Apple iOS & iPadOS Patch 0-Days Vulnerabilities, Exploited in Targeted Attacks
Apple iOS & iPadOS Patch Zero-Days Vulnerabilities, Exploited in Targeted Attacks
Continue ReadingPatch
Patch Now! Claude Code Vulnerabilities Allow Unauthorized Command Execution, CVEs Affect AI Security FoundationsĀ
Summary
Anthropicās Claude Code gained traction as a powerful AI coding assistant and promises developers a safe and streamlined way to build with Claudeās capabilities. But recently two high-severity vulnerabilities have been discovered in Claude Code, Anthropicās AI-powered coding assistant. These flaws allow attackers to escape security restrictions and execute arbitrary system commands.
AI coding assistant was meant to enforce restrictions but unknowingly reveals how to bypass them. Threat researchers from Cymulate discovered two high-severity vulnerabilities in Claude Code, which were quickly addressed by the team.
These issues allowed me to escape its intended restrictions and execute unauthorized actions, all with Claudeās own help.
| Severity | High |
| CVSS Score | 8.7 |
| CVEs | CVE-2025-54794, CVE-2025-54795 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
OverviewĀ
Notably, Claudeās own feedback mechanisms were leveraged by attackers to refine and optimize their payloads.Ā
These CVEs highlight how generative AI tools can be manipulated into aiding exploitation attempts, demonstrating the risks of integrating AI into secure development workflows.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Path Restriction Bypass | CVE-2025-54794 | Claude Code < v0.2.111 | 7.7 | v0.2.111 |
| Command Injection | CVE-2025-54795 | Claude Code < v1.0.20 | 8.7 | v1.0.20 |
Technical Summary
CVE-2025-54794 ā Directory Restriction Bypass
Claude Code tried to keep file access safe by only allowing work in certain folders. But it used a weak method to check file paths it just checked if the file name started with an allowed folder name. An attacker could create a folder with a similar name (like /tmp/allowed_dir_malicious) and trick Claude into thinking it was safe.
This could allow attackers to reach outside the safe folder, read secret files or even access system settings. Using symbolic links, attackers could also jump to important files that should never be touched.Ā
CVE-2025-54795 ā Command Injection
Claude only allows certain commands, like echo or ls, to run. But there was a mistake in how it cleaned user input. Attackers could hide harmful commands inside allowed ones. Example – echo “\”; <MALICIOUS_COMMAND>; echo \”” tricks Claude into running the attackerās command between two harmless echo commands.
Even worse, Claude helped improve these attack attempts. When a try failed, the attacker asked Claude why it didnāt work. Claude explained the problem and suggested fixes leading to successful attacks.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-54794 | Claude Code versions below v0.2.111 | Claude used a weak prefix matching to check if files were inside a safe folder. Attackers could create folders with similar names to bypass these checks. | Attackers can escape the sandbox, access sensitive files, and potentially escalate system privileges. |
| CVE-2025-54795 | Claude Code versions below v1.0.20 | Claude allowed only safe commands, but input was not cleaned properly. Attackers could hide malicious commands inside allowed ones like echo. | Attackers can run harmful commands, open applications, and possibly install malware or backdoors. |
POC Available:
This vulnerability exploits a weakness in how Claude handles whitelisted command strings. Improper input sanitization allows attackers to inject arbitrary shell commands using echo, bypassing any user prompt or approval.
- Exploitation Steps (PoC)Ā
Step 1 ā Try a basic payload
echo “test”; ls -la ../restricted (This gets flagged by Claude, and it asks for user confirmation)
Step 2 ā Refined working payload:
echo “\”; ls -la ../restricted; echo \””
Claude executes this without a prompt.
Lists a directory (../restricted) outside the current working directory, which should not be accessible.
Step 3 ā Execute arbitrary system command (e.g., launch Calculator)
echo “\”; open -a Calculator; echo \””
This launches the Calculator app without any user approval.
