CyberSecurity news

FlagThis - #patch

@msrc.microsoft.com //

Microsoft's May 2025 Patch Tuesday Addresses Exploited Zero-Days - Microsoft has issued its May 2025 Patch Tuesday updates, addressing 71 CVEs, including five zero-days exploited in the wild and two publicly known, with CISA urging administrators to patch these flaws by June 3, 2025.
Microsoft has released its May 2025 Patch Tuesday updates, addressing a total of 71 or 72 vulnerabilities, depending on the source, across its software. This includes fixes for five actively exploited zero-day vulnerabilities and two publicly known vulnerabilities. The updates target flaws in various Windows components, including the Windows Common Log File System (CLFS), DWM Core Library, Scripting Engine, and Winsock.

Among the critical issues addressed are elevation of privilege (EoP) and remote code execution (RCE) vulnerabilities. Specifically, two zero-days in the CLFS (CVE-2025-32701 and CVE-2025-32706) allow attackers to gain SYSTEM privileges. Another zero-day (CVE-2025-30400) is a use-after-free vulnerability in the Windows Desktop Window Manager (DWM) Core Library, which can also lead to privilege escalation. A scripting engine memory corruption vulnerability (CVE-2025-30397) could allow for remote code execution if a user visits a malicious web page while using Internet Explorer mode in Edge.

The Cybersecurity and Infrastructure Security Agency (CISA) has added all five exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging administrators to patch these flaws by June 3, 2025. Security experts emphasize the importance of prioritizing these updates to prevent potential privilege escalation, code execution, and other malicious activities. The identified vulnerabilities highlight the ongoing risk posed by CLFS exploitation and the need for continuous monitoring and patching efforts.

Recommended read:
References :
  • borncity.com: Microsoft Security Update Summary (May 13, 2025)
  • Threats | CyberScoop: Microsoft’s Patch Tuesday closes 72 vulnerabilities, including 5 zero-days
  • isc.sans.edu: Microsoft Patch Tuesday: May 2025, (Tue, May 13th)
  • Tenable Blog: Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)
  • CyberInsider: Microsoft Patches Five Actively Exploited Flaws in May 2025 Windows 11 Update
  • securityaffairs.com: Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days
  • www.bleepingcomputer.com: Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws
  • The Hacker News: Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server
  • krebsonsecurity.com: Patch Tuesday, May 2025 Edition
  • socradar.io: May 2025 Patch Tuesday: 78 Flaws, 5 Exploited, & Critical SAP Fixes
  • thecyberexpress.com: Microsoft Patch Tuesday May 2025: 5 Zero Days, 8 High-Risk Vulnerabilities
  • www.action1.com: May 2025 Vulnerability Digest Recording
  • Blog RSS Feed: May 2025 Patch Tuesday Analysis
  • Action1: Watch this webinar to explore the latest Microsoft patches from May 2025 Patch Tuesday and updates on third-party application vulnerabilities addressed in the past month.
  • www.computerworld.com: May’s Patch Tuesday serves up 78 updates, including 5 zero-day fixes
  • borncity.com: Microsoft confirms Bitlocker boot problems after Windows 10/11 May 2025 update
  • cyberpress.org: KB5058379 Windows 10 Patch Causes Boot Failures, Demands BitLocker Unlock
@support.broadcom.com //

VMware Tools Flaw Allows VM Tampering Urgent Patch - A moderate-severity vulnerability (CVE-2025-22247) in VMware Tools could allow attackers with limited access to a guest VM to tamper with local files, leading to unauthorized actions.
Broadcom has issued an urgent patch to address a moderate-severity vulnerability, CVE-2025-22247, affecting VMware Tools versions 11.x.x and 12.x.x. The flaw, characterized as an insecure file handling vulnerability, could be exploited by attackers with limited access within a guest virtual machine (VM). This could allow them to tamper with local files and trigger insecure file operations, potentially leading to further security breaches within the virtual environment. The vulnerability impacts VMware Tools running on Windows and Linux operating systems, while macOS is reportedly unaffected.

Broadcom's security advisory highlights that VMware Tools contains this insecure file handling vulnerability which can be exploited by an attacker with non-administrative privileges within a guest VM. The successful exploitation of CVE-2025-22247 could allow the attacker to tamper with local files, leading to unauthorized actions. VMware has released VMware Tools version 12.5.2 to remediate this vulnerability. For Windows 32-bit systems, the fix is included in VMware Tools 12.4.7, also part of the 12.5.2 release.

For Linux systems, the advisory notes that updates addressing CVE-2025-22247 will be distributed by individual Linux vendors. It is crucial for Linux users to stay informed about updates from their respective distribution vendors. System administrators are urged to take immediate action by updating to the latest versions of VMware Tools to mitigate the risks associated with this vulnerability. Sergey Bliznyuk of Positive Technologies has been credited for reporting the vulnerability.

