Patch Tuesday January 2025

Patch Tuesday January 2025 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

This first Patch Tuesday of the year brings 159 vulnerabilities fixed by Microsoft, a significant increase compared to the previous month. However, the number of critical vulnerabilities is lower, with only 10 addressed. Among these, three are zero-day vulnerabilities, and three others have associated proof-of-concept exploits. Below are the details of the most notable critical updates.

Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities

Multiple zero-day elevation of privilege vulnerabilities have been identified in the Windows Hyper-V NT Kernel Integration Virtual Service Provider (VSP). These vulnerabilities are tracked under the following CVEs:

• CVE-2025-21335: CWE-416: Use After Free
• CVE-2025-21334: CWE-416: Use After Free
• CVE-2025-21333: CWE-122: Heap-based Buffer Overflow

Severity and Impact

All three vulnerabilities are rated as Important, with a CVSS v3.1 Base Score of 7.8 and a Temporal Score of 6.8. Successful exploitation could grant attackers SYSTEM privileges, compromising the host system and any virtual machines running on it.

CVE-2025-21335 and CVE-2025-21334:
These vulnerabilities result from improper memory pointer handling within the VSP. The system may prematurely free memory still in use, leading to attempts to access invalid references. This can allow attackers to execute arbitrary code with elevated privileges.

CVE-2025-21333:
This vulnerability is caused by insufficient validation of input data sizes when processing specific requests in the VSP. Attackers can send specially crafted data exceeding the allocated buffer size, resulting in a heap-based buffer overflow. This could overwrite critical memory structures, enabling elevated code execution.
Affected Systems

• Windows Operating Systems:
  • Server Editions: Windows Server versions with the Hyper-V role enabled.
  • Client Editions: Windows 10, Windows 11, and other versions where Hyper-V is activated.
• Hyper-V Virtualization Environments: Systems hosting virtual machines relying on Hyper-V services.

Organizations relying on Hyper-V, including data centers, cloud providers, enterprise IT environments, and development platforms, are at risk.

Threat Landscape

An attacker with low privileges can execute code with SYSTEM privileges, gaining control over the host system. Potential impacts include:

• Accessing and manipulating virtual machines on the host.
• Stealing sensitive data or credentials.
• Moving laterally within the network to target other systems.
• Disrupting critical services by modifying configurations or deploying malicious code.

Exploitation Details

• Attack Vector: Local (requires physical or remote local user access).
• Attack Complexity: Low (exploitation is straightforward and reliable).
• Privileges Required: Low (no administrative access needed).
• User Interaction: None (no user action required for exploitation).
• Publicly Disclosed: No
• Exploited in the Wild: Yes
• Proof of Concept: Likely available privately within threat actor communities.

Combined Attack Scenarios

Attackers can combine these vulnerabilities with others to increase impact, such as:

• Installing persistent malware (e.g., rootkits) for long-term access.
• Combining with remote code execution vulnerabilities for remote exploitation.
• Extracting credentials for further attacks.
• Disabling security mechanisms to evade detection.
• Targeting development environments to inject malicious code into software.
• Using compromised hosts to launch attacks against database servers, domain controllers, or other systems.

Mitigation and Recommendations

Given active exploitation in the wild, organizations must:

• Prioritize Patching: Apply updates as soon as they become available.
• Monitor for Unusual Activity: Pay close attention to Hyper-V hosts for signs of compromise.
• Strengthen Security Posture: Restrict local access, enforce strong authentication, and segment critical systems.

The Windows Hyper-V NT Kernel Integration VSP vulnerabilities (CVE-2025-21335, CVE-2025-21334, and CVE-2025-21333) pose significant security risks due to their potential to grant SYSTEM-level privileges. With active exploitation reported, organizations must urgently address these vulnerabilities to protect their infrastructure and prevent targeted attacks. Hypervisors and virtualization components remain critical targets.

Microsoft Access Remote Code Execution Vulnerability (CVE-2025-21186)

CVE-2025-21186 is an important-rated vulnerability affecting Microsoft Access, the database management system included in the Microsoft Office suite. This vulnerability, caused by a heap-based buffer overflow (CWE-122), allows an attacker to execute arbitrary code on the affected system with the privileges of the current user.

