
Patch Tuesday April 2025 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
For even more information, watch the recorded April 2025 Vulnerability Digest webinar, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft addressed 121 vulnerabilities—significantly more than last month—including 11 rated as critical. However, only one zero-day was fixed, a notable drop. For the first time in years, none of the vulnerabilities have a publicly available proof of concept. Here are the details of the most notable critical updates.
Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2025-29824)
This is a Use After Free (UAF) vulnerability in the Windows Common Log File System (CLFS) driver. UAF issues occur when memory that has been freed is accessed again, leading to unpredictable behavior. In this case, the CLFS driver mishandles memory, allowing an attacker to manipulate the memory state. The flaw lies in how the driver allocates and frees memory when processing log files, making it possible to execute arbitrary code in the driver’s context, which runs with elevated privileges.
Affected Systems
- Windows 10 (32-bit and x64)
- Windows 11
- Windows Server 2012 and above
This vulnerability is significant because it affects a core component of Windows, impacting a wide range of environments, including enterprise systems and critical infrastructure.
If exploited, it allows privilege escalation to SYSTEM level—the highest privilege on a Windows system. An attacker could:
- Install malicious software
- Modify system files and registry settings
- Disable security features
- Access sensitive data
- Maintain persistent access
This could lead to full system compromise and lateral movement across networks.
CVSS Overview
- CVSS Score: 7.8 (Base) / 7.2 (Temporal)
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
Exploitability
- Exploited in the wild: Yes
- Proof of Concept available: Likely, as functional exploit code is referenced
Exploitation Scenarios
- Standalone Exploitation: A local attacker could craft malicious input to trigger the vulnerability and execute code with SYSTEM privileges.
- Chained Exploitation: It could be combined with remote code execution vulnerabilities or exploited through third-party software interacting with the CLFS driver, forming a multi-stage attack path.
This vulnerability is already being exploited, and due to its low complexity and high impact, it remains a serious concern.
Multiple Microsoft Office Vulnerabilities: Overview
- CVE-2025-29791 is a type confusion vulnerability classified as “Access of Resource Using Incompatible Type” (CWE-843). It occurs when the application accesses a resource using an incorrect type, which can lead to unintended behavior and potentially code execution.
- CVE-2025-27749, CVE-2025-27748, and CVE-2025-27745 are use-after-free (UAF) vulnerabilities (CWE-416). These occur when memory that has already been freed is accessed again, causing memory corruption and potentially allowing arbitrary code execution.
Potential Impact
- Remote Code Execution: Attackers could execute arbitrary code on the affected system.
- Data Theft: Access to sensitive data is possible.
- Malware Installation: Malicious software could be deployed.
- System Takeover: With code execution, full control of the system is possible.
CVSS Overview
- Score: 7.8 (Base) / 6.8 (Temporal)
- Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
These vulnerabilities are not currently exploited in the wild. No public proof of concept is available.
Exploitation Scenarios
- Opening a Malicious File: An attacker could craft a malicious Excel file. When opened, it could trigger one of the vulnerabilities. For CVE-2025-29791, this would involve type confusion. For the UAF vulnerabilities (CVE-2025-27749, CVE-2025-27748, CVE-2025-27745), it would involve accessing freed memory, resulting in memory corruption and code execution.
- Chained with Other Vulnerabilities: These issues could be combined with social engineering or other remote code execution vulnerabilities. For instance, a phishing email might be used to trick a user into opening a malicious file, which then exploits one of these flaws. They could also be chained with other exploits to escalate privileges or move laterally within a network.
Microsoft Office is widely used across organizations, meaning the potential exposure is significant.
While the requirement for user interaction adds a layer of difficulty, attackers often rely on social engineering to overcome it. In some cases, the Preview Pane could serve as an attack vector, allowing the vulnerability to trigger without explicitly opening the file.
Two Remote Desktop Gateway Vulnerabilities: Overview
- CVE-2025-27482 involves “Sensitive Data Storage in Improperly Locked Memory” (CWE-591). This occurs when sensitive data is stored in memory that isn’t properly locked, potentially allowing unauthorized access and code execution.
- CVE-2025-27480 is a use-after-free (UAF) vulnerability (CWE-416). It arises when memory is accessed after it has been freed, which can lead to memory corruption and arbitrary code execution.
Both vulnerabilities affect the Remote Desktop Gateway service, a key component of Windows Remote Desktop Services used for remote access and management.
Potential Impact
- Remote Code Execution: Attackers could execute arbitrary code on the affected system.
- Data Breach: Sensitive data stored in unlocked memory could be exposed.
- System Compromise: Full control of the system is possible, leading to unauthorized access, data theft, and malware installation.
- Lateral Movement: These vulnerabilities could serve as an entry point to move across a network and compromise additional systems.
CVSS Overview
- Score: 8.1 (Base) / 7.1 (Temporal)
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Attack Vector: Network
- Attack Complexity: High (requires a race condition)
- Privileges Required: None
- User Interaction: None
These vulnerabilities are not currently exploited in the wild, and no proof of concept has been made public. However, the “Exploitation More Likely” tag suggests a higher chance of future exploitation once technical details are released.
Exploitation Scenarios
- CVE-2025-27482: An attacker could connect to a system running the Remote Desktop Gateway role and trigger a race condition to access sensitive data in improperly locked memory, leading to code execution.
- CVE-2025-27480: This vulnerability could be exploited by creating a use-after-free condition through a race scenario, allowing arbitrary code execution.
- Chained Attacks: These vulnerabilities could be used alongside other exploits—such as social engineering or additional remote code execution flaws—to gain initial access, escalate privileges, or move within a network.
Despite the high attack complexity, the lack of required privileges and user interaction makes these vulnerabilities particularly concerning. While triggering a race condition reliably requires effort, attackers can develop working exploit code over time, increasing the risk of exploitation.
Two LDAP Vulnerabilities: Overview
CVE-2025-26670 and CVE-2025-26663 are classified as use-after-free (UAF) vulnerabilities (CWE-416). These occur when memory that has already been freed is accessed again, leading to memory corruption and potentially allowing arbitrary code execution. These specific vulnerabilities affect the Windows LDAP client, making it possible for a remote attacker to execute code over the network. Since LDAP is widely used for authentication and directory access in enterprise environments, the impact can be significant.
Potential Impact
- Remote Code Execution: Attackers could execute arbitrary code on the affected system, enabling malware installation, system modification, or unauthorized access.
- Data Breach: Sensitive information stored on the system or within the directory services could be exposed.
- System Compromise: With RCE, an attacker could take full control of the system, move laterally across the network, and deploy additional payloads.
- Service Disruption: Exploiting these vulnerabilities could destabilize or crash services that rely on the LDAP client.
CVSS Overview
- Score: 8.1 (Base) / 7.1 (Temporal)
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
- Attack Vector: Network
- Attack Complexity: High (involves a race condition)
- Privileges Required: None
- User Interaction: None
These vulnerabilities are not currently exploited in the wild, and no proof of concept has been publicly released. However, they are marked as “Exploitation More Likely,” meaning the risk of exploitation increases once technical details become public.
Exploitation Scenarios
An unauthenticated attacker could send a sequence of specially crafted requests to a vulnerable LDAP server, triggering a use-after-free condition. If successful, this could lead to remote code execution. The attack relies on winning a race condition, which adds complexity but does not make exploitation impossible.
Chaining with Other Vulnerabilities
These issues could be paired with other vulnerabilities—such as those exploited through phishing or additional remote code execution flaws—to build more advanced attack chains. For instance, an attacker might gain initial access through these LDAP vulnerabilities and then use other exploits to escalate privileges or spread across the network.
While the attack requires precision and timing, the lack of required privileges or user interaction makes these vulnerabilities especially dangerous. Over time, attackers may develop reliable methods to trigger the race condition, increasing the likelihood of successful exploitation.
Google Chrome
CVE-2025-2783: Kaspersky Lab experts discovered a sophisticated targeted attack exploiting a zero-day vulnerability in Chrome that allows the browser sandbox to be bypassed without any additional user action.
Attackers distributed personalized phishing emails with invitations to “Primakov Readings” that led to a fake website primakovreadings[.]info, targeting government organizations, educational institutions and media outlets. On March 25, Google released a patch for the CVE-2025-2783 vulnerability in the Mojo component, which was caused by a logical communication error between the Chrome sandbox and Windows. Analysis of the incident points to a likely state-sponsored APT group targeting Russian organizations using a critical vulnerability in Chrome, underscoring the need for a quick software update.
Mozilla Firefox
Firefox 137 addresses 14 vulnerabilities, 13 of which are rated as high severity. All critical issues stem from memory-related problems, such as buffer overflows and use-after-free conditions. These flaws could potentially allow attackers to execute malicious code by tricking users into opening specially crafted web pages.
The three most notable vulnerabilities are:
- CVE-2025-3028 (Use-After-Free in XSLTProcessor): This highlights the risks of improper memory handling in components that manage dynamic content transformations. Exploitation could allow arbitrary code execution, security bypasses, and full system compromise.
- CVE-2025-3032 (Leaking File Descriptors from the Fork Server): This shows how small lapses in low-level resource management can weaken sandbox protections. Attackers could gain access to privileged resources, leading to privilege escalation or isolation bypass.
- CVE-2025-3029 (URL Bar Spoofing via Non-BMP Unicode Characters): This demonstrates how flaws in rendering user interface elements can be exploited for deception. By using complex Unicode characters, attackers can spoof URLs and mislead users, aiding phishing and other social engineering attacks.
WinRAR
A critical vulnerability in WinRAR (CVE-2025-31334) has been discovered that allows attackers to bypass Windows’ Mark of the Web (MotW) protection and execute malicious code without triggering any warnings. Although the CVSS rating averages 6.8, the real-world risk is significantly higher due to WinRAR’s widespread use and the vulnerability’s ability to evade built-in Windows defenses.
The attack method is simple: a user downloads an archive that appears harmless. Inside, alongside legitimate files, is a symbolic link disguised as a regular document or executable. Opening the link silently triggers the malware.
- Attack vector: visiting a website hosting a malicious archive
- Malware delivery: no confirmed attacks yet, but a similar vulnerability (CVE-2023-38831) was previously used to distribute DarkMe and Agent Tesla.
While not yet widely exploited, the risk is critical for systems with misconfigured security policies.
Recommendations:
- Update WinRAR to version 7.11 or later
- Restrict the ability of normal users to create symbolic links
- Avoid opening or extracting suspicious archives from unknown sources
The vulnerability was discovered by Taihei Shimamine of Mitsui Bussan Secure Directions (Japan) and confirmed by JPCERT/CC. This marks the second MotW bypass reported within a year, following CVE-2025-0411 in 7-Zip.
WinRAR is used by over 500 million users worldwide.
Apple
Apple has released patches for actively exploited zero-day vulnerabilities affecting older versions of its operating systems. In addition, updates addressing multiple security issues have been applied to the latest stable versions of iOS, iPadOS, and macOS.
The first backported fix addresses CVE-2025-24200, discovered by Citizen Lab. The vulnerability was related to mobile forensic techniques and could disable “restricted USB mode” on locked devices. Apple originally patched it in iOS 18.3.1, iPadOS 18.3.1, and 17.7.5 on February 10, 2025.
The second backported vulnerability, CVE-2025-24201, allowed attackers to escape the WebKit sandbox using specially crafted web content. Apple described it as being used in “extremely sophisticated” attacks and fixed it on March 11, 2025, with the release of iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. Patches for both CVE-2025-24200 and CVE-2025-24201 have now also been included in iOS 16.7.11 and 15.8.4, and iPadOS 16.7.11 and 15.8.4.
The third backport, CVE-2025-24085, involves a privilege escalation issue in the Core Media framework. It was originally addressed in late January 2025 through updates to iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3. The fix has since been extended to iPadOS 17.7.6 and macOS Sonoma 14.7.5 and Ventura 13.7.5.
Alongside these backports, Apple has also issued security updates for its latest operating systems and software, including Safari and Xcode. The latest release—iOS 18.4 and iPadOS 18.4—addresses 77 vulnerabilities, including:
- CVE-2025-30456: Application sandbox bypass enabling root privilege escalation
- CVE-2025-24097: Arbitrary file metadata access
- CVE-2025-31182: Arbitrary file deletion
Linux
Microsoft reports that its AI-powered Security Copilot tool has helped uncover 20 previously unknown vulnerabilities in the open-source GRUB2, U-Boot, and Barebox bootloaders. GRUB2 (GRand Unified Bootloader) is the default bootloader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices.
Researchers identified 11 issues in GRUB2, including integer overflows (CVE-2025-0677, -0678, -0684 to -0686, CVE-2025-1125), out-of-bounds reads (CVE-2025-0689), out-of-range writes (CVE-2025-0690), buffer overflows (CVE-2024-56737), command execution flaws (CVE-2025-1118), and side-channel vulnerabilities (CVE-2024-56738). Most of these are classified as medium severity, except CVE-2025-0678, which is rated high with a CVSS v3.1 score of 7.8.
Additionally, nine buffer overflow vulnerabilities were found in U-Boot and Barebox while analyzing SquashFS, EXT4, CramFS, JFFS2, and symbolic link handling. These flaws typically require physical access to exploit.
The vulnerabilities affect systems with UEFI Secure Boot and, in some cases, could be used to bypass protections and execute arbitrary code. While exploiting U-Boot or Barebox flaws would likely require local access, past bootkit attacks—such as BlackLotus—have shown that similar compromises can be achieved via malware. In the case of GRUB2, these vulnerabilities could potentially be leveraged to bypass Secure Boot, install hidden bootkits, or defeat security mechanisms like BitLocker.
Microsoft noted that Security Copilot significantly accelerated the vulnerability discovery process, saving roughly a week compared to manual analysis. The tool not only identified previously undocumented flaws but also provided targeted recommendations for mitigation.
Splunk
Splunk has released patches addressing several dozen vulnerabilities across its products, including two critical remote code execution and information disclosure flaws in Splunk Enterprise and the Secure Gateway App.
The remote code execution vulnerability, tracked as CVE-2025-20229 (CVSS 8.0), can be exploited by low-privileged users through file uploads to the $SPLUNK_HOME/var/run/splunk/apptemp directory. The issue stems from missing authorization checks and has been fixed in Splunk Enterprise versions 9.4.0, 9.3.3, 9.2.5, and 9.1.8, as well as Splunk Cloud Platform versions 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208.
Another serious vulnerability affecting both Splunk Enterprise and the Splunk Secure Gateway App has also been resolved. The flaw exposed user session and authorization tokens in plaintext within the splunk_secure_gateway.log file when the /services/ssg/secrets REST endpoint was called. Exploitation would require convincing a user to trigger the request via their browser, making it suitable for phishing scenarios. Fixes are available in Splunk Enterprise versions 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and in Secure Gateway versions 3.8.38 and 3.7.23.
Splunk Mobile, Spacebridge, and Mission Control depend on the functionality of the Secure Gateway App. If these services are not in use, removing or disabling the app may serve as a temporary mitigation.
Splunk also addressed several moderate-severity issues in Splunk Enterprise, including flaws that could lead to service mode changes, security bypass, information disclosure, and manipulation of user data. Additional low-severity issues were patched in the Splunk App for Lookup Editing, as well as vulnerabilities in third-party components used in Splunk Enterprise, the App for Data Science and Deep Learning, DB Connect, Infrastructure Monitoring Add-on, and the Splunk Add-on for Microsoft Cloud Services.
While there are no reports of these vulnerabilities being exploited in the wild, Splunk recommends updating affected instances and applications without delay.
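Because the fixes above land on several maintenance branches at once (9.4.0, 9.3.3, 9.2.5 and 9.1.8 for Splunk Enterprise, and four separate lines for Splunk Cloud Platform), "are we patched?" is a branch-by-branch comparison rather than a single greater-than test: an instance on 9.3.1 is unpatched even though 9.1.8 is a smaller number. The Python below is an added example written for this digest, not Splunk's code. It assumes dotted numeric version strings of the form quoted in the advisory and takes as a parameter how many leading components identify a branch (two for Enterprise, three for Cloud Platform, which is an assumption about how the Cloud version lines group). The same logic applies to the other multi-branch fix lists in this digest, such as the Next.js and Tomcat versions.

```python
"""Branch-aware patch status check for multi-branch advisories.

Added example for this digest, not Splunk's code. The fixed-version lists
are the ones quoted in the advisory summary above; the branch_len values
(2 for Enterprise, 3 for Cloud Platform) are an assumption about how
those version lines group.
"""
from typing import Dict, List, Tuple

# Fixed versions for CVE-2025-20229 as listed in the digest.
SPLUNK_ENTERPRISE_FIXED: List[str] = ["9.4.0", "9.3.3", "9.2.5", "9.1.8"]
SPLUNK_CLOUD_FIXED: List[str] = ["9.3.2408.104", "9.2.2406.108", "9.2.2403.114", "9.1.2312.208"]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.2408.104' into (9, 3, 2408, 104) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def patch_status(installed: str, fixed: List[str], branch_len: int = 2) -> str:
    """Classify an installed version against a list of per-branch fixed versions.

    Returns one of:
      'patched'        - same branch as a fixed release and at or above it
      'vulnerable'     - same branch as a fixed release but below it
      'unlisted-newer' - a branch newer than any the advisory lists (verify with vendor)
      'unlisted-older' - a branch older than any listed (likely out of support; treat as exposed)
    """
    inst = parse_version(installed)
    branch = inst[:branch_len]
    fixed_parsed = [parse_version(f) for f in fixed]
    same_branch = [f for f in fixed_parsed if f[:branch_len] == branch]
    if same_branch:
        # A branch normally has one fixed release; min() keeps this safe if several are listed.
        return "patched" if inst >= min(same_branch) else "vulnerable"
    newest_listed_branch = max(f[:branch_len] for f in fixed_parsed)
    return "unlisted-newer" if branch > newest_listed_branch else "unlisted-older"


def assess_fleet(hosts: Dict[str, str], fixed: List[str], branch_len: int = 2) -> Dict[str, str]:
    """Map host name -> status for a dict of host name -> installed version."""
    return {host: patch_status(ver, fixed, branch_len) for host, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    enterprise = {"splunk-idx-01": "9.3.1", "splunk-sh-01": "9.4.2", "splunk-legacy": "9.0.9"}
    for host, status in assess_fleet(enterprise, SPLUNK_ENTERPRISE_FIXED).items():
        print(f"{host:15} {status}")
    print("cloud stack:", patch_status("9.3.2408.103", SPLUNK_CLOUD_FIXED, branch_len=3))
```

The two "unlisted" results are deliberately not collapsed into "patched" or "vulnerable": a branch the advisory does not mention needs a human to check the vendor's support matrix rather than a script guessing.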
Next.js
A critical vulnerability has been identified in the Next.js React framework that, under certain conditions, could allow attackers to bypass authorization checks. Tracked as CVE-2025-29927, the flaw has a CVSS score of 9.1 out of 10.
Next.js uses an internal x-middleware-subrequest header to prevent recursive requests from causing infinite loops. However, if this header is manipulated, middleware execution can be skipped entirely—allowing requests to bypass crucial checks, including those for authorization cookies. The issue has been fixed in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. As a workaround, it’s recommended to block external requests containing the x-middleware-subrequest header.
The vulnerability was discovered and reported by researcher Rashid Allam (aka zhero / cold-try), who has since published technical details. As noted by JFrog, the flaw makes it easy for attackers to bypass authorization logic in middleware, potentially granting access to pages restricted to administrators or privileged users. JFrog also warned that any application relying solely on middleware for authorization—without additional checks—is likely vulnerable.
Akamai researchers report that hackers have already begun targeting the vulnerability. The first exploitation attempts were observed less than a week after the patch became available. CVE-2025-29927 was publicly disclosed on March 21, one week after the patched versions were released.
Next.js uses middleware to manage HTTP requests, including authentication, authorization, and security headers. The x-middleware-subrequest header helps manage these processes and prevent recursion. Because the header has a predictable value and was not properly validated, attackers can craft requests that imitate it and bypass authentication checks. When the middleware is bypassed, the application skips its normal security routines, potentially exposing restricted areas.
Although only certain versions of Next.js are affected, the exact method of exploitation can vary. According to Rapid7, the impact depends on how middleware is configured and how the application functions. Some applications may use middleware as a front-end layer, while authentication still occurs on the backend. In those cases, bypassing the middleware may not result in unauthorized access if server-side checks are still enforced.
While no confirmed cases of real-world exploitation have been reported, Akamai has observed attackers scanning for vulnerable servers. These attempts mimic multiple internal subrequests within a single HTTP request, triggering the redirection logic used in Next.js. The attack pattern closely resembles the proof-of-concept and technical details released by the researcher who discovered the flaw.
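The workaround the advisory gives is to block external requests that carry the x-middleware-subrequest header, and the scanning Akamai describes leaves that same header in access logs. The Python below is an added example written for this digest, not Next.js or Vercel code. It assumes the application sits behind a reverse proxy or WAF hook that can inspect and rewrite headers before the request reaches Next.js, and it assumes access logs in a JSON-lines format; the log records and header values in it are constructed for the example, not captured traffic. It shows the two defender-side pieces: stripping the header at the edge, and sweeping historic logs for requests that carried it.

```python
"""Edge-side handling of the Next.js x-middleware-subrequest header (CVE-2025-29927).

Added example for this digest, not Next.js or Vercel code. Assumes a reverse
proxy / WAF hook in front of the application and JSON-lines access logs;
the sample records below are constructed.
"""
import json
from typing import Dict, List

# Header Next.js uses internally to stop recursive middleware invocation.
# No client outside the application has a legitimate reason to send it.
INTERNAL_HEADERS = {"x-middleware-subrequest"}


def strip_internal_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the request headers with Next.js-internal headers removed.

    Header names are compared case-insensitively: HTTP header names are
    case-insensitive, so a filter that only matched the lowercase spelling
    would be trivially sidestepped.
    """
    return {name: value for name, value in headers.items() if name.lower() not in INTERNAL_HEADERS}


def is_suspicious_request(headers: Dict[str, str]) -> bool:
    """True when an external request carries a header that should only ever be internal."""
    return any(name.lower() in INTERNAL_HEADERS for name in headers)


# Constructed JSON-lines access log: one request per line. The header value is a
# placeholder, not the value the framework actually uses.
SAMPLE_LOG = """\
{"ts": "2025-03-22T10:01:11Z", "src": "203.0.113.10", "method": "GET", "path": "/admin", "headers": {"x-middleware-subrequest": "placeholder-value"}, "status": 200}
{"ts": "2025-03-22T10:01:15Z", "src": "198.51.100.7", "method": "GET", "path": "/", "headers": {"user-agent": "Mozilla/5.0"}, "status": 200}
{"ts": "2025-03-22T10:02:03Z", "src": "203.0.113.10", "method": "GET", "path": "/dashboard", "headers": {"X-Middleware-Subrequest": "placeholder-value"}, "status": 200}
"""


def scan_access_log(log_text: str) -> List[Dict[str, object]]:
    """Return the records in which an external client sent an internal header.

    A hit with a 200 response on a restricted path is the one to triage first:
    it means the request reached the application with middleware possibly
    skipped, so the backend's own authorization (if any) was the only control.
    """
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if is_suspicious_request(record.get("headers", {})):
            hits.append({k: record[k] for k in ("ts", "src", "path", "status")})
    return hits


if __name__ == "__main__":
    incoming = {"Host": "app.example", "X-Middleware-Subrequest": "anything", "Accept": "*/*"}
    print("forwarded headers:", strip_internal_headers(incoming))
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

Stripping the header at the edge is a stop-gap until the patched version is deployed; the point JFrog and Rapid7 make above still stands, which is that routes should enforce authorization server-side as well, so that a skipped middleware layer does not by itself grant access.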
VMware
VMware has issued an emergency patch for an authentication bypass vulnerability in its VMware Tools for Windows utility suite. This set of drivers and tools enhances the performance and manageability of virtual machines, enabling features such as improved graphics, mouse integration, and time synchronization between host and guest systems.
The vulnerability, tracked as CVE-2025-22230, allows an attacker with non-administrative privileges in a Windows guest VM to carry out certain high-privilege operations within that environment. According to VMware, the issue is caused by improper access controls and has been assigned a CVSS score of 7.8.
The flaw was discovered by researchers at Positive Technologies. A fix is available in VMware Tools for Windows version 12.5.1. Versions of VMware Tools for Linux and macOS are not affected.
NGINX
Wiz researchers have uncovered critical remote code execution vulnerabilities in the Ingress-NGINX controller for Kubernetes, potentially exposing clusters to remote attacks. The flaws—CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974—are collectively known as IngressNightmare and affect the Ingress-NGINX controller, a commonly used component that functions as a load balancer and reverse proxy for Kubernetes applications.
According to Wiz, 41% of internet-facing Kubernetes clusters use Ingress-NGINX. Of the environments analyzed, 43% had at least one vulnerable instance, and 6,500 exposed clusters—including those belonging to Fortune 500 companies—were found to have publicly accessible, vulnerable controllers.
IngressNightmare targets the admission controller that processes and validates incoming ingress objects before they are deployed. The risk is heightened because the admission controller is exposed over the network and does not require authentication. When the admission controller receives an ingress object, it generates an NGINX configuration and validates it against the NGINX binary. Wiz discovered that during this validation phase, a specially crafted ingress object could inject a malicious configuration, causing the NGINX validator to execute arbitrary code and enabling remote code execution on the controller.
Exploitation of this vulnerability could give an attacker access to all secrets across all namespaces and full control of the Kubernetes cluster. Given the widespread use of Ingress-NGINX in cloud environments—including by major AI firms and Fortune 500 companies—the potential impact is significant. If compromised, attackers could access or modify any data within the affected environment.
Wiz reported the vulnerabilities in December 2024 and January 2025. Patches were released on Monday in Ingress-NGINX Controller versions 1.12.1 and 1.11.5. Users are advised to update immediately or apply temporary mitigations, such as disabling the controller or restricting access to it via the Kubernetes API server.
Veeam
Veeam has patched a critical remote code execution vulnerability, CVE-2025-23120, in its Backup & Replication software. The flaw affects domain-joined installations and allows any domain user to compromise the server. The issue impacts version 12.3.0.310 and all earlier builds of version 12. A fix is available in version 12.3.1 (build 12.3.1.1139), which is now publicly released.
According to watchTowr Labs, which discovered the vulnerability, the issue stems from a deserialization flaw in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. It occurs when the application improperly processes serialized data, allowing attackers to inject malicious objects that can trigger arbitrary code execution.
In 2023, Veeam patched a similar deserialization bug reported by researcher Florian Hauser and introduced a blacklist of known exploitable classes. However, watchTowr identified a new gadget chain not covered by that blacklist, successfully bypassing the previous fix.
The vulnerability only affects Veeam Backup & Replication servers joined to a Windows domain—but in such configurations, any domain user can exploit it. Despite earlier recommendations from Veeam advising against domain-joining backup servers, many organizations have done so, increasing their exposure. These servers remain attractive targets for ransomware operators due to the critical data they manage.
Although there have been no confirmed reports of active exploitation, watchTowr has released technical details that could lead to a proof-of-concept soon. Organizations using Veeam Backup & Replication should update to version 12.3.1 immediately and, where possible, disconnect the server from the domain.
Cisco
SANS researchers are warning of active attempts to exploit two critical vulnerabilities in the Cisco Smart Licensing Utility, identified as CVE-2024-20439 and CVE-2024-20440. This utility is used to activate and manage Cisco software licenses within an organization.
The vulnerabilities were first disclosed in early September 2024, at which time Cisco released patches. According to the company, the flaws could allow a remote, unauthenticated attacker to access sensitive information or take control of services running on affected systems. Technical details for CVE-2024-20439 were made public weeks later, after researchers reverse-engineered Cisco’s patches.
On Wednesday, SANS reported the first observed exploit attempts. According to their analysis, CVE-2024-20439 functions as a backdoor, enabling access to the software through a hard-coded password. CVE-2024-20440 is related to excessive logging behavior that exposes sensitive data—accessible only after the first vulnerability has been exploited.
SANS detected the attacks through honeypots, where the attacker attempted to use default credentials to access exposed Cisco Smart Licensing Utility instances. The broader intent behind the attacks remains unclear, but SANS notes the same actor appears to be targeting other systems, including IoT devices.
Cisco’s advisory states that both vulnerabilities were discovered internally and makes no mention of known exploitation. A spokesperson for the company said Cisco has not received any reports of malicious use and continues to advise customers to apply the available patches.
Apache
A critical remote code execution vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is now being actively exploited. The flaw allows attackers to take control of servers using a simple PUT request. Proof-of-concept exploits were published to GitHub just 30 hours after the vulnerability was discovered last week. Apache disclosed the issue on Monday, March 10, 2025. It affects Tomcat versions 11.0.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.0-M1 to 9.0.98.
Wallarm researchers confirmed the exploitation and noted that traditional security tools may not detect the attack, as the PUT requests appear legitimate and the payload is hidden using base64 encoding. The exploit involves sending a PUT request with a base64-encoded, serialized Java object, which Tomcat stores in the session cache. A follow-up GET request, using a JSESSIONID cookie pointing to the session file, forces Tomcat to deserialize and execute the payload—giving the attacker full control.
The attack requires no authentication and is enabled by Tomcat’s default behavior of accepting partial PUT requests and storing session data in files. The only prerequisite is that the server uses file-based session storage, which is common in many setups.
Apache advises all users to upgrade to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+, which include the necessary fix. As an alternative, users can mitigate the issue by reverting the default servlet configuration to readonly="true", disabling partial PUT support, and avoiding the storage of sensitive files in public-facing directories.
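Two things an operator can check from the description above: whether the DefaultServlet in web.xml still has readonly set to false (the precondition for PUT being accepted at all), and whether the access logs show partial PUT requests or JSESSIONID cookies that do not look like session ids. The Python below is an added example written for this digest, not Apache's code. It assumes a Tomcat conf/web.xml and an AccessLogValve pattern of `%h [%t] "%r" %s "%{Content-Range}i" "%{Cookie}i"`, which a real deployment would have to configure so that those two headers are logged; the web.xml fragment and log lines in it are constructed, and the session-id shape it checks (32 hex digits with an optional ".jvmRoute" suffix) is Tomcat's default, not a guarantee for tuned deployments.

```python
"""Checks for the Apache Tomcat partial-PUT issue (CVE-2025-24813).

Added example for this digest, not Apache's code. Assumptions:
  * web_xml is Tomcat's conf/web.xml, where the DefaultServlet is declared;
  * access-log lines follow the AccessLogValve pattern
        %h [%t] "%r" %s "%{Content-Range}i" "%{Cookie}i"
    which must be configured explicitly to capture those headers.
The sample web.xml and log lines below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed log lines. Cookie and path values are placeholders, not a captured exploit.
SAMPLE_LOG = """\
203.0.113.5 [10/Mar/2025:12:00:01 +0000] "PUT /uploads/report HTTP/1.1" 204 "bytes 0-99/200" "-"
198.51.100.2 [10/Mar/2025:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 "-" "JSESSIONID=4B9C2E1A7D6F8A3B5C0E2D1F4A6B8C9D"
203.0.113.5 [10/Mar/2025:12:00:09 +0000] "GET / HTTP/1.1" 500 "-" "JSESSIONID=uploads/report"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Tomcat's default session id: 32 hex digits, optionally followed by ".jvmRoute".
SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}(\.[A-Za-z0-9_-]+)?$")


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works for javaee and jakartaee web.xml files."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_is_readonly(web_xml: str) -> bool:
    """True unless the DefaultServlet explicitly sets readonly to false.

    Tomcat's documented default for the parameter is true, so a missing
    init-param counts as read-only; only an explicit 'false' enables PUT/DELETE.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() != "false"
    return True


def _jsessionid(cookie_header: str) -> str:
    """Extract the JSESSIONID value from a Cookie header, or '' if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return ""


def find_partial_put_activity(log_text: str) -> List[Dict[str, str]]:
    """Flag PUT requests (partial ones in particular) and non-standard JSESSIONID values."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not follow the assumed pattern; skip rather than guess
        rec = m.groupdict()
        if rec["method"] == "PUT":
            kind = "partial PUT" if rec["range"] != "-" else "PUT"
            hits.append({"src": rec["src"], "ts": rec["ts"], "reason": f"{kind} to {rec['path']}"})
        sid = _jsessionid(rec["cookie"])
        if sid and not SESSION_ID_RE.match(sid):
            hits.append({"src": rec["src"], "ts": rec["ts"], "reason": f"non-standard JSESSIONID {sid!r}"})
    return hits


if __name__ == "__main__":
    print("DefaultServlet read-only:", default_servlet_is_readonly(SAMPLE_WEB_XML))
    for hit in find_partial_put_activity(SAMPLE_LOG):
        print(hit)
```

On a server where the default servlet is meant to be read-only, any PUT in the log is worth a look regardless of the Content-Range header, which is why the scanner records plain PUTs too and only labels the partial ones.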
Wallarm researchers warn that this is likely just the beginning. Future attacks may involve uploading malicious JSP files, modifying configurations, or placing backdoors outside the session storage directory, expanding the threat beyond the current exploitation campaign.
Fortinet
Fortinet has issued patches for 18 vulnerabilities affecting multiple products, including FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiAnalyzer, FortiManager, FortiAnalyzer-BigData, FortiSandbox, FortiNDR, FortiWeb, FortiSIEM, and FortiADC.
Among the high-severity issues is CVE-2023-48790, a cross-site scripting vulnerability in FortiNDR that could allow an unauthorized attacker to execute arbitrary code or commands. Another critical flaw, CVE-2024-45325, impacts FortiOS, FortiProxy, FortiPAM, FortiSRA, and FortiWeb. It enables a privileged attacker to run arbitrary code or commands by sending specially crafted requests. Technical details for this vulnerability appear to be publicly available.
CVE-2023-40723, also rated high severity, affects FortiSIEM and allows an unauthorized attacker to remotely retrieve the database password using crafted API requests.
In FortiSandbox, Fortinet addressed several high-severity vulnerabilities: CVE-2024-45328 (privilege escalation), CVE-2024-52961 (command injection), and CVE-2024-54027 (unauthorized data access). In FortiIsolator, CVE-2024-55590 was patched to prevent code execution by attackers with read-only administrator access. FortiADC received a fix for CVE-2023-37933, an authenticated XSS vulnerability.
Fortinet also resolved a series of medium-severity vulnerabilities that could be used to execute code, run commands, write arbitrary files, or bypass web firewall protections. One low-severity issue, allowing unauthorized operations, was also fixed.
The company noted that many of these vulnerabilities were discovered internally and said there is no indication of active exploitation.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.