Recommended read:
References :
  • securityonline.info: VMware Tools Update Addresses Insecure File Handling Vulnerability
  • Open Source Security: Re: CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools
  • thecyberexpress.com: New VMware Tools Vulnerability Allows Attackers to Tamper with Virtual Machines, Broadcom Issues Urgent Patch
  • securityonline.info: VMware Tools Update Addresses Insecure File Handling Vulnerability
  • Rescana: Patch Now: Secure VMware Tools from Insecure File Handling Vulnerability CVE-2025-22247
  • Open Source Security: CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools
@cyberscoop.com //

SonicWall Customers Confronting Resurgence of Exploited Vulnerabilities - SonicWall has addressed actively exploited vulnerabilities in its SMA 100 appliances that could allow remote code execution if chained, urging users to update to the latest version.
SonicWall customers are facing a resurgence of actively exploited vulnerabilities, posing a significant threat to their network security. The company recently addressed three flaws in its Secure Mobile Access (SMA) 100 appliances, including a potential zero-day vulnerability. These vulnerabilities can be chained together to achieve remote code execution, potentially granting attackers root-level access to affected systems. The network security vendor has been making frequent appearances on CISA's Known Exploited Vulnerabilities catalog.

Multiple security flaws in SMA 100 Series devices have been actively exploited recently. The disclosed vulnerabilities, identified as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, affect SMA 100 appliances and could enable attackers to run code as root. Specifically, CVE-2025-32819 allows for arbitrary file deletion, potentially resetting the device to factory settings, while CVE-2025-32820 enables overwriting system files, potentially causing denial-of-service. CVE-2025-32821 can lead to shell command injections, further facilitating remote code execution.

SonicWall has released patches for these vulnerabilities in version 10.2.1.15-81sv. Security researchers at Rapid7 discovered the vulnerabilities and worked with SonicWall to validate the effectiveness of the patches before public disclosure. Users of SMA 100 series devices, including SMA 200, 210, 400, 410, and 500v, are strongly advised to update their systems to the latest version to mitigate the risk of exploitation. CISA has added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog and urges federal agencies to remediate these issues immediately.

Recommended read:
References :
CISA@All CISA Advisories //

CISA Warns of Actively Exploited Apache, SonicWall Flaws - CISA added CVE-2024-38475 in Apache HTTP Server and CVE-2023-44221 in SonicWall SMA100 series to its catalog of known exploited vulnerabilities.
CISA has added two new vulnerabilities, CVE-2024-38475 and CVE-2023-44221, to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities affect Apache HTTP Server and SonicWall SMA100 series appliances, posing significant risks to organizations that utilize these technologies. The agency is urging organizations to take immediate action to mitigate potential exploits. The addition to the KEV catalog highlights the active exploitation of these flaws in the wild, increasing the urgency for patching and remediation.

The vulnerabilities impacting SonicWall SMA 100 devices are particularly concerning due to the potential for complete system takeover and session hijacking. Cybersecurity researchers at watchTowr have discovered that malicious actors are actively combining these vulnerabilities. CVE-2024-38475, an Apache HTTP pre-authentication arbitrary file read vulnerability discovered by Orange Tsai, allows unauthorized file reading. CVE-2023-44221, a post-authentication command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd, enables attackers to execute arbitrary commands on affected systems.

The combination of these two vulnerabilities allows attackers to extract sensitive information, such as administrator session tokens, effectively bypassing login credentials. Once this initial foothold is established, the command injection vulnerability can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise. The vulnerabilities affect SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. watchTowr has warned of active exploitation of these vulnerabilities, urging organizations to apply available patches to secure their systems.

Recommended read:
References :
  • watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
  • thecyberexpress.com: CISA Adds Two New Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • thecyberexpress.com: CISA Adds Two New Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
info@thehackernews.com (The@The Hacker News //

Microsoft Patches Actively Exploited CLFS Zero-Day Flaw - Microsoft's April Patch Tuesday addressed 134 vulnerabilities, including a zero-day exploited by the RansomEXX ransomware gang, targeting organizations in the U.S., Venezuela, Spain, and Saudi Arabia.
Microsoft has issued a critical security update as part of its April 2025 Patch Tuesday to address a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS). The vulnerability, classified as an elevation of privilege flaw, is being actively exploited by the RansomEXX ransomware gang to gain SYSTEM privileges on compromised systems. According to Microsoft, the attacks have targeted a limited number of organizations across various sectors and countries, including the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.

