Security professionals and system administrators are on high alert as Microsoft, Fortinet, and Ivanti have each released critical security advisories regarding actively exploited zero-day vulnerabilities affecting their respective products. These vulnerabilities pose a significant risk to organizations, potentially leading to unauthorized access, data breaches, and system compromise. Immediate patching and implementation of recommended workarounds are strongly advised to mitigate potential threats.
Microsoft Patches Address Actively Exploited and Publicly Disclosed Vulnerabilities
Microsoft’s recent Patch Tuesday release included fixes for a concerning number of vulnerabilities, including five that are already being actively exploited in the wild, along with two publicly disclosed zero-day vulnerabilities. The actively exploited flaws represent a serious threat, as malicious actors are actively leveraging them to compromise systems. This necessitates a swift and decisive response from organizations to protect their digital assets. Proactive measures are always preferable, and the identification of active exploitation underscores the importance of continuous monitoring and threat intelligence. It’s not just a matter of applying the patches, but also understanding the potential impact and scope of these vulnerabilities.
The patching process also needs to consider the order of operations. Which servers and systems are the most critical? Which are the most vulnerable? A detailed risk assessment is crucial to ensure that resources are allocated effectively and that the most critical assets are protected first. Furthermore, the patching process needs to be well-documented and repeatable. This will ensure that future patches can be applied efficiently and effectively.
Security teams should also consider implementing additional security measures to protect against these vulnerabilities. This might include hardening systems, implementing stricter access controls, and increasing monitoring and alerting. By taking a layered approach to security, organizations can reduce their risk of being compromised.
Actively Exploited Vulnerabilities in Detail
The following vulnerabilities have been identified as being actively exploited:
- Microsoft DWM Core Library (CVE-2025-30400): This vulnerability in the Desktop Window Manager (DWM) Core Library could allow an attacker to elevate their privileges to SYSTEM level. This means an attacker could gain complete control over the affected system. The SYSTEM level privilege is the highest level of access that can be granted on a Windows system. An attacker with this level of access can do anything they want, including installing malware, stealing data, and disrupting services.
- Windows Common Log File System (CVE-2025-32701 and CVE-2025-32706): Two separate vulnerabilities within the Windows Common Log File System (CLFS) could also allow an attacker to achieve SYSTEM level privileges. The CLFS is a general-purpose logging service used by various components of Windows. The fact that there are two separate vulnerabilities in the CLFS highlights the complexity of modern operating systems and the challenges of securing them. Attackers are constantly looking for weaknesses in these systems, and they only need to find one to compromise an entire system.
- Windows Ancillary Function Driver (CVE-2025-32709): A vulnerability in the Windows Ancillary Function Driver could similarly lead to elevation of privileges to SYSTEM level. The ancillary function driver plays a crucial role in the interaction between hardware and the operating system, making its compromise particularly dangerous. This type of vulnerability often involves intricate memory management issues and requires a deep understanding of the Windows kernel architecture to exploit successfully.
- Microsoft Scripting Engine (CVE-2025-30397): A memory corruption vulnerability exists in the Microsoft Scripting Engine that could enable an attacker to execute arbitrary code. This could allow an attacker to run malicious software on the affected system. The Microsoft Scripting Engine is used to execute scripts in web browsers and other applications. A memory corruption vulnerability in this engine could allow an attacker to inject malicious code into a script and execute it on the affected system. This is a particularly dangerous type of vulnerability because it can be used to compromise systems without the user’s knowledge or consent.
Publicly Disclosed Vulnerabilities
In addition to the actively exploited vulnerabilities, Microsoft also addressed two publicly disclosed zero-day vulnerabilities:
- Microsoft Defender (CVE-2025-26685): An identity spoofing vulnerability exists in Microsoft Defender that could allow an attacker to spoof another account over an adjacent network. This is particularly concerning because Microsoft Defender is designed to protect systems from malware and other threats. If an attacker can spoof another account, they can bypass the security measures implemented by Microsoft Defender and gain access to sensitive data.
- Visual Studio (CVE-2025-32702): A remote code execution vulnerability in Visual Studio could allow an unauthenticated attacker to execute code locally. Visual Studio is a powerful development environment used by millions of developers around the world. A remote code execution vulnerability in Visual Studio could allow an attacker to compromise the systems of these developers, potentially leading to supply chain attacks. This highlights the interconnected nature of the software development ecosystem and the need for robust security practices throughout the development lifecycle.
