Category: Vulnerability

CVE-2025-21333, CVE-2025-21334, CVE-2025-21335

A set of zero-day vulnerabilities have been identified in Microsoft Hyper-V, allowing attackers to escalate privileges and gain SYSTEM-level access. These flaws exist in the NT Kernel Integration Virtualization Service Provider (VSP) and impact multiple Windows Server and Windows desktop environments running Hyper-V.

Why is this critical? These vulnerabilities enable attackers to escape virtual machines (VMs) and execute malicious code on the host system, leading to potential lateral movement across networks. This poses a significant threat to enterprise environments leveraging Hyper-V for virtualization and cloud deployments.

Quick Facts

• Impact: Full system compromise via privilege escalation.

• Severity Level: Critical

• CVSS Score: 9.8

• Affected Systems:

  • Windows Server 2019

  • Windows Server 2022

  • Windows 10 & 11 (if Hyper-V is enabled)

• Exploit Status: Active exploitation suspected; proof-of-concept (PoC) exploits available.

Shield53 Response

Shield53 has taken the following measures to mitigate risks for our customers:

1. IOC Sweeps & Threat Monitoring – Actively scanning for indicators of compromise within monitored environments.

2. Proactive Security Guidance – Issuing custom hardening recommendations for enterprise Hyper-V deployments.

3. Incident Response Readiness – Assisting organizations in identifying and responding to potential exploitation attempts.

Immediate Steps to Protect Your Systems

1. Apply Security Patches Immediately:

   • Microsoft has released patches as part of their January 2025 Patch Tuesday Update. Install them without delay.

2. Restrict Access to Hyper-V Management:

   • Limit access to only authorized administrators.

   • Use role-based access control (RBAC) to reduce exposure.

3. Monitor for Suspicious Activity:

   • Audit Windows Event Logs for unusual privilege escalation attempts.

   • Investigate unauthorized access to Hyper-V settings.

4. Disable Hyper-V if Unused:

   • If Hyper-V is not required, disable the feature to reduce attack surfaces.

5. Implement Network Segmentation:

   • Isolate virtualized workloads to prevent lateral movement in case of exploitation.

Key Takeaways

• Patch Immediately to close known exploitation paths.

• Monitor and Log Activities for unusual system behavior.

• Enforce Strict Access Controls on virtualized environments.

• Consider Disabling Hyper-V if not in use to reduce risk.

References

• Microsoft Security Advisory

• CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 Analysis

• Shield53 Threat Intelligence Reports

Shield53 remains committed to securing your enterprise against emerging threats. For customized mitigation strategies or further assistance, contact our security advisory team.

Shield53 Blog: SAP January 2025 Patch Day Resolves Critical NetWeaver Vulnerabilities

 

Published Date: January 17, 2025
Author: Shield53 Security Team

Overview

On January 2025 Patch Day, SAP released 14 new security notes addressing critical vulnerabilities in its enterprise solutions. Among these are two Hot News vulnerabilities in NetWeaver AS for ABAP and ABAP Platform, each with a CVSS score of 9.9, highlighting their critical nature. These flaws could enable attackers to compromise sensitive credentials and communication channels, posing significant risks to business operations.

As a global leader in cybersecurity, Shield53 urges organizations to take immediate action to apply these critical patches to safeguard their SAP environments.

Key Vulnerabilities Addressed

1. CVE-2025-0070 – Improper Authentication (CVSS 9.9)

   • Description: This vulnerability affects the internal RFC communication between HTTP clients and servers within the same system. An attacker could steal credentials and impersonate an internal caller, enabling unauthorized access.

   • Impact: Compromises confidentiality, integrity, and availability of the affected applications.

2. CVE-2025-0066 – Information Disclosure (CVSS 9.9)

   • Description: Under specific conditions, attackers could read decrypted, plaintext credential information required for system-to-system communication.

   • Impact: Exposes sensitive information, increasing the risk of lateral movement within the environment.

3. CVE-2025-0063 – SQL Injection (CVSS 8.8)

   • Description: This flaw in NetWeaver’s handling of the Informix database could allow attackers to manipulate or exfiltrate data.

4. CVE-2025-0061 and CVE-2025-0060 – High-Severity Vulnerabilities in BusinessObjects BI

   • Description: These flaws enable attackers to exploit weaknesses in the Business Intelligence platform, potentially impacting data integrity.

5. CVE-2025-0069 – DLL Hijacking in SAPSetup

   • Description: This vulnerability could allow unauthorized execution of malicious DLLs in the SAPSetup utility.

Additional medium- and low-severity vulnerabilities were addressed across Business Workflow, NetWeaver, GUI for Windows, and BusinessObjects platforms.