Microsoft Threat Intelligence Center (MSTIC) has attributed the exploitation activity to a group tracked as Storm-2460, which deployed the PipeMagic malware to facilitate the attacks. Successful exploitation of CVE-2025-29824 allows an attacker with a standard user account to escalate privileges, enabling them to install malware, modify system files, disable security features, access sensitive data, and maintain persistent access. This can result in full system compromise and lateral movement across networks, leading to the widespread deployment and detonation of ransomware within the affected environment.

The zero-day vulnerability is located in the CLFS kernel driver and is due to a use-after-free weakness. Microsoft recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks. While Microsoft has issued security updates for impacted Windows versions, patches for Windows 10 x64 and 32-bit systems are pending release. In addition to fixing the zero-day flaw, Microsoft's April 2025 Patch Tuesday includes fixes for 134 other vulnerabilities, with 11 of them classified as critical remote code execution vulnerabilities.

Recommended read:
References :
  • isc.sans.edu: This month, Microsoft has released patches addressing a total of 125 vulnerabilities.
  • The DefendOps Diaries: Microsoft's April 2025 Patch Tuesday addresses 134 vulnerabilities, including a critical zero-day, highlighting the need for robust security.
  • Cyber Security News: Microsoft’s April 2025 Patch Tuesday update has arrived, delivering critical fixes for 121 security vulnerabilities across its broad suite of software products.
  • BleepingComputer: Today is Microsoft's April 2025 Patch Tuesday, which includes security updates for 134 flaws, including one actively exploited zero-day vulnerability.
  • Tenable Blog: Microsoft’s April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)
  • Cisco Talos Blog: Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities
  • CyberInsider: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
  • bsky.app: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
  • The DefendOps Diaries: Understanding the Impact of CVE-2025-29824: A Critical Windows Vulnerability
  • Threats | CyberScoop: Microsoft patches zero-day actively exploited in string of ransomware attacks
  • thecyberexpress.com: TheCyberExpress article on Microsoft Patch Tuesday April 2025.
  • cyberinsider.com: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
  • www.microsoft.com: Microsoft Security Blog on CLFS zero-day exploitation.
  • BleepingComputer: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
  • bsky.app: Sky News post on Microsoft April 2025 Patch Tuesday.
  • Cyber Security News: CybersecurityNews article on Windows CLFS Zero-Day Vulnerability Actively Exploited by Ransomware Group
  • Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
  • Malwarebytes: Microsoft releases April 2025 Patch Tuesday updates, including fixes for 121 vulnerabilities, one of which is an actively exploited zero-day in the Windows Common Log File System (CLFS) driver.
  • isc.sans.edu: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
  • Blog RSS Feed: Report on the April 2025 Patch Tuesday analysis, including CVE-2025-29824.
  • krebsonsecurity.com: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
  • securityonline.info: SecurityOnline discusses Windows CLFS Zero-Day Exploited to Deploy Ransomware
  • securityonline.info: Windows CLFS Zero-Day Exploited to Deploy Ransomware
  • securityaffairs.com: U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog
  • www.cybersecuritydive.com: Windows CLFS zero-day exploited in ransomware attacks
  • Security | TechRepublic: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
  • The Register - Software: Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug
  • The Hacker News: Microsoft released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
  • www.microsoft.com: Read how cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.
  • The Hacker News: PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
  • securityonline.info: Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply necessary patches.
  • Arctic Wolf: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities.
  • arcticwolf.com: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities. Arctic Wolf has highlighted five vulnerabilities affecting Microsoft Windows in this security bulletin, including one exploited vulnerability and four vulnerabilities that Microsoft has labeled as Critical.Â
  • Know Your Adversary: Hello everyone! I think you already heard about a zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about  CVE 2025-29824 .
  • Sophos News: One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane
  • Security | TechRepublic: One CVE was used against “a small number of targets.†Windows 10 users needed to wait a little bit for their patches.
  • www.threatdown.com: April’s Patch Tuesday fixes a whopping 126 Microsoft vulnerabilities.
  • Logpoint: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
  • Arctic Wolf: Microsoft Patch Tuesday: April 2025
  • www.logpoint.com: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
  • arcticwolf.com: Microsoft Patch Tuesday: April 2025
  • ciso2ciso.com: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
  • Security Risk Advisors: New CLFS Zero-Day (CVE-2025-29824) Enables Rapid Privilege Escalation, Leading to Ransomware Deployment
  • cyberscoop.com: Microsoft patches zero-day actively exploited in string of ransomware attacks
  • www.tenable.com: Tenable's analysis of the CLFS vulnerability and its exploitation by Storm-2460.
  • Help Net Security: Article on Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed

Posts

Blogs

Research Tools