Vulnerability-Digest-Apr-2025

The April 2025 Vulnerability Digest highlights significant cyber threats, including advanced malware attacks on Ivanti and Oracle Cloud breaches, as well as critical vulnerabilities in Microsoft products. It emphasizes the urgency of patching actively exploited software such as Google Chrome and Apache Tomcat within 24-48 hours. Recommendations include auditing middleware for security risks and monitoring exploit trends to mitigate potential threats.


Vulnerability Digest

April 2025

Sean Carroll, Lead Technical Product Engineer
William Busler, Technical Product Engineer
Agenda

1 Top Attacks of the Month
  ▪ Ivanti Under Siege with Advanced Malware
  ▪ Oracle Cloud Compromised
  ▪ Massive Exploitation of DrayTek Routers

2 Microsoft Patch Tuesday
  ▪ Overview
  ▪ Zero-day Vulnerabilities
  ▪ Critical Vulnerabilities

3 Software Updates
  ▪ Google
  ▪ Mozilla Firefox
  ▪ Apple
  ▪ NGINX
  ▪ WinRAR
  ▪ Fortinet
  ▪ Next.js
  ▪ Veeam
  ▪ Apache
  ▪ Cisco
  ▪ Splunk
  ▪ VMware
  ▪ Linux ecosystem

Demo and Q&A!


Housekeeping

▪ You’ll get the slides via email
▪ Feel free to ask questions during the ppt via chat or Q&A
▪ Take a short poll and survey; we appreciate your feedback!
▪ You’ll get the recording within 24h
© Action1 Corporation. All rights reserved.


Top Attacks of the Month
Ivanti Under Siege with Advanced Malware

• RESURGE malware exploits unpatched Ivanti VPNs


• Linked to China-based APTs and advanced persistence techniques

Oracle Cloud Compromised via Middleware Flaw

• Oracle Cloud breach leaked 6M credentials


• Middleware flaw suspected; Oracle slow to respond

Massive Exploitation of DrayTek Routers

• Mass reboots tied to attacks on DrayTek routers


• Firmware flaws exploited; global ISP outages reported

Fortinet Firewalls Hit by SuperBlack Ransomware

• Fortinet firewalls exploited to deploy SuperBlack ransomware


• Ransomware shares code and tactics with LockBit



Microsoft Patch Tuesday Overview

121 fixed vulnerabilities | 11 critical vulnerabilities | 1 zero-day vulnerability fixed



April 2025 Microsoft Vulnerabilities & Patch Prioritization

| CVE ID | Product / Component | CVSS Score | Exploited in Wild | Priority Recommendation |
|---|---|---|---|---|
| CVE-2025-29824 | Windows CLFS Driver (Privilege Escalation) | 7.8 | Yes | High |
| CVE-2025-29791 | Microsoft Office (Type Confusion RCE) | 7.8 | No | Medium |
| CVE-2025-2774/48/45 | Microsoft Office (UAF RCE) | 7.8 | No | Medium |
| CVE-2025-27482 | Remote Desktop Gateway (Memory Exposure) | 8.1 | No | High |
| CVE-2025-27480 | Remote Desktop Gateway (Use-After-Free) | 8.1 | No | High |
| CVE-2025-26670/63 | Windows LDAP Client (Use-After-Free) | 8.1 | No | High |

Legend (status markers on the original slide): exploited in the wild / public PoC or suspected / patch available, no known exploitation.

Prioritize patching High-risk CVEs within the next 72 hours!


High Priority Software Updates
(Actively Exploited Threats)

**Google Chrome (CVE-2025-2783 [CVSS 9.6])**
- Zero-day exploited via phishing with sandbox bypass
- Targets included Russian govt, academia, media via fake "Primakov Readings" site
- Likely state-sponsored APT; patch released March 25 for Mojo component

**Apache Tomcat (CVE-2025-24813)**
- Exploited RCE via PUT + GET method using base64 payloads
- Requires no authentication; session deserialization leads to code execution
- Exploitable only where the default servlet allows writes (readonly=false), file-based session persistence is enabled, and a deserialization gadget is on the classpath; patch regardless, since those settings are easy to miss in an audit
- Upgrade to 9.0.99+, 10.1.35+, or 11.0.3+ immediately

**Apple (CVE-2025-24200, CVE-2025-24201, CVE-2025-24085)**
- USB mode bypass, WebKit sandbox escape, Core Media escalation
- Used in sophisticated real-world attacks, patched via multiple OS updates
- Backports released for older iOS/macOS versions to close attack window

**Cisco Smart Licensing Utility (CVE-2024-20439, CVE-2024-20440)**
- Active exploitation confirmed via honeypots
- CVE-2024-20439 acts as backdoor via hardcoded password
- Patch issued Sept 2024; exploitation observed in April 2025
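The Tomcat entry describes a two-step chain (a PUT that stages a serialized session, then a GET that presents the staged file as a session id). The detector below is an added example written for this digest, not code from Action1 or the Tomcat project. It assumes the access log was written with the AccessLogValve pattern `%h %l %u %t "%r" %s %b "%{JSESSIONID}c"` (an assumption; adjust the regex for your pattern) and runs over constructed sample lines, not a real incident log. The tell it looks for is a PUT to a path ending in `.session` (or a PUT answered with 409, which public PoCs typically get) followed by a GET from the same client whose JSESSIONID starts with a dot, which is how the exploit points Tomcat's FileStore at the partial-PUT temp file.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Tomcat AccessLogValve pattern: %h %l %u %t "%r" %s %b "%{JSESSIONID}c"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<jsessionid>[^"]*)"'
)

# Constructed sample log lines (not from any real incident). The first client stages a
# serialized session via partial PUT, then presents the dot-prefixed session id.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Apr/2025:10:00:01 +0000] "PUT /poc.session HTTP/1.1" 409 - "-"
203.0.113.10 - - [02/Apr/2025:10:00:02 +0000] "GET / HTTP/1.1" 200 1234 ".poc"
198.51.100.7 - - [02/Apr/2025:10:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 512 "8F1A2B3C4D5E"
198.51.100.7 - - [02/Apr/2025:10:05:01 +0000] "PUT /upload/report.txt HTTP/1.1" 201 - "8F1A2B3C4D5E"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_staging_put(rec):
    # The exploit writes its payload with a PUT whose path ends in ".session" so that the
    # partial-PUT temp file matches the FileStore naming scheme (<id>.session).
    # Public PoCs typically get a 409 back on that PUT, so 409 is used as a secondary signal.
    return rec["method"] == "PUT" and (rec["path"].endswith(".session") or rec["status"] == 409)


def is_dotted_session_get(rec):
    # A JSESSIONID beginning with "." points Tomcat at the dot-prefixed temp file.
    return rec["method"] == "GET" and rec["jsessionid"].startswith(".")


def find_tomcat_24813_chains(log_text, window=timedelta(minutes=5)):
    """Return (ip, put_path, jsessionid) for each staging PUT followed, within `window`,
    by a GET from the same client carrying a dot-prefixed JSESSIONID."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, put in enumerate(recs):
            if not is_staging_put(put):
                continue
            for follow in recs[i + 1:]:
                if follow["ts"] - put["ts"] > window:
                    break
                if is_dotted_session_get(follow):
                    hits.append((ip, put["path"], follow["jsessionid"]))
                    break
    return hits


if __name__ == "__main__":
    for hit in find_tomcat_24813_chains(SAMPLE_LOG):
        print("possible CVE-2025-24813 chain:", hit)
```

A hit is a strong indicator rather than proof: the GET only succeeds if the preconditions listed above are met, so pair this with a check of `conf/web.xml` (DefaultServlet `readonly`) and `context.xml` (a `PersistentManager` with `FileStore`) on the same host.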
Medium Priority Software Updates
(PoC Available – High Risk, Not Yet Exploited)

**WinRAR (CVE-2025-31334 [CVSS 6.8])**
- MotW bypass via symbolic link in archive
- No confirmed exploitation, but high-risk due to 500M+ users
- Related flaws were used by DarkMe, Agent Tesla malware

**Firefox 137 (CVE-2025-3028, -3029, -3032)**
- Memory handling flaws: UAF, descriptor leaks, UI spoofing
- Public technical details available
- Could enable code execution or phishing deception

**Next.js (CVE-2025-29927 [CVSS 9.1])**
- Middleware bypass via forged x-middleware-subrequest header
- Akamai observed scanning activity days after disclosure
- Exploitation could expose privileged admin pages
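The Next.js bypass works because `x-middleware-subrequest` is an internal header the framework uses to stop middleware recursion; when a client supplies it, middleware (and any auth check living there) is skipped. The interim mitigation, while upgrading, is to make sure that header can never arrive from the outside. The code below is an added example, not from the digest or from Vercel: a WSGI middleware standing in for the reverse proxy in front of a Next.js origin, which rejects any external request carrying the header and flags values that match the published bypass shapes (a known middleware path name, optionally repeated with `:` separators). The stand-in origin app, the `KNOWN_BYPASS_VALUES` list, and the audit sink are assumptions for illustration.

```python
from wsgiref.util import setup_testing_defaults

# WSGI spelling of the HTTP header "x-middleware-subrequest"
BYPASS_HEADER = "HTTP_X_MIDDLEWARE_SUBREQUEST"

# Middleware path names that appear in public write-ups of CVE-2025-29927.
# Assumption: illustrative, not an exhaustive list.
KNOWN_BYPASS_VALUES = {
    "pages/_middleware",   # Next.js 11/12 pages router
    "middleware",          # single root middleware (12.2+)
    "src/middleware",      # same, under src/
}


def looks_like_bypass(value):
    """True if every ':'-separated element is a known middleware name. Newer Next.js
    versions only skip middleware once the name repeats up to a recursion limit,
    which is why exploit payloads look like 'middleware:middleware:...'."""
    parts = value.split(":")
    return bool(parts) and all(p in KNOWN_BYPASS_VALUES for p in parts)


def classify(environ):
    """Decide what to do with one request based solely on the internal header."""
    value = environ.get(BYPASS_HEADER)
    if value is None:
        return "allow", None
    if looks_like_bypass(value):
        return "block", f"known CVE-2025-29927 bypass value: {value}"
    return "block", f"unexpected x-middleware-subrequest from client: {value}"


class StripSubrequestHeader:
    """WSGI middleware: refuse any client request carrying x-middleware-subrequest.
    The header is internal to Next.js and has no legitimate external sender."""

    def __init__(self, app, audit):
        self.app = app
        self.audit = audit  # list that receives (client_ip, path, reason) tuples

    def __call__(self, environ, start_response):
        action, reason = classify(environ)
        if action == "block":
            self.audit.append((environ.get("REMOTE_ADDR"), environ.get("PATH_INFO"), reason))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return self.app(environ, start_response)


def protected_app(environ, start_response):
    # Stand-in for the Next.js origin; /admin is what middleware is supposed to gate.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"admin page\n"]


def send(app, path, extra_headers=None):
    """Drive a WSGI app in-process and return (status, body) for one request."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    environ["REMOTE_ADDR"] = "203.0.113.5"   # constructed client address
    environ.update(extra_headers or {})
    status_holder = []

    def start_response(status, headers, exc_info=None):
        status_holder.append(status)

    body = b"".join(app(environ, start_response))
    return status_holder[0], body


if __name__ == "__main__":
    audit = []
    app = StripSubrequestHeader(protected_app, audit)
    print(send(app, "/admin"))
    print(send(app, "/admin", {BYPASS_HEADER: "middleware:middleware:middleware:middleware:middleware"}))
    print(audit)
```

In production the same rule belongs in the proxy or WAF rather than in application code; for nginx, `proxy_set_header x-middleware-subrequest "";` drops the header before it reaches the origin, because an empty value removes the field from the proxied request. Blocking is still only a stopgap: upgrade to a fixed Next.js release.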
Medium Priority Software Updates (continued)
(PoC Available – High Risk, Not Yet Exploited)

**Veeam Backup & Replication (CVE-2025-23120 [CVSS 9.8])**
- Deserialization flaw in .NET components affecting domain-joined servers
- Technical details published; real-world exploitation expected soon
- Fixed in version 12.3.1 (build 12.3.1.1139)

**NGINX Ingress Controller (CVE-2025-1097, -1098, -24514, -1974)**
- Remote code execution via malicious ingress object configuration
- Impacts 6,500+ exposed Kubernetes clusters (an estimated 43% of internet-facing deployments)
- Fixed in Ingress-NGINX Controller 1.12.1 and 1.11.5
Software Updates: Low Priority
(Watchlist, No Exploitation Yet, But Worth Action)

**Linux Bootloaders (CVE-2025-0678 [CVSS 7.8], others)**
- 20 new flaws in GRUB2, U-Boot, Barebox discovered with an AI tool
- Affect Secure Boot integrity and may allow bootkit installs
- Most require local access; patching still critical for sensitive systems

**Splunk (CVE-2025-20229 [CVSS 8.0], others)**
- Remote code execution in Splunk Enterprise; log leakage in the Secure Gateway App
- No exploitation reported; phishing vector possible
- Patched in Splunk Enterprise 9.4.1, Secure Gateway 3.8.38

**Fortinet (Multiple CVEs)**
- 18 vulnerabilities in FortiOS, FortiProxy, FortiSIEM, and others
- Include RCE, XSS, auth bypass; no exploitation seen
- Recommended: patch systems and review access permissions

**VMware Tools for Windows (CVE-2025-22230 [CVSS 7.8])**
- Authentication bypass from guest VM to higher privileges
- No attacks observed; limited to Windows guests
- Fix available in VMware Tools 12.5.1
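Several entries in the software-update sections above give a fixed version per release branch (Tomcat 9.0.99/10.1.35/11.0.3, ingress-nginx 1.11.5/1.12.1, Veeam 12.3.1.1139, Splunk 9.4.1, VMware Tools 12.5.1). Comparing an inventory against those correctly is branch-aware, not a flat version compare: Tomcat 9.0.100 is fixed even though 10.1.34 is not, and a host on an unlisted branch (an EOL Tomcat 8.5, say) should surface as needing attention rather than silently passing. The triage helper below is an added example, not from the digest; the fixed-version table is taken from the digest's own entries, with Next.js added from Vercel's CVE-2025-29927 advisory (13.5.9, 14.2.25, 15.2.3). The inventory is constructed.

```python
import re

# Fixed versions per release branch. Tomcat, ingress-nginx, Veeam, Splunk and VMware Tools
# are as listed in the digest; Next.js comes from the vendor advisory for CVE-2025-29927.
# Only the branches the digest names are covered; anything else reports "unknown-branch".
FIXED = {
    "tomcat":        {"9.0": "9.0.99", "10.1": "10.1.35", "11.0": "11.0.3"},   # CVE-2025-24813
    "ingress-nginx": {"1.11": "1.11.5", "1.12": "1.12.1"},                     # CVE-2025-1974 et al.
    "veeam-vbr":     {"12": "12.3.1.1139"},                                    # CVE-2025-23120
    "splunk":        {"9.4": "9.4.1"},                                         # CVE-2025-20229
    "vmware-tools":  {"12": "12.5.1"},                                         # CVE-2025-22230
    "nextjs":        {"13": "13.5.9", "14": "14.2.25", "15": "15.2.3"},        # CVE-2025-29927
}


def parse_version(s):
    """'10.1.35' -> (10, 1, 35); tolerates a leading 'v' and suffixes such as '-rc1'."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", s.strip())
    if not core:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in core.group(1).split("."))


def find_branch(product, version):
    """Longest branch key whose components are a prefix of the version, or None."""
    v = parse_version(version)
    best = None
    for branch in FIXED[product]:
        b = parse_version(branch)
        if v[:len(b)] == b and (best is None or len(b) > len(parse_version(best))):
            best = branch
    return best


def assess(product, version):
    """'fixed', 'vulnerable', or 'unknown-branch' (unlisted/EOL branch: treat as vulnerable)."""
    branch = find_branch(product, version)
    if branch is None:
        return "unknown-branch"
    v = parse_version(version)
    fixed = parse_version(FIXED[product][branch])
    # Pad to equal length so 9.0.99 and 9.0.99.0 compare as equal.
    n = max(len(v), len(fixed))
    v, fixed = v + (0,) * (n - len(v)), fixed + (0,) * (n - len(fixed))
    return "fixed" if v >= fixed else "vulnerable"


# Constructed inventory: hostnames and versions invented for the example.
INVENTORY = [
    ("app01", "tomcat", "9.0.98"),
    ("app02", "tomcat", "10.1.35"),
    ("legacy01", "tomcat", "8.5.100"),
    ("k8s-edge", "ingress-nginx", "v1.11.4"),
    ("backup01", "veeam-vbr", "12.3.0.310"),
    ("web03", "nextjs", "14.2.24"),
]


def triage(inventory):
    """Every host that is not on a fixed build, with its status, in inventory order."""
    result = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status != "fixed":
            result.append((host, product, version, status))
    return result


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%-10s %-14s %-12s %s" % row)
```

Feed it the version strings your agent or package inventory already reports; the point of the `unknown-branch` outcome is that an unsupported branch has no fixed version to reach, so the remediation is a migration, not a patch.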
Recommendations & Takeaways

• Prioritize actively exploited CVEs: Patch Chrome, Tomcat, Cisco Smart Licensing, and Apple devices within 24–48 hours
• Audit middleware and sandbox escapes: Evaluate Next.js, Firefox, Splunk use cases for security bypass risks
• Review domain trust and guest isolation: Veeam and VMware flaws show dangers in domain-joined services
• Contain blast radius of PoC vulnerabilities: Restrict Internet-facing access to WinRAR, NGINX, Fortinet appliances
• Monitor exploit trends and threat intel: Exploits evolve quickly post-disclosure; subscribe to live feeds for updates
Thank you! Questions?
