Exploitable Command Injection in F5 BIG-IP (CVE-2025-20029)
F5 BIG-IP
Continue ReadingSummary
Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.
Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.
OEM | Microsoft |
Severity | Critical |
Date of Announcement | 2025-02-11 |
No. of Vulnerabilities Patched | 67 |
Actively Exploited | Yes |
Exploited in Wild | Yes |
Advisory Version | 1.0 |
Overview
The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.
The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2025-21418 | Windows | High | 7.8 |
Windows Storage Elevation of Privilege Vulnerability | CVE-2025-21391 | Windows | High | 7.1 |
Microsoft Surface Security Feature Bypass Vulnerability | CVE-2025-21194 | Windows | High | 7.1 |
NTLM Hash Disclosure Spoofing Vulnerability | CVE-2025-21377 | Windows | Medium | 6.5 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-21418 | Windows server and Windows 10 & 11 | Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed. | Unauthorized access with SYSTEM privileges. |
CVE-2025-21391 | Windows server and Windows 10 & 11 | Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data. | Deletion of critical data, leading to service disruption. |
CVE-2025-21194 | Microsoft Surface | Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware. | Bypass of security features, potentially compromising system integrity. |
CVE-2025-21377 | Windows server and Windows 10 & 11 | NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks. | Potential for attackers to authenticate as the user, leading to unauthorized access. |
Source: Microsoft
In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:
Remediation:
Conclusion:
The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.
The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.
References:
A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.
CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.
OEM | Microsoft |
Severity | Critical |
CVSS | 9.8 |
CVEs | CVE-2024-21413 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk.
Vulnerability Name | CVE ID | Product Affected | Severity |
Remote Code Execution Vulnerability | CVE-2024-21413 | Microsoft | Critical |
Technical Summary
The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files.
By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-21413 | Microsoft Office LTSC 2021, Microsoft 365 Apps, Microsoft Outlook 2016, Microsoft Office 2019 | Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks. | NTLM credential theft, remote code execution, potential full system compromise |
Remediation:
General Remediation:
Conclusion:
The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action.
References:
CVE-2025-24085 is a zero-day vulnerability in Apple’s “Core Media framework” which enables malicious applications to potentially gain elevated privileges on impacted devices. It falls under the “Memory Corruption vulnerability category”, posing significant security risks such as unauthorized access to sensitive data or potential device control.
OEM | Apple Inc |
Severity | High |
CVEs | CVE-2025-24085 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
Privilege escalation vulnerability | CVE-2025-24085 | Apple | High | iPhone-XS and later, macOS Sequoia iPad-Pro (3rd generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later) Apple Watch: Series 6 and later Apple TV: All models |
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-24085 | iPhone, iPad, Mac, Apple Watch, Apple TV | CVE-2025-24085 is a memory management vulnerability in Apple’s Core Media framework, responsible for processing audio and video content. The vulnerability stems from improper handling of media data, allowing attackers to execute arbitrary code with elevated privileges. It can be remotely exploited through malicious media files, creating significant security risks. | Arbitrary Code Execution, Privilege Escalation, Sensitive Data Exposure, Remote Exploitation via Media Files |
Affected Version(s) | Fixes and Releases |
iOS 17.2 and later | iOS 18.3 |
iPadOS 17.2 and later | iPadOS 18.3 |
macOS Sequoia (all previous versions) | macOS Sequoia 15.3 |
watchOS 10.3 and later | watchOS 11.3 |
tvOS 17.2 and later | tvOS 18.3 |
visionOS 1.3 and later | visionOS 2.3 |
Apple has fixed this vulnerability in these software versions. Update devices immediately to mitigate the risk of exploitation.
Summary
Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.