Why These Updates Are Critical

SAP NetWeaver is the backbone of many enterprise systems, including ERP, CRM, and SCM applications. Exploiting these vulnerabilities could allow attackers to:

• Access and manipulate sensitive data.

• Impersonate legitimate users and disrupt workflows.

• Compromise inter-system communication to gain broader control over the environment.

SAP has noted no active exploitation of these vulnerabilities in the wild; however, attackers often target unpatched SAP systems shortly after vulnerabilities are disclosed.

Recommended Actions

To protect your SAP environment, Shield53 advises the following:

1. Apply Patches Immediately

   • Implement the updates provided in SAP’s security notes for all affected systems.

   • Prioritize the patches for CVE-2025-0070 and CVE-2025-0066 due to their critical nature.

2. Restrict System Access

   • Limit external access to SAP systems, particularly those involving inter-system communications.

   • Implement role-based access controls (RBAC) to restrict unauthorized users.

3. Monitor for Indicators of Compromise (IOCs)

   • Enable enhanced logging and monitor system activity for unusual patterns, such as unauthorized credential use or SQL queries.

4. Secure Communication Channels

   • Harden the configurations of RFC communication and enforce encryption for all system-to-system communications.

5. Conduct Security Assessments

   • Perform a full vulnerability assessment of your SAP environment to identify and mitigate other potential risks.

Shield53’s Commitment

At Shield53, we are committed to helping organizations secure their critical business applications. Our team is equipped with the expertise to assist in applying patches, monitoring system health, and mitigating threats related to SAP vulnerabilities.

For more information or assistance in implementing these recommendations, contact the Shield53 Security Team.

Stay secure, stay proactive.
– Shield53 Security Team

References

• SAP Security Notes

• SAP NetWeaver Documentation

• Onapsis Research on SAP Vulnerabilities

• NVD Entry for CVE-2025-0070

Published Date: January 17, 2025

Critical Security Vulnerability Alert

CVE-2025-21298: Microsoft Windows OLE RCE Vulnerability

Overview

A critical Remote Code Execution (RCE) vulnerability has been identified in Microsoft Windows Object Linking and Embedding (OLE), tracked as CVE-2025-21298. The vulnerability has a CVSSv3 score of 9.8, making it critical, and is assessed as “Exploitation More Likely.”

An attacker could leverage this vulnerability by delivering a specially crafted email to the target. If the victim opens the email using a vulnerable version of Microsoft Outlook or previews it via the preview pane, the attacker could execute arbitrary code remotely on the target system.

Impact

• Type: Remote Code Execution

• Severity: Critical

• CVSSv3 Score: 9.8

• CVE ID: CVE-2025-21298

Frequently Asked Questions (FAQ)

1. Why is CVE-2025-21298 considered critical?
Exploitation of this vulnerability is simple and highly impactful. In email-based attack scenarios, an attacker can craft a malicious email designed to exploit OLE vulnerabilities. Upon opening or previewing the email in a vulnerable version of Microsoft Outlook, the victim’s machine may allow the execution of malicious code.

2. Which products are affected?
This vulnerability impacts Microsoft Office versions utilizing the OLE functionality.

3. How likely is exploitation?
Microsoft has classified this vulnerability as “Exploitation More Likely,” emphasizing the urgency of mitigation efforts.

Mitigation Recommendations

To protect your systems, Shield53 recommends the following steps:

1. Apply Microsoft Security Updates

• Microsoft has issued security patches addressing this vulnerability. Apply these updates immediately to reduce the risk of exploitation.

2. Configure Plain Text Email Viewing

• Reading emails in plain text format significantly reduces the risk of triggering malicious OLE objects.

• Note: This configuration might limit the display of rich content (e.g., images and specialized fonts). For guidance, refer to Microsoft’s documentation on plain text emails.

3. Be Cautious with RTF Attachments

• Avoid opening emails containing Rich Text Format (RTF) files or other potentially suspicious content from untrusted sources.

4. Enforce the Principle of Least Privilege (PoLP)

• Limit user permissions to restrict the potential damage in case of a successful exploitation.

References

1. Microsoft Security Response Center (MSRC):

   • Microsoft’s official advisory for CVE-2025-21298.

2. National Vulnerability Database (NVD):

   • CVE-2025-21298 entry.

3. Microsoft Support Documentation:

   • Configuring Outlook to read emails in plain text.

4. CVSS Scoring Details:

   • Common Vulnerability Scoring System (CVSS).

