Weekly Threat Landscape Digest – Week 3

HawkEye Cyber SOC

This week’s digest emphasizes the importance of staying vigilant against evolving cyber threats. Organizations are urged to prioritize timely updates, enhance security measures, and maintain robust monitoring to protect against potential risks.

Vulnerabilities

  1. Microsoft January 2025 Security Updates

  • Microsoft has released updates addressing 159 vulnerabilities, including eight zero-days, with three actively exploited in the wild. Timely application of these patches is critical to maintain system security.

Actively Exploited Zero-Days

  • CVE-2025-21333, CVE-2025-21334, CVE-2025-21335:
    • Impact: Elevation of Privilege via Windows Hyper-V NT Kernel Integration VSP.
    • Risk: Attackers can gain SYSTEM privileges on Windows devices by exploiting flaws in the communication layer between virtual machines and the host OS.

Publicly Disclosed Zero-Days

  • CVE-2025-21275: Windows App Package Installer Elevation of Privilege.
  • CVE-2025-21308: Windows Themes Spoofing.
  • CVE-2025-21186, CVE-2025-21366, CVE-2025-21395: Microsoft Access Remote Code Execution.

Critical Vulnerabilities

  • CVE-2025-21298: Windows OLE Remote Code Execution
    • Exploited via a malicious email sent through Microsoft Outlook. Previewing the email may trigger the exploit.
  • CVE-2025-21307: Reliable Multicast Transport Driver (RMCAST) Remote Code Execution
    • Exploited by sending crafted Pragmatic General Multicast (PGM) packets to a host on which a program is listening on a PGM port; hosts without a PGM listener are not reachable.
  • CVE-2025-21311: Windows NTLM Privilege Escalation
    • A network-exploitable elevation of privilege (CVSS 9.8) rooted in the weak cryptography of NTLMv1. Patching closes this flaw; the lasting fix is to stop negotiating NTLMv1 altogether by raising LmCompatibilityLevel (3 or higher on clients and servers, 5 on domain controllers) once no legacy device still depends on it.

Actions

  • Apply all January 2025 security updates from Microsoft immediately.
  • Review where the affected components are exposed: identify clients still authenticating with NTLMv1 (Security event 4624 with “Package Name (NTLM only): NTLM V1”), confirm nothing is listening on a PGM port unless it is required, and configure Outlook to read mail in plain text on hosts that cannot be patched immediately.
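
To find which hosts still authenticate with NTLMv1 before it is switched off, the following added example (written for this digest, not Microsoft tooling) parses exported Security event 4624 messages and reports NTLM V1 and LM logons with their source. The sample events and the `----` block separator are constructed; the field labels are those of the real 4624 event body.

```python
"""Find NTLMv1 logons in exported Windows Security events (ID 4624).

Added example for this digest; not Microsoft tooling. Input is the text of
4624 event messages as exported from Event Viewer, one event per block.
The field labels ("Authentication Package", "Package Name (NTLM only)") are
the real 4624 labels; the events themselves and the "----" separator are
constructed for this example.
"""
import re
from collections import Counter

EVENT_SEPARATOR = "----"                 # constructed: separates exported events
FIELD_RE = re.compile(r"^\s*([^\t:]+):\s*(.*?)\s*$")   # "Label:<tabs>value"
WEAK_PACKAGES = {"NTLM V1", "LM"}        # both are refused at LmCompatibilityLevel 5

# Constructed sample export: one NTLMv1 logon, one NTLMv2 logon, one Kerberos logon.
SAMPLE_EVENTS = """\
An account was successfully logged on.
Subject:
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tAccount Name:\t\tsvc-backup
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tLEGACY-NAS01
\tSource Network Address:\t10.20.30.40
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V1
----
An account was successfully logged on.
Subject:
\tAccount Name:\t\t-
Logon Type:\t\t\t3
New Logon:
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tWS-0412
\tSource Network Address:\t10.20.31.7
Detailed Authentication Information:
\tLogon Process:\t\tNtLmSsp
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V2
----
An account was successfully logged on.
Logon Type:\t\t\t3
New Logon:
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
Network Information:
\tSource Network Address:\t10.20.31.7
Detailed Authentication Information:
\tLogon Process:\t\tKerberos
\tAuthentication Package:\tKerberos
\tPackage Name (NTLM only):\t-
"""


def parse_events(text):
    """Split an export into events and map each 'Label: value' line to a dict.

    4624 lists 'Account Name' twice (Subject, then New Logon). Parsing in order
    lets the New Logon value overwrite the Subject value, which is the account
    that actually authenticated.
    """
    events = []
    for block in text.split(EVENT_SEPARATOR):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2)
        if fields:
            events.append(fields)
    return events


def ntlmv1_logons(events):
    """Return the events whose NTLM package is NTLM V1 or LM."""
    return [e for e in events
            if e.get("Package Name (NTLM only)", "-") in WEAK_PACKAGES]


def logons_by_package(events):
    """Count logons per package so the residual NTLMv1 population is visible."""
    return Counter(e.get("Package Name (NTLM only)", "-") for e in events)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for e in ntlmv1_logons(parsed):
        print(f"NTLMv1 logon: {e['Account Domain']}\\{e['Account Name']} "
              f"from {e.get('Source Network Address', '?')} "
              f"({e.get('Workstation Name', '?')})")
    print(dict(logons_by_package(parsed)))
```

Run it against a bulk export of 4624 events from the domain controllers (or the equivalent SIEM query on the same field) and work through the reported source addresses before raising LmCompatibilityLevel; the counter shows how much NTLMv1 traffic remains after each round.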

  2. Critical Vulnerability in FortiOS and FortiProxy (CVE-2024-55591)
  • A critical authentication bypass (CVSS 9.6) lets an unauthenticated remote attacker obtain super-admin privileges on FortiOS and FortiProxy through crafted requests to the Node.js websocket module. It is actively exploited in the wild; observed follow-on activity includes creation of admin and local accounts and unauthorized SSL VPN logins.
  • Affected Versions:
    • FortiOS: 7.0.0–7.0.16
    • FortiProxy: 7.0.0–7.0.19, 7.2.0–7.2.12
  • Mitigation:
    • Upgrade to patched versions: FortiOS 7.0.17+, FortiProxy 7.0.20+/7.2.13+.
    • If upgrading cannot be done immediately, disable the HTTP/HTTPS administrative interface or restrict the source IP addresses that can reach it (for example with a local-in policy).

For more details, refer to the Fortinet PSIRT Advisory.

  3. Critical Vulnerabilities in Ivanti Products
  • Ivanti’s January 2025 advisories cover critical and high-severity vulnerabilities in Endpoint Manager, Avalanche and Application Control Engine; the EPM and Avalanche flaws are reachable by an unauthenticated remote attacker.

Affected Products and CVEs

  1. Ivanti Endpoint Manager (EPM)
    • CVE IDs: CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159
    • Type: Absolute Path Traversal
    • Severity: Critical (CVSS 9.8)
    • Impact: A remote, unauthenticated attacker can read sensitive files from the EPM server.
    • Resolved Versions:
      • EPM 2024 January 2025 Security Update
      • EPM 2022 SU6 January 2025 Security Update
  2. Ivanti Avalanche
    • CVE IDs: CVE-2024-13181, CVE-2024-13180, CVE-2024-13179
    • Type: Path Traversal
    • Severity: High (CVSS 7.3)
    • Impact: A remote, unauthenticated attacker can bypass authentication.
    • Resolved Version: Ivanti Avalanche 6.4.7
  3. Ivanti Application Control Engine
    • CVE ID: CVE-2024-10630
    • Type: Race Condition
    • Severity: High (CVSS 7.8)
    • Impact: Allows bypassing application blocking functionality, evading configured protections.
    • Resolved Versions:
      • Ivanti Application Control: 2024.3 HF1, 2024.1 HF4, 2023.3 HF3
      • Ivanti Neurons for App Control: Automatically patched on Dec 12, 2024.
      • Ivanti Security Controls: No patch; migration to other Ivanti solutions recommended.

Mitigation and Recommendations

  • Update Affected Products:
    • Install the latest patches as per the resolved versions listed above.
  • Migration Guidance:
    • For Ivanti Security Controls, migrate to Ivanti Application Control or Ivanti Neurons for App Control by Dec 31, 2025.
  • Monitor Systems: Ensure continuous monitoring for signs of exploitation.

  4. Adobe January 2025 Security Updates
  • Adobe has released updates for Photoshop, Substance 3D Stager, Illustrator on iPad, Animate and Substance 3D Designer. The vulnerabilities are memory-safety and search-path flaws, most of them triggered by opening a crafted file; successful exploitation leads to arbitrary code execution in the context of the current user.

Affected Products and Vulnerabilities

  1. Adobe Photoshop
    • CVE-2025-21127: Uncontrolled Search Path Element (Critical, CVSS 7.3)
    • CVE-2025-21122: Integer Underflow (Critical, CVSS 7.8)
  2. Adobe Substance 3D Stager
    • CVE-2025-21128: Stack-based Buffer Overflow (Critical, CVSS 7.8)
    • CVE-2025-21129: Heap-based Buffer Overflow (Critical, CVSS 7.8)
    • CVE-2025-21130 to CVE-2025-21132: Out-of-bounds Write (Critical, CVSS 7.8)
  3. Adobe Illustrator on iPad
    • CVE-2025-21133, CVE-2025-21134: Integer Underflow (Critical, CVSS 7.8)
  4. Adobe Animate
    • CVE-2025-21135: Integer Underflow (Critical, CVSS 7.8)
  5. Adobe Substance 3D Designer
    • CVE-2025-21136, CVE-2025-21138: Out-of-bounds Write (Critical, CVSS 7.8)
    • CVE-2025-21137, CVE-2025-21139: Heap-based Buffer Overflow (Critical, CVSS 7.8)

Actions

  • Apply all relevant security updates for affected Adobe products.
  • Refer to Adobe’s security bulletins for details on fixed versions.

  5. Multiple Vulnerabilities in Schneider Electric Products
  • Schneider Electric has published security notifications covering vulnerabilities across PLCs, HMIs, communication modules and engineering tools; depending on the product, exploitation could result in denial of service, unauthorized access, remote code execution or data exposure.

Key Vulnerabilities and Affected Products

  1. Modicon M580 PLCs, BMENOR2200H, and EVLink Pro AC
    • CVE-2024-11425: Buffer Size Miscalculation (Critical)
    • Affects Modicon M580 CPUs, BMENOR2200H, and EVLink Pro AC.
  2. Pro-face GP-Pro EX and Remote HMI
    • CVE-2024-12399: Message Integrity Bypass (Critical)
    • Affects all versions of Pro-face GP-Pro EX and Remote HMI.
  3. Wind River VxWorks DHCP Server
    • Vulnerabilities in the VxWorks DHCP server affect the communication modules of Modicon M580 and Modicon Quantum.
  4. Web Designer for Modicon Communication Modules
    • CVE-2024-12476: Improper XML External Entity Reference (Critical)
    • Affects Web Designer modules like BMXNOR0200H, BMXNOE0110(H).
  5. Web Server on Modicon M340 and Communication Modules
    • CVE-2024-12142: Exposure of Sensitive Information (High)
    • Affects Modicon M340 processors and other BMX modules.
  6. RemoteConnect and SCADAPack x70 Utilities
    • CVE-2024-12703: Deserialization of Untrusted Data (High)
    • Affects all versions of RemoteConnect and SCADAPack x70 Utilities.
  7. FlexNet Publisher Component
    • Impacts EcoStruxure Control Expert, Process Expert, and other tools.
  8. PowerLogic™ HDPM6000
    • CVE-2024-10497, CVE-2024-10498: Memory Buffer and Authorization Bypass (High)
    • Affects versions prior to v0.62.7.
  9. EcoStruxure™ Power Build Rapsody
    • CVE-2024-11139: Improper Restriction of Operations within the Bounds of a Memory Buffer (High).
  10. BadAlloc Vulnerabilities
    • Includes CVE-2020-28895, CVE-2020-35198, and CVE-2021-22156, leading to potential DoS or remote code execution.

Actions

  • Apply patches or mitigations as recommended by Schneider Electric.
  • Refer to Schneider Electric’s Security Notifications for detailed information.

  6. High-Severity Vulnerability in Zoom Workplace App for Linux
  • A high-severity type confusion vulnerability (CVE-2025-0147) affects the Zoom Workplace App, Zoom Meeting SDK and Zoom Video SDK for Linux. An authorized user can exploit it over the network to escalate privileges.

Details

  • CVE ID: CVE-2025-0147
  • Severity: High (CVSS 8.8)
  • Impact: Authorized users can exploit this vulnerability to escalate privileges on the system.

Affected Products

  • Zoom Workplace App for Linux (versions prior to 6.2.10)
  • Zoom Meeting SDK for Linux (versions prior to 6.2.10)
  • Zoom Video SDK for Linux (versions prior to 6.2.10)

Mitigation

  • Update to Zoom version 6.2.10 or later to address this vulnerability.

  7. Critical Vulnerability in Drupal AI Module
  • A critical Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Drupal AI module, specifically in the AI Chatbot and AI Assistants API sub-modules. An attacker who lures a privileged user to a crafted page can issue requests in that user’s name; depending on which sub-modules are enabled, this exposes indexed data, alters site configuration or triggers unauthorized actions.

Details

  • Vulnerability: Cross-Site Request Forgery – SA-CONTRIB-2025-003
  • Severity: Critical
  • Impact:
    • Forge requests on behalf of privileged users.
    • Access unauthorized indexed data when combined with the AI Search sub-module.
    • Modify site configurations and expose data when used with the external AI Agent module.
    • Custom-built agents with elevated privileges are at higher risk.

Affected Versions

  • 1.0.x releases before 1.0.2 (1.0.0 and 1.0.1)

Mitigation

  • Upgrade: Install AI module version 1.0.2 or later.
  • Uninstall: If upgrading is not possible, uninstall the AI Chatbot sub-module.

  8. Critical Vulnerability in FortiSwitch Devices
  • A critical vulnerability (CVE-2023-37936) in Fortinet FortiSwitch stems from the use of a hard-coded cryptographic key (CWE-321). A remote, unauthenticated attacker who knows the key can send crafted cryptographic requests and execute unauthorized code.

Details

  • CVE ID: CVE-2023-37936
  • Severity: Critical (CVSS 9.6)
  • Impact: A hard-coded key is shared by every affected device, so once extracted from one unit it lets an attacker recover data protected with it and, via crafted cryptographic requests, execute unauthorized code on others remotely.

Affected Versions

  • FortiSwitch:
    • 7.4.0
    • 7.2.0 through 7.2.5
    • 7.0.0 through 7.0.7
    • 6.4.0 through 6.4.13
    • 6.2.0 through 6.2.7
    • 6.0.0 through 6.0.7

Mitigation

  • Upgrade to Fixed Versions:
    • FortiSwitch 7.4: Upgrade to 7.4.1 or above.
    • FortiSwitch 7.2: Upgrade to 7.2.6 or above.
    • FortiSwitch 7.0: Upgrade to 7.0.8 or above.
    • FortiSwitch 6.4: Upgrade to 6.4.14 or above.
    • FortiSwitch 6.2: Upgrade to 6.2.8 or above.
    • FortiSwitch 6.0: Migrate to a fixed release.

  9. Critical Zero-Click Vulnerability in Samsung Devices
  • A critical vulnerability (CVE-2024-49415) in Samsung’s audio decoding library can be triggered without user interaction: on devices where Google Messages is the default messaging app with Rich Communication Services (RCS) enabled, an incoming audio message is decoded for transcription before the user ever opens it.

Details

  • CVE ID: CVE-2024-49415
  • Severity: Critical
  • Component: Monkey’s Audio (APE) decoder in the libsaped.so library.
  • Vulnerability Type: Out-of-bounds write in the saped_rec function, triggered by a crafted APE audio file.
  • Impact: Remote code execution without user interaction.

Affected Devices

  • Samsung devices running Android 12, 13 or 14 without the December 2024 Security Maintenance Release.
  • Galaxy S23 and S24 are the most exposed, because Google Messages ships on them with RCS enabled by default.

Mitigation

  • Apply Samsung’s December 2024 Security Update immediately.
  • Enable automatic updates to receive patches promptly.
  • Consider temporarily disabling RCS in Google Messages until the update is applied.

  10. SAP January 2025 Security Updates

SAP has issued 14 new Security Notes addressing critical and high-severity vulnerabilities in its products during the January 2025 Security Patch Day.

Critical Vulnerabilities

  1. CVE-2025-0070: Improper Authentication in SAP NetWeaver ABAP Server and Platform (CVSS 9.9)
    • Allows unauthorized access, posing significant risks.
  2. CVE-2025-0066: Information Disclosure in SAP NetWeaver AS ABAP (Internet Communication Framework) (CVSS 9.9)
    • Exposes sensitive information.

High-Severity Vulnerabilities

  • CVE-2025-0063: SQL Injection in SAP NetWeaver AS ABAP and ABAP Platform (CVSS 8.8).
  • CVE-2025-0061 & CVE-2025-0060: Multiple issues in SAP BusinessObjects BI Platform (CVSS 8.7).
  • CVE-2025-0069: DLL Hijacking in SAPSetup (CVSS 7.8).

Additional Medium and Low-Severity Vulnerabilities

  • Information disclosure in SAP Business Workflow, SAP GUI, and NetWeaver components (CVSS 6.0–6.5).
  • Cross-Site Scripting (XSS) in SAP NetWeaver AS JAVA (User Admin Application) (CVSS 4.8).
  • Buffer overflow vulnerabilities in SAP BusinessObjects BI Platform (Crystal Reports for Enterprise) (CVSS 2.2).

Actions

  • Apply the updates released in SAP’s January 2025 Patch Day to mitigate these vulnerabilities.
  • Review and address the vulnerabilities based on their severity and system applicability.

  11. High-Severity Vulnerability in Veeam Backup for Microsoft Azure

A high-severity vulnerability (CVE-2025-23082) in Veeam Backup for Microsoft Azure could allow attackers to exploit Server-Side Request Forgery (SSRF), potentially exposing internal network resources or enabling further attacks.

Details

  • CVE ID: CVE-2025-23082
  • Severity: High (CVSS 7.2)
  • Impact: Unauthorized requests via SSRF could enable network enumeration or facilitate malicious activities.

Affected Versions

  • Veeam Backup for Microsoft Azure 7.1.0.22 and earlier.

Fixed Versions

  • Veeam Backup for Microsoft Azure 7.1.0.59 or later.

Actions

  • Upgrade to version 7.1.0.59 or later immediately to mitigate risks.

  12. DNS Misconfiguration Exploited by Russian Botnet

A recently discovered botnet leveraging misconfigured DNS SPF records and compromised MikroTik routers is delivering malware through malspam campaigns. This botnet uses a network of approximately 13,000 compromised devices to spoof legitimate domains and bypass email protections.

Key Findings

  • Attack Details:
    • Botnet leverages MikroTik routers configured as SOCKS4 proxies, obscuring the origin of malicious traffic.
    • Malspam campaign impersonates DHL and other entities, delivering trojans via spoofed email domains.
    • DNS SPF misconfiguration (e.g., “v=spf1 +all”) allows any server to send emails on behalf of a legitimate domain.
  • Malware Delivery:
    • Emails include malicious zip files with obfuscated JavaScript that executes PowerShell scripts, connecting to a command-and-control server (62.133.60[.]137).

Technical Insights

  • Impact:
    • Enables large-scale phishing, spam campaigns, and malware distribution.
    • Threat actors exploit vulnerabilities in MikroTik devices to enable TCP redirectors and open proxies.
  • Exploitation:
    • SPF misconfiguration allows spoofing of approximately 20,000 sender domains.
    • Because DMARC passes when either SPF or DKIM passes with alignment, a permissive SPF record alone is enough to get spoofed mail past DMARC; the impersonated domains’ DKIM and DMARC settings therefore offered no protection.

Mitigation Recommendations

  • SPF Configuration: Publish an SPF record that lists only your authorized senders and ends with a hard fail, for example “v=spf1 include:example.com -all” (example.com standing for your mail provider’s SPF record). Never use “+all”, and move from “~all” to “-all” once all legitimate senders are confirmed.
  • Firmware Updates: Update MikroTik routers to the latest firmware and disable default admin accounts.
  • DNS Audits: Regularly audit DNS records and enforce strong authentication for domain registrar accounts.
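
The following added example (written for this digest, not taken from the Infoblox report) checks an SPF record for the permissive endings the botnet abused. It implements the RFC 7208 term syntax and the 10-lookup limit; the records below, and the example.com / mail.example.net names in them, are constructed placeholders.

```python
"""Assess an SPF record for the misconfiguration the botnet abused.

Added example for this digest, not from the Infoblox report. Parses the
SPF term syntax of RFC 7208 and flags records that let any host send as
the domain. The records in __main__ are constructed; example.com and
mail.example.net are placeholders.
"""

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# Terms that cost a DNS lookup; RFC 7208 section 4.6.4 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (mechanisms, modifiers) for a 'v=spf1 ...' record.

    Each mechanism is (qualifier, name, value). A missing qualifier means
    '+', so a bare 'all' is the same as '+all'.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                      # modifier, e.g. redirect=_spf.example.com
            name, _, value = term.partition("=")
            modifiers[name.lower()] = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()    # strip dual-CIDR suffix, e.g. a/24
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {name}")
        mechanisms.append((qualifier, name, value))
    return mechanisms, modifiers


def assess_spf(record):
    """Return a list of findings; an empty list means the record is sound."""
    mechanisms, modifiers = parse_spf(record)
    findings = []
    all_terms = [q for q, n, _ in mechanisms if n == "all"]
    if all_terms:
        qualifier = all_terms[-1]
        if qualifier == "+":
            findings.append("critical: '+all' (or bare 'all') lets any host on the "
                            "internet pass SPF for this domain")
        elif qualifier == "?":
            findings.append("high: '?all' is neutral, unauthorized senders are not rejected")
        elif qualifier == "~":
            findings.append("info: '~all' softfail; receivers may still deliver spoofed "
                            "mail, move to '-all' once senders are confirmed")
    elif "redirect" not in modifiers:
        findings.append("high: no 'all' mechanism and no redirect=, unmatched "
                        "senders default to neutral")
    lookups = sum(1 for _, n, _ in mechanisms if n in LOOKUP_TERMS)
    lookups += int("redirect" in modifiers)
    if lookups > 10:
        findings.append(f"error: {lookups} DNS lookups exceed the RFC 7208 limit of "
                        "10; receivers return permerror and SPF silently stops working")
    if any(n == "ptr" for _, n, _ in mechanisms):
        findings.append("warn: 'ptr' is deprecated and unreliable")
    return findings


if __name__ == "__main__":
    for rec in (
        "v=spf1 +all",                                               # as abused by the botnet
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all",
        "v=spf1 include:example.com ~all",
    ):
        print(rec, "->", assess_spf(rec) or ["ok"])
```

Feed it the TXT records of every domain you own (including parked and defunct ones), not just the primary mail domain; the botnet abused exactly the forgotten domains nobody was watching.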

  13. RansomHub Affiliate Leverages Python-Based Backdoor

In Q4 2024, GuidePoint Security uncovered a ransomware affiliate using a Python-based backdoor to maintain persistence and deploy RansomHub encryptors. This malware demonstrates advanced obfuscation and AI-assisted coding techniques, allowing threat actors to evade detection and maintain access to compromised networks.

Key Details

  • Malware Overview:
    • Obfuscated Python script operates as a SOCKS5-like reverse proxy.
    • Supports lateral movement via RDP and maintains persistence through scheduled tasks.
    • Deployed approximately 20 minutes after initial access via SocGholish (FakeUpdate) malware.

Threat Actor Activities

  • The Python backdoor facilitates lateral movement and persistence, enabling attackers to:
    • Establish tunnels for C2 communication.
    • Use compromised systems as proxies for further malicious activity.
    • Execute ransomware payloads across the network.

Mitigation Recommendations

  • Monitor for IoCs, in particular scheduled tasks with unexpected names such as get-pip2, Python interpreters launched from user-writable paths, and connections to the known C2 IPs.
  • Restrict RDP access and enforce strong authentication mechanisms.
  • Update security tools to detect obfuscated scripts and block malicious traffic.

  14. Google OAuth Flaw in Abandoned Domains

A vulnerability in Google’s OAuth “Sign in with Google” feature allows attackers to exploit defunct startup domains, re-create employee emails, and access linked SaaS accounts like Slack, Notion, and Zoom.

Key Points

  • Discovery: Reported to Google by Truffle Security in 2024; Google initially closed the report, later reopened it, and the issue remains unfixed.
  • Cause: Google’s sub claim is meant to be the stable identifier, but Google has acknowledged it is inconsistent in roughly 0.04% of logins, so many SaaS platforms key identities on the email and hd (hosted domain) claims instead. Both are recreated with their original values by whoever re-registers a defunct domain and sets up a new Workspace.
  • Impact: Sensitive data, including tax documents and workspace content, can be accessed.
  • Scale: ~116,481 defunct domains identified for purchase, with millions of accounts at risk.

Recommendations

  • Remove sensitive data from accounts when leaving startups.
  • Avoid using work emails for personal registrations.
  • SaaS platforms should enforce stricter verification and cross-check domain registration dates.
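
As an added illustration of the last recommendation (this is not Truffle Security’s or Google’s code), the following compares account linking keyed on the email claim with linking keyed on the immutable sub claim. The account store and the ID-token claims are constructed; verification of the token signature is assumed to have already happened.

```python
"""Account linking for "Sign in with Google": why email is the wrong key.

Added example for this digest, not Truffle Security's or Google's code.
The account store and ID-token claims are constructed. Scenario: an
attacker re-registers a defunct startup's domain and recreates the user
"alice" in a new Workspace. Google then issues a token with the same
email and hd claims as before, but a different, immutable sub.
"""

# Constructed SaaS account store keyed by the Google 'sub' each account was
# first linked with; email and hd are stored for display only.
ACCOUNTS = {
    "110169484474386276334": {"user": "alice", "email": "alice@defunct-startup.example",
                              "hd": "defunct-startup.example", "role": "admin"},
}

# Constructed ID-token claims (after signature verification, which is assumed).
ALICE_TOKEN = {"sub": "110169484474386276334", "email": "alice@defunct-startup.example",
               "email_verified": True, "hd": "defunct-startup.example"}
ATTACKER_TOKEN = {"sub": "215550093189423311785", "email": "alice@defunct-startup.example",
                  "email_verified": True, "hd": "defunct-startup.example"}
NEWCOMER_TOKEN = {"sub": "309114800021663702551", "email": "bob@another.example",
                  "email_verified": True, "hd": "another.example"}


def login_by_email(accounts, claims):
    """The vulnerable pattern: a verified email *is* the identity.

    Anyone who controls the domain later can mint a token with this email.
    """
    if not claims.get("email_verified"):
        return ("rejected", None)
    for acct in accounts.values():
        if acct["email"].lower() == claims["email"].lower():
            return ("linked", acct)
    return ("new", None)


def login_by_sub(accounts, claims):
    """Hardened pattern: identity is the immutable sub.

    A known email arriving with an unknown sub is *not* auto-linked (that
    would recreate the flaw). It is rejected for out-of-band verification,
    which is also the right handling for the rare sub inconsistencies
    Google cites: a manual step for 0.04% of logins beats a takeover path.
    """
    if not claims.get("email_verified"):
        return ("rejected", None)
    acct = accounts.get(claims["sub"])
    if acct is not None:
        return ("linked", acct)
    if any(a["email"].lower() == claims["email"].lower() for a in accounts.values()):
        return ("rejected", None)
    return ("new", None)


if __name__ == "__main__":
    for label, token in (("alice", ALICE_TOKEN), ("attacker", ATTACKER_TOKEN),
                         ("newcomer", NEWCOMER_TOKEN)):
        print(f"{label:9} by email -> {login_by_email(ACCOUNTS, token)[0]:9}"
              f" by sub -> {login_by_sub(ACCOUNTS, token)[0]}")
```

The cross-check the recommendation asks for fits in the `rejected` branch: before a human re-links such an account, compare the domain’s current registration date with the date the original account was created; a domain registered after the account existed is the takeover signature.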

  15. Critical Linux Rootkit Malware Targeting CentOS

Fortinet identified a Linux rootkit malware, “sysinitd”, that gives attackers full remote control of CentOS systems via kernel hooks and user-space processes.

Key Details

  • Components:
    • sysinitd.ko: Hijacks TCP traffic using Netfilter hooks.
    • sysinitd: A user-space process disguised as “bash” for executing commands.
    • Installed and persisted via install.sh.
  • Impact:
    • Full root-level remote control of compromised systems.
    • Hijacks incoming TCP traffic and enables encrypted attacker communication.

Fortinet Protections

  • Detection:
    • BASH/Injector.CSA!tr
    • ELF64/Injector.CSA!tr
  • Products: FortiGate, FortiMail, FortiClient, and FortiEDR with up-to-date antivirus protect against this threat.

Recommendations

  • Update systems, monitor /proc for unusual entries like /proc/abrtinfo, and compare loaded kernel modules (/proc/modules) and running “bash” processes against a known-good baseline, bearing in mind that a kernel rootkit may hide its own module.
  • Review and apply Fortinet’s protections.
  • Contact FortiGuard Incident Response Team if impacted.

  16. Ransomware Campaign Targets Amazon S3 Buckets

The Codefinger ransomware group re-encrypts data in Amazon S3 buckets with AWS Server-Side Encryption with Customer-Provided Keys (SSE-C), using keys that only the attacker holds, and then demands a ransom for those keys. Without them the data is unrecoverable.

Key Details

  • Attack Vector:
    • Leverages compromised or publicly exposed AWS credentials, not a vulnerability in AWS.
    • Re-encrypts S3 objects with SSE-C using AES-256 keys generated and held by the attacker; AWS does not retain SSE-C keys, so the objects cannot be decrypted without them.
  • Impact:
    • Data becomes irrecoverable without the decryption key.
    • Encrypted files are marked for deletion within seven days to pressure payment.
    • At least two organizations have been impacted.
  • Challenges:
    • CloudTrail records that an SSE-C request was made but not the key itself, so the logs cannot be used to recover the key.
    • Lifecycle policies are modified to expire the encrypted objects within seven days.

Mitigation Recommendations

  1. Restrict SSE-C usage via IAM policies.
  2. Regularly audit and rotate AWS keys.
  3. Implement advanced logging to detect unusual activity.
  4. Reduce reliance on long-lived access keys: use IAM roles and IAM Identity Center for short-lived credentials, and keep any remaining secrets in Secrets Manager.
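
The following added example (written for this digest, not Halcyon’s or AWS’s code) shows both halves of the first and third recommendations: the IAM deny statement that blocks SSE-C writes, and detection logic run over CloudTrail records for the two actions the campaign relies on, SSE-C object writes and lifecycle rules that start a deletion clock. The CloudTrail records are constructed and their field layout is an assumption to verify against real logs; the policy uses the S3 IAM condition key `s3:x-amz-server-side-encryption-customer-algorithm`.

```python
"""Detect the Codefinger SSE-C pattern in CloudTrail, plus the IAM guardrail.

Added example for this digest, not Halcyon's or AWS's code. The CloudTrail
records below are constructed. Their layout (eventName, userIdentity.arn,
requestParameters carrying the raw x-amz-* request headers and the
LifecycleConfiguration body) follows the shape of S3 data and management
events but is an assumption: check it against your own logs before use.
"""
import json

SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
PRINCIPAL = "arn:aws:iam::111122223333:user/ci-deploy"          # constructed

# "Restrict SSE-C usage via IAM policies": Null=false means the header IS
# present, so any PutObject that supplies a customer key is denied. Attach as
# an SCP or bucket policy wherever SSE-C is not a sanctioned workload.
SSE_C_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCustomerProvidedKeys",
        "Effect": "Deny",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::*/*",
        "Condition": {"Null": {"s3:" + SSE_C_HEADER: "false"}},
    }],
}

SAMPLE_EVENTS = [  # constructed CloudTrail records, trimmed to the fields used
    {"eventName": "PutObject", "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"bucketName": "corp-finance", "key": "ledger/2024-q4.parquet",
                           SSE_C_HEADER: "AES256"}},
    {"eventName": "CopyObject", "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"bucketName": "corp-finance", "key": "ledger/2024-q3.parquet",
                           "x-amz-copy-source": "corp-finance/ledger/2024-q3.parquet",
                           SSE_C_HEADER: "AES256"}},
    {"eventName": "PutObject",                                      # SSE-S3: benign
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/web-publish"},
     "requestParameters": {"bucketName": "corp-web", "key": "index.html",
                           "x-amz-server-side-encryption": "AES256"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": PRINCIPAL},
     "requestParameters": {"bucketName": "corp-finance", "LifecycleConfiguration": {
         "Rule": {"ID": "cleanup", "Status": "Enabled", "Filter": {"Prefix": ""},
                  "Expiration": {"Days": 7}}}}},
]


def sse_c_writes(events):
    """(principal, bucket, key) for every object written or copied in with a customer key."""
    hits = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev.get("eventName") in ("PutObject", "CopyObject") and SSE_C_HEADER in params:
            hits.append((ev["userIdentity"]["arn"], params["bucketName"], params["key"]))
    return hits


def short_lifecycle_rules(events, max_days=7):
    """(principal, bucket, rule id, days) for enabled rules expiring objects within max_days."""
    hits = []
    for ev in events:
        if ev.get("eventName") != "PutBucketLifecycle":
            continue
        params = ev["requestParameters"]
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        if isinstance(rules, dict):          # a single rule is logged as an object, not a list
            rules = [rules]
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((ev["userIdentity"]["arn"], params["bucketName"],
                             rule.get("ID"), days))
    return hits


def triage(events):
    """Principals seen doing both: re-encrypting with SSE-C and starting the deletion clock."""
    writers = {arn for arn, _, _ in sse_c_writes(events)}
    clock_setters = {arn for arn, _, _, _ in short_lifecycle_rules(events)}
    return sorted(writers & clock_setters)


if __name__ == "__main__":
    for hit in sse_c_writes(SAMPLE_EVENTS):
        print("SSE-C write:", *hit)
    for hit in short_lifecycle_rules(SAMPLE_EVENTS):
        print("short lifecycle:", *hit)
    print("escalate:", triage(SAMPLE_EVENTS))
    print(json.dumps(SSE_C_DENY_POLICY, indent=2))
```

The object-level detections need S3 data events enabled in CloudTrail (they are not part of the default management-event trail); the lifecycle detection works on management events alone. A principal that appears in `triage()` should have its credentials revoked before any further investigation, since the seven-day clock is already running.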

  17. Fortinet Firewalls Hit with Zero-Day Exploitation and Data Leak

Key Details

  1. Zero-Day Vulnerability (CVE-2024-55591)
    • Impact: Authentication bypass in FortiOS and FortiProxy.
    • Exploitation: Adversaries gain super-admin privileges via crafted WebSocket requests.
    • Affected Versions:
      • FortiOS: 7.0.0–7.0.16 (fixed in 7.0.17+).
      • FortiProxy: 7.2.0–7.2.12 (fixed in 7.2.13+), 7.0.0–7.0.19 (fixed in 7.0.20+).
    • Mitigation:
      • Update to patched versions immediately.
      • Restrict management interface access and use multi-factor authentication (MFA).
  2. FortiGate Data Leak (January 15, 2025)
    • Details: “Belsen Group” leaked 2022-era IPs, passwords, and firewall configurations from 15,000 FortiGate firewalls.
    • Likely Exploitation: Related to CVE-2022-40684 (authentication bypass).
    • Recommendations:
      • Change all passwords.
      • Review network configurations.
  3. Historical Context:
    • FortiOS has faced several zero-days in recent years:
      • CVE-2024-21762: Out-of-bounds write (Feb 2024).
      • CVE-2023-27997: Heap-based buffer overflow (June 2023).
      • CVE-2022-42475: Buffer overflow (Dec 2022).

Mitigation Guidance

  • Immediate Actions:
    • Update to patched versions of FortiOS and FortiProxy.
    • Limit exposure of firewall management interfaces to the public internet.
    • Implement MFA and monitor for suspicious account activity.
  • For Leaked Data:
    • Rotate credentials for impacted firewalls and review access logs.

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.