Author: chris.stewart

Overview

A recently disclosed zero-day vulnerability (ZDI-CAN-25373) in Microsoft Windows has been actively exploited by multiple state-sponsored threat actors since 2017. The vulnerability involves malicious Windows Shortcut (.LNK) files, allowing attackers to execute hidden commands, gain elevated privileges, and compromise systems without user awareness.

Despite widespread exploitation, Microsoft has no plans to release an official patch, categorizing the issue as low severity. Given the ongoing threats, Shield53 strongly advises organizations to implement immediate security controls to mitigate potential risks.

Vulnerability Details

• CVE Identifier: ZDI-CAN-25373

• Impact: Remote execution of malicious commands

• Attack Vector: Windows Shortcut (.LNK) files

• Affected Systems: All supported versions of Windows

• Exploit Status: Actively exploited by multiple state-sponsored APT groups

• Microsoft Response: No official patch planned; security mitigations recommended

This vulnerability enables malicious .LNK files to execute hidden commands when accessed by a user, facilitating the deployment of malware, credential theft, and persistent access within compromised systems.

Threat Actors and Exploitation

Security researchers have identified nearly 1,000 malicious .LNK file samples actively used in cyber operations, with at least 11 advanced persistent threat (APT) groups leveraging this exploit. Key actors include:

• Evil Corp (Water Asena) – Russian cybercriminal group linked to financial theft and ransomware deployment.

• Kimsuky (Earth Kumiho) – North Korean cyber espionage group targeting South Korea.

• ScarCruft (Earth Manticore) – North Korean hacking team conducting intelligence-gathering operations.

• Bitter (Earth Anansi) – South Asian cyber espionage group focused on high-value targets.

The primary targets of these attacks include government agencies, financial institutions, defense contractors, and telecommunications providers across the United States, Canada, South Korea, Vietnam, and Brazil.

Implications for Organizations

Without an official patch from Microsoft, this vulnerability remains a significant risk, particularly for organizations in highly targeted sectors. If exploited, organizations could face:

• Unauthorized system access and persistence by advanced adversaries.

• Exfiltration of sensitive data including financial records and proprietary information.

• Deployment of sophisticated malware to facilitate further exploitation.

Given its low detection rate and stealthy execution method, ZDI-CAN-25373 poses a long-term threat to businesses that do not implement proper mitigations.

Recommended Mitigation Strategies

Since Microsoft has not released an official patch, Shield53 recommends implementing the following security controls immediately:

1. Restrict Execution of .LNK Files

• Block execution of untrusted .LNK files received via email, external devices, or network shares.

• Configure Group Policy to restrict the execution of shortcut files in unapproved directories.

2. Enhance Endpoint Security

• Deploy behavior-based Endpoint Detection and Response (EDR) solutions to detect abnormal shortcut file executions.

• Regularly update antivirus and threat intelligence feeds to identify and block malicious .LNK-based payloads.

3. Strengthen Network Protections

• Monitor for suspicious command execution activities, particularly those initiated by explorer.exe processes.

• Implement network segmentation and access controls to limit lateral movement if an attacker gains access.

4. Implement Security Awareness Training

• Educate employees on the risks associated with opening shortcut files from untrusted sources.

• Train users to recognize social engineering attempts that could distribute malicious .LNK files.

5. Regular Security Audits and Threat Hunting

• Conduct proactive threat hunting to identify potential exploit attempts within the network.

• Review security logs and track unauthorized access patterns indicative of this attack.

Conclusion

The active exploitation of ZDI-CAN-25373 highlights the continued risks posed by unpatched Windows vulnerabilities. Without an official patch from Microsoft, organizations must proactively strengthen their security posture by implementing robust detection and mitigation strategies.

Shield53 recommends that businesses immediately assess their exposure and deploy preventive controls to mitigate this threat. Organizations requiring further assistance in securing their Windows environments can contact Shield53 for expert guidance.