Next Steps

1. Security Teams: Prioritize patch management for all vulnerable systems.

2. End-Users: Stay vigilant about suspicious emails and follow company guidelines for secure email usage.

3. System Administrators: Review and apply additional security configurations as outlined in Microsoft’s advisories.

For further updates and insights, stay connected with Shield53 Security Alerts. Protect. Defend. Respond.

Security Advisory

Published Date: January 15, 2025

Vulnerability Summary

A critical authentication bypass vulnerability (CWE-288) has been identified in Fortinet’s FortiOS and FortiProxy products. This flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.

Affected Products and Versions

• FortiOS: Versions 7.0.0 through 7.0.16

• FortiProxy 7.0: Versions 7.0.0 through 7.0.19

• FortiProxy 7.2: Versions 7.2.0 through 7.2.12

Patched Versions

To address this vulnerability, upgrade to the following versions:

• FortiOS 7.0: Version 7.0.17 or later

• FortiProxy 7.0: Version 7.0.20 or later

• FortiProxy 7.2: Version 7.2.13 or later

Critical Details

• Vulnerability Impact: Attackers exploiting this vulnerability can execute unauthorized code or commands with super-admin privileges.

• Severity: Critical

• CVSS Score: 9.6

• CVE ID: CVE-2024-55591

Key Observations

Unlike targeted attacks with specific objectives, such as ransomware deployment or credential dumping, this vulnerability provides attackers unrestricted access, enabling them to perform a wide range of actions within the compromised environment.

Mitigation Steps

1. Restrict Access to Management Interfaces

   • Disable public access to the firewall’s management interfaces.

   • Limit IP addresses that can access HTTP/HTTPS administration interfaces.

2. Monitor for Indicators of Compromise (IOCs)

   • Investigate any unusual activity on specific ports, such as:

     • TCP Port 8023 (web-based CLI)

     • TCP Port 9980 (used for REST API queries)

     • Other unexpected open ports (e.g., 4433, 59449, 59450)

   • Hunt for suspicious new or modified admin accounts, particularly from activity starting mid-November 2024.

3. Upgrade Firmware

   • Apply the latest patches immediately to affected devices.

4. Enable Syslog Monitoring

   • Ensure that all firewall devices send logs to a centralized syslog server for continuous monitoring and analysis.

5. Review Security Best Practices

   • Avoid exposing management interfaces to the public internet.

   • Regularly review and update your organization’s firmware upgrade policy to address vulnerabilities proactively.

Frequently Asked Questions (FAQ)

Why is this vulnerability critical?
This zero-day flaw provides attackers with unrestricted super-admin access to compromised systems. Observed exploitation methods include creating admin accounts and configuring SSL VPN tunnels, which could lead to extensive system compromise.

Are there specific observed attacks?
Although no definitive attack patterns have been observed, attackers could exploit this vulnerability to execute arbitrary actions within the environment.

References

• NVD – CVE-2024-55591

• FortiGuard Labs – Intrusion Prevention

• Fortinet System Administrator Best Practices

• Zero-Day Vulnerabilities in Fortinet Firewalls – Industry Insights

In November 2024, two critical vulnerabilities—CVE-2024-8068 and CVE-2024-8069—were identified in Citrix’s Session Recording Manager, a component of Citrix Virtual Apps and Desktops. These vulnerabilities could potentially allow attackers to execute arbitrary code or escalate privileges on affected systems.

Understanding the Vulnerabilities

Citrix’s Session Recording Manager is designed to capture and manage recordings of user sessions, including keyboard and mouse inputs, websites visited, and video streams of desktop activity. The identified vulnerabilities stem from improper deserialization processes within this component.

• CVE-2024-8068: This vulnerability allows an authenticated user within the same Windows Active Directory domain as the session recording server to escalate privileges to the NetworkService account.

• CVE-2024-8069: This issue permits a limited form of remote code execution for attackers with administrative-level access on vulnerable systems.

Discrepancies in Exploitation Potential

There has been some debate regarding the exploitation potential of these vulnerabilities. Citrix maintains that exploitation requires prior authentication and specific conditions, limiting the risk to authenticated users within the same domain. However, researchers from watchTowr, who discovered these flaws, argue that the vulnerabilities could be exploited by unauthenticated attackers, suggesting a broader risk.

Affected Versions

The vulnerabilities impact the following versions of Citrix Session Recording:

• Citrix Virtual Apps and Desktops before version 2407 hotfix 24.5.200.8 (Current Release)

• Citrix Virtual Apps and Desktops 1912 LTSR before CU9 hotfix 19.12.9100.6

• Citrix Virtual Apps and Desktops 2203 LTSR before CU5 hotfix 22.03.5100.11

• Citrix Virtual Apps and Desktops 2402 LTSR before CU1 hotfix 24.02.1200.16

Mitigation and Recommendations

Citrix has released patches to address these vulnerabilities and strongly advises affected customers to update their systems promptly. Administrators should review Citrix’s official advisory for detailed guidance on applying the necessary updates.