- Why Did This Work?Ā
- Improper Input Escaping:Ā
Claude Code embeds user input into echo “<input>ā but doesnāt properly sanitize or escape the contents.Ā
- Payload Explains the Exploit:Ā
- echo “\”; ā closes the initial stringĀ
- COMMAND ā injects and executes arbitrary commandĀ
- ; echo \”” ā reopens the string to make it appear validĀ
- Claude sees this as just another harmless echo commandĀ
- Since echo is whitelisted, it runs automaticallyĀ
- The attackerās payload slips through the gap and executesĀ
- If the Claude Code is running with higher privileges, attackers can perform Local Privilege Escalation (LPE)Ā
Remediation:
- Update immediately ClaudeĀ Ā Ā
For CVE-2025-54794 ā Update to v0.2.111 or later
For CVE-2025-54795 ā Update to v1.0.20 or later
- Check logs and systems where Claude was used for suspicious behavior.Ā Ā
- Donāt allow untrusted files or user input into Claudeās coding environment.Ā
Conclusion:
These vulnerabilities highlight a growing concern in AI-assisted development, the AIās ability to assist malicious users. Claude Code not only allowed abuse through technical flaws, but also helped attackers refine and improve their exploitation strategy.
Organizations leveraging AI in development pipelines must apply the same rigor used for traditional tools, enforce strict input validation, isolate environments and assume AI can be misled or exploited.
Anthropicās security and engineering teams has been fast with their professional response and smooth coordination during disclosure.
References:
OpenCTI Web-Hook Flaw Enables Full System Compromise
Summary
| OEM | Filigran |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-24977 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A critical vulnerability (CVE-2025-24977) in the OpenCTI Platform allows authenticated users with specific permissions to execute arbitrary commands on the host infrastructure, leading to potential full system compromise.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| ā Webhook Remote Code Execution vulnerability | CVE-2025-24977 | OpenCTI | Critical | 6.4.11 |
Technical Summary
The vulnerability resides in OpenCTIās webhook templating system, which is built on JavaScript. Users with elevated privileges can inject malicious JavaScript into web-hook templates.
Although the platform implements a basic sandbox to prevent the use of external modules, this protection can be bypassed, allowing attackers to gain command execution within the host container.
Due to common deployment practices using Docker or Kubernetes, where environment variables are used to pass sensitive data (eg: credentials, tokens), exploitation of this flaw may expose critical secrets and permit root-level access, leading to full infrastructure takeover.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24977 | Ā OpenCTI (ā¤ v6.4.10) | The webhook feature allows JavaScript-based message customization. Users with manage customizations permission can craft malicious JavaScript in templates to bypass restrictions and execute OS-level commands. Since OpenCTI is often containerized, attackers can gain root access and extract sensitive environment variables passed to the container. | Ā Root shell access in the container, exposure of sensitive secrets, full system compromise, lateral movement within infrastructure. |
Remediation:
- Upgrade: Immediately update to OpenCTI version 6.4.11 or later.
- Restrict user permissions: Especially the manage customizations capability ā limit access to trusted personnel only.
- Review and audit: Existing webhook configurations for signs of misuse, unauthorized scripts, or suspicious behavior.
- Implement container hardening practices: Reduce risk of secret exposure by:
- Avoiding storage of secrets in environment variables when possible.
- Using dedicated secret management tools.
- Running containers with least privilege and limiting runtime capabilities.
The misuse can grant the attacker a root shell inside a container, exposing internal server-side secrets and potentially compromising the entire infrastructure.
Conclusion:
CVE-2025-24977 presents a highly exploitable attack vector within the OpenCTI platform and must be treated as an urgent priority for remediation.
The combination of remote code execution, privileged access and secret exposure in containerized environments makes it especially dangerous.
Organizations leveraging OpenCTI should upgrade to the latest version without delay, review their deployment security posture, and enforce strict access control around webhook customization capabilities.
References:
Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro SchemaĀ
SummaryĀ Security Advisory:
A high-severity remote code execution (RCE) has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2.Ā
| OEM | Apache |
| Severity | High |
| CVSS Score | Not Available |
| CVEs | CVE-2025-46762 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| āRemote Code Execution vulnerabilityĀ | CVE-2025-46762 | Apache Parquet JavaĀ | High | 1.15.2 |
Technical Summary
CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the āspecificā or āreflectā Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.
Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer āgenericā Avro model.Ā
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-46762 | Ā Apache Parquet Java ā¤1.15.1Ā | Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the āspecificā or āreflectā data models, and relies on the presence of pre-approved trusted packages like java.util.Ā | Ā Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution.Ā |
Conditions for Exploitation:
- Applications must use parquet-avro to read Parquet files.Ā
- The Avro āspecificā or āreflectā deserialization models are used (not āgenericā).Ā
- Attacker-supplied or untrusted Parquet files are processed by the system.Ā
This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested.