Key take away:
OEM | Microsoft |
Severity | Critical |
Date of Announcement | 2025-01-14 |
No. of Vulnerabilities Patched | 159 |
Actively Exploited | yes |
Exploited in Wild | Yes |
Advisory Version | 1.0 |
Overview
Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:
The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
Elevation of privilege vulnerability | CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows | High | 7.8 |
Elevation of Privilege Vulnerability | CVE-2025-21275 | Windows | High | 7.8 |
Remote Code Execution Vulnerability | CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Windows | High | 7.8 |
Spoofing Vulnerability | CVE-2025-21308 | Windows | Medium | 6.5 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel | No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously. | Allow attackers to gain SYSTEM privileges |
CVE-2025-21275 | Windows App Package Installer | Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges. | Attackers could gain SYSTEM privileges |
CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Microsoft Access | Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents. | Remote Code Execution |
CVE-2025-21308 | Windows Themes | Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft. | NTLM credential theft |
Source: Microsoft
Additional Critical Patches Address High-Severity Vulnerabilities
Remediation:
Conclusion:
The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.
References:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan
Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282
has been actively exploited in the wild since mid-December 2024.
As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.
Summary
OEM | Ivanti |
Severity | Critical |
CVSS | 9.0 |
CVEs | CVE-2025-0282, CVE-2025-0283 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.
Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
Stack-Based Buffer Overflow Vulnerability | CVE-2025-0282 | Ivanti | Critical | 22.7R2 through 22.7R2.4 22.7R1 through 22.7R1.2 22.7R2 through 22.7R2.3 |
Stack-Based Buffer Overflow Vulnerability | CVE-2025-0283 | Ivanti | High | 22.7R2.4 and prior 9.1R18.9 and prior 22.7R1.2 and prior 22.7R2.3 and prior |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-0282 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | RCE, System compromise, Data theft, Network breaches, and Service disruptions. |
CVE-2025-0283 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges | Allow Local Authenticated Attackers to Escalate Privileges. |
Remediation:
versions as listed below:
Affected Version(s) | Fixes and Releases |
22.7R2 through 22.7R2.4 | 22.7R2.5 |
22.7R2.4 and prior, 9.1R18.9 and prior | 22.7R2.5 |
22.7R2 through 22.7R2.3 | 22.7R2.5, Patch planned availability Jan. 21 |
22.7R2.3 and prior | 22.7R2.5, Patch planned availability Jan. 21 |
22.7R1 through 22.7R1.2 | Patch planned availability Jan. 21 |
22.7R1.2 and prior | Patch planned availability Jan. 21 |
General Recommendation
References:
Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released
OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.
Summary
Application | OpenSSH |
Severity | High |
CVSS | 8.1 |
CVEs | CVE-2024-6387 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.
A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns.
The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
Race Condition vulnerability | CVE-2024-6387 | OpenSSH (8.5p1–9.8p1) | High | OpenSSH 9.8p2 or later |
Technical Summary
CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.
Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-6387 | OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems | Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). | Remote Code Execution (Root Privileges) |
Impact:
This Vulnerability if exploited could lead to complete system takeover.
Remediation:
Indicators of Compromise (IOCs):
IP Address / Hostname | File Hash |
209.141.53[.]247 | 0df799f05c6d97e2b7d4b26c8e7246f7 |
108.174.58[.]28 | 11cc5f00b466d4f9be4e0a46f2eb51ae |
195.85.205[.]47 | 1f452448cea986aedc88ba50d48691f7 |
62.72.191[.]203 | 207eb58423234306edaecb3ec89935d8 |
botbot.ddosvps.cc |
Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387
Conclusion:
The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.
Swift patching and the adoption of layered security measures are imperative to mitigate the risks.
Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability.
References:
Summary
OEM | Palo Alto |
Severity | High |
CVSS | 8.7 |
CVEs | CVE-2024-3393 |
Exploited in Wild | No |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
(DoS) in DNS Security Using a Specially Crafted Packet | CVE-2024-3393 | Palo Alto | High | PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-3393 | Palo Alto PAN-OS | CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025. | Dos – Denial-of-Service |
Remediation:
PAN-OS Version | Fixes and Releases |
PAN-OS 11.1 | 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 |
PAN-OS 10.2 | 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 |
PAN-OS 10.1 | 10.1.14-h8, 10.1.15 |
PAN-OS 10.2.9-h19 | Only applicable to Prisma Access |
PAN-OS 10.2.10-h12 | Only applicable to Prisma Access |
PAN-OS 11.0 | No fix (reached end-of-life status on November 17, 2024) |
Recommendations:
References: