |
CVE | CVE-2024-49138 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Publicly POC Available | Yes |
Overview
The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.
Vulnerability Name | CVE ID | Product Affected | Severity |
CLFS Privilege Escalation | CVE-2024-49138 | Microsoft Windows | High |
Technical Summary
CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-49138 | Windows 10, Windows 11, Windows Server 2008–2025 | Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released. | Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device. |
Remediations
- Update Systems: Apply Microsoft’s December 2024 patches without delay.
- Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
- Limit Access: Implement robust access controls and harden systems.
Conclusion:
The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.
References
- https://securityonline.info/zero-day-vulnerability-in-windows-exploited-cve-2024-49138-poc-code-released/
- https://github.com/MrAle98/CVE-2024-49138-POC?tab=readme-ov-file
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49138
- https://intruceptlabs.com/2024/12/microsoft-december-2024-patch-tuesday-critical-fixes-for-zero-day-and-remote-code-execution/
GitLab Releases Patch to Fix Critical and High-Severity Vulnerabilities
GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities.
Summary
| OEM | Gitlab |
| Severity | High |
| CVEs | CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970, CVE-2025-0194, CVE-2024-6324, CVE-2024-12431, CVE-2024-13041 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The vulnerabilities could potentially impact unauthorized access, data manipulation, and service disruption. These have been disclosed through GitLab’s HackerOne bug bounty program. Latest Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade to address these issues.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Import Functionality Vulnerabilities | CVE-2024-6385 | GitLab CE/EE | Critical |
| Import Functionality Vulnerabilities | CVE-2024-5655 | GitLab CE/EE | High |
| Import Functionality Vulnerabilities | CVE-2024-6678 | GitLab CE/EE | High |
| Import Functionality Vulnerabilities | CVE-2024-8970 | GitLab CE/EE | High |
| Access Token Exposure in Logs | CVE-2025-0194 | GitLab CE/EE | Medium |
| Cyclic Reference of Epics Leading to DoS | CVE-2024-6324 | GitLab CE/EE | Medium |
| Unauthorized Manipulation of Issue Status | CVE-2024-12431 | GitLab CE/EE | Medium |
| Instance SAML Bypass | CVE-2024-13041 | GitLab CE/EE | Medium |
Technical Summary
This update addresses several significant vulnerabilities identified in GitLab CE/EE:
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-6385 | GitLab CE/EE | Vulnerability in import functionality allowing potential exploitation | Allows attackers to exploit the system. |
| CVE-2024-5655 | |||
| CVE-2024-6678 | |||
| CVE-2024-8970 | |||
| CVE-2025-0194 | GitLab CE/EE | Possible exposure of access tokens in logs under certain conditions. | Potential unauthorized access to sensitive resources. |
| CVE-2024-6324 | GitLab CE/EE | Cyclic references between epics could lead to resource exhaustion, causing a Denial of Service (DoS). | Service disruption due to resource exhaustion. |
| CVE-2024-12431 | GitLab CE/EE | Unauthorized users could manipulate issue statuses in public projects, potentially disrupting workflows. | Workflow disruption and compromised data integrity. |
| CVE-2024-13041 | GitLab CE/EE | Flaw in instance SAML configuration allowing bypass of external provider settings. | Unauthorized access to internal projects or groups. |
Key Changes to Import Functionality:
- Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security.
- Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains.
- User control: Users on the destination instance now have the power to accept or reject assigned contributions, adding another layer of security and preventing unauthorized access.
Remediation:
- Upgrade GitLab Instances: All users are strongly advised to upgrade to versions 17.7.1, 17.6.3, or 17.5.5 immediately to mitigate these vulnerabilities.
- Disable Importers Temporarily: Until upgrades are complete, disable importers to avoid exploitation. If import functionality is essential, enable it only during the import process and disable it afterward.
- Adopt Updated Features: Leverage the new post-import mapping, email-independent mapping, and user control enhancements for increased security.
Conclusion:
The vulnerabilities addressed in this patch release highlight the importance of timely updates and proactive security measures. GitLab’s redesign of its import functionality and the prompt patch release demonstrate a commitment to user security. Upgrading to the latest patched versions and adhering to the recommended actions is critical to maintaining a secure environment.