Critical Vulnerabilities Requiring Prioritization
Beyond the actively exploited and publicly disclosed flaws, Microsoft has also issued patches for six critical vulnerabilities that, while not currently known to be exploited, should be prioritized for patching. These vulnerabilities affect various Microsoft products including:
- Microsoft Office (CVE-2025-30377 and CVE-2025-30386): Two critical vulnerabilities have been identified in Microsoft Office, potentially allowing for remote code execution. These vulnerabilities could allow an attacker to take control of a user’s computer by sending them a malicious Office document. Given the widespread use of Microsoft Office, these vulnerabilities pose a significant risk to organizations of all sizes.
- Microsoft Power Apps (CVE-2025-47733): A critical vulnerability has been discovered in Microsoft Power Apps that could lead to unauthorized access or code execution. Power Apps is a low-code development platform that allows users to create custom applications. A vulnerability in Power Apps could allow an attacker to gain unauthorized access to sensitive data or execute malicious code on the affected system.
- Remote Desktop Gateway Service (CVE-2025-29967): A critical vulnerability exists in the Remote Desktop Gateway Service that could allow an attacker to compromise the system. The Remote Desktop Gateway Service allows users to connect to remote computers over the internet. A vulnerability in this service could allow an attacker to gain access to sensitive data or execute malicious code on the affected system.
- Windows Remote Desktop (CVE-2025-29966): A critical vulnerability has been found in Windows Remote Desktop, potentially leading to remote code execution. Similar to the Remote Desktop Gateway Service vulnerability, this could allow attackers to gain unauthorized access and control over systems.
Fortinet Addresses Critical Vulnerability Across Multiple Products
Fortinet has released a security advisory regarding a critical vulnerability affecting several of its products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This highlights the challenge of maintaining security across a diverse product portfolio. Vendors must invest in robust security testing and code review processes to identify and address vulnerabilities before they can be exploited by attackers. The fact that this vulnerability affects multiple products also suggests that there may be shared code or libraries that are vulnerable. This is a common problem in software development, and it is important to identify and address these shared vulnerabilities to prevent future attacks.
This vulnerability, a stack-based buffer overflow, has been assigned a CVSS v4 severity score of 9.6 (CVSS v3.1: 9.8), indicating its high severity. The vulnerability can be exploited remotely by an unauthenticated attacker by sending HTTP requests containing a specially crafted hash cookie. Successful exploitation could lead to arbitrary code execution, allowing an attacker to take complete control of the affected device. A CVSS score of 9.8 is extremely high, indicating that this is a very dangerous vulnerability. The fact that it can be exploited remotely by an unauthenticated attacker makes it even more concerning. Organizations that use Fortinet products should take immediate steps to patch their systems.
Exploitation Observed in FortiVoice
Fortinet has confirmed that it has observed active exploitation of this vulnerability in FortiVoice devices. Attackers have been scanning device networks, erasing system crash logs, and enabling fcgi debugging to capture credentials entered during system or SSH login attempts. This is a clear indication that attackers are actively targeting Fortinet products. The fact that they are erasing system crash logs suggests that they are trying to cover their tracks. Enabling fcgi debugging is a technique that can be used to capture sensitive information, such as passwords and API keys. Organizations should implement robust monitoring and logging practices to detect and respond to these types of attacks.
Affected Products and Versions
The vulnerability, tracked as CVE-2025-32756, affects the following product versions. Immediate upgrades to the specified fixed versions are strongly recommended:
- FortiVoice:
- 7.2.0: Upgrade to 7.2.1 or above
- 7.0.0 through 7.0.6: Upgrade to 7.0.7 or above
- 6.4.0 through 6.4.10: Upgrade to 6.4.11 or above
- FortiRecorder:
- 7.2.0 through 7.2.3: Upgrade to 7.2.4 or above
- 7.0.0 through 7.0.5: Upgrade to 7.0.6 or above
- 6.4.0 through 6.4.5: Upgrade to 6.4.6 or above
- FortiMail:
- 7.6.0 through 7.6.2: Upgrade to 7.6.3 or above
- 7.4.0 through 7.4.4: Upgrade to 7.4.5 or above
- 7.2.0 through 7.2.7: Upgrade to 7.2.8 or above
- 7.0.0 through 7.0.8: Upgrade to 7.0.9 or above
- FortiNDR:
- 7.6.0: Upgrade to 7.6.1 or above
- 7.4.0 through 7.4.7: Upgrade to 7.4.8 or above
- 7.2.0 through 7.2.4: Upgrade to 7.2.5 or above
- 7.1: Migrate to a fixed release
- 7.0.0 through 7.0.6: Upgrade to 7.0.7 or above
- 1.1 through 1.5: Migrate to a fixed release
- FortiCamera:
- 2.1.0 through 2.1.3: Upgrade to 2.1.4 or above
- 2.0: Migrate to a fixed release
- 1.1: Migrate to a fixed release
The detailed version information provided by Fortinet is crucial for organizations to quickly identify which of their systems are affected and prioritize patching efforts. Regular vulnerability scanning and asset management are essential for maintaining an accurate inventory of software versions and identifying vulnerable systems. Organizations should also develop a patch management process that includes testing patches in a non-production environment before deploying them to production systems. This can help to prevent unforeseen issues and ensure that the patches are effective.