Although it is categorized as a remote code execution (RCE) vulnerability, exploitation requires local execution and user interaction, meaning the attacker must convince the user to open a specially crafted file. While the vulnerability has been publicly disclosed, there are no reports of active exploitation in the wild at the time of writing.

Technical Details

The vulnerability arises from improper input validation when Microsoft Access handles certain file types or database entries. Specifically:

• When parsing crafted database files or importing data, Microsoft Access fails to validate the size of the input data before copying it into a fixed-size buffer on the heap.
• This allows an attacker to overflow the buffer, overwrite adjacent memory areas, and manipulate the process memory to inject and execute arbitrary code.

The overflow occurs on the heap, which is used for dynamic memory allocation, providing attackers with flexibility in crafting the exploit.

Affected Systems

• Microsoft Access Versions:
  • Microsoft Access 2013
  • Microsoft Access 2016
  • Microsoft Access 2019
  • Microsoft Access included in Microsoft 365 Apps
• Organizations relying on Microsoft Access as part of their business processes may be particularly at risk.

Impact

An attacker could exploit this vulnerability to:

• Execute arbitrary code with the current user’s privileges.
• Access sensitive data stored in databases or on the system.
• If the user has administrative privileges, gain full control of the system.
• Install malware, ransomware, or backdoors for persistent access.
• Alter or delete critical data, leading to operational disruptions.

Exploitation Details

• Attack Vector: Local (requires local execution of malicious code).
• Attack Complexity: Low (exploitation is straightforward and requires minimal technical skills).
• Privileges Required: None (the attacker does not need prior access to the system).
• User Interaction: Required (the user must open a malicious database file).
• CVSS Version: 3.1
  • Base Score: 7.8 (High)
  • Temporal Score: 6.8
• Publicly Disclosed: Yes
• Exploited in the Wild: No

Exploitation Scenarios

• Phishing and Social Engineering:
  Attackers can craft convincing emails or messages to trick users into opening a malicious Microsoft Access database file (e.g., .accdb, .accde, .accdt). Once opened, the vulnerability is triggered, and arbitrary code is executed.
• Combination with Network Vulnerabilities:
  If combined with other vulnerabilities, attackers could use the code execution to spread malware across an organization’s network or steal sensitive data from connected systems.
• Targeting Organizations:
  Organizations distributing Access databases to clients or partners could inadvertently spread malicious files, impacting downstream systems.

Mitigation and Challenges

While requiring user interaction reduces the likelihood of exploitation compared to fully remote vulnerabilities, the widespread use of phishing makes such attacks highly viable.

Modern memory protection mechanisms like ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) can make heap overflows harder to exploit. However, skilled attackers may bypass these protections using techniques such as heap spraying or manipulating the heap state.

CVE-2025-21186 highlights the challenges of securing applications that handle complex data formats. While the vulnerability requires local execution, its potential to allow RCE highlights the importance of user awareness and system security. The public disclosure of the vulnerability increases the risk of exploitation, providing a critical window for organizations to:

• Assess their exposure.
• Apply security patches.
• Strengthen defenses against phishing and social engineering tactics.

Organizations relying on Microsoft Access should prioritize mitigating this vulnerability to protect their systems and data.

Windows App Package Installer Elevation of Privilege Vulnerability (CVE-2025-21275)

CVE-2025-21275 is an important-rated vulnerability in the Windows App Package Installer that allows attackers to gain elevated privileges on affected systems. The vulnerability is caused by improper authorization (CWE-285) within the App Package Installer component, enabling an attacker to execute code with SYSTEM privileges and potentially compromise the entire system.

While this vulnerability has been publicly disclosed, no active exploitation has been reported as of this writing. It carries a CVSS v3.1 Base Score of 7.8 and a Temporal Score of 6.8, reflecting its severity and current exploitability status.

Vulnerability Details

The Windows App Package Installer fails to properly enforce authorization checks during specific operations. This oversight allows low-privileged users to execute processes or modify system files that typically require higher-privileged accounts.

