Microsoft 365 Copilot Training for IT

Join us at Microsoft 365 Copilot Training for IT to learn how to use Microsoft Copilot to simplify your everyday tasks. During this free event, discover how Copilot can help you enhance efficiency, simplify complex tasks, and optimize technical workflows. You’ll be able to:

  • Use Copilot to summarize the information in a product spec document for a network security product and create a project plan to implement the product.
  • Use Copilot in PowerPoint to create and customize a business presentation based on the product plan that you created for the new network security product.
  • Use Copilot in Word to modify a technical implementation report for a customer who is planning to install your new network security product.
  • Use Copilot in Outlook to draft an email that provides highlights from the technical implementation report that you created for the customer who is installing your new network security product.

Join us at an upcoming event:
Delivery Language: English
Closed Captioning Language: English
Event Delivery: Digital
  • Tuesday, March 25, 2025, 4:00 – 5:00 PM (GMT-05:00)
  • Monday, April 07, 2025, 12:00 – 1:00 PM (GMT-05:00)
  • Tuesday, April 22, 2025, 10:00 – 11:00 AM (GMT-05:00)
  • Tuesday, May 06, 2025, 2:00 – 3:00 PM (GMT-05:00)
Space is limited. Register for free today.

Draft CSF 2.0 Quick Start Guide: Cybersecurity, ERM & Workforce Development

Draft Released Today for Public Comment – NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide

The Initial Public Draft (IPD) of NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is now published! This document shows how the Workforce Framework for Cybersecurity (NICE Framework) and the Cybersecurity Framework (CSF) 2.0 can be used together to address cybersecurity risk.

This QSG draws on three key NIST resources to enable users to align their cybersecurity, ERM, and workforce management practices in a streamlined process:

  • The Cybersecurity Framework (CSF) 2.0.
  • The Workforce Framework for Cybersecurity (NICE Framework).
  • The NIST IR 8286 series, Integrating Cybersecurity and Enterprise Risk Management (ERM).

This publication is the most recent within a portfolio of CSF 2.0 quick start guides released since February 26, 2024. These resources provide different audiences with tailored pathways into the CSF 2.0 and make the Framework easier to put into action. View all CSF 2.0 quick start guides here.

The comment period for NIST Special Publication 1308, NIST Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick Start Guide is open through April 25, 2025, at 11:59 PM.

Read the Quick Start Guide

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, threat actors could install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Google indicates limited, targeted exploitation of CVE-2024-43093 and CVE-2024-50302.
Systems Affected
  • Android OS patch levels prior to 2025-03-05
Risk
Government:
  • Large and medium government entities: High
  • Small government entities: High
Businesses:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Recommendations
  • Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system.
Reference
Android:
https://source.android.com/docs/security/bulletin/2025-03-01

Wire Transfer Fraud for Real Estate Transactions

Threat actors can perform reconnaissance by searching for and weaponizing publicly disclosed data and using a variety of impersonation techniques to convince their target that they are known and trusted parties involved in real estate transactions, including attorneys, real estate agents, brokers, title agencies, escrow services, mortgage companies, third-party vendors, buyers, and sellers. To appear legitimate, they spoof a familiar contact’s source name or email address or use domain names that mimic a trusted source in spearphishing attacks. The messages typically instruct the target to transfer funds, divulge sensitive information, or submit account credentials via phishing links to the threat actors posing as trusted individuals.
Threat actors target and gain unauthorized access to legitimate email accounts using compromised credentials. Compromised email accounts contain a wealth of information, including personally identifiable information (PII), various forms of identification, legal documentation, settlement statements, closing disclosures, and pre-closing transactions. One part or a combination of this information can be used to commit further malicious activities, such as identity theft and fraud. Real estate wire transfer scams can result in system compromises, data breaches, financial losses, and reputational damages.
The NJCCIC continues to receive reports of impersonation scams and wire transfer fraud in real estate transactions. Threat actors targeted numerous New Jersey title agencies and real estate attorneys, compromised email accounts, and sent fraudulent wire transfer instructions. The funds were typically transferred before the scheme was discovered. Threat actors are likely to increase their targeting as spring and early summer approach, since these seasons are generally the peak for buying and selling real estate.

Browser Extensions and Malicious Downloads Install Infostealers

Cybercriminals use information-stealing malware, also known as infostealers, to gather data about users, their devices, and their networks. This information can include personal information, account information like online passwords, and other sensitive data. Infostealers are installed on victim devices in several ways, such as malicious browser extensions and downloads.
Users download browser extensions for a variety of reasons. Once an extension has become popular in the official web stores, threat actors surreptitiously purchase or hijack it for malicious purposes and capitalize on the trust it has gained. Users often continue to use the extension even after it has been taken over by the new vendor, as they are likely unaware of the change. Oftentimes, the new vendor will also update the extension’s permissions, allowing them to access, read, and modify files on the user’s system and more, as noted in image 1. Some threat actors use the extension to inject code into the system’s browser to facilitate malvertising and search engine optimization fraud, which leads into the second stage of their operation.
Image 1
If threat actors can manipulate search results and the online advertising viewed by users, they can push them to initiate malicious downloads. For example, the NJCCIC’s security operations center (SOC) team noted that malicious software known as pdfconverters[.]exe is often obtained by users searching for free worksheets, calendars, and more. While this program can convert documents, its real purpose is to act as a RedLine infostealer. A screenshot of the site and associated URLs advertising this download is noted in images 2 and 3.
Image 2
Image 3
Users who navigate to the sites advertising malicious downloads are often redirected there by other sites. Image 4 shows how a user is referred to these sites by malvertisements (column 3).
Image 4
Once pdfconverters[.]exe is downloaded, the threat actors exfiltrate information to command and control (C2) domains through WebView2, which occurs in a window that is hidden from the user. A screenshot of the WebView2 history in image 5 shows those domains being contacted; however, this was not visible in the user’s regular browsing history.
Image 5
Once the infostealer has been installed on the user’s device, it can gather sensitive information including the data, files, and images on the device, browsing history, account passwords, and more. Image 6 shows an example of the browser information that would be viewable by the threat actors, who could easily decrypt the passwords associated with the noted websites.
Image 6
For technical analysis and IOCs, please continue reading…

Root certificate will expire on 14 March — users need to update Firefox to prevent add-on breakage

On 14 March a root certificate (the resource used to prove an add-on was approved by Mozilla) will expire, meaning Firefox users on versions older than 128 (or ESR 115) will not be able to use their add-ons. We want developers to be aware of this in case some of your users are on older versions of Firefox that may be impacted.

Should you see bug reports or negative reviews reflecting the effects of the certificate expiration, we recommend alerting your users to this support article that summarizes the issue and guides them through the process of updating Firefox so their add-ons work again.

Apple just released an emergency security update for a flaw: update your devices right now

Apple has patched its third zero-day flaw of the year with a new emergency security update for iPhones, iPads, Macs and its other devices.

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, and Safari 18.3.1. Maliciously crafted web content may be able to break out of the Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Chrome prior to 134.0.6998.88/.89 for Windows and Mac
  • Chrome prior to 134.0.6998.88 for Linux

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

  • Type Confusion in V8. (CVE-2025-1920, CVE-2025-2135)
  • Out of bounds write in GPU. (CVE-TBD)
  • Use after free in Inspector. (CVE-2025-2136)
  • Out of bounds read in V8. (CVE-2025-2137)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Google:
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2137

Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution.

  • FortiManager is a network and security management tool that provides centralized management of Fortinet devices from a single console.
  • FortiManager Cloud is a cloud-based service for centralized management, monitoring, and automation of Fortinet devices across multiple sites.
  • FortiOS is Fortinet’s proprietary operating system, which is utilized across multiple product lines.
  • FortiProxy is a secure web gateway that protects users against internet-borne attacks and provides protection and visibility to the network against unauthorized access and threats.
  • FortiAnalyzer is a log management, analytics, and reporting platform that provides organizations with a single console to manage, automate, orchestrate, and respond, enabling simplified security operations, proactive identification and remediation of risks, and complete visibility of the entire attack landscape.
  • FortiSandbox 5.0 is a security solution that utilizes a combination of AI/ML, static, and dynamic analysis, inline blocking, and scalable virtual environments to identify, analyze, contextualize, prioritize, and protect against advanced threats in real-time.
  • FortiPAM provides privileged account management, session monitoring and management, and role-based access control to secure access to sensitive assets and mitigate data breaches.
  • FortiNDR is Fortinet’s AI-driven Network Detection and Response (NDR) solution.
  • FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations.
  • FortiSIEM is a Security Information and Event Management (SIEM) solution from Fortinet that provides real-time infrastructure and user awareness for accurate threat detection, analysis, and reporting.
  • FortiIsolator is a Fortinet browser isolation solution that protects users from web-borne threats by creating a visual air gap between users’ browsers and websites, executing web content in a remote, disposable container.
  • FortiMail is an email security gateway that combines anti-spam, anti-virus, content filtering, DLP, and email archiving.
  • FortiClient is a Fabric Agent that delivers protection, compliance, and secure access in a single, modular lightweight client.
  • FortiADC is an application delivery controller (ADC) with advanced security features that help ensure application security, availability, and optimization.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • FortiADC 5.3 all versions
  • FortiADC 5.4 all versions
  • FortiADC 6.0 all versions
  • FortiADC 6.1 all versions
  • FortiADC 6.2 all versions
  • FortiADC 7.0 all versions
  • FortiADC 7.1.0 through 7.1.3
  • FortiADC 7.2.0 through 7.2.1
  • FortiADC 7.4.0
  • FortiAnalyzer 6.2 all versions
  • FortiAnalyzer 6.4 all versions
  • FortiAnalyzer 7.0 all versions
  • FortiAnalyzer 7.2.0 through 7.2.5
  • FortiAnalyzer 7.4.0 through 7.4.2
  • FortiAnalyzer-BigData 6.4 all versions
  • FortiAnalyzer-BigData 7.0 all versions
  • FortiAnalyzer-BigData 7.2.0 through 7.2.7
  • FortiAnalyzer-BigData 7.4.0 through 7.4.1
  • FortiClientLinux 6.4 all versions
  • FortiClientLinux 7.0 all versions
  • FortiClientLinux 7.2.0 through 7.2.5
  • FortiClientLinux 7.4.0
  • FortiClientMac 6.4 all versions
  • FortiClientMac 7.0 all versions
  • FortiClientMac 7.2.0 through 7.2.8
  • FortiClientMac 7.4.0 through 7.4.2
  • FortiClientWindows 6.4 all versions
  • FortiClientWindows 7.0 all versions
  • FortiClientWindows 7.2.0 through 7.2.4
  • FortiClientWindows 7.4.0
  • FortiIsolator 2.4.0 through 2.4.5
  • FortiMail 6.4 all versions
  • FortiMail 7.0 all versions
  • FortiMail 7.2 all versions
  • FortiMail 7.4.0 through 7.4.3
  • FortiMail 7.6.0 through 7.6.1
  • FortiManager 4.3.4 through 4.3.8
  • FortiManager 5.0 all versions
  • FortiManager 5.2 all versions
  • FortiManager 5.4 all versions
  • FortiManager 5.6 all versions
  • FortiManager 6.0 all versions
  • FortiManager 6.2 all versions
  • FortiManager 6.4 all versions
  • FortiManager 7.0 all versions
  • FortiManager 7.2.0 through 7.2.5
  • FortiManager 7.4.0 through 7.4.3
  • FortiNDR 1.5 all versions
  • FortiNDR 7.0.0 through 7.0.5
  • FortiNDR 7.1.0 through 7.1.1
  • FortiNDR 7.2.0 through 7.2.1
  • FortiNDR 7.4.0
  • FortiOS 6.2 all versions
  • FortiOS 6.4.0 through 6.4.15
  • FortiOS 7.0.0 through 7.0.15
  • FortiOS 7.2.0 through 7.2.9
  • FortiOS 7.4.0 through 7.4.4
  • FortiPAM 1.0 all versions
  • FortiPAM 1.1 all versions
  • FortiPAM 1.2 all versions
  • FortiPAM 1.3.0 through 1.3.1
  • FortiPAM 1.4.0 through 1.4.2
  • FortiProxy 7.0.0 through 7.0.19
  • FortiProxy 7.2.0 through 7.2.12
  • FortiProxy 7.4.0 through 7.4.6
  • FortiProxy 7.6.0
  • FortiSandbox 3.0 all versions
  • FortiSandbox 3.1 all versions
  • FortiSandbox 3.2 all versions
  • FortiSandbox 4.0 all versions
  • FortiSandbox 4.2 all versions
  • FortiSandbox 4.4.0 through 4.4.6
  • FortiSandbox 5.0.0
  • FortiSIEM 5.1 all versions
  • FortiSIEM 5.2 all versions
  • FortiSIEM 5.3 all versions
  • FortiSIEM 5.4 all versions
  • FortiSIEM 6.1 all versions
  • FortiSIEM 6.2 all versions
  • FortiSIEM 6.3 all versions
  • FortiSIEM 6.4 all versions
  • FortiSIEM 6.5 all versions
  • FortiSIEM 6.6 all versions
  • FortiSIEM 6.7 all versions
  • FortiSIEM 7.0 all versions
  • FortiSIEM 7.1 all versions
  • FortiSIEM 7.2 all versions
  • FortiSRA 1.4.0 through 1.4.2
  • FortiWeb 7.0 all versions
  • FortiWeb 7.2 all versions
  • FortiWeb 7.4 all versions
  • FortiWeb 7.6.0
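Triage usually starts by matching an asset inventory against the affected-version list above. The following is an added, defender-side example (not from the advisory or from Fortinet): it parses lines in the three shapes the list uses ("X.Y all versions", "A through B", and a single release) and reports which inventory entries fall inside them. The sample lines are copied from the list above; the hostnames are constructed placeholders, and reading "X.Y all versions" as the whole X.Y branch is an assumption.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Predicate = Callable[[Version], bool]

# Sample "SYSTEMS AFFECTED" lines, one of each shape the advisory uses.
AFFECTED_LINES = [
    "FortiADC 7.0 all versions",
    "FortiADC 7.1.0 through 7.1.3",
    "FortiADC 7.4.0",
    "FortiOS 7.4.0 through 7.4.4",
    "FortiManager 7.2.0 through 7.2.5",
    "FortiAnalyzer-BigData 7.2.0 through 7.2.7",
    "FortiSIEM 7.2 all versions",
]

LINE_RE = re.compile(
    r"^(?P<product>\S+)\s+(?P<lo>\d+(?:\.\d+)*)"
    r"(?:\s+(?:through\s+(?P<hi>\d+(?:\.\d+)*)|(?P<all>all versions)))?$"
)


def parse_version(text: str) -> Version:
    """'7.4.2' -> (7, 4, 2); raises ValueError on non-numeric components."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so '7.4' and '7.4.0' compare as equal."""
    return v + (0,) * (width - len(v))


def parse_affected_line(line: str) -> Tuple[str, Predicate]:
    """Turn one advisory line into (product, predicate over an installed version)."""
    m = LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError(f"unrecognised affected-version line: {line!r}")
    product = m.group("product")
    lo = parse_version(m.group("lo"))

    if m.group("all"):
        # Assumption: "X.Y all versions" covers every release in the X.Y branch,
        # i.e. any version whose leading components equal X.Y (7.0.12 under "7.0").
        def pred(v: Version) -> bool:
            return v[: len(lo)] == lo
    elif m.group("hi"):
        hi = parse_version(m.group("hi"))

        # Inclusive range; pad all three so differing component counts compare sanely.
        def pred(v: Version) -> bool:
            width = max(len(lo), len(hi), len(v))
            return pad(lo, width) <= pad(v, width) <= pad(hi, width)
    else:
        # A single exact release, e.g. "FortiADC 7.4.0".
        def pred(v: Version) -> bool:
            width = max(len(lo), len(v))
            return pad(lo, width) == pad(v, width)
    return product, pred


def build_matchers(lines: List[str]) -> Dict[str, List[Tuple[str, Predicate]]]:
    """Group (original line, predicate) pairs by product name."""
    matchers: Dict[str, List[Tuple[str, Predicate]]] = {}
    for line in lines:
        product, pred = parse_affected_line(line)
        matchers.setdefault(product, []).append((line, pred))
    return matchers


def is_affected(matchers, product: str, version: str) -> Optional[str]:
    """Return the advisory line that covers this install, or None if not listed."""
    v = parse_version(version)
    for line, pred in matchers.get(product, []):
        if pred(v):
            return line
    return None


def triage_inventory(inventory, lines=AFFECTED_LINES):
    """Return (host, product, version, matching advisory line) for each affected asset."""
    matchers = build_matchers(lines)
    hits = []
    for host, product, version in inventory:
        line = is_affected(matchers, product, version)
        if line:
            hits.append((host, product, version, line))
    return hits


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders.
    inventory = [
        ("fw-edge-01", "FortiOS", "7.4.3"),
        ("fw-edge-02", "FortiOS", "7.4.5"),
        ("adc-01", "FortiADC", "7.0.12"),
        ("siem-01", "FortiSIEM", "7.2.1"),
    ]
    for hit in triage_inventory(inventory):
        print("PATCH: %s %s %s  (%s)" % hit)
```

A "None" result only means the version is not on the list as transcribed here; it is not evidence that the release is fixed, so confirm against the vendor advisory before closing a ticket.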

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • A cross site request forgery vulnerability in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests. (CVE-2023-48790)
  • An exposure of sensitive information to an unauthorized actor vulnerability in FortiSIEM may allow a remote unauthenticated attacker who acquired knowledge of the agent’s authorization header by other means to read the database password via crafted API requests. (CVE-2023-40723)
  • An incorrect authorization vulnerability in FortiSandbox may allow a low privileged administrator to execute elevated CLI commands via the GUI console menu. (CVE-2024-45328)
  • Multiple improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerabilities in FortiIsolator may allow an authenticated attacker with at least read-only admin permission and CLI access to execute unauthorized code via specifically crafted CLI commands. (CVE-2024-55590)
  • A use of externally-controlled format string vulnerability in FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb may allow a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands. (CVE-2024-45324)
  • An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. (CVE-2024-52961)
  • A Use of Hard-coded Cryptographic Key vulnerability in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI. (CVE-2024-54027)
  • An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability in FortiADC GUI may allow an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPS requests. (CVE-2023-37933)

Details of lower severity vulnerabilities:

  • An Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in FortiWeb API endpoint may allow an authenticated attacker with admin privileges to access and modify the filesystem. (CVE-2024-55597)
  • An incorrect authorization vulnerability in FortiSIEM may allow an authenticated attacker to perform unauthorized operations on incidents via crafted HTTP requests. (CVE-2024-55592)
  • Two improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerabilities in FortiAnalyzer, FortiManager & FortiAnalyzer-BigData may allow a privileged attacker to execute unauthorized code or commands via specifically crafted CLI requests. (CVE-2024-33501)
  • A client-side enforcement of server-side security vulnerability in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. (CVE-2024-52960)
  • Multiple improper neutralization of special elements used in an OS Command vulnerabilities in FortiSandbox may allow a privileged attacker to execute unauthorized commands via crafted requests. (CVE-2024-54018)
  • Multiple improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerabilities in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests. (CVE-2024-32123)
  • A stack-buffer overflow vulnerability in FortiMail CLI may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI commands. (CVE-2024-46663)
  • Two improper handling of syntactically invalid structure vulnerabilities in FortiWeb may allow an unauthenticated attacker to bypass web firewall protections via crafted HTTP/S requests. (CVE-2023-42784, CVE-2024-55594)
  • An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability in FortiSandbox may allow a privileged attacker to execute unauthorized code or commands via specifically crafted HTTP requests. (CVE-2024-54026)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code in the context of the system. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
       
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
       
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
       
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Fortinet:
https://www.fortiguard.com/psirt/FG-IR-23-353
https://www.fortiguard.com/psirt/FG-IR-23-117
https://www.fortiguard.com/psirt/FG-IR-24-130
https://www.fortiguard.com/psirt/FG-IR-24-305
https://www.fortiguard.com/psirt/FG-IR-24-439
https://www.fortiguard.com/psirt/FG-IR-24-261
https://www.fortiguard.com/psirt/FG-IR-24-377
https://www.fortiguard.com/psirt/FG-IR-24-178
https://www.fortiguard.com/psirt/FG-IR-24-325
https://www.fortiguard.com/psirt/FG-IR-24-110
https://www.fortiguard.com/psirt/FG-IR-24-124
https://www.fortiguard.com/psirt/FG-IR-24-306
https://www.fortiguard.com/psirt/FG-IR-24-331
https://www.fortiguard.com/psirt/FG-IR-24-327
https://www.fortiguard.com/psirt/FG-IR-23-115
https://www.fortiguard.com/psirt/FG-IR-24-353
https://www.fortiguard.com/psirt/FG-IR-23-216

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45324
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55594

Critical Patches Issued for Microsoft Products, March 11, 2025 – PATCH NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
Microsoft has reported that CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, and CVE-2025-26633 have been exploited in the wild. 

SYSTEMS AFFECTED:

  • .NET
  • ASP.NET Core & Visual Studio
  • Azure Agent Installer
  • Azure Arc
  • Azure CLI
  • Azure PromptFlow
  • Kernel Streaming WOW Thunk Service Driver
  • Microsoft Edge (Chromium-based)
  • Microsoft Local Security Authority Server (lsasrv)
  • Microsoft Management Console
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office Word
  • Microsoft Streaming Service
  • Microsoft Windows
  • Remote Desktop Client
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Visual Studio
  • Visual Studio Code
  • Windows Common Log File System Driver
  • Windows Cross Device Service
  • Windows exFAT File System
  • Windows Fast FAT Driver
  • Windows File Explorer
  • Windows Kernel Memory
  • Windows Kernel-Mode Drivers
  • Windows MapUrlToZone
  • Windows Mark of the Web (MOTW)
  • Windows NTFS
  • Windows NTLM
  • Windows Remote Desktop Services
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Subsystem for Linux
  • Windows Telephony Server
  • Windows USB Video Driver
  • Windows Win32 Kernel Subsystem 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. 

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
       
  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
       
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, or API-call behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
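One way to turn the recommendations above into a repeatable host check, as an added example that is not part of the advisory and not Microsoft's own tooling: a PowerShell audit that confirms updates installed since the March 11, 2025 release (M1051), system-wide DEP and ASLR from Windows Defender Exploit Guard (Safeguard 10.5), and local Administrators membership (Safeguard 5.4). The ProcessMitigations property names and the `$Allowed` allow-list are assumptions; confirm the exact KB for your build against the MSRC release note.

```powershell
# Added audit script (not from the advisory). Assumes Windows 10/11 or Server 2016+
# with the ProcessMitigations and Microsoft.PowerShell.LocalAccounts modules; run elevated.
$PatchTuesday = Get-Date '2025-03-11'   # release date named in the advisory

function Test-PatchApplied {
    # M1051: at least one update installed on or after the March 11, 2025 release date.
    # This is a coarse signal; verify the specific KB for your build in the MSRC release note.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday }
    [pscustomobject]@{
        Check  = 'Updates installed since 2025-03-11'
        Pass   = [bool]$recent
        Detail = ($recent.HotFixID -join ', ')
    }
}

function Test-ExploitProtection {
    # Safeguard 10.5 / M1050: system-wide DEP and ASLR. Values are ON, OFF or NOTSET;
    # NOTSET means the OS default applies, so this check requires an explicit ON.
    $m = Get-ProcessMitigation -System
    $dep  = "$($m.Dep.Enable)" -eq 'ON'
    $aslr = ("$($m.Aslr.BottomUp)" -eq 'ON') -and ("$($m.Aslr.HighEntropy)" -eq 'ON')
    [pscustomobject]@{
        Check  = 'System DEP and ASLR explicitly enabled'
        Pass   = $dep -and $aslr
        Detail = "DEP=$($m.Dep.Enable) BottomUp=$($m.Aslr.BottomUp) HighEntropy=$($m.Aslr.HighEntropy)"
    }
}

function Test-LocalAdmins {
    # Safeguard 5.4: only dedicated administrator accounts should be local Administrators.
    # $Allowed is a constructed placeholder list; the built-in Administrator is flagged
    # unless explicitly allowed, since Safeguard 4.7 expects default accounts disabled.
    param([string[]]$Allowed = @('CONTOSO\svc-admin-placeholder'))
    $members = Get-LocalGroupMember -Group 'Administrators'
    $extra = $members | Where-Object { $Allowed -notcontains $_.Name }
    [pscustomobject]@{
        Check  = 'Local Administrators limited to dedicated accounts'
        Pass   = -not $extra
        Detail = ($extra.Name -join ', ')
    }
}

# Run all checks; a non-zero exit code flags a host that needs attention.
$results = @(Test-PatchApplied; Test-ExploitProtection; Test-LocalAdmins)
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Feed the exit code into your endpoint management or ticketing workflow so failing hosts are routed for remediation under the vulnerability management process in Safeguard 7.1.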

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar
https://msrc.microsoft.com/update-guide