Given the potential risks, organizations are urged to:

• Apply the recommended patches without delay.

• Review and adjust access controls to ensure that only authorized users have access to the Session Recording Manager.

• Monitor systems for any unusual activity that could indicate exploitation attempts.

By taking these proactive measures, organizations can mitigate the risks associated with CVE-2024-8068 and CVE-2024-8069, ensuring the security and integrity of their systems.

Summary:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities in Palo Alto Networks’ Expedition software, identified as CVE-2024-9463 and CVE-2024-9465. These vulnerabilities, which have been actively exploited, could allow unauthenticated attackers to execute arbitrary OS commands or access sensitive database information. Palo Alto Networks released patches on October 9, 2024, to address these issues. Additionally, the company has acknowledged reports of a new unauthenticated remote command execution vulnerability targeting firewall management interfaces exposed to the internet.

Risks:

Exploitation of these vulnerabilities poses significant risks, including:

• Unauthorized execution of OS commands with root privileges.

• Exposure of sensitive information such as usernames, cleartext passwords, device configurations, and API keys.

• Potential for attackers to create and read arbitrary files on compromised systems.

• Increased risk of unauthorized access and control over network devices, leading to data breaches and system compromises.

Affected Versions:

The specific versions of Expedition software affected by CVE-2024-9463 and CVE-2024-9465 have not been detailed in the available information. However, Palo Alto Networks addressed these vulnerabilities in updates released on October 9, 2024. Users should consult Palo Alto Networks’ official advisories to determine if their versions are impacted.

Remediation:

To mitigate these vulnerabilities, it is recommended to:

• Apply the security updates provided by Palo Alto Networks as of October 9, 2024.

• Review and secure firewall management interfaces to prevent unauthorized internet exposure.

• Regularly monitor systems for unusual activity and implement robust access controls.

• Stay informed about new patches and advisories from Palo Alto Networks to ensure timely updates.

Conclusion:

Organizations utilizing Palo Alto Networks’ Expedition software should promptly apply the latest security patches to protect against these critical vulnerabilities. Given the active exploitation reported by CISA, immediate action is essential to safeguard network infrastructure and sensitive data. Regular system monitoring and adherence to security best practices are crucial in mitigating potential threats.

Reference:

• CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed

In a recent announcement, Microsoft confirmed the exploitation of a zero-day vulnerability in the Windows Task Scheduler, urging immediate attention from system administrators and security teams. The vulnerability, identified as CVE-2024-49039, is classified as a privilege escalation bug, posing significant risks to users who are unaware of its potential impact.

The Vulnerability Details

This flaw allows attackers to escalate privileges from low-level applications within an isolated environment, known as an AppContainer, to execute code with higher privileges. By exploiting this vulnerability, attackers can bypass security restrictions, executing RPC functions that are typically restricted to privileged accounts. This could potentially lead to unauthorized access to critical system resources.

The vulnerability was discovered by Google’s Threat Analysis Group (TAG) and is considered a significant threat due to its potential use in advanced, targeted attacks. However, Microsoft has not yet provided specific indicators of compromise (IOCs) or detailed telemetry data to help defenders detect exploitation in the wild.

Implications and Risk

Given its high CVSS score of 8.8, this flaw presents substantial risks. The exploit is especially concerning because it could enable attackers to perform operations that should only be allowed for system administrators. If left unpatched, the vulnerability could lead to severe system compromise, making it crucial for organizations to apply Microsoft’s Patch Tuesday updates promptly.

Patch Tuesday Updates

Microsoft’s Patch Tuesday, which occurred on November 12, 2024, addressed this vulnerability along with 90 other security flaws across the Windows ecosystem. While the Task Scheduler flaw is one of the most critical, additional vulnerabilities in other areas, such as .NET, Visual Studio, and Windows Kerberos, also pose remote code execution risks and should be patched immediately.

Steps to Protect Your Systems

To mitigate risks associated with this vulnerability, organizations should:

1. Apply the latest security updates provided by Microsoft without delay.

2. Monitor systems for signs of exploitation using updated threat detection tools.

3. Educate staff to avoid opening untrusted files or engaging with suspicious links that could trigger further exploits.

With cybersecurity threats continuing to evolve, staying proactive with patch management is essential to securing systems against these types of attacks.

For more details on this and other critical vulnerabilities, follow the official Microsoft security updates.