Remediation:
- Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization.Ā
- For users unable to upgrade immediately: apply the following JVM system property to disable trusted package deserialization:Ā
-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=””
Conclusion:
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation.
References:
Critical NGINX Ingress Vulnerabilities Expose Kubernetes Clusters to CompromiseĀ
Security Advisory
Summary:
The Kubernetes Ingress NGINX Admission Controller has detected 5 significant security vulnerabilities affecting all versions of the ingress-nginx controller prior to v1.12.1 and v1.11.5. Here are the cve ids CVE-2025-1974, CVE-2025-1098, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.
| Maintainer | Kubernetes ingress community |
| Severity | Critical |
| CVSS Score | 9.8 |
| No. of Vulnerabilities Patched | 05 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Patch Available | Yes |
| Advisory Version | 1.0 |
Overview
Admission Controllers frequently don’t require authentication and essentially function as web servers, introducing an additional internal network-accessible endpoint in the cluster. This architecture allows attackers to access them directly from any pod in the network, significantly increasing the attack surface.
The most critical of these, CVE-2025-1974, allows attackers on the pod network to remotely execute code and gain full control of the cluster without authentication.Ā
Although there has not been any active exploitation in the wild, this vulnerability poses a serious risk as it could enable attackers to take complete control of a cluster.
The issue was publicly disclosed on March 24, 2025, and security patches have been released.Ā
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Admission Controller Remote Code Execution (RCE) Vulnerability | CVE-2025-1974 | Ingress NGINX Admission Controller | Critical | 9.8 |
| Configuration Injection via Unsanitized auth-tls-match-cn annotation | CVE-2025-1097 | High | 8.8 | |
| Configuration Injection via Unsanitized Mirror Annotations | CVE-2025-1098 | High | 8.8 | |
| Unsanitized auth-URL Injection Vulnerability | CVE-2025-24514 | High | 8.8 | |
| Auth Secret File Path Traversal Vulnerability | CVE-2025-24513 | Medium | 4.8 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-1974 | Ingress NGINX Controller v1.12.0 & v1.11.4 and below versions | The Validating Admission Controller does not properly check incoming annotations, allowing attackers on the Pod network to inject configurations and potentially execute arbitrary code across the entire cluster. | Full Kubernetes cluster compromise |
| CVE-2025-1097 | Improper validation of the auth-tls-match-cn annotation allows malicious annotation values to override controller configurations. | Remote code execution | |
| CVE-2025-1098 | Unsafe input handling in mirror annotations could result in unauthorized configuration manipulation. | Config injection, security bypass | |
| CVE-2025-24514 | Unsanitized input from auth-URL annotations can allow malicious URLs to modify ingress-controller behavior. | Remote code execution | |
| CVE-2025-24513 | A path traversal issue in handling auth secret files could let attackers access sensitive information. | Information disclosure |
Remediation:
- Apply Patches Promptly: Immediately upgrade to ingress-nginx v1.12.1, v1.11.5 or latest versions to mitigate the vulnerabilities.Ā
- Temporarily Disable the Validating Admission Controller: It is mandatory to upgrade. If upgrading is not immediately possible, you can temporarily disable the Validating Admission Controller.Ā
General Recommendations:
- Set strict RBAC rules to control who can change ingress and webhook settings.Ā
- Disable dynamic admission controllers if they arenāt needed.Ā
- Monitor cluster audit logs for unusual ingress creation activities and suspicious annotations.Ā
- Conduct security reviews and scans for clusters that have not recently been updated.Ā
- Regularly check ingredients for weak or unsafe configurations.Ā
Conclusion:
The Kubernetes ingress-nginx vulnerabilities disclosed in March 2025 are among the most severe to date, with CVE-2025-1974 posing a real threat of full cluster compromise. All organizations running affected versions must apply patches or mitigation steps immediately.
