Patch Mangement

Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days

Summary

Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.

Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-01-14
No. of Vulnerabilities Patched	67
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.

63 Microsoft CVEs addressed

4 non-Microsoft CVEs included

The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability	CVE-2025-21418	Windows	High	7.8
Windows Storage Elevation of Privilege Vulnerability	CVE-2025-21391	Windows	High	7.1
Microsoft Surface Security Feature Bypass Vulnerability	CVE-2025-21194	Windows	High	7.1
NTLM Hash Disclosure Spoofing Vulnerability	CVE-2025-21377	Windows	Medium	6.5

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21418	Windows server and Windows 10 & 11	Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed.	Unauthorized access with SYSTEM privileges.
CVE-2025-21391	Windows server and Windows 10 & 11	Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data.	Deletion of critical data, leading to service disruption.
CVE-2025-21194	Microsoft Surface	Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware.	Bypass of security features, potentially compromising system integrity.
CVE-2025-21377	Windows server and Windows 10 & 11	NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks.	Potential for attackers to authenticate as the user, leading to unauthorized access.

Source: Microsoft

In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:

CVE-2025-21376: A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability that could allow attackers to execute arbitrary code remotely.

CVE-2025-21379: A DHCP Client Service RCE vulnerability that may enable remote attackers to execute code with elevated privileges.

CVE-2025-21381: An RCE vulnerability in Microsoft Excel that could be triggered through malicious spreadsheet files.

Remediation:

Apply Updates: Immediately install the February 2025 Patch Tuesday updates to address these vulnerabilities.

Conclusion:

The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.

The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.

References:

https://msrc.microsoft.com/update-guide/releasenote/2025-Feb

https://cybersecuritynews.com/microsoft-patch-tuesday-february-2025/

Apple’s USB Restricted Mode Exploited in Targeted Attacks

OEM	Apple
Severity	High
CVSS	Not Assigned
CVEs	CVE-2025-24200
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

Apple has issued emergency security patches to mitigate a zero-day vulnerability, CVE-2025-24200, which has been actively exploited in sophisticated attacks targeting specific individuals. The flaw allows attackers to bypass USB Restricted Mode on a locked device, potentially exposing sensitive data. Initially identified by The Citizen Lab, this vulnerability is believed to have been leveraged in real-world scenarios against high-profile targets. Apple has responded by enhancing state management in iOS 18.3.1 and iPadOS 18.3.1 to prevent exploitation.

Vulnerability Name	CVE ID	Product Affected	Severity
USB Restricted Mode Bypass Vulnerability	CVE-2025-24200	Apple	High

Technical Summary

The vulnerability, tracked as CVE-2025-24200, affects USB Restricted Mode, a security feature introduced in 2018 to prevent data transfer over USB when a device remains locked for seven days. A flaw in the Accessibility framework allows an attacker with physical access to disable USB Restricted Mode, bypassing this protection and potentially accessing sensitive data.

Apple has mentioned “This issue has been exploited in extremely sophisticated attacks against specific individuals.” The vulnerability was discovered by Bill Marczak, a senior researcher at The Citizen Lab.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24200	iPhone XS and later iPad Pro (13-inch) iPad Pro 12.9-inch (3rd generation and later) iPad Pro 11-inch (1st generation and later) iPad Air (3rd generation and later) iPad (7th generation and later) iPad mini (5th generation and later)	A flaw in the Accessibility framework allows a physical attacker to disable USB Restricted Mode, bypassing protections designed to prevent unauthorized data transfer.	Unauthorized access to sensitive data

Remediation:

Users are strongly advised to update their devices to the latest versions:

iOS: Update to version 18.3.1

iPadOS: Update to version 18.3.1

To update your device, go to Settings > General > Software Update, and follow the on-screen instructions.

Conclusion

The CVE-2025-24200 vulnerability poses a serious risk to device security, particularly for individuals targeted in sophisticated cyberattacks. While the exploitation has been limited to specific individuals, all users of affected devices should install the latest updates immediately to mitigate potential risks. Apple remains committed to user security by addressing vulnerabilities promptly and ensuring continuous protection against emerging threats.

References:

https://support.apple.com/en-us/122174

https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-exploited-in-extremely-sophisticated-attacks/

Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities

Summary

Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.

