Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation
Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said has come under active exploitation in the wild.
Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the 23 flaws Microsoft addressed in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.
The update is notable for fixing two actively exploited flaws –
- CVE-2025-21391 (CVSS score: 7.1) – Windows Storage Elevation of Privilege Vulnerability
- CVE-2025-21418 (CVSS score: 7.8) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
„An attacker would only be able to delete targeted files on a system,“ Microsoft said in an alert for CVE-2025-21391. „This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable.“
Mike Walters, president and co-founder of Action1, noted that the vulnerability could be chained with other flaws to escalate privileges and perform follow-on actions that can complicate recovery efforts and allow threat actors to cover up their tracks by deleting crucial forensic artifacts.
Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Securityweek / CISCO Talos intelligence group / SANS internet storm center
Link: https://thehackernews.com/2025/02/microsofts-patch-tuesday-fixes-63-flaws.html
Link: https://krebsonsecurity.com/2025/02/microsoft-patch-tuesday-february-2025-edition/
Link: https://www.darkreading.com/application-security/microsofts-february-patch-lighter-lift-januarys
Link: https://www.securityweek.com/microsoft-patches-wormable-windows-flaw-and-file-deleting-zero-day/
Link: https://blog.talosintelligence.com/february-patch-tuesday-release/
Link: https://isc.sans.edu/diary/Microsoft%20February%202025%20Patch%20Tuesday/31674
Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software
Palo Alto Networks has addressed a high-severity security flaw in its PAN-OS software that could result in an authentication bypass.
The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is restricted to a jump box.
„An authentication bypass in the Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to bypass the authentication otherwise required by the PAN-OS management web interface and invoke certain PHP scripts,“ Palo Alto Networks said in an advisory.
„While invoking these PHP scripts does not enable remote code execution, it can negatively impact the integrity and confidentiality of PAN-OS.“
The vulnerability affects the following versions –
- PAN-OS 11.2 < 11.2.4-h4 (Fixed in >= 11.2.4-h4)
- PAN-OS 11.1 < 11.1.6-h1 (Fixed in >= 11.1.6-h1)
- PAN-OS 11.0 (Upgrade to a supported fixed version as it has reached end-of-life status on November 17, 2024)
- PAN-OS 10.2 < 10.2.13-h3 (Fixed in >= 10.2.13-h3
- PAN-OS 10.1 < 10.1.14-h9 (Fixed in >= 10.1.14-h9)
Searchlight Cyber/Assetnote security researcher Adam Kues, who is credited with discovering and reporting the flaw, said the security defect has to do with a discrepancy in how the interface’s Nginx and Apache components handle incoming requests, resulting in a directory traversal attack.
Source: The hacker news / Securityweek / Helpnet Security / Searchlight Cyber blog
Link: https://thehackernews.com/2025/02/palo-alto-networks-patches.html
Link: https://www.securityweek.com/palo-alto-networks-patches-potentially-serious-firewall-vulnerability/
Link: https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os/
Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could be exploited to achieve arbitrary code execution.
The list of vulnerabilities is below –
- CVE-2024-38657 (CVSS score: 9.1) – External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to write arbitrary files
- CVE-2025-22467 (CVSS score: 9.9) – A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution
- CVE-2024-10644 (CVSS score: 9.1) – Code injection in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy Secure before version 22.7R1.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution
- CVE-2024-47908 (CVSS score: 9.1) – Operating system command injection in the admin web console of Ivanti CSA before version 5.0.5 allows a remote authenticated attacker with admin privileges to achieve remote code execution
The shortcomings have been addressed in the below versions –
- Ivanti Connect Secure 22.7R2.6
- Ivanti Policy Secure 22.7R1.3
- Ivanti CSA 5.0.5
The company said it’s not aware of any of the flaws being exploited in the wild. However, with Ivanti appliances being repeatedly weaponized by malicious actors, it’s imperative that users take steps to apply the latest patches.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2025/02/ivanti-patches-critical-flaws-in.html
Link: https://www.securityweek.com/ivanti-fortinet-patch-remote-code-execution-vulnerabilities/
Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update
Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild.
Assigned the CVE identifier CVE-2025-24200 (CVSS score: 4.6), the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack.
This suggests that the attackers require physical access to the device in order to exploit the flaw. Introduced in iOS 11.4.1, USB Restricted Mode prevents an Apple iOS and iPadOS device from communicating with a connected accessory if it has not been unlocked and connected to an accessory within the past hour.