🔒 Stay Secure. Stay Vigilant.
– Shield53 Security Team

References

• The Hacker News

• Microsoft Security Advisory

• Threat Intelligence Reports on ZDI-CAN-25373

CVE-2025-21333, CVE-2025-21334, CVE-2025-21335

A set of zero-day vulnerabilities have been identified in Microsoft Hyper-V, allowing attackers to escalate privileges and gain SYSTEM-level access. These flaws exist in the NT Kernel Integration Virtualization Service Provider (VSP) and impact multiple Windows Server and Windows desktop environments running Hyper-V.

Why is this critical? These vulnerabilities enable attackers to escape virtual machines (VMs) and execute malicious code on the host system, leading to potential lateral movement across networks. This poses a significant threat to enterprise environments leveraging Hyper-V for virtualization and cloud deployments.

Quick Facts

• Impact: Full system compromise via privilege escalation.

• Severity Level: Critical

• CVSS Score: 9.8

• Affected Systems:

  • Windows Server 2019

  • Windows Server 2022

  • Windows 10 & 11 (if Hyper-V is enabled)

• Exploit Status: Active exploitation suspected; proof-of-concept (PoC) exploits available.

Shield53 Response

Shield53 has taken the following measures to mitigate risks for our customers:

1. IOC Sweeps & Threat Monitoring – Actively scanning for indicators of compromise within monitored environments.

2. Proactive Security Guidance – Issuing custom hardening recommendations for enterprise Hyper-V deployments.

3. Incident Response Readiness – Assisting organizations in identifying and responding to potential exploitation attempts.

Immediate Steps to Protect Your Systems

1. Apply Security Patches Immediately:

   • Microsoft has released patches as part of their January 2025 Patch Tuesday Update. Install them without delay.

2. Restrict Access to Hyper-V Management:

   • Limit access to only authorized administrators.

   • Use role-based access control (RBAC) to reduce exposure.

3. Monitor for Suspicious Activity:

   • Audit Windows Event Logs for unusual privilege escalation attempts.

   • Investigate unauthorized access to Hyper-V settings.

4. Disable Hyper-V if Unused:

   • If Hyper-V is not required, disable the feature to reduce attack surfaces.

5. Implement Network Segmentation:

   • Isolate virtualized workloads to prevent lateral movement in case of exploitation.

Key Takeaways

• Patch Immediately to close known exploitation paths.

• Monitor and Log Activities for unusual system behavior.

• Enforce Strict Access Controls on virtualized environments.

• Consider Disabling Hyper-V if not in use to reduce risk.

References

• Microsoft Security Advisory

• CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 Analysis

• Shield53 Threat Intelligence Reports

Shield53 remains committed to securing your enterprise against emerging threats. For customized mitigation strategies or further assistance, contact our security advisory team.

Shield53 Blog: SAP January 2025 Patch Day Resolves Critical NetWeaver Vulnerabilities

 

Published Date: January 17, 2025
Author: Shield53 Security Team

Overview

On January 2025 Patch Day, SAP released 14 new security notes addressing critical vulnerabilities in its enterprise solutions. Among these are two Hot News vulnerabilities in NetWeaver AS for ABAP and ABAP Platform, each with a CVSS score of 9.9, highlighting their critical nature. These flaws could enable attackers to compromise sensitive credentials and communication channels, posing significant risks to business operations.

As a global leader in cybersecurity, Shield53 urges organizations to take immediate action to apply these critical patches to safeguard their SAP environments.

Key Vulnerabilities Addressed

1. CVE-2025-0070 – Improper Authentication (CVSS 9.9)

   • Description: This vulnerability affects the internal RFC communication between HTTP clients and servers within the same system. An attacker could steal credentials and impersonate an internal caller, enabling unauthorized access.

   • Impact: Compromises confidentiality, integrity, and availability of the affected applications.

2. CVE-2025-0066 – Information Disclosure (CVSS 9.9)

   • Description: Under specific conditions, attackers could read decrypted, plaintext credential information required for system-to-system communication.

   • Impact: Exposes sensitive information, increasing the risk of lateral movement within the environment.

3. CVE-2025-0063 – SQL Injection (CVSS 8.8)

   • Description: This flaw in NetWeaver’s handling of the Informix database could allow attackers to manipulate or exfiltrate data.

4. CVE-2025-0061 and CVE-2025-0060 – High-Severity Vulnerabilities in BusinessObjects BI

   • Description: These flaws enable attackers to exploit weaknesses in the Business Intelligence platform, potentially impacting data integrity.

5. CVE-2025-0069 – DLL Hijacking in SAPSetup

   • Description: This vulnerability could allow unauthorized execution of malicious DLLs in the SAPSetup utility.

Additional medium- and low-severity vulnerabilities were addressed across Business Workflow, NetWeaver, GUI for Windows, and BusinessObjects platforms.

Why These Updates Are Critical

SAP NetWeaver is the backbone of many enterprise systems, including ERP, CRM, and SCM applications. Exploiting these vulnerabilities could allow attackers to:

• Access and manipulate sensitive data.

• Impersonate legitimate users and disrupt workflows.

• Compromise inter-system communication to gain broader control over the environment.

SAP has noted no active exploitation of these vulnerabilities in the wild; however, attackers often target unpatched SAP systems shortly after vulnerabilities are disclosed.

Recommended Actions

To protect your SAP environment, Shield53 advises the following:

1. Apply Patches Immediately

   • Implement the updates provided in SAP’s security notes for all affected systems.

   • Prioritize the patches for CVE-2025-0070 and CVE-2025-0066 due to their critical nature.

2. Restrict System Access

   • Limit external access to SAP systems, particularly those involving inter-system communications.

   • Implement role-based access controls (RBAC) to restrict unauthorized users.

3. Monitor for Indicators of Compromise (IOCs)

   • Enable enhanced logging and monitor system activity for unusual patterns, such as unauthorized credential use or SQL queries.

4. Secure Communication Channels

   • Harden the configurations of RFC communication and enforce encryption for all system-to-system communications.

5. Conduct Security Assessments

   • Perform a full vulnerability assessment of your SAP environment to identify and mitigate other potential risks.

Shield53’s Commitment

At Shield53, we are committed to helping organizations secure their critical business applications. Our team is equipped with the expertise to assist in applying patches, monitoring system health, and mitigating threats related to SAP vulnerabilities.

For more information or assistance in implementing these recommendations, contact the Shield53 Security Team.

Stay secure, stay proactive.
– Shield53 Security Team

References

• SAP Security Notes

• SAP NetWeaver Documentation

• Onapsis Research on SAP Vulnerabilities

• NVD Entry for CVE-2025-0070

Published Date: January 17, 2025

Critical Security Vulnerability Alert

CVE-2025-21298: Microsoft Windows OLE RCE Vulnerability

Overview

A critical Remote Code Execution (RCE) vulnerability has been identified in Microsoft Windows Object Linking and Embedding (OLE), tracked as CVE-2025-21298. The vulnerability has a CVSSv3 score of 9.8, making it critical, and is assessed as “Exploitation More Likely.”

An attacker could leverage this vulnerability by delivering a specially crafted email to the target. If the victim opens the email using a vulnerable version of Microsoft Outlook or previews it via the preview pane, the attacker could execute arbitrary code remotely on the target system.

Impact

• Type: Remote Code Execution

• Severity: Critical

• CVSSv3 Score: 9.8

• CVE ID: CVE-2025-21298

Frequently Asked Questions (FAQ)

1. Why is CVE-2025-21298 considered critical?
Exploitation of this vulnerability is simple and highly impactful. In email-based attack scenarios, an attacker can craft a malicious email designed to exploit OLE vulnerabilities. Upon opening or previewing the email in a vulnerable version of Microsoft Outlook, the victim’s machine may allow the execution of malicious code.

2. Which products are affected?
This vulnerability impacts Microsoft Office versions utilizing the OLE functionality.

3. How likely is exploitation?
Microsoft has classified this vulnerability as “Exploitation More Likely,” emphasizing the urgency of mitigation efforts.

Mitigation Recommendations

To protect your systems, Shield53 recommends the following steps:

1. Apply Microsoft Security Updates

• Microsoft has issued security patches addressing this vulnerability. Apply these updates immediately to reduce the risk of exploitation.