The installer inadvertently grants elevated privileges during certain operations, enabling attackers to bypass security controls and gain SYSTEM-level access.

Affected Systems

• Windows Operating Systems:
  • Windows 10
  • Windows 11
  • Windows Server versions with the App Package Installer component enabled.

Any system supporting the installation of app packages (e.g., MSIX, APPX) is vulnerable, including both client and server versions.

Exploitation Details

• Attack Vector: Local (requires local access, either physical or via remote mechanisms that provide local user capabilities).
• Attack Complexity: Low (straightforward exploitation requiring minimal technical skills).
• Privileges Required: Low (a low-privileged user account is sufficient).
• User Interaction: None (no user action required).
• Publicly Disclosed: Yes
• Exploited in the Wild: No
• Proof of Concept: Likely possible due to public disclosure, but not widely available.

Potential Exploitation Scenarios

An attacker could exploit this vulnerability by:

1. Creating Malicious App Packages: Crafting an app package that triggers the authorization flaw when installed.
2. Abusing Installer Functions: Manipulating the installer to perform privileged actions without proper checks.
3. Gaining SYSTEM Privileges: Using the exploit to achieve full control over the system.

When combined with other vulnerabilities or techniques, attackers could:

• Escalate Privileges: Use social engineering or phishing to gain initial low-level access, then exploit this vulnerability to escalate privileges.
• Disable Security Controls: Modify antivirus or firewall settings to evade detection.
• Deploy Persistent Malware: Install malware that survives reboots and evades detection mechanisms.
• Lateral Movement: Use the compromised system to move within a network, targeting other systems or sensitive data.

In addition, attackers could:

• Conduct Supply Chain Attacks: Compromise legitimate app packages for widespread distribution.
• Target High-Value Environments: Exploit the vulnerability in organizations such as government agencies or financial institutions.

Mitigation and Recommendations

To reduce the risk associated with CVE-2025-21275:

• Apply Security Updates: Install patches or updates.
• Restrict Access: Limit access to systems running the App Package Installer component.
• Monitor for Malicious Activity: Watch for unusual app package installations or privilege escalations.
• Educate Users: Raise awareness about social engineering and phishing risks.

CVE-2025-21275 poses a significant risk by allowing low-privileged users to gain SYSTEM-level access through improper authorization. While there are no reports of active exploitation, the vulnerability’s public disclosure increases the likelihood of future attacks. Organizations should prioritize patching and implementing security measures to protect affected systems.

Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298)

CVE-2025-21298 is a critical remote code execution (RCE) vulnerability in the Windows Object Linking and Embedding (OLE) component. This vulnerability stems from a use-after-free flaw (CWE-416) in OLE, allowing attackers to execute arbitrary code on affected systems without user interaction. With a CVSS v3.1 Base Score of 9.8, it poses a significant threat to organizations, potentially leading to full system compromise.

Vulnerability Details

The issue arises from improper memory management in the OLE component. Specifically:

• Objects in memory are not correctly managed, resulting in a use-after-free condition when the system continues to reference freed memory.
• Attackers can exploit this flaw to execute arbitrary code in the context of the application or service utilizing OLE.

The vulnerability can be triggered via specially crafted Rich Text Format (RTF) files or emails. For instance, malicious OLE objects embedded in RTF files exploit the vulnerability when processed by applications like Microsoft Outlook, leading to memory corruption and code execution.

Affected Systems

• Windows Operating Systems:
  • Windows 10, Windows 11
  • Windows Server versions (2008, 2012, 2016, 2019, 2022)
• Applications Utilizing OLE:
  • Microsoft Outlook: Particularly at risk when rendering RTF emails.
  • Microsoft Office Suite: Applications that process OLE objects.

Impact

An attacker could:

• Execute arbitrary code to take full control of the system.
• Install programs, modify or delete data, or create accounts with full user privileges.
• Access sensitive information stored on or accessible through the system.
• Move laterally within the network to target additional systems.
• Disrupt critical services or applications.

