Zero day

Security Advisory

Android Security Patch December 2025 Fixed 100+ Vulnerabilities Including Zero-Days 

Android security Patch: Google has released the Android Security update for December 2025 addressing over 100 vulnerabilities and two actively exploited zero-day vulnerabilities across Framework, System, Kernel, and vendor components like Qualcomm, MediaTek, and Unisoc.

The most severe issues include a critical remote denial-of-service flaw in Framework and multiple zero-day elevation-of-privilege vulnerabilities actively exploited.

OEM Google Android 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-48631, CVE-2025-48633, CVE-2025-48572 & 104 more CVEs 
POC Available No 
Actively Exploited Yes 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These flaws could enable attackers to crash devices remotely, escalate privileges locally, or disclose sensitive data without additional execution privileges. Android users are urged to immediate updates as soon as available. 

                      Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Remote Denial-of-Service Vulnerability CVE-2025-48631 Android Framework Critical Dec 2025 Android Security Update 
Information Disclosure Zero-Day Vulnerability CVE-2025-48633 Android Framework High Dec 2025 Android Security Update 
Elevation of Privilege Zero-Day Vulnerability CVE-2025-48572 Android Framework High Dec 2025 Android Security Update 

Technical Summary 

The December 2025 Android vulnerabilities primarily impact Framework (remote DoS, EoP, ID), System (local privilege escalation), and Kernel (pKVM/IOMMU flaws), with additional high-severity issues in vendor components from Qualcomm, MediaTek, Arm and Unisoc. Critical zero-days like the Framework remote DoS enable attacker-initiated crashes without privileges, while EoP flaws allow local escalation for background activity launch or data access.

Organizations and users should treat these vulnerabilities as critical due to active exploitation. Updating all devices to the 2025 December, security patch level is strongly recommended to stay protected. 

CVE ID Vulnerability Details Impact 
CVE-2025-48631 Framework vulnerability that allows a remote attacker to cause a device crash, reboot loop, or render it unresponsive without requiring additional privileges or user interaction. Remote device crash, Denial of service 
CVE-2025-48633 This exploiting framework information disclosure flaw that exposes sensitive internal system data, enabling attacker reconnaissance or exploit chaining Data leakage, privacy violation 
CVE-2025-48572 This exploiting elevation of privilege vulnerability within the Framework that allows attackers to gain higher system privileges, enabling unauthorized operations Privilege escalation, arbitrary code execution 

These additional vulnerabilities include 104 other Critical and High-severity issues that could allow data exposure, system instability, or service disruptions. Applying the latest update is important as these vulnerabilities still have significant security risks if left unpatched. 

Remediation

  • Update all Android devices to the latest Security Patch when it’s available. 

Conclusion: 
These vulnerabilities, including actively exploited zero-days, pose severe risks to Android devices enabling remote crashes, privilege escalation, and data exposure. It is recommended to update to the both personal and enterprise Android devices to the latest security patch for December, 2025.  

References

Security Advisory

Microsoft October Patch Fixes 175 Vulnerabilities, 6 Zero-Days & Critical Exploits 

Summary:  Microsoft’s October 2025 Patch Tuesday fixes 175 security vulnerabilities in the products Windows, Office, Azure, and .NET and others. It includes patches for 6 – zero-day vulnerabilities where three vulnerabilities have been exploited and three publicly known vulnerabilities.  

Microsoft advises immediate deployment of updates and removal of affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month update.

The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-10-14 
No. of Patches 175 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users & Administrator are urged to update the patch to immediately to stay protected. 

