Cyber Exposure Alerts

Cyber Exposure Alerts From Tenable

  • Frequently Asked Questions About DeepSeek Large Language Model (LLM)
    by Satnam Narang, Nick Miles on February 13, 2025 at 9:30 am

    The open-source LLM known as DeepSeek has attracted much attention in recent weeks with the release of DeepSeek V3 and DeepSeek R1. In this blog, the Tenable Security Response Team answers some of the frequently asked questions (FAQ) about it.

    Background

    The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding DeepSeek.

    FAQ

    What is DeepSeek?

    DeepSeek typically refers to the large language model (LLM) produced by a Chinese company named DeepSeek, founded in 2023 by Liang Wenfeng.

    What is a large language model?

    A large language model, or LLM, is a machine-learning model that has been pre-trained on a large corpus of data, which enables it to respond to user inputs with natural, human-like responses.

    Why is there so much interest in the DeepSeek LLM?

    In January 2025, DeepSeek published two new LLMs: DeepSeek V3 and DeepSeek R1. The interest surrounding these models is two-fold: first, they are open-source, meaning anyone can download and run these LLMs on their local machines, and second, they were reportedly trained using less-powerful hardware, which was seen as a breakthrough in this space because it showed that such models could be developed at a lower cost.

    What are the differences between DeepSeek V3 and DeepSeek R1?

    DeepSeek V3 is an LLM that employs a technique called mixture-of-experts (MoE), which requires less compute power because it only loads the “experts” required to respond to a prompt. It also implements a new technique called multi-head latent attention (MLA), which significantly reduces memory usage and its associated performance cost during training and inference (the process of generating a response from user input).

    In addition to MoE and MLA, DeepSeek R1 implements a multi-token prediction (MTP) architecture first introduced by Meta. Instead of predicting only the next word each time the model is executed, DeepSeek R1 predicts the next two tokens in parallel.

    DeepSeek R1 is an advanced LLM that utilizes reasoning, including chain-of-thought (CoT), which reveals to the end user how it arrives at its response to each prompt. According to DeepSeek, the performance of its R1 model “rivals” OpenAI’s o1 model.

    [Figure: Example of DeepSeek’s chain-of-thought (CoT) reasoning model]

    What are the minimum requirements to run a DeepSeek model locally?

    It depends. DeepSeek R1 has 671 billion parameters and requires multiple expensive high-end GPUs to run. There are distilled versions of the model starting at 1.5 billion parameters and going all the way up to 70 billion parameters. These distilled models are able to run on consumer-grade hardware. Here is the size on disk for each model:

    DeepSeek R1 model | Size on disk
    1.5b  | 1.1 GB
    7b    | 4.4 GB
    8b    | 4.9 GB
    14b   | 9.0 GB
    32b   | 22 GB
    70b   | 43 GB
    671b  | 404 GB

    Therefore, the fewer the parameters, the fewer resources are required, and the more parameters, the more resources are required. The number of parameters also influences how the model will respond to prompts from the user. Most modern computers, including laptops with 8 to 16 gigabytes of RAM, are capable of running distilled LLMs with 7 billion or 8 billion parameters.

    What makes DeepSeek different from other LLMs?

    Benchmark testing conducted by DeepSeek showed that its DeepSeek R1 model was on par with many of the existing models from OpenAI, Claude and Meta at the time of its release. Additionally, many of the companies in this space have not open-sourced their frontier LLMs, which gives DeepSeek a unique advantage.

    Finally, its CoT approach is verbose, revealing more of the nuances involved in how LLMs respond to prompts compared to other reasoning models. The latest models from OpenAI (o3) and Google (Gemini 2.0 Flash Thinking) reveal additional reasoning to the end user, though in a less verbose fashion.

    What is a frontier model?

    A frontier model refers to the most advanced LLMs available, which include complex reasoning and problem-solving capabilities. Currently, OpenAI’s o1 and o3 models along with DeepSeek R1 are the only frontier models available.

    DeepSeek was created by a Chinese company. Is it safe to use?

    It depends. Deploying the open-source version of DeepSeek on a system is likely safer than using DeepSeek’s website or mobile applications, since it doesn’t require a connection to the internet to function. However, there are genuine privacy and security concerns about using DeepSeek, specifically through its website and its mobile applications available on iOS and Android.

    What are the concerns surrounding using DeepSeek’s website and mobile applications?

    DeepSeek’s data collection disclosure is outlined in its privacy policy, which specifies the types of data collected when using its website or mobile applications. It’s important to note that data is stored on secure servers in the People’s Republic of China, although the retention terms are unclear. Since DeepSeek operates in China, its terms of service are subject to Chinese law, meaning that consumer privacy protections, such as the EU’s GDPR and similar global regulations, do not apply. If you choose to download DeepSeek models and run them locally, you face a lower risk regarding data privacy.

    Has DeepSeek been banned anywhere or is it being reviewed for a potential ban?

    As of February 13, several countries have banned or are investigating DeepSeek for a potential ban, including Italy, Taiwan, South Korea and Australia. Several U.S. states, including Texas, New York and Virginia, have banned DeepSeek from government devices, as have several entities of the U.S. federal government, including the U.S. Department of Defense, the U.S. Navy and the U.S. Congress. This list is likely to continue to grow in the coming weeks and months.

    Is Tenable looking into safety and security concerns surrounding LLMs like DeepSeek?

    Yes, Tenable Research is actively researching LLMs, including DeepSeek, and will be sharing more of our findings in future publications on the Tenable blog.

    Get more information

    • DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning

    Join Tenable’s Security Response Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)
    by Tenable Security Response Team on February 11, 2025 at 1:44 pm

    3 Critical | 52 Important | 0 Moderate | 0 Low

    Microsoft addresses 55 CVEs with three rated critical and four zero-day vulnerabilities, including two that were exploited in the wild.

    Microsoft patched 55 CVEs in its February 2025 Patch Tuesday release, with three rated critical and 52 rated as important. Our counts omitted one vulnerability reported by HackerOne.

    This month’s update includes patches for:

    • Active Directory Domain Services
    • Azure Active Directory
    • Azure Firmware
    • Azure Network Watcher
    • Microsoft AutoUpdate (MAU)
    • Microsoft Digest Authentication
    • Microsoft High Performance Compute Pack (HPC) Linux Node Agent
    • Microsoft Office
    • Microsoft Office Excel
    • Microsoft Office SharePoint
    • Microsoft PC Manager
    • Microsoft Streaming Service
    • Microsoft Surface
    • Microsoft Windows
    • Outlook for Android
    • Visual Studio
    • Visual Studio Code
    • Windows Ancillary Function Driver for WinSock
    • Windows CoreMessaging
    • Windows DHCP Client
    • Windows DHCP Server
    • Windows DWM Core Library
    • Windows Disk Cleanup Tool
    • Windows Installer
    • Windows Internet Connection Sharing (ICS)
    • Windows Kerberos
    • Windows Kernel
    • Windows LDAP – Lightweight Directory Access Protocol
    • Windows Message Queuing
    • Windows NTLM
    • Windows Remote Desktop Services
    • Windows Resilient File System (ReFS) Deduplication Service
    • Windows Routing and Remote Access Service (RRAS)
    • Windows Setup Files Cleanup
    • Windows Storage
    • Windows Telephony Server
    • Windows Telephony Service
    • Windows Update Stack
    • Windows Win32 Kernel Subsystem

    Remote code execution (RCE) vulnerabilities accounted for 38.2% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 34.5%.

    CVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (Important)

    CVE-2025-21418 is an EoP vulnerability in the Ancillary Function Driver for WinSock for Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM level privileges.

    Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

    Since 2022, there have been nine Ancillary Function Driver for WinSock EoP vulnerabilities patched across Patch Tuesday releases: three in 2022, three in 2023 and three in 2024, including one that was exploited in the wild as a zero-day (CVE-2024-38193) by the North Korean APT known as the Lazarus Group to implant the FudModule rootkit.

    CVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability (Important)

    CVE-2025-21391 is an EoP vulnerability in Windows Storage. It was assigned a CVSSv3 score of 7.1 and is rated important. A local, authenticated attacker could exploit this vulnerability to delete files from a system. According to Microsoft, this vulnerability does not disclose confidential information to an attacker; rather, it only provides them with the capability to delete data, which may include data whose loss could result in service disruption.

    Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

    Since 2022, there have been seven Windows Storage EoP vulnerabilities patched across Patch Tuesday releases: two in 2022, one in 2023 and four in 2024. However, this is the first Windows Storage EoP vulnerability exploited in the wild.

    CVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability (Important)

    CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface. This vulnerability was assigned a CVSSv3 score of 7.1 and was publicly disclosed prior to a patch being available from Microsoft. According to the advisory, exploitation requires multiple steps, including an attacker successfully gaining access to the same network as the device. Additionally, exploitation requires the attacker to convince the user to reboot their device. With multiple requirements for exploitation, this flaw was assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.

    CVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability (Important)

    CVE-2025-21377 is a New Technology LAN Manager (NTLM) hash disclosure spoofing vulnerability that was publicly disclosed prior to a patch being made available. Despite the medium severity CVSSv3 score of 6.5, Microsoft assesses this vulnerability as “Exploitation More Likely.” Successful exploitation requires an attacker to convince a user to interact with a malicious file, such as inspecting the file or “performing an action other than opening or executing the file.” Exploitation would allow an attacker to obtain a user’s NTLMv2 hash, which could then be used to authenticate as that user.

    Microsoft’s advisory also notes that users who only install “Security Only” updates will also need to install Internet Explorer (IE) Cumulative updates in order to be fully protected against this vulnerability.

    CVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (Critical)

    CVE-2025-21376 is a critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP). This vulnerability was assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely” according to Microsoft. Successful exploitation requires winning a race condition via a specially crafted request in order to trigger a buffer overflow. If successful, the attacker could achieve RCE on an affected host.

    This is the first LDAP RCE in 2025; three were patched in the December 2024 Patch Tuesday release, each of which was also rated critical.

    CVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability (Important)

    CVE-2025-21400 is an RCE vulnerability affecting Microsoft SharePoint Server. This vulnerability was assigned a CVSSv3 score of 8.0 and rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. Exploitation requires an attacker to coerce the victim machine to first connect to a malicious server. This vulnerability was credited to cjm00n of Cyber Kunlun Lab and Zhiniang Peng.

    CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability (Important)

    CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

    According to Microsoft, exploitation of CVE-2025-21184 and CVE-2025-21414 requires an attacker to gather information about the target as well as take additional measures to prepare the target for exploitation. Despite the differing requirements for exploitation, Microsoft assesses all three of these vulnerabilities as “Exploitation More Likely.”

    Tenable Solutions

    A list of all the plugins released for Microsoft’s February 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

    • Microsoft’s February 2025 Security Updates
    • Tenable plugins for Microsoft February 2025 Patch Tuesday Security Updates

    Join Tenable’s Security Response Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited
    by Scott Caveza, Satnam Narang on January 23, 2025 at 12:54 pm

    A zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 1000 was reportedly exploited in the wild, according to researchers.

    Update January 23: The Analysis and Identifying affected systems sections have been updated to include confirmation of exploitation from SonicWall and how to identify assets using Tenable Attack Surface Management. View Change Log.

    Background

    On January 22, SonicWall published a security advisory (SNWLID-2025-0002) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution.

    CVE | Description | CVSSv3
    CVE-2025-23006 | SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability | 9.8

    Analysis

    CVE-2025-23006 is a deserialization of untrusted data vulnerability in the appliance management console (AMC) and central management console (CMC) of the SonicWall SMA 1000. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable device. Successful exploitation would grant the attacker arbitrary command execution on the device. The advisory specifies that “specific conditions” could allow for OS command execution, though it’s unclear from the information provided by SonicWall what those conditions might be.

    Possible active exploitation in the wild

    According to SonicWall’s Product Security Incident Response Team (PSIRT), there are reports of “possible active exploitation” of this flaw “by threat actors.” While specific details are not known at this time, the vulnerability was reported to SonicWall by researchers at the Microsoft Threat Intelligence Center (MSTIC).

    In a knowledge base article, SonicWall explicitly said that CVE-2025-23006 “has been confirmed as being actively exploited in the wild” and that the vulnerability should “be treated with the utmost severity.”

    Historical exploitation of SonicWall SMA vulnerabilities

    SonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups and has also featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and international agencies. The following is a list of known SMA vulnerabilities that have been exploited in the wild:

    CVE | Description | Tenable Blog Links | Year
    CVE-2019-7481 | SonicWall SMA100 SQL Injection Vulnerability | 1 | 2019
    CVE-2019-7483 | SonicWall SMA100 Directory Traversal Vulnerability | - | 2019
    CVE-2021-20016 | SonicWall SSLVPN SMA100 SQL Injection Vulnerability | 1, 2, 3, 4, 5 | 2021
    CVE-2021-20038 | SonicWall SMA100 Stack-based Buffer Overflow Vulnerability | 1, 2, 3 | 2021

    Proof of concept

    At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-23006. If and when a public PoC exploit becomes available for CVE-2025-23006, we anticipate that a variety of attackers will attempt to leverage this flaw as part of their attacks.

    Solution

    SonicWall has released version 12.4.3-02854 to address this vulnerability, which impacts version 12.4.3-02804 and earlier. According to SonicWall, SMA 100 series and SonicWall Firewall devices are not impacted.

    The advisory also provides a workaround to reduce potential impact, which involves restricting access to the AMC and CMC to trusted sources. The advisory also recommends reviewing the best practices guide on securing SonicWall appliances.

    Identifying affected systems

    A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-23006 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Tenable Attack Surface Management customers are able to identify these assets using a filtered search for SMA devices.

    Get more information

    • SonicWall SNWLID-2025-0002 Security Advisory
    • Product Notice: Urgent Security Notification – SMA 1000 (CVE-2025-23006)

    Change Log

    Update January 23: The Analysis and Identifying affected systems sections have been updated to include confirmation of exploitation from SonicWall and how to identify assets using Tenable Attack Surface Management.

    Join Tenable’s Security Response Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
    by Scott Caveza on January 23, 2025 at 9:00 am

    Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high-profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.

    Background

    Throughout 2024, attacks from sophisticated advanced persistent threat (APT) actors associated with the People’s Republic of China (PRC) were a major focus for U.S. government organizations, including the Cybersecurity and Infrastructure Security Agency (CISA). In a previous blog post, we examined Volt Typhoon, a PRC state-sponsored actor known to target critical infrastructure. However, in September, the Wall Street Journal reported on another PRC actor, Salt Typhoon, citing anonymous sources who said that the group had breached multiple U.S. telecommunications providers. While several outlets reported on the speculation surrounding that report, in early October CISA and the Federal Bureau of Investigation (FBI) offered official confirmation of the attacks when they released a joint statement that “the U.S. Government is investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” By December, a White House press call confirmed that at least eight U.S. telecommunications providers had been breached, with that figure increasing to at least nine telecommunications companies by December 27. As new details emerge on Salt Typhoon and its targets, this Tenable Research blog examines the tactics, techniques and procedures (TTPs) employed, including the exploitation of known vulnerabilities associated with this threat actor.

    Analysis

    Salt Typhoon is a sophisticated threat group whose targets include the telecommunications, government and technology sectors. The group is tracked under several monikers, including FamousSparrow, GhostEmperor, Earth Estries and UNC2286. This APT has most recently been in the news for breaching multiple U.S. telecommunications providers; however, it’s believed that its targets in this sector span the globe. In the U.S., government officials claimed that Salt Typhoon’s targets include government officials primarily involved in “political activity,” prompting CISA and its joint partners to release guidance on visibility and security hardening of communications infrastructure, and prompting the White House to issue the Executive Order titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” Based on various reports on Salt Typhoon, its primary objective appears to be espionage.

    In mid-December, CISA released the document “Mobile Communications Best Practice Guidance,” with an emphasis on using end-to-end encryption for secure communications. While it’s unclear what information may have been accessed by Salt Typhoon, CISA and other government agencies, including the Federal Communications Commission (FCC), have been actively helping and providing security guidance to the impacted organizations, as communications infrastructure is a matter of national security.

    Known CVEs commonly exploited by Salt Typhoon

    Salt Typhoon typically gains initial access to its victim networks by targeting external-facing assets using known vulnerabilities. While not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Salt Typhoon.

    CVE | Description | CVSSv3 Score | VPR*
    CVE-2021-26855 | Microsoft Exchange Server Server-Side Request Forgery Vulnerability (ProxyLogon) | 9.8 | 9.8
    CVE-2022-3236 | Sophos Firewall Code Injection Vulnerability | 9.8 | 7.4
    CVE-2023-48788 | FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability | 9.8 | 9.4
    CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 9.8
    CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability | 8.2 | 6.7

    *Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on January 23 and reflects VPR at that time.

    Several of these vulnerabilities have been routinely exploited by APT and ransomware groups alike, including CVE-2021-26855, also known as ProxyLogon, and related Microsoft Exchange vulnerabilities including CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Ivanti Connect Secure/Policy Secure and Fortinet FortiClientEMS have each been the subject of Tenable Research blog posts, and CVE-2022-3236, the SQL injection flaw in Sophos Firewall, was featured in our “2022 Threat Landscape Report.”

    Of these five CVEs, four were exploited in the wild as zero-day vulnerabilities. While it’s unknown whether Salt Typhoon exploited any of these flaws as zero-days, the group’s level of sophistication does suggest it has the technical ability to develop and exploit zero-day flaws in its attacks.

    Despite patches having been available for these CVEs, an analysis of anonymized Tenable scan data reveals that of nearly 30,000 instances impacted by ProxyLogon, a staggering 91% remain unpatched. In stark contrast, an analysis of over 20,000 devices impacted by both Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887) found that these devices were fully remediated in over 92% of cases.

    As part of CISA’s guidance for enhanced visibility and hardening, the agency mentioned Cisco network equipment. While CISA didn’t mention specific Cisco device models or vulnerabilities, its guidance does note that PRC-affiliated actors have targeted Cisco-specific devices, and as such, care should be taken to ensure that organizations in the communications sector and beyond are properly securing and hardening their Cisco network devices. CISA’s recommendations include disabling Cisco’s Smart Install service, which is often abused by attackers and should be properly configured or disabled to prevent abuse.

    Post-Compromise Activity

    Salt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a significant period of time. It maintains persistence by utilizing custom malware, including GhostSpider, SnappyBee and the Masol remote access trojan (RAT).

    It’s been reported that the group has been active for several years and may have breached and maintained access at telecommunications providers for months before being detected. In a recent blog, outgoing CISA Director Jen Easterly revealed that “CISA threat hunters previously detected the same actors in U.S. government networks.”

    The “eyes” of the various “Typhoons”

    Each suspected state-sponsored PRC actor is given the family name “Typhoon.” In recent months, CISA and security vendors have issued several warnings regarding the various “Typhoon” groups, including Volt Typhoon, Flax Typhoon and Salt Typhoon. Volt Typhoon’s focus is persistence and stealth, targeting critical infrastructure, while Flax Typhoon’s focus is on attack infrastructure, building botnets from compromised Internet of Things (IoT) devices.

    While each group’s targets and activities are unique, the “eye” of each of these typhoons is the same: they target unpatched and often well-known vulnerabilities in public-facing servers for initial access. Despite the persistence of these threat actors, it’s vital that organizations routinely patch public-facing devices and quickly mitigate known and exploited vulnerabilities. This is underscored in commentary from Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel:

    “In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.”

    Identifying affected systems

    Tenable offers several solutions to help identify potential exposures and attack paths as well as to identify systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend using the Tenable One Exposure Management Platform. Tenable One extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

    Tenable Plugin Coverage

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-26855, CVE-2022-3236, CVE-2023-48788, CVE-2024-21887 and CVE-2023-46805. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to these CVEs, we also recommend scanning with plugin ID 105161 to identify whether Cisco Smart Install is enabled on any Cisco devices in your network.

    Tenable Attack Path Analysis techniques

    The following is a list of attack paths associated with Salt Typhoon and the associated Tenable Attack Path Analysis techniques:

    MITRE ATT&CK ID | Description | Tenable Attack Path techniques
    T1003.003 | OS Credential Dumping: NTDS | T1003.003_Windows
    T1021 | Remote Services | T1021.002_Windows
    T1047 | Windows Management Instrumentation | T1047_Windows
    T1053.005 | Create or Modify System Process: Windows Service | T1053.005_Windows
    T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows
    T1059.003 | Command and Scripting Interpreter: Windows Command Shell | T1059.003_Windows
    T1068 | Exploitation for Privilege Escalation | T1068_Windows
    T1078 | Valid Accounts | T1078.001_ICS, T1078.003_Windows, T1078.004_Azure
    T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows
    T1082 | System Information Discovery | T1082
    T1087 | Account Discovery | T1087.004_Azure, T1087.004_AWS
    T1134 | Access Token Manipulation | T1134.005_Windows
    T1190 | Exploit Public-Facing Application | T1190_Aws, T1190_WAS
    T1203 | Exploitation for Client Execution | T1203_Windows
    T1482 | Domain Trust Discovery | T1482_Windows
    T1547 | Boot or Logon Autostart Execution | T1547.002_Windows, T1547.005_Windows
    T1574 | Hijack Execution Flow | T1574.007_Windows, T1574.009_Windows, T1574.010_Windows, T1574.011_Windows

    Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

    The following is a list of Indicators of Exposure and Indicators of Attack for Tenable Identity Exposure:

    MITRE ATT&CK ID | Description | Indicators
    T1003.003 | OS Credential Dumping: NTDS | I-NtdsExtraction
    T1021 | Remote Services | C-LAPS-UNSECURE-CONFIG, C-AAD-PRIV-SYNC, C-USERS-REVER-PWDS
    T1036 | Masquerading | C-CONFLICTED-OBJECTS
    T1055.001 | Process Injection: Dynamic-link Library Injection | I-DnsAdmins
    T1068 | Exploitation for Privilege Escalation | I-SamNameImpersonation
    T1078 | Valid Accounts | MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT, C-PASSWORD-DONT-EXPIRE, C-USER-PASSWORD, C-PRIV-ACCOUNTS-SPN, C-NATIVE-ADM-GROUP-MEMBERS, C-AAD-SSO-PASSWORD, C-MSA-COMPLIANCE, C-PASSWORD-POLICY, C-REVER-PWD-GPO, C-CLEARTEXT-PASSWORD, C-DC-ACCESS-CONSISTENCY, C-PROP-SET-SANITY, C-SLEEPING-ACCOUNTS, C-KERBEROS-CONFIG-ACCOUNT, HIGH-NUMBER-OF-ADMINISTRATORS, MISSING-MFA-FOR-PRIVILEGED-ACCOUNT, C-AUTH-SILO, C-KRBTGT-PASSWORD, C-AAD-PRIV-SYNC, C-SERVICE-ACCOUNT, C-PASSWORD-NOT-REQUIRED, C-ADMIN-RESTRICT-AUTH, C-ADMINCOUNT-ACCOUNT-PROPS, C-DANGEROUS-SENSITIVE-PRIVILEGES, C-PKI-DANG-ACCESS, C-EXCHANGE-MEMBERS, C-PASSWORD-HASHES-ANALYSIS, C-ADM-ACC-USAGE, C-DANG-PRIMGROUPID, C-DSHEURISTICS
    T1134 | Access Token Manipulation | C-ACCOUNTS-DANG-SID-HISTORY
    T1190 | Exploit Public-Facing Application | APPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION
    T1203 | Exploitation for Client Execution | C-OBSOLETE-SYSTEMS

    Tenable Web App Scanning

    MITRE ATT&CK ID | Description | Indicators
    T1190 | Exploit Public-Facing Application | T1190_WAS

    Get more information

    • Tenable Blog: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
    • Wall Street Journal: China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack
    • Tenable Blog: New Cybersecurity Executive Order: What It Means for Federal Agencies
    • The White House: Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity
    • CISA: Mobile Communications Best Practice Guidance
    • CISA: Enhanced Visibility and Hardening Guidance for Communications Infrastructure
    • CISA: Strengthening America’s Resilience Against the PRC Cyber Threats
    • Tenable Blog: Top 20 CVEs Exploited by People’s Republic of China State-Sponsored Actors (AA22-279A)
    • Tenable Blog: Finding Proxylogon and Related Microsoft Exchange Vulnerabilities: How Tenable Can Help
    • Tenable Blog: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
    • Tenable Blog: CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability
    • Tenable Whitepaper: Tenable 2022 Threat Landscape Report

    Join Tenable’s Security Response Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Oracle January 2025 Critical Patch Update Addresses 186 CVEs
    by Scott Caveza on January 22, 2025 at 12:52 pm

    Oracle addresses 186 CVEs in its first quarterly update of 2025 with 318 patches, including 30 critical updates.

    Background

    On January 21, Oracle released its Critical Patch Update (CPU) for January 2025, the first quarterly update of the year. This CPU contains fixes for 186 CVEs in 318 security updates across 27 Oracle product families. Out of the 318 security updates published this quarter, 9.4% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 56.6%, followed by high severity patches at 32.4%.

    This quarter’s update includes 30 critical patches across 18 CVEs.

    | Severity | Issues Patched | CVEs |
    | Critical | 30 | 18 |
    | High | 103 | 55 |
    | Medium | 180 | 109 |
    | Low | 5 | 4 |
    | Total | 318 | 186 |

    Analysis

    This quarter, the Oracle REST Data Services product family contained the highest number of patches at 85, accounting for 26.7% of the total patches, followed by Oracle Health Sciences Applications at 39 patches, which accounted for 12.3% of the total patches.

    A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

    | Oracle Product Family | Number of Patches | Remote Exploit without Auth |
    | Oracle REST Data Services | 85 | 59 |
    | Oracle Health Sciences Applications | 39 | 4 |
    | Oracle Communications Applications | 31 | 24 |
    | Oracle Graph Server and Client | 28 | 15 |
    | Oracle Construction and Engineering | 26 | 21 |
    | Oracle Analytics | 23 | 14 |
    | Oracle Communications | 22 | 18 |
    | Oracle Hospitality Applications | 16 | 6 |
    | Oracle Java SE | 6 | 3 |
    | Oracle MySQL | 6 | 4 |
    | Oracle Database Server | 5 | 2 |
    | Oracle Secure Backup | 4 | 1 |
    | Oracle TimesTen In-Memory Database | 4 | 1 |
    | Oracle Commerce | 3 | 3 |
    | Oracle Big Data Spatial and Graph | 2 | 0 |
    | Oracle E-Business Suite | 2 | 1 |
    | Oracle Financial Services Applications | 2 | 0 |
    | Oracle Fusion Middleware | 2 | 1 |
    | Oracle Hyperion | 2 | 2 |
    | Oracle Insurance Applications | 2 | 1 |
    | Oracle PeopleSoft | 2 | 0 |
    | Oracle Application Express | 1 | 0 |
    | Oracle Blockchain Platform | 1 | 1 |
    | Oracle Essbase | 1 | 1 |
    | Oracle GoldenGate | 1 | 1 |
    | Oracle Enterprise Manager | 1 | 1 |
    | Oracle JD Edwards | 1 | 0 |

    Solution

    Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2025 advisory for full details.

    Identifying affected systems

    A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

    Get more information

    - Oracle Critical Patch Update Advisory – January 2025
    - Oracle January 2025 Critical Patch Update Risk Matrices
    - Oracle Advisory to CVE Map

  • CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
    by Scott Caveza on January 14, 2025 at 3:00 pm

    Fortinet patched an authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024.

    Update February 11: The blog has been updated to include a new CVE issued by Fortinet, CVE-2025-24472.

    Background

    On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.

    | CVE | Description | CVSSv3 |
    | CVE-2024-55591 | FortiOS and FortiProxy Authentication Bypass Vulnerability | 9.6 |

    On February 11, Fortinet updated their advisory to include an additional CVE, CVE-2025-24472. The description of the vulnerability itself was updated to include a new attack vector, and the additional CVE was assigned a lower CVSSv3 score of 8.1.

    Analysis

    CVE-2024-55591 and CVE-2025-24472 are authentication bypass vulnerabilities in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit these vulnerabilities by sending a specially crafted request to a Node.js websocket module or by sending specially crafted CSF proxy requests. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to Fortinet, CVE-2024-55591 has been exploited in the wild.

    In the update to their advisory on February 11, Fortinet credited Sonny of watchTowr for reporting CVE-2025-24472, the newly added CVE.

    Zero Day Campaign May Have Been Active Since November

    Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign first observed in mid-November 2024 of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices: scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.

    At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.

    Historical exploitation of Fortinet FortiOS and FortiProxy

    Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:

    | CVE | Description | Patched | Tenable Blog |
    | CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | February 2024 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability |
    | CVE-2023-27997 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | June 2023 | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate) |
    | CVE-2022-42475 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | December 2022 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs; AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 |
    | CVE-2022-40684 | FortiOS and FortiProxy Authentication Bypass Vulnerability | October 2022 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy |
    | CVE-2020-12812 | FortiOS Improper Authentication Vulnerability | July 2020 | CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors |
    | CVE-2019-5591 | FortiOS Default Configuration Vulnerability | July 2019 | CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors |
    | CVE-2018-13379 | FortiOS Path Traversal/Arbitrary File Read Vulnerability | August 2019 | CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild |

    Proof of concept

    At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.

    Solution

    Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.

    | Affected Product | Affected Version | Fixed Version |
    | FortiOS 7.0 | 7.0.0 through 7.0.16 | Upgrade to 7.0.17 or above |
    | FortiProxy 7.0 | 7.0.0 through 7.0.19 | Upgrade to 7.0.20 or above |
    | FortiProxy 7.2 | 7.2.0 through 7.2.12 | Upgrade to 7.2.13 or above |

    Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:

    | Affected Product(s) | Vulnerability Description | Security Advisory | CVSSv3 / Severity |
    | FortiOS, FortiProxy, FortiMail, FortiSwitch, FortiVoiceEnterprise, FortiNDR, FortiWLC, FortiADC, FortiAuthenticator, FortiRecorder, FortiDDoS-F, FortiDDoS, FortiSOAR and FortiTester | An externally controlled reference to a resource may allow an unauthenticated attacker to poison web caches between an affected device and an attacker using crafted HTTP requests. | FG-IR-23-494 | 4.1 / Medium |
    | FortiAnalyzer, FortiAnalyzer Cloud, FortiAuthenticator, FortiManager, FortiManager Cloud, FortiOS, FortiProxy, FortiSASE | An unauthenticated attacker with access to the Security Fabric protocol may be able to brute force an affected product to bypass authentication. | FG-IR-24-221 | 8.0 / High |
    | FortiOS | An authenticated, remote attacker may be able to prevent access to the GUI using specially crafted requests, causing a denial of service (DoS) condition. | FG-IR-24-250 | 4.8 / Medium |
    | FortiOS | An authenticated attacker may be able to cause a DoS condition due to a NULL pointer dereference vulnerability in the SSLVPN web portal. | FG-IR-23-473 | 6.2 / Medium |
    | FortiManager, FortiOS, FortiProxy, FortiRecorder, FortiSASE, FortiVoice and FortiWeb | A path traversal vulnerability may be exploited by a remote attacker with access to the security fabric interface, allowing the attacker to access and modify arbitrary files. | FG-IR-24-259 | 7.1 / High |
    | FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds write vulnerability to cause a DoS condition. | FG-IR-24-373 | 3.5 / Low |
    | FortiOS | An unauthenticated attacker may be able to exploit an out-of-bounds read vulnerability to cause a DoS condition. | FG-IR-24-266 | 7.5 / High |
    | FortiOS | An authenticated attacker with low privileges may be able to cause a DoS condition due to two NULL pointer dereference vulnerabilities. | FG-IR-23-293 | 6.4 / Medium |
    | FortiOS | An unauthenticated attacker may be able to exploit a resource allocation vulnerability to cause a DoS condition using multiple large file uploads. | FG-IR-24-219 | 7.1 / High |
    | FortiOS | An authenticated attacker may be able to exploit an integer overflow vulnerability to cause a DoS condition. | FG-IR-24-267 | 3.2 / Low |
    | FortiOS | An authenticated attacker may be able to exploit an improper access control vulnerability. | FG-IR-23-407 | 4.7 / Medium |
    | FortiOS, FortiProxy and FortiSASE | An unauthenticated attacker may be able to exploit an HTTP response splitting vulnerability in FortiOS, FortiProxy and FortiSASE. | FG-IR-24-282 | 6.4 / Medium |
    | FortiOS | An unauthenticated attacker may be able to exploit a man-in-the-middle vulnerability to intercept sensitive information. | FG-IR-24-326 | 3.5 / Low |

    Identifying affected systems

    A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2024-55591 and CVE-2025-24472 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public-facing Fortinet assets.

    Change Log

    Update February 11: The blog has been updated to include a new CVE issued by Fortinet, CVE-2025-24472.

    Get more information

    - Fortinet FG-IR-24-535 Security Advisory
    - Arctic Wolf Blog – Console Chaos: A Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls

  • Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)
    by Tenable Security Response Team on January 14, 2025 at 1:53 pm

    10 Critical | 147 Important | 0 Moderate | 0 Low

    Microsoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever, with three CVEs exploited in the wild and five CVEs publicly disclosed prior to patches being made available.

    Microsoft patched 157 CVEs in its January 2025 Patch Tuesday release, with 10 rated critical and 147 rated as important. Our counts omitted two vulnerabilities, one reported by GitHub and another reported by CERT/CC. To date, the January 2025 Patch Tuesday release is the largest ever from Microsoft.

    This month’s update includes patches for:

    - .NET
    - .NET and Visual Studio
    - .NET, .NET Framework, Visual Studio
    - Active Directory Domain Services
    - Active Directory Federation Services
    - Azure Marketplace SaaS Resources
    - BranchCache
    - IP Helper
    - Internet Explorer
    - Line Printer Daemon Service (LPD)
    - Microsoft AutoUpdate (MAU)
    - Microsoft Azure Gateway Manager
    - Microsoft Brokering File System
    - Microsoft Digest Authentication
    - Microsoft Graphics Component
    - Microsoft Office
    - Microsoft Office Access
    - Microsoft Office Excel
    - Microsoft Office OneNote
    - Microsoft Office Outlook
    - Microsoft Office Outlook for Mac
    - Microsoft Office SharePoint
    - Microsoft Office Visio
    - Microsoft Office Word
    - Microsoft Purview
    - Microsoft Windows Search Component
    - Power Automate
    - Reliable Multicast Transport Driver (RMCAST)
    - Visual Studio
    - Windows BitLocker
    - Windows Boot Loader
    - Windows Boot Manager
    - Windows COM
    - Windows Client-Side Caching (CSC) Service
    - Windows Cloud Files Mini Filter Driver
    - Windows Connected Devices Platform Service
    - Windows Cryptographic Services
    - Windows DWM Core Library
    - Windows Digital Media
    - Windows Direct Show
    - Windows Event Tracing
    - Windows Geolocation Service
    - Windows Hello
    - Windows Hyper-V NT Kernel Integration VSP
    - Windows Installer
    - Windows Kerberos
    - Windows Kernel Memory
    - Windows MapUrlToZone
    - Windows Mark of the Web (MOTW)
    - Windows Message Queuing
    - Windows NTLM
    - Windows OLE
    - Windows PrintWorkflowUserSvc
    - Windows Recovery Environment Agent
    - Windows Remote Desktop Services
    - Windows SPNEGO Extended Negotiation
    - Windows Security Account Manager
    - Windows Smart Card
    - Windows SmartScreen
    - Windows Telephony Service
    - Windows Themes
    - Windows UPnP Device Host
    - Windows Virtual Trusted Platform Module
    - Windows Virtualization-Based Security (VBS) Enclave
    - Windows WLAN Auto Config Service
    - Windows Web Threat Defense User Service
    - Windows Win32K – GRFX

    Remote code execution (RCE) vulnerabilities accounted for 36.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.5%.

    Important: CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities

    CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. An authenticated, local attacker could exploit these vulnerabilities to elevate privileges to SYSTEM. Two of the three vulnerabilities were unattributed, with CVE-2025-21333 being attributed to an Anonymous researcher.

    According to Microsoft, all three vulnerabilities were exploited in the wild as zero-days. No specific details about the in-the-wild exploitation were public at the time this blog post was released.

    Important: CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 | Microsoft Access Remote Code Execution Vulnerability

    CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395 are RCE vulnerabilities in Microsoft Access, a database management system. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. A remote, unauthenticated attacker could exploit these vulnerabilities by convincing a target through social engineering to download and open a malicious file. Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system. This update “blocks potentially malicious extensions from being sent in an email.”

    According to Microsoft, these three vulnerabilities were publicly disclosed prior to a patch being available (zero-days). They are attributed to Unpatched.ai, which uses artificial intelligence (AI) to “help find and analyze” vulnerabilities.

    Important: CVE-2025-21308 | Windows Themes Spoofing Vulnerability

    CVE-2025-21308 is a spoofing vulnerability affecting Windows Themes. This vulnerability received a CVSSv3 score of 6.5 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to convince a user to load a malicious file, then convince the user to “manipulate the specially crafted file.” Microsoft has provided a list of mitigations including disabling New Technology LAN Manager (NTLM) or using group policy to block NTLM hashes. For more information on the mitigation guidance, please refer to the Microsoft advisory.

    Important: CVE-2025-21275 | Windows App Package Installer Elevation of Privilege Vulnerability

    CVE-2025-21275 is an EoP vulnerability in the Microsoft Windows App Package Installer. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. These types of flaws are often associated with post-compromise activity, after an attacker has breached a system through other means.

    According to Microsoft, this vulnerability was publicly disclosed prior to a patch being available. It is attributed to an Anonymous researcher.

    Critical: CVE-2025-21297, CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability

    CVE-2025-21297 and CVE-2025-21309 are critical RCE vulnerabilities affecting Windows Remote Desktop Services. Both of these vulnerabilities were assigned CVSSv3 scores of 8.1; however, CVE-2025-21309 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index, while CVE-2025-21297 was assessed as “Exploitation Less Likely.”

    According to Microsoft, successful exploitation of these flaws requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race condition that creates a use-after-free scenario which can be leveraged to execute arbitrary code.

    Critical: CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability

    CVE-2025-21298 is an RCE vulnerability in Microsoft Windows Object Linking and Embedding (OLE). It was assigned a CVSSv3 score of 9.8 and is rated critical. It has been assessed as “Exploitation More Likely.” An attacker could exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane.

    Microsoft’s advisory for this vulnerability recommends configuring Microsoft Outlook to read email messages “in plain text format” instead of a rich format that will display other types of content, such as photos, animations or specialized fonts. To configure Outlook in this way, please refer to the following article, Read email messages in plain text.

    Tenable Solutions

    A list of all the plugins released for Microsoft’s January 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

    - Microsoft’s January 2025 Security Updates
    - Tenable plugins for Microsoft January 2025 Patch Tuesday Security Updates

  • CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild
    by Satnam Narang on January 8, 2025 at 2:16 pm

    Ivanti disclosed two vulnerabilities in its Connect Secure, Policy Secure and Neurons for ZTA gateway devices, including one flaw that was exploited in the wild as a zero-day.

    Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

    Background

    On January 8, Ivanti published a security advisory for two vulnerabilities affecting multiple products including Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) gateways:

    | CVE | Description | CVSSv3 |
    | CVE-2025-0282 | Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways Stack-based Buffer Overflow Vulnerability | 9.0 |
    | CVE-2025-0283 | Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways Stack-based Buffer Overflow Vulnerability | 7.0 |

    Analysis

    CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. An unauthenticated, remote attacker that successfully exploits this flaw would obtain remote code execution on a vulnerable device.

    CVE-2025-0283 is also a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. Unlike CVE-2025-0282, a local, authenticated attacker that successfully exploits this flaw would be able to elevate privileges on a vulnerable device.

    In-the-wild exploitation observed for CVE-2025-0282

    In a blog post, Ivanti confirmed that they have observed in-the-wild exploitation of CVE-2025-0282 in “a limited number of customers” of Ivanti Connect Secure devices. They reiterate that they have not observed exploitation against Ivanti Policy Secure or Neurons for ZTA gateways.

    Ongoing investigation reveals preliminary insight into malicious activity

    On January 8, researchers at Google Mandiant published a blog post outlining their preliminary findings related to the in-the-wild exploitation of CVE-2025-0282. While the researchers have yet to link the attacks to any particular advanced persistent threat (APT) group or cluster, they have identified several malware samples on compromised systems, including the SPAWN ecosystem of malware (e.g. SPAWNANT, SPAWNMOLE and PAWNSNAIL) as well as newly discovered malware such as a credential harvesting tool called DRYHOOK and a dropper called PHASEJAM. For more information, please visit the Google Mandiant blog.

    Historical exploitation of Ivanti Connect Secure

    Ivanti Connect Secure, formerly known as Pulse Connect Secure, has been frequently targeted by attackers of all types, including advanced persistent threat (APT) groups as well as ransomware affiliates and opportunistic cybercriminals.

    | CVE | Description | Tenable Publications | Year |
    | CVE-2019-11510 | Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability | 1, 2, 3, 4, 5 | 2019 |
    | CVE-2019-11539 | Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability | 1, 2, 3, 4 | 2019 |
    | CVE-2020-8218 | Ivanti Pulse Connect Secure Code Injection Vulnerability | Tenable 2020 Threat Landscape Retrospective | 2020 |
    | CVE-2020-8243 | Ivanti Pulse Connect Secure Code Injection Vulnerability | 1, 2 | 2020 |
    | CVE-2020-8260 | Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability | 1, 2 | 2020 |
    | CVE-2021-22893 | Ivanti Pulse Connect Secure Authentication Bypass Vulnerability | 1, 2 | 2021 |
    | CVE-2021-22894 | Ivanti Pulse Connect Secure Buffer Overflow Vulnerability | CVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild | 2021 |
    | CVE-2021-22899 | Ivanti Pulse Connect Secure Command Injection Vulnerability | CVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild | 2021 |
    | CVE-2021-22900 | Ivanti Pulse Connect Secure Multiple Unrestricted Uploads Vulnerability | CVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild | 2021 |
    | CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability | 1, 2 | 2024 |
    | CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 1, 2 | 2024 |
    | CVE-2024-21893 | Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability | CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | 2024 |

    Because of the historical exploitation of these devices, customers are strongly advised to apply the available patch for these flaws as soon as possible.

    Proof of concept

    On January 16, researchers at watchTowr released a public proof-of-concept (PoC) exploit for CVE-2025-0282 on GitHub. The GitHub repository notes that the PoC is “broken in non-trivial ways,” adding that it will “require effort to work.” It also points to watchTowr’s technical write-up, Exploitation Walkthrough and Techniques – Ivanti Connect Secure RCE (CVE-2025-0282), on its blog.

    Solution

    Ivanti has released the following patches for Connect Secure, Policy Secure and Neurons for ZTA Gateways.

    | Affected Product | Affected Versions (CVE-2025-0282) | Affected Versions (CVE-2025-0283) | Fixed Version |
    | Ivanti Connect Secure | 22.7R2 through 22.7R2.4 | 22.7R2.4 and below; 9.1R18.9 and below | 22.7R2.5 |
    | Ivanti Policy Secure | 22.7R1 through 22.7R1.2 | 22.7R1.2 and below | Unavailable until January 21 |
    | Ivanti Neurons for ZTA gateways | 22.7R2 through 22.7R2.3 | 22.7R2.3 and below | 22.7R2.5 (Unavailable until January 21) |

    Ivanti customers can utilize Ivanti’s Integrity Checker Tool (ICT) to identify exploitation of CVE-2025-0282.

    For Connect Secure customers, Ivanti recommends performing a factory reset of devices prior to upgrading to version 22.7R2.5 “out of an abundance of caution” for those with clean ICT scan results and to “ensure any malware is removed” where ICT results “show signs of compromise.”

    Identifying affected systems

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-0282 and CVE-2025-0283 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

    Tenable Attack Surface Management customers are able to quickly identify these assets by leveraging the built-in subscription labeled Ivanti Connect Secure (ICS) – v1.

    Get more information

    - Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)
    - Security Update: Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways

    Change Log

    Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

    Update January 9: The Analysis section has been updated to include preliminary details from Mandiant’s ongoing investigation into these attacks.
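    As an added example (not Tenable’s, Fortinet’s or Ivanti’s own code), the script below turns the fixed-version tables from the Fortinet FG-IR-24-535 post and the Ivanti CVE-2025-0282/CVE-2025-0283 post into a check a defender can run over an inventory export. The ranges and fix versions are transcribed from those two tables; the inventory entries are constructed, and treating Ivanti’s “R” as just another dotted component (so 22.7R2 sorts before 22.7R2.4) is an assumption about how the advisory orders releases.

```python
"""Flag FortiOS/FortiProxy and Ivanti appliance versions that fall inside the
affected ranges published in the two advisories summarised above."""
import re
from dataclasses import dataclass
from typing import Optional


def parse_version(ver: str) -> tuple:
    """Turn "7.0.16" or "22.7R2.4" into a comparable integer tuple.

    Assumption: Ivanti's "R" separates major.minor from release.patch, so it is
    treated like a dot. Missing trailing components count as 0, which makes
    "22.7R2" sort just below "22.7R2.4" (matching "22.7R2 through 22.7R2.4").
    """
    parts = re.split(r"[.R]", ver.strip(), flags=re.IGNORECASE)
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {ver!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums)


@dataclass(frozen=True)
class AffectedRange:
    product: str
    cve: str
    low: Optional[str]    # inclusive lower bound; None means "and below"
    high: str             # inclusive upper bound
    fixed: Optional[str]  # None when the advisory lists no fix yet

    def contains(self, ver: str) -> bool:
        v = parse_version(ver)
        below_high = v <= parse_version(self.high)
        above_low = self.low is None or v >= parse_version(self.low)
        return above_low and below_high


# Transcribed from the Fortinet and Ivanti patch tables in the posts above.
# For Connect Secure CVE-2025-0283 the advisory lists "22.7R2.4 and below" and
# "9.1R18.9 and below"; an open lower bound on 22.7R2.4 covers both.
RANGES = [
    AffectedRange("FortiOS 7.0", "CVE-2024-55591", "7.0.0", "7.0.16", "7.0.17"),
    AffectedRange("FortiProxy 7.0", "CVE-2024-55591", "7.0.0", "7.0.19", "7.0.20"),
    AffectedRange("FortiProxy 7.2", "CVE-2024-55591", "7.2.0", "7.2.12", "7.2.13"),
    AffectedRange("Ivanti Connect Secure", "CVE-2025-0282", "22.7R2", "22.7R2.4", "22.7R2.5"),
    AffectedRange("Ivanti Connect Secure", "CVE-2025-0283", None, "22.7R2.4", "22.7R2.5"),
    AffectedRange("Ivanti Policy Secure", "CVE-2025-0282", "22.7R1", "22.7R1.2", None),
    AffectedRange("Ivanti Policy Secure", "CVE-2025-0283", None, "22.7R1.2", None),
    AffectedRange("Ivanti Neurons for ZTA gateways", "CVE-2025-0282", "22.7R2", "22.7R2.3", "22.7R2.5"),
    AffectedRange("Ivanti Neurons for ZTA gateways", "CVE-2025-0283", None, "22.7R2.3", "22.7R2.5"),
]


def assess(product: str, version: str) -> list:
    """Return one finding per range the (product, version) pair falls into."""
    findings = []
    for r in RANGES:
        # "FortiOS" matches the "FortiOS 7.0" train entry; the version bounds
        # themselves keep other trains (e.g. 7.2.x) from matching.
        if r.product != product and not r.product.startswith(product + " "):
            continue
        if r.contains(version):
            findings.append({
                "product": r.product,
                "cve": r.cve,
                "version": version,
                "fixed": r.fixed or "no fix listed in advisory",
            })
    return findings


# Constructed sample inventory (not from the advisories).
SAMPLE_INVENTORY = [
    ("FortiOS", "7.0.12"),
    ("FortiOS", "7.0.17"),
    ("FortiProxy", "7.2.12"),
    ("Ivanti Connect Secure", "22.7R2.3"),
    ("Ivanti Connect Secure", "9.1R18.5"),
    ("Ivanti Policy Secure", "22.7R1.1"),
    ("Ivanti Connect Secure", "22.7R2.5"),
]


def assess_inventory(inventory=SAMPLE_INVENTORY) -> list:
    out = []
    for product, version in inventory:
        out.extend(assess(product, version))
    return out


if __name__ == "__main__":
    for f in assess_inventory():
        print(f"{f['product']:<32} {f['version']:<10} {f['cve']}  upgrade to: {f['fixed']}")
```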

  • Microsoft Patch Tuesday 2024 Year in Review
    by Scott Caveza, Satnam Narang on December 10, 2024 at 4:52 pm

    Microsoft addressed over 1000 CVEs as part of Patch Tuesday releases in 2024, including 22 zero-day vulnerabilities.

    Background

    Microsoft’s Patch Tuesday, a monthly release of software patches for Microsoft products, has just celebrated its 21st anniversary. After a wrap-up covering the 20th anniversary in 2023, the Tenable Security Response Team (SRT) chose to keep the tradition and cover trends and significant vulnerabilities from the 2024 Patch Tuesday releases.

    Analysis

    In 2024, Microsoft patched 1,009 CVEs throughout the year across a multitude of products. In contrast, 2023 saw 909 CVEs patched and in 2022, 917 CVEs were patched. While Microsoft has yet to break its 2020 record with 1,245 CVEs patched, 2024 was still significant, as it is only the second time since Patch Tuesday’s inception that Microsoft patched over 1,000 CVEs in a year.

    Year over year, we see a steady increase in CVEs patched, with the exception of the outlier in 2020, a peak CVE count we have not yet seen matched.

    In 2024, the largest CVE count was observed in April, with Microsoft releasing patches for 147 CVEs. Only three months saw CVE counts over 100, with an average of 84 CVEs patched per month.

    Patch Tuesday 2024 by severity

    Each month, Microsoft categorizes vulnerabilities into four main severity levels: low, moderate, important and critical.

    Just as in 2023, 2024 saw the majority of vulnerabilities rated as important, accounting for 93.6% of all CVEs patched, followed by critical at 5.4%. Moderate accounted for 1.1%, while there were no CVEs rated as low in 2024.

    Patch Tuesday 2024 by impact

    In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass and tampering.

    Once again in 2024, RCE vulnerabilities led the impact category, accounting for 39.7%, while EoP vulnerabilities accounted for 28.8%. DoS vulnerabilities ranked third, accounting for 10%, followed by information disclosure flaws at 8.3% and security feature bypass vulnerabilities at 8.0%. Last year, there were no vulnerabilities categorized as tampering, but this year there were just four, which accounted for 0.4%.

    Patch Tuesday 2024 zero-day vulnerabilities

    According to Statista, Microsoft’s Windows operating system (OS) has a 72% market share as of February 2024, making it the most prominent OS. With the largest market share, Microsoft remains a top target for cybercriminals and advanced persistent threat (APT) groups. On occasion, these groups find and exploit vulnerabilities that remain unknown to Microsoft, known as zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available. These zero-day vulnerabilities are often leveraged in limited, targeted attacks; however, exploitation of these flaws can vary in depth and breadth.

    In 2024, Microsoft patched 22 CVEs that were identified as zero-day vulnerabilities. Of the 22 zero-day vulnerabilities patched in 2024, 36.4% were EoP flaws. EoP vulnerabilities are often leveraged by APT actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity. Following EoP flaws, security feature bypass vulnerabilities accounted for 27.3% of zero-days in 2024. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 18.2% of zero-day flaws.

    While these zero-days made up a small portion of the overall CVEs addressed by Microsoft in 2024, we analyzed some of the most notable zero-day vulnerabilities of 2024. The table below includes these CVEs with some details around their exploitation activity.

    | CVE | Description | Exploitation Activity |
    | CVE-2024-21338 | Windows Kernel Elevation of Privilege Vulnerability | Exploited by the Lazarus APT Group to deploy the FudModule rootkit |
    | CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability | Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. This APT has also exploited this CVE to deploy the DarkMe remote access trojan (RAT) |
    | CVE-2024-30051 | Windows DWM Core Library Elevation of Privilege Vulnerability | Used to deploy QakBot malware |
    | CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability | Exploited by APT34 (aka OilRig) |
    | CVE-2024-38112 | Windows MSHTML Platform Spoofing Vulnerability | Exploited by APT group Void Banshee to deploy the malware known as Atlantida stealer |
    | CVE-2024-38178 | Scripting Engine Memory Corruption Vulnerability | Exploited by APT37 (aka RedEyes, Reaper, ScarCruft, Group123 and TA-RedAnt) |
    | CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Exploited by the Lazarus APT Group (aka Diamond Sleet) to deploy the FudModule rootkit |
    | CVE-2024-38213 | Windows Mark of the Web Security Feature Bypass Vulnerability | Water Hydra (aka DarkCasino) exploited this in a campaign named DarkGate. The vulnerability was named “Copy2Pwn” by Trend Micro’s Zero Day Initiative (ZDI) |
    | CVE-2024-43451 | NTLM Hash Disclosure Spoofing Vulnerability | Exploited by the APT known as UAC-0194 to deploy Spark RAT malware |
    | CVE-2024-43461 | Windows MSHTML Platform Spoofing Vulnerability | Exploited by APT group Void Banshee in an attack chain with CVE-2024-38112 |
    | CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability | Exploited by the threat actor tracked as RomCom to deploy the RomCom RAT malware |

    Conclusion

    Reflecting on the Patch Tuesday vulnerabilities of 2024, year-over-year CVE counts have been relatively steady, and this year brought a small increase. While there will always be outliers, it is likely that 2025 will continue to follow an upward trend. In June, Microsoft announced that CVEs would be issued for vulnerabilities in cloud-based products, even when no end user action is required. This could lead to a sharp increase in the number of CVEs assigned next year.

    The SRT will continue to blog about Patch Tuesday each month along with other significant vulnerabilities that represent risk across the threat landscape, ensuring our readers are equipped with the most up-to-date information about the exposures that require immediate action.

    Get more information

    - Tenable Blog: Microsoft Patch Tuesday 2023 Year in Review

  • Microsoft’s December 2024 Patch Tuesday Addresses 70 CVEs (CVE-2024-49138)
    by Tenable Security Response Team on December 10, 2024 at 1:47 pm

    16 Critical | 54 Important | 0 Moderate | 0 Low

    Microsoft addresses 70 CVEs with 16 rated critical, including one zero-day that was exploited in the wild.

    Microsoft patched 70 CVEs in its December 2024 Patch Tuesday release, with 16 rated critical and 54 rated as important.

    This month’s update includes patches for:

      • GitHub
      • Microsoft Defender for Endpoint
      • Microsoft Office
      • Microsoft Office Access
      • Microsoft Office Excel
      • Microsoft Office Publisher
      • Microsoft Office SharePoint
      • Microsoft Office Word
      • Remote Desktop Client
      • Role: DNS Server
      • Role: Windows Hyper-V
      • System Center Operations Manager
      • Windows Cloud Files Mini Filter Driver
      • Windows Common Log File System Driver
      • Windows File Explorer
      • Windows IP Routing Management Snapin
      • Windows Kernel
      • Windows Kernel-Mode Drivers
      • Windows LDAP – Lightweight Directory Access Protocol
      • Windows Local Security Authority Subsystem Service (LSASS)
      • Windows Message Queuing
      • Windows Mobile Broadband
      • Windows PrintWorkflowUserSvc
      • Windows Remote Desktop
      • Windows Remote Desktop Services
      • Windows Resilient File System (ReFS)
      • Windows Routing and Remote Access Service (RRAS)
      • Windows Task Scheduler
      • Windows Virtualization-Based Security (VBS) Enclave
      • Windows Wireless Wide Area Network Service
      • WmsRepair Service

    Remote code execution (RCE) vulnerabilities accounted for 42.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 38.6%.

    Important
    CVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

    CVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.

    In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090 and CVE-2024-49088. Both were assigned a CVSSv3 score of 7.8, rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

    This is the ninth vulnerability in the Windows CLFS driver patched in 2024, and the first that was exploited in the wild as a zero-day this year. In 2023, there were 10 CLFS vulnerabilities patched, including two zero-day vulnerabilities in the CLFS driver that were exploited (CVE-2023-28252, CVE-2023-23376). According to researchers, CLFS driver vulnerabilities have been a popular attack vector and have been exploited in the wild by ransomware operators in the last few years.

    Important
    CVE-2024-49070 | Microsoft SharePoint Remote Code Execution Vulnerability

    CVE-2024-49070 is an RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that attack complexity is high and that successful exploitation requires the attacker to first prepare the target in order to improve the reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”

    In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

    Critical
    CVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

    CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both Microsoft advisories, successful exploitation requires an attacker to win a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely,” while CVE-2024-49118 was assessed as “Exploitation Less Likely” because winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

    In order for a system to be vulnerable, the MSMQ service must be added and enabled. According to Microsoft, if the service is enabled on a Windows installation, a service named “Message Queueing” will be running on TCP port 1801. Tenable customers can use Plugin ID 174933 to identify systems that have this service running.

    CVE-2024-49118 and CVE-2024-49122 bring the total to six RCEs affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two were addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February’s Patch Tuesday (CVE-2024-21363) release.

    Critical
    CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

    CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario,” which could lead to arbitrary code execution. Given the high complexity of exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

    In addition to these nine RCEs, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

    Tenable Solutions

    A list of all the plugins released for Microsoft’s December 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

    Microsoft’s December 2024 Security Updates
    Tenable plugins for Microsoft December 2024 Patch Tuesday Security Updates
    Join Tenable’s Security Response Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
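The MSMQ exposure condition the post describes for CVE-2024-49118 and CVE-2024-49122 (service added and enabled, Message Queuing listening on TCP port 1801) can be checked locally with the following PowerShell, an added example that is not from the Tenable post and does not reproduce its plugin. The service name MSMQ, the optional-feature name MSMQ-Server and the cmdlets used are assumed from a standard Windows installation; only the port number comes from the post.

```powershell
# Added example: report whether this host exposes the MSMQ service that
# CVE-2024-49118 / CVE-2024-49122 affect. Service name 'MSMQ' and feature
# name 'MSMQ-Server' are assumed standard Windows names; port 1801 is from
# the Tenable post. Returns an object so results can be collected per host.
function Test-MsmqExposure {
    [CmdletBinding()]
    param([int]$Port = 1801)

    $result = [ordered]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = $false
        ServiceRunning   = $false
        FeatureEnabled   = $false
        PortListening    = $false
        Exposed          = $false
    }

    # 1. Is the MSMQ service present, and is it running?
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceInstalled = $true
        $result.ServiceRunning   = ($svc.Status -eq 'Running')
    }

    # 2. Is the MSMQ-Server optional feature enabled? (needs an elevated shell)
    try {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction Stop
        $result.FeatureEnabled = ($feat.State -eq 'Enabled')
    } catch {
        Write-Verbose "Could not query optional features (run elevated): $_"
    }

    # 3. Is anything listening on the MSMQ TCP port?
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $result.PortListening = [bool]$listener

    # A running service or an open listener is the condition the advisory
    # describes as required for the host to be vulnerable.
    $result.Exposed = $result.ServiceRunning -or $result.PortListening
    [pscustomobject]$result
}

# Usage: run on each host; Exposed = $true means prioritize the December 2024
# update for that host (or remove MSMQ where it is not required).
Test-MsmqExposure -Verbose | Format-List
```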
