Beyond Information Security

Microsoft Patches 125 Flaws Including Actively Exploited Windows CLFS Vulnerability

Microsoft has released security fixes to address a massive set of 125 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.

Of the 125 vulnerabilities, 11 are rated Critical, 112 are rated Important, and two are rated Low in severity. Forty-nine of these vulnerabilities are classified as privilege escalation, 34 as remote code execution, 16 as information disclosure, and 14 as denial-of-service (DoS) bugs.

The updates are aside from the 22 flaws the company patched in its Chromium-based Edge browser since the release of last month’s Patch Tuesday update.

The vulnerability that has been flagged as under active attack is an elevation of privilege (EoP) flaw impacting the Windows Common Log File System (CLFS) Driver (CVE-2025-29824, CVSS score: 7.8) that stems from a use-after-free scenario, allowing an authorized attacker to elevate privileges locally.

CVE-2025-29824 is the sixth EoP vulnerability to be discovered in the same component that has been exploited in the wild since 2022, the others being CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252, and CVE-2024-49138 (CVSS scores: 7.8).

“From an attacker’s perspective, post-compromise activity requires obtaining requisite privileges to conduct follow-on activity on a compromised system, such as lateral movement,” Satnam Narang, senior staff research engineer at Tenable, said.

Source: The hacker news / Bleeping computer / Dark reading / Securityweek / CISCO Talos intelligence group / SANS internet storm center

Link: Microsoft Patches 125 Flaws Including Actively Exploited Windows CLFS Vulnerability

Link: Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws

Link: Microsoft Drops Another Massive Patch Update

Link: Microsoft Patches 125 Windows Vulns, Including Exploited CLFS Zero-Day – Securityweek

Link: Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities

Link: Microsoft April 2025 Patch Tuesday – SANS Internet Storm Center

Adobe Patches 11 Critical ColdFusion Flaws Amid 30 Total Vulnerabilities Discovered

Adobe has released security updates to fix a fresh set of security flaws, including multiple critical-severity bugs in ColdFusion versions 2025, 2023 and 2021 that could result in arbitrary file read and code execution.

Of the 30 flaws in the product, 11 are rated Critical in severity –

  • CVE-2025-24446 (CVSS score: 9.1) – An improper input validation vulnerability that could result in an arbitrary file system read
  • CVE-2025-24447 (CVSS score: 9.1) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
  • CVE-2025-30281 (CVSS score: 9.1) – An improper access control vulnerability that could result in an arbitrary file system read
  • CVE-2025-30282 (CVSS score: 9.1) – An improper authentication vulnerability that could result in arbitrary code execution
  • CVE-2025-30284 (CVSS score: 8.0) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
  • CVE-2025-30285 (CVSS score: 8.0) – A deserialization of untrusted data vulnerability that could result in arbitrary code execution
  • CVE-2025-30286 (CVSS score: 8.0) – An operating system command injection vulnerability that could result in arbitrary code execution
  • CVE-2025-30287 (CVSS score: 8.1) – An improper authentication vulnerability that could result in arbitrary code execution
  • CVE-2025-30288 (CVSS score: 7.8) – An improper access control vulnerability that could result in a security feature bypass
  • CVE-2025-30289 (CVSS score: 7.5) – An operating system command injection vulnerability that could result in arbitrary code execution
  • CVE-2025-30290 (CVSS score: 8.7) – A path traversal vulnerability that could result in a security feature bypass

“These updates resolve critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution and security feature bypass,” Adobe said in an advisory.

Source: The hacker news / Securityweek

Link: Adobe Patches 11 Critical ColdFusion Flaws Amid 30 Total Vulnerabilities Discovered

Link: Adobe Calls Urgent Attention to Critical ColdFusion Flaws – SecurityWeek

Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw

Fortinet has released security updates to address a critical security flaw impacting FortiSwitch that could permit an attacker to make unauthorized password changes.

The vulnerability, tracked as CVE-2024-48887, carries a CVSS score of 9.3 out of a maximum of 10.0.

“An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” Fortinet said in an advisory released today.

The shortcoming impacts the following versions –

  • FortiSwitch 7.6.0 (Upgrade to 7.6.1 or above)
  • FortiSwitch 7.4.0 through 7.4.4 (Upgrade to 7.4.5 or above)
  • FortiSwitch 7.2.0 through 7.2.8 (Upgrade to 7.2.9 or above)
  • FortiSwitch 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above), and
  • FortiSwitch 6.4.0 through 6.4.14 (Upgrade to 6.4.15 or above)

The network security company said the security hole was internally discovered and reported by Daniel Rozeboom of the FortiSwitch web UI development team.

As workarounds, Fortinet recommends disabling HTTP/HTTPS access from administrative interfaces and restricting access to the system to only trusted hosts.

Source: The hacker news / Bleeping computer / Securityweek / Helpnet security / Fortinet PSIRT blog

Link: Fortinet Urges FortiSwitch Upgrades to Patch Critical Admin Password Change Flaw

Link: Critical FortiSwitch flaw lets hackers change admin passwords remotely

Link: Fortinet Patches Critical FortiSwitch Vulnerability – SecurityWeek

Link: FortiSwitch vulnerability may give attackers control over vulnerable devices (CVE-2024-48887) – Help Net Security

Link: PSIRT | FortiGuard Labs

SAP Patches Critical Code Injection Vulnerabilities

SAP on Tuesday announced the release of 18 new and two updated security notes as part of its April 2025 Security Patch Day, including three notes addressing critical-severity vulnerabilities.

The first two critical flaws, tracked as CVE-2025-27429 and CVE-2025-31330 (CVSS score of 9.9) are code injection bugs in S/4HANA (Private Cloud) and Landscape Transformation (Analysis Platform).

According to enterprise software security firm Onapsis, however, the CVEs refer to the same security defect and SAP’s patches for them disable the same remote-enabled function module in both products.

“If unpatched, the function module accepts any text as input parameter and generates an ABAP report based on this input using the INSERT REPORT statement. For a successful exploit, it only requires S_RFC authorization on the respective function module or on the corresponding function group,” Onapsis explains.

Tracked as CVE-2025-30016 (CVSS score of 9.8), the third critical-severity vulnerability is an authentication bypass issue in Financial Consolidation that could allow an unauthenticated attacker to impersonate an administrator user.

Source: Securityweek

Link: SAP Patches Critical Code Injection Vulnerabilities – SecurityWeek

Privacy Policy Settings

We use cookies, which are necessary for the basic functions of the website. A cookie is a text file that is used to save settings on your computer. Cookies do not cause any damage to your computer.

Privacy Policy | Imprint