References:
Image
Ivanti Connect Secure VPN Actively Being Exploited in the Wild
Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.
As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.
Summary
| OEM | Ivanti |
| Severity | Critical |
| CVSS | 9.0 |
| CVEs | CVE-2025-0282, CVE-2025-0283 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0282 | Ivanti | Critical | 22.7R2 through 22.7R2.4 22.7R1 through 22.7R1.2 22.7R2 through 22.7R2.3 |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0283 | Ivanti | High | 22.7R2.4 and prior 9.1R18.9 and prior 22.7R1.2 and prior 22.7R2.3 and prior |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-0282 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | RCE, System compromise, Data theft, Network breaches, and Service disruptions. |
| CVE-2025-0283 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges | Allow Local Authenticated Attackers to Escalate Privileges. |
Remediation:
- Ensure that the appropriate patches or updates are applied to the relevant Ivanti
- Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.
versions as listed below:
| Affected Version(s) | Fixes and Releases |
| 22.7R2 through 22.7R2.4 | 22.7R2.5 |
| 22.7R2.4 and prior, 9.1R18.9 and prior | 22.7R2.5 |
| 22.7R2 through 22.7R2.3 | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R2.3 and prior | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R1 through 22.7R1.2 | Patch planned availability Jan. 21 |
| 22.7R1.2 and prior | Patch planned availability Jan. 21 |
- Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security.
- Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools.
- Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025.
- Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025.
General Recommendation
- Regularly update software and systems to address known vulnerabilities.
- Implement continuous monitoring to identify any unauthorized access or suspicious activities.
- Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces.
- Create and Maintain an incident response plan to quickly mitigate the impact of any security breach.
References:
Re-release of November 2024 Exchange Server Security Updates
Microsoft users had a tough time to send or load attachments to emails when using Outlook, were unable to connect to the server, and in some cases could not log into their accounts.
Microsoft Exchange Online is a platform for business communication that has a mail server and cloud apps for email, contacts, and calendars.
Microsoft mitigated the issue after identification were able to determine the cause of the outages and is rolling out a fix for the issue. That rollout is gradual, however, as outage reports continue to come in at DownDetector.
Impact
The outage left many users unable to communicate with colleagues, particularly as it coincided with the start of the workday in Europe. Frustration quickly spread across social media, with users reporting issues accessing emails and participating in Teams calls
Re-release of November 2024 Exchange Server Security Updates
Summary
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 27/11/2024 |
| Product | Microsoft Exchange Server |
| CVE ID | CVE-2024-49040 |
| CVSS Score | 7.5 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
On November 27, 2024, Microsoft re-released the November 2024 Security Updates (SUs) for Exchange Server to resolve an issue introduced in the initial release on November 12, 2024. The original update (SUv1) caused Exchange Server transport rules to intermittently stop functioning, particularly in environments using transport or Data Loss Protection (DLP) rules. The updated version (SUv2) addresses this issue.
Table of Actions for Admins:
| Scenario | Action Required |
| SUv1 installed manually, and transport/DLP rules are not used | Install SUv2 to regain control over the X-MS-Exchange-P2FromRegexMatch header. |
| SUv1 installed via Windows/Microsoft Update, no transport/DLP rules used | No immediate action needed; SUv2 will be installed automatically in December 2024. |
| SUv1 installed and then uninstalled due to transport rule issues | Install SUv2 immediately. |
| SUv1 never installed | Install SUv2 immediately. |
Remediation Steps
1. Immediate Actions
- Use the Health Checker script to inventory your Exchange Servers and assess update needs.
- Install the latest Cumulative Update (CU) followed by the November 2024 SUv2.
2. Monitor System Performance
- After enabling AMSI integration for message bodies, monitor for any performance issues such as delays in mail flow or server responsiveness.
3. Run SetupAssist Script for Issues
- Use the SetupAssist script to troubleshoot issues with failed installations or update issues, and check logs for specific error details.
References:
- ‹ Previous
- 1
- 2
- 3