Microsoft Patch Tuesday, January 2025 Security Update Review
Happy New Year! As the calendar turns to January 2025, Microsoft’s first Patch Tuesday of 2025 has arrived. From zero-days to critical vulnerabilities, here’s a breakdown of what’s been patched and what deserves your attention. Microsoft’s Patch Tuesday, January 2025 edition addressed 159 vulnerabilities, including 10 critical and 149 important severity vulnerabilities. In this month’s …
Ivanti Zero-day Vulnerability Impacts Connect Secure and Policy Secure (CVE-2025-0282)
Ivanti released a security advisory to address critical and high severity vulnerabilities on January 8, 2025. Tracked as CVE-2025-0282 and CVE-2025-0283, the vulnerabilities may allow remote unauthenticated attackers to achieve remote code execution or local authenticated attackers to escalate their privileges on a targeted system. Ivanti mentioned in the advisory that “a limited number of customers …
CISA Warns of Mitel MiCollab Vulnerabilities Active Exploitation (CVE-2024-41713 & CVE-2024-55550)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updates its Known Exploited Vulnerabilities Catalog by adding two Mitel MiCollab vulnerabilities. Tracked as CVE-2024-41713 and CVE-2024-55550, the vulnerabilities may allow a remote unauthenticated attacker to bypass authentication and view/modify sensitive data. CVE-2024-41713 could be chained with CVE-2024-55550 to allow an unauthenticated, remote attacker to read arbitrary …
WordPress UpdraftPlus Plugin Vulnerability Impacts Millions of Websites (CVE-2024-10957)
The WordPress UpdraftPlus plugin has a high-severity PHP object injection vulnerability. Tracked as CVE-2024-10957, the vulnerability may allow an unauthenticated attacker to delete arbitrary files, retrieve sensitive data, or execute code. According to WordPress, more than 3 million websites worldwide use the plugin.
Palo Alto Networks Denial of Service Vulnerability Exploited in the Wild (CVE-2024-3393)
Palo Alto released a security advisory to address an actively exploited vulnerability, tracked as CVE-2024-3393. The vulnerability impacts Palo Alto Networks software (PAN-OS). Successful exploitation of the vulnerability may lead to a Denial of Service (DoS) attack. “Palo Alto Networks is aware of customers experiencing this Denial of Service (DoS) when their firewall blocks malicious …
Apache Patches Critical Remote Code Execution Vulnerability in Tomcat Server (CVE-2024-56337)
Apache released a security advisory to address a critical vulnerability in the Tomcat server. Tracked as CVE-2024-56337, the vulnerability may allow an attacker to perform remote code execution on vulnerable servers.
Adobe ColdFusion Arbitrary File System Read Vulnerability (CVE-2024-53961)
Adobe released a security advisory to address a critical severity vulnerability impacting ColdFusion. Tracked as CVE-2024-53961, the vulnerability may allow attackers to read arbitrary files on vulnerable servers. The vulnerability originates from a path traversal flaw that may give attackers unauthorized access and lead to data exposure.
Sophos Patches Multiple Vulnerabilities in Firewall (CVE-2024-12727, CVE-2024-12728, & CVE-2024-12729)
Sophos released a security advisory to address three vulnerabilities impacting Sophos Firewall products. Tracked as CVE-2024-12727, CVE-2024-12728, & CVE-2024-12729, the vulnerabilities may lead to remote code execution and information disclosure.
Fortinet FortiWLM Unauthenticated Limited File Read Vulnerability (CVE-2023-34990)
Fortinet released a security advisory to address an unauthenticated file read vulnerability in FortiWLM. Tracked as CVE-2023-34990, the vulnerability has a critical severity rating with a CVSS score of 9.6. Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to read sensitive files. The vulnerability originates from a path traversal issue that may …
CISA Added Cleo Vulnerabilities to its Known Exploited Vulnerabilities Catalog (CVE-2024-50623 & CVE-2024-55956)
The Cybersecurity & Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities Catalog with two vulnerabilities in Cleo Harmony, VLTrader, and LexiCom. Tracked as CVE-2024-50623 & CVE-2024-55956, successful exploitation of the vulnerabilities may lead to remote code execution. CISA urged users to patch the vulnerabilities before January 3, 2025 (CVE-2024-50623) and January 7, 2025 (CVE-2024-55956). Cleo …