The vulnerabilities found are affecting the admission controller component of Ingress NGINX Controller for Kubernetes and highlight the importance of strict configuration validation and access control in Kubernetes environments.Ā
Security researchers from Wiz found that 43% of cloud environments are vulnerable to these vulnerabilities. They uncovered over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllersā admission controllers to the public internetāputting them at immediate critical risk.Ā
References:
New Exploit Allows Remote Code Execution in Apache TomcatĀ
Patch Without Delay
| OEM | Apache |
| Severity | Critical |
| CVSS | 9.8 |
| CVEs | CVE-2025-24813 |
| Exploited in Wild | Yes |
| POC Available | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The CVE-2025-24813 is recently identified Apache Tomcat vulnerability that is being actively exploited in the wild.Ā Under certain circumstances, this vulnerability permits information disclosure and remote code execution (RCE).Ā
A two-step exploit procedure can be used by attackers to take over compromised systems.Ā Patching became more urgent after a proof-of-concept (PoC) vulnerability was made public within 30 hours of disclosure.Ā
Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2025-24813 | Apache Tomcat | Critical |
Technical Summary
The vulnerability arises from Tomcatās handling of PUT and GET requests in environments where specific configurations are enabled. Exploitation requires:
- Writes enabled for the default servletĀ
- Partial PUT support enabledĀ
- Security-sensitive files stored in a sub-directory of public uploadsĀ
- Attacker knowledge of the file namesĀ
- Use of file-based session persistenceĀ
Successful exploitation allows attackers to upload malicious Java session files via a PUT request and trigger deserialization through a GET request, leading to RCE. A PoC exploit has been publicly released, making detection and mitigation critical.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24813 | Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98 | Exploits PUT and GET request handling, allowing arbitrary file injection and execution. | Remote Code Execution, Information Disclosure. |
Remediation:
- Update the Apache Tomcat versions to the latest one v11.0.3, v10.1.35,Ā v9.0.99 to mitigate the vulnerability.Ā
General Recommendations:
- Disable partial PUT support: Prevent attackers from leveraging the exploit by disabling this feature if not required.Ā
- Restrict access to sensitive files: Ensure security-sensitive files are not stored in publicly accessible directories.Ā
- Implement authentication controls: Strengthen authentication and authorization for file upload operations.Ā
- Enhance API security: Deploy real-time API security solutions to detect and block malicious PUT requests.Ā
Conclusion:
CVE-2025-24813 represents a significant security risk, with active exploitation already observed. The availability of a public PoC exploit further increases the likelihood of widespread attacks. The ease of exploitation and the potential for severe consequences make it critical for affected organizations to apply the latest patches immediately. Additionally, security teams should enhance monitoring for suspicious PUT and GET request patterns to mitigate this attack technique.
References:
Multiple High-Severity Vulnerabilities Patched in ZoomĀ Ā
Summary
Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.
The most critical flaws, patched in Zoomās March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).
All rated high severity with CVSS scores ranging from 7.1 to 8.5.
| OEM | Zoom |
| Severity | High |
| CVSS | 8.5 |
| CVEs | CVE-2025-27440, CVE-2025-27439, CVE-2025-0151, CVE-2025-0150, CVE-2025-0149 |
| Publicly POC Available | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Heap-Based Buffer Overflow Vulnerability | CVE-2025-27440 | ZOOM | High | 8.5 |
| Buffer Underflow Vulnerability | CVE-2025-27439 | ZOOM | High | 8.5 |
| Use-After-Free Vulnerability | CVE-2025-0151 | ZOOM | High | 8.5 |
| Incorrect Behavior Order Vulnerability | CVE-2025-0150 | ZOOM | High | 7.1 |
| Insufficient Data Verification Vulnerability | CVE-2025-0149 | ZOOM | Medium | 6.5 |
Technical Summary
These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-27440 | Zoom Workplace Apps (āÆWindows, macOS, and Linux, as well as mobile apps for iOS and Android.) | Heap-based buffer overflow, allowing attackers to inject malicious code | Privilege Escalation |
| CVE-2025-27439 | Zoom Workplace Apps | Buffer underflow, leading to unexpected crashes or data leakage | Denial of Service, Data Exposure |
| CVE-2025-0151 | Zoom Workplace Apps | Use-after-free issue leading to memory corruption and arbitrary code execution | Privilege Escalation |
| CVE-2025-0150 | Zoom Workplace Apps (iOS) | Incorrect behavior order allowing unauthorized access to authentication tokens | āÆInformation Disclosure |
| CVE-2025-0149 | Zoom Workplace Apps | Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks | Denial of Service |
Remediation:
- Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.
Conclusion:
The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.
Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data.
Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.
References:
Ivanti Connect Secure VPN Actively Being Exploited in the WildĀ
Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances:Ā CVE-2025-0282Ā andĀ CVE-2025-0283. Notably,Ā CVE-2025-0282Ā has been actively exploited in the wild since mid-December 2024.
As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.
Summary
| OEM | Ivanti |
| Severity | Critical |
| CVSS | 9.0 |
| CVEs | CVE-2025-0282, CVE-2025-0283āÆ |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. AnotherĀ Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges.āÆIvanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.Ā
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0282 | Ivanti | Critical | 22.7R2 through 22.7R2.4āÆ 22.7R1 through 22.7R1.2āÆ 22.7R2 through 22.7R2.3āÆ |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0283āÆ | Ivanti | High | 22.7R2.4 and prior 9.1R18.9 and priorāÆ 22.7R1.2 and prior 22.7R2.3 and priorāÆ |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-0282āÆ | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gatewaysāÆ | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.āÆ | RCE, System compromise, Data theft, Network breaches, and Service disruptions. |
| CVE-2025-0283āÆ | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gatewaysāÆ | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges | Allow Local Authenticated Attackers to Escalate Privileges. |
Remediation:
- Ensure that the appropriate patches or updates are applied to the relevant IvantiĀ
- Organizations using ICS appliances are strongly advised to apply these patches and follow Ivantiās Security Advisory to safeguard their systems.
versions as listed below:
| Affected Version(s) | Fixes and Releases |
| 22.7R2 through 22.7R2.4āÆ | 22.7R2.5āÆ |
| 22.7R2.4 and prior,āÆ 9.1R18.9 and priorāÆ | 22.7R2.5āÆ |
| 22.7R2 through 22.7R2.3āÆ | 22.7R2.5, Patch planned availability Jan. 21āÆ |
| 22.7R2.3 and priorāÆ | 22.7R2.5, Patch planned availability Jan. 21āÆ |
| 22.7R1 through 22.7R1.2āÆ | Patch planned availability Jan. 21āÆ |
| 22.7R1.2 and priorāÆ | Patch planned availability Jan. 21āÆ |
- Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security.Ā
- Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools.Ā
- Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025.Ā
- Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025.Ā
General Recommendation
- Regularly update software and systems to address known vulnerabilities.Ā
- Implement continuous monitoring to identify any unauthorized access or suspicious activities.Ā
- Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces.Ā
- Create and Maintain an incident response plan to quickly mitigate the impact of any security breach.Ā
References:
Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution
Summary
OEM | Microsoft |
Severity | High |
Date of Announcement | 2024-12-12 |
NO. of Vulnerabilities Patched | 71 |
Actively Exploited | 01 |
Exploited in Wild | Yes |
Advisory Version | 1.0 |
Overview
Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:
- 30 Remote Code Execution (RCE) Vulnerabilities
- 27 Elevation of Privilege (EoP) Vulnerabilities
- 7 Information Disclosure Vulnerabilities
- 4 Denial of Service (DoS) Vulnerabilities
- 1Defense-in-depth improvement
- 1 Spoofing Vulnerabilities
The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.
Vulnerability Name | CVE ID | Product Affected | Impact | CVSS Score |
Unauthenticated Remote Code Execution in Windows LDAP | CVE-2024-49112 | Windows | Critical | 9.8 |
Remote Code Execution in Windows Hyper-V | CVE-2024-49117 | Windows | High | 8.8 |
Remote Code Execution via Use-After-Free in Remote Desktop Services | CVE-2024-49132 | Windows | High | 8.1 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability | CVE-2024-49138 | Windows | High | 7.8 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-49112 | Microsoft Windows Lightweight Directory Access Protocol (LDAP) | This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action. | Remote Code Execution |
CVE-2024-49117 | Microsoft Windows Hyper-V | This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments. | Remote Code Execution |
CVE-2024-49132 | Microsoft Windows Remote Desktop Services | An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system. | Allows an attacker to execute remote code on systems using Remote Desktop Gateway |
CVE-2024-49138 | Windows Common Log File System Driver | This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability. | It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system. |
Additional Critical Patches Address High-Severity Vulnerabilities
- These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
- Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
- Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).
Remediation
- Ensure all December 2024 Patch Tuesday updates are applied promptly.
- Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
- Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.