Here are the CVE addresses for Microsoft & non-Microsoft:  

  • 175 Microsoft CVEs addressed 
  • 21 non-Microsoft CVEs addressed (Republished) 

Breakdown of October 2025 Vulnerabilities 

  • 80 Elevation of Privilege (EoP) 
  • 31 Remote Code Execution (RCE) 
  • 28 Information Disclosure 
  • 11 Denial of Service (DoS) 
  • 11 Security Feature Bypass 
  • 12 Spoofing  
  • 2 Tampering 

Source: Microsoft 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows Agere Modem Driver Elevation of Privilege Vulnerability CVE-2025-24990 Windows 10, 11, Server 2016-2022 High 7.8 
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability CVE-2025-59230 Windows 10, 11, Server 2016-2022 High 7.8 
Secure Boot Bypass Vulnerability in IGEL OS CVE-2025-47827 IGEL OS Medium 4.6 
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability CVE-2025-59287 Windows Server Critical 9.8 
Microsoft Office Remote Code Execution Vulnerability CVE-2025-59234 Microsoft Office High 7.8 
Microsoft Excel Remote Code Execution Vulnerability CVE-2025-59236 Microsoft Excel (2016-2021) High 8.4 

Technical Summary 

October 2025 Patch Tuesday includes security updates addresses remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.

3 zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without needing the modem hardware active, leading to local system compromise.  

Additionally, exposes improper access controls in Windows Remote Access Connection Manager, enabling authorized attackers to escalate to SYSTEM privileges with moderate effort.  

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-24990 Windows Agere Modem Driver Third-party driver abused for admin privileges; removed in updates, may break fax modem hardware Privilege Escalation 
CVE-2025-59230 Windows Remote Access Connection Manager Improper access control allows local attackers to gain SYSTEM privileges Privilege Escalation 
CVE-2025-47827 IGEL OS < v11 Improper cryptographic signature verification enables Secure Boot bypass via crafted root filesystem Security Feature Bypass 
CVE-2025-59287 Windows Server Update Service Deserialization of untrusted data allows unauthenticated RCE over networks, prime for supply-chain attacks Remote Code Execution 
CVE-2025-59234 Microsoft Office (2016-2021) Use-after-free in Office allows RCE via malicious files, no authentication required Remote Code Execution 
CVE-2025-59236 Microsoft Excel (2016-2021) Use-after-free in Excel enables RCE via malicious files, potentially leading to system control Remote Code Execution 

Source: Microsoft 

In addition to several other publicly exploited Zero-Day & Critical severity issues were addressed 

  • CVE-2025-0033: AMD SEV-SNP Flaw – Race condition in AMD EPYC processors allows hypervisor to tamper with guest memory; needs privileged access. (Critical) 
  • CVE-2025-24052: Windows Agere Modem EoP – Flaw in modem driver enables local admin privilege escalation; driver removed, may affect fax hardware. (High) 
  • CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium) 
  • CVE202549708: Microsoft Graphics Component EoP – Memory corruption enables network-based privilege escalation.  (Critical) 
  • CVE-2025-59227: Microsoft Office RCE – Use-after-free affecting multiple Office versions. (Critical) 
  • CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical) 
  • CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical) 

Key Affected Products and Services 

  • Windows Core and Security Components 

Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher. 

  • Microsoft Office Suite 

Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution. 

  • Azure and Cloud Services 

Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances. 

  • Virtualization and Hyper-V 

Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks. 

  • Developer and Management Tools 

Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation. 

  • Communication & File Services 

Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs. 

Remediation: 

  • Install the October 2025 security updates immediately to mitigate risks. 

Here are some recommendations below  

  • Use EDR tools to monitor any indicators like Office crashes or logs. 
  • Disable unused services to prevent any remote access or other exploitation. 
  • Apply least privilege access in Office and Azure environments. 
  • Segment networks to reduce any lateral movement. 

Conclusion: 
Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks for ransomware, data theft and lateral movement. Administrator, users & security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure. 

References

Security Advisory

Critical WhatsApp Zero-Day Vulnerability Allows Remote Code Execution  

Summary 

OEM WhatsApp 
Severity Medium 
CVSS Score 5.4 
CVEs CVE-2025-55177 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability recently discovered in WhatsApp’s linked device feature that allows users to access WhatsApp across multiple devices, such as phones and computers.

CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting its significance. The flaw allows attackers to send crafted messages that forced WhatsApp to load malicious content from a rogue website without any user interaction. WhatsApp and Apple already patched the issue and users are urged to update their apps immediately to stay protected.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
WhatsApp Incorrect Authorization Vulnerability  CVE-2025-55177 WhatsApp  Medium 2.25.21.73 and later. 
 
WB iOS 2.25.21.78 and later.  
WhatsApp Desktop for Mac 2.25.21.78 and later. 

Technical Summary 

The vulnerability was due to incomplete authorization of synchronization messages in WhatsApp’s linked device feature. This flaw allowed an attacker to send crafted sync messages that could trick WhatsApp into processing content from an arbitrary URL, even if the message came from an untrusted source.

This could result in WhatsApp loading and executing malicious content on the target device without any user interaction. The impact of the attack was significantly increased when combined with a separate Apple OS vulnerability (CVE-2025-43300), making it suitable for sophisticated, targeted exploitation.

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-55177 WhatsApp for iOS (v2.22.25.2 to v2.25.21.72) 
 WhatsApp Business for iOS (v2.22.25.2 to v2.25.21.77) 
 WhatsApp Desktop for Mac (v2.22.25.2 to v2.25.21.77		Incomplete authorization in the linked device sync feature allowed attackers to send crafted sync messages that caused WhatsApp to load content from an arbitrary URL without user interaction. This could be used to execute malicious code on the device. Remote code execution,.  Potential full device compromise.  

Remediation

Update the WhatsApp in iOS and mac devices to the latest version 

  • WhatsApp for iOS: Update to v2.25.21.73 or latest version 
  • WhatsApp Business for iOS: Update to v2.25.21.78 or latest version  
  • WhatsApp Desktop for Mac: Update to v2.25.21.78 or latest version 

Conclusion: 
The WhatsApp vulnerability highlights the growing risks of zero-click attacks, where devices can be compromised without any user interaction. This flaw has been exploited in targeted attacks and poses a serious threat to user security and privacy. It is important for all users to keep their apps and operating systems up to date and follow trusted security recommendations

References

Security Advisory

Zero-Day Exploitation in SonicWall Targeted by Akira Ransomware 

Summary 

A critical zero-day vulnerability is suspected in SonicWall SSL VPN appliances, which are currently being actively exploited by threat actors linked to the Akira ransomware group. These attacks began last month and exploit even fully patched devices and systems with multi-factor authentication (MFA) enabled. In many cases, attackers move quickly, encrypting victim systems within hours of gaining access. 

Detailed Observation 

The ongoing attacks targeting SonicWall SSL VPN appliances suggest the presence of a zero-day vulnerability that allows threat actors to gain unauthorized access to enterprise networks.

This exploitation may be limited to TZ and NSa-series SonicWall firewalls with SSLVPN enabled. The attack patterns indicate that the attackers may be exploiting a flaw in the VPN’s authentication or session management mechanisms which they can be able to bypass the MFA.

Security researchers also observed that the threat actors often used legitimate credentials, including recently rotated passwords, implying either credential theft or session hijacking.

These login attempts were traced back to Virtual Private Servers (VPS), a common tactic to obscure the attacker’s origin. Once threat actors on the network, they abuse the privileged accounts, then start establishing C2 and move laterally in the network, then at the last stage before deploying the ransomware they are disabling the defenses to smooth deploy.

The ransomware group suggests Akira, has been seen deploying malware and encrypting data within hours, showcasing a high level of automation and operational efficiency.

The pattern and speed of these attacks point to a well-orchestrated campaign that likely began months earlier (as early as October 2024) but surged in mid-July 2025. This level of sophistication, combined with the failure of traditional defenses, strongly supports the theory that attackers are leveraging an undisclosed vulnerability in SonicWall’s SSL VPN stack. 

