Vulnerability management

Security Advisory

Windows 11 DLL Flaws Open Doors to Privilege Escalation! 

Summary 

Security researcher John Ostrowski of Compass Security has uncovered two privilege escalation vulnerabilities in Microsoft Windows CVE-2025-24076 and CVE-2025-24994.

DLL hijacking is a technique that exploits how Windows applications load DLLs.

OEM Windows 
Severity HIGH 
CVSS Score 7.3 
CVEs CVE-2025-24994, CVE-2025-24076 
No. of Vulnerabilities Patched 02 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

These flaws, found in the Mobile Devices management component, stem from insecure DLL loading behavior that could allow unprivileged users to escalate privileges to SYSTEM via a DLL hijacking attack. Microsoft has released fixes for both vulnerabilities as part of its March 2025 Patch Tuesday rollout. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
​Windows Cross Device Service Elevation of Privilege Vulnerability  CVE-2025-24076 Windows  HIGH  7.3 
​Windows Cross Device Service Elevation of Privilege Vulnerability CVE-2025-24994 Windows HIGH 7.3 

Technical Summary 

The vulnerability arises due to Windows 11’s “Mobile devices” functionality loading a DLL from a user-writable location without verifying its signature. This enables unprivileged users to replace the DLL with a malicious proxy that executes with elevated privileges. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24076  Windows 11 Version 22H2, 22H3, 23H2, 24H2.  Exploits a race condition in the “Mobile devices” feature via DLL hijacking. The system process loads CrossDevice.Streaming.Source.dll from a user-writable directory (%PROGRAMDATA%\CrossDevice\), allowing privilege escalation when replaced with a malicious DLL. Attackers used Opportunistic Locks and API hooking (via Detours) to reliably exploit the narrow timing window.   Allows SYSTEM-level privilege escalation 
CVE-2025-24994 Windows 11 Version 22H2, 22H3, 23H2, 24H2 Involves a similar DLL hijacking flaw in a user-to-user context. A user-level process loads a DLL without signature validation, allowing a malicious DLL to be executed under another user’s context. This vector is less severe but still exploitable.  Allows user-to-user privilege escalation 

Remediation

  • Implement Security Updates to make sure to install the current security patches made available by Microsoft, specifically March 2025 updates, into affected systems. 
  • Turn off Cross Device Service if not needed, disable the “Mobile Devices” feature in Windows 11 to avoid exploitation of the vulnerabilities. 
  • Look for Suspicious Activity constantly scan system logs for suspect activity, particularly attempts to alter or load DLL files in protected processes. 
  • Restrict User Permissions prevent non-administrative users from changing system files or running processes with elevated privileges. 
  • Support DLL Signature Verification makes all programs support DLL signature verification so that no applications can load unsigned or altered DLL files. 

Conclusion: 
The discovered DLL hijacking vulnerabilities in Windows 11’s “Mobile devices” feature demonstrate how legacy attack techniques remain potent when integrated into new OS functionalities.

The presence of a working Proof-of-Concept (PoC) reinforces the practical risk posed by these flaws. Organizations should immediately apply the March 2025 security updates and consider employing EDR solutions to monitor for related behavior. Continued vigilance and file access control hardening remain essential in defending against such privilege escalation attacks.  

While CVE-2025-24076 enables SYSTEM-level access but CVE-2025-24994 arises from a related user-level process failing to validate DLLs.

This opens the door to user-to-user attacks, though its impact is far less severe compared to its SYSTEM-targeting sibling.

References


 

Security Advisory

New Exploit Allows Remote Code Execution in Apache Tomcat 

Patch Without Delay

OEM Apache 
Severity Critical 
CVSS 9.8 
CVEs CVE-2025-24813 
Exploited in Wild Yes 
POC Available Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The CVE-2025-24813 is recently identified Apache Tomcat vulnerability that is being actively exploited in the wild.  Under certain circumstances, this vulnerability permits information disclosure and remote code execution (RCE). 

A two-step exploit procedure can be used by attackers to take over compromised systems.  Patching became more urgent after a proof-of-concept (PoC) vulnerability was made public within 30 hours of disclosure. 

Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

Vulnerability Name CVE ID Product Affected Severity 
 Remote Code Execution Vulnerability  CVE-2025-24813  Apache Tomcat  Critical 

Technical Summary 

The vulnerability arises from Tomcat’s handling of PUT and GET requests in environments where specific configurations are enabled. Exploitation requires: 

  • Writes enabled for the default servlet 
  • Partial PUT support enabled 
  • Security-sensitive files stored in a sub-directory of public uploads 
  • Attacker knowledge of the file names 
  • Use of file-based session persistence 

Successful exploitation allows attackers to upload malicious Java session files via a PUT request and trigger deserialization through a GET request, leading to RCE. A PoC exploit has been publicly released, making detection and mitigation critical. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-24813  Apache Tomcat  11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34,  9.0.0.M1 to 9.0.98  Exploits PUT and GET request handling, allowing arbitrary file injection and execution.  Remote Code Execution, Information Disclosure. 

Remediation

  • Update the Apache Tomcat versions to the latest one v11.0.3, v10.1.35,  v9.0.99 to mitigate the vulnerability. 

General Recommendations: 

  • Disable partial PUT support: Prevent attackers from leveraging the exploit by disabling this feature if not required. 
  • Restrict access to sensitive files: Ensure security-sensitive files are not stored in publicly accessible directories. 
  • Implement authentication controls: Strengthen authentication and authorization for file upload operations. 
  • Enhance API security: Deploy real-time API security solutions to detect and block malicious PUT requests. 

Conclusion: 

CVE-2025-24813 represents a significant security risk, with active exploitation already observed. The availability of a public PoC exploit further increases the likelihood of widespread attacks. The ease of exploitation and the potential for severe consequences make it critical for affected organizations to apply the latest patches immediately. Additionally, security teams should enhance monitoring for suspicious PUT and GET request patterns to mitigate this attack technique. 

References: 

Blogs

Leadership role in Effective Vulnerability Management

Leadership role in Vulnerability Management

Continue Reading
Security Advisory

Multiple High-Severity Vulnerabilities Patched in Zoom  

Summary 

Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.

The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).

All rated high severity with CVSS scores ranging from 7.1 to 8.5. 

OEM Zoom 
Severity High 
CVSS 8.5  
CVEs CVE-2025-27440, CVE-2025-27439, CVE-2025-0151,  CVE-2025-0150, CVE-2025-0149 
Publicly POC Available No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Heap-Based Buffer Overflow Vulnerability  CVE-2025-27440  ZOOM High 8.5 
Buffer Underflow Vulnerability  CVE-2025-27439  ZOOM High 8.5 
Use-After-Free Vulnerability CVE-2025-0151 ZOOM High  8.5 
Incorrect Behavior Order Vulnerability CVE-2025-0150 ZOOM High 7.1 
Insufficient Data Verification Vulnerability  CVE-2025-0149 ZOOM Medium 6.5 

Technical Summary 

These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-27440  Zoom Workplace Apps ( Windows, macOS, and Linux, as well as mobile apps for iOS and Android.)  Heap-based buffer overflow, allowing attackers to inject malicious code   Privilege Escalation 
 CVE-2025-27439  Zoom Workplace Apps Buffer underflow, leading to unexpected crashes or data leakage   Denial of Service, Data Exposure 
CVE-2025-0151    Zoom Workplace Apps  Use-after-free issue leading to memory corruption and arbitrary code execution   Privilege Escalation 
CVE-2025-0150  Zoom Workplace Apps (iOS) Incorrect behavior order allowing unauthorized access to authentication tokens   Information Disclosure 
CVE-2025-0149 Zoom Workplace Apps  Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks Denial of Service 

Remediation

  • Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.

Conclusion: 

The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.

Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data. 

Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.

References

Security Advisory

Critical Security Flaw in Kibana Requires Immediate Attention 

Kibana is a robust tool for data visualization and exploration that can be used to search, examine, and track data that is stored in Elasticsearch. A vital part of many organizations’ data analysis procedures, it offers real-time insights through interactive dashboards. 

Elastic released security updates to address a critical vulnerability, tracked as CVE-2025-25012 (CVSS score of 9.9), impacting the Kibana data visualization dashboard software for Elasticsearch.

OEM Elastic 
Severity Critical 
CVSS 9.9 
CVEs CVE-2025-25012 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A critical security vulnerability (CVE-2025-25012) has been identified in Kibana, affecting versions 8.15.0 to 8.17.2. The flaw allows attackers to execute arbitrary code, potentially compromising affected systems. Elastic has released a patch in Kibana version 8.17.3to address this issue, and users are strongly advised to update immediately. 

Vulnerability Name CVE ID Product Affected Severity 
 Arbitrary code execution Vulnerability  CVE-2025-25012  Elastic  Critical 

Technical Summary 

This vulnerability arises from improper handling of JavaScript object prototypes in Kibana’s file upload and HTTP request processing functionalities.

Attackers can exploit this flaw to inject malicious payloads, modify application behavior, and execute arbitrary code. The vulnerability is classified under CWE-1321 (Improper Control of Prototype-Based Attribute Modifications) and aligns with the MITRE ATT&CK framework under tactic T1059 (Command and Scripting Interpreter). 

Affected Versions and Exploitation Conditions: 

  • Kibana 8.15.0 – 8.17.0: Exploitable by users with the Viewer role. 
  • Kibana 8.17.1 – 8.17.2: Requires privileges fleet-all, integrations-all, and actions:execute-advanced-connectors. 
CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-25012   Kibana 8.15.0 – 8.17.2   Prototype pollution via crafted file uploads and HTTP requests, allowing manipulation of JavaScript object properties and security controls.  Remote Code Execution, Unauthorized Data Access, Lateral Movement  

Remediation

  • Upgrade: Elastic has released a security patch to address the issue. It is highly recommended to upgrade to Kibana 8.17.3 or a later version 
  • Temporary Mitigation: If upgrading is not feasible in the short term, apply the following measure to reduce risk: 
  • Disable the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in kibana.yml. 

Conclusion: 

Organizations utilizing Kibana should take urgent action to patch CVE-2025-25012 by upgrading to version 8.17.3.

The vulnerability is highly severe, particularly for environments using Kibana for security monitoring, as attackers could exploit this flaw to disable alerts and manipulate detection pipelines. If patching is not immediately possible, temporary mitigations should be applied to reduce the risk of exploitation. Ensuring real-time vulnerability monitoring and implementing strict access controls are also recommended to safeguard against similar threats in the future. 

References: 

Image 

Security Advisory

Exploitable Command Injection in F5 BIG-IP (CVE-2025-20029) 

F5 BIG-IP

Continue Reading
Security Advisory

Authentication Bypass Vulnerability in FortiOS & FortiProxy 

Summary 

A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.

OEM Fortinet 
Severity Critical 
CVSS 9.6 
CVEs CVE-2025-24472 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Authentication Bypass Vulnerability CVE-2025-24472 FortiOS FortiProxy Critical  FortiOS v7.0 – v7.0.16   FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 

Technical Summary 

CVE ID Vulnerability Details Impact 
  CVE-2025-24472   An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests.   Execute unauthorized code or commands 

Recommendations

  • Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below 
Version Fixes and Releases 
FortiOS 7.0 – 7.0.16 Upgrade to 7.0.17 or latest version 
FortiProxy 7.0 – 7.0.19 Upgrade to 7.0.20 or latest version 
FortiProxy 7.2 – 7.2.12 Upgrade to 7.2.13 or latest version 

Workarounds: 

Below are some workarounds provided by the Fortinet team. 

  • Disable HTTP/HTTPS administrative interface 
  • Limit IP addresses that can reach the administrative interface via local-in policies 

According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”

References: 

Security Advisory

7Zip Mark-Of-The-Web Vulnerability

A high severity vulnerability in 7-Zip is exploiting in the wild. This vulnerability, identified as a Mark-of-the-Web (MoTW) bypass, allows attackers to craft a double archive file that, when extracted, bypasses MoTW protections.

OEM7Zip
SeverityHigh
CVSS7.0
CVEsCVE-2025-0411
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

The vulnerability enables threat actors to create archives containing malicious scripts or executables, which, due to the flaw, will not receive the usual MoTW protection.

This exposes Windows users to potential attacks and has recently been added to the CISA Known Exploited Vulnerabilities Catalog. Furthermore, a Proof of Concept (PoC) for this vulnerability has been publicly released, increasing the risk of exploitation.

