Weekly Threat Landscape Digest – Week 6

This week’s cybersecurity digest highlights the increasing sophistication of cyber threats and the urgent need for proactive defense strategies. Organizations must stay ahead by applying critical security patches, strengthening detection mechanisms, and improving overall cyber resilience. As attackers refine their tactics, businesses should prioritize continuous monitoring, employee security awareness, and a robust incident response plan. By adopting a layered security approach and staying vigilant, organizations can mitigate risks and safeguard their critical assets against emerging cyber threats.

Vulnerabilities

  1. Critical Vulnerability in Apple macOS Kernel

A newly discovered vulnerability (CVE-2025-24118) in Apple’s macOS kernel (XNU) could allow local attackers to escalate privileges, corrupt memory, and execute code with kernel-level permissions.

Key Details:

  • CVE-2025-24118 (CVSS 9.8, Critical)
  • Impact: Local privilege escalation, memory corruption, kernel code execution
  • Affected Systems: macOS Sonoma, macOS Sequoia, iPadOS
  • Exploit Mechanism: Race condition in Safe Memory Reclamation (SMR)
  • Exploitation Status: Public proof-of-concept (PoC) available

Patched Versions:

  • macOS Sonoma 14.7.3, macOS Sequoia 15.3, iPadOS 17.7.4

Mitigation:

  • Update systems immediately to patched macOS and iPadOS versions
  • Monitor system activity for unusual behavior or privilege escalation attempts

Reference:

  2. High-Severity Vulnerability in AMD Processors

A newly discovered vulnerability (CVE-2024-56161) in AMD EPYC processors could allow attackers to load malicious CPU microcode, compromising the security of confidential computing workloads.

Key Details:

  • CVE-2024-56161 (CVSS 7.2, High)
  • Impact: Unauthorized microcode execution, compromise of SEV-SNP guests, loss of data confidentiality and integrity
  • Exploitation Method: Attackers with local admin privileges can exploit a flaw in AMD’s microcode patch loader
  • Risk: Potential compromise of Dynamic Root of Trust Measurement

Affected Versions:

  • EPYC 7001 (Naples), 7002 (Rome), 7003 (Milan/Milan-X)
  • EPYC 9004 (Genoa/Genoa-X, Bergamo, Siena)

Mitigation:

  • Apply AMD’s latest microcode updates for affected platforms
  • Update system BIOS and SEV firmware where required
  • Reboot systems to enable the mitigation

Reference:

 

  3. Active Directory Privilege Escalation Vulnerability

A newly discovered elevation of privilege vulnerability (CVE-2025-21293) in Active Directory Domain Services (AD DS) allows attackers to escalate privileges to SYSTEM level by exploiting excessive permissions in the “Network Configuration Operators” group. A proof-of-concept (PoC) exploit has been publicly released, increasing the risk of exploitation.

Key Details:

  • CVE-2025-21293 (CVSS 8.8, High)
  • Exploits excessive permissions in the “Network Configuration Operators” group
  • Attackers can create registry subkeys under critical service-related keys
  • Public proof-of-concept (PoC) exploit available

Affected Systems:

  • Active Directory Domain Services (AD DS) on Windows Servers

Mitigation:

  • Install January 2025 security updates from Microsoft
  • Audit and remove unauthorized users from the “Network Configuration Operators” group

Reference:

 

  4. Critical Vulnerabilities in Zyxel Routers

Two critical vulnerabilities in Zyxel routers (CVE-2025-0890 and CVE-2024-40891) allow attackers to execute arbitrary code and gain full control over affected devices: the command injection itself requires authentication, but the default credentials effectively remove that barrier. Both vulnerabilities are actively exploited in the wild.

Key Details:

  • CVE-2024-40891 (CVSS 9.8, Critical) – Authenticated command injection via Telnet
  • CVE-2025-0890 (CVSS 8.8, High) – Default credentials present (e.g., “supervisor:zyad1234”, “zyuser:1234”)
  • Risk: Remote code execution, data theft, disruption of internet services
  • Exploitation Status: Actively being exploited

Affected Devices:

  • VMG Series: VMG1312-B10A/B10B/B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A
  • SBG Series: SBG3300, SBG3500

Mitigation:

  • Replace vulnerable devices (end-of-life models)
  • Disable Telnet access immediately
  • Change default credentials to strong, unique passwords
  • Monitor network traffic for signs of exploitation
  • Segment network devices to isolate affected routers

References:

 

  5. F5 Networks Quarterly Security Updates

F5 Networks has released its quarterly security update, addressing multiple vulnerabilities affecting BIG-IP, BIG-IP Next, and NGINX. Several of these vulnerabilities could lead to remote code execution, privilege escalation, and denial of service.

High-Severity CVEs:

  • CVE-2025-20029: BIG-IP iControl REST & tmsh vulnerability (CVSS 8.8)
  • CVE-2025-23239: BIG-IP iControl REST vulnerability (CVSS 8.7)
  • CVE-2025-24320: BIG-IP Configuration Utility vulnerability (CVSS 8.0)
  • CVE-2025-21087: TMM vulnerability (CVSS 7.5 – 8.9)
  • CVE-2025-20045 & CVE-2025-22846: BIG-IP SIP ALG vulnerabilities (CVSS 7.5 – 8.7)
  • CVE-2025-24326: BIG-IP ASM BADoS vulnerability (CVSS 7.5 – 8.9)

Mitigation:

  • Upgrade affected systems to the latest patched versions
  • Apply hotfixes for BIG-IP and NGINX where available
  • Monitor for abnormal activity and restrict unnecessary network exposure

Reference:

 

  6. Critical Vulnerabilities in Cisco Identity Services Engine (ISE)

Cisco has released patches for two critical vulnerabilities in its Identity Services Engine (ISE), a widely used network security policy management platform. These vulnerabilities could allow authenticated attackers to execute arbitrary commands with root privileges and bypass authorization controls.

Key Details:

  • CVE-2025-20124 (CVSS 9.9, Critical) – Insecure Java deserialization leading to remote command execution with root privileges
  • CVE-2025-20125 (CVSS 9.1, Critical) – Authorization bypass allowing unauthorized access to sensitive data and system modifications
  • Risk: Remote code execution, unauthorized system modifications, privilege escalation

Affected Versions and Fixes:

  • ISE 3.0 and earlier: Migrate to a fixed release
  • ISE 3.1: Update to 3.1P10
  • ISE 3.2: Update to 3.2P7
  • ISE 3.3: Update to 3.3P4
  • ISE 3.4: Not vulnerable

Mitigation:

  • Update Cisco ISE immediately to the latest patched version
  • Review system configurations for unauthorized modifications
  • Monitor network activity for suspicious access attempts

Reference:

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF

 

  7. High-Severity Vulnerability in HP Anyware Agent for Linux

A high-severity vulnerability (CVE-2025-1003) in HP Anyware Agent for Linux could allow authenticated attackers to bypass authentication mechanisms and escalate privileges, potentially compromising affected systems.

Key Details:

  • CVE-2025-1003 (CVSS 8.5, High)
  • Impact: Authentication bypass, privilege escalation
  • Exploitation Risk: Attackers with access could elevate privileges and gain unauthorized control

Affected Versions:

  • HP Anyware Agent for Linux versions prior to 24.07.5 and 24.10.2

Mitigation:

  • Update HP Anyware Agent to version 24.10.2 or later
  • Monitor system logs for unusual authentication attempts
  • Apply security best practices to restrict access

Reference:

 

  8. Security Updates – Mozilla Products

Mozilla has released security updates for Firefox, Firefox ESR, and Thunderbird, addressing multiple high-impact vulnerabilities, including use-after-free issues, memory safety bugs, and potential arbitrary code execution.

Key Details:

  • CVE-2025-1009, CVE-2025-1010: Use-after-free vulnerabilities in XSLT and Custom Highlight API (High impact)
  • CVE-2025-1011: WebAssembly code generation bug leading to crashes and potential code execution
  • CVE-2025-1016, CVE-2025-1017, CVE-2025-1020: Memory safety bugs exploitable for arbitrary code execution
  • CVE-2025-1018, CVE-2025-1019: Fullscreen notification issues allowing spoofing attacks
  • CVE-2025-1013: Privacy leak in private browsing
  • CVE-2025-1014: Certificate length checking issue

Fixed Versions:

  • Firefox 135
  • Firefox ESR 115.20 or 128.7
  • Thunderbird 135
  • Thunderbird ESR 128.7

Mitigation:

  • Update all affected Mozilla products immediately to the latest patched versions

Reference:




  9. Security Updates – Google Chrome

Google has released security updates for Chrome, addressing multiple vulnerabilities, including two high-severity use-after-free flaws that could lead to arbitrary code execution, application crashes, or data breaches.

Key Details:

  • CVE-2025-0444: Use-after-free in Skia (High severity)
  • CVE-2025-0445: Use-after-free in V8 (High severity)
  • CVE-2025-0451: Inappropriate implementation in Extensions API (Medium severity)

Fixed Versions:

  • Stable channel updates:
    • Linux: Chrome 133.0.6943.53
    • Windows/Mac: Chrome 133.0.6943.53/54
  • Extended stable updates:
    • Windows/Mac: Chrome 132.0.6834.194
  • Android: Chrome 133 (133.0.6943.49)

Mitigation:

  • Update Google Chrome immediately to the latest stable version

References:




  10. Critical Vulnerability in Veeam Backup & Replication

A critical vulnerability (CVE-2025-23114) has been identified in the Veeam Updater component, allowing attackers to execute arbitrary code with root-level permissions through a Man-in-the-Middle (MitM) attack. The flaw affects multiple Veeam backup products.

Key Details:

  • CVE-2025-23114 (CVSS 9.0, Critical)
  • Impact: Arbitrary code execution with root privileges
  • Attack Vector: Man-in-the-Middle attack targeting Veeam Updater
  • Affected Products:
    • Veeam Backup for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, Oracle Linux Virtualization Manager, and Red Hat Virtualization

Patched Versions:

  • Veeam Backup for Salesforce: 7.9.0.1124
  • Veeam Backup for Nutanix AHV: 9.0.0.1125
  • Veeam Backup for AWS: 9.0.0.1126
  • Veeam Backup for Microsoft Azure: 9.0.0.1128
  • Veeam Backup for Google Cloud: 9.0.0.1128
  • Veeam Backup for Oracle Linux Virtualization Manager & Red Hat Virtualization: 9.0.0.1127

Mitigation:

  • Update affected Veeam products immediately to the latest versions
  • Verify the installed version of the Veeam Updater component
  • Segment network traffic to prevent Man-in-the-Middle exploitation
  • Enable automatic updates for all Veeam appliances

Reference:

  11. Critical Vulnerabilities in Azure AI Face Service and Microsoft Account

Microsoft has addressed two critical security vulnerabilities impacting its Azure AI Face Service and Microsoft Account platforms, which could allow attackers to escalate privileges and gain unauthorized access.

Key Details:

  • CVE-2025-21396 (CVSS 7.5, High) – Missing authorization flaw in Microsoft Account enabling unauthorized privilege escalation over a network
  • CVE-2025-21415 (CVSS 9.9, Critical) – Authentication bypass in Azure AI Face Service allowing privilege escalation through spoofed authentication
  • Exploitation Risk: PoC exploit for CVE-2025-21415 has been publicly disclosed, increasing the likelihood of attacks

Mitigation:

  • Verify system updates and ensure all Azure AI Face Service and Microsoft Account integrations are up to date
  • Enable multi-factor authentication (MFA) for all accounts and services
  • Monitor for unusual authentication activity and privilege escalation attempts
  • Conduct security audits to identify misconfigurations or unauthorized access
  • Train employees on phishing and social engineering tactics that could exploit authentication flaws

References:



  12. High-Severity Vulnerability in Moxa PT Switches

A high-severity vulnerability (CVE-2024-7695) in Moxa PT switches could allow attackers to launch denial-of-service (DoS) attacks, potentially disrupting critical infrastructure operations.

Key Details:

  • CVE-2024-7695 (CVSS 8.7, High)
  • Impact: Out-of-bounds write leading to DoS attacks
  • Exploitation Risk: Attackers can overwrite critical system data, causing the switch to crash or become unresponsive

Affected Versions:

  • PT-7728 Series – Firmware version 3.9 and earlier
  • PT-7828 Series – Firmware version 4.0 and earlier
  • PT-G503 Series – Firmware version 5.3 and earlier
  • PT-G510 Series – Firmware version 6.5 and earlier
  • PT-G7728 Series – Firmware version 6.4 and earlier
  • PT-G7828 Series – Firmware version 6.4 and earlier

Mitigation:

  • Upgrade firmware immediately to the latest patched version provided by Moxa
  • Apply security patches to affected devices
  • Monitor network activity for unusual traffic patterns indicative of an attack

Reference:



  13. Security Updates – Android

Google has released the February 2025 Android security updates, addressing 48 vulnerabilities, including a high-severity zero-day kernel vulnerability actively exploited in the wild.

Key Details:

  • CVE-2024-53104 (High severity) – Privilege escalation via improper parsing in the Android Kernel USB Video Class (UVC) Driver
  • CVE-2024-45569 (Critical) – Arbitrary code execution, memory corruption, and system crashes due to improper validation in Qualcomm WLAN

Exploitation Risk:

  • CVE-2024-53104 allows authenticated local attackers to elevate privileges via a low-complexity attack
  • CVE-2024-45569 can be remotely exploited without privileges or user interaction

Android Security Patch Levels:

  • 2025-02-01 patch level – Fixes 17 vulnerabilities in the Framework component
  • 2025-02-05 patch level – Includes all previous fixes plus additional patches for third-party and kernel components

Mitigation:

  • Update all Android devices immediately to the latest patch level
  • Monitor device security settings and restrict untrusted app installations

Reference:




  14. Critical Security Vulnerabilities in MediaTek Chipsets

MediaTek has released its February 2025 Product Security Bulletin, highlighting multiple critical vulnerabilities in its chipsets used in smartphones, tablets, and other devices. These vulnerabilities could lead to remote code execution, privilege escalation, and denial of service.

Key Details:

  • CVE-2025-20633, CVE-2025-20632, CVE-2025-20631 (Critical) – WLAN AP Driver Vulnerabilities allowing remote attackers to execute arbitrary code without user interaction
  • CVE-2025-20630 (High) – Modem vulnerability enabling remote code execution or local privilege escalation via out-of-bounds writes

Affected Chipsets:

  • WLAN AP Driver Issues: MT7603, MT7615, MT7622, MT7915 (SDK release 7.4.0.1 and earlier)
  • Modem Issues: Various MediaTek chipsets and software versions

Mitigation:

  • Apply firmware and software patches released by MediaTek and device manufacturers
  • Regularly check for updates from OEMs and install security patches immediately
  • Monitor network activity for any unusual behavior indicating exploitation attempts

Reference:




  15. Operation Phantom Circuit: Cyber Espionage Campaign

Security researchers have reported that Lazarus Group launched a global cyberattack, codenamed Operation Phantom Circuit, targeting cryptocurrency and technology developers by embedding malware into trusted development tools. The campaign has compromised over 1,500 systems worldwide since late 2024.

Key Details:

  • TTPs: Malware embedded in trusted software updates, spoofed domains, and persistent RDP sessions
  • C2 Infrastructure: Hosted on Stark Industries servers, traffic routed through Astrill VPNs and Oculus Proxy nodes in Hasan, Russia
  • Exfiltration: Stolen data sent to Dropbox
  • Advanced Admin Panel: Lazarus Group used React and Node.js for managing stolen credentials and authentication tokens

Mitigation:

  • Audit third-party software and libraries for vulnerabilities
  • Deploy EDR solutions to detect suspicious activity
  • Monitor network traffic for connections to known malicious IPs and domains
  • Enforce multi-factor authentication (MFA) for all systems
  • Educate developers and IT staff on software security best practices

Reference:



  16. AsyncRAT Campaign Uses Python Payloads and TryCloudflare Tunnels for Stealth Attacks

A malware campaign has been observed delivering AsyncRAT using Python payloads and leveraging TryCloudflare tunnels to evade detection. This multi-stage attack begins with phishing emails containing Dropbox URLs that download ZIP archives leading to PowerShell execution of malicious JavaScript.

Key Details:

  • Attack Chain:
    • Phishing emails with Dropbox URLs deliver ZIP files.
    • LNK files fetch scripts via TryCloudflare URLs, executing PowerShell.
    • Malware families like AsyncRAT, Venom RAT, and XWorm are deployed.
  • Tactics:
    • Abuse of legitimate services like Dropbox and Cloudflare to host payloads.
    • JavaScript, PowerShell, and Python payloads used for execution.
    • Mark-of-the-Web (MotW) bypass vulnerability (CVE-2024-38213) used in similar campaigns.

Recent Phishing Campaigns:

  • SapphireRAT spread via legal documents and receipts.
  • Microsoft 365 credential harvesting using .gov domains.
  • Impersonation of tax agencies to steal credentials and distribute AsyncRAT, MetaStealer, Venom RAT.
  • Spoofed Microsoft ADFS login pages for MFA code theft.
  • Cloudflare Workers leveraged for credential harvesting.

Mitigation:

  • Monitor network traffic for suspicious TryCloudflare connections.
  • Block phishing emails delivering Dropbox links.
  • Apply patches for CVE-2024-38213 and other vulnerabilities.
  • Educate users on phishing and social engineering tactics.
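The mitigation list asks for monitoring of TryCloudflare connections. The Python below is an added example, not code from this digest or from any vendor report it summarizes: it runs over a few constructed DNS query-log lines, matches the TryCloudflare and Dropbox domains with strict suffix matching (so an unrelated name that merely ends in the same letters is not a false positive), and raises an alert only when the two appear in the order the attack chain above describes, a Dropbox download followed shortly by a TryCloudflare lookup from the same client. The log layout, client addresses, tunnel hostnames and the 15-minute window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Domains worth watching for the chain described above; the label is reused for correlation
WATCHLIST = {
    "trycloudflare.com": "trycloudflare",
    "dropboxusercontent.com": "dropbox",
    "dropbox.com": "dropbox",
}

# Assumed log shape: "<ISO-8601 UTC> <client IP> <qtype> <query name>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>\S+)\s+(?P<query>\S+)$")


def domain_matches(query, suffix):
    """Exact or subdomain match only, so 'notrycloudflare.com' does not hit 'trycloudflare.com'."""
    q = query.rstrip(".").lower()
    return q == suffix or q.endswith("." + suffix)


def classify(query):
    """Label a query name, or None when it is not on the watch list."""
    for suffix, label in WATCHLIST.items():
        if domain_matches(query, suffix):
            return label
    return None


def scan_dns_log(lines):
    """Return (timestamp, client, query, label) for every watch-listed lookup."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = classify(m["query"])
        if label:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            hits.append((ts, m["src"], m["query"], label))
    return hits


def chain_alerts(hits, window_seconds=900):
    """Clients where a Dropbox lookup is followed by a trycloudflare lookup inside the window.

    A lone trycloudflare lookup is not alerted on: developers use quick tunnels legitimately.
    """
    per_client = defaultdict(list)
    for ts, src, _query, label in hits:
        per_client[src].append((ts, label))
    alerted = set()
    for src, events in per_client.items():
        events.sort()
        for i, (t_drop, label) in enumerate(events):
            if label != "dropbox":
                continue
            for t_next, later in events[i + 1:]:
                if later == "trycloudflare" and (t_next - t_drop).total_seconds() <= window_seconds:
                    alerted.add(src)
                    break
    return sorted(alerted)


# Constructed DNS query log: one client follows the phishing chain, one uses a tunnel alone
SAMPLE_LOG = """\
2025-02-03T09:12:01Z 10.0.5.23 A www.example.org
2025-02-03T09:12:08Z 10.0.5.23 A dl.dropboxusercontent.com
2025-02-03T09:12:19Z 10.0.5.23 A brave-words-example-tunnel.trycloudflare.com
2025-02-03T09:13:02Z 10.0.5.40 A notrycloudflare.com
2025-02-03T09:14:45Z 10.0.5.77 A dev-demo-example-tunnel.trycloudflare.com
2025-02-03T09:15:30Z 10.0.5.40 AAAA cdn.example.net
""".splitlines()

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG)
    for ts, src, query, label in hits:
        print(ts.isoformat(), src, label, query)
    print("chain alerts:", chain_alerts(hits))
```

The sequence check is what keeps this usable in an environment where quick tunnels are used for development: the sample client 10.0.5.77 resolves a tunnel hostname but never appears in the alert list, while 10.0.5.23, which fetched something from Dropbox eleven seconds before its tunnel lookup, does.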

 

Reference:



  17. Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections

A recently patched vulnerability in 7-Zip (CVE-2025-0411, CVSS 7.0) has been actively exploited by Russian cybercrime groups to bypass Windows Mark-of-the-Web (MotW) protections and deliver the SmokeLoader malware through phishing attacks.

Key Details:

  • CVE-2025-0411 (7-Zip Vulnerability)
    • Allows attackers to bypass MotW protections by double-archiving malicious content.
    • Fixed in 7-Zip version 24.09 (November 2024).
    • Active Exploitation: Detected since September 2024, targeting Ukraine.
  • Attack Chain
    • Phishing emails impersonating Ukrainian government agencies deliver malicious ZIP archives.
    • The ZIP file contains an LNK file disguised as a Word document, triggering the attack.
    • The SmokeLoader malware is downloaded from attacker-controlled servers.
  • Tactics Used
    • Homoglyph attacks to spoof file extensions.
    • Use of compromised email accounts for authentic-looking phishing campaigns.
    • Financially motivated group UAC-0006 (linked to FIN7 APT) has been distributing SmokeLoader in PrivatBank-themed phishing attacks.
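One place to catch the double-archiving and homoglyph tricks described above is the mail gateway, before an attachment reaches a user. The Python below is an added example, not the campaign's code and not a vendor tool: it inspects a ZIP held in memory, recurses into nested ZIPs, and flags nested archives, shortcut (.lnk) and other executable-type members, document-then-executable double extensions, and file names that mix Latin and Cyrillic letters. The sample archive it builds is constructed for the example; the member names are invented and the shortcut content is four placeholder bytes.

```python
import io
import unicodedata
import zipfile

# Member extensions a gateway treats as "archive inside an archive"
ARCHIVE_EXTS = {".zip", ".7z", ".rar", ".gz", ".tgz", ".iso", ".cab"}
# Member extensions that execute on double-click under Windows
EXEC_EXTS = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
# Extensions a lure usually imitates in a double-extension name
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}


def _extensions(member):
    """'dir/Name.doc.lnk' -> ['.doc', '.lnk'] (lower-cased, in order)."""
    base = member.rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:]]


def _mixed_script(name):
    """True when Latin and Cyrillic letters appear together (homoglyph spoofing)."""
    scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in name if ch.isalpha()}
    return {"LATIN", "CYRILLIC"} <= scripts


def inspect_zip(data, prefix="", depth=0, max_depth=3):
    """Return (path, reason) findings for a ZIP in memory, recursing into nested ZIPs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            if last in ARCHIVE_EXTS:
                findings.append((path, "nested-archive"))
                if last == ".zip" and depth < max_depth:
                    findings += inspect_zip(zf.read(info), path + "!/", depth + 1, max_depth)
            if last in EXEC_EXTS:
                findings.append((path, "executable-member"))
                if len(exts) >= 2 and exts[-2] in DOC_EXTS:
                    findings.append((path, "double-extension"))
            if _mixed_script(info.filename):
                findings.append((path, "mixed-script-name"))
    return findings


def verdict(data):
    """Block when an archive hides an archive or carries an executable-type member."""
    reasons = {reason for _, reason in inspect_zip(data)}
    return "block" if reasons & {"nested-archive", "executable-member"} else "allow"


def build_lure_sample():
    """Constructed lure: outer ZIP wrapping an inner ZIP that carries disguised shortcuts."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        # Cyrillic 'о' (U+043E) inside ".doc", so the name is not a plain ASCII ".doc.lnk"
        z.writestr("Nakaz_2025.d\u043ec.lnk", b"L\x00\x00\x00")
        z.writestr("Invoice.pdf.lnk", b"L\x00\x00\x00")
        z.writestr("Readme.txt", b"constructed sample, not a real attachment")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documents.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_sample():
    """Constructed benign attachment: one PDF-named member, nothing nested."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("quarterly-report.pdf", b"%PDF-1.4 constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in inspect_zip(build_lure_sample()):
        print(f"{reason:18} {path}")
    print("verdict:", verdict(build_lure_sample()))
```

The mixed-script check matters because the homoglyph defeats the simpler double-extension rule: a name whose ".doc" contains a Cyrillic letter never matches the ASCII document extensions, so without the script check it would only be reported as a shortcut, not as a spoofed document. Only nested ZIPs are opened here; other archive formats are reported but not unpacked, since the standard library cannot read them.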

Mitigation:

  • Update 7-Zip to version 24.09 or later to close the MotW bypass loophole.
  • Block phishing emails with ZIP file attachments.
  • Disable execution of untrusted files to prevent malware execution.
  • Monitor network activity for connections to attacker-controlled C2 servers.

Reference: https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html




  18. Stealers on the Rise: A Growing macOS Threat

Security researchers have identified an increase in macOS infostealer malware, with three major threats—Poseidon, Atomic, and Cthulhu Stealer—actively targeting macOS users. These infostealers are being distributed via malvertising, trojanized installers, and phishing campaigns, leading to credential theft, data breaches, and financial losses.

Key Details:

  • Atomic Stealer (AMOS)
    • Distributed via malvertising and trojanized installers.
    • Targets browser credentials, cryptocurrency wallets, instant messaging apps (Telegram, Discord), and stored notes.
    • Available as malware-as-a-service (MaaS) in hacker forums.
  • Poseidon Stealer
    • A fork of Atomic Stealer, sold by a threat actor named Rodrigo4.
    • Uses AppleScript-based trojanized installers to prompt victims for credentials.
    • Steals browser data, cryptocurrency wallets, macOS Notes, and password manager data.
  • Cthulhu Stealer
    • Sold as MaaS via Telegram by “Cthulhu Team.”
    • Propagated via fake CleanMyMac installers with credential-stealing popups.
    • Collects browser passwords, crypto wallets, keychain data, FileZilla credentials, and gaming-related accounts.
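Both Poseidon and Cthulhu rely on an AppleScript dialog that asks the user for a password, so the osascript process that draws that dialog is a useful detection point. The Python below is an added example, not code from the Unit 42 report or from any EDR product: it scores process-start events by looking for the AppleScript phrases that turn a dialog into a masked password prompt ("display dialog" combined with "with hidden answer"), adds weight when the prompt is spawned from a shell rather than a user-facing tool, and reports only events over a threshold. The event tuples, parent-process names, the shell baseline and the threshold are assumptions for the example.

```python
import re
import shlex

# Script fragments that make an AppleScript dialog behave like a password prompt
DIALOG_RE = re.compile(r"display\s+dialog", re.I)
HIDDEN_RE = re.compile(r"with\s+hidden\s+answer", re.I)
CRED_WORDS_RE = re.compile(r"password|passcode|keychain|credential", re.I)
# Parents that do not normally spawn interactive credential dialogs (assumed baseline)
SHELL_PARENTS = {"bash", "sh", "zsh", "Terminal"}


def score_osascript(parent, cmdline):
    """Score one process-start event; (0, []) for anything that is not osascript."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()
    if not argv or argv[0].rsplit("/", 1)[-1] != "osascript":
        return 0, []
    script = " ".join(argv[1:])
    score, reasons = 0, []
    if DIALOG_RE.search(script):
        score += 1
        reasons.append("display dialog")
    if HIDDEN_RE.search(script):
        score += 2
        reasons.append("hidden answer (masked input)")
    if CRED_WORDS_RE.search(script):
        score += 1
        reasons.append("credential wording")
    if parent in SHELL_PARENTS:
        score += 1
        reasons.append(f"spawned by {parent}")
    return score, reasons


def triage(events, threshold=3):
    """Return [(pid, score, reasons)] for events at or above the threshold."""
    alerts = []
    for pid, parent, cmdline in events:
        score, reasons = score_osascript(parent, cmdline)
        if score >= threshold:
            alerts.append((pid, score, reasons))
    return alerts


# Constructed process-start events: (pid, parent process name, command line)
SAMPLE_EVENTS = [
    (4101, "bash",
     "osascript -e 'display dialog \"macOS needs your password to continue\" "
     "default answer \"\" with hidden answer with icon caution'"),
    (4102, "Script Editor", "osascript -e 'display notification \"Build finished\"'"),
    (4103, "launchd", "osascript -e 'display dialog \"Backup complete\" buttons {\"OK\"}'"),
    (4104, "zsh", "/usr/bin/python3 -c 'print(1)'"),
]

if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(pid, score, ", ".join(reasons))
```

The threshold is what keeps ordinary automation quiet: a plain "display dialog" from a backup job scores one point and is never surfaced, while the masked-input prompt launched from a shell accumulates five. In a real deployment the events would come from an EDR or from Endpoint Security framework process telemetry rather than a hard-coded list.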

Mitigation:

  • Update macOS security solutions to detect and block infostealers.
  • Avoid downloading software from untrusted sources, including unofficial ads.
  • Enable system monitoring tools to detect suspicious AppleScript executions.
  • Educate employees and individuals on recognizing phishing and malvertising threats.

Reference: https://unit42.paloaltonetworks.com/macos-stealers-growing/




  19. Sophisticated Phishing Attack Bypasses Microsoft ADFS MFA

Cybercriminals are leveraging spoofed Microsoft Active Directory Federation Services (ADFS) login pages to steal user credentials and bypass multi-factor authentication (MFA) in a newly observed phishing campaign.

Key Details:

  • Attack Tactics:
    • Phishing Emails: Spoofed emails impersonating the organization’s IT department.
    • Credential Harvesting: Users unknowingly submit usernames, passwords, and MFA codes.
    • Account Takeover: Stolen credentials allow attackers to move laterally, conduct financial fraud, and send phishing emails.
  • Highly Customized Phishing Pages: Attackers mirror real ADFS login portals, adapting to the victim’s MFA setup to increase success rates.

Industries at Risk:

Over 150 organizations have been targeted, with the education sector accounting for 50% of attacks. Other affected industries include:

  • Healthcare (14.8%)
  • Government (12.5%)
  • Technology (6.3%)
  • Transportation (3.4%)

Most attacks have been observed in the US, Canada, Australia, and Europe, particularly affecting organizations still using legacy ADFS authentication systems.

Mitigation Strategies:

  • Migrate to Modern Identity Solutions – Transition to Microsoft Entra to reduce reliance on ADFS.
  • Security Awareness Training – Educate employees on phishing tactics and social engineering techniques.
  • Advanced Email and Network Security – Implement AI-powered email filtering, behavioral monitoring, and phishing detection tools.

By adopting these security measures, organizations can reduce their exposure to ADFS-based phishing attacks and better protect sensitive credentials.

Reference: https://www.infosecurity-magazine.com/news/phishing-attack-bypasses-microsoft/ 




  20. Experts Flag Security, Privacy Risks in DeepSeek AI App

Cybersecurity experts have flagged serious security and privacy risks in the DeepSeek AI mobile app, which has been one of the most downloaded free apps on Apple’s App Store and Google Play since its launch on January 25, 2025.

Key Security Concerns:

  1. Unencrypted Data Transmission
    • DeepSeek disables iOS App Transport Security (ATS), allowing sensitive device data to be sent over unencrypted channels, exposing users to data interception and modification.
  2. Device Fingerprinting & Tracking
    • The app collects extensive device data, including device names (which often contain user names), IP addresses, and advertising data, potentially allowing deanonymization of users.
  3. Weak Encryption & Hard-Coded Keys
    • DeepSeek encrypts some responses using 3DES (Triple DES), an outdated and deprecated algorithm.
    • The encryption key is hard-coded, making it easy for attackers to extract and decrypt user data.
  4. Ties to ByteDance & Data Exposure
    • The app communicates with Volcengine, a ByteDance (TikTok’s parent company) cloud service, raising concerns about data sharing.
    • A publicly exposed DeepSeek database was found leaking chat history, backend data, API secrets, and operational details without authentication.
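The first concern above, disabled App Transport Security, is visible in an app's Info.plist without any reverse engineering, so it is a check a mobile-app review can automate. The Python below is an added example, not code from the research cited in the digest and not DeepSeek's manifest: it parses a constructed Info.plist with the standard plistlib module and reports the ATS keys that weaken transport security (the app-wide NSAllowsArbitraryLoads switch, per-domain cleartext exceptions, minimum TLS versions below 1.2, and forward secrecy turned off), then shows a hardened manifest that produces no findings. The bundle identifier and domain names are invented.

```python
import plistlib

# Constructed Info.plist fragment showing ATS switched off app-wide plus a weak per-domain exception
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>telemetry.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed hardened manifest: ATS left on, one exception that only raises the bar
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.3</string>
        <key>NSExceptionRequiresForwardSecrecy</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(plist_bytes):
    """Return (domain, key, description) for every ATS setting that weakens transport security."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("*", "NSAllowsArbitraryLoads", "ATS disabled app-wide: cleartext HTTP to any host"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("*", "NSAllowsArbitraryLoadsInWebContent", "ATS disabled for web view content"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append((domain, "NSExceptionAllowsInsecureHTTPLoads", "cleartext HTTP permitted"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append((domain, "NSExceptionMinimumTLSVersion", f"weak minimum {tls}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append((domain, "NSExceptionRequiresForwardSecrecy", "forward secrecy disabled"))
    return findings


def ats_risk(findings):
    """Coarse rating: an app-wide bypass is high, any per-domain weakening is medium."""
    if any(key == "NSAllowsArbitraryLoads" for _, key, _ in findings):
        return "high"
    return "medium" if findings else "none"


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        found = audit_ats(blob)
        print(name, ats_risk(found))
        for domain, key, why in found:
            print(f"  {domain:24} {key:36} {why}")
```

Apple's own review flags NSAllowsArbitraryLoads at submission time, but an enterprise mobile-application management process that vets apps before allowing them on managed devices gets the same signal from the shipped binary's Info.plist, which is where this check belongs.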

Government & Organizational Bans:

  • U.S. House of Representatives restricted the app due to malware exploitation risks.
  • Italy, Taiwan, The Pentagon, NASA, and the U.S. Navy have all banned DeepSeek from their networks.

Mitigation & Recommendations:

  • Remove DeepSeek AI from devices to mitigate data privacy and security risks.
  • Block network traffic to known DeepSeek-related infrastructure.
  • Avoid sharing sensitive information with AI platforms that lack strong privacy safeguards.

As security concerns escalate, Apple and Google may be pressured to take action against DeepSeek AI.

Reference: https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/ 

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.