Patch Tuesday February 2025 Updates – Vulnerability Digest from Action1
This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.
Microsoft Vulnerabilities
This Patch Tuesday, Microsoft has fixed 56 vulnerabilities—significantly fewer than last month—including just three classified as critical. Two zero-days have been patched, while an older zero-day received additional updates. Additionally, two more vulnerabilities have publicly available proof-of-concept exploits. Here are the key details on the most notable critical updates.
Windows Storage Elevation of Privilege Vulnerability (CVE-2025-21391)
The first zero-day, CVE-2025-21391, is a critical elevation of privilege vulnerability affecting Microsoft Windows. It stems from improper link resolution before file access (CWE-59), where symbolic links (symlinks) or shortcuts are not handled correctly during file operations. Exploiting this flaw allows an attacker to delete targeted files, impacting system integrity and availability.
The issue lies in how Windows Storage resolves file paths and follows links. Due to insufficient validation, attackers can create malicious symlinks that redirect file operations to critical system files or user data, leading to unauthorized deletion. The lack of strict validation mechanisms before file access increases the risk of exploitation.
All Windows versions containing the vulnerable Windows Storage component are potentially affected, including both server and desktop editions used in enterprise and personal environments.
Potential Impact:
- Integrity Loss: Attackers can delete or manipulate files, leading to data corruption or loss.
- Availability Disruption: Deleting critical system or application files can make services or the entire system unavailable.
- Operational Downtime: Businesses may face disruptions while recovering lost data.
- No Confidentiality Breach: The vulnerability does not allow data exfiltration.
Exploit Details:
- Attack Vector: Local – The attacker must have local access, either physically or via remote login.
- Attack Complexity: Low – Exploitation does not require advanced techniques.
- Privileges Required: Low – Even standard user privileges are sufficient.
Additional Information:
- CVSS Score: 7.1 (High), Temporal score: 6.6
- Publicly Disclosed: No
- Exploited in the Wild: Yes – Reports confirm active exploitation.
- Proof of Concept: Likely exists, possibly shared privately among threat actors.
Possible Attack Scenarios:
While this vulnerability enables file deletion, combining it with other exploits could escalate privileges and cause more severe damage. Possible attack strategies include:
- Bypassing Security Measures: Deleting logs or security configurations to cover tracks or disable defenses.
- Facilitating Other Attacks: Removing critical files to crash services, then exploiting them upon restart.
- Persistent Disruption: Repeatedly forcing system recoveries while introducing malware.
- Data Manipulation: Used alongside malware to both alter and delete files, complicating recovery efforts.
Organizations using Windows at scale are particularly at risk due to the widespread use of Windows Storage. Potentially millions of organizations worldwide could be at risk. The number of affected systems depends on Windows version adoption rates and existing security measures.
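The CWE-59 pattern described above (a link planted under a path that a privileged component later deletes through) is easiest to see in code. The following Python is an added example, not Microsoft's code and not part of the original digest: it deletes a file under a managed root only after verifying that no component of the path is a symlink or reparse point, and it contrasts that with an unchecked delete that follows a directory symlink out of the root. The directory layout, function names and temporary files are constructed for the demonstration.

```python
"""Delete a file under a managed root without following links (CWE-59).

Added example for the CVE-2025-21391 discussion; not Microsoft's code.
The function names and the directory layout in demo() are this example's own.
"""
import os
import stat
import tempfile


class LinkRefusedError(PermissionError):
    """A path component is a symlink or reparse point; the operation was refused."""


def _is_link_or_reparse(path: str) -> bool:
    # lstat() inspects the directory entry itself and never follows a link.
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # Windows junctions and other reparse points are not S_ISLNK; they show up
    # in st_file_attributes (attribute absent on other platforms -> treated as 0).
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def safe_unlink(root: str, relpath: str) -> str:
    """Delete root/relpath. Every component from root down is checked, so a
    junction or symlink planted anywhere in the path cannot redirect the delete.
    Returns the deleted path; raises ValueError on traversal and
    LinkRefusedError on a link. The check-then-delete sequence still leaves a
    small race window (this portable example narrows, not closes, it)."""
    root_real = os.path.realpath(root)
    norm = os.path.normpath(relpath)
    parts = norm.split(os.sep)
    if os.path.isabs(norm) or ".." in parts:
        raise ValueError(f"path escapes root: {relpath!r}")
    current = root_real
    for part in parts:
        current = os.path.join(current, part)
        if _is_link_or_reparse(current):
            raise LinkRefusedError(f"refusing to follow link at {current}")
    if os.path.commonpath([root_real, os.path.realpath(current)]) != root_real:
        raise ValueError(f"resolved path escapes root: {current}")
    os.unlink(current)
    return current


def demo() -> dict:
    """Constructed scenario: the managed root contains a directory symlink
    'cache' that points at a directory outside the root. Deleting
    'cache/important.cfg' through that link would destroy the outside file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "root")
        outside = os.path.join(tmp, "secrets")
        os.mkdir(root)
        os.mkdir(outside)
        victim = os.path.join(outside, "important.cfg")
        scratch = os.path.join(root, "scratch.tmp")
        for p in (victim, scratch):
            with open(p, "w") as f:
                f.write("data\n")
        os.symlink(outside, os.path.join(root, "cache"), target_is_directory=True)

        result = {}
        try:
            safe_unlink(root, os.path.join("cache", "important.cfg"))
            result["via_link"] = "deleted"
        except LinkRefusedError:
            result["via_link"] = "refused"
        result["victim_survives"] = os.path.exists(victim)
        safe_unlink(root, "scratch.tmp")
        result["regular_deleted"] = not os.path.exists(scratch)
        try:
            safe_unlink(root, os.path.join("..", "secrets", "important.cfg"))
            result["traversal"] = "deleted"
        except ValueError:
            result["traversal"] = "refused"
        # For contrast, an unchecked os.unlink() follows the directory link and
        # removes the file outside the root: the behaviour the CVE describes.
        os.unlink(os.path.join(root, "cache", "important.cfg"))
        result["naive_deleted_victim"] = not os.path.exists(victim)
        return result


if __name__ == "__main__":
    print(demo())
```

The remaining window between the lstat() checks and the unlink() is the same race class the CWE covers; closing it on Windows means opening each component with FILE_FLAG_OPEN_REPARSE_POINT, and on POSIX using O_NOFOLLOW directory handles, neither of which this portable example does.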
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (CVE-2025-21418)
The second zero-day, CVE-2025-21418, is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys), a kernel-mode driver that provides network socket services. It arises from a heap-based buffer overflow (CWE-122) due to improper memory handling. When the system allocates memory from the heap without properly validating the size or amount of data copied, an overflow can occur, leading to memory corruption or arbitrary code execution.
The root cause is insufficient validation of user-supplied input, allowing low-privileged users to send specially crafted data that overflows the buffer.
Affected Systems:
All Windows versions containing the vulnerable AFD.sys driver are potentially impacted, including:
- Windows 10
- Windows 11
- Windows Server (2016 and later)
Potential Impact:
Successful exploitation grants SYSTEM privileges, the highest level in Windows, enabling an attacker to:
- Install programs
- View, modify, or delete data
- Create accounts with full user rights
- Alter system configurations and security settings
Exploit Details:
- Attack Vector: Local – The attacker must have local access, either physically or through a remote session.
- Attack Complexity: Low – Exploitation is straightforward and reliable.
- Privileges Required: Low – A standard user account is sufficient.
- User Interaction: None – No action is required from other users.
Additional Information:
- CVSS Score: 7.8 (High), Temporal score: 7.2
- Publicly Disclosed: No – Technical details have not been made public.
- Exploited in the Wild: Yes – Reports confirm active exploitation.
- Proof of Concept: While not publicly available, the presence of exploitation suggests exploit code exists, likely shared among threat actors.
Attack Scenarios:
On its own, this vulnerability allows an attacker with low privileges to escalate to SYSTEM privileges, granting full control over the system. Potential attack paths include:
- Initial Access via Social Engineering or Malware: Attackers could gain low-privileged access through phishing or malware distribution and then use this vulnerability to escalate privileges.
- Combination with Remote Code Execution (RCE): If paired with an RCE vulnerability, an attacker could remotely compromise a system and elevate privileges to SYSTEM.
- Disabling Security Tools: Gaining SYSTEM privileges allows attackers to disable security software, logs, and alerts, complicating detection and response.
- Targeted Attacks: Sophisticated groups or nation-state actors may use this as part of multi-stage attacks to infiltrate secure environments.
Risk Considerations:
Organizations with large Windows deployments face significant risk due to the widespread presence of AFD.sys across systems. The combination of low attack complexity, minimal privileges required, and confirmed exploitation in the wild makes this a serious threat requiring immediate attention.
NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-21377)
CVE-2025-21377, which has a proof of concept, is a spoofing vulnerability in Microsoft Windows that can lead to the disclosure of a user’s NTLMv2 hash. It stems from improper handling of file names or paths (CWE-73: External Control of File Name or Path). The vulnerability allows external input to manipulate file paths without proper validation, enabling an attacker to trick the system into sending the NTLMv2 hash over the network. Once captured, this hash can potentially be used to authenticate as the victim.
Affected Systems:
All supported versions of Microsoft Windows are affected, including both client and server editions. The vulnerability impacts core Windows components, including:
- MSHTML Platform – Used by Internet Explorer mode in Microsoft Edge and applications that rely on the WebBrowser control.
- EdgeHTML and Scripting Platforms – Used by WebView, Universal Windows Platform (UWP) applications, and other legacy applications.
Potential Impact:
Attackers can obtain a user’s NTLMv2 hash, which can then be used to authenticate within the network. As per CVSS (C:H), successful exploitation results in a complete confidentiality breach for the affected account, potentially granting unauthorized access to network resources and facilitating further exploitation.
Exploit Details:
- Attack Vector: Network – The vulnerability can be exploited remotely.
- Attack Complexity: Low – Exploitation does not require special conditions.
- Privileges Required: None – Attackers do not need prior access or authentication.
- User Interaction: Required – A user must interact with a malicious file, though minimal interaction is sufficient.
Additional Information:
- CVSS Score: 6.5 (Medium), Temporal score: 6.0
- Publicly Disclosed: Yes – Technical details have been made public.
- Exploited in the Wild: No – No confirmed instances of exploitation.
- Exploitability Assessment: Exploitation is considered likely due to public disclosure.
- Proof of Concept: Likely exists, increasing the risk of exploitation.
Attack Scenarios:
- Pass-the-Hash Attacks: Attackers can use captured NTLMv2 hashes to authenticate as the compromised user, gaining access to network resources.
- Phishing & Social Engineering: Users could be tricked into interacting with malicious files that trigger NTLMv2 hash disclosure.
- Privilege Escalation & Lateral Movement: Combining this vulnerability with others could allow attackers to escalate privileges, access sensitive systems, or deploy malware.
- Persistent Access: Compromised credentials could be used for long-term access, making detection and remediation more challenging.
Risk Considerations:
Organizations using Windows systems that do not exclusively rely on Kerberos for authentication are at risk. CVE-2025-21377 presents a significant threat by exposing NTLMv2 hashes, potentially leading to unauthorized access across networks.
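The CWE-73 mechanism behind this hash disclosure is an externally controlled path that resolves to a remote host, so the defensive check is to recognise such paths before any file API sees them. The Python below is an added example (not Microsoft's code and not part of the digest): remote_host() classifies UNC, extended UNC and file:// forms, and scan_fields() runs it over a constructed set of document metadata fields. The helper names, the field names and the 203.0.113.x addresses (a documentation range) are constructed.

```python
"""Flag externally supplied file references that would make Windows open a
connection to a remote host, where NTLM authentication can be offered (CWE-73).

Added example for the CVE-2025-21377 discussion; the helper names and the
sample fields are this example's own, not Microsoft's code."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# URL schemes that Windows hands to SMB/WebDAV file access rather than a browser.
_REMOTE_SCHEMES = {"file", "smb", "webdav", "webdavs"}
_SEP = re.compile(r"[\\/]+")


def remote_host(path: str) -> Optional[str]:
    """Return the host a path or URL would contact, or None for a local path.

    Handles \\\\host\\share, //host/share, \\\\?\\UNC\\host\\share and
    file://host/... while leaving \\\\?\\C:\\... device paths and
    file:///C:/... as local."""
    p = path.strip()
    if "://" in p:
        u = urlsplit(p)
        if u.scheme.lower() in _REMOTE_SCHEMES and u.netloc:
            return u.hostname
        return None  # http(s) etc. are fetched by a browser, not by a file API
    if not (p.startswith("\\\\") or p.startswith("//")):
        return None
    parts = _SEP.split(p[2:])
    if parts[0] in ("?", "."):  # extended-length / device path prefix
        if len(parts) > 2 and parts[1].upper() == "UNC":
            return parts[2] or None
        return None  # \\?\C:\... stays local
    return parts[0] or None


def scan_fields(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, host) for every field whose value points at a remote host."""
    hits = []
    for name, value in fields.items():
        host = remote_host(value)
        if host is not None:
            hits.append((name, host))
    return hits


# Constructed sample: path-bearing fields pulled from a document's metadata.
SAMPLE_FIELDS = {
    "attached_template": r"\\203.0.113.7\templates\normal.dotm",
    "icon_location": r"\\?\UNC\203.0.113.7\share\app.ico",
    "local_template": r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\normal.dotm",
    "device_path": r"\\?\C:\Windows\System32\notepad.exe",
    "help_link": "https://docs.example/help",
    "shared_doc": "file://fileserver.example/docs/policy.docx",
}


def demo() -> List[Tuple[str, str]]:
    return scan_fields(SAMPLE_FIELDS)


if __name__ == "__main__":
    for field, host in demo():
        print(f"{field}: would contact {host}")
```

Fields that come back with a host should be rejected or rewritten before the value reaches a file API. The check complements rather than replaces the network-level controls against NTLM capture and relay (blocking outbound SMB at the perimeter and restricting NTLM through policy).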
Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2025-21376)
CVE-2025-21376 is a critical remote code execution (RCE) vulnerability affecting the Windows Lightweight Directory Access Protocol (LDAP) service. It results from a combination of multiple weaknesses:
- CWE-362: Race condition due to improper synchronization of concurrent processes.
- CWE-191: Integer underflow, causing incorrect calculations in buffer size management.
- CWE-122: Heap-based buffer overflow, leading to memory corruption and potential code execution.
The vulnerability arises from improper handling of concurrent LDAP requests. A race condition allows an attacker to manipulate the timing of operations, triggering an integer underflow that miscalculates buffer sizes. This, in turn, causes a heap-based buffer overflow, enabling an attacker to execute arbitrary code on the affected system.
Potential Impact:
An unauthenticated attacker could exploit this flaw to execute code with the privileges of the LDAP service, leading to:
- Unauthorized access to sensitive directory data.
- Modification or deletion of directory entries.
- Lateral movement within the network.
Exploit Details:
- Attack Vector: Network – Exploitable remotely by sending specially crafted LDAP packets.
- Attack Complexity: High – Exploitation requires precise timing to manipulate the race condition.
- Privileges Required: None – No authentication is needed; any attacker with network access can attempt exploitation.
- User Interaction: None – No action from legitimate users is required.
Additional Information:
- CVSS Score: 8.1 (High), Temporal score: 7.1
- Publicly Disclosed: No – Technical details have not been made public.
- Exploited in the Wild: No – No confirmed reports of active exploitation.
- Exploitability Assessment: More likely – Despite its complexity, the critical nature of the vulnerability and LDAP’s importance make it a potential target for advanced attackers.
Attack Scenarios:
An attacker sends multiple carefully timed LDAP requests to trigger the race condition. By manipulating request timing, they disrupt synchronization within LDAP’s concurrent processing. This leads to an integer underflow, causing a heap-based buffer overflow that enables code execution with high privileges.
While the attack is complex, skilled adversaries may use it as part of a broader campaign to establish an initial foothold or escalate privileges within a network.
Risk Considerations:
Organizations relying on Windows Active Directory for authentication and directory services are at significant risk due to LDAP’s central role. The widespread use of Windows Server in enterprise environments means many organizations could be affected.
Google Chrome
Google has released Chrome 131, addressing several serious memory vulnerabilities, including three affecting the JavaScript V8 engine.
The first vulnerability, CVE-2024-12692, is a type confusion bug in the V8 engine. Google awarded $55,000 to the researcher who reported it, indicating the severity of the flaw, which could potentially lead to remote code execution (RCE).
The second issue, CVE-2024-12693, is an out-of-bounds memory access bug in the V8 engine. This memory corruption flaw earned a $20,000 bounty for its discovery.
Two additional vulnerabilities were also addressed:
- CVE-2024-12694: A high-severity use-after-free issue in compositing.
- CVE-2024-12695: An out-of-bounds write vulnerability in the V8 engine. No bounty has been assigned yet.
The updated Chrome version is now available as 131.0.6778.204/.205 for Windows and macOS, and 131.0.6778.204 for Linux. Google confirmed no evidence of these vulnerabilities being exploited in real-world attacks.
To mitigate memory corruption flaws, Google has implemented measures to enhance Chrome’s security and has made significant progress by adopting Rust in its codebase. This transition has already resulted in fewer memory safety bugs in Android over the past five years, with similar improvements expected in Chrome as the migration continues.
Google Chrome 133 addresses 12 vulnerabilities, many of which were identified through automated testing tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL.
Below are the most serious vulnerabilities, including their technical nature, root causes, potential impacts, and exploitation scenarios:
- CVE-2025-0444: Use-After-Free in Skia
This high-severity use-after-free (UAF) flaw affects Skia, Google’s open-source 2D graphics library used for rendering images, shapes, and text in Chrome. The vulnerability occurs due to improper handling of graphics objects during rendering. If an object is freed but its reference is not properly cleared, subsequent operations may attempt to access freed memory, leading to undefined behavior. Exploiting this flaw can result in arbitrary code execution within the browser process, allowing an attacker to run malicious code on the user’s machine. Potential impacts include data theft, malware installation, or full system compromise. Since Skia handles web content rendering, this vulnerability can be triggered remotely via a specially crafted webpage, making it particularly dangerous.
- CVE-2025-0445: Use-After-Free in V8
This high-severity UAF vulnerability affects V8, Chrome’s JavaScript and WebAssembly engine. V8 compiles JavaScript into optimized machine code for execution. The flaw stems from improper object handling during garbage collection, where certain objects may be freed prematurely while still in use, leading to a use-after-free condition. Exploitation can allow arbitrary code execution within the browser context, enabling attackers to execute malicious scripts, access sensitive information, or run unauthorized code on a user’s device. Given the ubiquity of JavaScript in web pages, this significantly expands the attack surface.
- CVE-2025-0451: Inappropriate Implementation in Extensions API
This medium-severity vulnerability involves improper implementation in the Extensions API, which developers use to create browser extensions. The issue arises from insufficient validation and enforcement of permissions, allowing extensions to request or gain access to resources they should not have. Attackers could exploit this flaw to perform unauthorized actions, access or modify sensitive data, or interfere with other extensions and browser features. This could lead to privacy breaches, data theft, or execution of unauthorized code.
From an attacker’s perspective, these vulnerabilities offer opportunities for sophisticated exploit chains. By combining multiple flaws, attackers could bypass security layers, escalate privileges, and maintain persistence on a compromised system. For instance, a malicious extension exploiting CVE-2025-0451 could serve as an entry point, leveraging use-after-free vulnerabilities to execute code and gain deeper access to the system.
Mozilla Firefox
Firefox 135 addresses 19 vulnerabilities, including 13 classified as high-risk due to memory-related issues such as buffer overflows and use-after-free conditions. These flaws could allow attackers to execute malicious code when users open specially crafted web pages. Below are the most critical vulnerabilities:
- CVE-2025-1009: Use-After-Free in XSLT
This high-severity use-after-free vulnerability affects Firefox’s implementation of XSLT (Extensible Stylesheet Language Transformations), a language used to convert XML documents into formats like HTML or plain text. The flaw results from improper memory management when processing crafted XSLT data. If an object involved in an XSLT transformation is freed while still being referenced, subsequent operations may trigger a use-after-free condition, leading to memory corruption, arbitrary code execution, or crashes. Exploiting this flaw could allow an attacker to run arbitrary code within the browser, potentially leading to malware installation, data theft, or full system compromise. Since XSLT processing can occur when loading XML content from a website, the vulnerability can be triggered remotely without additional user interaction.
- CVE-2025-1010: Use-After-Free in Custom Highlight API
Another high-severity use-after-free vulnerability affects Firefox’s Custom Highlight API, which allows web developers to apply custom styling to text selections for features like search result highlighting and spellchecking. The flaw occurs due to improper memory tracking when managing text highlights. If references to highlight objects are not handled correctly, deleting or modifying them can leave dangling pointers in memory. Subsequent interactions with these pointers can cause memory corruption, potentially leading to arbitrary code execution. An attacker exploiting this vulnerability could run malicious code with the same privileges as the browser, compromising user data and system security.
- CVE-2025-1020: Memory Safety Bugs
This entry covers multiple memory safety issues present in Firefox 134, including buffer overflows, heap corruptions, and type confusions caused by improper memory handling. These flaws could be exploited together with other vulnerabilities to bypass security features such as sandboxing. If an attacker gains initial code execution within the browser, they could use additional exploits to escalate privileges and execute code at the operating system level.
These vulnerabilities highlight the ongoing risks posed by use-after-free and memory safety flaws, which continue to be among the most significant challenges in browser security.
CloudFlare CDN
Researcher Hackermondev discovered a vulnerability in Cloudflare’s CDN that allowed a user’s location to be revealed by sending an image via Signal or Discord. While zero-click attacks generally lack precise geolocation capabilities, this method could track a target to a street or neighborhood, providing a baseline location for further monitoring.
Such information could be particularly useful for military, intelligence, or law enforcement agencies, helping them determine a suspect’s whereabouts or the location of sensitive events. Three months ago, the researcher noticed that Cloudflare caches media resources in the data center closest to the user to speed up downloads. By installing a vulnerable app on a victim’s phone—or running a background app on their laptop—an attacker could send a malicious payload and de-anonymize the target in seconds.
To execute the attack, the researcher sent unique images—such as screenshots or profile avatars—hosted on Cloudflare’s CDN. He then exploited a bug in Cloudflare Workers that allowed requests to be forcibly routed through specific data centers using a tool called Cloudflare Teleport. Normally, Cloudflare’s security policies prevent arbitrary routing, ensuring each request is handled by the nearest data center. However, by comparing cached responses from different Cloudflare data centers, the researcher developed a CDN-based map of users’ approximate locations, returning the airport code of the nearest data center.
Since many apps automatically upload images for push notifications—including Signal and Discord—an attacker could track a target without user interaction, making this a zero-click attack. Accuracy ranged from 50 to 300 miles, depending on the number of Cloudflare data centers in a region. The method was more precise in major cities than in rural areas. The researcher reported his findings to Cloudflare, Signal, and Discord. Cloudflare marked the issue as resolved and awarded him $200.
Hackermondev confirmed that the Workers bug was fixed, but geolocation-based attacks remain possible using a modified approach. By reprogramming Teleport to test different CDN locations via a VPN, he found that the method still worked, though it was slightly more difficult. Using a VPN provider with over 3,000 servers in 31 countries, he covered about 54% of Cloudflare’s data centers, allowing tracking in most densely populated areas.
In response to a follow-up inquiry, Cloudflare stated that it was ultimately the user’s responsibility to disable caching. Signal and Discord referred the researcher to Cloudflare, noting that implementing network-level anonymity features was beyond their capabilities.
Cisco
Cisco has released patches for three vulnerabilities, including a critical privilege escalation flaw in Meeting Management and a denial-of-service (DoS) vulnerability in ClamAV, for which a proof-of-concept (PoC) is available.
The most severe issue, CVE-2025-20156 (CVSS 9.9), affects the Meeting Management REST API and allows remote attackers to escalate privileges to administrator. The flaw stems from improper authorization enforcement on REST API users, enabling an attacker to send API requests to a specific endpoint and gain administrator-level control over peripheral nodes managed by Cisco Meeting Management. According to Cisco, all devices running Meeting Management are affected, regardless of configuration settings, and no workaround is available. The issue is fixed in Meeting Management version 3.9.1, and users running version 3.8 or earlier are advised to upgrade. Version 3.10 is not affected.
Cisco has also addressed CVE-2025-20165, a serious vulnerability in the BroadWorks SIP processing subsystem that allows a remote, unauthenticated attacker to cause a DoS condition. The flaw is due to improper handling of certain SIP requests. By flooding a vulnerable system with such requests, an attacker could exhaust memory allocated to BroadWorks servers processing SIP traffic, requiring manual intervention to restore service. The vulnerability is resolved in BroadWorks RI.2024.11, and customers are advised to upgrade, as no workaround is available. Cisco is not aware of any exploitation of these two vulnerabilities.
However, the company warns that a PoC is available for CVE-2025-20128, a medium-severity heap buffer overflow in ClamAV’s Object Linking and Embedding 2 (OLE2) parser. The issue arises from an integer underflow in bounds checking, allowing an attacker to send a crafted file containing OLE2 content. When scanned, ClamAV crashes, triggering a DoS condition. Cisco has patched the vulnerability in Secure Endpoint Connector for Linux (1.25.1), macOS (1.24.4), Windows (7.5.20 and 8.4.3), and cloud (4.2.0). While the PoC demonstrates potential exploitation, there is no evidence of real-world attacks.
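Both the CWE-191 step in the Windows LDAP chain (CVE-2025-21376, above) and the integer underflow in bounds checking behind the ClamAV OLE2 crash (CVE-2025-20128) come down to the same arithmetic: a length derived by subtraction wraps around when the operands are in the wrong order, and the bounds check that relies on it then passes everything, so the copy that follows overruns its heap allocation (the CWE-122 outcome also named for CVE-2025-21418). The Python below is an added example, not Microsoft's, ClamAV's or the digest's code, with a constructed record layout and uint32 wrap-around emulated explicitly; it models the allocation, the check and the copy for a benign and a crafted packet, and shows the guarded variant rejecting the crafted one.

```python
"""Length arithmetic in a C-style record parser, with and without the guard
that stops an unsigned underflow from defeating the bounds check.

Added example for the CWE-191 -> CWE-122 chain described for CVE-2025-21376
and for the integer underflow in bounds checking behind CVE-2025-20128. The
record layout is constructed; it is neither the LDAP nor the OLE2 format."""

MASK32 = 0xFFFFFFFF   # emulate C uint32_t wrap-around
MAGIC = b"EXMP"       # constructed 4-byte magic
HEADER_LEN = 8        # magic (4) + declared total length (4)


def u32(x: int) -> int:
    return x & MASK32


def build_packet(declared_total: int, record: bytes) -> bytes:
    """header + one record: [u16 rec_len][rec_len bytes]. declared_total is
    what the sender claims the whole packet is; a sender can lie about it."""
    return (MAGIC + declared_total.to_bytes(4, "little")
            + len(record).to_bytes(2, "little") + record)


def parse_record(packet: bytes, guarded: bool) -> dict:
    """Model of the C parser: allocate a heap buffer of the declared size, then
    copy the record into it after a bounds check.

    Vulnerable path: remaining = total_len - HEADER_LEN in uint32 arithmetic.
    If total_len < HEADER_LEN it wraps to ~4 GB, so `rec_len > remaining`
    never fires and the memcpy writes past the small allocation.
    Guarded path: validate the operands before subtracting."""
    if len(packet) < HEADER_LEN + 2 or packet[:4] != MAGIC:
        raise ValueError("malformed header")
    total_len = int.from_bytes(packet[4:8], "little")
    if guarded:
        if total_len < HEADER_LEN:
            raise ValueError("declared length shorter than header")
        if total_len > len(packet):
            raise ValueError("declared length exceeds received data")
    heap = bytearray(total_len)                 # malloc(total_len)
    remaining = u32(total_len - HEADER_LEN)     # underflows when total_len < HEADER_LEN
    rec_len = int.from_bytes(packet[8:10], "little")
    if rec_len > remaining:                     # the bounds check the underflow defeats
        raise ValueError("record exceeds declared length")
    data = packet[10:10 + rec_len]
    if len(data) != rec_len:
        raise ValueError("truncated record")
    heap[0:rec_len] = data                      # memcpy(heap, data, rec_len)
    return {
        "alloc": total_len,
        "remaining": remaining,
        "copied": rec_len,
        # the bytearray silently grew where C would have written past the chunk
        "overflow_bytes": len(heap) - total_len,
    }


def guarded_rejects(packet: bytes) -> bool:
    """True when the guarded parser refuses the packet."""
    try:
        parse_record(packet, guarded=True)
        return False
    except ValueError:
        return True


BENIGN = build_packet(HEADER_LEN + 2 + 5, b"hello")
CRAFTED = build_packet(2, b"A" * 300)   # claims 2 bytes total, carries a 300-byte record


if __name__ == "__main__":
    print("benign  :", parse_record(BENIGN, guarded=False))
    print("crafted :", parse_record(CRAFTED, guarded=False))
    print("guarded rejects crafted:", guarded_rejects(CRAFTED))
```

The guarded branch is the whole fix: compare `total_len` with `HEADER_LEN` (and with the bytes actually received) before forming the difference, so `remaining` can never wrap. In C the same rule reads "check before you subtract, and check the result against the allocation, not only against the declared length".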
Identity Services Engine (ISE) Vulnerabilities
Cisco has also patched critical vulnerabilities in the Identity Services Engine (ISE) that allow remote attackers to execute arbitrary commands and escalate privileges.
- CVE-2025-20124 (CVSS 9.9): A Java deserialization vulnerability in the Cisco ISE API that allows an authenticated remote attacker to execute arbitrary commands as root on a vulnerable device.
- CVE-2025-20125 (CVSS 9.1): An authorization bypass flaw in the Cisco ISE API that allows an authenticated remote attacker with valid read-only credentials to obtain sensitive information, modify host configurations, and restart the host.
An attacker could exploit these flaws by sending a specially crafted serialized Java object or HTTP request to an unspecified API endpoint, resulting in privilege escalation and remote code execution. The vulnerabilities are independent of each other, and no workarounds exist.
Discovered by Deloitte researchers, these issues have been patched in Cisco ISE 3.0 (upgrade required), 3.1 (patched in 3.1P10), 3.2 (patched in 3.2P7), 3.3 (patched in 3.3P4), and 3.4 (not vulnerable). Cisco has no evidence of malicious exploitation but recommends that users update their systems as soon as possible.
Android
Google has released the February 2025 Android security update, addressing 48 vulnerabilities, including a widely exploited zero-day.
Tracked as CVE-2024-53104, the zero-day affects the Android kernel’s USB Video Class (UVC) driver, allowing authenticated local attackers to escalate privileges in low-complexity attacks. The issue stems from improper handling of UVC_VS_UNDEFINED frame types in the uvc_parse_format function of the Linux kernel’s uvcvideo driver. Because the function does not account for these frames when calculating buffer size, it can result in out-of-bounds writes. While Google has not disclosed further technical details, Linux kernel developer Greg Kroah-Hartman reported in December 2024 that the vulnerability has existed since Linux kernel version 2.6.26, released in mid-2008. Developers of GrapheneOS suggest that CVE-2024-53104 may be one of the USB vulnerabilities exploited by forensic data extraction tools.
Google has privately confirmed this, stating that the vulnerability could allow physical privilege escalation without requiring additional execution privileges.
Beyond the actively exploited flaw, the update also addresses a critical vulnerability in Qualcomm’s WLAN component, tracked as CVE-2024-45569. Qualcomm describes it as a firmware memory corruption issue caused by improper array index validation when processing malformed ML IE frames during WLAN host communication. The flaw can be exploited remotely to execute arbitrary code, modify memory, or trigger system failures. The attack is classified as low-complexity and does not require user interaction or elevated privileges.
The February 2025 update is split into two parts:
- 2025-02-01 patch level: Fixes 23 vulnerabilities in Framework, Platform, and System components.
- 2025-02-05 patch level: Resolves 23 additional security flaws in Core, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components.
Devices running Android Automotive OS and Wear OS that receive the 2025-02-05 security patch also include fixes for all vulnerabilities covered in the February 2025 Android Security Bulletin.
Apple
A team of researchers from the Georgia Institute of Technology and Ruhr University Bochum, known for their work on Meltdown, Spectre, SGX Fail, and RAMBleed, has disclosed details on two new side-channel attacks—FLOP and SLAP—along with a demonstration of their impact. These newly discovered vulnerabilities in modern Apple processors could allow attackers to extract sensitive information from browsers. Affected devices include all Mac laptops sold after 2022, Mac desktops sold after 2023, and iPhones sold after 2021.
The vulnerabilities stem from flaws in speculative execution, the same mechanism behind high-profile attacks like Spectre and Meltdown. FLOP and SLAP target functions that improve processing speed by predicting future instructions before they execute. However, these predictions can leave exploitable traces in memory. Starting with the M2/A15 generation, Apple processors began predicting kernel memory access addresses, and with the M3/A17 generation, they attempted to predict the data values returned from memory. When these predictions are incorrect, they can lead to unauthorized computations on out-of-range or incorrect data values.
The security risks extend to bypassing browser isolation in Safari and Chrome, allowing cross-origin data leaks. The attacks work remotely via a malicious web page containing JavaScript or WebAssembly, bypassing sandboxing, ASLR, and traditional memory protections. No malware installation is required—just visiting a compromised website is enough to trigger the exploit.
The researchers reported SLAP to Apple on March 24, 2024, and FLOP on September 3, 2024. Apple has confirmed the vulnerabilities and their potential impact and plans to address them in a future security update. Until then, disabling JavaScript in Safari and Chrome is a possible mitigation, though it may break many websites.
Apple Security Updates & Zero-Day Fix
Apple has also released security updates for its mobile and desktop products, including a fix for the first actively exploited zero-day of 2025.
Tracked as CVE-2025-24085, the zero-day affects iOS, iPadOS, macOS, tvOS, watchOS, and visionOS. It is a use-after-free flaw in CoreMedia that could allow attackers to take control of a device using a fake media playback app to access sensitive data. Apple has improved memory management to address the issue in:
- iOS 18.3 / iPadOS 18.3
- macOS Sequoia 15.3
- watchOS 11.3
- visionOS 2.3
- tvOS 18.3
Apple has not disclosed specific details about real-world exploitation, but the flaw affects a wide range of devices, including older models like iPhone XS, iPad Pro (13-inch, 12.9-inch 3rd gen, 11-inch 1st gen), iPad Air 3rd gen, iPad 7th gen, iPad mini 5th gen, Apple Watch Series 6, and Apple TV HD/4K.
Additional Security Fixes
- iOS 18.3 / iPadOS 18.3: Fixes 28 vulnerabilities, including issues related to authentication bypass, DoS, remote code execution (RCE), privilege escalation, fingerprinting, file modifications, spoofing, information disclosure, and command injection.
- macOS Sequoia 15.3: Fixes 60 vulnerabilities of similar impact.
- macOS Sonoma 14.7.3 / macOS Ventura 13.7.3: Address 40+ and 30+ vulnerabilities, respectively.
- iPadOS 17.7.4: Fixes 17 vulnerabilities.
- tvOS 18.3 / watchOS 11.3: Fixes 18 vulnerabilities.
- visionOS 2.3: Fixes 21 vulnerabilities.
- Safari 18.3: Fixes 7 browser security issues, including authentication bypass in extensions, UI spoofing, address bar spoofing, fingerprinting, DoS, process crashes, and command injection.
The zero-day appears to have been used in targeted attacks, making it critical for users to install updates as soon as possible.
GarageBand Security Update
In an unusual but significant move, Apple has also released a high-priority security update for GarageBand.
GarageBand 10.4.12 addresses CVE-2024-44142, a remote code execution (RCE) vulnerability triggered by opening a malicious image file. The issue, discovered by Mark Schenefeld, Ph.D., has been fixed by improving bounds checking. While Apple has not confirmed active exploitation, the potential for abuse was evident.
Given the severity of these vulnerabilities, installing the latest Apple security updates is strongly recommended.
7-Zip
Trend Micro has issued a warning about a high-severity vulnerability in 7-Zip that allows attackers to bypass Windows’ Mark of the Web (MotW) security feature and execute code on a victim’s computer when extracting malicious files from an archive.
7-Zip added MotW support in June 2022 with version 22.00, automatically applying Zone.Id alternate data streams to files extracted from downloaded archives. These flags alert the operating system, browsers, and applications that the files come from an untrusted source, triggering security measures such as Microsoft Office’s Protected View, which opens flagged documents in read-only mode and disables macros.
However, CVE-2025-0411 allows attackers to bypass these security warnings and execute malicious code. To exploit this flaw, a user must visit a malicious website or open a compromised file. The issue arises from improper handling of archive files, causing 7-Zip to fail to propagate MotW flags to extracted content. This allows an attacker to execute remote code (RCE) within the current user’s context.
7-Zip developers patched the vulnerability on November 30, 2024, with the release of 7-Zip 24.09. The developers noted that 7-Zip File Manager did not properly propagate Zone.Identifier flags when extracting files from nested archives (i.e., an archive within another archive).
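A defender-side audit of the propagation the paragraph describes, as an added example that is not 7-Zip's code: it walks an extraction directory and reports files whose Zone.Identifier stream is missing or less restrictive than the downloaded archive's (ZoneId 3 is the Internet zone), which is exactly what an unpatched 7-Zip leaves behind for content from nested archives. The `<path>:Zone.Identifier` open syntax and the stream format are Windows/NTFS behaviour; on a filesystem without alternate data streams every file is reported, because the stream cannot exist there.

```python
"""Audit files extracted from a downloaded archive for a missing Mark of the Web.

Added example, not 7-Zip code. On Windows, MotW lives in an NTFS alternate
data stream named 'Zone.Identifier' attached to each file; Python can read it
by opening '<path>:Zone.Identifier'. The stream body is INI-like text:

    [ZoneTransfer]
    ZoneId=3

ZoneId 3 = Internet, 4 = Restricted Sites. The walk below reports extracted
files whose stream is absent or whose zone is lower than the archive's.
"""
import os
import re
from typing import List, Optional

ZONE_INTERNET = 3
_ZONE_RE = re.compile(r"^\s*ZoneId\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_zone_identifier(stream: bytes) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent."""
    text = stream.decode("utf-8", errors="replace")
    if "[zonetransfer]" not in text.lower():
        return None
    match = _ZONE_RE.search(text)
    return int(match.group(1)) if match else None


def read_zone(path: str) -> Optional[int]:
    """Read a file's ZoneId; None when the stream is missing (or ADS unsupported)."""
    try:
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:  # no such stream, or a filesystem without alternate data streams
        return None


def find_unmarked(extract_dir: str, archive_zone: int = ZONE_INTERNET) -> List[str]:
    """List extracted files lacking MotW or marked less restrictively than the archive."""
    unmarked = []
    for root, _dirs, files in os.walk(extract_dir):
        for name in files:
            path = os.path.join(root, name)
            zone = read_zone(path)
            if zone is None or zone < archive_zone:
                unmarked.append(path)
    return unmarked
```

Run it against the directory you extracted a downloaded archive into; any path it prints would open without Protected View or SmartScreen checks.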
Since 7-Zip lacks an automatic update feature, many users are likely still running a vulnerable version, leaving their systems exposed to malware infections. Users should update immediately, as similar flaws—such as CVE-2024-38213 and CVE-2024-21412—have been actively exploited in real-world attacks.
Cacti
A critical vulnerability has been identified in Cacti, an open-source network monitoring and fault management system, allowing an authenticated attacker to execute remote code on vulnerable instances.
Tracked as CVE-2025-22604 (CVSS 9.1), the vulnerability was disclosed by a private researcher using the alias u32i. It stems from a flaw in Cacti’s multi-line SNMP result analyzer, which allows authenticated users to insert incorrect OIDs into the response. When processed by ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), part of each OID is used as a key in an array incorporated into a system command, leading to remote code execution (RCE). A successful exploit would allow an attacker with device management privileges to execute arbitrary code on the server, potentially leading to data theft, modification, or deletion.
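To make the injection path concrete, here is an added example (not Cacti's code) that contrasts the anti-pattern with a hardened form: an OID suffix parsed from multi-line SNMP output becomes a map key and then a command argument. The SNMP lines, the `some_tool` command name and its `--index` argument are constructed placeholders; the OID under UCD-SNMP's diskIOTable is sample data only.

```python
"""Vulnerable vs. hardened handling of an OID fragment used as a command argument.

Added example, not Cacti's code. It models the pattern the advisory
describes: a multi-line SNMP result is parsed into a map keyed by the OID
suffix, and that key later lands in a system command. 'some_tool' and
'--index' are placeholders for illustration.
"""
import re
import shlex
from typing import Dict, List

# Constructed SNMP walk output, one OID per line, in net-snmp's text form.
SAMPLE_SNMP = """\
.1.3.6.1.4.1.2021.13.15.1.1.2.1 = STRING: sda
.1.3.6.1.4.1.2021.13.15.1.1.2.2 = STRING: sdb
"""

# Only dotted numeric OID suffixes are legal keys; anything else is rejected.
_OID_SUFFIX_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_snmp_lines(text: str, base_oid: str) -> Dict[str, str]:
    """Map OID suffix (the part after base_oid) -> value, as the peer sent it."""
    table = {}
    for line in text.splitlines():
        oid, _sep, value = line.partition(" = ")
        if oid.startswith(base_oid + "."):
            table[oid[len(base_oid) + 1:]] = value.split(": ", 1)[-1]
    return table


def build_command_unsafe(key: str) -> str:
    """The anti-pattern: the peer-controlled key is concatenated into a shell string."""
    return "some_tool --index=" + key  # 'key' may carry shell metacharacters


def build_command_safe(key: str) -> List[str]:
    """Hardened: validate the key's shape, then pass it as one argv element (no shell)."""
    if not _OID_SUFFIX_RE.fullmatch(key):
        raise ValueError(f"rejected non-numeric OID suffix: {key!r}")
    return ["some_tool", "--index=" + key]


if __name__ == "__main__":
    base = ".1.3.6.1.4.1.2021.13.15.1.1.2"
    for suffix in parse_snmp_lines(SAMPLE_SNMP, base):
        print(shlex.join(build_command_safe(suffix)))
```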
CVE-2025-22604 affects all Cacti versions up to and including 1.2.28, with a fix available in version 1.2.29.
The update also addresses CVE-2025-24367 (CVSS 7.2), which allows an authenticated attacker to create arbitrary PHP scripts in the application’s root web directory by abusing graph creation and template functionality, ultimately leading to RCE.
Given Cacti’s history of exploitation in real-world attacks, users should apply the necessary patches immediately to minimize the risk of compromise.
Ivanti
Ivanti has released patches for multiple critical vulnerabilities affecting Avalanche, Application Control Engine, and Endpoint Manager (EPM).
The most serious issues are four path traversal vulnerabilities in Ivanti EPM, allowing unauthenticated remote attackers to access sensitive information. Tracked as CVE-2024-10811, CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, these flaws have a CVSS score of 9.8 and impact EPM 2024 and 2022 SU6 (updated as of November 2024).
The updates also address 12 high-severity vulnerabilities that could lead to remote code execution (RCE), denial of service (DoS), and privilege escalation (EoP), all of which can be exploited remotely without authentication.
Additionally, Avalanche 6.4.7 has been released, fixing CVE-2024-13179 through CVE-2024-13181, which are high-severity authentication bypass vulnerabilities that could be exploited remotely to steal sensitive information.
Ivanti has stated that there is no evidence of these vulnerabilities being exploited in real-world attacks at this time.
WordPress
WordPress site owners face a new security threat: a serious vulnerability in the W3 Total Cache plugin, which has over one million installations. The flaw could allow attackers to access sensitive information, including cloud application metadata.
W3 Total Cache improves website performance by using various caching techniques to reduce load times and enhance SEO rankings. However, the newly discovered vulnerability, CVE-2024-12365, affects all versions prior to 2.8.2. While a patch has been released, hundreds of thousands of websites remain on vulnerable versions, with only 150,000 sites running the latest update.
According to Wordfence, the issue arises from insufficient capability checks in the is_w3tc_admin_page function. This allows attackers to access the plugin’s nonce security value and perform unauthorized actions. Exploitation is possible if the attacker is authenticated with at least subscriber-level access, a privilege that is easy to obtain on many WordPress sites.
Potential Impact
- Server-Side Request Forgery (SSRF): Attackers can send requests that expose sensitive data.
- Information Disclosure: Unauthorized access to system details and metadata.
- Service Abuse: Exploiting caching limits, which can degrade site performance.
In real-world scenarios, attackers could use compromised sites as proxies to send malicious requests to other services, leveraging the gathered information for further attacks.
The best way to mitigate the risk is to update W3 Total Cache to version 2.8.2, which fixes the vulnerability.
To improve security, WordPress site owners should:
- Limit the number of installed plugins to essential ones only.
- Remove outdated or unnecessary plugins.
- Use a web application firewall (WAF) to detect and block exploitation attempts.
With a high number of vulnerable installations still in use, site administrators should apply the update as soon as possible to reduce the risk of compromise.
Rsync
More than 660,000 Rsync servers are potentially vulnerable to six newly discovered vulnerabilities, including a critical heap buffer overflow that allows remote code execution (RCE). Rsync is widely used in backup systems, file distribution, and cloud/server management, making these flaws particularly concerning.
Discovered by Google Cloud and independent researchers, the vulnerabilities can be combined for remote system compromise. The most severe, CVE-2024-12084, enables attackers with anonymous read access—such as on public mirrors—to execute arbitrary code on the Rsync server. Alternatively, attackers running a malicious Rsync server could steal files and execute malicious code on connected clients by overwriting key system files like ~/.bashrc or ~/.popt.
Key Vulnerabilities
- Heap buffer overflow (CVE-2024-12084, CVSS 9.8) – Caused by improper checksum length handling, leading to out-of-bounds writes and RCE. Affects versions 3.2.7 to < 3.4.0.
- Information leak (CVE-2024-12085, CVSS 7.5) – Allows leakage of uninitialized stack data during checksum comparison. Affects all versions below 3.4.0.
- Server leaks arbitrary client files (CVE-2024-12086, CVSS 6.1) – A malicious server can extract client files byte by byte by modifying checksum values during transfers. Affects all versions below 3.4.0.
- Path traversal (CVE-2024-12087, CVSS 6.5) – Due to insufficient symbolic link checks, malicious servers can write files outside intended directories on the client. Affects all versions below 3.4.0.
- Bypassing the --safe-links parameter (CVE-2024-12088, CVSS 6.5) – Symbolic link misassignment leads to path traversal and unauthorized file writes. Affects all versions below 3.4.0.
- Race condition (CVE-2024-12747, CVSS 5.6) – A race condition in symbolic link processing could allow attackers to access sensitive files and escalate privileges. Affects all versions below 3.4.0.
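As an added example that is not rsync's code, the following models the check a receiver must apply to a peer-supplied checksum length before copying checksum bytes into a fixed-size buffer, the class of defect listed for CVE-2024-12084 above. The four-field header layout and the MAX_DIGEST_LEN / MAX_BLOCK_SIZE limits are assumptions for this illustration, not rsync's actual protocol definitions.

```python
"""Bounds-check a peer-supplied checksum length before it drives a buffer copy.

Added example, not rsync's code. It models the condition the digest
describes for CVE-2024-12084: a checksum length taken from the peer and
trusted when copying checksum bytes into a fixed buffer. The header layout
(four little-endian int32 fields: count, blength, s2length, remainder) and
the limits below are assumptions made for illustration.
"""
import struct

MAX_DIGEST_LEN = 64        # assumed size of the fixed checksum buffer
MAX_BLOCK_SIZE = 1 << 17   # assumed upper bound on a block length


class ProtocolError(ValueError):
    """Raised when a header field is outside the range the receiver can honour."""


def read_sum_head(data: bytes) -> dict:
    """Parse the sum header, rejecting out-of-range values before any copy happens."""
    if len(data) < 16:
        raise ProtocolError("short sum header")
    count, blength, s2length, remainder = struct.unpack("<iiii", data[:16])
    if count < 0:
        raise ProtocolError(f"invalid checksum count {count}")
    if blength < 0 or blength > MAX_BLOCK_SIZE:
        raise ProtocolError(f"invalid block length {blength}")
    # The check that matters here: a length larger than the receiving buffer
    # would otherwise turn a memcpy-style copy into an out-of-bounds write.
    if s2length < 0 or s2length > MAX_DIGEST_LEN:
        raise ProtocolError(f"invalid checksum length {s2length}")
    if remainder < 0 or remainder > blength:
        raise ProtocolError(f"invalid remainder {remainder}")
    return {"count": count, "blength": blength,
            "s2length": s2length, "remainder": remainder}


def copy_checksum(s2length: int, wire: bytes) -> bytearray:
    """Copy s2length checksum bytes into a MAX_DIGEST_LEN buffer (models the memcpy)."""
    buf = bytearray(MAX_DIGEST_LEN)
    if s2length < 0 or s2length > len(buf) or s2length > len(wire):
        raise ProtocolError("checksum length exceeds buffer or available data")
    buf[:s2length] = wire[:s2length]
    return buf
```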
CERT/CC has flagged major Linux distributions, including Red Hat, Arch, Gentoo, Ubuntu, NixOS, AlmaLinux OS Foundation, and Triton Data Center, as affected. However, many other vendors have yet to respond. Red Hat’s bulletin warns that there is no practical mitigation for CVE-2024-12084, which can be exploited in the default Rsync configuration unless valid credentials are required.
Shodan scans reveal over 660,000 open Rsync servers, mostly in China (521,000), followed by the US, Hong Kong, South Korea, Russia, and Germany. Of these, 306,517 use the default TCP port 873, while 21,239 run on port 8873, typically used for Rsync via SSH tunneling. Their vulnerability status remains unclear.
Recommended Actions
- Upgrade Rsync to version 3.4.0 immediately.
- Require authentication for Rsync servers.
- Block TCP port 873 at the network perimeter to prevent remote access.
With no viable mitigations for the most severe flaws, immediate patching is essential.
SimpleHelp
Researchers at Horizon3.ai have identified multiple critical vulnerabilities in SimpleHelp remote access software that could lead to information disclosure, privilege escalation (EoP), and remote code execution (RCE). These flaws are easy to exploit but also relatively simple to fix.
Key Vulnerabilities
- CVE-2024-57727: An unauthenticated path traversal vulnerability allowing attackers to download arbitrary files from the SimpleHelp server. This includes serverconfig.xml, which contains hashed passwords for the SimpleHelpAdmin account and other local accounts.
- CVE-2024-57728: An arbitrary file upload vulnerability that enables an attacker with SimpleHelpAdmin privileges to upload files anywhere on the SimpleServer host, potentially leading to RCE.
- CVE-2024-57726: A privilege escalation flaw that allows a low-privileged technician to gain administrator access due to missing authorization checks.
An attacker could chain CVE-2024-57726 and CVE-2024-57728 to escalate privileges to administrator and deploy arbitrary payloads, ultimately taking control of the SimpleHelp server.
Horizon3.ai has withheld additional technical details due to the severity and ease of exploitation of these vulnerabilities. The flaws were disclosed responsibly on January 6, 2025, and patched in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8, released on January 8 and 13.
Recommended Actions
- Update to the latest SimpleHelp version immediately.
- Change the SimpleHelp server administrator password.
- Change passwords for all technician accounts.
- Restrict login IP addresses for administrators and technicians.
Given that remote access tools are frequently targeted by attackers to establish persistent access, applying these patches is critical to securing affected systems.
How To Efficiently Patch All of These Vulnerabilities And More
Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.