7-Zip vulnerability allows attackers to bypass the Mark of the Web (MotW) Windows security feature and was exploited by Russian hackers as a zero-day since September 2024.

Vulnerability NameCVE IDProduct AffectedSeverity
  MOTW Bypass vulnerability  CVE-2025-0411  7zip  High

Technical Summary

This vulnerability bypasses the Mark-of-the-Web (MoTW) feature, a security measure in Windows operating systems that flags files originating from the internet as potentially untrusted. MoTW is typically applied to files like downloaded documents, images, or executable files, which prompts a warning when opened. However, this vulnerability occurs when 7-Zip fails to properly propagate MoTW protections to files inside double-encapsulated archives.

An attacker can craft an archive containing another archive (a “double archive”), and 7-Zip did not properly propagate MoTW protections to the content to the inner archive.

This flaw allows any malicious content in the inner archive to be executed without triggering any security warnings. Consequently, this exposes Windows users to the risk of remote code execution and other malicious activities.

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2025-04117Zip Prior to v24.09    This flaw allows attackers to execute arbitrary code through double-encapsulated archives that bypass MoTW protections.Arbitrary remote code injection, potential system compromise

Remediation:

Update 7zip to v24.09 or the latest version. Installing the latest version will ensure that vulnerability is addressed, protecting systems from potential exploitation.

Generic Recommendations

  • Exercise Caution with File Extraction: Always verify the source before extracting files, especially from unfamiliar or untrusted sources.
  • Enhance User Awareness: Educate users on identifying phishing attempts and avoiding clicks on suspicious links or attachments.
  • Monitor for Anomalies: Continuously monitor systems for signs of exploitation, unusual file extraction behaviors, or unauthorized access attempts.

Conclusion

The MoTW bypass vulnerability in 7-Zip represents a serious security concern for Windows users, as it allows attackers to circumvent protective measures and execute malicious code. Updating to the latest version of 7-Zip is the recommended action to ensure systems are protected against this vulnerability.

References:

#CyberSecurity #7Zip #SecurityAdvisory #VulnerabilityManagement #CISO #CXO #PatchManagement #Intrucept

Security Advisory

Zero-Day Vulnerability in Microsoft Sysinternals Tools  

Summary 

A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.

OEM Microsoft 
Severity High 
Date of Announcement 2025-02-05 
CVEs Not Yet Assigned 
Exploited in Wild No 
Patch/Remediation Available No 
Advisory Version 1.0 
Vulnerability Name Zero-Day  

Overview 

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw. 

Vulnerability Name CVE ID Product Affected Severity Impact 
            zero-day  Not Yet Assigned Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others)          High Arbitrary Code Execution, Privilege Escalation, Malware Deployment 

Technical Summary 

The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories. 

The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as: 

  • The Current Working Directory (CWD) 
  • Network locations (e.g., shared drives) 
  • User-writable paths over secure system directories 

This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL. 

Exploit Workflow 

  1. Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan. 
  1. The DLL is placed in the same directory as a vulnerable Sysinternals tool. 
  1. The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory. 
  1. The malicious DLL is loaded instead of the legitimate system DLL. 
  1. Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights). 

Recommendations 

  1. Avoid Running Sysinternals Tools from Network Locations 
  • Always copy tools to a local trusted directory before execution. 
  • Disable execution of .exe files from network drives if feasible. 
  1. Restrict DLL Search Paths 
  • Use SafeDLLSearchMode to prioritize secure directories. 
  • Implement DLL redirection to force tools to load DLLs from trusted paths. 
  1. Implement Application Control Policies 
  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading. 
  • Restrict execution of Sysinternals tools to trusted admin-only directories. 
  1. Verify DLL Integrity Before Execution 
  • Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed. 
  • Block execution of unsigned or suspicious DLLs in sensitive directories. 
  1. Monitor for Suspicious DLL Loading Behavior 
  • Enable Sysmon logging to detect anomalous DLL loads (Event ID 7). 
  • Monitor for executions of Sysinternals tools from network shares (Event ID 4688). 

Conclusion 

Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.

The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 

References

Scroll to top