Multiple zero-day vulnerabilities in Broadcom VMware ESXi and other products

On Tuesday, March 4, 2025, Broadcom published a critical security advisory (VMSA-2025-0004) on 3 new zero-day vulnerabilities affecting multiple VMware products, including ESXi, Workstation, and Fusion. The most severe of the vulnerabilities is CVE-2025-22224, a critical vulnerability in ESXi and Workstation. Notably, these are not remotely exploitable vulnerabilities — they require an attacker to have existing privileged access on a VM that is running on an affected VMware hypervisor.

  • CVE-2025-22224 (CVSS 9.3): A Time-of-Check Time-of-Use (TOCTOU) vulnerability in VMware ESXi and Workstation that can lead to an out-of-bounds write condition. An attacker with local administrative privileges on a virtual machine could exploit this issue to execute code as the virtual machine's VMX process running on the host.
  • CVE-2025-22225 (CVSS 8.2): An arbitrary write vulnerability in VMware ESXi that allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.
  • CVE-2025-22226 (CVSS 7.1): An information disclosure vulnerability in VMware ESXi, Workstation, and Fusion that arises from an out-of-bounds read in the Host Guest File System (HGFS). An attacker with administrative privileges to a virtual machine could exploit this issue to leak memory from the VMX process.

Broadcom has published an FAQ with additional information for VMware customers.

All 3 vulnerabilities were reported to Broadcom by Microsoft Threat Intelligence Center. Broadcom’s advisory indicates for all 3 CVEs that Broadcom “has information to suggest that exploitation has occurred in the wild.” Shortly after Broadcom published their advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added all 3 CVEs to the Known Exploited Vulnerabilities (KEV) list.

Based on the information in the advisory, it appears that the 3 vulnerabilities can be chained together: “This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”

There is no known public exploit code for any of the CVEs at time of publication. Nevertheless, given that ESXi hypervisors are popular targets for both financially motivated and state-sponsored adversaries, Rapid7 recommends applying vendor-supplied fixes on an expedited basis.

Affected products

The following products are vulnerable to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226:

  • Broadcom VMware ESXi 7.0 and 8.0
  • Broadcom VMware Cloud Foundation 4.5.x and 5.x
  • Broadcom VMware Telco Cloud Platform 5.x, 4.x, 3.x, and 2.x
  • Broadcom VMware Telco Cloud Infrastructure 3.x and 2.x

The following products are vulnerable to CVE-2025-22224 and CVE-2025-22226:

  • Broadcom VMware Workstation 17.x

The following product is vulnerable to CVE-2025-22226:

  • Broadcom VMware Fusion 13.x

For the most complete information on affected and fixed versions, see Broadcom’s advisory and FAQ.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 on Broadcom VMware ESXi hypervisors, Fusion, and Workstation products with vulnerability checks expected to be available in today’s (Tuesday, March 4) content release.

Patch Tuesday - February 2025

Microsoft is addressing 56 vulnerabilities this February 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation for two of the vulnerabilities published today, which is reflected in CISA KEV. Microsoft is aware of public disclosure for two other vulnerabilities. This is now the fifth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of just three critical remote code execution (RCE) vulnerabilities. Eleven browser vulnerabilities have already been published separately this month, and are not included in the total.

Ancillary Function Driver: zero-day EoP

All versions of Windows receive patches today for CVE-2025-21418, a heap-based buffer overflow in the Windows Ancillary Function Driver (AFD). Successful exploitation leads to SYSTEM privileges. The AFD has been around for decades; it handles foundational networking functionality, so it is necessarily a kernel driver which interacts with a great deal of user-supplied input. It is perhaps not very shocking that AFD has been the site of a significant number of problems over the years: specifically, elevation of privilege (EoP) vulnerabilities. Microsoft is aware of existing exploitation in the wild, and with low attack complexity, low privilege requirements, and no requirement for user interaction, CVE-2025-21418 is one to prioritize for patching. The relatively low CVSSv3 base score of 7.8 and severity rating of Important may appear relatively mild; however, broad similarities exist between this vulnerability and CVE-2024-38193, which Rapid7 flagged as ripe for malware abuse on the day it was published, and which has subsequently been linked to exploitation by the North Korean state-associated threat actor tracked as Lazarus.

Windows Storage: zero-day EoP

Ever wanted to delete a file on a Windows box, but pesky permissions prevented you from achieving your goal? CVE-2025-21391 might be just what you need: an elevation of privilege (EoP) vulnerability in the Windows Storage service for which Microsoft is aware of exploitation in the wild. No user interaction is required, attack complexity is low, and the weakness is given as “CWE-59: Improper Link Resolution Before File Access”, but what are attackers hoping to achieve here? Although the advisory provides scant detail, and even offers some vague reassurance that “an attacker would only be able to delete targeted files on a system”, it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service. As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links.

NTLMv2 disclosure: zero-day spoofing

It’s almost surprising when any particular Patch Tuesday doesn’t involve plugging one or two holes through which NTLM hashes can leak. CVE-2025-21377 describes an NTLMv2 hash disclosure vulnerability where exploitation ultimately results in the attacker gaining the ability to authenticate as the targeted user. Minimal user interaction with a malicious file is required, including selecting, inspecting, or “performing an action other than opening or executing the file.” This trademark linguistic ducking and weaving may be Microsoft’s way of saying “if we told you any more, we’d give the game away.” Accordingly, Microsoft assesses exploitation as more likely. The advisory acknowledges researchers from 0patch by ACROS Security — who also reported last month’s NTLM hash disclosure zero-day vuln CVE-2025-21308 — as well as others from Securify and Cathay Pacific; this might be the first instance of an airline receiving credit for reporting a Microsoft zero-day vulnerability.

Surface: zero-day container escape

A wide array of Microsoft Surface machines are vulnerable to CVE-2025-21194 until patched, although the most recent Surface Pro 10 and 11 series are not listed as vulnerable. The vulnerability is described as a security feature bypass, and exploitation could lead to container escape from a UEFI host machine and compromise of the hypervisor. Surface devices receive updates via Windows Update, although the advisory also gives brief instructions for users who wish to apply the updates manually. Microsoft describes the vulnerability as publicly disclosed.

LDAP server: critical RCE

Any security advisory which lists multiple weakness types typically describes a complex vulnerability, and Windows LDAP critical remote code execution (RCE) CVE-2025-21376 is no exception. Successful exploitation requires an attacker to navigate multiple challenges, including winning a race condition. The prize: code execution on the Windows LDAP server. Although Microsoft seldom specifies the privilege level of code execution on LDAP server vulnerabilities, Rapid7 has noted previously that the LDAP service runs in a SYSTEM context, and that is the only safe assumption. All versions of Windows receive a patch.

DHCP client: critical RCE

Today sees the publication of a slightly mysterious critical RCE in the Windows DHCP Client Service. Exploitation of CVE-2025-21379 requires an attacker to intercept and potentially modify communications between the Windows DHCP client and the requested resource, which implies either that an attacker can break encryption, or that no encryption is present in the DHCP communication; this risk is highlighted in Microsoft’s own spec for DHCP implementation.

Excel: critical RCE

As if spreadsheets weren’t dangerous enough by themselves, today sees publication of CVE-2025-21381, a critical RCE in Excel. As usual for this class of attack, the advisory clarifies that “remote” in this case refers to the location of the attacker, since user interaction is required, and the code execution will be in the context of the user on their local machine. The Outlook Preview Pane is an attack vector, so simply glancing at an email containing a specially crafted malicious spreadsheet is enough for the attack to succeed, although an attacker could also convince a user to download and open a file from a website, or perhaps simply drop a few USB sticks in the parking lot.

Microsoft lifecycle update

In Microsoft product lifecycle news, SQL Server 2019 moves from mainstream support to extended support on 2025-02-28.

Summary charts

[Summary charts for Patch Tuesday - February 2025; chart images are not included in this text]

Summary tables

Apps vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21322 | Microsoft PC Manager Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21259 | Microsoft Outlook Spoofing Vulnerability | No | No | 5.3 |

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21198 | Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability | No | No | 9 |
| CVE-2025-21188 | Azure Network Watcher VM Extension Elevation of Privilege Vulnerability | No | No | 6 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21342 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21408 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21279 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 6.5 |
| CVE-2025-21283 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 6.5 |
| CVE-2025-21253 | Microsoft Edge for IOS and Android Spoofing Vulnerability | No | No | 5.3 |
| CVE-2025-21267 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.4 |
| CVE-2025-21404 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 |
| CVE-2025-0451 | Chromium: CVE-2025-0451 Inappropriate implementation in Extensions API | No | No | N/A |
| CVE-2025-0445 | Chromium: CVE-2025-0445 Use after free in V8 | No | No | N/A |
| CVE-2025-0444 | Chromium: CVE-2025-0444 Use after free in Skia | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21206 | Visual Studio Installer Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24042 | Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-24039 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 |

Developer Tools Mariner vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-32002 | HackerOne: CVE-2023-32002 Node.js Module._load() policy Remote Code Execution Vulnerability | No | No | N/A |

Device vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability | No | Yes | 7.1 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21406 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21407 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21190 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21200 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21371 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21201 | Windows Telephony Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21208 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21410 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21368 | Microsoft Digest Authentication Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21369 | Microsoft Digest Authentication Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2025-21359 | Windows Kernel Security Feature Bypass Vulnerability | No | No | 7.8 |
| CVE-2025-21373 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21420 | Windows Disk Cleanup Tool Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Yes | No | 7.8 |
| CVE-2025-21375 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21181 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2025-21419 | Windows Setup Files Cleanup Elevation of Privilege Vulnerability | No | No | 7.1 |
| CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability | No | Yes | 6.5 |
| CVE-2025-21352 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21347 | Windows Deployment Services Denial of Service Vulnerability | No | No | 6 |
| CVE-2025-21350 | Windows Kerberos Denial of Service Vulnerability | No | No | 5.9 |
| CVE-2025-21337 | Windows NTFS Elevation of Privilege Vulnerability | No | No | 3.3 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21177 | Microsoft Dynamics 365 Sales Elevation of Privilege Vulnerability | No | No | 8.7 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2025-21392 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21397 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21381 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21386 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21387 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21390 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21394 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2025-21383 | Microsoft Excel Information Disclosure Vulnerability | No | No | 7.8 |
| CVE-2025-24036 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | No | No | 7 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21367 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2025-21358 | Windows Core Messaging Elevation of Privileges Vulnerability | No | No | 7.8 |
| CVE-2025-21351 | Windows Active Directory Domain Services API Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2025-21182 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2025-21183 | Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability | No | No | 7.4 |
| CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability | Yes | No | 7.1 |
| CVE-2025-21379 | DHCP Client Service Remote Code Execution Vulnerability | No | No | 7.1 |
| CVE-2025-21184 | Windows Core Messaging Elevation of Privileges Vulnerability | No | No | 7 |
| CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability | No | No | 7 |
| CVE-2025-21349 | Windows Remote Desktop Configuration Service Tampering Vulnerability | No | No | 6.8 |
| CVE-2025-21212 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21216 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21254 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2025-21179 | DHCP Client Service Denial of Service Vulnerability | No | No | 4.8 |
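The summary tables above list one vulnerability per row with the CVE, the title, the two Yes/No flags and the CVSSv3 base score (or N/A) in fixed positions. The earlier discussion of CVE-2025-21418 makes the point that a 7.8 with known exploitation should be patched ahead of higher-scored bugs that nobody is exploiting. The following is an added example, not Rapid7's or Microsoft's code: it parses rows in that row format and ranks them with a triage rule that is this editor's assumption (known exploitation first, then public disclosure, then CVSS, with N/A sinking to the bottom). The sample rows are copied from the tables above.

```python
"""Parse flattened Patch Tuesday summary-table rows and rank them for triage.

Added example; the ordering policy in priority() is an assumption of this
editor, not a Microsoft or Rapid7 rule.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One row: CVE id, free-text title, Exploited?, Publicly disclosed?, score.
# The title is matched lazily and the pattern is anchored at end of line, so
# titles that themselves contain a CVE id (the Chromium rows) parse cleanly.
ROW = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<exploited>Yes|No)\s+"
    r"(?P<disclosed>Yes|No)\s+"
    r"(?P<score>N/A|\d+(?:\.\d+)?)$"
)


@dataclass(frozen=True)
class Row:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    score: Optional[float]  # None where the table says N/A


def parse_row(line: str) -> Row:
    """Turn one flattened table row into a Row, or raise on malformed input."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"not a summary-table row: {line!r}")
    score = None if m["score"] == "N/A" else float(m["score"])
    return Row(m["cve"], m["title"], m["exploited"] == "Yes",
               m["disclosed"] == "Yes", score)


def priority(row: Row) -> tuple:
    """Sort key (lower sorts first): exploited, then disclosed, then CVSS.

    Booleans are negated so True sorts first; the score is negated so higher
    CVSS sorts first; N/A is treated as 0.0; the CVE id breaks ties stably.
    """
    return (not row.exploited, not row.disclosed, -(row.score or 0.0), row.cve)


def triage(lines: Iterable[str]) -> List[Row]:
    """Parse every non-blank line and return rows in patch-priority order."""
    rows = [parse_row(line) for line in lines if line.strip()]
    return sorted(rows, key=priority)


# Rows copied from the February 2025 tables above (constructed subset).
SAMPLE = """
CVE-2025-21198 Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability No No 9
CVE-2025-21418 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21377 NTLM Hash Disclosure Spoofing Vulnerability No Yes 6.5
CVE-2025-21391 Windows Storage Elevation of Privilege Vulnerability Yes No 7.1
CVE-2025-21376 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.1
CVE-2025-0445 Chromium: CVE-2025-0445 Use after free in V8 No No N/A
"""

if __name__ == "__main__":
    for r in triage(SAMPLE.splitlines()):
        flags = ("exploited " if r.exploited else "") + ("disclosed" if r.disclosed else "")
        print(f"{r.cve:16} {r.score!s:5} {flags.strip():20} {r.title}")
```

With the sample rows, the two exploited EoPs (CVE-2025-21418, CVE-2025-21391) come out ahead of the 9.0 HPC Pack RCE, which is the ordering the text argues for; swap in your own rows, or add a column for whether the product is actually deployed, to turn this into a real prioritisation list.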

Executive summary

Fortinet firewalls hit with new zero-day attack, older data leak

Rapid7 is investigating two separate events affecting Fortinet firewall customers:

  • Zero-day exploitation of CVE-2024-55591, an authentication bypass vulnerability in FortiOS and FortiProxy disclosed earlier this week. Successful exploitation could allow remote attackers to gain super-admin privileges via crafted requests to the Node.js websocket module.
  • A January 15, 2025 dark web post from a threat actor who looks to have published IPs, passwords, and configuration data from 15,000 FortiGate firewalls. The data leaked online appears to be several years old (2022). Rapid7 has not attributed any CVEs to the leaked data at this time.

FortiGate data leak

On Wednesday, January 15, 2025, a threat actor named “Belsen Group” published a trove of Fortinet FortiGate firewall data on the dark web, allegedly from 15,000 organizations. The data released included IP addresses, passwords, and firewall configuration information — a potentially significant risk for organizations whose data was leaked.

Security researcher Kevin Beaumont has an initial analysis of the leaked data, along with his assessment that the data leaked this week appears to be from 2022. After conducting our own outreach to potentially affected organizations, Rapid7 has also confirmed that at least some of the leaked data originated from 2022 incidents where customer firewalls were compromised. Based on Beaumont’s analysis and observations from our own investigations, it’s likely that the data dump published by the threat actor contains primarily or entirely older data.

Rapid7 has not attributed the data leak to a specific CVE at this time. Beaumont said his observations from incident responses indicate that CVE-2022-40684 (a Fortinet firewall zero-day flaw from 2022) may have been the initial access vector that allowed for the large-scale firewall data leak.

New Fortinet zero-day CVE also exploited in the wild

Separately, on Tuesday, January 14, 2025, Fortinet disclosed CVE-2024-55591, a new zero-day vulnerability affecting FortiOS and FortiProxy. Security firm Arctic Wolf had previously published a blog on threat activity targeting Fortinet firewall management interfaces exposed to the public internet, saying that “a zero-day vulnerability is likely” but an initial access vector had not been confirmed. According to Arctic Wolf, the campaign “involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes.”

Fortinet’s advisory for CVE-2024-55591 includes indicators of compromise (IOCs) and notes that the vulnerability was reported as exploited in the wild at time of disclosure. No individual or firm is explicitly credited for discovering the vulnerability in Fortinet’s advisory, and Fortinet has not confirmed that CVE-2024-55591 is the zero-day vulnerability Arctic Wolf speculated was being leveraged in the threat activity it observed.

Rapid7 MDR threat hunters have observed activity from IP addresses publicly attributed to the threat campaign targeting CVE-2024-55591, but our team has so far only noted connections consistent with scanning or reconnaissance activity and not exploitation.

Zero-day vulnerabilities in Fortinet FortiOS, the operating system that runs on FortiGate firewalls, have been a relatively common occurrence in recent years and have been leveraged in a wide range of financially motivated, state-sponsored, and other attacks. In addition to CVE-2024-55591, prominent FortiOS zero-day flaws have included:

Like CVE-2022-40684, CVE-2024-55591 is an authentication bypass using an alternate path or channel (CWE-288). While it does not currently appear likely that CVE-2024-55591 is the vulnerability that enabled the collection and release of FortiGate firewall configuration data on January 15, 2025, the vulnerability is nevertheless being exploited in the wild and should be treated with urgency.

Mitigation guidance

According to Fortinet’s advisory, the following products and versions are vulnerable to CVE-2024-55591:

  • Fortinet FortiOS 7.0.0 through 7.0.16 (fixed in 7.0.17 or above)
  • Fortinet FortiProxy 7.2.0 through 7.2.12 (fixed in 7.2.13 or above)
  • Fortinet FortiProxy 7.0.0 through 7.0.19 (fixed in 7.0.20 or above)

Per Fortinet, other versions of FortiOS (6.4, 7.2, 7.4, 7.6) and FortiProxy (2.0, 7.4, 7.6) are not affected. Customers should update to a fixed version immediately, without waiting for a regular patch cycle to occur, and review Fortinet’s IOCs to aid investigations into suspicious activity. Indicators include examples of administrative or local users added by adversaries.
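The version ranges above are easy to misread by hand, and a naive string comparison will rank 7.0.9 above 7.0.16. As an added example (not Fortinet's or Rapid7's tooling), the Python below encodes exactly the affected and fixed versions listed above, classifies a FortiOS or FortiProxy version string, and pulls the version out of a `get system status` dump. The `Version:` line format it parses is this editor's recollection of that command's output and the sample dump is constructed, so treat that regex as an assumption and confirm it against a real device.

```python
"""CVE-2024-55591 exposure check for FortiOS / FortiProxy version strings.

Added example, not Fortinet's or Rapid7's code. The affected/fixed ranges
are those quoted from Fortinet's advisory in the text above; the
'get system status' line format is this editor's assumption.
"""
import re
from typing import NamedTuple, Tuple


class AffectedRange(NamedTuple):
    product: str
    first: Tuple[int, int, int]  # first affected version, inclusive
    last: Tuple[int, int, int]   # last affected version, inclusive
    fixed: str                   # first fixed version on that branch


# Ranges from Fortinet's advisory as reproduced above.
AFFECTED = [
    AffectedRange("FortiOS",    (7, 0, 0), (7, 0, 16), "7.0.17"),
    AffectedRange("FortiProxy", (7, 2, 0), (7, 2, 12), "7.2.13"),
    AffectedRange("FortiProxy", (7, 0, 0), (7, 0, 19), "7.0.20"),
]
KNOWN_PRODUCTS = {r.product for r in AFFECTED}


def parse_version(version: str) -> Tuple[int, int, int]:
    """'7.0.16' -> (7, 0, 16). Integer tuples compare correctly, whereas the
    raw strings would wrongly rank '7.0.9' above '7.0.16'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(product: str, version: str) -> str:
    """Classify one device as vulnerable, fixed or not affected."""
    if product not in KNOWN_PRODUCTS:
        raise ValueError(f"no CVE-2024-55591 data for product {product!r}")
    ver = parse_version(version)
    for r in AFFECTED:
        if r.product != product or ver[:2] != r.first[:2]:
            continue  # different product, or a different release branch
        if r.first <= ver <= r.last:
            return f"vulnerable: upgrade to {r.fixed} or later"
        if ver >= parse_version(r.fixed):
            return f"fixed: {version} >= {r.fixed}"
    # Branches Fortinet lists as unaffected (e.g. FortiOS 7.2/7.4/7.6).
    return "not affected"


# 'Version:' line of 'get system status' as this editor recalls its shape
# (assumption: verify against a real device before relying on it).
STATUS_VERSION = re.compile(
    r"^Version:\s+(?P<model>\S+?)\s+v(?P<ver>\d+\.\d+\.\d+)", re.M
)


def from_get_system_status(output: str) -> Tuple[str, str]:
    """Map a 'get system status' dump to (product, version)."""
    m = STATUS_VERSION.search(output)
    if not m:
        raise ValueError("no 'Version:' line found")
    model = m["model"]
    if model.startswith("FortiGate"):
        product = "FortiOS"
    elif model.startswith("FortiProxy"):
        product = "FortiProxy"
    else:
        raise ValueError(f"unsupported model: {model}")
    return product, m["ver"]


# Constructed sample dump for a stand-alone run; not from a real device.
SAMPLE_STATUS = """\
Version: FortiGate-100F v7.0.12,build0523,230426 (GA.M)
Operation Mode: NAT
"""

if __name__ == "__main__":
    product, version = from_get_system_status(SAMPLE_STATUS)
    print(product, version, "->", assess(product, version))
```

Note that the branch check matters: FortiOS 7.2 is unaffected while FortiProxy 7.2 is affected, so the product must be matched before the version, and a device on an unaffected branch is reported as such rather than silently treated as fixed.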

Customers should also ensure that firewall management interfaces are not exposed to the public internet and limit IP addresses that can reach administrative interfaces. If your organization was impacted by the January 15, 2025 FortiGate firewall data leak, you should change administrative and local user passwords immediately. FortiOS also supports multi-factor authentication (MFA) for local user accounts, which Rapid7 strongly recommends implementing.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-55591 with vulnerability checks available in the January 15, 2025 content release. Customers already have coverage for all other FortiOS vulnerabilities mentioned in this blog from past content releases.

Patch Tuesday - January 2025

Microsoft is addressing 161 vulnerabilities this January 2025 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and/or public disclosure for eight of the vulnerabilities published today, with three listed on CISA KEV. This is now the fourth consecutive month where Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today also sees the publication of nine critical remote code execution (RCE) vulnerabilities. Unusually, Microsoft has not yet published any browser vulnerabilities this month.

Access: triple zero-day RCE

Today sees the publication of three very similar zero-day Microsoft Access vulnerabilities: CVE-2025-21366, CVE-2025-21395, and CVE-2025-21186. In each case, Microsoft notes public disclosure, but does not claim evidence of exploitation in the wild. Successful exploitation leads to code execution via heap-based buffer overflow, and requires that an attacker convince the user to download and open a malicious file. Curiously, in each case, one portion of the advisory FAQ describes the update protection as “blocking potentially malicious extensions from being sent in an email”, but the remainder of the advisory doesn’t clarify how this would prevent malicious activity. Typically, patches provide protection by blocking malicious files upon receipt of a malicious email attachment, rather than preventing a malicious attachment from being sent in the first place, since an attacker is free to send whatever they like from any system they control. The FAQ does mention that users who would otherwise have interacted with a malicious attachment will instead receive a notification that there was an attachment but “it cannot be accessed”, which is perhaps the best play on words we’ve seen from MSRC in a while.

Hyper-V NT Kernel Integration VSP: triple zero-day EoP

Microsoft is addressing a trio of related Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities today: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335. Microsoft is aware of exploitation in the wild for all three, as seen on both the Microsoft advisories and CISA KEV. In each case, exploitation leads to SYSTEM privileges. The advisories are short on additional detail, beyond a brief acknowledgement of Anonymous — presumably an undisclosed party, rather than the hacktivist collective — on CVE-2025-21333. While we can sometimes infer context from prior examples, in this case there aren’t any; there is no mention of Hyper-V NT Kernel Integration VSP in any vulnerability published by Microsoft, at least as far back as 2017. If we look back five years, CVE-2020-16885 does describe an elevation of privilege vulnerability in the Windows storage VSP driver, but there isn’t a lot to go on there either.

The Virtualization Service Provider (VSP) resides in the root partition of a Hyper-V instance, and provides synthetic device support to child partitions over the Virtual Machine Bus (VMBus): it’s the foundation of how Hyper-V allows the child partition to trick itself into thinking that it’s a real computer. Given that the entire thing is a security boundary, it’s perhaps surprising that no Hyper-V NT Kernel Integration VSP vulnerabilities have been acknowledged by Microsoft until today, but it won’t be at all shocking if more now emerge. The advisories published today do not clarify whether the elevation of privilege is only to SYSTEM within the child partition, but container escape specialists will surely be hunting for exploits in this area.

Windows Themes: zero-day NTLM disclosure

Many enterprise users or even admins may not think about Windows Themes very often, but consider CVE-2025-21308: a spoofing vulnerability where successful exploitation leads to improper disclosure of an NTLM hash, which allows an attacker to impersonate the user from whom it was acquired. Microsoft does not have evidence of in-the-wild exploitation, but does note public disclosure. The advisory FAQ dances around the exploitation methodology without explaining; what we learn is that once an attacker had somehow delivered a malicious file to the target system, a user would need to manipulate the malicious file, but not necessarily click or open it. Without further detail, we can only speculate, but it’s plausible that simply opening a folder containing the file in Windows Explorer — including the Downloads folder — or inserting a USB drive, would be enough to trigger the vulnerability and see your NTLM hash leak silently for collection by the threat actor.

Some good news: Microsoft has removed NTLMv1 support from Windows 11 24H2 and Server 2025 onwards. Less good: it has been a whole two months since Microsoft last patched a zero-day NTLM disclosure vulnerability; that flaw was within MSHTML/Trident, and Windows 11 24H2 and Server 2025 were still vulnerable, since NTLMv2 is still supported across the board. On the advisory for CVE-2025-21308, Microsoft does link to documents describing a mitigation technique: restricting NTLM traffic. This is certainly worth a look, since a representative of reporting research organization 0patch has confirmed that NTLMv2 is affected by CVE-2025-21308.

Windows Installer: zero-day EoP

Installing or updating software often requires elevated privileges, and researchers and threat actors have known this for a long time. The advisory for CVE-2025-21275 doesn’t weigh us down with lengthy explanations, it simply says that successful exploitation leads to SYSTEM privileges. Microsoft is aware of public disclosure of this vulnerability, but not in-the-wild exploitation. CVE-2025-21275 is the latest in a long line of Windows Installer elevation of privilege vulnerabilities; Microsoft has now published 37 Windows Installer elevation of privilege vulnerabilities in total since the start of 2020, although only five of those have been zero-days, with only CVE-2024-38014 known by Microsoft to have been exploited prior to publication in September 2024.

PGM: critical RCE

Microsoft’s in-house research teams are a reliable source of vulnerability discovery in Microsoft products, and today we get patches for the self-discovered CVE-2025-21307, a critical RCE in the Windows Reliable Multicast Transport Driver (RMCAST) with a CVSSv3 base score of 9.8. The vulnerability is only exploitable on a system where a program is listening on a Pragmatic General Multicast (PGM) port.

In 2025, you might very well expect that any service that a major commercial operating system exposes to the network would provide at least some form of authentication capability, but if so, prepare to be disappointed by the Windows implementation of PGM. The concept was first described in RFC 3208, which was published in 2001 in an Experimental state and stayed that way. As Microsoft themselves put it, “the PGM specification [RFC3208] is ambiguous in a number of areas”. Given the lack of required user interaction and remote attack vector for CVE-2025-21307, it’s well worth asking yourself: does our firewall allow a PGM receiver to receive inbound traffic from the public internet? If so, the second-best time to prevent that is right now.

OLE: critical RCE

Outlook admins who force their users to read emails in plain text only can skip this paragraph, but everyone else should be aware of CVE-2025-21298, a Windows Object Linking and Embedding (OLE) critical RCE with a CVSSv3 base score of 9.8. The eternal threat of the malicious inbound email finds expression again here; just previewing the wrong email in Outlook is all it takes for an attacker to achieve code execution in the context of the user. All versions of Windows receive a patch.

Microsoft lifecycle update

In Microsoft product lifecycle news, Visual Studio 2022 17.6 LTSC receives its last update today.

Summary Charts

[Summary charts for Patch Tuesday - January 2025; chart images are not included in this text]
Windows Telephony Service looming large this month

Summary tables

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21380 | Azure Marketplace SaaS Resources Information Disclosure Vulnerability | No | No | 8.8 |
| CVE-2025-21403 | On-Premises Data Gateway Information Disclosure Vulnerability | No | No | 6.4 |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21178 | Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21176 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2025-21171 | .NET Remote Code Execution Vulnerability | No | No | 7.5 |
| CVE-2024-50338 | GitHub: CVE-2024-50338 Malformed URL allows information disclosure through git-credential-manager | No | No | 7.4 |
| CVE-2025-21405 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2025-21173 | .NET Elevation of Privilege Vulnerability | No | No | 7.3 |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2025-21307 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability | No | No | 9.8 |
| CVE-2025-21411 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21413 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21233 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21236 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21237 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21243 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21244 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21252 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21266 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21282 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21302 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21303 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21306 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21273 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21286 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21305 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21339 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21246 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21417 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21250 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21240 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21238 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21223 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21409 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21245 | Windows Telephony Service Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2025-21293 | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 |
| CVE-2025-21297 | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2025-21309 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2025-21295 SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability No No 8.1
CVE-2025-21294 Microsoft Digest Authentication Remote Code Execution Vulnerability No No 8.1
CVE-2025-21287 Windows Installer Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21378 Windows CSC Service Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21281 Microsoft COM for Windows Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21389 Windows upnphost.dll Denial of Service Vulnerability No No 7.5
CVE-2025-21300 Windows upnphost.dll Denial of Service Vulnerability No No 7.5
CVE-2025-21276 Windows MapUrlToZone Denial of Service Vulnerability No No 7.5
CVE-2025-21218 Windows Kerberos Denial of Service Vulnerability No No 7.5
CVE-2025-21220 Microsoft Message Queuing Information Disclosure Vulnerability No No 7.5
CVE-2025-21251 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21270 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21277 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21285 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21289 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21290 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21230 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2025-21231 IP Helper Denial of Service Vulnerability No No 7.5
CVE-2025-21296 BranchCache Remote Code Execution Vulnerability No No 7.5
CVE-2025-21331 Windows Installer Elevation of Privilege Vulnerability No No 7.3
CVE-2025-21211 Secure Boot Security Feature Bypass Vulnerability No No 6.8
CVE-2024-7344 Cert CC: CVE-2024-7344 Howyar Taiwan Secure Boot Bypass No No 6.7
CVE-2025-21249 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21255 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21258 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21260 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21263 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21265 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21327 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21341 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21226 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21227 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21228 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21229 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21232 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21256 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21261 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21310 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21324 Windows Digital Media Elevation of Privilege Vulnerability No No 6.6
CVE-2025-21308 Windows Themes Spoofing Vulnerability No Yes 6.5
CVE-2025-21217 Windows NTLM Spoofing Vulnerability No No 6.5
CVE-2025-21272 Windows COM Server Information Disclosure Vulnerability No No 6.5
CVE-2025-21288 Windows COM Server Information Disclosure Vulnerability No No 6.5
CVE-2025-21278 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability No No 6.2
CVE-2025-21242 Windows Kerberos Information Disclosure Vulnerability No No 5.9
CVE-2025-21336 Windows Cryptographic Information Disclosure Vulnerability No No 5.6
CVE-2025-21316 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21318 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21319 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21320 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21321 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21274 Windows Event Tracing Denial of Service Vulnerability No No 5.5
CVE-2025-21374 Windows CSC Service Information Disclosure Vulnerability No No 5.5
CVE-2025-21215 Secure Boot Security Feature Bypass Vulnerability No No 4.6
CVE-2025-21213 Secure Boot Security Feature Bypass Vulnerability No No 4.6
CVE-2025-21269 Windows HTML Platforms Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21268 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21329 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21328 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21189 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21332 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3
CVE-2025-21210 Windows BitLocker Information Disclosure Vulnerability No No 4.2
CVE-2025-21214 Windows BitLocker Information Disclosure Vulnerability No No 4.2
CVE-2025-21312 Windows Smart Card Reader Information Disclosure Vulnerability No No 2.4

ESU Windows Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21338 GDI+ Remote Code Execution Vulnerability No No 7.8

Microsoft Dynamics vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21187 Microsoft Power Automate Remote Code Execution Vulnerability No No 7.8

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21385 Microsoft Purview Information Disclosure Vulnerability No No 8.8
CVE-2025-21363 Microsoft Word Remote Code Execution Vulnerability No No 7.8
CVE-2025-21344 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.8
CVE-2025-21361 Microsoft Outlook Remote Code Execution Vulnerability No No 7.8
CVE-2025-21345 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2025-21356 Microsoft Office Visio Remote Code Execution Vulnerability No No 7.8
CVE-2025-21365 Microsoft Office Remote Code Execution Vulnerability No No 7.8
CVE-2025-21402 Microsoft Office OneNote Remote Code Execution Vulnerability No No 7.8
CVE-2025-21364 Microsoft Excel Security Feature Bypass Vulnerability No No 7.8
CVE-2025-21354 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21362 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2025-21360 Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21366 Microsoft Access Remote Code Execution Vulnerability No Yes 7.8
CVE-2025-21395 Microsoft Access Remote Code Execution Vulnerability No Yes 7.8
CVE-2025-21186 Microsoft Access Remote Code Execution Vulnerability No Yes 7.8
CVE-2025-21348 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 7.2
CVE-2025-21346 Microsoft Office Security Feature Bypass Vulnerability No No 7.1
CVE-2025-21357 Microsoft Outlook Remote Code Execution Vulnerability No No 6.7
CVE-2025-21393 Microsoft SharePoint Server Spoofing Vulnerability No No 6.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21311 Windows NTLM V1 Elevation of Privilege Vulnerability No No 9.8
CVE-2025-21239 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21241 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21248 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21292 Windows Search Service Elevation of Privilege Vulnerability No No 8.8
CVE-2025-21291 Windows Direct Show Remote Code Execution Vulnerability No No 8.8
CVE-2025-21224 Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability No No 8.1
CVE-2025-21370 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21234 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21235 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21335 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21333 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21334 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2025-21382 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21271 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21275 Windows App Package Installer Elevation of Privilege Vulnerability No Yes 7.8
CVE-2025-21304 Microsoft DWM Core Library Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21315 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21372 Microsoft Brokering File System Elevation of Privilege Vulnerability No No 7.8
CVE-2025-21326 Internet Explorer Remote Code Execution Vulnerability No No 7.8
CVE-2025-21343 Windows Web Threat Defense User Service Information Disclosure Vulnerability No No 7.5
CVE-2025-21330 Windows Remote Desktop Services Denial of Service Vulnerability No No 7.5
CVE-2025-21207 Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability No No 7.5
CVE-2025-21299 Windows Kerberos Security Feature Bypass Vulnerability No No 7.1
CVE-2025-21314 Windows SmartScreen Spoofing Vulnerability No No 6.5
CVE-2025-21313 Windows Security Account Manager (SAM) Denial of Service Vulnerability No No 6.5
CVE-2025-21301 Windows Geolocation Service Information Disclosure Vulnerability No No 6.5
CVE-2025-21193 Active Directory Federation Server Spoofing Vulnerability No No 6.5
CVE-2025-21202 Windows Recovery Environment Agent Elevation of Privilege Vulnerability No No 6.1
CVE-2025-21225 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability No No 5.9
CVE-2025-21257 Windows WLAN AutoConfig Service Information Disclosure Vulnerability No No 5.5
CVE-2025-21340 Windows Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability No No 5.5
CVE-2025-21280 Windows Virtual Trusted Platform Module Denial of Service Vulnerability No No 5.5
CVE-2025-21284 Windows Virtual Trusted Platform Module Denial of Service Vulnerability No No 5.5
CVE-2025-21317 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21323 Windows Kernel Memory Information Disclosure Vulnerability No No 5.5
CVE-2025-21219 MapUrlToZone Security Feature Bypass Vulnerability No No 4.3

CVE-2025-0282: Ivanti Connect Secure zero-day exploited in the wild

On Wednesday, January 8, 2025, Ivanti disclosed two CVEs affecting Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 is a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the target device. CVE-2025-0283 is a stack-based buffer overflow that allows local authenticated attackers to escalate privileges on the device.

Ivanti’s advisory indicates that CVE-2025-0282 has been exploited in the wild against a limited number of Connect Secure devices. Per the vendor, Ivanti Policy Secure and Neurons for ZTA are not known to have been exploited in the wild at time of disclosure. Google’s Mandiant division and Microsoft’s Threat Intelligence Center (MSTIC) are credited with the discovery of the two issues, which almost certainly means further intelligence will be released soon on one or more zero-day threat campaigns targeting Ivanti devices.

Ivanti also has a short blog available on the new CVEs here.

Mitigation guidance

The following products and versions are vulnerable to CVE-2025-0282:

  • Ivanti Connect Secure 22.7R2 through 22.7R2.4
  • Ivanti Policy Secure 22.7R1 through 22.7R1.2
  • Ivanti Neurons for ZTA 22.7R2 through 22.7R2.3

The following products and versions are vulnerable to CVE-2025-0283:

  • Ivanti Connect Secure 22.7R2.4 and prior, 9.1R18.9 and prior
  • Ivanti Policy Secure 22.7R1.2 and prior
  • Ivanti Neurons for ZTA 22.7R2.3 and prior

Ivanti has a full table of affected versions and corresponding solution estimates in its advisory. As of 1 PM ET on Wednesday, January 8, patches are available for both CVEs in Ivanti Connect Secure (22.7R2.5), but the CVEs are unpatched in Ivanti Policy Secure and Neurons for ZTA (patches appear to be expected January 21, 2025, per the advisory).
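As an added example (not Ivanti's or Rapid7's tooling), the affected ranges above encoded as a small version checker run over a constructed device inventory. The hostnames are invented, Ivanti Connect Secure 22.7R2.5 is taken as the fixed build per the advisory, and "and prior" is read as "any release in the same major line up to that version", which is my interpretation rather than the vendor's wording.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]

# Ivanti version strings on the page look like "22.7R2.4" or "9.1R18.9":
# <major>.<minor>R<release>[.<patch>]; a missing patch means 0 ("22.7R2" == "22.7R2.0").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Version:
    """Turn an Ivanti version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def _between(low: str, high: str) -> Tuple[Version, Version]:
    """'X through Y' in the advisory: inclusive on both ends."""
    return parse_version(low), parse_version(high)


def _prior(high: str) -> Tuple[Version, Version]:
    """'Y and prior': everything in Y's major line up to and including Y.
    Limiting the range to the same major version is my assumption, so that
    '22.7R2.4 and prior' does not also absorb the separately listed 9.1 line."""
    h = parse_version(high)
    return (h[0], 0, 0, 0), h


# Affected ranges exactly as listed in the advisory summary above.
AFFECTED: Dict[str, Dict[str, List[Tuple[Version, Version]]]] = {
    "CVE-2025-0282": {
        "Connect Secure": [_between("22.7R2", "22.7R2.4")],
        "Policy Secure": [_between("22.7R1", "22.7R1.2")],
        "Neurons for ZTA": [_between("22.7R2", "22.7R2.3")],
    },
    "CVE-2025-0283": {
        "Connect Secure": [_prior("22.7R2.4"), _prior("9.1R18.9")],
        "Policy Secure": [_prior("22.7R1.2")],
        "Neurons for ZTA": [_prior("22.7R2.3")],
    },
}


def vulnerable_cves(product: str, version: str) -> List[str]:
    """Return the CVEs from the advisory that apply to this product/version pair."""
    v = parse_version(version)
    hits = []
    for cve, products in AFFECTED.items():
        if any(low <= v <= high for low, high in products.get(product, [])):
            hits.append(cve)
    return hits


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Inventory rows are (hostname, product, version); result maps hostname -> CVE list."""
    return {host: vulnerable_cves(product, version) for host, product, version in inventory}


# Constructed inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("vpn-01", "Connect Secure", "22.7R2.4"),      # in the 0282 window, so both CVEs
    ("vpn-02", "Connect Secure", "22.7R2.5"),      # the patched build: neither CVE
    ("vpn-legacy", "Connect Secure", "9.1R18.9"),  # 9.1 line: only 0283 per the advisory
    ("nac-01", "Policy Secure", "22.7R1.2"),
    ("zta-01", "Neurons for ZTA", "22.7R2.3"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {', '.join(cves) or 'not affected by either CVE'}")
```
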

Customers should apply available Ivanti Connect Secure patches immediately, without waiting for a typical patch cycle to occur. Ivanti’s advisory notes that “Exploitation of CVE-2025-0282 can be identified by the Integrity Checker Tool (ICT). We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.”

For the latest information, please refer to the vendor advisory.

Rapid7 customers

Our VM engineering team is researching options for coverage of CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure and expects vulnerability checks to be available to InsightVM and Nexpose customers no later than Thursday, January 9, 2025.

Patch Tuesday - December 2024

Microsoft is addressing 70 vulnerabilities this December 2024 Patch Tuesday. Microsoft has evidence of in-the-wild exploitation and public disclosure for one of the vulnerabilities published today, and this is reflected in a CISA KEV entry. For the third month in a row, Microsoft has published zero-day vulnerabilities on Patch Tuesday without evaluating any of them as critical severity at time of publication. Today sees the publication of 16 critical remote code execution (RCE) vulnerabilities, which is more than usual. Two browser vulnerabilities have already been published separately this month, and are not included in the total.

Common Log File System: zero-day EoP

This month’s zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose Windows logging service that can be used by software clients running in user-mode or kernel-mode. Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should.

There have been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Past offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252; today’s addition of CVE-2024-49138 is the first CLFS zero-day vulnerability which Microsoft has published in 2024. Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution.

Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one. Expect more CLFS zero-day vulnerabilities to emerge in the future, unless Microsoft decides to perform a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws. Patches are available for all versions of Windows.

Groups of critical RCE

Patterns emerge when we consider the 16 critical RCE vulnerabilities published today as a whole, which may somewhat reduce the alarm that such an unusually large number might otherwise cause weary defenders.

LDAP: critical RCE

A trio of Windows LDAP critical RCE vulnerabilities receive patches this month, including CVE-2024-49112, which has a CVSSv3 base score of 9.8, the highest of any vulnerability Microsoft has published today. Exploitation is via a specially crafted set of LDAP calls, and leads to code execution within the context of the LDAP service; although the advisory doesn’t specify, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still permit domain controllers to receive inbound RPC calls from untrusted networks or to access the internet to stop doing that.

LSASS: critical RCE

Another potential cause for concern this month: CVE-2024-49126 is a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could potentially be carried out remotely, and the attacker needs no privileges, nor does the user need to perform any action; the only silver lining is that an attacker must win a race condition. Although the advisory says that code execution would be in the context of the server’s account, it might be safest to assume that code execution would be in a SYSTEM context.

Hyper-V: container escape

CVE-2024-49117 describes a container escape for Hyper-V; exploitation requires that the attacker make specially crafted file operation requests on the virtual machine (VM) to hardware resources on the VM, which could result in remote code execution on the hypervisor. The FAQ on the advisory sets out that no special privileges are required in the context of the VM, so any level of access is enough to break free from the VM. We also learn that the container escape could be lateral, where an attacker moves from one VM to another, rather than to the hypervisor.

Remote Desktop Services: 8 critical RCEs

All eight critical RCE vulnerabilities in Remote Desktop Services published today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires that an attacker win a race condition, and the same research group is credited in each case.

Microsoft lifecycle update

There are no significant Microsoft product lifecycle transitions this month.

Summary charts

Patch Tuesday - December 2024 (summary charts)

Summary tables

Browser vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49041 Microsoft Edge (Chromium-based) Spoofing Vulnerability No No 4.3
CVE-2024-12053 Chromium: CVE-2024-12053 Type Confusion in V8 No No N/A

Developer Tools vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49063 Microsoft/Muzic Remote Code Execution Vulnerability No No 8.4

Microsoft Office vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49068 Microsoft SharePoint Elevation of Privilege Vulnerability No No 8.2
CVE-2024-43600 Microsoft Office Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49069 Microsoft Excel Remote Code Execution Vulnerability No No 7.8
CVE-2024-49142 Microsoft Access Remote Code Execution Vulnerability No No 7.8
CVE-2024-49070 Microsoft SharePoint Remote Code Execution Vulnerability No No 7.4
CVE-2024-49059 Microsoft Office Elevation of Privilege Vulnerability No No 7
CVE-2024-49064 Microsoft SharePoint Information Disclosure Vulnerability No No 6.5
CVE-2024-49062 Microsoft SharePoint Information Disclosure Vulnerability No No 6.5
CVE-2024-49065 Microsoft Office Remote Code Execution Vulnerability No No 5.5

System Center vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49057 Microsoft Defender for Endpoint on Android Spoofing Vulnerability No No 8.1
CVE-2024-43594 System Center Operations Manager Elevation of Privilege Vulnerability No No 7.3

Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49093 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability No No 8.8
CVE-2024-49117 Windows Hyper-V Remote Code Execution Vulnerability No No 8.8
CVE-2024-49106 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49108 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49115 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49119 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49123 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49132 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49116 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49076 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49074 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49114 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49075 Windows Remote Desktop Services Denial of Service Vulnerability No No 7.5
CVE-2024-49107 WmsRepair Service Elevation of Privilege Vulnerability No No 7.3
CVE-2024-49097 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7
CVE-2024-49095 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability No No 7
CVE-2024-49073 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49092 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49077 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49078 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49083 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49110 Windows Mobile Broadband Driver Elevation of Privilege Vulnerability No No 6.8
CVE-2024-49094 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49101 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49111 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49081 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49109 Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability No No 6.6
CVE-2024-49087 Windows Mobile Broadband Driver Information Disclosure Vulnerability No No 4.6
CVE-2024-49098 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 4.3
CVE-2024-49099 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 4.3
CVE-2024-49103 Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability No No 4.3

Windows ESU vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2024-49112 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 9.8
CVE-2024-49085 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49086 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49102 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49104 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49125 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 8.8
CVE-2024-49080 Windows IP Routing Management Snapin Remote Code Execution Vulnerability No No 8.8
CVE-2024-49120 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49128 Windows Remote Desktop Services Remote Code Execution Vulnerability No No 8.1
CVE-2024-49126 Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49127 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49122 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49118 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability No No 8.1
CVE-2024-49124 Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability No No 8.1
CVE-2024-49072 Windows Task Scheduler Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49138 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes Yes 7.8
CVE-2024-49088 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49090 Windows Common Log File System Driver Elevation of Privilege Vulnerability No No 7.8
CVE-2024-49079 Input Method Editor (IME) Remote Code Execution Vulnerability No No 7.8
CVE-2024-49129 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability No No 7.5
CVE-2024-49121 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2024-49113 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability No No 7.5
CVE-2024-49096 Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability No No 7.5
CVE-2024-49089 Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability No No 7.2
CVE-2024-49091 Windows Domain Name Service Remote Code Execution Vulnerability No No 7.2
CVE-2024-49084 Windows Kernel Elevation of Privilege Vulnerability No No 7
CVE-2024-49082 Windows File Explorer Information Disclosure Vulnerability No No 6.8
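The summary tables in this post and in the January 2025 post above share one flattened row layout: CVE, title, Exploited?, Publicly disclosed?, CVSSv3 base score. As an added example that is not part of either post, here is a parser that turns those rows into a first-pass triage view (exploited, disclosed-but-not-exploited, highest scores, and a per-component count); the sample excerpt is copied from the tables above, and the function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Entry(NamedTuple):
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    cvss: Optional[float]   # None where the table says N/A (e.g. Chromium rows)


# One table row: "<CVE> <title> <Exploited? Yes|No> <Publicly disclosed? Yes|No> <CVSSv3 or N/A>".
# The title is matched lazily so it may contain spaces, colons and even a second CVE id.
_ROW_RE = re.compile(
    r"^(CVE-\d{4}-\d{4,})\s+(.+?)\s+(Yes|No)\s+(Yes|No)\s+(\d+(?:\.\d+)?|N/A)$"
)
# Trailing impact phrase of a Microsoft advisory title, stripped to recover the component name.
_IMPACT_RE = re.compile(
    r"\s+(?:Remote Code Execution|Elevation of Privilege|Denial of Service|"
    r"Information Disclosure|Security Feature Bypass|Spoofing)\s+Vulnerability$"
)

# Constructed excerpt: rows copied from the tables above plus a heading and the column
# header line, to show that non-row lines are skipped.
SAMPLE_TABLE = """\
ESU Windows vulnerabilities

CVE Title Exploited? Publicly disclosed? CVSSv3 base score
CVE-2025-21298 Windows OLE Remote Code Execution Vulnerability No No 9.8
CVE-2025-21411 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21413 Windows Telephony Service Remote Code Execution Vulnerability No No 8.8
CVE-2025-21308 Windows Themes Spoofing Vulnerability No Yes 6.5
CVE-2025-21335 Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability Yes No 7.8
CVE-2024-12053 Chromium: CVE-2024-12053 Type Confusion in V8 No No N/A
"""


def parse_rows(text: str) -> List[Entry]:
    """Parse every summary-table row in `text`; headings and header lines are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _ROW_RE.match(line.strip())
        if not m:
            continue
        cve, title, exploited, disclosed, score = m.groups()
        entries.append(Entry(cve, title, exploited == "Yes", disclosed == "Yes",
                             None if score == "N/A" else float(score)))
    return entries


def component(title: str) -> str:
    """'Windows Telephony Service Remote Code Execution Vulnerability' -> 'Windows Telephony Service'."""
    return _IMPACT_RE.sub("", title)


def triage(entries: List[Entry], critical_floor: float = 9.0) -> Dict[str, List[str]]:
    """The buckets to read first: already exploited (the KEV candidates), publicly disclosed
    but not yet exploited, and anything scored at or above `critical_floor`."""
    return {
        "exploited": [e.cve for e in entries if e.exploited],
        "disclosed_not_exploited": [e.cve for e in entries if e.disclosed and not e.exploited],
        "high_score": [e.cve for e in entries
                       if e.cvss is not None and e.cvss >= critical_floor],
    }


def component_counts(entries: List[Entry]) -> Counter:
    """How many rows each component accounts for: the 'Telephony looming large' view."""
    return Counter(component(e.title) for e in entries)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    print(triage(rows))
    for name, n in component_counts(rows).most_common(3):
        print(f"{n:3d}  {name}")
```

Feeding the full tables from either post through parse_rows gives the month-wide view the charts summarise.
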

Widespread exploitation of Cleo file transfer software (CVE-2024-50623)

On Monday, December 9, multiple security firms began privately circulating reports of in-the-wild exploitation targeting Cleo file transfer software. Late the evening of December 9, security firm Huntress published a blog on active exploitation of three different Cleo products (docs):

  • Cleo VLTrader, a server-side solution for “mid-enterprise organizations”
  • Cleo Harmony, which provides file transfer capabilities for “large enterprises”
  • Cleo LexiCom, a desktop-based client for communication with major trading networks

Huntress’s blog says the exploitation they’re seeing across Cleo products results from an insufficient patch for CVE-2024-50623, a vulnerability disclosed in Cleo VLTrader, Cleo Harmony, and Cleo LexiCom in October 2024. Cleo indicated that the vulnerability was fixed in version 5.8.0.21 of all three solutions, but according to Huntress, 5.8.0.21 remains vulnerable to exploitation. CVE-2024-50623 is a cross-site scripting issue (CWE-79) that allows for unauthenticated remote code execution on target systems.

Update: Cleo evidently communicated with customers on December 10 acknowledging a "critical vulnerability in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory."

As of December 10, Rapid7 MDR has confirmed successful exploitation of this issue in customer environments; similar to Huntress, our team has observed enumeration and post-exploitation activity and is investigating multiple incidents.

File transfer software continues to be a target for adversaries, and for financially motivated threat actors in particular. Rapid7 recommends taking emergency action to mitigate risk related to this threat.

Mitigation guidance

The following products and versions are vulnerable to CVE-2024-50623. The information below contradicts previous vendor guidance, which indicated that 5.8.0.21 resolved the issue. Cleo has updated their advisory as of December 10, 2024 to confirm 5.8.0.21 is still vulnerable.

  • Cleo Harmony before and including version 5.8.0.21
  • Cleo VLTrader before and including version 5.8.0.21
  • Cleo LexiCom before and including version 5.8.0.21

According to Huntress, “Cleo is preparing a new CVE designation and expects a new patch to be released mid-week.”

In the absence of an effective patch for CVE-2024-50623 (and any other CVEs that may be assigned to this exploit), Cleo customers should remove affected products from the public internet, ensuring they are behind a firewall. Per Huntress’s investigation, disabling Cleo’s Autorun Directory, which allows command files to be automatically processed, may also prevent the latter part of the attack chain from being executed.

Huntress’s blog has several descriptions of post-exploitation activity, including attack chain artifacts, commands run, and files dropped for persistence. Rapid7 recommends that affected customers review these indicators and investigate their environments for suspicious activity dating back to at least December 3, 2024.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-50623 on Windows with an authenticated vulnerability check expected to be available in today’s (Tuesday, December 10) content release. Please note that content releases are typically available late in the evening ET on Patch Tuesday.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of rules deployed and alerting on behavior related to this threat:

  • Suspicious Process - XORed Data in PowerShell
  • Suspicious Process - PowerShell System.Net.Sockets.TcpClient
  • Attacker Behavior - Possible Cleo MFT Exploitation 2024
  • Attacker Tool - PowerShell -noni -ep -nop Flags
  • Attacker Behavior - Obfuscated Powershell Script Containing -noni -ep -nop Flags
  • Suspicious Process - Powershell Invoke-WebRequest
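As an added illustration, not Rapid7's rule definitions, here are constructed approximations of several of the rule names above, run over constructed process-creation events; it includes the -EncodedCommand decoding a detection pipeline needs before the "obfuscated" variant of the flags rule can fire. The patterns, the event field names and the sample command lines are all assumptions.

```python
import base64
import re
from typing import Dict, List

# Deliberately simple patterns that imitate the listed rule names; not Rapid7's logic.
FLAGS_RULE = "Attacker Tool - PowerShell -noni -ep -nop Flags"
OBFUSCATED_FLAGS_RULE = ("Attacker Behavior - Obfuscated Powershell Script "
                         "Containing -noni -ep -nop Flags")
RULES = {
    FLAGS_RULE: re.compile(r"(?=.*-noni)(?=.*-ep\b)(?=.*-nop)", re.I | re.S),
    "Suspicious Process - Powershell Invoke-WebRequest":
        re.compile(r"\b(?:invoke-webrequest|iwr)\b", re.I),
    "Suspicious Process - PowerShell System.Net.Sockets.TcpClient":
        re.compile(r"system\.net\.sockets\.tcpclient", re.I),
    "Suspicious Process - XORed Data in PowerShell":
        re.compile(r"-bxor\b", re.I),
}
_POWERSHELL_RE = re.compile(r"(?:^|[\\/\s\"'])(?:powershell|pwsh)(?:\.exe)?\b", re.I)
_ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or '' if absent/malformed."""
    m = _ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""   # malformed blob: treat as "no payload" rather than crash the pipeline


def evaluate(event: Dict[str, str]) -> List[str]:
    """event = {'process': image name, 'cmdline': full command line}; returns fired rule names."""
    cmd = event.get("cmdline", "")
    if not _POWERSHELL_RE.search(event.get("process", "") + " " + cmd):
        return []                        # every rule here is scoped to PowerShell hosts
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    decoded = decode_encoded_command(cmd)
    for name, rx in RULES.items():
        if decoded and rx.search(decoded) and name not in hits:
            # a match only visible after decoding is the "obfuscated" variant of the flags rule
            hits.append(OBFUSCATED_FLAGS_RULE if name == FLAGS_RULE else name)
    return hits


# Constructed inner script and events; hostnames/URLs use the reserved .invalid TLD.
_NESTED = "powershell -noni -ep bypass -nop -c Write-Output demo"
_ENCODED = base64.b64encode(_NESTED.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"process": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},   # benign
    {"process": "cmd.exe", "cmdline": "cmd.exe /c dir"},                  # out of scope
    {"process": "powershell.exe",
     "cmdline": 'powershell.exe -noni -ep bypass -nop -c "Invoke-WebRequest http://example.invalid/f"'},
    {"process": "powershell.exe",
     "cmdline": f"powershell.exe -w hidden -enc {_ENCODED}"},             # flags hidden in base64
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["process"], "->", evaluate(ev) or "no rule fired")
```
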

Multiple Vulnerabilities in Wowza Streaming Engine (Fixed)

Wowza Streaming Engine below v4.9.1 is vulnerable to multiple vulnerabilities on Linux and Windows. An unauthenticated attacker can poison the Wowza Streaming Engine Manager web dashboard with a stored cross-site scripting (“XSS”) payload. When an administrator views the poisoned dashboard, additional authenticated vulnerabilities will automatically be exploited for remote code execution on the underlying server. The code execution context is privileged: root on Linux, LocalSystem on Windows. These vulnerabilities are tracked as CVE-2024-52052, CVE-2024-52053, CVE-2024-52054, CVE-2024-52055, and CVE-2024-52056. All five were patched on November 20, 2024, with the release of Wowza Streaming Engine v4.9.1.

Product description

Wowza Streaming Engine is media server software used by many organizations for livestream broadcasts, video on-demand, closed captioning, and media system interoperability. The Wowza Streaming Engine Manager component is a web application, and it’s used to manage and monitor Wowza Media Server instances. At the time of publication, approximately 18,500 Wowza Streaming Engine servers are exposed to the public internet, and many of those systems also expose the Manager web application.

Credit

These issues were reported to the Wowza Media Systems team by Ryan Emmons, Lead Security Researcher at Rapid7. The vulnerabilities are being disclosed in accordance with Rapid7's vulnerability disclosure policy. Rapid7 is grateful to the Wowza team for their assistance and collaboration.

Vulnerability details

The testing target was Wowza Streaming Engine v4.8.27+5, the latest version available at the time of research. Rapid7 identified multiple security vulnerabilities as part of this research project, and those vulnerabilities are outlined below.

  • CVE-2024-52052 (CVSS 9.4): An authenticated administrator can define a custom application property and poison a stream target for high-privilege remote code execution.
  • CVE-2024-52053 (CVSS 8.7): An unauthenticated attacker can inject client-side JavaScript into the administrator dashboard to automatically hijack admin accounts.
  • CVE-2024-52054 (CVSS 5.1): An injection permits an administrator user to create an XML file anywhere on the file system.
  • CVE-2024-52055 (CVSS 8.2): An injection permits an administrator user to read any file on the file system if the target directory contains an XML file.
  • CVE-2024-52056 (CVSS 6.9): An injection permits an administrator user to delete any directory on the host system if the target directory contains an XML file.

Exploitation was tested against Wowza Streaming Engine on two different operating systems: Ubuntu Linux 22.04.1 and Windows Server 2022. Based on information provided by the vendor, the unauthenticated injection vulnerability affects all Wowza Streaming Engine Manager versions, while the four authenticated vulnerabilities were introduced in v4.3.0.

Vendor statement

“We at Wowza Media Systems are focused on security excellence, and by partnering with trusted researchers like Rapid7, we proactively respond to and fix vulnerabilities to safeguard our customers' interests.”

Mitigation guidance

Per the vendor, the issues in this disclosure can be remediated by upgrading to Wowza Streaming Engine version 4.9.1 or any future version.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2024-52052, CVE-2024-52053, CVE-2024-52054, CVE-2024-52055, and CVE-2024-52056 with authenticated vulnerability checks expected to be available in the November 20, 2024 content release.

Disclosure timeline

July 30, 2024 - September 3, 2024: Rapid7 attempts to contact the vendor to disclose vulnerabilities discovered in Wowza Streaming Engine.
September 3, 2024: Rapid7 makes contact with the vendor, who acknowledges disclosure materials.
September 5, 2024 - September 18, 2024: Rapid7 and vendor discuss coordinated vulnerability disclosure steps and timeline.
October 2, 2024: Vendor communicates Q4 remediation timeline.
October 31, 2024: Patch shared with Rapid7 for testing.
November 4, 2024: Rapid7 confirms the patch is successful.
November 5, 2024: Rapid7 provides CVE IDs.
November 15, 2024: Vendor proposes Wednesday, November 20 for coordinated vulnerability disclosure. Rapid7 agrees.
November 20, 2024: This disclosure.

Zero-Day Exploitation Targeting Palo Alto Networks Firewall Management Interfaces

On Friday, November 8, 2024, cybersecurity firm Palo Alto Networks (PAN) published a bulletin (PAN-SA-2024-0015) advising firewall customers to take steps to secure their firewall management interfaces amid unverified rumors of a possible new vulnerability. Rapid7 threat intelligence teams have also been monitoring rumors of a possible zero-day vulnerability, but those rumors were previously unsubstantiated.

Late in the evening of Thursday, November 14, the Palo Alto Networks advisory was updated to note that PAN had “observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet.” The firm indicated they were actively investigating. The issue was unpatched and had no CVE at time of writing (this has now changed).

Exploitation update: On Monday, November 18, Palo Alto Networks Unit42 released further details on the threat activity they observed, which the firm is tracking under the designation "Lunar Peek."

CVE and fix update: As of Monday, November 18, two CVEs have been assigned for the attacker behavior PAN observed. CVE-2024-0012 (advisory) is an authentication bypass in PAN-OS management web interfaces. It has a CVSS score of 9.3. CVE-2024-9474 (advisory) is a privilege escalation vulnerability in the PAN-OS web management interface that allows administrators to perform actions on the firewall with root privileges. It has a CVSS score of 6.9. The two vulnerabilities can be chained by adversaries to bypass authentication on exposed management interfaces and escalate privileges.

Note: While neither advisory explicitly indicates that the impact of chaining the two vulnerabilities is fully unauthenticated remote code execution as root, it seems likely from the description of the issues and the inclusion of a webshell (payload) in IOCs that adversaries may be able to achieve RCE.

Per the vendor bulletin and Unit42:

  • Risk of exploitation is believed to be limited if access to the management interface was restricted
  • If the firewall management interface was exposed to the internet, PAN advises customers to monitor for suspicious threat activity (e.g., unrecognized configuration changes or users)
  • Prisma Access and Cloud NGFW are not affected (confirmed November 18)

On Saturday, November 16, PAN added a small number of indicators of compromise (IOCs) to their advisory. IOCs include several IP addresses, which PAN noted could represent legitimate user activity from third-party VPNs, and a webshell checksum. The Unit42 threat analysis released on November 18 contains additional IOCs. Please refer to the Unit42 blog for the latest IOCs.

Affected products

The following versions of PAN-OS are vulnerable to CVE-2024-0012, per the vendor advisory. Customers should apply updates as soon as possible, without waiting for a regular patch cycle to occur.

  • < 11.2.4-h1 (update to 11.2.4-h1 or later to mitigate)
  • < 11.1.5-h1 (update to 11.1.5-h1 or later to mitigate)
  • < 11.0.6-h1 (update to 11.0.6-h1 or later to mitigate)
  • < 10.2.12-h2 (update to 10.2.12-h2 or later to mitigate)

PAN-OS 10.1, Prisma Access, and Cloud NGFW are not affected. Note: Additional fixes and guidance are specified in the advisory.

The following versions of PAN-OS are vulnerable to CVE-2024-9474, per the vendor advisory. Customers should apply updates as soon as possible, without waiting for a regular patch cycle to occur.

  • < 11.2.4-h1 (update to 11.2.4-h1 or later to mitigate)
  • < 11.1.5-h1 (update to 11.1.5-h1 or later to mitigate)
  • < 11.0.6-h1 (update to 11.0.6-h1 or later to mitigate)
  • < 10.2.12-h2 (update to 10.2.12-h2 or later to mitigate)
  • < 10.1.14-h6 (update to 10.1.14-h6 or later to mitigate)

Prisma Access and Cloud NGFW are not affected. Note: Additional fixes and guidance are specified in the advisory.
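As an added example (not code from Rapid7 or Palo Alto Networks), the following Python check parses PAN-OS version strings of the form shown above, including the -hN hotfix suffix, and compares each device against the fixed build listed for its own release train, so a firewall inventory can be triaged for both CVEs. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions per PAN-OS release train, as listed in the post above
# (from the vendor advisory). A device is fixed for a CVE when its version is
# at or above the entry for its own major.minor train; trains with no entry
# are not listed as affected for that CVE (e.g. 10.1 for CVE-2024-0012).
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "CVE-2024-0012": {"11.2": "11.2.4-h1", "11.1": "11.1.5-h1",
                      "11.0": "11.0.6-h1", "10.2": "10.2.12-h2"},
    "CVE-2024-9474": {"11.2": "11.2.4-h1", "11.1": "11.1.5-h1",
                      "11.0": "11.0.6-h1", "10.2": "10.2.12-h2",
                      "10.1": "10.1.14-h6"},
}

# PAN-OS versions look like 10.2.12 or 10.2.12-h2 (maintenance + hotfix).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into a comparable tuple; no hotfix = h0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(ver: str, cve: str) -> Optional[bool]:
    """True = below the fixed build, False = fixed, None = train not in the list."""
    v = parse_version(ver)
    fixed = FIXED_VERSIONS[cve].get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return None
    return v < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each host to the CVEs its version is still exposed to."""
    findings: Dict[str, List[str]] = {}
    for host, ver in inventory:
        findings[host] = [cve for cve in FIXED_VERSIONS if is_vulnerable(ver, cve)]
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [("fw-edge-1", "10.2.12-h1"), ("fw-edge-2", "10.1.14-h5"),
              ("fw-dc-1", "11.2.4"), ("fw-dc-2", "11.1.5-h1")]
    for host, cves in triage(sample).items():
        print(f"{host}: {'needs update for ' + ', '.join(cves) if cves else 'fixed'}")
```

A train that returns None (for example a 10.1 device checked against CVE-2024-0012, or a train the page does not list at all) should be confirmed against the vendor advisory rather than treated as safe by default.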

Mitigation guidance

Customers should update to fixed versions of PAN-OS as soon as possible to mitigate the risk of exploitation for CVE-2024-0012 and CVE-2024-9474.

Palo Alto Networks customers should ensure access to the firewall management interface is configured correctly in accordance with PAN’s recommended best practice deployment guidelines — namely, that access is restricted to trusted internal IPs only and the management interface is not exposed or accessible to the internet. More guidance is available here.

The Palo Alto Networks advisory also has directions on identifying internet-facing management interfaces and/or devices that may otherwise require remediation action. Rapid7 strongly recommends reviewing the advisory and configuration guidance in addition to the IOCs PAN released.

We will update this blog with further information as it becomes available, but as always, we encourage Palo Alto Networks customers to refer to the vendor advisory for the latest information.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-0012 and CVE-2024-9474 with vulnerability checks available as of the Monday, November 18 content release.

Indicators of compromise

See the Unit42 analysis for the latest list of IOCs related to this attack.

Update timeline

Saturday, November 16: Updated to note availability of IOCs.

Monday, November 18: Updated with CVEs, affected products, and information for Rapid7 customers.
