Cyber Security Weekly Briefing, 8-14 February
Microsoft fixes four 0-day vulnerabilities in its February Patch Tuesday
Microsoft has released its February 2025 Patch Tuesday, fixing 55 security flaws. Among them are four 0-day vulnerabilities, two of which are reportedly being actively exploited: CVE-2025-21391 (CVSSv3 7.1 according to Microsoft), which allows attackers to delete files from the system, and CVE-2025-21418 (CVSSv3 7.8 according to the vendor), which grants SYSTEM privileges in Windows.
Microsoft has not released further information about the attacks in which these flaws were being actively exploited. The other two 0-day flaws patched are CVE-2025-21194 (CVSSv3 7.1 according to Microsoft), which allows security feature bypass on Surface devices, and CVE-2025-21377 (CVSSv3 6.5 according to the vendor), which exposes user NTLM hashes. In addition, three critical remote code execution flaws have been fixed. The update also includes previously released patches for Microsoft Edge and Dynamics 365.
Ivanti patches multiple vulnerabilities, three critical
Ivanti has released its February security bulletin, providing patches for eight vulnerabilities: three critical, one high and four medium. The highest-rated vulnerability is CVE-2025-22467 (CVSSv3 9.9 according to the vendor), a buffer overflow in Ivanti Connect Secure that allows authenticated attackers to trigger memory corruption and execute arbitrary code on the system.
The other two critical vulnerabilities are CVE-2024-38657 (CVSSv3 9.1 according to Ivanti), an external control of filename vulnerability in Ivanti Connect Secure and Ivanti Policy Secure, and CVE-2024-10644 (CVSSv3 9.1 according to Ivanti), a code injection issue in Ivanti Connect Secure and Ivanti Policy Secure. The company has stated that it is not aware of any attacks exploiting these vulnerabilities at the time of the bulletin's release.
MitM bug fixed in OpenSSL
OpenSSL has patched a new vulnerability in its secure communications library. The flaw, reported by Apple researchers, is tracked as CVE-2024-12797 and has no CVSS score assigned at this time. OpenSSL provides an open source implementation of the SSL and TLS protocols, and the issue lies in its server authentication checks in SSL_VERIFY_PEER mode: TLS/DTLS connections from clients using RFC 7250 raw public keys (RPKs) may be vulnerable to man-in-the-middle (MitM) attacks.
The vulnerability affects TLS clients that explicitly enable the use of RPKs (sent in place of an X.509 certificate chain) and rely on SSL_VERIFY_PEER to detect authentication failures. OpenSSL notes, however, that RPKs are disabled by default on both TLS clients and servers. The affected versions are OpenSSL 3.4, 3.3 and 3.2; the fix is included in versions 3.4.1, 3.3.2 and 3.2.4.
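The exposure conditions above (affected series, fixed release per series, RPK enabled, reliance on SSL_VERIFY_PEER) can be folded into a small inventory check. The following is an added example, not code from the briefing or from the OpenSSL project; the fixed versions and affected series come from the text above, while the host inventory, the `rpk_enabled` and `verify_peer` flags and the `exposure` labels are constructed for illustration and would have to be populated from your own configuration management.

```python
"""Triage helper for CVE-2024-12797 (OpenSSL raw-public-key MitM).

Added example: the affected series and first fixed release on each
series are taken from the briefing text; everything else is constructed.
"""
import re
import ssl

# Earliest fixed release on each affected series (from the briefing):
# 3.4 -> 3.4.1, 3.3 -> 3.3.2, 3.2 -> 3.2.4. Other series are not listed.
FIXED_BY_SERIES = {
    (3, 4): (3, 4, 1),
    (3, 3): (3, 3, 2),
    (3, 2): (3, 2, 4),
}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings such as
    'OpenSSL 3.2.3 28 Nov 2024' or plain '3.4.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> bool:
    """True if the build is on an affected series and older than its fix."""
    version = parse_version(text)
    fixed = FIXED_BY_SERIES.get(version[:2])
    if fixed is None:
        return False  # series not listed as affected (e.g. 3.0, 1.1.1)
    return version < fixed


def exposure(version_text: str, rpk_enabled: bool, verify_peer: bool) -> str:
    """Classify a client host. Labels are constructed for this example:
    a vulnerable build is only 'exposed' when the client has turned RPK
    on (it is off by default) and relies on SSL_VERIFY_PEER."""
    if not is_affected(version_text):
        return "patched-or-unaffected"
    if not rpk_enabled:
        return "vulnerable-build-rpk-disabled"
    if not verify_peer:
        return "vulnerable-build-rpk-enabled-review-peer-checks"
    return "exposed-upgrade-required"


def check_local() -> bool:
    """Apply is_affected() to the OpenSSL linked into this interpreter."""
    return is_affected(ssl.OPENSSL_VERSION)


# Constructed inventory: (host, version string, rpk_enabled, verify_peer).
INVENTORY = [
    ("web-01", "OpenSSL 3.2.3 28 Nov 2024", False, True),
    ("api-02", "OpenSSL 3.4.0 22 Oct 2024", True, True),
    ("iot-gw", "OpenSSL 3.3.1 4 Jun 2024", True, False),
    ("db-07", "OpenSSL 3.0.15 3 Sep 2024", True, True),
    ("old-vm", "OpenSSL 1.1.1w 11 Sep 2023", False, True),
]


def triage(inventory=INVENTORY) -> dict:
    """Map each host to its exposure label."""
    return {host: exposure(ver, rpk, vp) for host, ver, rpk, vp in inventory}


if __name__ == "__main__":
    for host, label in triage().items():
        print(f"{host:8s} {label}")
    print("local interpreter affected:", check_local())
```

Only the `exposed-upgrade-required` hosts match all the conditions the advisory describes; the `review-peer-checks` label is a constructed prompt to look at how that client validates the server when it does not use SSL_VERIFY_PEER, since the briefing says nothing about other verification paths.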
Cl0p ransomware attacks 43 organizations exploiting a critical vulnerability
The Cl0p ransomware group has listed 43 new victims on its leak site, although as of this writing the threat actor has not yet published the exfiltrated data. According to an analysis published by Cyfirma, the most affected sectors among these newly listed victims are industrial (37%), retail (26%) and transport (14%), with 72% of the organizations located in the U.S.
The researchers state that the group, which has been active since at least early 2019 and has reportedly been linked to the actor TA505 (EvilCorp), gained initial access by exploiting the critical vulnerability CVE-2024-50623 (CVSSv3 9.8) in Cleo, which allows remote code execution. They also note that, at the time their analysis was published, more than 1.6 million assets were reportedly running vulnerable versions of the software.
Quishing 2.0: new malware distribution technique using QR codes
Tripwire researchers have published an article warning about the rise of quishing, a fraud technique based on spoofed QR codes. Attackers use these codes to redirect victims to fraudulent sites, steal credentials and distribute malware. Among the most common tactics are malicious QR codes embedded in emails, printed in public places or used in misleading offers. The evolution of the attack, which Tripwire has dubbed quishing 2.0, chains redirects through legitimate sites in order to circumvent security controls.
To mitigate the risk, the researchers stress the importance of applying appropriate security measures, recommending in particular staff training, the deployment of multi-factor authentication and the use of advanced email security solutions.