Beyond Information Security

3 Actively Exploited Zero-Day Flaws Patched in Microsoft’s Latest Security Update

Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks.

Of the 161 flaws, 11 are rated Critical and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344, CVSS score: 6.7), has not been assigned any severity. According to the Zero Day Initiative, the update marks the largest number of CVEs addressed in a single month since at least 2017.

The fixes are in addition to seven vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of December 2024 Patch Tuesday updates.

Prominent among the patches released by Microsoft is a trio of flaws in Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, CVSS scores: 7.8) that the company said have come under active exploitation in the wild.

“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory for the three vulnerabilities.

Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Securityweek / CISCO Talos intelligence group / SANS internet storm center

Link: https://thehackernews.com/2025/01/3-actively-exploited-zero-day-flaws.html

Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/

Link: https://krebsonsecurity.com/2025/01/microsoft-happy-2025-heres-161-security-updates/

Link: https://www.darkreading.com/application-security/microsoft-january-2025-record-security-update

Link: https://www.securityweek.com/microsoft-patches-trio-of-exploited-windows-hyper-v-zero-days/

Link: https://blog.talosintelligence.com/january-patch-tuesday-release/

Link: https://isc.sans.edu/diary/rss/31590


Fortinet Warns of New Zero-Day Used in Attacks on Firewalls with Exposed Interfaces

Threat hunters are calling attention to a new campaign that has targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public internet.

“The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes,” cybersecurity firm Arctic Wolf said in an analysis published last week.

The malicious activity is believed to have commenced in mid-November 2024, with unknown threat actors gaining unauthorized access to management interfaces on affected firewalls to alter configurations and extract credentials using DCSync.

The exact initial access vector is currently not known, although it has been assessed with “high confidence” that it’s likely driven by the exploitation of a zero-day vulnerability given the “compressed timeline across affected organizations as well as firmware versions affected.”
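The activity chain Arctic Wolf describes (an administrative login on the management interface, creation of a new account, SSL VPN authentication with that account, then configuration changes) is something a defender can correlate from firewall event logs. The following is an added example, not code from the original article or from Fortinet or Arctic Wolf: it runs over a small set of constructed, normalized events (the field names and the trusted management network are assumptions for the example, not a real FortiGate log format) and flags accounts that were created during an admin session and then used for VPN login within a short window.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events, NOT real FortiGate logs: a minimal normalized
# schema of the kind a SIEM might produce after parsing firewall event logs.
CONSTRUCTED_EVENTS = [
    {"ts": "2024-11-16T02:11:05", "event": "admin_login", "src_ip": "198.51.100.23", "user": "admin"},
    {"ts": "2024-11-16T02:12:40", "event": "account_created", "src_ip": "198.51.100.23", "user": "admin", "new_user": "svc_backup"},
    {"ts": "2024-11-16T02:15:02", "event": "sslvpn_login", "src_ip": "198.51.100.23", "user": "svc_backup"},
    {"ts": "2024-11-16T02:17:30", "event": "config_change", "src_ip": "198.51.100.23", "user": "svc_backup"},
    {"ts": "2024-11-18T09:00:00", "event": "admin_login", "src_ip": "10.0.0.5", "user": "admin"},
    {"ts": "2024-11-18T09:03:00", "event": "account_created", "src_ip": "10.0.0.5", "user": "admin", "new_user": "jdoe"},
]

# Assumption for the example: management access is expected only from this
# network. A real deployment would take this from its own access policy.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def from_trusted_net(ip: str) -> bool:
    """True when the source address falls inside an expected management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def find_suspicious_account_chains(events, window=timedelta(hours=24)):
    """Correlate the chain described in the campaign write-up: an admin session
    creates an account, and that new account is then used for an SSL VPN login
    within `window`. Returns one finding per such chain, with the number of
    configuration changes the new account made after its VPN login."""
    ordered = sorted(events, key=lambda e: e["ts"])
    created = {}   # new_user -> (creation timestamp, creation event)
    findings = []
    for ev in ordered:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event"] == "account_created":
            created[ev["new_user"]] = (ts, ev)
        elif ev["event"] == "sslvpn_login" and ev["user"] in created:
            created_ts, cev = created[ev["user"]]
            if ts - created_ts <= window:
                flags = ["vpn_login_by_newly_created_account"]
                if not from_trusted_net(cev["src_ip"]):
                    flags.append("account_created_from_untrusted_source")
                findings.append({
                    "new_user": ev["user"],
                    "created_by": cev["user"],
                    "created_from": cev["src_ip"],
                    "vpn_login_ts": ev["ts"],
                    "flags": flags,
                    "config_changes": 0,
                })
        elif ev["event"] == "config_change":
            # Count configuration changes made by any already-flagged account.
            for f in findings:
                if f["new_user"] == ev["user"] and ev["ts"] >= f["vpn_login_ts"]:
                    f["config_changes"] += 1
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_account_chains(CONSTRUCTED_EVENTS):
        print(finding)
```

In the constructed data only `svc_backup` is flagged: it was created from a source outside the trusted management network and used for a VPN login three minutes later, followed by a configuration change. The `jdoe` account is created from an internal address and never authenticates to the VPN, so it produces no finding. The window and trusted-network values are knobs a team would tune to its own environment.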

Source: The hacker news / Dark reading / Securityweek

Link: https://thehackernews.com/2025/01/zero-day-vulnerability-suspected-in.html

Link: https://www.darkreading.com/threat-intelligence/zero-day-security-bug-fortinet-firewall-attacks

Link: https://www.securityweek.com/fortinet-confirms-new-zero-day-exploitation/


Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint Manager

Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure.

All four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern instances of absolute path traversal that allow a remote unauthenticated attacker to leak sensitive information. The flaws are listed below –

  • CVE-2024-10811
  • CVE-2024-13161
  • CVE-2024-13160, and
  • CVE-2024-13159

The shortcomings affect EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. They have been addressed in EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update.
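Absolute path traversal is a weakness class in which a user-supplied path is joined onto a server-side base directory without checking that the result still lies inside it; because path-joining routines discard the base when the supplied component is absolute, a request for something like `/etc/passwd` reads exactly that file. The following is an added illustration of the class and of the usual fix, not Ivanti's code and not a description of how EPM is implemented: `BASE_DIR`, `naive_resolve` and `safe_resolve` are hypothetical names for the example.

```python
import os
from pathlib import Path

# Hypothetical directory a file-serving endpoint is allowed to read from.
BASE_DIR = Path("/srv/app/public")


def naive_resolve(user_path: str) -> Path:
    """Vulnerable pattern: join the user-controlled path onto the base.
    pathlib's '/' operator (like os.path.join) drops BASE_DIR entirely when
    user_path is absolute, and keeps '..' components, so both absolute paths
    and relative traversal escape the intended directory."""
    return BASE_DIR / user_path


def safe_resolve(user_path: str, base: Path = BASE_DIR) -> Path:
    """Hardened pattern: refuse absolute input, resolve the joined path (which
    collapses '..' and follows symlinks), then require the result to remain
    inside the resolved base directory. Raises ValueError otherwise."""
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    # strict=False so the check also works for files that do not exist yet
    base_real = base.resolve(strict=False)
    candidate = (base_real / user_path).resolve(strict=False)
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_path}") from None
    return candidate


def is_safe(user_path: str) -> bool:
    """Convenience wrapper: True when safe_resolve accepts the path."""
    try:
        safe_resolve(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["reports/q1.txt", "/etc/passwd", "../../etc/passwd", "a/../b.txt"]:
        print(f"{p!r:24} naive -> {naive_resolve(p)}  safe? {is_safe(p)}")
```

The check is done on the resolved path rather than on the raw string, so encoded or dotted variants that normalize to the same location are caught the same way; a string-prefix comparison on the unresolved input is the common mistake that leaves `..` and symlink cases open.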

Source: The hacker news / Securityweek / Ivanti security advisory

Link: https://thehackernews.com/2025/01/researcher-uncovers-critical-flaws-in.html

Link: https://www.securityweek.com/ivanti-patches-critical-vulnerabilities-in-endpoint-manager-2/

Link: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US


SAP fixes critical vulnerabilities in NetWeaver application servers

SAP has fixed two critical vulnerabilities affecting NetWeaver web application server that could be exploited to escalate privileges and access restricted information.

As part of the January Security Patch Day, the vendor also released updates for other products to patch 12 additional issues rated with medium and high severity.

“SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape,” reads the company’s security bulletin.

The four most severe security problems SAP addressed this month are summarized as follows:

  • CVE-2025-0070, critical severity, 9.9 score: Improper authentication in SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to exploit improper authentication checks, resulting in privilege escalation and significantly impacting confidentiality, integrity, and availability.
  • CVE-2025-0066, critical severity, 9.9 score: Information disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) occurs due to weak access controls, enabling an attacker to access restricted information and significantly compromising confidentiality, integrity, and availability.
  • CVE-2025-0063, high severity, 8.8 score: SQL injection vulnerability in SAP NetWeaver AS ABAP and ABAP Platform arises from a lack of authorization checks for certain RFC function modules. This allows an attacker with basic privileges to compromise an Informix database, leading to a complete loss of confidentiality, integrity, and availability.
  • CVE-2025-0061, high severity, 8.7 score: Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform allow an unauthenticated attacker to perform session hijacking over the network due to an information disclosure issue. This enables the attacker to access and modify all application data.

Source: Bleeping computer

Link: https://www.bleepingcomputer.com/news/security/sap-fixes-critical-vulnerabilities-in-netweaver-application-servers/


DORA’s Deadline Looms: Navigating the EU’s Mandate for Threat Led Penetration Testing

With January 17, 2025 as the effective date for compliance with the Digital Operational Resilience Act (DORA), financial institutions in the EU will be expected to put in place rigorous measures to test and demonstrate compliance with new rules for cybersecurity risk-management, incident reporting, operational resilience testing and third-party risk monitoring. In the DORA regulation, this is referred to as Threat Led Penetration Testing (TLPT). TLPT involves simulating real-world cyberattacks to assess an organization’s defenses against sophisticated threats. The goal is to assess a financial services environment and make sure that all potential doors through which an attacker may enter are closed, and that when a door closes, another is not left, or becomes, open.

At the highest level, this sets standards for resilience and security that are both comprehensive and continuous. From an operational standpoint, accomplishing this comprises activities that scope specific and urgent organizational risks, undertake purpose-driven testing and collaborative defensive validation, and practice emerging threat vigilance. This column will outline the tasks required for organizations subject to DORA to confidently and demonstrably understand, address and anticipate threats specific to each and every business.

Source: Securityweek

Link: https://www.securityweek.com/doras-deadline-looms-navigating-the-eus-mandate-for-threat-led-penetration-testing/