Overview
Microsoft has released security updates to address 159 vulnerabilities in Microsoft products. Six of these are outlined below: three are critical severity and three others are being actively exploited.
- CVE-2025-21298 - Windows OLE Remote Code Execution Vulnerability
This critical vulnerability involves a ‘Use After Free’ flaw in Windows and Windows Server, with a CVSSv3 score of 9.8. Exploiting this issue enables remote, unauthenticated attackers to execute arbitrary code.
- CVE-2025-21307 - RMCAST Remote Code Execution Vulnerability
A ‘Use After Free’ vulnerability affecting the Reliable Multicast Transport Driver (RMCAST) in Windows and Windows Server. It holds a CVSSv3 score of 9.8, and successful attacks could lead to remote code execution by unauthenticated attackers.
- CVE-2025-21311 - Windows NTLM V1 Privilege Escalation Vulnerability
This vulnerability arises from an ‘Incorrect Implementation of Authentication Algorithm’ in NTLM V1 on Windows and Windows Server. With a CVSSv3 score of 9.8, it could allow an unauthenticated attacker to elevate their privileges.
- CVE-2025-21333 - Hyper-V Kernel Integration VSP Privilege Escalation Vulnerability
A heap-based buffer overflow in Hyper-V NT Kernel Integration VSP on Windows and Windows Server, rated 7.8 on the CVSSv3 scale. This flaw could grant SYSTEM-level access to attackers and is currently being actively exploited.
- CVE-2025-21334 - Hyper-V Kernel Integration VSP Privilege Escalation Vulnerability
This ‘Use After Free’ vulnerability in Hyper-V NT Kernel Integration VSP impacts Windows and Windows Server with a CVSSv3 score of 7.8. It could allow attackers to gain SYSTEM privileges and is under active exploitation.
- CVE-2025-21335 - Hyper-V Kernel Integration VSP Privilege Escalation Vulnerability
Similar to CVE-2025-21334, this ‘Use After Free’ issue in Hyper-V NT Kernel Integration VSP has a CVSSv3 rating of 7.8. Successful exploitation grants SYSTEM privileges, and it is also being actively exploited.
Ivanti has released a security advisory to address 16 vulnerabilities impacting its Endpoint Manager (EPM) products, a comprehensive solution for managing device endpoints within a network.
Among these, four vulnerabilities (CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-1315) carry a CVSSv3 score of 9.8 and could enable an unauthenticated, remote attacker to exploit path traversal to access sensitive information.
Additionally, other high-severity vulnerabilities that could lead to remote code execution (RCE), privilege escalation, or denial-of-service (DoS) have also been mitigated.
Fortinet has issued a security advisory regarding a critical flaw in FortiOS and FortiProxy. FortiOS serves as the operating system for Fortinet devices, such as SSLVPNs and Next-Generation Firewalls (NGFW), while FortiProxy functions as a secure web gateway with advanced filtering and inspection capabilities.
The vulnerability, identified as CVE-2024-55591, is an 'authentication bypass' issue with a CVSSv3 severity rating of 9.6. Exploitation allows a remote, unauthenticated attacker to craft specific requests targeting the Node.js WebSocket module, potentially granting them super-admin access.
Fortinet has published a security advisory addressing a critical vulnerability in FortiSwitch. FortiSwitch is a scalable network switch solution that integrates with Fortinet's infrastructure.
The vulnerability, identified as CVE-2023-37936, is categorized as a 'hard-coded cryptographic key' issue and carries a CVSSv3 severity score of 9.6. A remote attacker in possession of the cryptographic key could exploit this flaw to execute remote code without authentication.
SAP has released its January 2025 security updates, addressing several vulnerabilities across various product lines. Notably, critical issues impact the SAP NetWeaver product line, a core software stack supporting many SAP applications, including the mySAP Business Suite.
Key vulnerabilities in NetWeaver AS for ABAP and ABAP Platform include:
- CVE-2025-0070: An 'improper authentication' flaw (CVSSv3 score: 9.9) that could allow privilege escalation by authenticated low-privilege attackers.
- CVE-2025-0066: An 'incorrect permission assignment' issue (CVSSv3 score: 9.9) that may lead to information disclosure.
- CVE-2025-0063: An SQL injection vulnerability (CVSSv3 score: 8.8) due to improper neutralisation of special elements in SQL commands.
Additionally, the updates address 13 other vulnerabilities across multiple products.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Microsoft – Security Updates
Ivanti – Security Advisory
Fortiguard – PSIRT CVE-2024-55591
Fortiguard – PSIRT CVE-2023-37936
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.