
Patch Tuesday March 2025

March 11, 2025

By Mike Walters

Patch Tuesday March 2025 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

Welcome to this month’s Patch Tuesday. Microsoft has released fixes for 57 vulnerabilities, a count similar to last month’s, but this time including six critical flaws and six zero-days that were already being exploited when the patches shipped. One further vulnerability was publicly disclosed before the patch. Here are the details of the most notable updates.

Multiple Zero-Day Vulnerabilities in Windows File System Drivers

Microsoft has identified several zero-day vulnerabilities affecting core Windows file system components, specifically the NTFS and Fast FAT file system drivers.

1. Windows NTFS Information Disclosure Vulnerability (CVE-2025-24984)

This vulnerability (CWE-532, insertion of sensitive information into a log file) results from NTFS writing unsanitized kernel or heap memory contents into its log files while recording certain file system events, potentially exposing data belonging to running processes or the kernel heap.

  • Affected Systems: All Windows systems using NTFS, widely deployed in enterprise environments.
  • Impact: Attackers with physical access can extract portions of heap memory, potentially recovering sensitive information such as cryptographic keys, tokens, or cached credentials.
  • CVSS Score: Base 4.6, Temporal 4.3
  • Publicly Disclosed: No
  • Exploited in the Wild: Yes (“Exploitation Detected”)
  • Proof of Concept (PoC): Likely exists privately among threat actors.

Exploitation Details:

  • Attack Vector: Physical (requires direct access, e.g., via USB plug-in).
  • Attack Complexity: Low
  • Privileges Required: None

2. Windows NTFS Remote Code Execution Vulnerability (CVE-2025-24993)

A heap-based buffer overflow (CWE-122) triggered by mounting specially crafted Virtual Hard Disk (VHD) files. Malformed metadata structures cause the NTFS driver to mishandle memory, leading to memory corruption and arbitrary code execution.

  • Affected Systems: All Windows systems using NTFS.
  • Impact: Full system compromise; code execution at driver-level privileges may allow kernel-level access.
  • CVSS Score: Base 7.8, Temporal 7.2
  • Publicly Disclosed: No
  • Exploited in the Wild: Yes (active exploitation detected)
  • PoC: Highly probable given confirmed exploitation.

Exploitation Details:

  • Attack Vector: Local (maliciously crafted VHD file).
  • Attack Complexity: Low
  • Privileges Required: None (victim’s privileges suffice).
  • User Interaction: Required (victim must mount the malicious VHD).

While labeled “Remote” by Microsoft, exploitation occurs locally—the attacker is remote but must trick a victim into executing the payload.

3. Windows NTFS Out-of-Bounds Read Information Disclosure Vulnerability (CVE-2025-24991)

An out-of-bounds (OOB) read vulnerability (CWE-125) caused by improper constraint checks when parsing NTFS metadata. Crafted VHDs can trigger an over-read in kernel-mode memory, potentially leaking sensitive heap data.

  • Affected Systems: All Windows systems using NTFS.
  • Impact: Potential exposure of sensitive kernel data, including cryptographic keys, tokens, and file contents.
  • CVSS Score: Base 5.5, Temporal 5.1
  • Publicly Disclosed: No
  • Exploited in the Wild: Yes
  • PoC: Likely available among threat actors.

Exploitation Details:

  • Attack Vector: Local (maliciously crafted VHD file).
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required (victim must mount the malicious VHD).

4. Windows Fast FAT File System Driver Remote Code Execution Vulnerability (CVE-2025-24985)

A combination of integer overflow (CWE-190) and heap-based buffer overflow (CWE-122). Specially crafted FAT-formatted Virtual Hard Disks exploit improper arithmetic validation, leading to memory corruption and arbitrary code execution with kernel-level privileges.

  • Affected Systems: All Windows systems supporting FAT/FAT32 (widely used for legacy compatibility and removable storage).
  • Impact: Full system compromise via kernel-level execution.
  • CVSS Score: Base 7.8, Temporal 7.2
  • Publicly Disclosed: No
  • Exploited in the Wild: Yes
  • PoC: Likely active among advanced threat actor circles.

Exploitation Details:

  • Attack Vector: Local (malicious FAT-formatted VHD file).
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required (victim must mount the malicious VHD).

Although Microsoft categorizes this as “Remote,” exploitation still requires local execution by the victim.

Attack Chain and Insider Threat Implications

Attackers can chain these vulnerabilities to maximize impact:

  • Information disclosure flaws (CVE-2025-24984, CVE-2025-24991) can leak sensitive memory data, aiding privilege escalation.
  • Remote code execution vulnerabilities (CVE-2025-24985, CVE-2025-24993) can leverage leaked data to improve exploit reliability and effectiveness.

Insider Threat Risk:
These vulnerabilities are particularly concerning for high-security enterprises, critical infrastructure and financial institutions. CVE-2025-24984 requires physical access to the machine, and the other three need only a user who mounts a disk image, so insiders and anyone with hands-on access to endpoints pose a significant risk.

Broader Security Implications

These vulnerabilities exist in fundamental OS drivers critical to Windows operations, making them a global security risk. Potentially affected organizations include:

  • Public sector entities
  • Tech and IT giants
  • Healthcare providers
  • Financial institutions
  • Critical infrastructure
  • Government agencies

Exploitation Feasibility:
The primary attack vectors—USB insertion and mounting malicious VHD files—are accessible to attackers who gain an initial foothold through phishing, social engineering, or insider access.

Because the flaws sit in kernel-mode file system drivers, exploitation bypasses application-level security controls entirely and yields kernel memory disclosure or kernel-level code execution, so they pose severe and long-term operational risks. Their active exploitation suggests that advanced persistent threat (APT) groups and cybercriminal organizations are already leveraging them.
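Because the common delivery vector for three of these four bugs is a mounted disk image, an analyst's first question on a suspect endpoint is "what file-backed disks are attached right now, where did the backing file come from, and which file system does it expose to ntfs.sys or fastfat.sys?". The PowerShell below answers that; it is an added example, not code from the Action1 digest or from Microsoft. It assumes the Storage module (Windows 8 / Server 2012 and later) and that Get-Disk reports VHD/VHDX disks with BusType 'File Backed Virtual' and the backing file path in its Location property, which is what Explorer and Mount-DiskImage produce.

```powershell
# Added example, not part of the original digest: inventory file-backed
# virtual disks attached to this host, the file systems they expose, and
# whether the backing file carries Mark-of-the-Web (i.e. was downloaded).
# Assumes Get-Disk reports such disks with BusType 'File Backed Virtual'
# and the backing path in Location (true for VHD/VHDX on supported Windows).

function Get-AttachedVirtualDisk {
    [CmdletBinding()]
    param()

    Get-Disk | Where-Object { $_.BusType -eq 'File Backed Virtual' } | ForEach-Object {
        $disk    = $_
        $backing = $disk.Location

        # File systems on this disk: these are what ntfs.sys / fastfat.sys parse.
        $fsTypes = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
            Get-Volume -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FileSystemType } |
            Where-Object { $_ } | Sort-Object -Unique

        # Mark-of-the-Web lives in the Zone.Identifier alternate data stream;
        # ZoneId=3 (Internet) or 4 (Restricted) means the file came from outside.
        $zone = $null
        if ($backing -and (Test-Path -LiteralPath $backing)) {
            $motw = Get-Content -LiteralPath $backing -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
            if ($motw -match 'ZoneId=(\d)') { $zone = [int]$Matches[1] }
        }

        [pscustomobject]@{
            DiskNumber   = $disk.Number
            FriendlyName = $disk.FriendlyName
            SizeGB       = [math]::Round($disk.Size / 1GB, 2)
            BackingFile  = $backing
            FileSystems  = ($fsTypes -join ',')
            ZoneId       = $zone
            Suspicious   = ($zone -ge 3)   # downloaded image handed to a kernel FS driver
        }
    }
}

# Usage: run elevated on the endpoint, or fan out with Invoke-Command.
Get-AttachedVirtualDisk | Format-Table -AutoSize
```

A downloaded VHD exposing NTFS or FAT volumes is exactly the pre-condition for CVE-2025-24985, CVE-2025-24991 and CVE-2025-24993, so a `Suspicious` row on an unpatched machine is worth pulling the image for analysis. ISO files mount as virtual optical drives rather than disks and therefore do not appear in this list.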

Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (CVE-2025-24983)

A newly disclosed zero-day vulnerability, CVE-2025-24983, affects the Windows Win32 Kernel Subsystem. It results from a CWE-416: Use After Free condition, where a kernel-mode component continues referencing memory after it has been freed. Improper memory handling in critical kernel operations allows attackers to exploit freed memory for privilege escalation.

The vulnerability stems from a race condition in the Kernel Subsystem, where multiple threads attempt to allocate, free, or access shared memory simultaneously. If the timing aligns correctly, the kernel may reference stale memory, enabling attackers to manipulate kernel structures or execute malicious payloads with elevated privileges.

Affected Systems:

  • Windows 10 builds up to 1809, plus the out-of-support Windows 8.1 and earlier client releases
  • Windows Server 2008 through Windows Server 2016
  Newer releases, including Windows 10 21H2/22H2, Windows 11 and Windows Server 2019/2022, are not listed as affected.

Given its kernel-level nature, the vulnerability impacts both desktop workstations and mission-critical servers, significantly expanding the attack surface.

Potential Impact:

  • Privilege Escalation: Attackers can elevate access from standard user privileges to full SYSTEM privileges, gaining complete control over the machine.
  • Data Compromise: Unauthorized access to sensitive data, credentials, encryption keys, and system information.
  • System Manipulation: Attackers can alter security settings, disable logging and auditing, and establish persistence.
  • System Instability: Kernel corruption from exploitation may lead to OS crashes, instability, or denial-of-service conditions.

CVSS Metrics (CVSS 3.1 Score: Base 7.0, Temporal 6.5)

  • Attack Vector: Local (requires local access, either physically or through remote authenticated sessions)
  • Attack Complexity: High (exploitation depends on precise race condition timing, increasing difficulty)
  • Privileges Required: Low (no prior administrative rights needed—standard user privileges suffice)
  • User Interaction: None (no user action required for exploitation)
  • Scope: Unchanged (the impact is limited to the directly targeted system)

Exploitation Status

  • Public Disclosure: No (details are not publicly available, reducing widespread exploitation risk)
  • Exploited in the Wild: Yes (Microsoft has confirmed real-world exploitation)
  • Proof of Concept (PoC): Exists privately among threat actors, with active exploitation detected.

Attack Scenarios:

CVE-2025-24983 provides a direct path from low privileges to SYSTEM access, making it an attractive target for attackers with initial access via phishing, malware, compromised credentials, or insider threats.

Although classified as high complexity, well-resourced attackers—including state-sponsored groups and cybercriminal organizations—have historically overcome such constraints through automation and repeated attempts. Race-condition vulnerabilities in kernel subsystems have proven to be reliably exploitable, given sufficient attacker persistence and environment predictability.

Organizations heavily dependent on Windows infrastructure—including enterprises, governments, and critical infrastructure sectors—are at risk. Kernel-level privilege escalation vulnerabilities remain highly valuable to attackers, as they serve as a key pivot point in advanced cyberattacks, enabling deeper network infiltration and persistent access.

Microsoft Management Console Security Feature Bypass Vulnerability (CVE-2025-26633)

Microsoft has identified CVE-2025-26633, a security feature bypass vulnerability in the Microsoft Management Console (MMC). It stems from CWE-707: Improper Neutralization, where attacker-supplied inputs are not properly validated, allowing adversaries to bypass security checks and perform unauthorized actions.

Exploitation Mechanism

Attackers craft specially designed MMC files that exploit flaws in input handling. Due to improper validation, these files can bypass built-in security mechanisms, enabling unauthorized actions that compromise the confidentiality, integrity, and availability of affected systems.

Affected Systems

All supported Microsoft Windows versions using Microsoft Management Console.

Impact

  • Attackers can bypass security features, allowing them to execute unauthorized actions.
  • Protections that MMC applies when loading console (.msc) files may be circumvented, potentially leading to long-term persistence and stealthy malicious activity.
  • Can be combined with other entry-point vulnerabilities (e.g., browser- or document-based exploits) to establish a foothold before escalating attacks.

CVSS Metrics (CVSS 3.1 Score: Base 7.0, Temporal 6.5)

  • Attack Vector: Local (Attackers must execute their payloads on the victim’s system, often via social engineering or file-sharing.)
  • Attack Complexity: High (Exploitation requires precise setup and targeting, making mass exploitation less likely.)
  • Privileges Required: None (Attackers do not need prior system privileges to exploit this vulnerability.)
  • User Interaction: Required (Victims must open a malicious MMC file, typically delivered through phishing or social engineering.)

Exploitation Status

  • Public Disclosure: No (Details remain undisclosed, limiting widespread attacks for now.)
  • Exploited in the Wild: Yes (Microsoft has confirmed real-world exploitation.)
  • Proof of Concept (PoC): Exists (Confirmed functional exploit, though not publicly available.)

Attack Scenarios

  • Targeted Social Engineering: Attackers distribute malicious MMC files through phishing, chat messages, or file-sharing services, tricking users into opening them.
  • Enterprise Security Evasion: By bypassing MMC’s security features, attackers can manipulate system policies, disable logging, or alter administrative settings without detection.
  • Persistence and Lateral Movement: Threat actors can maintain access to compromised systems by leveraging legitimate administrative tools, making their activities harder to detect.

Security Implications

While security feature bypass vulnerabilities often receive less attention than remote code execution flaws, they are critical for attackers looking to evade defenses. MMC is a core administrative tool, and exploiting it allows adversaries to blend in with legitimate system activity, making detection more challenging.

Although user interaction is required, the threshold is low—simply opening a malicious MMC file. Given the increasing sophistication of spear-phishing campaigns, attackers can craft highly convincing lures to trick users into execution.

Organizations should focus on:

  • User awareness training to recognize phishing attempts targeting administrative tools.
  • Enhanced monitoring for suspicious MMC activity and unexpected administrative operations.
  • Restricting MMC file execution where feasible to limit exposure to this attack.

With confirmed real-world exploitation and its potential for stealthy security bypasses, CVE-2025-26633 should be treated as a high-priority risk for enterprises using MMC in their administrative workflows.
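As a concrete starting point for the monitoring and restriction items above, the PowerShell below hunts for console (.msc) files in user-writable locations that carry Mark-of-the-Web, and lists running mmc.exe instances whose command line points at a console outside %SystemRoot%\System32, where the built-in consoles live. It is an added example, not code from the digest or from Microsoft; the search roots and the "anything outside System32 is worth a look" rule are assumptions of the example, not a vendor recommendation.

```powershell
# Added example, not part of the original digest: find .msc files that arrived
# from outside the host, and MMC processes that loaded a console from a
# user-writable path. Search roots are an assumption of this example.

function Find-SuspiciousMscFile {
    param(
        # User profiles and ProgramData are where mail attachments and chat
        # downloads usually land; adjust for your environment.
        [string[]] $SearchRoot = @("$env:SystemDrive\Users", "$env:ProgramData")
    )
    foreach ($root in $SearchRoot) {
        Get-ChildItem -LiteralPath $root -Filter *.msc -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Zone.Identifier ADS: ZoneId=3 (Internet) / 4 (Restricted) = downloaded.
            $motw = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
            $zone = if ($motw -match 'ZoneId=(\d)') { [int]$Matches[1] } else { $null }
            $ref  = if ($motw -match '(?m)^(HostUrl|ReferrerUrl)=(.+)$') { $Matches[2].Trim() } else { $null }
            [pscustomobject]@{
                Path       = $_.FullName
                LastWrite  = $_.LastWriteTime
                ZoneId     = $zone
                Origin     = $ref
                Downloaded = ($zone -ge 3)
            }
        }
    }
}

function Get-MmcConsoleProcess {
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-CimInstance Win32_Process -Filter "Name = 'mmc.exe'" | ForEach-Object {
        $cmd = [string]$_.CommandLine
        # The console is either a quoted path or a bare token ending in .msc.
        $m = [regex]::Match($cmd, '(?i)"([^"]+\.msc)"|(\S+\.msc)')
        $console = if ($m.Success) {
            if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        } else { $null }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid          = $_.ProcessId
            Parent       = $parent.Name        # mmc.exe spawned by outlook.exe or a browser is a red flag
            Console      = $console
            OutsideSys32 = [bool]$console -and ($console -notlike "$system32\*")
        }
    }
}

Find-SuspiciousMscFile | Where-Object Downloaded | Format-Table -AutoSize
Get-MmcConsoleProcess | Format-Table -AutoSize
```

Run both functions from an elevated session so that other users' profiles and processes are visible. A console that is both downloaded and currently loaded by mmc.exe, especially one whose parent is a mail client or browser, matches the social-engineering scenario described above and should be isolated and examined.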

Microsoft Access Remote Code Execution Vulnerability (CVE-2025-26630)

CVE-2025-26630 is a remote code execution (RCE) vulnerability in Microsoft Access caused by a use-after-free condition (CWE-416). The flaw occurs when Access improperly manages pointers to dynamic memory during certain operations, leading to references to memory that has already been freed. Exploiting this issue allows attackers to overwrite memory and execute arbitrary code within the context of the affected user.

Affected Systems

All supported versions of Microsoft Access, a widely used component of the Microsoft Office suite for database management.

Exploit Details

  • Attack Vector: Local (The payload executes on the victim’s device; attackers must convince users to open malicious files.)
  • Attack Complexity: Low (Once a victim opens a crafted Access file, execution occurs reliably without additional conditions.)
  • Privileges Required: None (Attackers do not need prior system access, making standard user accounts vulnerable.)
  • User Interaction: Required (The victim must open a malicious Access file, typically delivered via phishing or social engineering.)

Severity and Exploitation Status

  • CVSS Base Score: 7.8 (High)
  • CVSS Temporal Score: 6.8
  • Publicly Disclosed: Yes (Details are publicly known, increasing the risk of exploitation.)
  • Exploited in the Wild: No (No confirmed attacks have been observed yet.)
  • Exploitability Assessment: Less Likely (While easy to exploit under controlled conditions, attackers may currently prioritize other vulnerabilities.)
  • Proof of Concept (PoC): Potentially Available (Public disclosure suggests PoC code may exist privately or among security researchers.)

Attack Scenarios

  • An attacker delivers a malicious .accdb file (Microsoft Access database) via spear-phishing emails, disguising it as a legitimate document.
  • The victim downloads and opens the file, triggering the use-after-free vulnerability.
  • Malicious code executes, allowing the attacker to gain local access, exfiltrate data, or implant malware.

Security Considerations

While this vulnerability requires user interaction, its low complexity makes it a potential tool for targeted phishing attacks. The public disclosure significantly increases the likelihood of future exploitation, particularly as attackers refine delivery methods. Microsoft has confirmed that previewing files in the Preview Pane does not trigger the vulnerability, reducing risk from casual exposure.

CVE-2025-26630 poses a notable risk due to Microsoft Access’s widespread enterprise use and the simplicity of execution once a victim interacts with a malicious file. Although there are no confirmed attacks yet, organizations should remain alert to evolving threats leveraging this vulnerability.

Google Chrome

The latest Google Chrome update addresses 14 security vulnerabilities, many of which were identified through automated testing tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL. Google has awarded $27,000 in bounties for nine of these flaws. Here are three of the most notable vulnerabilities:

1. CVE-2025-1914: Out-of-Bounds Read in V8 (High Severity)

This vulnerability affects Chrome’s V8 JavaScript engine, which is responsible for executing scripts on web pages. An out-of-bounds (OOB) read occurs when memory offsets or array indexing logic are improperly validated, allowing the engine to access memory outside its allocated buffer.
In V8, this typically happens when certain JavaScript inputs or objects manipulate internal memory management routines incorrectly. While OOB reads alone do not enable direct code execution, they can leak memory addresses, heap layouts, cryptographic keys, or other sensitive data. Attackers often use such leaks in multi-stage exploits, where CVE-2025-1914 provides memory layout information that facilitates follow-up attacks, such as use-after-free (UAF) or buffer overflow exploits.
Beyond its high severity rating, researchers regard OOB reads in V8 as particularly dangerous because they significantly lower the complexity of browser exploitation once combined with a memory corruption primitive.

2. CVE-2025-1916: Use-After-Free in Profiles (Medium Severity)

This use-after-free (UAF) vulnerability resides in Chrome’s Profiles component, which manages user sessions, stored data, and browser settings. It occurs when the system incorrectly retains pointers to deallocated objects, leading to potential memory reuse in unintended operations.
The issue likely stems from flawed lifecycle management, particularly race conditions, asynchronous events, or incorrect reference counting during profile teardown. UAF flaws are particularly dangerous as they can lead to remote memory corruption, allowing attackers to overwrite critical pointers or object metadata.
Although rated medium severity, CVE-2025-1916 could be a key component of an exploit chain, especially when combined with a memory leak like CVE-2025-1914 or JavaScript-based heap-spraying techniques. Such combinations could enable arbitrary remote code execution (RCE), leading to scenarios like credential theft, system compromise, or the deployment of persistent malware that bypasses traditional security defenses.

3. CVE-2025-1915: Improper Path Restriction in DevTools (Medium Severity)

This vulnerability affects Chrome’s DevTools, the built-in debugging and developer toolkit. It results from improper enforcement of directory restrictions, allowing access to filesystem locations outside those DevTools is meant to expose.
Typically, such flaws arise from insufficient validation of file paths within DevTools or overly permissive input handling. While classified as medium severity, this vulnerability poses a significant risk to developers and users handling sensitive data, as it could expose configuration files, authentication tokens, private project code, or other locally stored information.
Attackers could exploit this flaw to access sensitive development files, leak internal project data, or compromise authentication credentials. In targeted attacks, CVE-2025-1915 could serve as an entry point for supply-chain compromises, allowing attackers to gather intelligence before executing further exploits.
While these vulnerabilities vary in severity, they highlight the importance of timely updates, as attackers often chain multiple flaws together to escalate privileges, bypass security measures, and achieve full system compromise.

Android

Google has released patches for 43 vulnerabilities in the March 2025 Android security update, including two zero-day flaws that have been actively exploited in targeted attacks.

One of the zero-days, CVE-2024-50302, is a high-severity information disclosure vulnerability in the Linux kernel’s HID (human interface device) subsystem, where a report buffer was not zero-initialized. It was exploited by Serbian authorities to unlock seized devices during investigations. The exploit was part of an Android exploit chain developed by Israeli digital forensics company Cellebrite.

This exploit chain, which also included CVE-2024-53104, a zero-day patched last month, was discovered by Amnesty International in mid-2024 through log analysis on an unlocked device in Serbia. Google stated that it was already aware of these vulnerabilities and their potential exploitation risks before the reports emerged. Patches were provided to OEM partners in a January 18 advisory.

The second zero-day, CVE-2024-43093, is an elevation of privilege (EoP) vulnerability in the Android Framework. It allows local attackers to access restricted directories by exploiting improper Unicode normalization in file path filtering, bypassing security checks without requiring additional execution privileges or user interaction.

Beyond these zero-day fixes, the March 2025 update also addresses 11 remote code execution vulnerabilities affecting various Android components.

Google’s update follows its standard release structure, providing two patch levels: 2025-03-01 and 2025-03-05. The latter includes all fixes from the first, along with updates for third-party components and kernel subcomponents, which may not apply to all Android devices.

Mozilla Firefox

Firefox 136 addresses 25 security vulnerabilities, including 18 high-risk issues, 17 of which stem from memory-related flaws such as buffer overflows and garbage collection errors. These vulnerabilities could allow attackers to execute malicious code by tricking users into opening specially crafted web pages. Below are three of the most critical vulnerabilities patched in this release:

1. CVE-2025-1930 – Use-After-Free in AudioIPC (Sandbox Escape)

The AudioIPC component in Firefox’s audio subsystem manages communication between sandboxed content processes and privileged browser processes. The vulnerability arises when handling malformed StreamData objects on Windows, leading to a use-after-free condition in the privileged browser process.

This flaw is rooted in improper lifecycle management of audio streams handled via Inter-Process Communication (IPC). When a compromised content process sends maliciously crafted StreamData messages to the AudioIPC interface, the browser process may prematurely free memory while retaining pointers to it. Any subsequent access triggers memory corruption.

The most dangerous aspect of this vulnerability is its ability to bypass Firefox’s sandbox, which is designed to isolate web content and prevent system-wide exploits. Exploitation could allow attacker-controlled content processes to execute arbitrary code at a higher privilege level, potentially leading to full system compromise, unauthorized data access, persistent malware infections, or lateral movement within a network.

2. CVE-2025-1932 – Out-of-Bounds Access in XSLT Sorting

XSLT is used in Firefox’s XML processing engine to transform documents into structured layouts, relying on sorting functions in the txNodeSorter component. This vulnerability stems from an inconsistent comparator function, causing incorrect bounds checking when sorting XML nodes.

By injecting maliciously crafted XML and XSL files, attackers can exploit this flaw to trigger an out-of-bounds (OOB) access. During the sorting process, Firefox incorrectly references memory outside intended array boundaries, leading to memory corruption.

Out-of-bounds vulnerabilities can be particularly dangerous as they enable arbitrary read/write conditions, allowing attackers to manipulate adjacent memory structures, overwrite function pointers or virtual tables, perform heap grooming, or even achieve remote code execution (RCE) within the browser.

3. CVE-2025-1933 – JIT Corruption in WebAssembly on 64-bit CPUs

This vulnerability affects Firefox’s Just-In-Time (JIT) compiler for WebAssembly (WASM), which compiles WASM modules into optimized native code at runtime. On 64-bit CPUs, Firefox’s JIT engine mishandles return values for 32-bit (i32) WebAssembly functions, leading to potential memory corruption.

On 64-bit CPUs the JIT does not fully sanitize the location holding a 32-bit (i32) return value, so the value can pick up leftover bits from earlier operations and may subsequently be treated as a different type.

Since WebAssembly is frequently used for cryptographic functions, secure authentication and multimedia processing, this kind of type confusion inside JIT-compiled code is a classic starting point for memory corruption in the content process, which in turn can leak execution-flow details or be chained with other flaws to escape the sandbox.

These vulnerabilities highlight the complexity of modern browser exploitation, where attackers often chain multiple flaws, such as sandbox escapes, privilege escalation vulnerabilities and information leaks, to craft multi-stage attacks targeting both individual users and enterprise environments.

VMware

Broadcom has issued an urgent bulletin warning customers about three zero-day VMware vulnerabilities actively exploited in real-world attacks, as reported by Microsoft researchers.

The vulnerabilities—CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226—have CVSS scores of 9.3, 8.2, and 7.1, respectively. They affect VMware ESX, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. When chained together, they could enable a virtual machine sandbox escape, allowing an attacker who has already compromised a guest operating system with administrator or root privileges to break out into the hypervisor itself. Broadcom has confirmed that these vulnerabilities are actively being exploited in the wild.

  • CVE-2025-22224 – A critical heap overflow in the VMCI (Virtual Machine Communication Interface) that allows local attackers with administrator privileges inside a virtual machine to execute code as that VM’s VMX process on the host.
  • CVE-2025-22225 – A flaw in ESXi that enables a VMX process to initiate arbitrary kernel writes, leading to a sandbox escape.
  • CVE-2025-22226 – An HGFS information disclosure vulnerability that allows administrative users to trigger memory leaks from a VMX process.

Microsoft has not yet disclosed full details about observed exploitation, but VMware vulnerabilities have long been targeted by ransomware groups, APTs, and other threat actors.

Cisco

Cisco has announced that it has patched a vulnerability in Webex for BroadWorks that could allow unauthorized remote access to credentials. While the issue has not yet been assigned a CVE identifier, Cisco confirmed in its security bulletin that it has implemented configuration changes to address the problem and advises customers to restart the Webex application to apply the fix.

The vulnerability affects Cisco Webex for BroadWorks version 45.2 and could allow an authenticated user to access plaintext credentials in client and server logs if SIP communications are configured without encryption. The flaw stems from sensitive information being exposed in SIP headers and impacts only Cisco BroadWorks (on-premises) and Cisco Webex for BroadWorks (hybrid cloud/local) instances running in Windows environments.

Cisco recommends that administrators enable secure transport for SIP communications to encrypt data in transit as a temporary workaround until the configuration change is fully deployed. Additionally, credential rotation is advised to mitigate potential exposure.

Cisco’s Product Security Incident Response Team (PSIRT) states that there is no evidence of malicious exploitation or public disclosures related to this vulnerability.

Paragon Partition Manager

Microsoft has identified five vulnerabilities in the BioNTdrv.sys driver, part of Paragon Partition Manager, Hard Disk Manager, Backup and Recovery, and related products. One of these vulnerabilities has been exploited as a zero-day in Bring Your Own Vulnerable Driver (BYOVD) attacks by ransomware groups to gain SYSTEM privileges on Windows.

The affected vulnerabilities include:

  • CVE-2025-0288 – Arbitrary kernel memory writes
  • CVE-2025-0287 – Null pointer dereference
  • CVE-2025-0286 – Arbitrary kernel memory writes
  • CVE-2025-0285 – Arbitrary kernel memory allocation
  • CVE-2025-0289 – Insecure access to kernel resources

According to CERT/CC, an attacker with local access could exploit these flaws to escalate privileges or cause a denial-of-service. Because the BioNTdrv.sys driver is signed by Microsoft, it can be used in BYOVD attacks, even on systems where Paragon Partition Manager is not installed.

Since BioNTdrv.sys is a kernel-level driver, these vulnerabilities allow attackers to execute commands with elevated privileges while bypassing security measures. The flaws affect versions 1.3.0 and 1.5.1 and have been fixed in version 2.0.0. Paragon has included the fix in Hard Disk Manager 17.45.0 and released a security patch for older versions.

Some features in Paragon Hard Disk Manager will be unavailable without the updated BioNTdrv.sys driver. However, the patch is only available for Windows 10, Windows 11, and Windows Server 2016–2025, as earlier versions are considered insecure. Microsoft has also added vulnerable driver versions to its Vulnerable Driver Blocklist.

While it’s unclear which ransomware groups are exploiting this vulnerability, BYOVD attacks have been widely used by groups like Scattered Spider, Lazarus, BlackByte, and LockBit. Users should update all affected Paragon applications or apply the available security patch as soon as possible.
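To check a Windows host for the driver discussed above, here is an added PowerShell example (not code from Paragon, Microsoft or the digest). It looks for copies of BioNTdrv.sys on disk, including user-writable locations where BYOVD tooling drops it, compares their file version with the fixed 2.0.0 named above, reports whether the driver is currently loaded, and reads whether the Microsoft Vulnerable Driver Blocklist is enabled. The search roots, and the assumption that the file’s version resource follows the 1.3.0 / 1.5.1 / 2.0.0 numbering used in the advisory, are assumptions of the example; a file whose version cannot be parsed is treated as vulnerable rather than ignored. The registry value read in step 3 is the one this example assumes the "Microsoft Vulnerable Driver Blocklist" switch in Windows Security writes.

```powershell
# Added example, not part of the original digest: locate BioNTdrv.sys copies,
# compare their version with the fixed 2.0.0 named in the advisory, report
# whether the driver is loaded, and whether Microsoft's Vulnerable Driver
# Blocklist is enabled. Search roots and the version mapping are assumptions.

function Get-BiontDriverStatus {
    param(
        [version]  $FixedVersion = '2.0.0',
        [string[]] $SearchRoot = @(
            (Join-Path $env:SystemRoot 'System32\drivers'),
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            $env:ProgramData,
            "$env:SystemDrive\Users"
        )
    )

    # 1. Copies on disk. BYOVD loaders drop the driver wherever they like, so
    #    user-writable roots are searched as well as System32\drivers.
    $files = @(foreach ($root in ($SearchRoot | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Filter 'BioNTdrv.sys' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = $_.VersionInfo.FileVersion
            $ver = $null
            if ($raw -match '^\s*(\d+(\.\d+){1,3})') { $ver = [version]$Matches[1] }
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                # Unknown version is treated as vulnerable (conservative).
                Vulnerable = ($null -eq $ver) -or ($ver -lt $FixedVersion)
                Signer     = (Get-AuthenticodeSignature -LiteralPath $_.FullName).SignerCertificate.Subject
            }
        }
    })

    # 2. Is it loaded right now?
    $loaded = @(Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -match 'biontdrv\.sys' -or $_.Name -match 'biont' })

    # 3. Vulnerable Driver Blocklist state (assumed registry location of the
    #    Windows Security toggle; $null means the value is absent).
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $blocklist = if ($null -ne $ci.VulnerableDriverBlocklistEnable) { [bool]$ci.VulnerableDriverBlocklistEnable } else { $null }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DriverFiles         = $files
        VulnerableCopies    = @($files | Where-Object Vulnerable).Count
        LoadedDriverService = ($loaded | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join ', '
        BlocklistEnabled    = $blocklist
    }
}

$status = Get-BiontDriverStatus
$status | Format-List ComputerName, VulnerableCopies, LoadedDriverService, BlocklistEnabled
$status.DriverFiles | Format-Table Path, Version, Vulnerable, Signer -AutoSize
```

Because the driver is Microsoft-signed, a vulnerable copy on a machine with no Paragon product installed is itself an indicator: nothing legitimate put it there. Treat `VulnerableCopies` greater than zero together with `BlocklistEnabled` being false or absent as a priority for remediation, since the host then has neither the vendor fix nor the blocklist standing between a local attacker and SYSTEM.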

Parallels Desktop

A serious privilege escalation vulnerability in Parallels Desktop has left all known versions of the software vulnerable, including the latest release. The issue has been exacerbated by a flawed patch, which not only failed to fix the problem but also introduced a new vulnerability.

To make matters worse, public proof-of-concept (PoC) exploits are available, while the vendor has not responded to inquiries for months. Last week, security researcher Mickey Jin released a PoC demonstrating a bypass for CVE-2024-34331, a privilege escalation vulnerability that was originally patched in September 2024. The flaw, first reported by Nikolai Grimaluk in May 2024, stems from a lack of code signature verification in Parallels Desktop for Mac.

The original Parallels patch was supposed to prevent execution of untrusted code by verifying that the createinstallmedia tool was signed by Apple before granting it root privileges. However, this check was not properly implemented, allowing attackers to bypass it using at least two methods:

  • TOCTOU attack (Time-of-Check to Time-of-Use) – Exploits a race condition between verifying that createinstallmedia is signed by Apple and executing it with root privileges. The attacker installs a fake macOS installer, waits for Parallels to verify the signed binary, and then swaps it for a malicious script before execution.
  • do_repack_manual function attack – Allows arbitrary file overwriting by the root user. Attackers use symbolic links to redirect privileged folder access, forcing Parallels to overwrite critical system files.

Jin reported the bypass methods to Parallels in June 2024, but despite multiple follow-ups—including the last one on February 19, 2025—the company has not responded.

The TOCTOU exploit works on the latest version, 20.2.1 (55876), and all versions prior to 19.4.0. Parallels attempted to mitigate the issue in 19.4.1 by switching from do_repack_createinstallmedia to do_repack_manual, which blocked the first exploit. However, this introduced a new vulnerability, making a second exploit possible. In 20.2.1, the change was reversed, making the original exploit effective again.

As a result, all known versions of Parallels Desktop remain vulnerable to at least one exploit, and Parallels has yet to comment on the issue.

MongoDB

OPSWAT has disclosed two critical vulnerabilities in the Mongoose Object Data Modeling (ODM) library for MongoDB, which could lead to remote code execution (RCE) on Node.js servers.

  • CVE-2024-53900 – Lets an attacker who controls the match condition of a populate() call supply a $where operator, which Mongoose evaluates inside the Node.js process rather than on the database, yielding arbitrary JavaScript execution on the application server.
  • CVE-2025-23061 – A bypass of the CVE-2024-53900 patch, allowing $where injection through $or queries.

The Mongoose library, widely used in production environments, simplifies JavaScript-to-MongoDB object mapping, but its document-linking feature (populate()) passes an attacker-controlled match condition through to an in-process query evaluator, and that is what makes RCE possible.

The fix for CVE-2024-53900 attempted to block direct use of $where, but attackers discovered they could bypass it by nesting $where inside $or queries. Since Mongoose only checks top-level properties, malicious payloads can pass through undetected and trigger RCE via the sift library.
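The bypass works because the patch looked only at the immediate keys of the filter. The following is an added example, not Mongoose code, that contrasts that top-level-only check with a recursive one and shows the safer way to build a match condition from user input: filters are Python dicts standing in for the JSON objects Mongoose evaluates in-process (via sift) for populate() match conditions, and all function names and payloads are illustrative constructions. The recursive check goes beyond the advisory's $or case and catches $where under any nesting.

```python
"""Added example, not Mongoose code: a top-level-only $where check versus a
recursive one, and operator-proof construction of a user-driven match filter."""


def has_where_top_level(query):
    """The naive check: inspects only the immediate keys of the filter."""
    return isinstance(query, dict) and "$where" in query


def contains_where(node):
    """Recursive check. Descends into $or/$and/$nor arrays and, more generally,
    into every nested object or list, so $where is caught at any depth."""
    if isinstance(node, dict):
        return any(k == "$where" or contains_where(v) for k, v in node.items())
    if isinstance(node, (list, tuple)):
        return any(contains_where(item) for item in node)
    return False


def user_filter_to_match(user_filter):
    """Turn user-controlled input into a match condition with no operator injection.

    Three layers: no $where anywhere; no top-level operators (user input is
    field -> value, not a raw query); and any value object whose keys start
    with '$' is wrapped in $eq so it is compared as data. The wrapping is the
    idea behind Mongoose's sanitizeFilter option; this is not that implementation."""
    if contains_where(user_filter):
        raise ValueError("$where is not allowed in user-supplied filters")
    if any(field.startswith("$") for field in user_filter):
        raise ValueError("top-level operators are not allowed in user-supplied filters")

    def neutralise(value):
        if isinstance(value, dict):
            if any(k.startswith("$") for k in value):
                return {"$eq": value}
            return {k: neutralise(v) for k, v in value.items()}
        if isinstance(value, list):
            return [neutralise(v) for v in value]
        return value

    return {field: neutralise(value) for field, value in user_filter.items()}


def is_rejected(user_filter):
    """True if user_filter_to_match refuses the input."""
    try:
        user_filter_to_match(user_filter)
    except ValueError:
        return True
    return False


# Constructed payloads shaped like the advisory's description.
DIRECT_WHERE = {"$where": "function () { return true; }"}
NESTED_WHERE = {"$or": [DIRECT_WHERE, {"name": "alice"}]}
LOOKS_BENIGN = {"name": "alice", "age": {"$gt": 30}}
```

The naive check flags `DIRECT_WHERE` and misses `NESTED_WHERE`; the recursive one catches both. Note that `user_filter_to_match` deliberately turns the user's `{"$gt": 30}` into `{"$eq": {"$gt": 30}}`: if callers need range queries, they should build those operators themselves from validated scalar input rather than accept operator objects from the request body. None of this replaces the upgrade; it limits what a request can express if a similar gap appears again.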

Proof-of-concept code has been published, and users are urged to upgrade to Mongoose 8.9.5 or later.

Ivanti

Ivanti has released updates fixing multiple critical vulnerabilities in Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA), several of which allow remote code execution (RCE). All four require authentication, most of them with administrator privileges, so they are post-compromise or insider-grade bugs rather than unauthenticated entry points:

  • CVE-2024-38657 – Lets a remote attacker with admin privileges write arbitrary files on ICS and IPS.
  • CVE-2025-22467 – A stack-based buffer overflow in ICS that lets a remote authenticated attacker achieve RCE.
  • CVE-2024-10644 – A code injection flaw in ICS and IPS that lets a remote authenticated attacker with admin privileges execute commands.
  • CVE-2024-47908 – An OS command injection flaw in the CSA admin web console, exploitable by a remote authenticated attacker with admin privileges.

Ivanti says it is not aware of active exploitation of these flaws, but its products have repeatedly been targeted by advanced attackers, so the patches should not wait.

Meanwhile, public PoCs are now available, courtesy of Horizon3.ai researchers, for CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (all CVSS 9.8) in Ivanti Endpoint Manager (EPM). These could allow unauthenticated attackers to compromise EPM servers and then pivot to the EPM-managed clients.

Citrix

Citrix has released security updates to address a privilege escalation vulnerability in NetScaler Console (formerly NetScaler ADM) and NetScaler Agent. Tracked as CVE-2024-12284, the flaw has a CVSS v4 score of 8.8 and could allow authenticated attackers to execute commands without additional authorization under certain conditions.

The issue stems from improper privilege management and affects deployments where the NetScaler Console Agent is enabled. An attacker who already holds a valid, even low-privileged, NetScaler Console account could use it to escalate privileges and carry out post-compromise actions. Requiring authentication narrows the exposure but does not remove it: any leaked or phished console credential becomes a path to command execution on the Console.

Affected Versions:

  • NetScaler Console 14.1 (prior to 14.1-38.53) and 13.1 (prior to 13.1-56.18)
  • NetScaler Agent 14.1 (prior to 14.1-38.53) and 13.1 (prior to 13.1-56.18)

These issues have been addressed in NetScaler Console 14.1-38.53, 13.1-56.18, and later versions.

Cloud Software Group strongly advises NetScaler Console and NetScaler Agent customers to install the updates immediately, as no workarounds are available. Customers on the Citrix-managed NetScaler Console service do not need to take any action.

Microsoft Bing

Microsoft has released security updates for two critical vulnerabilities affecting Bing and Power Pages, one of which is actively being exploited. The issues are tracked as:

  • CVE-2025-21355 (CVSS 8.6) – A remote code execution (RCE) vulnerability in Microsoft Bing
  • CVE-2025-24989 (CVSS 8.2) – An elevation of privilege (EoP) vulnerability in Microsoft Power Pages

CVE-2025-21355 – Microsoft Bing RCE
According to Microsoft's advisory, a missing authentication check on a critical Bing function allows unauthorized remote code execution over the network, with no user interaction or client-side action required. Bing is a Microsoft-hosted service, so the fix has been applied on Microsoft's side and no customer action is needed.

CVE-2025-24989 – Microsoft Power Pages EoP
This vulnerability, actively exploited in attacks, was reported by a Microsoft employee. Power Pages, a low-code SaaS platform for creating and managing business websites, was affected by an improper access control issue that could allow attackers to escalate privileges and potentially bypass login controls.

Because Power Pages is a hosted service, the flaw has already been patched server-side and all affected customers have been notified. No manual patching is required, but Microsoft has told those customers to review their sites for signs of compromise.

At this time, Microsoft has not disclosed further details on attacks leveraging CVE-2025-24989.

Juniper

Juniper Networks has patched a critical authentication bypass vulnerability in Session Smart Routers (SSRs) that could allow an attacker to gain full control of the device. Tracked as CVE-2025-21589, the issue was discovered during internal security testing and also affects Session Smart Conductor and WAN Assurance Managed Routers.

According to Juniper’s Security Incident Response Team (SIRT), there is no evidence that the vulnerability has been exploited in real-world attacks. The fix is available in SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, and later versions.

Juniper devices are frequently targeted by attackers, sometimes within a week of a patch being released. Some Mist Cloud-connected devices have already received the update automatically, but administrators should not rely on that and should manually upgrade every affected system to a fixed release as soon as possible.

In deployments managed by Conductor, upgrading the Conductor nodes is enough to close the hole on the routers it manages, because the fix is pushed to them automatically; the routers should nevertheless still be upgraded to a fixed release for full protection.

OpenSSH

The OpenSSH developers have released updates fixing two vulnerabilities, a man-in-the-middle (MitM) flaw in the client and a pre-authentication denial of service, one of which went unnoticed for more than a decade. The MitM vulnerability, CVE-2025-26465, was introduced in December 2014, shortly before the release of OpenSSH 6.8p1, and went undetected for over ten years.

CVE-2025-26465 affects the OpenSSH client only when the VerifyHostKeyDNS option is enabled, that is, set to either "yes" or "ask" (the default is "no"). The attack needs no user interaction and does not depend on an SSHFP resource record existing in DNS. Because of a logic error in how the client handles a failed host-key verification, an attacker who can intercept the connection can present a bogus server key together with an oversized key carrying many certificate extensions; this forces an out-of-memory condition during verification, the error is mishandled, and the client accepts the attacker's key. From there the attacker can impersonate the server, capture credentials, inject commands, and read session data. Although VerifyHostKeyDNS is off by default upstream, FreeBSD shipped it enabled by default from 2013 to 2023, leaving many of those systems exposed.

The second flaw, CVE-2025-26466, is a pre-authentication denial of service introduced in August 2023 and first shipped in OpenSSH 9.5p1; it affects both the client and the server. During the key exchange, an attacker can send a stream of small (16-byte) ping messages, and each one causes a 256-byte pong response to be queued without limit until the exchange completes. The result is unbounded memory growth and CPU load that can render the daemon or the host unresponsive. The impact is less severe than the MitM flaw, but because it is reachable before authentication it is a real availability risk for any exposed sshd.

OpenSSH 9.9p2 fixes both issues. Upgrade as soon as possible and, on clients, leave VerifyHostKeyDNS at its default of "no" unless you actually rely on SSHFP records. For the DoS, sshd already offers mitigations that can be applied before the upgrade: keep LoginGraceTime short, cap unauthenticated connections with MaxStartups, and on OpenSSH 9.8 and later keep PerSourcePenalties enabled (it is on by default), alongside monitoring for bursts of incomplete SSH connections from a single source.
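Two checks follow directly from the description above: what VerifyHostKeyDNS a given client actually ends up using for a destination, and whether the client build predates the fix. The following is an added example, not OpenSSH code, that implements both. The parser applies the ssh_config(5) rules that matter here (the first value obtained for an option wins; a Host block applies only if one of its patterns matches the destination and none of its negated "!" patterns does) and treats Match blocks conservatively by ignoring them, so `ssh -G <host>` remains the authority. The sample config and banners are constructed for the demo.

```python
"""Added example, not OpenSSH code: resolve the effective VerifyHostKeyDNS value
for a destination from ssh_config text, and compare the client build to 9.9p2."""
import fnmatch
import re

SAMPLE_CONFIG = """
# the per-host entry comes first, so its value wins for this host
Host bastion.example.com
    VerifyHostKeyDNS ask

Host *.example.com !legacy.example.com
    User deploy
    VerifyHostKeyDNS=no

Host *
    VerifyHostKeyDNS yes
"""

FIXED_CLIENT = (9, 9, 2)   # OpenSSH 9.9p2, the release carrying the fix

_LINE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.+?)\s*$")   # 'Key value' or 'Key=value'


def _host_block_applies(patterns, host):
    """ssh_config semantics: a matching negated pattern vetoes the whole block."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)


def effective_option(config_text, host, option, default):
    """First value obtained for `option` when connecting to `host`, else default."""
    applies = True                       # lines before any Host block are global
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _LINE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            applies = _host_block_applies(value.split(), host)
        elif key == "match":
            applies = False              # Match blocks are not modelled here
        elif applies and key == option.lower():
            return value.lower()         # first obtained value wins
    return default


def parse_openssh_version(banner):
    """'OpenSSH_9.9p1, OpenSSL 3.0.13 30 Jan 2024' -> (9, 9, 1)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("not an OpenSSH version banner")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def audit_client(config_text, host, banner):
    """A client is exposed to CVE-2025-26465 only when VerifyHostKeyDNS resolves
    to yes/ask AND the build predates 9.9p2. Distributions backport fixes without
    bumping the upstream version, so 'older than 9.9p2' means 'check your vendor',
    not 'definitely vulnerable'."""
    setting = effective_option(config_text, host, "VerifyHostKeyDNS", "no")
    version = parse_openssh_version(banner)
    return {
        "host": host,
        "verify_host_key_dns": setting,
        "version": version,
        "exposed_to_cve_2025_26465": setting in ("yes", "ask") and version < FIXED_CLIENT,
    }
```

With the sample config, `bastion.example.com` resolves to "ask" (its own block comes first), other `*.example.com` hosts resolve to "no", and `legacy.example.com`, vetoed out of the middle block by the negated pattern, falls through to the global "yes". The same first-match rule is why a hardening line added at the bottom of a config does nothing for hosts already covered higher up.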

Fortinet

Fortinet has updated its advisory for CVE-2024-55591, warning of an additional vulnerability, CVE-2025-24472 (CVSS 8.1), which has now been patched. This flaw could allow authentication bypass on FortiOS and FortiProxy devices using a specially crafted CSF proxy request, enabling remote attackers to gain super-administrator privileges.
Affected Versions:
• FortiOS: 7.0.0 – 7.0.16
• FortiProxy: 7.0.0 – 7.0.19, 7.2.0 – 7.2.12

watchTowr Labs reported the flaw. Fortinet's updated advisory initially indicated that both CVE-2024-55591 and CVE-2025-24472 had been exploited in the wild, but the company later clarified that only CVE-2024-55591 was actually observed being used to compromise firewalls and the networks behind them. CVE-2025-24472 should still be treated as urgent, since it yields the same super-admin outcome through a second request path.

Both vulnerabilities have now been patched in:
• FortiOS 7.0.17 or higher
• FortiProxy 7.0.20/7.2.13 or higher

No further action is needed for customers who have already applied the latest FortiOS and FortiProxy updates. Where upgrading must wait, Fortinet's workaround is to disable the HTTP/HTTPS administrative interface or restrict access to it to trusted addresses with local-in policies.

Progress Software

Progress Software has patched several critical vulnerabilities in LoadMaster, which could allow attackers to execute arbitrary commands or download files from affected systems. Kemp LoadMaster, a high-performance application delivery controller (ADC) and load balancer, is widely used for ensuring availability, scalability, performance, and security in mission-critical environments.

Patched Vulnerabilities

  • CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56135 (CVSS 8.4) – Input validation flaws allowing authenticated remote attackers to execute arbitrary system commands via malicious HTTP requests.
  • CVE-2024-56134 (CVSS 8.4) – An input validation flaw enabling authenticated remote attackers to download any file from the system using a crafted HTTP request.

Affected Versions

  • 7.2.55.0 – 7.2.60.1 (Fixed in 7.2.61.0 GA)
  • 7.2.49.0 – 7.2.54.12 (Fixed in 7.2.54.13 LTSF)
  • 7.2.48.12 and earlier (Upgrade to LTSF or GA)
  • Multi-Tenant LoadMaster 7.1.35.12 and earlier (Fixed in 7.1.35.13 GA)
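The affected-version lists in the Citrix, Fortinet and Progress Software sections above all share one pitfall: each product has several maintained lines, and a build is fixed only relative to its own line. The following is an added example, not vendor code, that encodes those lists as branch-aware rules and checks an inventory against them; the rule table is transcribed from the ranges quoted on this page and should be re-checked against the vendor advisories before it is relied on, and the inventory is constructed for the demo.

```python
"""Added example, not vendor code: branch-aware 'is this build affected' checks.
A build is affected when it lies in the half-open range [first affected,
first fixed) of one of its product's rules. Naive 'newer than the latest fixed
build' comparisons get this wrong: NetScaler 13.1-56.18 is fixed although it
sorts below 14.1-38.53."""
import re


def parse_build(text):
    """Every run of digits, in order: '14.1-38.53' -> (14, 1, 38, 53)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


# product -> [(first affected build, first fixed build, what to upgrade to)]
RULES = {
    "NetScaler Console": [("14.1", "14.1-38.53", "14.1-38.53"),
                          ("13.1", "13.1-56.18", "13.1-56.18")],
    "NetScaler Agent":   [("14.1", "14.1-38.53", "14.1-38.53"),
                          ("13.1", "13.1-56.18", "13.1-56.18")],
    "FortiOS":           [("7.0.0", "7.0.17", "7.0.17")],
    "FortiProxy":        [("7.0.0", "7.0.20", "7.0.20"),
                          ("7.2.0", "7.2.13", "7.2.13")],
    "LoadMaster":        [("7.2.55.0", "7.2.61.0", "7.2.61.0 GA"),
                          ("7.2.49.0", "7.2.54.13", "7.2.54.13 LTSF"),
                          # '7.2.48.12 and earlier' has no in-line fix
                          ("0", "7.2.48.13", "7.2.54.13 LTSF or 7.2.61.0 GA")],
    "Multi-Tenant LoadMaster": [("0", "7.1.35.13", "7.1.35.13 GA")],
}


def assess(product, build):
    """Whether `build` of `product` falls in a listed affected range.
    affected=False means 'not in a listed range', which also covers lines the
    advisory does not mention at all; confirm those separately."""
    version = parse_build(build)
    for first_affected, first_fixed, upgrade_to in RULES[product]:
        if parse_build(first_affected) <= version < parse_build(first_fixed):
            return {"product": product, "build": build, "affected": True, "upgrade_to": upgrade_to}
    return {"product": product, "build": build, "affected": False, "upgrade_to": None}


def scan(inventory):
    """inventory: iterable of (product, build); returns only the affected entries."""
    return [r for r in (assess(p, b) for p, b in inventory) if r["affected"]]


# Constructed inventory for the demo.
SAMPLE_INVENTORY = [
    ("NetScaler Console", "13.1-56.17"),   # affected, upgrade to 13.1-56.18
    ("NetScaler Console", "14.1-38.53"),   # fixed
    ("FortiOS", "7.0.16"),                 # affected
    ("FortiProxy", "7.2.13"),              # fixed
    ("LoadMaster", "7.2.48.12"),           # affected, move to LTSF or GA
    ("LoadMaster", "7.2.54.13"),           # fixed LTSF
]
```

`scan(SAMPLE_INVENTORY)` returns the three affected entries with the line-appropriate target build, which is the information a ticket needs: a LoadMaster on the LTSF line should go to 7.2.54.13, not be told it is behind 7.2.61.0.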

Progress Software says it has no evidence of active exploitation. Given the vendor's history of its products' vulnerabilities being leveraged in ransomware attacks, however, LoadMaster-related exploit reports may well follow; since all five flaws require authentication to the admin interface, that interface should not be reachable from untrusted networks in the meantime.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: February 2025 Vulnerability Digest from Action1