Remediation

Until an official SonicWall patch is released, organizations should take the following immediate actions: 

  • Disable SonicWall SSL VPN if possible, especially for external access. 
  • Enforce network segmentation to limit the radius of any potential breach. 
  • Monitor access logs for suspicious login attempts (especially from VPS-hosting IP ranges). 
  • Block known malicious IPs and ASNs used in previous attacks. 
  • Rotate all VPN credentials, especially for admin or privileged users. 
  • Harden MFA configuration (though current evidence shows bypasses are possible). 
  • Enable IP reputation and botnet protection features in SonicWall firewalls. 
  • Audit all VPN user accounts, removing any inactive or unnecessary ones. 

IOCs 

Attacker IP Threat Actors used tools ASN/CIDR hosting adversary infrastructure User & Password created  
42.252.99[.]59 w.exe AS24863 – LINK-NET – 45.242.96.0/22 backupSQL (U) 
45.86.208[.]240 win.exe AS62240 – Clouvider – 45.86.208.0/22 lockadmin (U) 
77.247.126[.]239 C:\ProgramData\winrar.exe AS62240 – Clouvider – 77.247.126.0/24 Password123$ (P) 
104.238.205[.]105 C:\ProgramData\OpenSSHa.msi AS23470 – ReliableSite LLC – 104.238.204.0/22 Msnc?42da (P) 
104.238.220[.]216 C:\Program Files\OpenSSH\sshd.exe AS23470 – ReliableSite LLC – 104.238.220.0/22 VRT83g$%ce (P) 
181.215.182[.]64 C:\programdata\ssh\cloudflared.exe AS174 – COGENT-174 – 181.215.182.0/24  
193.163.194[.]7 C:\Program Files\FileZilla FTP Client\fzsftp.exe AS62240 – Clouvider – 193.163.194.0/24  
193.239.236[.]149 C:\ProgramData\1.bat AS62240 – Clouvider – 193.239.236.0/23  
194.33.45[.]155 C:\ProgramData\2.bat AS62240 – Clouvider – 194.33.45.0/24  
  • Source: huntress.com 

Conclusion: 
The exploitation of a suspected zero-day in SonicWall SSL VPN poses an immediate and critical threat to enterprise environments.

The ability of attackers to bypass authentication and deploy ransomware within hours is highly dangerous and points to a sophisticated, active campaign.

Organizations using SonicWall VPNs must take preemptive steps now, including disabling VPN access if feasible and aggressively monitoring for anomalies, until SonicWall releases a formal patch or mitigation advisory 

References

Security Advisory

Critical 0-Day Vulnerabilities in Qualcomm Adreno GPU Drivers Actively Exploited  

Summary 

OEM Qualcomm 
Severity HIGH 
CVSS Score 8.6 
CVEs CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Three actively exploited zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) have been disclosed and patched.

These flaws impact billions of Android devices across vendors such as Samsung, Google, Xiaomi, and OnePlus. Qualcomm released patches to OEMs in May 2025, urging immediate integration to mitigate severe memory corruption and code execution threats. 

Vulnerability Name CVE ID Product Affected CVSS Score Severity 
​Incorrect Authorization Vulnerability  CVE-2025-21479 Qualcomm Adreno GPU Driver  8.6  High 
Incorrect Authorization Vulnerability  CVE-2025-21480 Qualcomm Adreno GPU Driver  8.6  High 
Use-After-Free Vulnerability  CVE-2025-27038 Qualcomm Adreno GPU Driver  7.5  High 

Technical Summary 

These vulnerabilities reside within Qualcomm’s Adreno GPU driver, specifically in the Graphics component. The flaws allow attackers to corrupt memory, escalate privileges or execute arbitrary code. Two issues (CVE-2025-21479, CVE-2025-21480) result from incorrect authorization mechanisms in GPU microcode and the third (CVE-2025-27038) is a use-after-free flaw that can be exploited via malicious content rendered through Chrome. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-21479   Android (Adreno GPU) Unauthorized command execution during specific GPU microcode sequences causes memory corruption.   Privilege escalation, system compromise. 
   CVE-2025-21480    Android (Adreno GPU) Similar unauthorized GPU command flaw allowing memory corruption via improper authorization checks.   Memory corruption, remote code execution. 
  CVE-2025-27038   Android (Chrome/Adreno) Use-after-free condition in graphics rendering pipeline (via Chrome) allows attacker control over freed memory space.   Arbitrary code execution. 