Exploitation Details

• Attack Vector: Network (can be exploited remotely without physical access).
• Attack Complexity: Low (requires minimal technical skills and readily available information).
• Privileges Required: None (no prior authentication or privileges are necessary).
• User Interaction: None (e.g., Outlook automatically renders email previews).
• CVSS Version: 3.1
• Base Score: 9.8 (Critical)
• Temporal Score: 8.5
• Publicly Disclosed: No
• Exploited in the Wild: No
• Exploitability Assessment: Exploitation More Likely
• Proof of Concept Available: Not publicly, though exploit development is feasible.

Exploitation Scenarios

• Email Attack:
  • The attacker sends an email containing malicious RTF content with embedded OLE objects.
  • The email client (e.g., Outlook) processes the content, potentially exploiting the vulnerability without user interaction.
• System Compromise:
  • The attacker gains control over the system by executing code at the logged-in user’s privilege level.

Scale of Impact

The vulnerability could affect millions of users globally, particularly in environments such as:

• Enterprises: Businesses relying on Windows and Outlook for communication.
• Government Agencies: High-value targets for espionage.
• Financial Institutions: Where confidential data is critical.
• Healthcare Providers: Handling sensitive patient information.
• Education Sector: Universities and schools using Windows-based systems.

CVE-2025-21298 represents a critical threat due to its ability to be exploited remotely over a network with low complexity and no user interaction. Organizations and individuals using Windows systems and applications that process OLE objects, particularly email clients like Microsoft Outlook, should take immediate steps to mitigate the risk. This vulnerability showcases the importance of maintaining strong defenses against network-based attacks targeting widely used software components.

Google Chrome

Google has released Chrome 131, addressing several serious memory vulnerabilities, including three affecting the JavaScript V8 engine.

The first vulnerability, CVE-2024-12692, is a type confusion bug in the V8 engine. Google awarded $55,000 to the researcher who reported it, indicating the severity of the flaw, which could potentially lead to remote code execution (RCE).

The second issue, CVE-2024-12693, is an out-of-bounds memory access bug in the V8 engine. This memory corruption flaw earned a $20,000 bounty for its discovery.

Two additional vulnerabilities were also addressed:

• • CVE-2024-12694: A high-severity post-release exploitation issue in compositing.
  • CVE-2024-12695: An out-of-bounds write vulnerability in the V8 engine. No bounty has been assigned yet.

The updated Chrome version is now available as 131.0.6778.204/.205 for Windows and macOS, and 131.0.6778.204 for Linux. Google confirmed no evidence of these vulnerabilities being exploited in real-world attacks.

To mitigate memory corruption flaws, Google has implemented measures to enhance Chrome’s security and has made significant progress by adopting Rust in its codebase. This transition has already resulted in fewer memory security bugs in Android over the past five years, with similar improvements expected in Chrome as the migration continues.

Mozilla Firefox

Firefox 134 addresses 20 security vulnerabilities, 11 of which are rated as high severity. Of these, 10 stem from memory issues such as buffer overflows, which could enable malicious code execution when opening specially crafted pages. Below are five notable vulnerabilities:

1. 1. CVE-2025-0244: Address Bar Spoofing via Invalid Protocol Scheme (Firefox for Android)
      This vulnerability involves address bar spoofing specific to Firefox for Android. When a website redirects to a URL with an invalid protocol scheme, the browser mishandles the redirection and allows attackers to manipulate the address bar. This flaw can mislead users into believing they are visiting legitimate websites while on malicious pages, enabling phishing, credential theft, or fraudulent transactions.
   2. CVE-2025-0242: Memory Safety Bugs Leading to Potential Arbitrary Code Execution
      Memory safety bugs, including buffer overflows and memory corruption, arise from improper memory operation handling. Attackers can exploit these flaws to execute arbitrary code within the browser, potentially installing malware, hijacking sessions, or accessing sensitive data. The impact is significant as the browser operates with the user’s permissions, potentially compromising other applications or systems.
   3. CVE-2025-0247: Memory Safety Bugs in Firefox and Thunderbird
      Similar to CVE-2025-0242, these memory safety issues are found in Firefox and Thunderbird versions 133 and earlier. Root causes include boundary check failures, race conditions, and use-after-free errors. Exploitation can result in application crashes, data corruption, or arbitrary code execution. For Thunderbird, the risk is heightened as simply opening or previewing a malicious email could trigger the exploit.
   4. CVE-2025-0238: Use-After-Free Vulnerability in Text Processing
      A use-after-free (UAF) vulnerability occurs during text layout processing when breaking lines in specific text content. The browser continues to reference freed memory, potentially leading to arbitrary code execution. Attackers can exploit this flaw to manipulate the freed memory, compromising the browser’s integrity and the user’s security.
   5. CVE-2025-0237: WebChannel API Susceptible to Confused Deputy Attack
      This vulnerability stems from the WebChannel API’s failure to verify the sender’s identity or permissions. The flaw allows less-privileged entities to perform actions on behalf of higher-privileged entities, leading to privilege escalation. Attackers could exploit this to access sensitive APIs, modify browser settings, or execute unauthorized actions.

