• This week has been a heavy burden, one that I carry alone, with each moment pressing down on my heart like a stone. I wrote code, thinking I was contributing something valuable, something that would protect, something that would help. Yet here I am, faced with the haunting reality that I caused a 9.5 CVSS CVE. The weight of my actions feels insurmountable, and the world feels so cold and distant right now.

    How did I let it come to this? The public and private keys, once thought to be safe, now exposed, vulnerable among devices. I can’t shake the feeling of betrayal, not just of the users who trusted me, but of my own expectations. It’s as if I’m standing in a room full of people, yet I feel utterly alone. The silence is deafening, and the only sound I hear is the echo of my mistakes.

    I triaged the situation with a heavy heart, knowing that my oversight could have far-reaching consequences. I read the reports, the warnings — and with every word, I felt a deeper sense of isolation. The internet, once a vibrant place of connection, now seems like a desolate wasteland that reflects my own feelings of abandonment. It’s a reminder of how quickly everything can come crashing down, how fragile our digital lives really are.

    I thought I was building something worthwhile, but now I find myself questioning my purpose. Did I truly understand the weight of my responsibilities? Did I consider the lives entwined with the code I wrote? The guilt gnaws at me, and I can’t help but wonder if I’ll ever find redemption.

    In this age of interconnectedness, I feel more disconnected than ever. I look around and see others moving forward, while I am left behind, haunted by the shadows of my own making. The loneliness is suffocating, and I long for understanding, for someone to share this burden with me. Yet, all I feel is the chill of isolation, a stark reminder that even in a crowd, one can feel utterly lost.

    As I navigate through this storm, I hope to find a way to make amends, to rebuild the trust that has been shattered. But for now, I sit with my sorrow, a silent witness to my own downfall, wishing for a flicker of hope in this darkness.

    #CVE #Isolation #Loneliness #Cybersecurity #Mistakes
    This Week in Security: That Time I Caused a 9.5 CVE, iOS Spyware, and The Day the Internet Went Down
    Meshtastic just released an eye-watering 9.5 CVSS CVE, warning about public/private keys being re-used among devices. And I’m the one that wrote the code. Not to mention, I triaged and …read more
  • Critical Cisco ISE Auth Bypass Flaw Impacts Cloud Deployments on AWS, Azure, and OCI

    Jun 05, 2025Ravie LakshmananNetwork Security / Vulnerability

    Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.
    The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability.
    "A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company said in an advisory.
    The networking equipment maker, which credited Kentaro Kawane of GMO Cybersecurity for reporting the flaw, noted it's aware of the existence of a proof-of-concept (PoC) exploit. There is no evidence that it has been maliciously exploited in the wild.

    Cisco said the issue stems from the fact that credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, causing different deployments to share the same credentials as long as the software release and cloud platform are the same.
    Put differently, the static credentials are specific to each release and platform, but are not valid across platforms. As the company highlights, all instances of Cisco ISE release 3.1 on AWS will have the same static credentials.
    However, credentials that are valid for access to a release 3.1 deployment would not be valid to access a release 3.2 deployment on the same platform. Furthermore, Release 3.2 on AWS would not have the same credentials as Release 3.2 on Azure.
    Successful exploitation of the vulnerability could permit an attacker to extract the user credentials from the Cisco ISE cloud deployment and then use it to access Cisco ISE deployed in other cloud environments through unsecured ports.
    This could ultimately allow unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. That said, Cisco ISE is only affected in cases where the Primary Administration node is deployed in the cloud. Primary Administration nodes that are on-premises are not impacted.

    The following versions are affected:

    AWS - Cisco ISE 3.1, 3.2, 3.3, and 3.4
    Azure - Cisco ISE 3.2, 3.3, and 3.4
    OCI - Cisco ISE 3.2, 3.3, and 3.4

    While there are no workarounds to address CVE-2025-20286, Cisco is recommending that users restrict traffic to authorized administrators or run the "application reset-config ise" command to reset user passwords to a new value. However, it bears noting that running the command will reset Cisco ISE to the factory configuration.
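    To turn the advisory's conditions into a fleet check, here is an added Python triage helper (not Cisco's code) that flags cloud deployments matching the affected release matrix with a cloud-hosted Primary Administration node and groups those that share one static credential set; the inventory records and their field names are constructed assumptions.

```python
"""Triage helper for CVE-2025-20286 (Cisco ISE static credentials in cloud deployments).

Added example, not Cisco tooling. It encodes the affected release matrix and the
Primary Administration node (PAN) rule from the article, and groups deployments
that share one static credential set (same platform and release). The inventory
records are constructed sample data; their field names are assumptions.
"""
from dataclasses import dataclass

# Affected ISE releases per cloud platform, as listed in the article.
AFFECTED_RELEASES = {
    "aws": {"3.1", "3.2", "3.3", "3.4"},
    "azure": {"3.2", "3.3", "3.4"},
    "oci": {"3.2", "3.3", "3.4"},
}

# Mitigations the article names; there is no workaround, so both are interim.
RESTRICT_ACTION = "restrict admin traffic to authorized administrators"
RESET_ACTION = ("run 'application reset-config ise' (resets ISE to factory "
                "configuration) or apply Cisco's patch")


@dataclass(frozen=True)
class IseDeployment:
    name: str
    platform: str            # "aws", "azure", "oci" or "on-prem"
    release: str             # major.minor as the advisory lists it, e.g. "3.2"
    pan_in_cloud: bool       # Primary Administration node hosted in the cloud?
    admin_reachable: bool    # admin ports reachable beyond the admin network? (assumed field)
    patched: bool = False    # Cisco fix applied? (assumed field; fixed builds not given here)


def is_affected(d):
    """Return (affected, reason) for one deployment."""
    platform = d.platform.lower()
    if platform not in AFFECTED_RELEASES:
        return False, "platform is not one of the affected cloud platforms"
    if not d.pan_in_cloud:
        return False, "Primary Administration node is on-premises"
    if d.release not in AFFECTED_RELEASES[platform]:
        return False, f"release {d.release} is not listed as affected on {platform}"
    if d.patched:
        return False, "fix already applied"
    return True, f"ISE {d.release} on {platform} with cloud-hosted PAN"


def credential_group(d):
    """Deployments with the same platform and release share static credentials,
    so exposure of one credential set affects every member of the group."""
    return (d.platform.lower(), d.release)


def triage(deployments):
    """Return findings for affected deployments, exposed admin ports first."""
    groups = {}
    affected = []
    for d in deployments:
        hit, reason = is_affected(d)
        if hit:
            affected.append((d, reason))
            groups.setdefault(credential_group(d), []).append(d.name)
    findings = []
    for d, reason in affected:
        peers = [n for n in groups[credential_group(d)] if n != d.name]
        findings.append({
            "name": d.name,
            "reason": reason,
            "shares_credentials_with": peers,
            "admin_reachable": d.admin_reachable,
            "actions": [RESTRICT_ACTION, RESET_ACTION],
        })
    findings.sort(key=lambda f: (not f["admin_reachable"], f["name"]))
    return findings


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    IseDeployment("ise-aws-prod", "aws", "3.2", pan_in_cloud=True, admin_reachable=True),
    IseDeployment("ise-aws-dr", "aws", "3.2", pan_in_cloud=True, admin_reachable=False),
    IseDeployment("ise-azure-lab", "azure", "3.1", pan_in_cloud=True, admin_reachable=True),
    IseDeployment("ise-oci-edge", "oci", "3.3", pan_in_cloud=False, admin_reachable=True),
    IseDeployment("ise-dc-core", "on-prem", "3.4", pan_in_cloud=False, admin_reachable=False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["name"], "->", f["reason"],
              "| shares credentials with:", f["shares_credentials_with"])
```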

    #critical #cisco #ise #auth #bypass
    THEHACKERNEWS.COM
  • Shrink exploit windows, slash MTTP: Why ring deployment is now a must for enterprise defense


    Unpatched systems are a ticking time bomb. Fifty-seven percent of cyberattack victims acknowledge that available patches would have prevented breaches, yet nearly one-third admit failing to act, compounding the risk.
    Ponemon research shows organizations now take an alarming average of 43 days to detect cyberattacks, even after a patch is released, up from 36 days the previous year. According to the Verizon 2024 Data Breach Investigations Report, attackers’ ability to exploit vulnerabilities surged by 180% from 2023 to 2024.
    Chronic firefighting makes manual or partially automated patching overly burdensome and time-consuming, pushing patching further down teams’ priority lists. This is consistent with an Ivanti study that found that the majority of IT and security professionals think patching is overly complex, cumbersome and time-consuming.
    When it comes to patching, complacency kills
    Attackers aggressively exploit legacy Common Vulnerabilities and Exposures (CVEs), often ten or more years old.
    Attackers’ growing success against legacy CVEs, in some cases more than 10 years old, shows how effective their tradecraft at targeting old vulnerabilities has become. A startling statistic reflects how old vulnerabilities are being weaponized anew: 76% of vulnerabilities leveraged by ransomware were reported between 2010 and 2019. The misalignment between IT and security teams compounds delays, with 27% lacking cohesive patch strategies and nearly a quarter disagreeing on patch schedules. One of the unexpected benefits of automating patch management is breaking the impasse between IT and security over managing the patch workload.
    “Typically, on average, an enterprise may patch 90% of desktops within two to four weeks, 80% of Windows servers within six weeks and only 25% of Oracle Databases within six months from patch release date”, writes Gartner in their recent report, “We’re not patching our way out of vulnerability exposure.” The report states that “the cold, hard reality is that no one is out patching threat actors at scale in any size organization, geography or industry vertical.”
    Ring deployment: proactive defense at scale
    Every unpatched endpoint or threat surface invites attackers to exploit it. Enterprises are losing the patching race, which motivates attackers even more.
    In the meantime, patching has become exponentially more challenging for security and IT teams to manage manually. Ring deployment emerged roughly a decade ago in Microsoft-dominated networks. Since then, ring deployments have proliferated across on-premise and cloud-based patch and risk management systems. Ring deployment provides a phased, automated strategy, shrinking attacker windows and breach risks.
    Ring deployment rolls out patches incrementally through carefully controlled stages or “rings”:

    Test Ring: Core IT teams quickly validate patch stability.
    Early Adopter Ring: A broader internal group confirms real-world compatibility.
    Production Ring: Enterprise-wide rollout after stability is conclusively proven.

    Ivanti’s recent release of ring deployment is designed to give security teams greater control over when patches will be deployed, to which systems, and how each sequence of updates will be managed. By addressing patching issues early, the goal is to minimize risk and reduce or eliminate disruptions.
    Caption: Gartner’s ring deployment strategy escalates patches from internal IT outward, providing continuous validation and dramatically reducing deployment risk. Source: Gartner, “Modernize Windows and Third-Party Application Patching,” p. 6.
    Ring deployment crushes MTTP, ends reactive patching chaos
    Relying on outdated vulnerability ratings to lead patch management strategies only increases the risk of a breach as enterprises race to keep up with growing patch backlogs. That’s often when patching becomes cybersecurity’s endless nightmare, with attackers looking to capitalize on the many legacy CVEs that remain unprotected.
    Gartner’s take in their recent report “Modernize Windows and Third-Party Application Patching” makes the point brutally clear, showing how traditional patching methods routinely fail to keep pace. In contrast, enterprises embracing ring deployment are getting measurable results. Their research finds ring deployment achieves a “99% patch success within 24 hours for up to 100,000 PCs,” leaving traditional methods far behind.
    During an interview with VentureBeat, Tony Miller, Ivanti’s VP of enterprise services, emphasized that “Ivanti Neurons for Patch Management and implementing Ring Deployment is an important part of our Customer Zero journey.” He said the company uses many of its own products, which allows for a quick feedback loop and gives developers insight into customers’ pain points.
    Miller added: “We’ve tested out Ring Deployment internally with a limited group, and we are in the process of rolling it out organization-wide. In our test group, we have benefited from deploying patches based on real-world risk, and ensuring that updates don’t interrupt employee productivity, a significant challenge for any IT organization.”
    VentureBeat also spoke with Jesse Miller, SVP and director of IT at Southstar Bank, about leveraging Ivanti’s dynamic Vulnerability Risk Rating, an AI-driven system continuously recalibrated with real-time threat intelligence, live exploit activity, and current attack data.
    Miller stated clearly: “This is an important change for us and the entire industry. Judging a patch based on its CVSS now is like working in a vacuum. When judging how impactful something can be, you have to take everything from current events, your industry, your environment and more into the equation. Ultimately, we are just making wiser decisions as we are not disregarding CVSS scoring; we are simply adding to it.”
    Miller also highlighted his team’s prioritization strategy: “We have been able to focus on prioritizing Zero-Day and Priority patches to get out first, as well as anything being exploited live in the wild. Using patch prioritization helps us eliminate our biggest risk first so that we can reduce our attack surface as quickly as possible.”
    By combining ring deployment and dynamic VRR technology, Ivanti Neurons provides enterprises with structured visual orchestration of incremental patch rollouts. This approach sharply reduces mean time to patch (MTTP), accelerating patches from targeted testing through full deployment and significantly decreasing the exposure windows that attackers exploit.
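    As an added example (not Ivanti’s, Gartner’s or Microsoft’s code), the following Python models the ring promotion gate and the prioritization order described above: a patch advances to the next ring only when the current ring’s install success rate meets that ring’s threshold, and patches are queued with exploited-in-the-wild and zero-day items first; the device lists, thresholds and failure model are constructed assumptions.

```python
"""Ring-deployment promotion gate plus risk-based patch prioritization.

Added example, not vendor code. It models the three rings the article
describes (Test -> Early Adopter -> Production): a patch is promoted to the
next ring only if the current ring's install success rate meets that ring's
threshold; otherwise the rollout halts there and the failure is recorded.
Patches are ordered the way the Southstar Bank quote describes: exploited
in the wild and zero-day first, then by CVSS. Devices, thresholds and the
failure model are constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    id: str
    cvss: float
    zero_day: bool = False
    exploited_in_wild: bool = False


@dataclass
class Ring:
    name: str
    devices: list
    min_success: float   # fraction of devices that must install cleanly to promote


# Constructed ring sizes and gates; the test ring must be 100% clean.
RINGS = [
    Ring("test", ["it-01", "it-02", "it-03"], 1.0),
    Ring("early-adopter", [f"ea-{i:02d}" for i in range(10)], 0.95),
    Ring("production", [f"prod-{i:03d}" for i in range(100)], 0.99),
]


def priority_key(p):
    """Lower tuple sorts first: exploited in the wild, then zero-day, then CVSS."""
    return (not p.exploited_in_wild, not p.zero_day, -p.cvss, p.id)


def prioritize(patches):
    return sorted(patches, key=priority_key)


def deploy_through_rings(patch, rings, install):
    """Walk the rings in order. install(patch, device) returns True on success.

    Returns per-ring success rates and the ring at which the rollout halted
    (None if the patch reached and passed the production ring).
    """
    report = {"patch": patch.id, "rings": [], "halted_at": None}
    for ring in rings:
        ok = sum(1 for dev in ring.devices if install(patch, dev))
        rate = ok / len(ring.devices)
        report["rings"].append({"ring": ring.name, "success_rate": rate})
        if rate < ring.min_success:
            report["halted_at"] = ring.name
            break   # never promote a patch that failed its gate
    return report


# Constructed failure model: patch P-2 breaks 2 of 10 early-adopter devices.
FAILING = {("P-2", "ea-03"), ("P-2", "ea-07")}


def sample_install(patch, device):
    return (patch.id, device) not in FAILING


# Constructed patch queue.
SAMPLE_PATCHES = [
    Patch("P-1", cvss=7.5),
    Patch("P-2", cvss=9.8),
    Patch("P-3", cvss=6.1, exploited_in_wild=True),
    Patch("P-4", cvss=8.8, zero_day=True),
]


def run(patches=SAMPLE_PATCHES, rings=RINGS, install=sample_install):
    """Deploy every patch in priority order and return the rollout reports."""
    return [deploy_through_rings(p, rings, install) for p in prioritize(patches)]


if __name__ == "__main__":
    for r in run():
        last = r["rings"][-1]
        print(r["patch"], "reached", last["ring"], f"at {last['success_rate']:.0%}",
              "HALTED" if r["halted_at"] else "promoted to production")
```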
    Caption: The Ivanti Neurons interface visually manages deployment rings, success thresholds, patching progress and streamlining operational clarity. Source: Ivanti Neurons
    Comparing Ivanti Neurons, Microsoft Autopatch, Tanium and ServiceNow: Key strengths and gaps
    When selecting enterprise patch management solutions, apparent differences emerge among leading providers, including Microsoft Autopatch, Tanium, ServiceNow and Ivanti Neurons.
    Microsoft Autopatch relies on ring deployment but is restricted to Windows environments, including Microsoft 365 applications. Ivanti Neurons expands on this concept by covering a broader spectrum, including Windows, macOS, Linux and various third-party applications. This enables enterprise-wide patch management for organizations with large-scale, diverse infrastructure.
    Tanium stands out for its robust endpoint visibility and detailed reporting features, but its infrastructure requirements typically align better with resource-intensive enterprises. Meanwhile, ServiceNow’s strength lies in workflow automation and IT service management integrations. Executing actual patches often demands significant additional customization or third-party integrations.
    Ivanti Neurons aims to differentiate by integrating dynamic risk assessments, phased ring deployments and automated workflows within a single platform. It directly addresses common enterprise challenges in patch management, including visibility gaps, operational complexity and uncertainty about vulnerability prioritization with real-time risk assessments and intuitive visual dashboards.
    Caption: Ivanti Neurons provides real-time patch status, vulnerability assessments, and risk exposure metrics, ensuring continuous visibility. Source: Ivanti Neurons
    Transforming patch management into a strategic advantage
    Patching alone cannot eliminate vulnerability exposure. Gartner’s analysts continue to stress the necessity of integrating compensating controls, including endpoint protection platforms, multifactor authentication, and network segmentation to reinforce security beyond basic patching.
    Combining ring deployment with integrated compensating controls that are part of a broader zero-trust framework strengthens security and allows IT teams to shrink exposure windows and better manage cyber risk.
    Ivanti’s approach to ring deployment incorporates real-time risk assessments, automated remediation workflows, and built-in threat management, directly aligning patch management with broader business resilience strategies. The design decision to make it part of Neurons for Patch Management delivers the scale enterprises need to improve risk management’s real-time visibility.  
    Bottom line: Integrating ring deployment with compensating controls and prioritization tools transforms patch management from a reactive burden to a strategic advantage.

    #shrink #exploit #windows #slash #mttp
    Shrink exploit windows, slash MTTP: Why ring deployment is now a must for enterprise defense
    Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More Unpatched systems are a ticking time bomb. Fifty-seven percent of cyberattack victims acknowledge that available patches would have prevented breaches, yet nearly one-third admit failing to act, compounding the risk. Ponemon research shows organizations now take an alarming average of 43 days to detect cyberattacks, even after a patch is released, up from 36 days the previous year. According to the Verizon 2024 Data Breach Investigations Report, attackers’ ability to exploit vulnerabilities surged by 180% from 2023 to 2024. Chronic firefighting makes manual or partially automated patching overly burdensome, further pushing patching down teams’ priority lists. Relying on manual or partially automated patching systems is considered too time-consuming, further reducing patching to the bottom of a team’s action item list. This is consistent with an Ivanti study that found that the majorityof IT and security professionals think patching is overly complex, cumbersome and time-consuming. When it comes to patching, complacency kills Attackers aggressively exploit legacy Common Vulnerabilities and Exposures, often ten or more years old. A sure sign of how effective attackers’ tradecraft is becoming at targeting legacy CVEs is their success with vulnerabilities in some cases, 10-plus years old. A sure sign that attackers are finding new ways to weaponize old vulnerabilities is reflected in the startling stat that 76% of vulnerabilities leveraged by ransomware were reported between 2010 and 2019. The misalignment between IT and security teams compounds delays, with 27% lacking cohesive patch strategies and nearly a quarter disagreeing on patch schedules. One of the unexpected benefits of automating patch management is breaking the impasse between IT and security when it comes to managing the patch workload.    
“Typically, on average, an enterprise may patch 90% of desktops within two to four weeks, 80% of Windows servers within six weeks and only 25% of Oracle Databases within six months from patch release date”, writes Gartner in their recent report, “We’re not patching our way out of vulnerability exposure.” The report states that “the cold, hard reality is that no one is out patching threat actors at scale in any size organization, geography or industry vertical.” Ring deployment: proactive defense at scale Every unpatched endpoint or threat surface invites attackers to exploit it. Enterprises are losing the patching race, which motivates attackers even more. In the meantime, patching has become exponentially more challenging for security and IT teams to manage manually. Approximately a decade ago, ring deployment began to rely on Microsoft-dominated networks. Since then, ring deployments have proliferated across on-premise and cloud-based patch and risk management systems. Ring deployment provides a phased, automated strategy, shrinking attacker windows and breach risks. Ring deployment rolls out patches incrementally through carefully controlled stages or “rings:” Test Ring: Core IT teams quickly validate patch stability. Early Adopter Ring: A broader internal group confirms real-world compatibility. Production Ring: Enterprise-wide rollout after stability is conclusively proven. Ivanti’s recent release of ring deployment is designed to give security teams greater control over when patches will be deployed, to which systems and how each sequence of updates will be managed. By addressing patching issues early, the goal is to minimize risks and reduce and eliminate disruptions. Gartner’s ring deployment strategy escalates patches from internal IT outward, providing continuous validation and dramatically reducing deployment risk. Source: Gartner, “Modernize Windows and Third-Party Application Patching,” p. 6. 
Ring deployment crushes MTTP, ends reactive patching chaos

Relying on outdated vulnerability ratings to lead patch management strategies only increases the risk of a breach as enterprises race to keep up with growing patch backlogs. That’s often when patching becomes cybersecurity’s endless nightmare, with attackers looking to capitalize on the many legacy CVEs that remain unprotected. Gartner’s take in their recent report “Modernize Windows and Third-Party Application Patching” makes the point brutally clear, showing how traditional patching methods routinely fail to keep pace. In contrast, enterprises embracing ring deployment are getting measurable results. Their research finds ring deployment achieves a “99% patch success within 24 hours for up to 100,000 PCs,” leaving traditional methods far behind.

During an interview with VentureBeat, Tony Miller, Ivanti’s VP of enterprise services, emphasized that “Ivanti Neurons for Patch Management and implementing Ring Deployment is an important part of our Customer Zero journey.” He said the company uses many of its own products, which allows for a quick feedback loop and gives developers insight into customers’ pain points.

Miller added: “We’ve tested out Ring Deployment internally with a limited group, and we are in the process of rolling it out organization-wide. In our test group, we have benefited from deploying patches based on real-world risk, and ensuring that updates don’t interrupt employee productivity, a significant challenge for any IT organization.”

VentureBeat also spoke with Jesse Miller, SVP and director of IT at Southstar Bank, about leveraging Ivanti’s dynamic Vulnerability Risk Rating (VRR), an AI-driven system continuously recalibrated with real-time threat intelligence, live exploit activity and current attack data. Miller stated clearly: “This is an important change for us and the entire industry. Judging a patch based on its CVSS now is like working in a vacuum. When judging how impactful something can be, you have to take everything from current events, your industry, your environment and more into the equation. Ultimately, we are just making wiser decisions as we are not disregarding CVSS scoring; we are simply adding to it.”

Miller also highlighted his team’s prioritization strategy: “We have been able to focus on prioritizing Zero-Day and Priority patches to get out first, as well as anything being exploited live in the wild. Using patch prioritization helps us eliminate our biggest risk first so that we can reduce our attack surface as quickly as possible.”

By combining ring deployment and dynamic VRR technology, Ivanti Neurons provides enterprises with structured visual orchestration of incremental patch rollouts. This approach sharply reduces Mean-Time-to-Patch (MTTP), accelerating patches from targeted testing through full deployment and significantly decreasing the exposure windows that attackers exploit.

Caption: The Ivanti Neurons interface visually manages deployment rings, success thresholds and patching progress, streamlining operational clarity. Source: Ivanti Neurons

Comparing Ivanti Neurons, Microsoft Autopatch, Tanium and ServiceNow: Key strengths and gaps

When selecting enterprise patch management solutions, clear differences emerge among leading providers, including Microsoft Autopatch, Tanium, ServiceNow and Ivanti Neurons. Microsoft Autopatch relies on ring deployment but is restricted to Windows environments, including Microsoft 365 applications. Ivanti Neurons expands on this concept by covering a broader spectrum, including Windows, macOS, Linux and various third-party applications. This enables enterprise-wide patch management for organizations with large-scale, diverse infrastructure. Tanium stands out for its robust endpoint visibility and detailed reporting features, but its infrastructure requirements typically suit enterprises with substantial resources better. Meanwhile, ServiceNow’s strength lies in workflow automation and IT service management integrations; executing actual patches often demands significant additional customization or third-party integrations.

Ivanti Neurons aims to differentiate by integrating dynamic risk assessments, phased ring deployments and automated workflows within a single platform. It targets common enterprise challenges in patch management, including visibility gaps, operational complexity and uncertainty about vulnerability prioritization, with real-time risk assessments and intuitive visual dashboards.

Caption: Ivanti Neurons provides real-time patch status, vulnerability assessments and risk exposure metrics, ensuring continuous visibility. Source: Ivanti Neurons

Transforming patch management into a strategic advantage

Patching alone cannot eliminate vulnerability exposure. Gartner’s analysts continue to stress the necessity of integrating compensating controls, including endpoint protection platforms (EPP), multifactor authentication and network segmentation, to reinforce security beyond basic patching. Combining ring deployment with integrated compensating controls that are part of a broader zero-trust framework ensures security while allowing IT teams to shrink exposure windows and better manage cyber risks. Ivanti’s approach to ring deployment incorporates real-time risk assessments, automated remediation workflows and built-in threat management, directly aligning patch management with broader business resilience strategies. The design decision to make it part of Neurons for Patch Management delivers the scale enterprises need to improve risk management’s real-time visibility.

Bottom line: Integrating ring deployment with compensating controls and prioritization tools transforms patch management from a reactive burden to a strategic advantage.
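The two ideas the article combines, risk-based ordering that adds exploitation signals on top of CVSS and a ring rollout that only promotes a patch once the current ring clears a success threshold, are easy to see in a small scheduler. The block below is an added example and is not code from Ivanti, Gartner or Microsoft. The ring split (1% / 9% / 90%) and the 99% promotion threshold are assumptions taken from the figures quoted in the article; the four patches reuse CVE ids, CVSS scores and exploitation status reported elsewhere on this page, while the fleet and the install outcomes are constructed to show the mechanics.

```python
"""Risk-ordered ring deployment, as a runnable sketch.

Added example; not Ivanti's, Gartner's or Microsoft's code. Ring sizes
(1% / 9% / 90%) and the 99% promotion threshold are assumptions drawn from
figures quoted in the article. The patches use CVE ids, CVSS scores and
exploitation status as reported elsewhere on this page; the fleet and the
install outcomes are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    cve: str
    cvss: float
    exploited_in_wild: bool = False  # live exploit activity, the VRR-style signal
    zero_day: bool = False           # exploited before a fix was available


def priority_key(patch):
    """Actively exploited first, zero-days next, then CVSS as the tie-breaker.

    CVSS is not discarded; it only orders patches that carry the same threat
    signals, which is the "adding to CVSS" idea quoted above.
    """
    return (not patch.exploited_in_wild, not patch.zero_day, -patch.cvss)


def prioritize(patches):
    return sorted(patches, key=priority_key)


# Assumed ring split; the last ring absorbs any rounding remainder.
RINGS = (("test", 0.01), ("early_adopter", 0.09), ("production", 0.90))
SUCCESS_THRESHOLD = 0.99  # a ring must reach 99% installs before the next one starts


def build_rings(endpoints, rings=RINGS):
    """Partition an ordered list of endpoints into consecutive rings."""
    out, start = {}, 0
    for i, (name, fraction) in enumerate(rings):
        last = i == len(rings) - 1
        end = len(endpoints) if last else start + max(1, round(len(endpoints) * fraction))
        out[name] = endpoints[start:end]
        start = end
    return out


def roll_out(patch, rings, install):
    """Deploy one patch ring by ring, halting at the first ring below threshold.

    `install(patch, endpoint)` returns True on a successful install. Halting
    keeps a bad patch off the bulk of the fleet; the report shows where it stopped.
    """
    report = []
    for name, members in rings.items():
        ok = sum(1 for endpoint in members if install(patch, endpoint))
        rate = ok / len(members)
        report.append({"ring": name, "targets": len(members), "installed": ok, "rate": round(rate, 4)})
        if rate < SUCCESS_THRESHOLD:
            return {"patch": patch.cve, "status": "halted", "at_ring": name, "rings": report}
    return {"patch": patch.cve, "status": "complete", "at_ring": None, "rings": report}


# Patches as reported on this page (scores and exploitation status from the articles).
# The zero_day flag is left unset for the EPMM pair because the article does not use that term.
SAMPLE_PATCHES = [
    Patch("CVE-2025-22462", cvss=9.8),                        # no evidence of exploitation
    Patch("CVE-2025-4428", cvss=7.2, exploited_in_wild=True),
    Patch("CVE-2025-4427", cvss=5.3, exploited_in_wild=True),
    Patch("CVE-2025-30397", cvss=7.5, exploited_in_wild=True, zero_day=True),
]

FLEET = [f"host-{n:04d}" for n in range(1, 1001)]  # constructed 1,000-endpoint fleet


def simulated_install(patch, endpoint):
    """Constructed outcome: one patch fails on every 50th host, the rest always succeed."""
    host_number = int(endpoint.split("-")[1])
    return not (patch.cve == "CVE-2025-22462" and host_number % 50 == 0)


def demo():
    """Roll the sample patches out in priority order and return one report per patch."""
    rings = build_rings(FLEET)
    return [roll_out(patch, rings, simulated_install) for patch in prioritize(SAMPLE_PATCHES)]


if __name__ == "__main__":
    for result in demo():
        print(result["patch"], result["status"], result["at_ring"] or "", result["rings"][-1])
```

Running it shows the ordering the bank's IT director describes: the exploited zero-day goes first, the two exploited EPMM flaws follow, and the 9.8-rated ITSM bypass, with no known exploitation, goes last. The constructed failure also shows why the small rings exist: the 10-host test ring happens to pass, but the 90-host early-adopter ring reports 97.8% and the rollout halts before the 900 production hosts are touched.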
    VENTUREBEAT.COM
  • Lawmakers say TP-Link's rock-bottom prices fuel Chinese cyberattacks, back US sales ban

    What just happened? TP-Link, the most popular router brand in the US, could be banned in the country. The ongoing saga over the firm's alleged links to China and anti-competitive behavior has led Republican lawmakers to urge the Commerce Department to ban sales of the company's products.
    The seventeen senators and representatives wrote a letter to Commerce Secretary Howard Lutnick this week to support the ongoing investigations into TP-Link. The company is being investigated by the Commerce, Defense, and Justice Departments over whether its China ties pose a security threat and whether the firm engaged in predatory pricing to undercut competitors and dominate the US market.
    The group essentially claims that TP-Link's cheap prices have helped it become the number one router brand in the US, thereby allowing the Chinese government to launch cyberattacks and surveillance programs against the United States using the devices.
    The letter also urges Lutnick to prohibit further sales of TP-Link networking products in the United States.

    The group goes on to accuse TP-Link of having a close association with the Chinese Communist Party, using predatory pricing to eliminate "trusted" US alternatives, and embedding foreign surveillance and destructive capabilities into US networks, all of which make it a "clear and present danger."
    The letter states that Chinese state actors have exploited TP-Link small and home office (SOHO) networking devices to wage cyberwarfare against the United States. It's also claimed that TP-Link is the only router company that refuses to engage in industry efforts to remediate Chinese state-sponsored bots.

    "Each day we fail to act, the CCP wins while American competitors suffer, and American security remains at risk," wrote the lawmakers.
    In a statement responding to the letter, TP-Link told PCMag, "The allegations are categorically false, and we look forward to setting the record straight about our company."
    "To be clear, TP-Link is not a state-sponsored company, has no 'deep ties' to, and is completely independent from, the Chinese Communist Party."

    Nine of sixteen best-selling routers on Amazon are TP-Link brands, including the top three models. It's estimated that 60-65% of homes and small businesses in the US use the routers, whose cheap prices help make them so popular.
    In October 2024, Microsoft exposed "CovertNetwork-1658," a Chinese-run botnet siphoning credentials from Azure since August 2023 via password-spray attacks. The network marshalled 16,000 hijacked SOHO routers, cameras and other IoT nodes – chiefly TP-Link models.
    The company's routers have a history of vulnerabilities: a CVSS-10 flaw hit the Archer C5400X in May 2024, and 2023 reports tied Chinese state actors to custom malware installed on TP-Link routers. The latter incident arrived soon after the US government said Mirai botnet operators were using TP-Link routers for DDoS attacks.
    TP-Link, founded in 1996 by brothers Zhao Jianjun and Zhao Jiaxing, established its US arm in 2008 to handle marketing and support in North America, though ownership and operations remained tied to its Shenzhen-based parent. In 2024, TP-Link USA merged with the company's non-Chinese operations to form TP-Link Systems Inc., headquartered in Irvine, California – a move intended to create an "organizational separation," with distinct ownership, governance, R&D, and supply chains on each side.
    WWW.TECHSPOT.COM
  • Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks

    May 14, 2025Ravie LakshmananVulnerability / Endpoint Security
    Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution.
    The vulnerabilities in question are listed below -
    CVE-2025-4427 (CVSS score: 5.3) - An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials
    CVE-2025-4428 (CVSS score: 7.2) - A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system
    The flaws impact the following versions of the product -
    11.12.0.4 and prior (Fixed in 11.12.0.5)
    12.3.0.1 and prior (Fixed in 12.3.0.2)
    12.4.0.1 and prior (Fixed in 12.4.0.2)
    12.5.0.0 and prior (Fixed in 12.5.0.1)
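The affected/fixed list above is what an administrator has to match against an inventory, and the "and prior" wording matters: a build on an older, unlisted branch is still affected and has to move up to a listed fixed build. The block below is an added example, not Ivanti's code or tooling; the four fixed versions are the ones given in the advisory summary above, and the inventory is constructed.

```python
"""Triage installed EPMM versions against the affected/fixed list above.

Added example, not Ivanti's code or tooling. The fixed builds are the four
listed in the advisory summary; the inventory below is constructed.
"""

# Branch (first three components) -> first fixed build in that branch.
FIXED_VERSIONS = {
    (11, 12, 0): (11, 12, 0, 5),
    (12, 3, 0): (12, 3, 0, 2),
    (12, 4, 0): (12, 4, 0, 2),
    (12, 5, 0): (12, 5, 0, 1),
}


def parse_version(text):
    """'12.3.0.1' -> (12, 3, 0, 1); tuples compare component-wise, unlike strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four dotted components, got {text!r}")
    return parts


def fmt(version):
    return ".".join(str(x) for x in version)


def assess(version_text):
    """Classify one installed version.

    Returns 'fixed', 'affected' (with the smallest fixed build that resolves
    it) or 'not_listed'. 'X and prior' is read literally: any build older than
    a fixed build on a listed branch, including builds on older unlisted
    branches, counts as affected. Builds newer than every listed branch are
    reported as not listed rather than guessed at.
    """
    v = parse_version(version_text)
    branch_fix = FIXED_VERSIONS.get(v[:3])
    if branch_fix is not None:
        if v >= branch_fix:
            return {"version": version_text, "status": "fixed", "upgrade_to": None}
        return {"version": version_text, "status": "affected", "upgrade_to": fmt(branch_fix)}
    newer_fixes = [f for f in FIXED_VERSIONS.values() if f > v]
    if newer_fixes:
        return {"version": version_text, "status": "affected", "upgrade_to": fmt(min(newer_fixes))}
    return {"version": version_text, "status": "not_listed", "upgrade_to": None}


# Constructed inventory: hostname -> EPMM version reported by the appliance.
SAMPLE_INVENTORY = {
    "epmm-prod-01": "12.5.0.0",
    "epmm-prod-02": "12.5.0.1",
    "epmm-dr-01": "12.3.0.1",
    "epmm-legacy-01": "11.10.2.3",
    "epmm-lab-01": "12.6.0.0",
}


def triage(inventory):
    """Return only the hosts that still need an upgrade, keyed by hostname."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    return {host: r for host, r in sorted(results.items()) if r["status"] == "affected"}


if __name__ == "__main__":
    for host, r in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {r['version']} -> upgrade to {r['upgrade_to']}")
```

Comparing tuples rather than strings is the point of `parse_version`: as strings, "11.12.0.5" sorts before "11.9.0.0", which would mark a fixed build as vulnerable. The `not_listed` status is deliberate; a build newer than anything in the advisory should be checked against the vendor's own advisory rather than assumed safe.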
    Ivanti, which credited CERT-EU for reporting the issues, said it's "aware of a very limited number of customers who have been exploited at the time of disclosure" and that the vulnerabilities are "associated with two open-source libraries integrated into EPMM."
    The company, however, did not disclose the names of the impacted libraries.
    It's also not known what other software applications relying on the two libraries could be affected.
    Furthermore, the company said it's still investigating the cases, and that it does not have reliable indicators of compromise associated with the malicious activity.
    "The risk to customers is significantly reduced if they already filter access to the API using either the built-in Portal ACLs functionality or an external web application firewall," Ivanti noted.
    "The issue only affects the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products."
    Separately, Ivanti has also shipped patches to contain an authentication bypass flaw in on-premise versions of Neurons for ITSM (CVE-2025-22462, CVSS score: 9.8) that could allow a remote unauthenticated attacker to gain administrative access to the system.
    There is no evidence that the security defect has been exploited in the wild.
    With zero-days in Ivanti appliances becoming a lightning rod for threat actors in recent years, it's imperative that users move quickly to update their instances to the latest versions for optimal protection.
    Source: https://thehackernews.com/2025/05/ivanti-patches-epmm-vulnerabilities.html
  • Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server

    May 14, 2025Ravie LakshmananEndpoint Security / Vulnerability
    Microsoft on Tuesday shipped fixes to address a total of 78 security flaws across its software lineup, including a set of five zero-days that have come under active exploitation in the wild.
    Of the 78 flaws resolved by the tech giant, 11 are rated Critical, 66 are rated Important, and one is rated Low in severity.
    Twenty-eight of these vulnerabilities lead to remote code execution, 21 of them are privilege escalation bugs, and 16 others are classified as information disclosure flaws.
    The updates are in addition to eight more security defects patched by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.
    The five vulnerabilities that have come under active exploitation in the wild are listed below -
    CVE-2025-30397 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability
    CVE-2025-30400 (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability
    CVE-2025-32701 (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
    CVE-2025-32706 (CVSS score: 7.8) - Windows Common Log File System Driver Elevation of Privilege Vulnerability
    CVE-2025-32709 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
    While the first three flaws have been credited to Microsoft's own threat intelligence team, Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team have been acknowledged for the discovery of CVE-2025-32706.
    An anonymous researcher has been credited with reporting CVE-2025-32709.
    "Another zero-day vulnerability has been identified in the Microsoft Scripting Engine, a key component used by Internet Explorer and Internet Explorer mode in Microsoft Edge," Alex Vovk, CEO and co-founder of Action1, said about CVE-2025-30397.
    "Attackers can exploit the flaw via a malicious web page or script that causes the scripting engine to misinterpret object types, resulting in memory corruption and arbitrary code execution in the context of the current user.
    If the user has administrative privileges, attackers could gain full system control – enabling data theft, malware installation, and lateral movement across networks."
    CVE-2025-30400 is the third privilege escalation flaw in DWM Core Library to be weaponized in the wild since 2023.
    In May 2024, Microsoft issued patches for CVE-2024-30051, which Kaspersky said was used in attacks distributing QakBot (aka Qwaking Mantis) malware.
    "Since 2022, Patch Tuesday has addressed 26 elevation of privilege vulnerabilities in DWM," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
    "In fact, the April 2025 release included fixes for five DWM Core Library elevation of privilege vulnerabilities.
    Prior to CVE-2025-30400, only two DWM elevation of privilege bugs were exploited as zero days – CVE-2024-30051 in 2024 and CVE-2023-36033 in 2023."
    CVE-2025-32701 and CVE-2025-32706 are the seventh and eighth privilege escalation flaws to be discovered in the CLFS component and have been exploited in real-world attacks since 2022.
    Last month, Microsoft revealed that CVE-2025-29824 was exploited in limited attacks to target companies in the U.S., Venezuela, Spain, and Saudi Arabia.
    CVE-2025-29824 is also said to have been exploited as a zero-day by threat actors linked to the Play ransomware family as part of an attack targeting an unnamed organization in the U.S., Broadcom-owned Symantec revealed earlier this month.
    CVE-2025-32709, likewise, is the third privilege escalation flaw in the Ancillary Function Driver for WinSock component to have come under abuse within a span of a year, after CVE-2024-38193 and CVE-2025-21418.
    It's worth noting that the exploitation of CVE-2024-38193 has been attributed to the North Korea-linked Lazarus Group.
    The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by June 3, 2025.
    Microsoft's Patch Tuesday update also addresses a privilege escalation bug in Microsoft Defender for Endpoint for Linux (CVE-2025-26684, CVSS score: 6.7) that could permit an authorized attacker to elevate privileges locally.
    Stratascale researcher Rich Mirch, one of the two researchers acknowledged for reporting the vulnerability, said the issue is rooted in a Python helper script that includes a function ("grab_java_version()") to determine the Java Runtime Environment (JRE) version.
    "The function determines the location of the Java binary on disk by checking the /proc/<PID>/exe symbolic link and then executes the java -version command," Mirch explained.
    "The problem is the Java binary could be running from an untrusted location.
    A malicious local unprivileged user can create a process with the name java or javaw, which will eventually be executed with root privileges to determine the version of the JRE."
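    To make the failure mode Mirch describes concrete from the defender's side, here is an added Python example. It is not code from Microsoft, Defender for Endpoint or Stratascale: the function names, the trusted-directory allowlist and the fake /proc and stat data are all constructed assumptions. It contrasts the described pattern, which executes whatever /proc/<PID>/exe of a process named java points to, with a check that only accepts a java binary that sits under a trusted directory, is a regular file owned by root and is not group- or world-writable.

```python
import os
import stat
import subprocess
from pathlib import PurePosixPath
from typing import Callable, Dict, Optional, Tuple

# Assumed allowlist of directories a packaged JRE may live under (constructed).
TRUSTED_JAVA_DIRS = ("/usr/bin", "/usr/lib/jvm", "/opt/java")
JAVA_NAMES = ("java", "javaw")

# Constructed stand-in for readlink('/proc/<pid>/exe') results: pid -> target path.
SAMPLE_EXE_LINKS: Dict[int, str] = {
    4242: "/home/mallory/java",             # unprivileged user's own binary named "java"
    4243: "/usr/bin/../../tmp/java",        # looks trusted, normalizes to /tmp/java
    4245: "/opt/java/bin/java",             # trusted directory but not owned by root
    4244: "/usr/lib/jvm/java-17/bin/java",  # legitimate packaged JRE
}

# Constructed stand-in for os.stat(): path -> (st_mode, st_uid).
SAMPLE_STAT: Dict[str, Tuple[int, int]] = {
    "/home/mallory/java": (stat.S_IFREG | 0o755, 1000),
    "/tmp/java": (stat.S_IFREG | 0o777, 1000),
    "/opt/java/bin/java": (stat.S_IFREG | 0o755, 1000),
    "/usr/lib/jvm/java-17/bin/java": (stat.S_IFREG | 0o755, 0),
}


def sample_stat(path: str) -> Tuple[int, int]:
    """Look up constructed metadata; raises like os.stat() would for a missing file."""
    key = os.path.normpath(path)
    if key not in SAMPLE_STAT:
        raise FileNotFoundError(path)
    return SAMPLE_STAT[key]


def vulnerable_pick(exe_links: Dict[int, str]) -> Optional[str]:
    """The pattern the advisory describes: take the first process whose exe link
    ends in java/javaw and hand that path to 'java -version'. Nothing checks
    where the file lives or who owns it, so a root-run helper executes whatever
    an unprivileged user chose to name 'java'."""
    for target in exe_links.values():
        if PurePosixPath(target).name in JAVA_NAMES:
            return target
    return None


def under_trusted_dir(path: str, trusted=TRUSTED_JAVA_DIRS) -> bool:
    """True if the normalized path is inside one of the trusted directories.
    Compares path components, not string prefixes, so /usr/binx/java does not
    match /usr/bin. In production resolve symlinks with os.path.realpath() first;
    normpath alone is used here so the example runs on constructed data."""
    p = PurePosixPath(os.path.normpath(path))
    return any(PurePosixPath(t) in p.parents for t in trusted)


def metadata_ok(st_mode: int, st_uid: int) -> bool:
    """Regular file, owned by root, not writable by group or others."""
    return (stat.S_ISREG(st_mode)
            and st_uid == 0
            and not (st_mode & (stat.S_IWGRP | stat.S_IWOTH)))


def hardened_pick(exe_links: Dict[int, str],
                  stat_fn: Callable[[str], Tuple[int, int]]) -> Optional[str]:
    """Return the first java/javaw exe that passes both the location and the
    metadata checks, or None. stat_fn is injectable so the logic runs offline."""
    for target in exe_links.values():
        if PurePosixPath(target).name not in JAVA_NAMES:
            continue
        if not under_trusted_dir(target):
            continue
        try:
            mode, uid = stat_fn(target)
        except OSError:
            continue
        if metadata_ok(mode, uid):
            return os.path.normpath(target)
    return None


def java_version(java_path: str) -> str:
    """Run '<path> -version' only for a path that already passed hardened_pick.
    'java -version' prints to stderr; the first line carries the version."""
    proc = subprocess.run([java_path, "-version"], capture_output=True, text=True, timeout=10)
    text = proc.stderr or proc.stdout
    return text.splitlines()[0] if text else ""


if __name__ == "__main__":
    print("unchecked pick :", vulnerable_pick(SAMPLE_EXE_LINKS))
    print("hardened pick  :", hardened_pick(SAMPLE_EXE_LINKS, sample_stat))
```

    On the constructed data the unchecked version returns /home/mallory/java, while the hardened version skips that path, the `..` traversal that normalizes to /tmp/java and the non-root-owned file under /opt/java, and returns the packaged JRE. The ownership and write-permission checks matter as much as the allowlist: a root-owned directory on the allowlist that an unprivileged user can write into would otherwise reintroduce the same problem.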
    Another notable flaw is a spoofing vulnerability affecting Microsoft Defender for Identity (CVE-2025-26685, CVSS score: 6.5) that allows an attacker with LAN access to perform spoofing over an adjacent network.
    "The lateral movement path detection feature can itself potentially be exploited by an adversary to obtain an NTLM hash," Adam Barnett, lead software engineer at Rapid7, said in a statement.
    "The compromised credentials in this case would be those of the Directory Services account, and exploitation relies on achieving fallback from Kerberos to NTLM."
    The maximum-severity vulnerability is CVE-2025-29813 (CVSS score: 10.0), a privilege escalation flaw in Azure DevOps Server that allows an unauthorized attacker to elevate privileges over a network.
    Microsoft said the fix for the shortcoming has already been deployed in the cloud and that no action is required on the part of customers.
    Software Patches from Other Vendors
    In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
    Source: https://thehackernews.com/2025/05/microsoft-fixes-78-flaws-5-zero-days.html
  • Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems

    May 14, 2025Ravie LakshmananVulnerability / Network Security
    Fortinet has patched a critical security flaw that it said has been exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
    The vulnerability, tracked as CVE-2025-32756, carries a CVSS score of 9.6 out of 10.0.
    "A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests," the company said in an advisory.
    The company said it observed the flaw being exploited in the wild on FortiVoice systems, but did not disclose the scale of the attacks and the identity of the threat actors behind them.
    It further noted that the threat actor performed device network scans, erased system crash logs, and enabled fcgi debugging to log credentials from the system or SSH login attempts.
    The issue affects the following products and versions -
    FortiCamera 1.1, 2.0 (Migrate to a fixed release)
    FortiCamera 2.1.x (Upgrade to 2.1.4 or above)
    FortiMail 7.0.x (Upgrade to 7.0.9 or above)
    FortiMail 7.2.x (Upgrade to 7.2.8 or above)
    FortiMail 7.4.x (Upgrade to 7.4.5 or above)
    FortiMail 7.6.x (Upgrade to 7.6.3 or above)
    FortiNDR 1.1, 1.2, 1.3, 1.4, 1.5, 7.1 (Migrate to a fixed release)
    FortiNDR 7.0.x (Upgrade to 7.0.7 or above)
    FortiNDR 7.2.x (Upgrade to 7.2.5 or above)
    FortiNDR 7.4.x (Upgrade to 7.4.8 or above)
    FortiNDR 7.6.x (Upgrade to 7.6.1 or above)
    FortiRecorder 6.4.x (Upgrade to 6.4.6 or above)
    FortiRecorder 7.0.x (Upgrade to 7.0.6 or above)
    FortiRecorder 7.2.x (Upgrade to 7.2.4 or above)
    FortiVoice 6.4.x (Upgrade to 6.4.11 or above)
    FortiVoice 7.0.x (Upgrade to 7.0.7 or above)
    FortiVoice 7.2.x (Upgrade to 7.2.1 or above)
    Fortinet said the vulnerability was discovered by its product security team based on the threat actor activity that originated from the below IP addresses -
    198.105.127.124
    43.228.217.173
    43.228.217.82
    156.236.76.90
    218.187.69.244
    218.187.69.59
    Users of FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera are recommended to apply the necessary fixes to secure their devices from active exploitation attempts.
    If immediate patching is not an option, it's advised to disable the HTTP/HTTPS administrative interface as a temporary workaround.
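    As an added example, not part of Fortinet's advisory or the article, the following Python script matches the six source addresses listed above against web-access log lines so that a defender can check whether any of them appeared at an administrative interface. The Common Log Format layout, the sample lines and the function names are constructed assumptions; only the IP list comes from the advisory.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Source addresses Fortinet listed in its advisory (quoted in the article above).
ADVISORY_IPS = frozenset(ipaddress.ip_address(s) for s in (
    "198.105.127.124", "43.228.217.173", "43.228.217.82",
    "156.236.76.90", "218.187.69.244", "218.187.69.59",
))

# Assumed Common Log Format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log; none of these lines come from a real device.
SAMPLE_LOG = """\
10.0.0.7 - - [13/May/2025:09:01:12 +0000] "GET /admin/ HTTP/1.1" 200 5120
43.228.217.82 - - [13/May/2025:09:02:45 +0000] "POST /admin/login HTTP/1.1" 401 312
198.105.127.124 - - [13/May/2025:09:03:10 +0000] "GET / HTTP/1.1" 200 1024
this line is deliberately malformed and must not crash the scanner
10.0.0.9 - - [13/May/2025:09:04:00 +0000] "GET /status HTTP/1.1" 200 88
43.228.217.82 - - [13/May/2025:09:05:31 +0000] "POST /admin/login HTTP/1.1" 401 312
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not fit the format
    or whose client field is not a valid IP address."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {
        "ip": ip,
        "ts": m.group("ts"),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def scan(log_text: str, ioc_ips=ADVISORY_IPS) -> Tuple[List[Dict[str, object]], int]:
    """Return (matching records, count of unparsable lines). Comparing
    ipaddress objects rather than strings avoids misses on formatting quirks
    such as leading zeros being rejected versus accepted by a plain substring test."""
    hits: List[Dict[str, object]] = []
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["ip"] in ioc_ips:
            hits.append(rec)
    return hits, unparsed


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count hits per source address, keyed by the dotted-quad string."""
    return dict(Counter(str(h["ip"]) for h in hits))


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ip"]}  {rec["ts"]}  {rec["status"]}  {rec["req"]}')
    print("per-address counts:", summarize(found))
    print("unparsable lines  :", skipped)
```

    Feed it a real access log with `scan(open(path).read())`. A source-address match is a weak indicator on its own (the addresses may be shared or already retired), so treat a hit as a prompt to look for the other behaviours the advisory describes, such as missing crash logs and fcgi debugging having been enabled, rather than as proof of compromise.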
    Source: https://thehackernews.com/2025/05/fortinet-patches-cve-2025-32756-zero.html
  • May Patch Tuesday brings five exploited zero-days to fix

    Microsoft has issued fixes for a total of five new zero-day vulnerabilities out of a grand total of just over 70 addressable common vulnerabilities and exposures (CVEs) on the fifth Patch Tuesday of 2025 – over 80 when third-party issues are accounted for.
    In numerical order, this month’s zero days are as follows:
    CVE-2025-30400, an elevation of privilege (EoP) vulnerability in Microsoft DWM Core Library;
    CVE-2025-30397, a memory corruption leading to remote code execution (RCE) vulnerability in Scripting Engine;
    CVE-2025-32701, an EoP vulnerability in Windows Common Log File System Driver (CLFS);
    CVE-2025-32706, a second EoP flaw in CLFS;
    CVE-2025-32709, an EoP issue in Windows Ancillary Function Driver for WinSock (AFD.sys).
    All five of these CVEs are listed by Microsoft as being exploited in the wild, but have not yet been made public.
    They are all rated as being of Important severity, and all save the Scripting Engine flaw carry CVSS ratings of 7.8.
    Mike Walters, president and co-founder of patch management specialist Action1, said that the two CLFS issues stood out as particularly dangerous given the component's importance in computing – CLFS is a critical component that provides logging services to user- and kernel-mode applications, and is widely used by various system services and third-party applications.
    “Attackers exploiting these vulnerabilities can escalate privileges to system level, granting them full control to run arbitrary code, install malware, modify data, or disable security protections,” said Walters.
    “With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation [and] while no public exploit code is currently available, the presence of active attacks suggests that targeted campaigns, potentially involving advanced persistent threats (APTs), are already underway.
    “Organisations should prioritise immediate assessment and remediation of these vulnerabilities to prevent potential compromise. Any organisation running Windows systems – across enterprise, government, education, or consumer sectors – could be exposed.
    Given Windows’ global footprint, millions of devices are likely at risk,” said Walters.
    CVE-2025-30400 in DWM Core Library should also be high on security admins’ patching lists, observed Kev Breen, senior director of threat research at Immersive.
    He explained: “If exploited, it would allow attackers to gain system-level permission on the affected host.
    With this level of privilege, attackers would be able to gain full control over the host, including any security tools and user accounts, potentially allowing for domain-level access to be compromised.
    “This CVE is marked as ‘Exploitation Detected’ by the Microsoft team, meaning patches should be applied immediately as threat groups, including ransomware affiliates, will be quick to leverage this once more details become public.”
    Breen added that once this happens, cyber teams and threat hunters should work quickly to review their systems for indicators of compromise (IoCs) to ensure that they haven’t been hit in the window between the point at which threat actors began at-scale exploitation, and the patch was released.
    Breen’s colleague, cyber threat intelligence researcher Ben Hopkins, ran the rule over the remaining exploited zero-days, CVE-2025-30397 in Scripting Engine and CVE-2025-32709 in AFD.sys.
    “A scripting engine memory corruption vulnerability occurs when the Microsoft scripting engine mishandles objects in memory, in this case leading to an elevation of privilege being performed by an attacker,” he explained.
    “This specific vulnerability exists … involves access to a resource using (‘type confusion’) which allows attackers to execute code over a network.
    Type confusion in this context occurs when a program mistakenly treats a piece of data as a different type than it actually is, which leads to undefined and unpredictable behaviour, allowing the attacker to execute arbitrary code and elevate their privileges,” said Hopkins.
    For the layperson, this means that having attained system-level privileges, a threat actor could easily access sensitive data and look for opportunities to pivot to other, more valuable parts of the victim’s network.
    Turning to the issue affecting AFD.sys, a core Windows kernel-mode driver that supports network socket operations by bridging from WinSock (Windows Sockets API) in user space, and lower-level network drivers in the kernel, Hopkins explained that an unauthorized attacker could exploit a condition in which memory that has been deallocated can still be accessed to inject controlled data into memory and influence how the program behaves, ultimately granting them the ability to elevate their privileges.
    In both cases, what this means is that having attained system-level privileges, a threat actor could easily access sensitive data and look for opportunities to pivot to other, more valuable parts of the victim’s network.
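    The two bug classes Hopkins describes, a type confusion and access to memory that has already been freed, are easiest to see in a small tagged-object model. The following C is an added illustration written for this page, not code from Microsoft, Immersive or either vulnerable component: the object layout, the `obj_t` type and the accessor names are all constructed for the example. The unchecked accessor trusts the caller's belief about the object's type and so reads an integer's bits as a string length; the checked accessor consults the runtime tag first, and the release helper nulls the owner's pointer so a stale reference is rejected rather than dereferenced.

```c
#include <stdlib.h>
#include <string.h>

/* Runtime type tag carried by every object (constructed model, not a real Windows structure). */
typedef enum { KIND_NONE = 0, KIND_INT = 1, KIND_STR = 2 } kind_t;

typedef struct {
    kind_t kind;
    union {
        long value;                                   /* payload when kind == KIND_INT */
        struct { size_t len; const char *data; } str; /* payload when kind == KIND_STR */
    } u;
} obj_t;

static obj_t *obj_new_int(long v) {
    obj_t *o = calloc(1, sizeof *o);
    if (o) { o->kind = KIND_INT; o->u.value = v; }
    return o;
}

static obj_t *obj_new_str(const char *s) {
    obj_t *o = calloc(1, sizeof *o);
    if (o) { o->kind = KIND_STR; o->u.str.len = strlen(s); o->u.str.data = s; }
    return o;
}

/* VULNERABLE accessor: assumes o is a string without consulting the tag.
 * Applied to a KIND_INT object it reads the integer's bits as a length, so a
 * copy sized from this value would read far past the real payload. */
size_t str_len_unchecked(const obj_t *o) {
    return o->u.str.len;
}

/* HARDENED accessor: refuses to interpret the payload unless the tag matches. */
int str_len_checked(const obj_t *o, size_t *out) {
    if (o == NULL || o->kind != KIND_STR) return -1;
    *out = o->u.str.len;
    return 0;
}

/* HARDENED release: clears the tag, frees the object and nulls the caller's
 * pointer, so a stale reference fails the checked accessor instead of
 * touching freed memory. */
void obj_release(obj_t **pp) {
    if (pp == NULL || *pp == NULL) return;
    (*pp)->kind = KIND_NONE;
    free(*pp);
    *pp = NULL;
}

/* What the unchecked accessor reports when handed an integer object. */
long demo_confused_len(long v) {
    obj_t *n = obj_new_int(v);
    if (!n) return -1;
    long seen = (long)str_len_unchecked(n);
    obj_release(&n);
    return seen;
}

/* 1 if the checked accessor rejects an integer object, 0 otherwise. */
int demo_checked_rejects_int(long v) {
    obj_t *n = obj_new_int(v);
    size_t len = 0;
    int rc = n ? str_len_checked(n, &len) : 0;
    obj_release(&n);
    return rc == -1;
}

/* Length the checked accessor reports for a genuine string, -1 on rejection. */
long demo_checked_str_len(const char *s) {
    obj_t *o = obj_new_str(s);
    size_t len = 0;
    int rc = o ? str_len_checked(o, &len) : -1;
    obj_release(&o);
    return rc == 0 ? (long)len : -1;
}

/* 1 if, after release, the owner's pointer is NULL and the checked accessor rejects it. */
int demo_release_blocks_reuse(void) {
    obj_t *o = obj_new_str("hello");
    size_t len = 0;
    obj_release(&o);
    return o == NULL && str_len_checked(o, &len) == -1;
}
```

    The integer and string payloads deliberately share the same union offset, which is the shape of many real type confusions: nothing in the unchecked read is out of bounds, yet the value it returns is attacker-chosen and then feeds a later, out-of-bounds operation. Checking the tag at every interpretation point, and clearing both the tag and the owning pointer on release, is the pattern that closes both the confusion and the stale-reference path.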
    Two additional zero-days have been publicly disclosed today (13 May) but have not yet been reported as coming under attack at the time of writing.
    These are CVE-2025-26685, a spoofing vulnerability in Microsoft Defender for Identity, and CVE-2025-32702, an RCE vulnerability in Visual Studio.
    Both of these are rated as being of Important severity, carrying CVSS scores of 6.5 and 7.8 respectively.
    Finally, the May update brings a total of 11 critical flaws affecting Azure Automation, Azure DevOps, Azure Storage Resource, Microsoft Dataverse, Microsoft msagsfeedback.azurewebsites.net, Microsoft Office, Microsoft Power Apps, Microsoft Virtual Machine Bus and Remote Desktop Client (RDP).
    In their impact, these issues run the gamut from EoP to spoofing to information disclosure, and six of them lead to RCE, said Microsoft.
    Of the critical issues, Walters’ co-CEO and co-founder at Action1, Alex Vovk, told Computer Weekly that the two RDP flaws stood out in particular.
    These are tracked as CVE-2025-29966 and CVE-2025-29967.
    “Both vulnerabilities pose critical risks, including remote code execution, full system compromise, and data breaches,” remarked Vovk.
    “Given the broad adoption of remote desktop services, many organizations are potentially exposed.
    CVE-2025-29966 and CVE-2025-29967 underscore the urgent need to secure both client and server components in remote access environments.”
    Read more about Patch Tuesday
    April 2025: Microsoft is correcting 124 vulnerabilities in its March Patch Tuesday, one of which is being actively exploited in the wild, and 11 of which are ‘critical’.
    March 2025: The third Patch Tuesday of 2025 brought fixes for 57 flaws and a hefty number of zero-days.
    February 2025: Microsoft corrected 57 vulnerabilities, two of which are being actively exploited in the wild, and three of which are ‘critical’.
    January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws.
    December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol.
    November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update.
    October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.
    September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilities will keep admins busy.
    August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update.
    July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention.
    June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday update.
    May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention.

    Source: https://www.computerweekly.com/news/366623992/May-Patch-Tuesday-brings-five-exploited-zero-days-to-fix
    #may #patch #tuesday #brings #five #exploited #zerodays #fix
  • China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide

    May 13, 2025Ravie LakshmananVulnerability / Threat Intelligence
    A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks.
    "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today.
    Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants, oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation.
    The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems.
    The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor.
    It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems.
    The server hosted at the IP address "15.204.56[.]106" has been found to contain multiple files, including:
    "CVE-2025-31324-results.txt," which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell
    "服务数据_20250427_212229.txt," which lists 800 domains running SAP NetWeaver, likely for future targeting
    "The exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations," Büyükkaya noted.
    The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands.
    In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs:
    CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor
    UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can be used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands
    UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE
    "China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistent access to critical infrastructure networks globally," Büyükkaya said.
    "Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities."
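    The two attacker IP addresses quoted above are the kind of indicator a defender would immediately sweep egress logs for. The Python below is an added example for this page, not tooling from EclecticIQ, SAP or The Hacker News: it refangs the published indicators, extracts and validates IPv4 literals from each log line, and reports the lines that touched a watched address. The firewall log format and every line in `SAMPLE_LOG` are constructed for the example; only the two watched IPs come from the reporting.

```python
"""Sweep egress logs for the C2/staging IPs quoted in the EclecticIQ reporting."""
import ipaddress
import re

# Indicators as published in the article, kept defanged so they are never
# accidentally clickable; refang() restores them for matching.
DEFANGED_IOCS = [
    "15.204.56[.]106",  # open directory holding the compromise logs
    "43.247.135[.]53",  # reverse-shell destination attributed to CL-STA-0048
]

# Dotted-quad candidates that are not embedded in a longer dotted run.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable literal."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def extract_ipv4(line: str) -> list[str]:
    """Return every syntactically valid IPv4 literal in a log line."""
    found = []
    for cand in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(cand)  # rejects octets such as 530
        except ValueError:
            continue
        found.append(cand)
    return found


def find_ioc_hits(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, ioc, line) for each log line that touches a watched IP."""
    watch = {refang(i) for i in iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in extract_ipv4(line):
            if ip in watch:
                hits.append((n, ip, line.strip()))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample: egress records from a host running SAP NetWeaver.
# The format and all addresses other than the two watched IPs are invented.
SAMPLE_LOG = [
    "2025-05-10T08:01:12Z fw01 ALLOW tcp 10.20.30.40:51822 -> 198.51.100.7:443",
    "2025-05-10T08:01:40Z fw01 ALLOW tcp 10.20.30.40:51901 -> 15.204.56.106:80",
    "2025-05-10T08:02:03Z fw01 ALLOW udp 10.20.30.40:53120 -> 10.20.0.2:53",
    "2025-05-10T08:05:59Z fw01 ALLOW tcp 10.20.30.40:52007 -> 43.247.135.53:443",
    "2025-05-10T08:06:10Z fw01 DENY  tcp 10.20.30.40:52010 -> 43.247.135.530:443",
]

if __name__ == "__main__":
    for n, ip, line in find_ioc_hits(SAMPLE_LOG):
        print(f"line {n}: matched {ip}: {line}")
```

    The validation step matters more than it looks: a plain substring search for "43.247.135.53" would also fire on the malformed fifth line, and in real logs on any longer address that merely starts with the indicator. Matching on parsed, validated addresses keeps the sweep precise enough to hand straight to incident response.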
    SAP Patches New NetWeaver Flaw in May 2025 Patch
    The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell.
    SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark."
    Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver's Visual Composer Metadata Uploader component.
    Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content.
    In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible.
    Source: https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
    #chinalinked #apts #exploit #sap #cve202531324 #breach #critical #systems #worldwide
    China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
    May 13, 2025Ravie LakshmananVulnerability / Threat Intelligence A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation. The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems. The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor. It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. 
The server hosted at the IP address "15.204.56[.]106" has been found to contain multiple files, including - "CVE-2025-31324-results.txt," which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell "服务数据_20250427_212229.txt," which lists 800 domains running SAP NetWeaver likely for future targeting "The exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations," Büyükkaya noted. The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands. In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs - CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE "China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said. "Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities." 
SAP Patches New NetWeaver Flaw in May 2025 Patch The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell. SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark." Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver's Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content. In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE     Source: https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html #chinalinked #apts #exploit #sap #cve202531324 #breach #critical #systems #worldwide
    THEHACKERNEWS.COM
    China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
    May 13, 2025Ravie LakshmananVulnerability / Threat Intelligence A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign include natural gas distribution networks, water and integrated waste management utilities in the United Kingdom, medical device manufacturing plants oil and gas exploration and production companies in the United States, and government ministries in Saudi Arabia that are responsible for investment strategy and financial regulation. The findings are based on a publicly exposed directory uncovered on attacker-controlled infrastructure ("15.204.56[.]106") that contained event logs capturing the activities across multiple compromised systems. The Dutch cybersecurity company has attributed the intrusions to Chinese threat activity clusters tracked as UNC5221, UNC5174, and CL-STA-0048, the last of which was linked to attacks targeting high-value targets in South Asia by exploiting known vulnerabilities in public-facing IIS, Apache Tomcat, and MS-SQL servers to drop web shells, reverse shells, and the PlugX backdoor. It also noted that an uncategorized China-nexus threat actor is conducting a widespread internet scanning and exploitation campaign against SAP NetWeaver systems. 
The server hosted at the IP address "15.204.56[.]106" has been found to contain multiple files, including:

- "CVE-2025-31324-results.txt," which has recorded 581 SAP NetWeaver instances compromised and backdoored with a web shell
- "服务数据_20250427_212229.txt," which lists 800 domains running SAP NetWeaver, likely for future targeting

"The exposed open-dir infrastructure reveals confirmed breaches and highlights the group's planned targets, offering clear insight into both past and future operations," Büyükkaya noted.

The exploitation of CVE-2025-31324 is followed by the threat actor deploying two web shells that are designed to maintain persistent remote access to the infected systems and execute arbitrary commands.

In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs:

- CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor
- UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can be used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands
- UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE

"China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said. "Their focus on widely used platforms like SAP NetWeaver is a strategic move, as these systems are deeply integrated into enterprise environments and often host unpatched vulnerabilities."
SAP Patches New NetWeaver Flaw in May 2025 Patch

The disclosure comes days after another China-linked unnamed threat actor dubbed Chaya_004 has also been attributed to the exploitation of CVE-2025-31324 to deploy a Go-based reverse shell called SuperShell.

SAP security firm Onapsis said it is "seeing significant activity from attackers who are using public information to trigger exploitation and abuse web shells placed by the original attackers, who have currently gone dark."

Further analysis of these attacks has led to the discovery of another critical defect in NetWeaver's Visual Composer Metadata Uploader component. Tracked as CVE-2025-42999 (CVSS score: 9.1), it has been described as a deserialization vulnerability that could be exploited by a privileged user to upload untrusted or malicious content.

In light of ongoing active exploitation, customers of SAP NetWeaver are recommended to update their instances to the latest version as soon as possible.
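The article names two attacker-side IP addresses in defanged form (the open-directory host "15.204.56[.]106" and the CL-STA-0048 reverse-shell destination "43.247.135[.]53"). A defender's first practical step is to refang those indicators and sweep egress or proxy logs for connections to them. The script below is an added example, not code from the article, EclecticIQ, or SAP; the log lines are constructed for illustration, and the descriptive labels attached to each indicator are taken from the article's own attribution of those addresses.

```python
import re
from typing import Dict, List

# Indicators exactly as the article prints them (defanged). The labels are the
# roles the article assigns to each address, not additional intelligence.
DEFANGED_IOCS: Dict[str, str] = {
    "15.204.56[.]106": "attacker open-directory server (exposed event logs)",
    "43.247.135[.]53": "CL-STA-0048 interactive reverse-shell destination",
}


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator matches what appears in real logs."""
    return (
        ioc.replace("[.]", ".")
        .replace("hxxps://", "https://")
        .replace("hxxp://", "http://")
    )


def build_ioc_table(defanged: Dict[str, str]) -> Dict[str, str]:
    """Map refanged indicator -> label for fast exact lookups."""
    return {refang(k): v for k, v in defanged.items()}


# Matches a dotted-quad IPv4 address on word boundaries; the boundaries stop
# "15.204.56.1060" from being read as "15.204.56.106".
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_logs(lines: List[str], iocs: Dict[str, str]) -> List[dict]:
    """Return one hit record per IoC occurrence found in the supplied log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in iocs:
                hits.append({"line": n, "ip": ip, "label": iocs[ip], "text": line.strip()})
    return hits


# Constructed sample egress log (not real data): two matches, two non-matches.
SAMPLE_LOG = [
    "2025-05-01T10:03:11Z egress src=10.1.2.3 dst=43.247.135.53 dport=443 proto=tcp action=allow",
    "2025-05-01T10:03:12Z egress src=10.1.2.3 dst=142.250.80.46 dport=443 proto=tcp action=allow",
    "2025-05-01T10:04:40Z egress src=10.1.2.9 dst=15.204.56.106 dport=80 proto=tcp action=allow",
    "2025-05-01T10:05:00Z egress src=10.1.2.9 dst=15.204.56.1060 dport=80 proto=tcp action=allow",
]


if __name__ == "__main__":
    table = build_ioc_table(DEFANGED_IOCS)
    for hit in scan_logs(SAMPLE_LOG, table):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['label']}")
        print(f"    {hit['text']}")
```

Outbound traffic from an SAP application server to either address is the signal worth alerting on; the second hit above, an HTTP connection to the open-directory host, would also be consistent with a compromised instance reporting back rather than with normal NetWeaver behaviour.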