• Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards

    May 19, 2025Ravie LakshmananBrowser Security / Vulnerability

    Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution.
    The vulnerabilities, both of which were exploited as a zero-day at Pwn2Own Berlin, are listed below -

    CVE-2025-4918 - An out-of-bounds access vulnerability when resolving Promise objects that could allow an attacker to perform read or write on a JavaScript Promise object
    CVE-2025-4919 - An out-of-bounds access vulnerability when optimizing linear sums that could allow an attacker to perform read or write on a JavaScript object by confusing array index sizes

    In other words, successful exploitation of either of the flaws could permit an adversary to achieve out-of-bounds read or write, which could then be abused to access otherwise sensitive information or result in memory corruption that could pave the way for code execution.

    The vulnerabilities affect the following versions of the Firefox browser -

    All versions of Firefox before 138.0.4 (including Firefox for Android)
    All versions of Firefox Extended Support Release (ESR) before 128.10.1
    All versions of Firefox ESR before 115.23.1

    Edouard Bochin and Tao Yan from Palo Alto Networks have been credited with finding and reporting CVE-2025-4918. The discovery of CVE-2025-4919 has been credited to Manfred Paul.
    It's worth noting that both shortcomings were demonstrated at the Pwn2Own Berlin hacking contest last week, for which the researchers were awarded $50,000 each.
    With web browsers continuing to be an attractive vector for malware delivery, users are advised to update their instances to the latest version to safeguard against potential threats.
    "Neither of the attacks managed to break out of our sandbox, which is required to gain control over the user's system," Mozilla said in a statement. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible."

    THEHACKERNEWS.COM
  • Ivanti patches two zero-days that could lead to RCE in Endpoint Manager Mobile

    A patch and a workaround are available but Ivanti urges users patch up.
    WWW.TECHRADAR.COM
  • Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server

    May 14, 2025Ravie LakshmananEndpoint Security / Vulnerability
    Microsoft on Tuesday shipped fixes to address a total of 78 security flaws across its software lineup, including a set of five zero-days that have come under active exploitation in the wild.
    Of the 78 flaws resolved by the tech giant, 11 are rated Critical, 66 are rated Important, and one is rated Low in severity.
    Twenty-eight of these vulnerabilities lead to remote code execution, 21 of them are privilege escalation bugs, and 16 others are classified as information disclosure flaws.
    The updates are in addition to eight more security defects patched by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update.
    The five vulnerabilities that have come under active exploitation in the wild are listed below -
    CVE-2025-30397 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability
    CVE-2025-30400 (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability
    CVE-2025-32701 (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
    CVE-2025-32706 (CVSS score: 7.8) - Windows Common Log File System Driver Elevation of Privilege Vulnerability
    CVE-2025-32709 (CVSS score: 7.8) - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
    While the first three flaws have been credited to Microsoft's own threat intelligence team, Benoit Sevens of Google Threat Intelligence Group and the CrowdStrike Advanced Research Team have been acknowledged for the discovery of CVE-2025-32706.
    An anonymous researcher has been credited with reporting CVE-2025-32709.
    "Another zero-day vulnerability has been identified in the Microsoft Scripting Engine, a key component used by Internet Explorer and Internet Explorer mode in Microsoft Edge," Alex Vovk, CEO and co-founder of Action1, said about CVE-2025-30397.
    "Attackers can exploit the flaw via a malicious web page or script that causes the scripting engine to misinterpret object types, resulting in memory corruption and arbitrary code execution in the context of the current user.
    If the user has administrative privileges, attackers could gain full system control – enabling data theft, malware installation, and lateral movement across networks."
    CVE-2025-30400 is the third privilege escalation flaw in DWM Core Library to be weaponized in the wild since 2023.
    In May 2024, Microsoft issued patches for CVE-2024-30051, which Kaspersky said was used in attacks distributing QakBot (aka Qwaking Mantis) malware.
    "Since 2022, Patch Tuesday has addressed 26 elevation of privilege vulnerabilities in DWM," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
    "In fact, the April 2025 release included fixes for five DWM Core Library elevation of privilege vulnerabilities.
    Prior to CVE-2025-30400, only two DWM elevation of privilege bugs were exploited as zero days – CVE-2024-30051 in 2024 and CVE-2023-36033 in 2023."
    CVE-2025-32701 and CVE-2025-32706 are the seventh and eighth privilege escalation flaws to be discovered in the CLFS component and have been exploited in real-world attacks since 2022.
    Last month, Microsoft revealed that CVE-2025-29824 was exploited in limited attacks to target companies in the U.S., Venezuela, Spain, and Saudi Arabia.
    CVE-2025-29824 is also said to have been exploited as a zero-day by threat actors linked to the Play ransomware family as part of an attack targeting an unnamed organization in the U.S., Broadcom-owned Symantec revealed earlier this month.
    CVE-2025-32709, likewise, is the third privilege escalation flaw in the Ancillary Function Driver for WinSock component to have come under abuse within a span of a year, after CVE-2024-38193 and CVE-2025-21418.
    It's worth noting that the exploitation of CVE-2024-38193 has been attributed to the North Korea-linked Lazarus Group.
    The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add all five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by June 3, 2025.
    Microsoft's Patch Tuesday update also addresses a privilege escalation bug in Microsoft Defender for Endpoint for Linux (CVE-2025-26684, CVSS score: 6.7) that could permit an authorized attacker to elevate privileges locally.
    Stratascale researcher Rich Mirch, one of the two researchers acknowledged for reporting the vulnerability, said the issue is rooted in a Python helper script that includes a function ("grab_java_version()") to determine the Java Runtime Environment (JRE) version.
    "The function determines the location of the Java binary on disk by checking the /proc/<PID>/exe symbolic link and then executes the java -version command," Mirch explained.
    "The problem is the Java binary could be running from an untrusted location.
    A malicious local unprivileged user can create a process with the name java or javaw, which will eventually be executed with root privileges to determine the version of the JRE."
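The mitigation for the pattern Mirch describes is to never execute a binary merely because a process's exe link points at it: the helper should resolve the path and confirm it sits in a trusted, unprivileged-user-unmodifiable install tree first. The check below is an added example written for this article, not Microsoft's helper script or its actual fix; the `TRUSTED_JAVA_ROOTS` allowlist, the function names and the sandbox built by `demo()` are all assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directories from which an elevated helper may legitimately run a JRE.
# The allowlist is an assumption for this example, not a value from the advisory.
TRUSTED_JAVA_ROOTS = ("/usr/lib/jvm", "/usr/bin", "/opt/java")


def _containing_root(real, roots):
    """Return the allowlisted root that contains `real`, or None.
    Compares path components, not string prefixes, so /usr/bin2 never matches /usr/bin."""
    for root in roots:
        if real == root or root in real.parents:
            return root
    return None


def _owned_and_unwritable(path, trusted_uids):
    """True if `path` is owned by a trusted uid and neither group- nor world-writable."""
    st = os.stat(path)
    return st.st_uid in trusted_uids and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def is_trusted_binary(path, allowed_roots=TRUSTED_JAVA_ROOTS, trusted_uids=(0,)):
    """Decide whether `path` (e.g. the target of /proc/<PID>/exe) is safe for a
    privileged helper to execute. Symlinks are resolved first, so a link inside a
    trusted tree that points elsewhere does not pass. Every component from the
    allowlisted root down to the file must be owned by a trusted uid and not be
    writable by unprivileged users; the root itself is the administrator's trust anchor."""
    real = Path(os.path.realpath(path))
    if not real.is_file():
        return False
    roots = [Path(os.path.realpath(r)) for r in allowed_roots]
    root = _containing_root(real, roots)
    if root is None:
        return False
    chain, current = [root], root
    for part in real.relative_to(root).parts:
        current = current / part
        chain.append(current)
    try:
        if not all(_owned_and_unwritable(p, trusted_uids) for p in chain):
            return False
    except OSError:
        return False
    return bool(os.stat(real).st_mode & stat.S_IXUSR)


def java_version_argv(exe_path, **policy):
    """Build the `java -version` command the helper would run, or None if the binary
    found via the process's exe link fails the trust check. Callers must treat None
    as 'unknown JRE' rather than falling back to the untrusted path."""
    if not is_trusted_binary(exe_path, **policy):
        return None
    return [os.path.realpath(exe_path), "-version"]


def exe_of_pid(pid):
    """Target of /proc/<PID>/exe (Linux only), the lookup the vulnerable helper relied on."""
    return os.readlink(f"/proc/{pid}/exe")


def demo():
    """Constructed sandbox: a fake JRE tree plus an unprivileged user's own 'java' file.
    Returns the check's verdict for each case so the behaviour can be asserted."""
    base = tempfile.mkdtemp()
    jvm, home = os.path.join(base, "jvm"), os.path.join(base, "home")
    for d in (jvm, home):
        os.mkdir(d)
        os.chmod(d, 0o755)
    good = os.path.join(jvm, "java")
    rogue = os.path.join(home, "java")
    link = os.path.join(jvm, "java-link")
    for f in (good, rogue):
        with open(f, "w") as fh:
            fh.write("#!/bin/sh\n")  # stand-in for a real binary
        os.chmod(f, 0o755)
    os.symlink(rogue, link)  # link inside the trusted tree, target outside it
    policy = dict(allowed_roots=(jvm,), trusted_uids=(0, os.getuid()))
    results = {
        "real_jre": java_version_argv(good, **policy) == [os.path.realpath(good), "-version"],
        "rogue_java_outside_tree": java_version_argv(rogue, **policy) is None,
        "symlink_escaping_tree": java_version_argv(link, **policy) is None,
    }
    os.chmod(good, 0o777)  # a binary inside the tree that unprivileged users could replace
    results["world_writable_jre"] = java_version_argv(good, **policy) is None
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'}")
```

The rogue file named `java` is rejected purely on location and ownership, which is the property the original helper lacked: the process name told it nothing about who controls the binary.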
    Another notable flaw is a spoofing vulnerability affecting Microsoft Defender for Identity (CVE-2025-26685, CVSS score: 6.5) that allows an attacker with LAN access to perform spoofing over an adjacent network.
    "The lateral movement path detection feature can itself potentially be exploited by an adversary to obtain an NTLM hash," Adam Barnett, lead software engineer at Rapid7, said in a statement.
    "The compromised credentials in this case would be those of the Directory Services account, and exploitation relies on achieving fallback from Kerberos to NTLM."
    The maximum-severity vulnerability is CVE-2025-29813 (CVSS score: 10.0), a privilege escalation flaw in Azure DevOps Server that allows an unauthorized attacker to elevate privileges over a network.
    Microsoft said a fix for the shortcoming has already been deployed in the cloud and no action is required on the part of customers.
    Software Patches from Other Vendors
    In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
    Source: https://thehackernews.com/2025/05/microsoft-fixes-78-flaws-5-zero-days.html
  • May Patch Tuesday brings five exploited zero-days to fix

    Microsoft has issued fixes for a total of five new zero-day vulnerabilities out of a grand total of just over 70 addressable common vulnerabilities and exposures (CVEs) on the fifth Patch Tuesday of 2025 – over 80 when third-party issues are accounted for.
    In numerical order, this month’s zero days are as follows:
    CVE-2025-30400, an elevation of privilege (EoP) vulnerability in Microsoft DWM Core Library;
    CVE-2025-30397, a memory corruption leading to remote code execution (RCE) vulnerability in Scripting Engine;
    CVE-2025-32701, an EoP vulnerability in Windows Common Log File System Driver (CLFS);
    CVE-2025-32706, a second EoP flaw in CLFS;
    CVE-2025-32709, an EoP issue in Windows Ancillary Function Driver for WinSock (AFD.sys).
    All five of these CVEs are listed by Microsoft as being exploited in the wild, but have not yet been made public.
    They are all rated as being of Important severity, and all save the Scripting Engine flaw carry CVSS ratings of 7.8.
    Mike Walters, president and co-founder of patch management specialist Action1, said that the two CLFS issues stood out as particularly dangerous given the component's importance in computing: CLFS is a critical component that provides logging services to user- and kernel-mode applications, and is widely used by various system services and third-party applications.
    “Attackers exploiting these vulnerabilities can escalate privileges to system level, granting them full control to run arbitrary code, install malware, modify data, or disable security protections,” said Walters.
    “With low complexity and minimal privileges needed, these flaws pose a serious risk, especially given the confirmed in-the-wild exploitation [and] while no public exploit code is currently available, the presence of active attacks suggests that targeted campaigns, potentially involving advanced persistent threats (APTs), are already underway.
    “Organisations should prioritise immediate assessment and remediation of these vulnerabilities to prevent potential compromise. Any organisation running Windows systems – across enterprise, government, education, or consumer sectors – could be exposed.
    Given Windows’ global footprint, millions of devices are likely at risk,” said Walters.
    CVE-2025-30400 in DWM Core Library should also be high on security admins’ patching lists, observed Kev Breen, senior director of threat research at Immersive.
    He explained: “If exploited, it would allow attackers to gain system-level permission on the affected host.
    With this level of privilege, attackers would be able to gain full control over the host, including any security tools and user accounts, potentially allowing for domain-level access to be compromised.
    “This CVE is marked as ‘Exploitation Detected’ by the Microsoft team, meaning patches should be applied immediately as threat groups, including ransomware affiliates, will be quick to leverage this once more details become public.”
    Breen added that once this happens, cyber teams and threat hunters should work quickly to review their systems for indicators of compromise (IoCs) to ensure that they haven’t been hit in the window between the point at which threat actors began at-scale exploitation, and the patch was released.
    Breen’s colleague, cyber threat intelligence researcher Ben Hopkins, ran the rule over the remaining exploited zero-days, CVE-2025-30397 in Scripting Engine and CVE-2025-32709 in AFD.sys.
    “A scripting engine memory corruption vulnerability occurs when the Microsoft scripting engine mishandles objects in memory, in this case leading to an elevation of privilege being performed by an attacker,” he explained.
    “This specific vulnerability exists … involves access to a resource using (‘type confusion’) which allows attackers to execute code over a network.
    Type confusion in this context occurs when a program mistakenly treats a piece of data as a different type than it actually is, which leads to undefined and unpredictable behaviour, allowing the attacker to execute arbitrary code and elevate their privileges,” said Hopkins.
    For the layperson, this means that having attained system-level privileges, a threat actor could easily access sensitive data and look for opportunities to pivot to other, more valuable parts of the victim’s network.
    Turning to the issue affecting AFD.sys, a core Windows kernel-mode driver that supports network socket operations by bridging from WinSock (Windows Sockets API) in user space, and lower-level network drivers in the kernel, Hopkins explained that an unauthorized attacker could exploit a condition in which memory that has been deallocated can still be accessed to inject controlled data into memory and influence how the program behaves, ultimately granting them the ability to elevate their privileges.
    In both cases, what this means is that having attained system-level privileges, a threat actor could easily access sensitive data and look for opportunities to pivot to other, more valuable parts of the victim’s network.
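    The use-after-free pattern Hopkins describes for AFD.sys, reduced to a user-space C model as an added example (this is not code from the article, from Microsoft, or from the real driver, and it says nothing about the actual bug's internals): a single-slot allocator stands in for kernel pool reuse, a freed object's stale pointer is dispatched through after an attacker reclaims the chunk with controlled bytes, and a hardened variant that drops the dangling pointer and validates a type tag refuses the same reclaimed chunk. The object layout, the SOCK tag, the handler names and the allocator are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-socket object a driver might keep: a type tag and a
   dispatch pointer. Layout is an assumption for this example only. */
typedef void (*handler_fn)(void);
struct sock_obj {
    uint32_t   type_tag;
    uint32_t   flags;
    handler_fn on_event;
};
#define SOCK_TAG 0x534f434bu   /* "SOCK": marks a live, valid object */

/* Single-slot allocator standing in for a kernel pool lookaside list:
   a free followed by an allocation of the same size hands back the same
   chunk, with the old contents left in place. That deterministic reuse is
   what a UAF exploit relies on. (Constructed for the example.) */
#define SLOT_SIZE 64
static union { struct sock_obj obj; unsigned char raw[SLOT_SIZE]; } g_slot;
static int g_slot_in_use;

static void *pool_alloc(size_t n) {
    if (n > SLOT_SIZE || g_slot_in_use) return NULL;
    g_slot_in_use = 1;
    memset(g_slot.raw, 0, SLOT_SIZE);
    return g_slot.raw;
}
static void pool_free(void *p) {
    if (p == (void *)g_slot.raw) g_slot_in_use = 0;   /* contents untouched */
}

/* Flags recording which handler actually ran. */
static int g_legit_ran, g_attacker_ran;
static void legit_handler(void)    { g_legit_ran = 1; }
static void attacker_handler(void) { g_attacker_ran = 1; }
int legit_handler_ran(void) { return g_legit_ran; }

/* What the attacker does after the free: allocate the same size so the
   chunk is reused, then fill it with controlled bytes including a chosen
   function pointer. */
static void attacker_reclaims_slot(void) {
    struct sock_obj fake = { 0x41414141u, 0, attacker_handler };
    void *spray = pool_alloc(sizeof fake);
    if (spray) memcpy(spray, &fake, sizeof fake);
}

/* Vulnerable flow: the object is freed, the stale pointer is kept, and a
   later event dispatches through it. Returns 1 if the attacker's handler ran. */
int vulnerable_flow(void) {
    g_legit_ran = g_attacker_ran = 0;
    struct sock_obj *s = pool_alloc(sizeof *s);
    s->type_tag = SOCK_TAG;
    s->on_event = legit_handler;
    pool_free(s);              /* object released ...                     */
    attacker_reclaims_slot();  /* ... chunk now holds attacker data ...   */
    s->on_event();             /* ... use after free dispatches into it   */
    pool_free(g_slot.raw);
    return g_attacker_ran;
}

/* Hardened flow: the owner invalidates the tag and nulls its pointer at
   release time, and every dispatch validates the object before trusting it.
   The tag check alone is only defence in depth (an attacker who knows the
   tag can forge it); not keeping a dangling pointer is the real fix. */
static int dispatch_checked(struct sock_obj *s) {
    if (s == NULL || s->type_tag != SOCK_TAG) return -1;   /* refused */
    s->on_event();
    return 0;
}
int hardened_flow(void) {
    g_legit_ran = g_attacker_ran = 0;
    struct sock_obj *s = pool_alloc(sizeof *s);
    s->type_tag = SOCK_TAG;
    s->on_event = legit_handler;
    dispatch_checked(s);       /* legitimate use while the object is live */
    s->type_tag = 0;           /* invalidate before release               */
    pool_free(s);
    struct sock_obj *stale = s;/* models a copy the owner forgot to clear  */
    s = NULL;                  /* the owner's own pointer does not dangle  */
    attacker_reclaims_slot();
    dispatch_checked(s);       /* refused: NULL                           */
    dispatch_checked(stale);   /* refused: tag is 0x41414141, not SOCK    */
    pool_free(g_slot.raw);
    return g_attacker_ran;
}

int main(void) {
    printf("vulnerable: attacker handler ran = %d\n", vulnerable_flow());
    printf("hardened:   attacker handler ran = %d\n", hardened_flow());
    return 0;
}
```

    The same validation step is what a type-confusion bug lacks: the program acts on bytes as one type without first confirming that the memory really holds that type. In a kernel driver the fix is ownership discipline (reference counting, clearing pointers on release) rather than a tag field, which is why the only practical mitigation for administrators here is applying the patch.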
    Two additional zero-days were publicly disclosed today (13 May) but had not been reported as coming under attack at the time of writing.
    These are CVE-2025-26685, a spoofing vulnerability in Microsoft Defender for Identity, and CVE-2025-32702, an RCE vulnerability in Visual Studio.
    Both are rated Important, with CVSS scores of 6.5 and 7.8 respectively.
    Finally, the May update brings a total of 11 critical flaws affecting Azure Automation, Azure DevOps, Azure Storage Resource Provider, Microsoft Dataverse, Microsoft msagsfeedback.azurewebsites.net, Microsoft Office, Microsoft Power Apps, Microsoft Virtual Machine Bus and Remote Desktop Client (RDP).
    In their impact, these issues run the gamut from EoP to spoofing to information disclosure, and six of them lead to RCE, said Microsoft.
    Of the critical issues, Walters’ fellow co-founder and co-CEO at Action1, Alex Vovk, told Computer Weekly that the two RDP flaws stood out in particular.
    These are tracked as CVE-2025-29966 and CVE-2025-29967.
    “Both vulnerabilities pose critical risks, including remote code execution, full system compromise, and data breaches,” remarked Vovk.
    “Given the broad adoption of remote desktop services, many organizations are potentially exposed.
    CVE-2025-29966 and CVE-2025-29967 underscore the urgent need to secure both client and server components in remote access environments.”
    Read more about Patch Tuesday
    April 2025: Microsoft is correcting 124 vulnerabilities in its April Patch Tuesday, one of which is being actively exploited in the wild, and 11 of which are ‘critical’.
    March 2025: The third Patch Tuesday of 2025 brought fixes for 57 flaws and a hefty number of zero-days.
    February 2025: Microsoft corrected 57 vulnerabilities, two of which are being actively exploited in the wild, and three of which are ‘critical’.
    January 2025: The largest Patch Tuesday of the 2020s so far brings fixes for more than 150 CVEs ranging widely in their scope and severity – including eight zero-day flaws.
    December 2024: Microsoft has fixed over 70 CVEs in its final Patch Tuesday update of the year, and defenders should prioritise a zero-day in the Common Log File System Driver, and another impactful flaw in the Lightweight Directory Access Protocol.
    November 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from November’s Patch Tuesday update.
    October 2024: Stand-out vulnerabilities in Microsoft’s latest Patch Tuesday drop include problems in Microsoft Management Console and the Windows MSHTML Platform.
    September 2024: Four critical remote code execution bugs in Windows and three critical elevation-of-privilege vulnerabilities will keep admins busy.
    August 2024: Microsoft patches six actively exploited zero-days among over 100 issues during its regular monthly update.
    July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-day singled out for urgent attention.
    June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address in Microsoft’s latest Patch Tuesday update.
    May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malware that is drawing attention.

    Source: https://www.computerweekly.com/news/366623992/May-Patch-Tuesday-brings-five-exploited-zero-days-to-fix