2. Configure Plain Text Email Viewing

• Reading emails in plain text format significantly reduces the risk of triggering malicious OLE objects.

• Note: This configuration might limit the display of rich content (e.g., images and specialized fonts). For guidance, refer to Microsoft’s documentation on plain text emails.

3. Be Cautious with RTF Attachments

• Avoid opening emails containing Rich Text Format (RTF) files or other potentially suspicious content from untrusted sources.

4. Enforce the Principle of Least Privilege (PoLP)

• Limit user permissions to restrict the potential damage in case of a successful exploitation.

References

1. Microsoft Security Response Center (MSRC):

   • Microsoft’s official advisory for CVE-2025-21298.

2. National Vulnerability Database (NVD):

   • CVE-2025-21298 entry.

3. Microsoft Support Documentation:

   • Configuring Outlook to read emails in plain text.

4. CVSS Scoring Details:

   • Common Vulnerability Scoring System (CVSS).

Next Steps

1. Security Teams: Prioritize patch management for all vulnerable systems.

2. End-Users: Stay vigilant about suspicious emails and follow company guidelines for secure email usage.

3. System Administrators: Review and apply additional security configurations as outlined in Microsoft’s advisories.

For further updates and insights, stay connected with Shield53 Security Alerts. Protect. Defend. Respond.

Security Advisory

Published Date: January 15, 2025

Vulnerability Summary

A critical authentication bypass vulnerability (CWE-288) has been identified in Fortinet’s FortiOS and FortiProxy products. This flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.

Affected Products and Versions

• FortiOS: Versions 7.0.0 through 7.0.16

• FortiProxy 7.0: Versions 7.0.0 through 7.0.19

• FortiProxy 7.2: Versions 7.2.0 through 7.2.12

Patched Versions

To address this vulnerability, upgrade to the following versions:

• FortiOS 7.0: Version 7.0.17 or later

• FortiProxy 7.0: Version 7.0.20 or later

• FortiProxy 7.2: Version 7.2.13 or later

Critical Details

• Vulnerability Impact: Attackers exploiting this vulnerability can execute unauthorized code or commands with super-admin privileges.

• Severity: Critical

• CVSS Score: 9.6

• CVE ID: CVE-2024-55591

Key Observations

Unlike targeted attacks with specific objectives, such as ransomware deployment or credential dumping, this vulnerability provides attackers unrestricted access, enabling them to perform a wide range of actions within the compromised environment.

Mitigation Steps

1. Restrict Access to Management Interfaces

   • Disable public access to the firewall’s management interfaces.

   • Limit IP addresses that can access HTTP/HTTPS administration interfaces.

2. Monitor for Indicators of Compromise (IOCs)

   • Investigate any unusual activity on specific ports, such as:

     • TCP Port 8023 (web-based CLI)

     • TCP Port 9980 (used for REST API queries)

     • Other unexpected open ports (e.g., 4433, 59449, 59450)

   • Hunt for suspicious new or modified admin accounts, particularly from activity starting mid-November 2024.

3. Upgrade Firmware

   • Apply the latest patches immediately to affected devices.

4. Enable Syslog Monitoring

   • Ensure that all firewall devices send logs to a centralized syslog server for continuous monitoring and analysis.

5. Review Security Best Practices

   • Avoid exposing management interfaces to the public internet.

   • Regularly review and update your organization’s firmware upgrade policy to address vulnerabilities proactively.

Frequently Asked Questions (FAQ)

Why is this vulnerability critical?
This zero-day flaw provides attackers with unrestricted super-admin access to compromised systems. Observed exploitation methods include creating admin accounts and configuring SSL VPN tunnels, which could lead to extensive system compromise.

Are there specific observed attacks?
Although no definitive attack patterns have been observed, attackers could exploit this vulnerability to execute arbitrary actions within the environment.

References

• NVD – CVE-2024-55591

• FortiGuard Labs – Intrusion Prevention

• Fortinet System Administrator Best Practices

• Zero-Day Vulnerabilities in Fortinet Firewalls – Industry Insights