Patchmangement

Security Advisory

Active Exploitation of Microsoft Outlook RCE Vulnerability (CVE-2024-21413) 

A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.

CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.

OEM Microsoft 
Severity Critical 
CVSS 9.8 
CVEs CVE-2024-21413 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2024-21413  Microsoft  Critical 

Technical Summary 

The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files. 

By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-21413 Microsoft Office LTSC 2021, Microsoft 365 Apps, 
Microsoft Outlook 2016, Microsoft Office 2019   		Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks.  NTLM credential theft, remote code execution, potential full system compromise  

Remediation

  1. Apply Security Patches: Ensure that all the Microsoft Office products are updated with the latest security patches. 
  1. Disable NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft. 

General Remediation: 

  1. Monitor Network Activity: Watch unusual outbound connections to attacker-controlled servers. 
  1. User Awareness Training: Educate employees on recognizing phishing attempts and avoiding click on suspicious links or attachments. 
  1. Enable Advanced Threat Protection: Use security tools like Microsoft Defender to enhance security monitoring and detection. 
  1. Regularly Update Software: Maintain a routine patching schedule to ensure all systems are protected against known vulnerabilities. 
  1. Restrict Macros and External Content: Configure Microsoft Office to block macros and disable automatic external content execution. 

Conclusion: 

The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action. 

References: 

Security Advisory

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.

Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.

This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates. 

OEM Apple 
Severity Critical 
CVSS 9.8 
CVEs CVE-2025-24118 
Exploited in Wild No 
Publicly POC Available Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.

Vulnerability Name CVE ID Product Affected Severity 
 Race Condition Vulnerability  CVE-2025-24118   Apple  Critical 

Technical Summary 

This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-24118  macOS Sonoma prior to 14.7.3  
macOS Sequoia prior to 15.3 
iPadOS prior to 17.7.4   		A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition. Privilege escalation, memory corruption, potential kernel-level code execution  

Remediation

  • Patch Installation: Users should upgrade to macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4 to mitigate the risk. 

Conclusion: 

CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.

References: 

Security Advisory

Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation

Summary

Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products. 

A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.

OEMFortinet
SeverityCritical
CVSS9.6
CVEsCVE-2024-55591
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.

The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.

Vulnerability NameCVE IDProduct AffectedSeverity
  Authentication Bypass Vulnerability  CVE-2024-55591  FortiOS and FortiProxy  Critical

Technical Summary

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.

Impact by Region (Unpatched Devices)

  • Asia: 20,687 devices
  • North America: 12,866 devices
  • Europe: 7,401 devices
CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-55591FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges.Unauthorized administrative access, credential extraction, and lateral movement.

Remediation:

  1. Upgrade Firmware:
  2. FortiOS: Update to version 7.0.17 or latest
  3. FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
  • Restrict Administrative Interface Access:
  • Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
  • Enable Multi-Factor Authentication (MFA):
  • Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
  • Monitor Suspicious Activities:
  • Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.

Conclusion:

The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.

References:

Hashtags

Security Advisory

Critical Windows Privilege Escalation Vulnerability with Public Exploit

Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.

Summary 

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2024-43641 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges. 

Vulnerability Name CVE ID Product Affected Severity 
Windows Registry Elevation of Privilege Vulnerability  CVE-2024-43641  Windows    High 

Technical Summary 

The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows: 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-43641 Windows 10, Windows 11, Windows Server 2008–2025 The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition. Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity. 

Remediation

  • Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates. 
  • Monitor Activity: 
  • Monitor logs for suspicious activity related to registry operations. 
  • The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild. 

Conclusion: 

CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat. 

References: 

Security Advisory

Exploit Proof-of-Concept Released for Windows Lightweight Directory Access Protocol (LDAP CVE-2024-49113 )

CVE-2024-49113 LDAP

Continue Reading
Security Advisory

Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS 

Summary 

OEM Palo Alto 
Severity High 
CVSS 8.7 
CVEs CVE-2024-3393 
Exploited in Wild  No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.  

Vulnerability Name CVE ID Product Affected Severity Affected Version 
(DoS) in DNS Security Using a Specially Crafted Packet CVE-2024-3393   Palo Alto High PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-3393   Palo Alto PAN-OS CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025.     Dos – Denial-of-Service 

Remediation

  • Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below 
PAN-OS Version Fixes and Releases 
PAN-OS 11.1 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 
PAN-OS 10.2 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 
PAN-OS 10.1 10.1.14-h8, 10.1.15 
PAN-OS 10.2.9-h19 Only applicable to Prisma Access 
PAN-OS 10.2.10-h12 Only applicable to Prisma Access 
PAN-OS 11.0 No fix (reached end-of-life status on November 17, 2024) 

Recommendations: 

  • Avoid Using EOL Versions: 
  • PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions. 
  • Monitoring & Incident Response: 
  • Regularly monitor firewall logs for unusual behavior, especially DoS triggers. 
  • For Prisma Access Users (Workaround): 
  • Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks. 

References: 

Scroll to top