Recommendations

  • Apply OEM Patches Immediately: Qualcomm released fixes in May 2025 to all OEMs; users should install the latest firmware updates from their device manufacturers. 
  • Check for Updates: Go to Settings → System → Software Update and apply the latest security patches as soon as available. 
  • Apply Security Updates: Users should ensure their Android devices receive the latest security updates. 
  • Monitor Manufacturer Communications: Stay informed about patch availability specific to your device model via official OEM channels. 

Conclusion: 
These zero-day vulnerabilities in Qualcomm’s Adreno GPU drivers highlight ongoing security risks in mobile hardware components.

Exploited in limited, targeted attacks potentially by spyware vendors or state-sponsored actors these flaws pose significant threats to Android devices worldwide. 

In response to confirmed exploitation, CISA has added all three CVEs (CVE-2025-21479, CVE-2025-21480, CVE-2025-27038) to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action for federal systems.

Timely patching by OEMs and proactive updates by users are critical to mitigating these risks and preventing further exploitation. 

References

 

Security Advisory

Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk 

Summary : A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.

OEM Google 
Severity Medium 
CVSS Score 4.3 
CVEs CVE-2025-4664 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Insufficient Policy Enforcement vulnerability  CVE-2025-4664 Google Chrome  Medium  136.0.7103.113/.114 (Win/Mac),  136.0.7103.113 (Linux) 

Technical Summary 

CVE-2025-4664 is a zero-day vulnerability found in the Chrome Loader component due to insufficient policy enforcement.

It enables remote attackers to bypass browser security controls using crafted HTML content, possibly leaking cross-origin data or achieving sandbox escape. The bug has been actively exploited in the wild.

A second high-severity flaw, CVE-2025-4609, was also addressed in this update, involving an incorrect handle in the Mojo IPC layer, which can lead to memory corruption or privilege escalation. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-4664  Chrome (Windows, Mac, Linux) Insufficient policy enforcement in Loader enables cross-origin data leaks via crafted HTML.  Data leakage, sandbox escape, potential code execution 

Remediation

  • Update Chrome: Google has released security updates to address these vulnerabilities. Users and administrators must apply the latest Chrome versions: 
  • Windows/macOS: Chrome 136.0.7103.113 /136.0.7103.114 or later 
  • Linux: Chrome 136.0.7103.113 or later 

Conclusion: 
The active exploitation of CVE-2025-4664 highlights the urgent need for rapid security response and patch management. With acknowledgment from CISA and public disclosure by @slonser_, this zero-day poses a real and present threat to users of Chrome and other Chromium-based browsers.

Organizations should take immediate action to patch affected systems and monitor for signs of compromise.

Regular browser updates and proactive vulnerability management are essential to mitigating such critical security risks. 

References

Security Advisory

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

Summary : SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.

OEM  SAP 
Severity  Critical 
Date of Announcement  2025-05-13 
No. of Vulnerabilities Patched  16 
Actively Exploited  Yes 
Exploited in Wild  Yes 
Advisory Version  1.0 

Overview 

The most severe issue, CVE-2025-31324 (CVSS 10.0), is a critical unauthenticated file upload vulnerability that has been exploited in the wild since January 2025 for remote code execution (RCE). 

This issue was originally addressed in an SAP security note issued on April 24, 2025, and has since been supplemented by a second vulnerability, CVE-2025-42999, involving insecure deserialization.

These vulnerabilities have been used together in chained attacks to gain full system access on vulnerable SAP NetWeaver servers. 