Key take away:

Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
This marks highest number of fixes in a single month since at least 2017.

OEM	Microsoft
Severity	Critical
Date of Announcement	2025-01-14
No. of Vulnerabilities Patched	159
Actively Exploited	yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview

Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:

58 Remote Code Execution (RCE) Vulnerabilities

40 Elevation of Privilege (EoP) Vulnerabilities

22 Information Disclosure Vulnerabilities

20 Denial of Service (DoS) Vulnerabilities

14 Security Feature Bypass

5 Spoofing Vulnerabilities

The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Elevation of privilege vulnerability	CVE-2025-21333, CVE-2025-21334, CVE-2025-21335	Windows	High	7.8
Elevation of Privilege Vulnerability	CVE-2025-21275	Windows	High	7.8
Remote Code Execution Vulnerability	CVE-2025-21186,CVE-2025-21366, CVE-2025-21395	Windows	High	7.8
Spoofing Vulnerability	CVE-2025-21308	Windows	Medium	6.5

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335	Windows Hyper-V NT Kernel	No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously.	Allow attackers to gain SYSTEM privileges
CVE-2025-21275	Windows App Package Installer	Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges.	Attackers could gain SYSTEM privileges
CVE-2025-21186,CVE-2025-21366, CVE-2025-21395	Microsoft Access	Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents.	Remote Code Execution
CVE-2025-21308	Windows Themes	Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft.	NTLM credential theft

Source: Microsoft

Additional Critical Patches Address High-Severity Vulnerabilities

Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370).

Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311).

Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298).

Remediation:

Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities.

Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.

Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access.

Conclusion:

The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities

SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

The flaw, identified as CVE-2024-53704, poses a significant security risk, allowing attackers to exploit the system remotely. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats. SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

Key Details:

The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems.
It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
Exploitation of this bug could lead to severe consequences, including unauthorized access to sensitive data, network infiltration, and system compromise.

Summary

OEM	SonicWall
Severity	High
CVSS	8.2
CVEs	CVE-2024-53704
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

The security flaw, tracked as CVE-2024-53704, presents a serious risk, enabling remote exploitation by attackers. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Improper Authentication	CVE-2024-53704	SonicWall	High	7.1.x (7.1.1-7058 and older), 7.1.2-7019 8.0.0-8035
A privilege escalation vulnerability	CVE-2024-53706	SonicWall	High	7.1.x (7.1.1-7058 and older), 7.1.2-7019
A weakness in the SSLVPN authentication token generator	CVE-2024-40762	SonicWall	High	7.1.x (7.1.1-7058 and older), 7.1.2-7019
A server-side request forgery (SSRF) vulnerability	CVE-2024-53705	SonicWall	Medium	6.5.4.15-117n and older 7.0.x (7.0.1-5161 and older)

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-53704	Gen7 Firewalls, Gen7 NSv, TZ80	An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.	Bypass authentication
CVE-2024-53706	Gen7 Cloud Platform NSv	A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.	Allow attackers to gain root privileges and potentially execute code.
CVE-2024-40762	Gen7 Firewalls, Gen7 NSv, TZ80	Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass.	Weak PRNG in authentication tokens can lead to authentication bypass in SSLVPN.
CVE-2024-53705	Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv	A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.	Allow attackers to establish TCP connections to arbitrary IP addresses and ports

Remediation:

Update: Impacted users are recommended to upgrade to the following versions to address the security risk:

Firewalls Versions	Fixes and Releases
Gen 6 / 6.5 hardware firewalls	SonicOS 6.5.5.1-6n or newer
Gen 6 / 6.5 NSv firewalls	SonicOS 6.5.4.v-21s-RC2457 or newer
Gen 7 firewalls	SonicOS 7.0.1-5165 or newer; 7.1.3-7015 and higher
TZ80: SonicOS	SonicOS 8.0.0-8037 or newer

Recommendations:

Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory.

Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access.

Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts.

Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities.

References:

https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-exploitable-sslvpn-bug-immediately/

https://www.criticalpathsecurity.com/critical-security-alert-sonicwall-urges-immediate-patching-of-ssl-vpn-vulnerability/

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003

Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days

Apple’s USB Restricted Mode Exploited in Targeted Attacks

Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities

Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives