Apache ActiveMQ Vulnerability CVE-2026-34197 Exploited in the Wild
CVE-2026-34197, an Apache ActiveMQ flaw
Continue ReadingSecurity updates
CISCO’s Secure FMC Being Exploited in 0-Day Attack, Targeting Firewalls
Zeroday attack attributed to Interlock ransomware group by CISCO
Continue Reading
Microsoft Releases Tuesday Patch-March 2026; Fixed 83 Flaws
Microsoft Tuesday Patch March 2026 fixes 83 Vulnerabilities Including 2 Actively Exploited Zero-Days
Continue Reading
Cisco Released Emergency Patch for Vulnerabilities in its Firewall Products
Cisco Released Emergency Patch
Continue Reading
CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.
Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.
“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.
Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list
The primary reason after evaluation by threat researcher’s were –
FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.
- The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
- Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
- For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands
Why CISA added FileZen CVE-2026-25108 to its KEV
- The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
- What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
- Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.
- This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.
Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)
JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.
Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.
The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:
- Run unauthorized commands on the server
- Manipulate files or processes
- Establish persistence
- Access sensitive transferred data
- Use the compromised FileZen environment as a pivot point into internal systems
Technical Analysis of CVE-2026-25108
OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.
Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform
Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.
As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.
CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.
Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen
Critical Solar Winds Vulnerabilities being Exploited by Threat Actors
Critical Solar Winds Vulnerabilities being Exploited by Threat Actors
Continue Reading
Microsoft November Updates- Fixes 63 Vulnerabilities,1 Zero-Day Exploits ; Patch Now
Summary : Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities across multiple Microsoft components. The Microsoft Patch Tuesday also addresses four “Critical” vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges and the fourth is an information disclosure flaw.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-11-11 |
| No. of Patches | 63 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview : Key Updates on Patch Tuesday
The update includes one actively exploited zero-day vulnerability (CVE-2025-62215) in the Windows Kernel and five additional Critical-rated vulnerabilities affecting Office, DirectX, GDI+, Visual Studio, and Nuance PowerScribe.
This release continues Microsoft’s focus on privilege escalation and remote code execution (RCE) vulnerabilities, highlighting the urgent need for comprehensive patch management across enterprise systems.
Here are the CVE addresses for Microsoft & non-Microsoft:
- 63 Microsoft CVEs addressed
- 5 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
- 29 Elevation of Privilege (EoP)
- 16 Remote Code Execution (RCE)
- 11 Information Disclosure
- 3 Denial of Service (DoS)
- 2 Security Feature Bypass
- 2 Spoofing
Source: Microsoft
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Kernel Elevation of Privilege Vulnerability (Zero-Day, Exploited in Wild) | CVE-2025-62215 | Windows 10, 11, Server 2016–2022 | Critical | 9.0 |
| Microsoft Office Use-After-Free Remote Code Execution Vulnerability | CVE-2025- 62199 | Microsoft Office (Word/Excel/Office Suite) | Critical | 9.8 |
| Nuance PowerScribe Missing Authorization Information Disclosure Vulnerability | CVE-2025-30398 | Nuance PowerScribe 360 | Critical | 9.1 |
| Windows DirectX Graphics Kernel Use-After-Free Vulnerability | CVE-2025-60716 | Windows DirectX Graphics Kernel | Critical | 8.8 |
| Microsoft GDI+ Heap-Based Buffer Overflow RCE Vulnerability | CVE-2025-60724 | Microsoft Graphics Component (GDI+) | Critical | 8.7 |
| Visual Studio Command Injection Remote Code Execution Vulnerability | CVE-2025-62214 | Microsoft Visual Studio / Visual Studio Code | Critical | 8.1 |
Technical Summary
The zero-day is a Windows Kernel bug that lets attackers gain full system control. Other critical & important vulnerabilities include Office and GDI+ vulnerabilities that could allow hackers to run malicious code or steal data.
Microsoft also patched issues in Visual Studio, DirectX, and Azure services. Users and admins are strongly advised to install these updates right away to stay protected.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62215 | Windows Kernel | Race conditions in shared resource execution enables local attackers to elevate privileges to SYSTEM (Zero-Day; Exploited in Wild) | Elevation of Privilege |
| CVE-2025-62199 | Microsoft Office | Use-after-free vulnerability in Office allows RCE via malicious documents, typically delivered through phishing campaigns | Remote Code Execution |
| CVE-2025-30398 | Nuance PowerScribe 360 | Missing authorization vulnerability allows disclosure of sensitive medical or user data over the network | Information Disclosure |
| CVE-2025-60716 | Windows DirectX Graphics Kernel | Use-after-free conditions allow local attackers to escalate privileges, potentially compromising the entire system | Elevation of Privilege |
| CVE-2025-60724 | Microsoft GDI+ | Heap-based buffer overflow allows attackers to execute arbitrary code remotely via crafted network traffic or malicious files | Remote Code Execution |
| CVE-2025-62214 | Visual Studio | Command injection vulnerability allows attackers to execute arbitrary code locally in developer environments | Remote Code Execution |
Source: Microsoft
In addition to several other Important severity vulnerabilities were addressed below –
- CVE-2025-59505: Windows Smart Card Reader – Double-free memory handling vulnerability enabling privilege escalation.
- CVE-2025-60704: Windows Kerberos – Missing cryptographic validation allows privilege escalation.
- CVE-2025-60719: Windows WinSock Driver – Untrusted pointer dereference enabling SYSTEM-level access.
- CVE-2025-59504: Azure Monitor Agent – Heap-based buffer overflow allowing local code execution.
- CVE-2025-60714: Windows OLE – Buffer overflow permitting local RCE.
- CVE-2025-62452: Windows RRAS – Heap overflow enabling network-based RCE.
- CVE-2025-59509: Windows Speech Recognition – Sensitive data exposure vulnerability.
- CVE-2025-62208 / CVE-2025-62209: Windows License Manager – Sensitive information insertion into logs.
- CVE-2025-62210 / CVE-2025-62211: Dynamics 365 Field Service – Cross-site scripting (XSS) spoofing.
- CVE-2025-62449 / CVE-2025-62453: VS Code / GitHub Copilot – Path traversal and AI output validation bypass & Others more Vulnerabilities.
Source: Microsoft, bleepingcompute, cybersecuritynews
Key Affected Products and Services
The November 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services:
- Windows Core Components
Updates for Kernel, Hyper-V, Kerberos, RRAS, WinSock, Smart Card, Bluetooth subsystems.
- Microsoft Office Suite
Patches for Word, Excel, and related components impacted by RCE and Information Disclosure vulnerabilities.
- Azure & Cloud Services
Fixes for Azure Monitor Agent, Dynamics 365, Entra ID, and related connectors.
- Graphics Components
Patches for GDI+, DirectX, WSL GUI.
- Developer Tools
Updates for Visual Studio, Visual Studio Code, and GitHub Copilot.
- Third-Party Applications
Patches for Nuance PowerScribe (Medical domain).
- Mobile Platform Technologies
Updates for Microsoft OneDrive for Android.
Remediation:
- Install the November 2025 Microsoft security updates immediately across all Windows, Office, and Azure systems.
Here are some recommendations below
- Monitor for Indicators of Compromise (IoCs) for privilege escalation attempts, new SYSTEM-level services, or unusual Office file crashes.
- Ensure Windows 10 ESU enrollment for extended support systems.
- Restrict local admin privileges and enforce least-privilege access.
- Leverage EDR/SIEM solutions to detect suspicious kernel and Office activity.
- Segment critical systems and disable unused network services (RRAS, SMB).
Conclusion:
Microsoft’s November 2025 Patch Tuesday resolves 63 vulnerabilities, including one actively exploited Zero-Day and multiple Critical RCE and EoP vulnerabilities in Office, Windows Kernel, GDI+, and Visual Studio.
Given the confirmed exploitation and the presence of memory corruption vulnerabilities, immediate patch deployment is necessary to prevent potential ransomware and privilege escalation attacks in our modern cyber world.
References:
Fortinet Released Security Update’s; Patched Multiple High & Medium Severity Vulnerabilities
Summary: Fortinet disclosed multiple critical security vulnerabilities impacting several of its core products, including FortiPAM, FortiSwitch Manager and FortiOS platforms and patched them.
The vulnerabilities encompass issues such as improper privilege escalation, heap-based buffer overflow, weak authentication, improper certificate validation, denial-of-service risk, and race condition flaws in authentication modules.
One of the high severity issue is a weak authentication mechanism vulnerability (CVE-2025-49201) in FortiPAM & FortiSwitch Manager, and a heap overflow flaw (CVE-2025-57740) in the SSL VPN RDP bookmark functionality.
| OEM | Fortinet |
| Severity | High |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-49201, CVE-2025-58325, CVE-2025-57740, CVE-2025-57741 & others |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities pose significant risks to enterprise environments, potentially allowing attackers to bypass authentication controls or execute arbitrary code within targeted systems. Users & Administrators are urged to update to the patched version.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Weak Authentication Mechanism | CVE-2025-49201 | FortiPAM, FortiSwitch Manager | High | FortiPAM 1.5.1, 1.4.3 or later / FortiSwitch Manager 7.2.5 or later |
| CLI Command Functionality Bypass | CVE-2025-58325 | FortiOS | High | FortiOS 7.6.1+, 7.4.6+, 7.2.11+, 7.0.16+ |
| Heap Overflow – Remote Code Execution (FortiProxy SSL VPN Bookmarks) | CVE-2025-57741 | FortiProxy | High | FortiProxy 7.2.5+, 7.0.5+ |
| Heap Overflow – Remote Code Execution (SSL VPN RDP Bookmark) | CVE-2025-57740 | FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager. | Medium | FortiOS 7.4.4+ / 7.2.8+ / 7.0.15+, FortiProxy 7.4.4+ / 7.2.10+, FortiPAM 1.3.0+, FortiSwitch Manager 7.2.4+ |
Technical Summary
Multiple critical and medium-severity vulnerabilities have been identified across several Fortinet products, including FortiOS, FortiPAM, FortiProxy, FortiAnalyzer, and FortiSwitchManager.
Other vulnerabilities could allow attackers to escalate privileges, execute unauthorized code, or bypass authentication, threatening system integrity and confidentiality.
Additional flaws may enable unauthenticated users to disrupt services, intercept network traffic, or exploit race conditions to gain improper access within centralized management and authentication platforms. As the Fortinet released the security updates, quick deploy of the patches to ensure resilience against exploitation and to protect enterprise assets.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-49201 | FortiPAM, FortiSwitch Manager | This flaw enables remote attackers to bypass authentication by sending specially crafted HTTP requests, allowing unauthorized code or command execution within privileged access management and switch management interfaces. | Authentication Bypass / Remote Code Execution |
| CVE-2025-57740 | FortiOS, FortiProxy, FortiPAM, FortiSwitch Manager | This heap-based buffer overflow in the SSL VPN RDP bookmark feature can be triggered by authenticated users through crafted bookmark data, resulting in memory corruption and possible code execution in the VPN context. | Remote Code Execution / System Compromise |
| CVE-2025-58325 | FortiOS | A CLI command functionality bypass allows attackers to execute restricted administrative commands through improper input validation, potentially escalating privileges or modifying critical system parameters. | Privilege Escalation / Remote Code Execution |
| CVE-2025-57741 | FortiProxy | This heap overflow vulnerability in FortiProxy’s SSL VPN RDP bookmarks can result in memory corruption, giving attackers a pathway to execute arbitrary code remotely during VPN session initialization. | Remote Code Execution / Service Compromise |
Additionally, multiple vulnerabilities have been disclosed that enable remote authentication bypass and include other issues with significant impact potential.
| Vulnerability Name | CVE ID | Affected Component | Severity |
| FGFM protocol allows unauthenticated reset of the connection | CVE-2025-26008 | FortiOS, FortiProxy, FortiPAM, FortiSwitchManager. | Medium |
| Heap Overflow in fgfmsd | CVE-2025-50571 | FortiAnalyzer/Cloud, FortiManager/Cloud. | Medium |
| Heap buffer overflow in websocket | CVE-2025-22258 | FortiOS,FortiPAM, FortiProxy, FortiSRA | Medium |
| Improper autorization over static files | CVE-2025-54822 | FortiOS, FortiProxy | Medium |
| Insufficient Session Expiration in SSLVPN using SAML authentication | CVE-2025-25252 | FortiOS | Medium |
| Missing authentication check in OFTP service | CVE-2025-53845 | FortiAnalyzer | Medium |
| Race condion in FortiCloud SSO SAML authentication | CVE-2025-54973 | FortiAnalyzer | Medium |
| Stack-based buffer overflow on fortitoken import feature | CVE-2025-46718 | FortiOS, FortiProxy | Medium |
Recommendations
Update Fortinet products to the following fixed versions as soon as possible and check the updated version from the Fortinet website
- FortiPAM: Upgrade to version 1.5.1 or later, or 1.4.3 or latest version
- FortiSwitch Manager: Upgrade to version 7.2.5 or higher
- FortiOS: Upgrade to versions 7.6.6+, 7.4.9+, 7.2.11+,7.0.16+ depending on the release series
- FortiProxy: Upgrade to 7.6.3+, 7.4.9+ and latest version
- FortiAnalyzer: Upgrade to 7.6.3+, 7.4.7+, 7.2.11+, 7.0.14+ latest version
Patches are available and should be applied immediately. For environments where immediate patching is not immediately feasible, you can also follow the below recommendations :
- Enable multi-factor authentication (MFA) to reduce unauthorized access risk
- Restrict network access to management interfaces to trusted personnel only
- Monitor logs for unusual brute-force attempts or anomalous login activity
- Apply the principle of least privilege to limit access to VPN and management services
- Use firewalls with strict whitelisting to block external attack vectors to vulnerable services
Conclusion:
The recent Fortinet advisories underscore the critical importance of timely vulnerability management, particularly for products controlling privileged access and remote connectivity.
The flaws in authentication and memory management can jeopardize the security posture of enterprise environments.
Organizations should urgently apply patches, monitor for suspicious login and session activity, and implement proactive security measures to reduce exploitation risks. Proactive response and regular updates are essential to maintaining robust security against evolving threats targeting critical infrastructure.
References:
Hashtags
#Infosec #CyberSecurity #Fortinet #FortiPAM #SQL #RCE #SecurityAdvisory #Vulnerabilitymanagement # PatchManagement #CISO #CXO #Intrucept
Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days
Summary
Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.
Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-02-11 |
| No. of Vulnerabilities Patched | 67 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.
- 63 Microsoft CVEs addressed
- 4 non-Microsoft CVEs included
The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2025-21418 | Windows | High | 7.8 |
| Windows Storage Elevation of Privilege Vulnerability | CVE-2025-21391 | Windows | High | 7.1 |
| Microsoft Surface Security Feature Bypass Vulnerability | CVE-2025-21194 | Windows | High | 7.1 |
| NTLM Hash Disclosure Spoofing Vulnerability | CVE-2025-21377 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21418 | Windows server and Windows 10 & 11 | Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed. | Unauthorized access with SYSTEM privileges. |
| CVE-2025-21391 | Windows server and Windows 10 & 11 | Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data. | Deletion of critical data, leading to service disruption. |
| CVE-2025-21194 | Microsoft Surface | Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware. | Bypass of security features, potentially compromising system integrity. |
| CVE-2025-21377 | Windows server and Windows 10 & 11 | NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks. | Potential for attackers to authenticate as the user, leading to unauthorized access. |
Source: Microsoft
In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:
- CVE-2025-21376: A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability that could allow attackers to execute arbitrary code remotely.
- CVE-2025-21379: A DHCP Client Service RCE vulnerability that may enable remote attackers to execute code with elevated privileges.
- CVE-2025-21381: An RCE vulnerability in Microsoft Excel that could be triggered through malicious spreadsheet files.
Remediation:
- Apply Updates: Immediately install the February 2025 Patch Tuesday updates to address these vulnerabilities.
Conclusion:
The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.
The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.
References:
Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities
Summary
Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.
Key take away:
- Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
- Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
- This marks highest number of fixes in a single month since at least 2017.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-01-14 |
| No. of Vulnerabilities Patched | 159 |
| Actively Exploited | yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows:
- 58 Remote Code Execution (RCE) Vulnerabilities
- 40 Elevation of Privilege (EoP) Vulnerabilities
- 22 Information Disclosure Vulnerabilities
- 20 Denial of Service (DoS) Vulnerabilities
- 14 Security Feature Bypass
- 5 Spoofing Vulnerabilities
The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Elevation of privilege vulnerability | CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows | High | 7.8 |
| Elevation of Privilege Vulnerability | CVE-2025-21275 | Windows | High | 7.8 |
| Remote Code Execution Vulnerability | CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Windows | High | 7.8 |
| Spoofing Vulnerability | CVE-2025-21308 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel | No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously. | Allow attackers to gain SYSTEM privileges |
| CVE-2025-21275 | Windows App Package Installer | Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges. | Attackers could gain SYSTEM privileges |
| CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 | Microsoft Access | Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents. | Remote Code Execution |
| CVE-2025-21308 | Windows Themes | Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft. | NTLM credential theft |
Source: Microsoft
Additional Critical Patches Address High-Severity Vulnerabilities
- Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370).
- Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311).
- Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298).
Remediation:
- Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities.
- Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.
- Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access.
Conclusion:
The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits.
References:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan
Recent Comments