Vulnerability Name  CVE ID  Product Affected  Severity  CVSS Score 
Unauthenticated File Upload (RCE)  CVE-2025-31324  SAP NetWeaver  Critical  10.0 
Insecure Deserialization (RCE)  CVE-2025-42999  SAP NetWeaver  Critical  9.1 

Technical Summary 

Attackers have leveraged two flaws in SAP NetWeaver Visual Composer in chained exploit scenarios to gain unauthorized remote access and execute arbitrary commands.

CVE-2025-31324 enables unauthenticated file uploads, and CVE-2025-42999 allows privileged users to exploit insecure data deserialization for command execution.

These vulnerabilities have impacted hundreds of internet-facing SAP instances, including systems operated by major enterprises. 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2025-31324  SAP NetWeaver Visual Composer  Unauthenticated file upload vulnerability in development server.  Remote Code Execution (RCE) without privileges 
CVE-2025-42999  SAP NetWeaver Visual Composer  Insecure deserialization in Visual Composer user-accessible function.  Remote Code Execution (RCE) without privileges 

Source: SAP 

In addition to the actively exploited vulnerabilities, several other High Severity Vulnerabilities were also addressed: 

  • CVE-2025-30018: SAP Supplier Relationship Management (Live Auction Cockpit) – Multiple vulnerabilities (CVSS 8.6) 
  • CVE-2025-43010: SAP S/4HANA Cloud Private Edition / On Premise (SCM Master Data Layer) – Code injection (CVSS 8.3) 
  • CVE-2025-43000: SAP Business Objects Business Intelligence Platform (PMW) – Information disclosure (CVSS 7.9) 
  • CVE-2025-43011: SAP Landscape Transformation (PCL Basis) – Missing authorization check (CVSS 7.7) 
  • CVE-2024-39592: SAP PDCE – Missing authorization check (CVSS 7.7) 

Remediation

  • Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks from CVE-2025-42999 and other high-severity vulnerabilities, including CVE-2025-31324, along with additional security improvements across various SAP products. 

General Recommendations: 

  • Disable Visual Composer Service: If possible, disable the Visual Composer service to further reduce risk. 
  • Restrict Access to Metadata Upload Functions: Limit access to the metadata uploader to trusted users to prevent unauthorized file uploads. 
  • Monitor for Suspicious Activity: Continuously monitor the SAP NetWeaver environment for any signs of suspicious activity related to the vulnerabilities. 

Conclusion: 

  • The dual exploitation of CVE-2025-31324 and CVE-2025-42999 underscores the critical need for proactive patching and vigilant monitoring of enterprise SAP environments.
  • The vulnerabilities are being exploited by sophisticated threat actors, including the Chinese APT group Chaya_004, with over 2,000 exposed NetWeaver instances and hundreds already compromised. 
  • In response to the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog and has mandated federal agencies to remediate by May 20, 2025, under Binding Operational Directive 22-01. Organizations are strongly urged to act immediately to protect their SAP environments. 

References

 

 

Security Advisory

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

May 2025 Patch Tuesday by Microsoft

Continue Reading
Security Advisory

7Zip Mark-Of-The-Web Vulnerability

A high severity vulnerability in 7-Zip is exploiting in the wild. This vulnerability, identified as a Mark-of-the-Web (MoTW) bypass, allows attackers to craft a double archive file that, when extracted, bypasses MoTW protections.

OEM7Zip
SeverityHigh
CVSS7.0
CVEsCVE-2025-0411
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

The vulnerability enables threat actors to create archives containing malicious scripts or executables, which, due to the flaw, will not receive the usual MoTW protection.

This exposes Windows users to potential attacks and has recently been added to the CISA Known Exploited Vulnerabilities Catalog. Furthermore, a Proof of Concept (PoC) for this vulnerability has been publicly released, increasing the risk of exploitation.

7-Zip vulnerability allows attackers to bypass the Mark of the Web (MotW) Windows security feature and was exploited by Russian hackers as a zero-day since September 2024.