Strategies Attackers Could Use to Combine These Vulnerabilities

1. 1. Impersonate legitimate websites to steal credentials and exploit memory safety bugs (CVE-2025-0242, CVE-2025-0247) to deploy malware.
   2. Escalate privileges by exploiting the WebChannel API flaw after gaining initial access through phishing or other vulnerabilities.
   3. Manipulate memory allocation via controlled web content to reliably exploit use-after-free vulnerabilities and gain full control over the browser process.

Firefox 134 underscores the importance of timely updates to mitigate such risks and strengthen overall browser security.

WordPress

Hackers are exploiting vulnerabilities in the Hunk Companion and WP Query Console plugins to gain persistent backdoor access to WordPress websites, according to WPScan.

The first vulnerability, CVE-2024-9707 (CVSS 9.8), affects Hunk Companion, a plugin supporting WordPress ThemeHunk functionality. This flaw allows unauthenticated attackers to install and enable arbitrary plugins, potentially leading to remote code execution (RCE) if another vulnerable plugin is installed.

• A patch for CVE-2024-9707 was included in Hunk Companion version 1.8.5, released in October, but it proved ineffective, leaving version 1.8.7 still vulnerable.
• A new patch was released with Hunk Companion version 1.9.0 on December 10, but WordPress reports that about 90% of the plugin’s 10,000 installations remain unpatched.

Attackers are leveraging these vulnerabilities to install and activate WP Query Console, a query-checking plugin that has not been updated in seven years.

The second vulnerability, CVE-2024-50498 (CVSS 9.8), is a code injection flaw affecting all versions of WP Query Console. Although the plugin was closed on October 21, one week before the vulnerability was publicly disclosed, this bug allows attackers to execute commands on a target website, leading to backdoor access and potential full control. Despite being disabled, WP Query Console has been downloaded hundreds of times since late November, suggesting its active use in a mass exploitation campaign.

Recommendations

• Hunk Companion users should update to version 1.9.0 immediately.
• Check websites for signs of intrusion, including the installation of WP Query Console or other suspicious plugins.

Ivanti

Ivanti customers faced an unwelcome surprise during the holiday season with the discovery of two actively exploited zero-day vulnerabilities, CVE-2025-0282 and CVE-2025-0283, in its Connect Secure (ICS) VPN appliances.

The first vulnerability, CVE-2025-0282, is a critical stack buffer overflow that allows unauthenticated remote attackers to execute arbitrary code. Ivanti confirmed that the flaw had already been successfully exploited against a limited number of customers but did not disclose specifics about the attacks.

Mandiant Investigation and Chinese Threat Actor Links
Mandiant, hired by Ivanti to investigate the attacks, revealed that exploitation began as early as mid-December 2024 and was linked to Chinese attackers. While researchers have not attributed the exploitation of CVE-2025-0282 to a specific threat actor, the attackers were observed using the Spawn malware family, which includes components such as the SpawnAnt installer, the SpawnMole tunneler, and the SpawnSnail SSH backdoor. Spawn has previously been associated with the Chinese threat actor UNC5337, believed to be part of UNC5221, a group known for exploiting other Ivanti vulnerabilities like CVE-2023-46805 and CVE-2024-21887.

