Root certificate will expire on 14 March — users need to update Firefox to prevent add-on breakage

On 14 March a root certificate (the resource used to prove an add-on was approved by Mozilla) will expire, meaning Firefox users on versions older than 128 (or ESR 115) will not be able to use their add-ons. We want developers to be aware of this in case some of your users are on older versions of Firefox that may be impacted.

Should you see bug reports or negative reviews reflecting the effects of the certificate expiration, we recommend alerting your users to this support article, which summarizes the issue and guides them through the process of updating Firefox so their add-ons work again.

Apple just released an emergency security update for a flaw – update your devices right now

Apple has patched its third zero-day flaw of the year with a new emergency security update for iPhones, iPads, Macs and its other devices.

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, and Safari 18.3.1. Maliciously crafted web content may be able to break out of the Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.)

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Chrome prior to 134.0.6998.88/.89 for Windows and Mac
  • Chrome prior to 134.0.6998.88 for Linux

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

  • Type Confusion in V8. (CVE-2025-1920, CVE-2025-2135)
  • Out of bounds write in GPU. (CVE-TBD)
  • Use after free in Inspector. (CVE-2025-2136)
  • Out of bounds read in V8. (CVE-2025-2137)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
       
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
     
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
       
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
       
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Google:
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2137

Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution.

  • FortiManager is a network and security management tool that provides centralized management of Fortinet devices from a single console.
  • FortiManager Cloud is a cloud-based service for centralized management, monitoring, and automation of Fortinet devices across multiple sites.
  • FortiOS is Fortinet’s proprietary operating system, which is used across multiple product lines.
  • FortiProxy is a secure web gateway that protects users against internet-borne attacks and provides the network with protection and visibility against unauthorized access and threats.
  • FortiAnalyzer is a log management, analytics, and reporting platform that provides organizations with a single console to manage, automate, orchestrate, and respond, enabling simplified security operations, proactive identification and remediation of risks, and complete visibility of the entire attack landscape.
  • FortiSandbox 5.0 is a security solution that utilizes a combination of AI/ML, static, and dynamic analysis, inline blocking, and scalable virtual environments to identify, analyze, contextualize, prioritize, and protect against advanced threats in real-time.
  • FortiPAM provides privileged account management, session monitoring and management, and role-based access control to secure access to sensitive assets and mitigate data breaches.
  • FortiNDR is Fortinet’s AI-driven Network Detection and Response (NDR) solution.
  • FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations.
  • FortiSIEM is a Security Information and Event Management (SIEM) solution from Fortinet that provides real-time infrastructure and user awareness for accurate threat detection, analysis, and reporting.
  • FortiIsolator is a Fortinet browser isolation solution that protects users from web-borne threats by creating a visual air gap between users’ browsers and websites, executing web content in a remote, disposable container.
  • FortiMail is an email security product that combines anti-spam, anti-virus, content filtering, DLP and email archiving.
  • FortiClient is a Fabric Agent that delivers protection, compliance, and secure access in a single, modular lightweight client.
  • FortiADC is an application delivery controller (ADC) with advanced security features that help ensure application security, availability, and optimization.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • FortiADC 5.3 all versions
  • FortiADC 5.4 all versions
  • FortiADC 6.0 all versions
  • FortiADC 6.1 all versions
  • FortiADC 6.2 all versions
  • FortiADC 7.0 all versions
  • FortiADC 7.1.0 through 7.1.3
  • FortiADC 7.2.0 through 7.2.1
  • FortiADC 7.4.0
  • FortiAnalyzer 6.2 all versions
  • FortiAnalyzer 6.4 all versions
  • FortiAnalyzer 7.0 all versions
  • FortiAnalyzer 7.2.0 through 7.2.5
  • FortiAnalyzer 7.4.0 through 7.4.2
  • FortiAnalyzer-BigData 6.4 all versions
  • FortiAnalyzer-BigData 7.0 all versions
  • FortiAnalyzer-BigData 7.2.0 through 7.2.7
  • FortiAnalyzer-BigData 7.4.0 through 7.4.1
  • FortiClientLinux 6.4 all versions
  • FortiClientLinux 7.0 all versions
  • FortiClientLinux 7.2.0 through 7.2.5
  • FortiClientLinux 7.4.0
  • FortiClientMac 6.4 all versions
  • FortiClientMac 7.0 all versions
  • FortiClientMac 7.2.0 through 7.2.8
  • FortiClientMac 7.4.0 through 7.4.2
  • FortiClientWindows 6.4 all versions
  • FortiClientWindows 7.0 all versions
  • FortiClientWindows 7.2.0 through 7.2.4
  • FortiClientWindows 7.4.0
  • FortiIsolator 2.4.0 through 2.4.5
  • FortiMail 6.4 all versions
  • FortiMail 7.0 all versions
  • FortiMail 7.2 all versions
  • FortiMail 7.4.0 through 7.4.3
  • FortiMail 7.6.0 through 7.6.1
  • FortiManager 4.3.4 through 4.3.8
  • FortiManager 5.0 all versions
  • FortiManager 5.2 all versions
  • FortiManager 5.4 all versions
  • FortiManager 5.6 all versions
  • FortiManager 6.0 all versions
  • FortiManager 6.2 all versions
  • FortiManager 6.4 all versions
  • FortiManager 7.0 all versions
  • FortiManager 7.2.0 through 7.2.5
  • FortiManager 7.4.0 through 7.4.3
  • FortiNDR 1.5 all versions
  • FortiNDR 7.0.0 through 7.0.5
  • FortiNDR 7.1.0 through 7.1.1
  • FortiNDR 7.2.0 through 7.2.1
  • FortiNDR 7.4.0
  • FortiOS 6.2 all versions
  • FortiOS 6.4.0 through 6.4.15
  • FortiOS 7.0.0 through 7.0.15
  • FortiOS 7.2.0 through 7.2.9
  • FortiOS 7.4.0 through 7.4.4
  • FortiPAM 1.0 all versions
  • FortiPAM 1.1 all versions
  • FortiPAM 1.2 all versions
  • FortiPAM 1.3.0 through 1.3.1
  • FortiPAM 1.4.0 through 1.4.2
  • FortiProxy 7.0.0 through 7.0.19
  • FortiProxy 7.2.0 through 7.2.12
  • FortiProxy 7.4.0 through 7.4.6
  • FortiProxy 7.6.0
  • FortiSandbox 3.0 all versions
  • FortiSandbox 3.1 all versions
  • FortiSandbox 3.2 all versions
  • FortiSandbox 4.0 all versions
  • FortiSandbox 4.2 all versions
  • FortiSandbox 4.4.0 through 4.4.6
  • FortiSandbox 5.0.0
  • FortiSIEM 5.1 all versions
  • FortiSIEM 5.2 all versions
  • FortiSIEM 5.3 all versions
  • FortiSIEM 5.4 all versions
  • FortiSIEM 6.1 all versions
  • FortiSIEM 6.2 all versions
  • FortiSIEM 6.3 all versions
  • FortiSIEM 6.4 all versions
  • FortiSIEM 6.5 all versions
  • FortiSIEM 6.6 all versions
  • FortiSIEM 6.7 all versions
  • FortiSIEM 7.0 all versions
  • FortiSIEM 7.1 all versions
  • FortiSIEM 7.2 all versions
  • FortiSRA 1.4.0 through 1.4.2
  • FortiWeb 7.0 all versions
  • FortiWeb 7.2 all versions
  • FortiWeb 7.4 all versions
  • FortiWeb 7.6.0
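As an added example (not part of the advisory and not a Fortinet or MS-ISAC tool), the following Python script parses lines in the format of the SYSTEMS AFFECTED list above and reports whether a given product and build falls inside a listed range. The embedded lines are a subset copied from the list above; the product/version inputs are constructed.

```python
"""Check a Fortinet product/version against the advisory's SYSTEMS AFFECTED list.

Illustrative code written for this page, not a vendor tool; the advisory
itself remains the authority on what is affected.
"""
import re
from typing import NamedTuple, Optional

# Subset of the SYSTEMS AFFECTED lines from the advisory above, copied verbatim.
# A real run would paste the whole list instead of this sample.
ADVISORY_LINES = """
  • FortiADC 5.3 all versions
  • FortiADC 7.1.0 through 7.1.3
  • FortiADC 7.4.0
  • FortiOS 6.2 all versions
  • FortiOS 7.0.0 through 7.0.15
  • FortiOS 7.4.0 through 7.4.4
  • FortiProxy 7.6.0
  • FortiSIEM 7.2 all versions
"""

Version = tuple[int, ...]

# Three shapes appear in the list:
#   "<product> <train> all versions"   -> every build of that train is affected
#   "<product> <low> through <high>"   -> inclusive version range
#   "<product> <single version>"       -> exactly that build
_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<product>\S+)\s+(?P<low>\d+(?:\.\d+)*)"
    r"(?:\s+through\s+(?P<high>\d+(?:\.\d+)*)|\s+(?P<all>all versions))?\s*$"
)


class AffectedRange(NamedTuple):
    product: str
    low: Version
    high: Optional[Version]  # None when the whole train is affected
    whole_train: bool


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.strip().split("."))


def _pad(v: Version, width: int) -> Version:
    # "7.1" and "7.1.0" must compare equal, so right-pad with zeros.
    return v + (0,) * (width - len(v))


def parse_advisory(text: str) -> list[AffectedRange]:
    """Turn advisory lines into AffectedRange records; reject unknown shapes loudly."""
    ranges: list[AffectedRange] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised SYSTEMS AFFECTED line: {line!r}")
        low = parse_version(m["low"])
        if m["all"]:
            ranges.append(AffectedRange(m["product"], low, None, True))
        else:
            high = parse_version(m["high"]) if m["high"] else low
            ranges.append(AffectedRange(m["product"], low, high, False))
    return ranges


def find_affected(product: str, version: str,
                  ranges: list[AffectedRange]) -> Optional[AffectedRange]:
    """Return the first listed range covering product/version, or None."""
    installed = parse_version(version)
    for r in ranges:
        if r.product.lower() != product.lower():
            continue
        if r.whole_train:
            # "6.2 all versions" covers every 6.2.x build (tuple prefix, not
            # string prefix, so 6.25.0 is not mistaken for 6.2.x).
            if installed[: len(r.low)] == r.low:
                return r
        else:
            width = max(len(installed), len(r.low), len(r.high))
            if _pad(r.low, width) <= _pad(installed, width) <= _pad(r.high, width):
                return r
    return None


def is_affected(product: str, version: str, advisory_text: str = ADVISORY_LINES) -> bool:
    return find_affected(product, version, parse_advisory(advisory_text)) is not None


if __name__ == "__main__":
    ranges = parse_advisory(ADVISORY_LINES)
    # Constructed sample inventory, not real hosts.
    for prod, ver in [("FortiOS", "7.0.12"), ("FortiOS", "7.0.16"),
                      ("FortiADC", "5.3.9"), ("FortiSIEM", "7.3.1")]:
        hit = find_affected(prod, ver, ranges)
        print(f"{prod} {ver}: {'AFFECTED ' + str(hit) if hit else 'not in affected list'}")
```

A hit on a "whole train" entry has no fixed point release listed for that train, so the remediation is a move to a train that does not appear in the list rather than a point upgrade.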

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • A cross-site request forgery vulnerability in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests. (CVE-2023-48790)
  • An exposure of sensitive information to an unauthorized actor vulnerability in FortiSIEM may allow a remote unauthenticated attacker who acquired knowledge of the agent’s authorization header by other means to read the database password via crafted API requests. (CVE-2023-40723)
  • An incorrect authorization vulnerability in FortiSandbox may allow a low-privileged administrator to execute elevated CLI commands via the GUI console menu. (CVE-2024-45328)
  • Multiple improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerabilities in FortiIsolator may allow an authenticated attacker with at least read-only admin permission and CLI access to execute unauthorized code via specifically crafted CLI commands. (CVE-2024-55590)
  • A use of externally-controlled format string vulnerability in FortiOS, FortiProxy, FortiPAM, FortiSRA and FortiWeb may allow a privileged attacker to execute unauthorized code or commands via specially crafted HTTP or HTTPS commands. (CVE-2024-45324)
  • An improper neutralization of special elements used in an OS Command vulnerability in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. (CVE-2024-52961)
  • A Use of Hard-coded Cryptographic Key vulnerability in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI. (CVE-2024-54027)
  • An improper neutralization of input during web page generation (‘Cross-site Scripting’) vulnerability in the FortiADC GUI may allow an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPS requests. (CVE-2023-37933)

Details of lower severity vulnerabilities:

  • An Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in FortiWeb API endpoint may allow an authenticated attacker with admin privileges to access and modify the filesystem. (CVE-2024-55597)
  • An incorrect authorization vulnerability in FortiSIEM may allow an authenticated attacker to perform unauthorized operations on incidents via crafted HTTP requests. (CVE-2024-55592)
  • Two improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerabilities in FortiAnalyzer, FortiManager and FortiAnalyzer-BigData may allow a privileged attacker to execute unauthorized code or commands via specifically crafted CLI requests. (CVE-2024-33501)
  • A client-side enforcement of server-side security vulnerability in FortiSandbox may allow an authenticated attacker with at least read-only permission to execute unauthorized commands via crafted requests. (CVE-2024-52960)
  • Multiple improper neutralization of special elements used in an OS Command vulnerabilities in FortiSandbox may allow a privileged attacker to execute unauthorized commands via crafted requests. (CVE-2024-54018)
  • Multiple improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerabilities in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests. (CVE-2024-32123)
  • A stack-buffer overflow vulnerability in FortiMail CLI may allow a privileged attacker to execute arbitrary code or commands via specifically crafted CLI commands. (CVE-2024-46663)
  • Two improper handling of syntactically invalid structure vulnerabilities in FortiWeb may allow an unauthenticated attacker to bypass web firewall protections via HTTP/S crafted requests. (CVE-2023-42784, CVE-2024-55594)
  • An improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability in FortiSandbox may allow a privileged attacker to execute unauthorized code or commands via specifically crafted HTTP requests. (CVE-2024-54026)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute remote code in the context of the system. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
       
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
       
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
       
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
       
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Fortinet:
https://www.fortiguard.com/psirt/FG-IR-23-353
https://www.fortiguard.com/psirt/FG-IR-23-117
https://www.fortiguard.com/psirt/FG-IR-24-130
https://www.fortiguard.com/psirt/FG-IR-24-305
https://www.fortiguard.com/psirt/FG-IR-24-439
https://www.fortiguard.com/psirt/FG-IR-24-261
https://www.fortiguard.com/psirt/FG-IR-24-377
https://www.fortiguard.com/psirt/FG-IR-24-178
https://www.fortiguard.com/psirt/FG-IR-24-325
https://www.fortiguard.com/psirt/FG-IR-24-110
https://www.fortiguard.com/psirt/FG-IR-24-124
https://www.fortiguard.com/psirt/FG-IR-24-306
https://www.fortiguard.com/psirt/FG-IR-24-331
https://www.fortiguard.com/psirt/FG-IR-24-327
https://www.fortiguard.com/psirt/FG-IR-23-115
https://www.fortiguard.com/psirt/FG-IR-24-353
https://www.fortiguard.com/psirt/FG-IR-23-216

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45328
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45324
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52961
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55597
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55592
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42784
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54026
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-55594

Critical Patches Issued for Microsoft Products, March 11, 2025 – PATCH NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

THREAT INTELLIGENCE:
Microsoft has reported that CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, and CVE-2025-26633 have been exploited in the wild. 

SYSTEMS AFFECTED:

  • .NET
  • ASP.NET Core & Visual Studio
  • Azure Agent Installer
  • Azure Arc
  • Azure CLI
  • Azure PromptFlow
  • Kernel Streaming WOW Thunk Service Driver
  • Microsoft Edge (Chromium-based)
  • Microsoft Local Security Authority Server (lsasrv)
  • Microsoft Management Console
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office Word
  • Microsoft Streaming Service
  • Microsoft Windows
  • Remote Desktop Client
  • Role: DNS Server
  • Role: Windows Hyper-V
  • Visual Studio
  • Visual Studio Code
  • Windows Common Log File System Driver
  • Windows Cross Device Service
  • Windows exFAT File System
  • Windows Fast FAT Driver
  • Windows File Explorer
  • Windows Kernel Memory
  • Windows Kernel-Mode Drivers
  • Windows MapUrlToZone
  • Windows Mark of the Web (MOTW)
  • Windows NTFS
  • Windows NTLM
  • Windows Remote Desktop Services
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Subsystem for Linux
  • Windows Telephony Server
  • Windows USB Video Driver
  • Windows Win32 Kernel Subsystem 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. 

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
       
  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
       
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar
https://msrc.microsoft.com/update-guide

Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

  • Adobe Acrobat and Reader is used to view, create, print, and manage PDF files on desktop and mobile.
  • Substance 3D Sampler is a 3D scanning software that uses AI to create 3D models and materials from real-world images.
  • Adobe Illustrator is a vector graphics editor and design program.
  • Substance 3D Painter is a 3D painting software that allows users to texture and add materials directly to 3D meshes in real-time.
  • Adobe InDesign is used to create and publish brochures, digital magazines, eBooks, posters, and presentations.
  • Substance 3D Modeler is a 3D modeling and sculpting application.
  • Substance 3D Designer is a 3D design software that is used to generate textures.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

  • Acrobat DC 25.001.20428 and earlier versions
  • Acrobat Reader DC 25.001.20428 and earlier versions
  • Acrobat 2024 24.001.30225 and earlier versions
  • Acrobat 2020 20.005.30748 and earlier versions
  • Acrobat Reader 2020 20.005.30748 and earlier versions
  • Adobe Substance 3D Sampler 4.5.2 and earlier versions
  • Illustrator 2025 29.2.1 and earlier versions
  • Illustrator 2024 28.7.4 and earlier versions
  • Adobe Substance 3D Painter 10.1.2 and earlier versions
  • Adobe InDesign ID20.1 and earlier versions
  • Adobe InDesign ID19.5.2 and earlier versions
  • Adobe Substance 3D Modeler 1.15 and earlier versions
  • Adobe Substance 3D Designer 14.1 and earlier versions  

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Execution (TA0002)

Technique: Exploitation for Client Execution (T1203): 

Adobe Acrobat and Reader:

  • Use After Free (CVE-2025-27174, CVE-2025-27159, CVE-2025-27160)
  • Access of Uninitialized Pointer (CVE-2025-27158, CVE-2025-27162)
  • Out-of-bounds Read (CVE-2025-27161, CVE-2025-24431, CVE-2025-27163, CVE-2025-27164) 

Substance 3D Sampler:

  • Heap-based Buffer Overflow (CVE-2025-24439, CVE-2025-24443)
  • Out-of-bounds Write (CVE-2025-24440, CVE-2025-24441, CVE-2025-24442, CVE-2025-24444, CVE-2025-24445) 

Adobe Illustrator:

  • Untrusted Search Path (CVE-2025-27167)
  • Stack-based Buffer Overflow (CVE-2025-27168)
  • Out-of-bounds Write (CVE-2025-27169)
  • Out-of-bounds Read (CVE-2025-24448, CVE-2025-24449)
  • NULL Pointer Dereference (CVE-2025-27170) 

Substance 3D Painter:

  • Out-of-bounds Write (CVE-2025-24450, CVE-2025-24451) 

Adobe InDesign:

  • Out-of-bounds Write (CVE-2025-24452, CVE-2025-27166, CVE-2025-27175, CVE-2025-27178)
  • Heap-based Buffer Overflow (CVE-2025-24453, CVE-2025-27171, CVE-2025-27177)
  • NULL Pointer Dereference (CVE-2025-27176, CVE-2025-27179) 

Substance 3D Modeler:

  • Heap-based Buffer Overflow (CVE-2025-27173)
  • NULL Pointer Dereference (CVE-2025-21170) 

Substance 3D Designer:

  • Heap-based Buffer Overflow (CVE-2025-21169)
  • Out-of-bounds Write (CVE-2025-27172) 

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
       
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
       
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
       
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
       
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
       
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
       

REFERENCES:

Adobe:
https://helpx.adobe.com/security/Home.html
https://helpx.adobe.com/security/products/acrobat/apsb25-14.html
https://helpx.adobe.com/security/products/substance3d-sampler/apsb25-16.html
https://helpx.adobe.com/security/products/illustrator/apsb25-17.html
https://helpx.adobe.com/security/products/substance3d_painter/apsb25-18.html
https://helpx.adobe.com/security/products/indesign/apsb25-19.html
https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-21.html
https://helpx.adobe.com/security/products/substance3d_designer/apsb25-22.html 

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24431
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24440
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24451
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24452
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24453
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27162
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27163
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27164
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27167
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27173
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27175
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27177
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27179

Multiple Vulnerabilities in Mozilla Products Could Allow for Remote Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.

  • Mozilla Firefox is a web browser used to access the Internet.
  • Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.
  • Mozilla Thunderbird is an email client.
  • Mozilla Thunderbird ESR is a version of the email client intended to be deployed in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Thunderbird versions prior to ESR 128.8
  • Thunderbird versions prior to 136
  • Firefox ESR versions prior to 128.8
  • Firefox ESR versions prior to 115.21
  • Firefox versions prior to 136
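
The affected-version lists above (the Adobe list in the previous advisory and the Mozilla list in this one) are easy to misread with a plain numeric comparison: Firefox ESR 128.8 is patched although it is "less than" 136, and Illustrator 28.7.5 is patched although it is "less than" 29.2.1. The following is an added example, not text or code from either advisory: a branch-aware check that takes only the product names and version boundaries from those two lists; the Track type, the helper names and the sample inventory are constructed for the example.

```python
"""Track-aware check of an installed version against the SYSTEMS AFFECTED lists
of the Adobe and Mozilla advisories. Added example, not text from either
advisory: product names and version boundaries are copied from those lists,
everything else (type names, helpers, sample inventory) is constructed here."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Track:
    product: str          # lower-case product key, see normalize_product()
    major: Optional[int]  # major version that identifies the branch; None = any
    esr: bool             # Mozilla ESR channel; always False for Adobe products
    boundary: Version     # the version quoted in the advisory
    inclusive: bool       # True: "X and earlier" (X is affected); False: "prior to X"


# Adobe quotes the LAST affected build ("and earlier"), Mozilla the FIRST fixed
# one ("prior to"); treating them alike is off by exactly one release.
TRACKS = [
    Track("acrobat", 25, False, (25, 1, 20428), True),   # Acrobat DC / Reader DC
    Track("acrobat", 24, False, (24, 1, 30225), True),   # Acrobat 2024
    Track("acrobat", 20, False, (20, 5, 30748), True),   # Acrobat 2020 / Reader 2020
    Track("illustrator", 29, False, (29, 2, 1), True),   # Illustrator 2025
    Track("illustrator", 28, False, (28, 7, 4), True),   # Illustrator 2024
    Track("indesign", 20, False, (20, 1), True),         # InDesign ID20.1
    Track("indesign", 19, False, (19, 5, 2), True),      # InDesign ID19.5.2
    Track("substance 3d sampler", None, False, (4, 5, 2), True),
    Track("substance 3d painter", None, False, (10, 1, 2), True),
    Track("substance 3d modeler", None, False, (1, 15), True),
    Track("substance 3d designer", None, False, (14, 1), True),
    Track("firefox", None, False, (136,), False),         # rapid release
    Track("firefox", 128, True, (128, 8), False),         # ESR 128 branch
    Track("firefox", 115, True, (115, 21), False),        # ESR 115 branch
    Track("thunderbird", None, False, (136,), False),
    Track("thunderbird", 128, True, (128, 8), False),
]


def parse_version(text: str) -> Version:
    """'25.001.20428' -> (25, 1, 20428); '128.8.0esr' -> (128, 8, 0); 'ID20.1' -> (20, 1)."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def normalize_product(name: str) -> str:
    """Fold list spellings ('Acrobat Reader DC', 'Illustrator 2024') onto TRACKS keys."""
    n = name.lower().replace("adobe ", "").replace("mozilla ", "")
    n = re.sub(r"\b(dc|esr|reader|20\d\d)\b", "", n)
    return " ".join(n.split())


def is_affected(product: str, version: str, esr: bool = False) -> bool:
    """True when the install lies inside the advisory's affected range.

    The branch is chosen by product, channel and (where several supported
    branches are listed) major version, so ESR 128.8 is compared with 128.8,
    not with release 136. A branch with no listed fix (an out-of-support ESR,
    say) is reported as affected: nothing in the advisory says it is safe.
    """
    key = normalize_product(product)
    esr = esr or "esr" in product.lower() or version.lower().endswith("esr")
    v = parse_version(version)
    candidates = [t for t in TRACKS if t.product == key and t.esr == esr
                  and (t.major is None or t.major == v[0])]
    if not candidates:
        return True
    track = min(candidates, key=lambda t: t.major is None)  # exact major beats wildcard
    return v <= track.boundary if track.inclusive else v < track.boundary


# Constructed sample inventory (hostname, product, version); values are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "Acrobat Reader DC", "25.001.20428"),  # exactly the last affected build
    ("ws-02", "Acrobat Reader DC", "25.001.20432"),  # one build past the boundary
    ("ws-03", "Illustrator 2024", "28.7.5"),         # 2024 branch fixed, though < 29.2.1
    ("ws-04", "Adobe InDesign", "ID19.5.2"),
    ("ws-05", "Firefox", "135.0.1"),
    ("ws-06", "Firefox ESR", "128.8.0esr"),          # patched ESR, though < 136
    ("ws-07", "Firefox ESR", "115.20.1esr"),
    ("ws-08", "Thunderbird", "136.0"),
    ("ws-09", "Firefox ESR", "102.15.1esr"),         # branch absent from the advisory
]


def hosts_needing_update(inventory):
    """Hostnames whose installed version falls inside an affected range."""
    return [host for host, product, version in inventory if is_affected(product, version)]


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(host, "needs the vendor update")
```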

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-by Compromise (T1189)

  • Overflow when growing an SkRegion’s RunArray. (CVE-2024-43097)
  • AudioIPC StreamData could trigger a use-after-free in the Browser process. (CVE-2025-1930)
  • Use-after-free in WebTransportChild. (CVE-2025-1931)
  • Inconsistent comparator in XSLT sorting led to out-of-bounds access. (CVE-2025-1932)
  • JIT corruption of WASM i32 return values on 64-bit CPUs. (CVE-2025-1933)
  • Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8. (CVE-2025-1937)
  • Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. (CVE-2025-1938)
  • Memory safety bugs fixed in Firefox 136 and Thunderbird 136. (CVE-2025-1943)
  • Tapjacking in Android Custom Tabs using transition animations. (CVE-2025-1939)

Additional lower severity vulnerabilities include: 

  • Crafted email message incorrectly shown as being encrypted. (CVE-2025-26696)
  • Downloading of OpenPGP keys from WKD used incorrect padding. (CVE-2025-26695)
  • Unexpected GC during RegExp bailout processing. (CVE-2025-1934)
  • Clickjacking the registerProtocolHandler info-bar. (CVE-2025-1935)
  • Adding %00 and a fake extension to a jar. (CVE-2025-1936)
  • Disclosure of uninitialized memory when .toUpperCase() causes string to get longer. (CVE-2025-1942)
  • Android Intent confirmation prompt tapjacking using Select options. (CVE-2025-1940)
  • Passkey phishing within Bluetooth range. (CVE-2024-9956)
  • Lock screen setting bypass in Firefox Focus for Android. (CVE-2025-1941)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1931
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1932
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1933
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1935
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1936
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1937
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1939
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1940
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26696
 
Mozilla:
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-15/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.

THREAT INTELLIGENCE:
Google indicates limited, targeted exploitation of CVE-2024-43093 and CVE-2024-50302.

SYSTEMS AFFECTED:

  • Android OS patch levels prior to 2025-03-05

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Following the MITRE ATT&CK framework, exploitation of these vulnerabilities can be classified as follows:

Tactic: Execution (TA0002):

Technique: Exploitation for Client Execution (T1203):

  • Multiple vulnerabilities in System that could allow for remote code execution. (CVE-2025-0074, CVE-2025-0075, CVE-2025-0084, CVE-2025-22403, CVE-2025-22408, CVE-2025-22410, CVE-2025-22411, CVE-2025-22412)

Tactic: Privilege Escalation (TA0004):

Technique: Exploitation for Privilege Escalation (T1068):

  • Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2024-0032, CVE-2024-43093, CVE-2025-0078, CVE-2025-0080, CVE-2025-0087)
  • Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2025-22409, CVE-2023-21125, CVE-2025-0079, CVE-2025-22404, CVE-2025-22405, CVE-2025-22406)
  • A vulnerability in Kernel that could allow for elevation of privilege. (CVE-2024-46852)

Details of lower-severity vulnerabilities are as follows:

  • Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2024-43090, CVE-2025-0083, CVE-2025-0086)
  • A vulnerability in Framework that could allow for denial of service. (CVE-2024-49740)
  • A vulnerability in System that could allow for denial of service. (CVE-2025-0081)
  • Multiple vulnerabilities in System that could allow for information disclosure. (CVE-2024-49728, CVE-2025-0082, CVE-2025-0092, CVE-2025-0093, CVE-2025-22407, CVE-2025-26417)
  • Multiple vulnerabilities in Kernel that could allow for information disclosure. (CVE-2024-50302, CVE-2025-22413)
  • A vulnerability in Google Play system updates. (CVE-2024-43093)
  • Multiple vulnerabilities in MediaTek components. (CVE-2025-20645, CVE-2025-20644)
  • Multiple vulnerabilities in Qualcomm components. (CVE-2024-49836, CVE-2024-49838, CVE-2024-53014, CVE-2024-53024, CVE-2024-53027)
  • Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2024-43051, CVE-2024-53011, CVE-2024-53025)

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
    • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
    • Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.

REFERENCES:

Android:
https://source.android.com/docs/security/bulletin/2025-03-01
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22413
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26417

Uptick in Facebook Scams

Threat actors compromise accounts using social engineering tactics to convince their targets to take action, divulge sensitive information, or install malware to gain unauthorized access to legitimate user accounts. Once an account is compromised, they impersonate the victim to conduct further malicious activity. Threat actors can change account information, such as name, date of birth, email address, and phone number, and lock the victim out of their account by updating the password and multi-factor authentication (MFA) method. They can also post information and/or images that violate Facebook’s terms and conditions or acceptable use policies. Additionally, they can communicate with the contacts in the victim’s address book to conduct social engineering attacks, send harassing messages, threaten extortion, steal funds, or install malware. Scams can also result in exfiltrated data, identity theft, and financial loss.
The NJCCIC received an uptick in reports of compromised Facebook accounts impacting New Jersey residents and businesses. In the past month, some victims reported that their own Facebook account was compromised, while others reported that a contact's account was compromised. Once an account was compromised, the threat actors communicated with the victim's contacts to lure and defraud them. The threat actors initially monitored Facebook activity to build trust and then solicited the victim's contacts for cryptocurrency investment schemes. They later changed tactics to create posts playing on emotion and claiming to sell expensive items, such as used cars, on behalf of a sick or deceased relative, typically an uncle. The victims' contacts believed the sale lure was authentic and thought they were communicating directly with a legitimate user through Facebook Messenger; under these false pretenses they sent payments of $500 to $2,000, typically through Zelle, to the threat actors.
In another example, threat actors messaged the victims' contacts through Facebook Messenger. The message instructed them to vote to win a prize by clicking a link. If the link was clicked, the contact's Facebook account was compromised. The contact then received an email purportedly from Meta, claiming an issue with their account. To regain access, they were told to verify their identity by submitting their MFA code, the front and back of their official identification, and a one-minute video of themselves.
Threat actors recently reintroduced Facebook page deletion scams from several years ago. They target businesses with phishing emails, claiming to be from Meta and falsely accusing them of violating Facebook’s trademark rights. The urgent messages threaten to permanently delete their Facebook page if they do not respond by clicking the link, which is intended to steal account credentials. Meta does send notifications for rule violations; however, they include a “disagree with decision” or appeal icon directly on the suspended page.
Other Facebook scams include potential victims buying gift cards and sending the gift card numbers through Facebook Messenger, non-payment for goods sold on Facebook Marketplace, and purchase requests for Facebook Marketplace goods that come with a "pre-paid credit card" link, where the seller is asked to click the link to accept the request and enter financial information. Additionally, scam Facebook groups steal photos, videos, and posts from legitimate groups to promote as their own, engage users, and conduct fraudulent schemes, such as links for fake merchandise intended to collect information from unsuspecting victims.

Eleven11bot Botnet Grows to Over 86,000 Devices, Thousands Geolocate to New Jersey

A new botnet known as Eleven11bot quickly became one of the largest seen in the last several years, infecting over 86,000 Internet of Things (IoT) devices. The botnet, mainly comprised of security cameras and network video recorders (NVRs), has been used to launch distributed denial-of-service (DDoS) attacks against telecommunications service providers and online gaming servers. Of the approximately 86,000 infected devices, over 2,300 device IP addresses geolocate to New Jersey.
These devices were likely compromised by brute-forcing weak or common administrator account credentials, using known default credentials, and actively scanning networks for devices exposing Telnet and SSH. Details of this botnet and associated malicious activity serve as a reminder to ensure IoT devices are configured following cybersecurity best practices.
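As an added example (not part of the bulletin, and not Eleven11bot's own code), the following Python script shows what the credential brute-forcing described above looks like in an SSH daemon's authentication log and how to flag it: it parses constructed OpenSSH-style log lines, reports any source address that exceeds a threshold of failed logins inside a sliding time window, and marks the case where a successful login follows that burst, which is the signature of a guessed weak or default password. The hostnames, addresses, usernames, threshold and window are assumptions chosen for the example.

```python
"""Flag SSH brute-force attempts in OpenSSH-style authentication logs.

Added example for illustration only. The log lines below are constructed,
not captured from any real device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog + OpenSSH "sshd" format). 203.0.113.7 guesses
# five passwords in five seconds and then gets in; 198.51.100.4 is a normal
# user who mistyped once and logged in with a key half an hour later.
SAMPLE_LOG = """\
Mar  3 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:02 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:03 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:04 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:05 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:06 cam01 sshd[812]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Mar  3 10:05:00 cam01 sshd[900]: Failed password for ops from 198.51.100.4 port 40001 ssh2
Mar  3 10:30:00 cam01 sshd[901]: Accepted publickey for ops from 198.51.100.4 port 40002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2025):
    """Parse one sshd line into a dict, or return None if it is not a login event.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2025 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Report source IPs with at least `threshold` failed logins inside a sliding window.

    Returns {ip: {"failures": int, "users": [..], "success_after_burst": bool}}.
    `success_after_burst` is set when an accepted login arrives while the
    failure burst is still inside the window, i.e. the password was likely guessed.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)        # ip -> usernames attempted from that source
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, q = ev["ip"], failures[ev["ip"]]
        # Slide the window: discard failures older than window_seconds.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        users[ip].add(ev["user"])
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": [], "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
        elif ip in alerts and q:
            # Accepted login with the burst still in the window: treat as a compromise.
            alerts[ip]["success_after_burst"] = True
    for ip, a in alerts.items():
        a["users"] = sorted(users[ip])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {a['failures']} failures, users={a['users']}, "
              f"success_after_burst={a['success_after_burst']}")
```

Many consumer cameras and NVRs log little or nothing locally, so on a real deployment the equivalent signal usually has to come from the upstream firewall or a network sensor watching inbound 22/tcp and 23/tcp; the detection logic is the same, only the parser changes. The durable fix is the one the bulletin points to: change default credentials, and do not expose Telnet or SSH on IoT devices to the internet at all.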