Vulnerability NameCVE IDProduct AffectedSeverity
  MOTW Bypass vulnerability  CVE-2025-0411  7zip  High

Technical Summary

This vulnerability bypasses the Mark-of-the-Web (MoTW) feature, a security measure in Windows operating systems that flags files originating from the internet as potentially untrusted. MoTW is typically applied to files like downloaded documents, images, or executable files, which prompts a warning when opened. However, this vulnerability occurs when 7-Zip fails to properly propagate MoTW protections to files inside double-encapsulated archives.

An attacker can craft an archive containing another archive (a “double archive”), and 7-Zip did not properly propagate MoTW protections to the content to the inner archive.

This flaw allows any malicious content in the inner archive to be executed without triggering any security warnings. Consequently, this exposes Windows users to the risk of remote code execution and other malicious activities.

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2025-04117Zip Prior to v24.09    This flaw allows attackers to execute arbitrary code through double-encapsulated archives that bypass MoTW protections.Arbitrary remote code injection, potential system compromise

Remediation:

Update 7zip to v24.09 or the latest version. Installing the latest version will ensure that vulnerability is addressed, protecting systems from potential exploitation.

Generic Recommendations

  • Exercise Caution with File Extraction: Always verify the source before extracting files, especially from unfamiliar or untrusted sources.
  • Enhance User Awareness: Educate users on identifying phishing attempts and avoiding clicks on suspicious links or attachments.
  • Monitor for Anomalies: Continuously monitor systems for signs of exploitation, unusual file extraction behaviors, or unauthorized access attempts.

Conclusion

The MoTW bypass vulnerability in 7-Zip represents a serious security concern for Windows users, as it allows attackers to circumvent protective measures and execute malicious code. Updating to the latest version of 7-Zip is the recommended action to ensure systems are protected against this vulnerability.

References:

#CyberSecurity #7Zip #SecurityAdvisory #VulnerabilityManagement #CISO #CXO #PatchManagement #Intrucept

Security Advisory

Zero-Day Vulnerability in Microsoft Sysinternals Tools  

Summary 

A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.

OEM Microsoft 
Severity High 
Date of Announcement 2025-02-05 
CVEs Not Yet Assigned 
Exploited in Wild No 
Patch/Remediation Available No 
Advisory Version 1.0 
Vulnerability Name Zero-Day  

Overview 

Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw. 

Vulnerability Name CVE ID Product Affected Severity Impact 
            zero-day  Not Yet Assigned Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others)          High Arbitrary Code Execution, Privilege Escalation, Malware Deployment 

Technical Summary 

The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories. 

The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as: 

  • The Current Working Directory (CWD) 
  • Network locations (e.g., shared drives) 
  • User-writable paths over secure system directories 

This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL. 

Exploit Workflow 

  1. Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan. 
  1. The DLL is placed in the same directory as a vulnerable Sysinternals tool. 
  1. The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory. 
  1. The malicious DLL is loaded instead of the legitimate system DLL. 
  1. Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights). 

Recommendations 

  1. Avoid Running Sysinternals Tools from Network Locations 
  • Always copy tools to a local trusted directory before execution. 
  • Disable execution of .exe files from network drives if feasible. 
  1. Restrict DLL Search Paths 
  • Use SafeDLLSearchMode to prioritize secure directories. 
  • Implement DLL redirection to force tools to load DLLs from trusted paths. 
  1. Implement Application Control Policies 
  • Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading. 
  • Restrict execution of Sysinternals tools to trusted admin-only directories. 
  1. Verify DLL Integrity Before Execution 
  • Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed. 
  • Block execution of unsigned or suspicious DLLs in sensitive directories. 
  1. Monitor for Suspicious DLL Loading Behavior 
  • Enable Sysmon logging to detect anomalous DLL loads (Event ID 7). 
  • Monitor for executions of Sysinternals tools from network shares (Event ID 4688). 

Conclusion 

Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.

The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems. 

References

Scroll to top