Mandiant also identified previously unknown malware families, DryHook and PhaseJam, used in the attacks. These malware variants are not linked to any known threat group, suggesting multiple actors may be involved in targeting CVE-2025-0282.

Attack Techniques and Malware Behavior
The observed attacks involved a series of coordinated steps:

1. Reconnaissance: Queries were sent to determine the software version, as the exploit is version-dependent.
2. Exploitation: Attackers exploited CVE-2025-0282, disabled SELinux, altered configurations, executed scripts, and deployed web shells.
3. Malware Deployment:
   • • PhaseJam: A dropper designed to modify ICS components, deploy web shells, and overwrite executables for command execution and data exfiltration. It also blocks system updates while displaying a fake update progress bar.
     • DryHook: Used post-exploitation to steal credentials.
     • SpawnAnt: Ensures persistence by copying itself to a special update section.

Broader Implications and Delayed Patches
Mandiant warns that the release of a proof-of-concept (PoC) for CVE-2025-0282 will likely attract additional attackers. While Ivanti has released patches for Connect Secure, Policy Secure and Neurons for ZTA remain vulnerable, with updates delayed until January 21.

Recommendations
Organizations using Ivanti Connect Secure should immediately apply the latest patches and monitor systems for signs of intrusion, such as the presence of PhaseJam, DryHook, or Spawn malware. Maintaining robust defenses and monitoring for version-dependent exploits are critical in mitigating these ongoing threats.

Palo Alto

Palo Alto Networks has identified a significant vulnerability in its PAN-OS software, potentially leading to a denial-of-service (DoS) condition on affected devices. The flaw, CVE-2024-3393, carries a CVSS score of 8.7 and impacts PAN-OS 10.X and 11.X, as well as Prisma Access versions of PAN-OS. The issue has been addressed in PAN-OS 10.1.14-h8, 10.2.10-h12, 11.1.5, 11.2.3, and subsequent versions.

The issue lies in the DNS security feature of PAN-OS, where an unauthenticated attacker can send a malicious packet through the firewall’s data plane, causing it to reboot. Repeated exploitation can force the firewall into maintenance mode. Palo Alto Networks discovered this vulnerability in a production environment and has acknowledged reports of customers experiencing DoS attacks triggered by malicious DNS packets. However, details about the scope of these attacks have not been disclosed.

Firewalls with DNS security logging enabled are particularly vulnerable to this exploit. For Prisma Access deployments, the vulnerability’s severity is downgraded to a CVSS score of 7.1 if access is limited to authenticated users.

Mitigation and Workarounds
To mitigate risks for unmanaged or Panorama-managed firewalls, customers are advised to:

• Disable DNS Security Logging: Set the logging level to “none” for all configured DNS security categories in each spyware protection profile.

For Strata Cloud Manager (SCM)-managed firewalls:

• Disable DNS security logging on each device individually or across all devices via a support request.

For SCM-managed Prisma Access tenants:

• Submit a support request to disable logging until an upgrade is applied.

Recommendations
Palo Alto Networks strongly encourages users to upgrade their PAN-OS software to the latest patched version as soon as possible to secure their systems and prevent potential exploitation. Regular monitoring and proactive implementation of recommended mitigations are essential for maintaining firewall integrity.

Apache MINA and HugeGraph

The Apache Software Foundation has released critical security updates for MINA and HugeGraph Server, addressing vulnerabilities identified between December 23 and December 25.

MINA Vulnerability: CVE-2024-52046

• Affected Versions: MINA 2.0 through 2.0.26, 2.1 through 2.1.9, and 2.2 through 2.2.3.
• Severity: Critical, with a CVSS score of 10.0.
• Issue: This vulnerability stems from insecure Java deserialization in the ObjectSerializationDecoder. An attacker could exploit it to achieve remote code execution by leveraging the IoBuffer#getObject() method in conjunction with specific classes.

Apache has mitigated the issue in versions 2.0.27, 2.1.10, and 2.2.4, where stricter default security settings have been applied. However, upgrading alone is insufficient. Users must explicitly configure the software to deny all classes unless explicitly allowed, following one of the three provided methods.