Indicators of Compromise and Mitigation Steps
Fortinet has provided indicators of compromise (IOCs) in its security alert to help organizations detect potential exploitation attempts. If immediate patching is not feasible, Fortinet recommends temporarily disabling the HTTP/HTTPS administrative interface as a mitigating measure. IOCs are critical for proactive threat hunting and incident response. Organizations should integrate these IOCs into their security information and event management (SIEM) systems and other security tools to detect potential exploitation attempts. Disabling the HTTP/HTTPS administrative interface can reduce the attack surface, but it may also impact the functionality of the affected products. Organizations should carefully consider the tradeoffs before implementing this mitigation measure.
Ivanti Addresses Remote Code Execution Vulnerabilities in Endpoint Manager Mobile
Ivanti has released a security advisory addressing two vulnerabilities affecting its Endpoint Manager Mobile (EPMM) solution. These vulnerabilities, when chained together, can lead to unauthenticated remote code execution. Ivanti has stated that the vulnerabilities are associated with open-source code used in EPMM, rather than Ivanti’s core code. This underscores the importance of securing the entire software supply chain, including open-source components. Organizations should implement processes for auditing and managing the open-source components used in their products. This includes tracking vulnerabilities in these components and applying patches as needed. The fact that these vulnerabilities can be chained together also highlights the importance of considering the potential interactions between different vulnerabilities.
Vulnerability Details
- CVE-2025-4427 (Medium Severity): This is an authentication bypass flaw with a CVSS v3.1 severity score of 5.3. An attacker could exploit this to bypass authentication mechanisms and gain unauthorized access to the system. Authentication bypass vulnerabilities are particularly dangerous because they can allow attackers to gain access to sensitive data or functionality without having to provide valid credentials.
- Remote Code Execution Vulnerability (High Severity): This vulnerability has a CVSS v3.1 severity score of 7.2, indicating a high potential impact. By exploiting this flaw, an attacker could execute arbitrary code on the affected system remotely. Remote code execution vulnerabilities are among the most dangerous types of vulnerabilities because they can allow attackers to take complete control of an affected system.
Affected Products and Versions
The following versions of Ivanti Endpoint Mobile Manager are affected by these vulnerabilities. Upgrade to the latest versions as soon as possible:
- Ivanti Endpoint Mobile Manager
- 11.12.0.4 and prior: Upgrade to 11.12.0.5 and later
- 12.3.0.1 and prior: Upgrade to 12.3.0.2 and later
- 12.4.0.1 and prior: Upgrade to 12.4.0.2 and later
- 12.5.0.0 and prior: Upgrade to 12.5.0.1 and later
The detailed version information, as with the Fortinet advisory, is critical for organizations to quickly identify affected systems.
Mitigation Strategies
Ivanti strongly advises users to upgrade to the latest version of EPMM as soon as possible. However, risk can be significantly reduced by filtering access to the API using the built-in Portal ACLs or an external Web Application Firewall (WAF). These measures can help prevent unauthorized access and exploitation of the vulnerabilities. Implementing defense-in-depth strategies, such as using Portal ACLs and WAFs, is crucial for mitigating the risk of exploitation. These measures can provide an additional layerof protection even if the vulnerabilities are not immediately patched. Organizations should also consider implementing multi-factor authentication (MFA) to further protect against unauthorized access. MFA can make it much more difficult for attackers to bypass authentication mechanisms.
In conclusion, the recent security advisories from Microsoft, Fortinet, and Ivanti highlight the ever-present need for vigilance and proactive security measures. Organizations must prioritize patching and implementing recommended workarounds to protect themselves from these actively exploited vulnerabilities and potential future attacks. Regularly monitoring security advisories and promptly addressing identified risks are essential components of a robust security posture. The potential consequences of failing to address these vulnerabilities could be severe, ranging from data breaches and financial losses to reputational damage and business disruption. The collaboration between vendors and the security community is paramount in identifying and mitigating these threats, ensuring a safer and more secure digital environment for all. Continuous monitoring, robust incident response plans, and employee training are all crucial elements in maintaining a strong security posture. Organizations should also consider participating in threat intelligence sharing programs to stay informed about the latest threats and vulnerabilities. By working together, vendors, security professionals, and organizations can create a more secure digital world.