The feature is seen as an attempt to prevent digital forensics tools like Cellebrite or GrayKey, which are mainly used by law enforcement agencies, from gaining unauthorized entry to a confiscated device and extracting sensitive data.
In line with advisories of this kind, no other details about the security flaw are currently available. The iPhone maker said the vulnerability was addressed with improved state management.
Source: The hacker news / Bleeping computer / Dark reading
Link: https://thehackernews.com/2025/02/apple-patches-actively-exploited-ios.html
Link: https://www.darkreading.com/endpoint-security/apple-releases-urgent-patch-usb-vulnerability
ICS Patch Tuesday: Vulnerabilities Addressed by Schneider Electric, Siemens
Industrial giants Schneider Electric and Siemens have released their February 2025 Patch Tuesday ICS security advisories.
Siemens has published 14 new advisories covering a total of approximately 100 vulnerabilities. This includes roughly 70 third-party component issues addressed in Scalance W devices. Siemens has released patches for some of the impacted products and it’s working on releasing additional fixes.
Based on their CVSS score, the most important vulnerabilities affect the Tableau Server component of Opcenter Intelligence. Two critical flaws could allow remote code/command execution. In addition, high-severity vulnerabilities found in the product can allow malicious admins to change user passwords, and conduct SSRF attacks.
Ten high- and medium-severity vulnerabilities will be patched by Siemens in Ruggedcom APE1808 appliances that use Fortinet firewall technology. Fortinet’s FortiOS patches will soon be available for impacted Siemens devices.
Siemens has also addressed high-severity issues in Siprotec 5 (information disclosure, arbitrary command execution), Apogee PXC and Talon TC (password decryption), Simatic and Sirius (session token reuse), Simatic S7-1200 (DoS), Simatic IPC (privilege escalation), and Teamcenter (open redirect).
Source: Securityweek
Adobe Plugs 45 Software Security Holes, Warns of Code Execution Risks
Adobe on Tuesday rolled out patches for at least 45 documented vulnerabilities across multiple products and warned that these software defects expose users to remote code execution exploitation.
Among the most serious issues are a large batch of critical bugs in Adobe Commerce that could lead to arbitrary code execution, security feature bypass and privilege escalation. The San Jose, Calif. software vendor slapped a “critical” rating on the Adobe Commerce advisory and urged business customers to apply available patches with urgency.
The company also shipped fixes for at least four critical-severity bugs in Adobe InDesign, warning that memory safety issues like out-of-bounds writes and buffer overflows introduce major code execution risks. The Adobe Illustrator, Adobe InCopy and Substance 3D Designer products also received security-themed updates to fix multiple critical remote code execution vulnerabilities.
The Patch Tuesday updates also touched the popular Adobe Photoshop and Photoshop Elements applications with Adobe warning of privilege escalation risks.
Source: Securityweek
Link: https://www.securityweek.com/adobe-plugs-45-software-security-holes-warn-of-code-execution-risks/
SAP Releases 21 Security Patches
Enterprise software maker SAP on Tuesday announced the release of 19 new and two updated security notes as part of its February 2025 Patch Day.
Six of the notes, five new and one update, are marked high priority, resolving high-severity vulnerabilities in NetWeaver, BusinessObjects, Supplier Relationship Management, Approuter, Enterprise Project Connection, and HANA.
The first note released on SAP’s February 2025 Security Patch Day is an update to a note published in February 2024 to address a cross-site scripting (XSS) flaw in NetWeaver AS Java. The update references a second update for the security note, which completely patches the bug and lowers the CVSS score to 6.1.
Of the new high-priority notes, the most severe resolves an improper authorization issue in BusinessObjects. Tracked as CVE-2025-0064 (CVSS score of 8.7), the bug could allow an attacker to impersonate users.
“The vulnerability affects the Central Management Console of SAP BO and allows a highly privileged attacker to impersonate any user in the system through access to the secret passphrase of the trusted systems,” application security firm Onapsis explains.
SAP on Tuesday released patches for a path traversal defect in Supplier Relationship Management that could allow unauthenticated attackers to fetch arbitrary files of the application and access potentially sensitive data. The vulnerability is tracked as CVE-2025-25243 (CVSS score of 8.6).
Source: Securityweek
Link: https://www.securityweek.com/sap-releases-21-security-patches/