HugeGraph Server Vulnerability: CVE-2024-43441

• Affected Versions: HugeGraph Server 1.0 through 1.3.
• Severity: Critical.
• Issue: An authentication bypass caused by improper validation of authentication logic.

The vulnerability has been resolved in version 1.5.0, and upgrading to this version is strongly recommended for all HugeGraph users.

Recommendations
Users of Apache MINA and HugeGraph Server should immediately update to the fixed versions and follow additional configuration guidelines where applicable to fully mitigate risks. Regularly monitoring for updates and ensuring proper security configurations are critical for safeguarding against these vulnerabilities.

Adobe

Adobe has issued an unscheduled security update to address CVE-2024-53961, a critical vulnerability in ColdFusion with a CVSS score of 7.4. The flaw affects Adobe ColdFusion 2023 and 2021 versions and is caused by improper delimitation of a closed directory path, potentially allowing arbitrary file system reads. Adobe has confirmed the existence of a proof-of-concept (PoC) for this vulnerability.

While Adobe has not indicated whether this vulnerability has been exploited in the wild, it strongly recommends:

• Applying the emergency security patches immediately.
• Reviewing updated documentation on blocking Wddx deserialization attacks.
• Implementing the security configuration settings detailed in the ColdFusion 2023 and 2021 manuals.

Given the history of attacks targeting Adobe ColdFusion vulnerabilities (CVE-2023-29298, CVE-2023-38205, and CVE-2023-26360), these measures are critical to mitigating potential risks. Administrators are urged to act promptly to protect their systems.

Apache Tomcat

The Apache Software Foundation (ASF) has issued a security update to address CVE-2024-56337, a critical vulnerability in Tomcat that could lead to remote code execution (RCE) under specific conditions. This vulnerability stems from the incomplete mitigation of another critical flaw, CVE-2024-50379 (CVSS 9.8), which was previously patched on December 17, 2024.
Both vulnerabilities are caused by a time-of-check-to-time-of-use (TOCTOU) race condition. When the default servlet is enabled for writing on a case-insensitive file system, simultaneous file reading and loading during an upload can bypass Tomcat’s case-sensitive checks. This bypass can cause the uploaded file to be treated as a JSP, allowing attackers to execute arbitrary code.
Additional configuration changes may be required to fully address CVE-2024-50379, depending on the Java version used with Tomcat.

Affected Tomcat Versions
The following versions are vulnerable:

• 11.0.0-M1 to 11.0.1 (fixed in 11.0.2 or later)
• 10.1.0-M1 to 10.1.33 (fixed in 10.1.34 or later)
• 9.0.0-M1 to 9.0.97 (fixed in 9.0.98 or later)
• Configuration Recommendations Based on Java Version
• Java 8 or Java 11: Set the sun.io.useCanonCaches system property to false (default is true).
• Java 17: Ensure the sun.io.useCanonCaches system property remains set to false (default is false).
• Java 21 and later: No action required, as the system property is removed.

Action Required
Users should:

• Upgrade to the fixed Tomcat versions as listed above.
• Apply the recommended configuration changes based on their Java version.

Sophos

Sophos has released patches addressing three vulnerabilities in its Sophos Firewall product. These flaws could enable unauthenticated remote attackers to perform SQL injection, execute arbitrary code, or gain privileged SSH access. The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and earlier. Patches are being applied by default, with permanent fixes available in new firmware updates.
Vulnerabilities Addressed:

1. CVE-2024-12727:
   Type: Pre-authentication SQL injection vulnerability in the email security feature.
   Conditions: Exploitable when Secure PDF eXchange (SPX) is enabled alongside High Availability (HA) mode.
   Impact: Could allow attackers to access the reporting database and potentially achieve remote code execution (RCE).
2. CVE-2024-12728:
   Type: Weak SSH login passphrase for HA cluster initialization.
   Impact: A predictable passphrase remains active after initialization, leaving SSH-enabled systems vulnerable to unauthorized access.
3. CVE-2024-12729:
   Type: Code injection vulnerability in the User Portal.
   Impact: Authenticated users with valid credentials could execute arbitrary code remotely.

Mitigation and Workarounds
CVE-2024-12728:

• Restrict SSH access to a dedicated HA channel physically separated from other network traffic.
• Reconfigure the HA setup using a sufficiently long and random passphrase.
• Disable SSH over the WAN interface for remote management and use Sophos Central or VPN instead.

CVE-2024-12729:

• Ensure the User Portal and web administration interfaces are properly secured.

Patch Availability
The fixes are included in the latest versions of Sophos Firewall and are applied by default. Detailed instructions for applying and testing patches can be found in KBA-000010084.
Sophos strongly recommends applying these updates or following the provided workarounds to mitigate potential risks. Prompt action is essential to maintain system security.

Fortinet

Fortinet has disclosed a critical vulnerability in FortiWLM that could expose sensitive information. Tracked as CVE-2023-34990, this path traversal vulnerability carries a CVSS score of 9.6 and enables remote, unauthenticated attackers to read sensitive files. According to the NIST Vulnerability Description (NVD), the flaw could also allow unauthorized code execution by sending specially crafted requests to the /ems/cgi-bin/ezrf_lighttpd.cgi endpoint.

Affected Versions:

• FortiWLM 8.6.0–8.6.5 (patched in 8.6.6 and later).
• FortiWLM 8.5.0–8.5.4 (patched in 8.5.5 and later).

The vulnerability was disclosed by Horizon3.ai security researcher Zach Hanley as part of a broader set of flaws identified in March 2023.

This issue arises from inadequate input validation in request parameters, allowing attackers to browse directories and read log files on the system. Exploitation can lead to the exposure of session IDs and credentials, enabling attackers to access authenticated endpoints. Notably:

• Session Hijacking: Web session IDs do not change between user sessions, making it possible to intercept and reuse them to gain administrative privileges.
• Chained Exploits: CVE-2023-34990 can be combined with CVE-2023-48782 (CVSS score 8.8), an authenticated command injection vulnerability patched in FortiWLM 8.6.6, to achieve remote code execution (RCE) in root context.

Fortinet also addressed CVE-2024-48889 (CVSS score 7.2): A command injection vulnerability in FortiManager that allows authenticated remote attackers to execute arbitrary code via FGFM-generated requests.

Recommendations
As Fortinet appliances remain a high-priority target for cyber attackers, it is critical to:

• Update FortiWLM to versions 8.6.6 or later and 8.5.5 or later.
• Patch FortiManager to address CVE-2024-48889.
• Regularly monitor systems for suspicious activity and enforce strong session management practices.

Apple

Apple has released significant security updates for its iOS and macOS ecosystems, addressing vulnerabilities that could lead to data breaches, sandbox bypasses, and remote code execution (RCE) attacks. The updates, iOS 18.2 and macOS Sequoia 15.2, fix issues across multiple components, including the kernel, WebKit, AppleMobileFileIntegrity, Passwords, and ImageIO.

Key Vulnerabilities Addressed

• CVE-2024-45490:
  A vulnerability in libexpat, an open-source utility included in Apple’s software.
  Impact: Allows remote attackers to execute arbitrary code and crash applications.
• AppleMobileFileIntegrity:
  Two vulnerabilities were patched that allowed malicious applications to bypass protections and access sensitive user data.
• Kernel Vulnerabilities:
  Fixed flaws that could allow write access to memory mappings and expose sensitive kernel state information through applications.
• WebKit:
  Addressed issues that could lead to process crashes or memory corruption when processing malicious web content.
• Passwords Component:
  Resolved a bug allowing attackers with privileged network access to modify traffic.
• IOMobileFrameBuffer (macOS):
  Patched a vulnerability enabling arbitrary code execution in DCP firmware.

Apple also rolled out security updates for watchOS, tvOS, and visionOS, addressing similar vulnerabilities to ensure ecosystem-wide protection.

Recommendations

Apple users are strongly advised to:

• Update to iOS 18.2 and macOS Sequoia 15.2 immediately.
• Ensure all other devices running watchOS, tvOS, or visionOS are updated to the latest versions.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.