Patch Tuesday May 2025

Patch Tuesday May 2025 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

Microsoft Vulnerabilities

This Patch Tuesday, Microsoft has released fixes for 70 vulnerabilities, a noticeable drop from the previous month, with only 5 rated as critical. However, the number of zero-days has increased to 5, with two vulnerabilities having proof-of-concept exploits. Here are the key highlights from the most significant critical updates.

Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

This Patch Tuesday, the list of zero-days includes vulnerabilities in the CLFS driver (clfs.sys), a critical Windows component responsible for providing logging services to user-mode and kernel-mode applications. The driver is widely used by various system services and third-party applications for logging.

CVE-2025-32701: Use After Free Elevation of Privilege Vulnerability

• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Weakness: CWE-416: Use After Free
• CVSS v3.1 Base Score: 7.8 (High)
• Exploited in the Wild: Yes
• Proof of Concept: Not publicly disclosed

This vulnerability occurs due to a use-after-free condition in the CLFS driver. Improper memory management during specific log file operations can be exploited by attackers through crafted system calls or handle manipulation routines. By manipulating freed memory, attackers can execute arbitrary code in kernel mode, gaining SYSTEM-level privileges.

CVE-2025-32706: Improper Input Validation Elevation of Privilege Vulnerability

• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Weakness: CWE-20: Improper Input Validation
• CVSS v3.1 Base Score: 7.8 (High)
• Exploited in the Wild: Yes
• Proof of Concept: Not publicly disclosed

This vulnerability arises from improper input validation in the CLFS driver. The driver fails to validate input parameters from user-mode applications, allowing an attacker to supply malformed data that can lead to memory corruption. Successful exploitation can result in arbitrary code execution with SYSTEM privileges.

Impact and Mitigation:
Both vulnerabilities affect all supported versions of Windows 10, Windows 11, and their corresponding server versions. Exploiting these vulnerabilities can allow attackers to escalate privileges to SYSTEM level, enabling them to execute arbitrary code, install programs, modify data, and disable security features.

With low attack complexity and minimal privileges required, these vulnerabilities present a significant risk, particularly given the active exploitation observed in the wild. While no public exploit code is currently available, the presence of active attacks suggests that targeted campaigns, potentially involving advanced persistent threats (APTs), are already underway.

Organizations should prioritize immediate assessment and remediation of these vulnerabilities to prevent potential compromise.

Scripting Engine Memory Corruption Vulnerability (CVE-2025-30397)

A new zero-day vulnerability has been identified in the Microsoft Scripting Engine, a key component used by Internet Explorer and Internet Explorer mode in Microsoft Edge. The Scripting Engine processes scripting languages like JavaScript and VBScript, enabling dynamic content on web pages.

The vulnerability is caused by a type confusion error (CWE-843), where the engine incorrectly handles objects in memory. This occurs when the engine allocates a resource as one type but later accesses it as a different, incompatible type. Attackers can exploit this flaw by creating a malicious web page or script that tricks the scripting engine into misinterpreting the type of an object. This misinterpretation leads to memory corruption, potentially allowing the attacker to execute arbitrary code.

Vulnerability Details:

• Impact: Remote Code Execution
• Severity: Important
• Weakness: CWE-843 (Type Confusion)
• CVSS v3.1 Score: 7.5 (High)
• Exploited in the Wild: Yes
• Proof of Concept: No public exploit available
• Attack Vector: Network
• Attack Complexity: High
• Privileges Required: None
• User Interaction: Required

Affected Systems:
All supported versions of Microsoft Windows with the vulnerable scripting engine are impacted, including:

• Client Systems: Windows 7, 8.1, 10, 11
• Server Systems: Windows Server 2008, 2012, 2016, 2019, and respective versions

Potential Impact:
Successful exploitation allows attackers to execute arbitrary code in the context of the current user. If the user has administrative privileges, the attacker could gain full control of the system, allowing them to access sensitive information, install programs, or modify/delete data.

Risk Analysis:

• Widespread Exposure: Given the extensive use of Windows and the affected scripting engines, millions of systems are potentially vulnerable.
• Compatibility Risks: The reliance on Internet Explorer mode in Edge for legacy compatibility increases exposure due to outdated components.
• Threat Actor Focus: Although the attack complexity is high, skilled attackers, including nation-state actors, could develop reliable exploits.
• Targeted Attacks: The requirement for user interaction may limit mass exploitation but does not deter targeted attacks.

Organizations should prioritize patching and implement layered security controls to mitigate the risk, as exploitation has been observed in the wild.

Microsoft Office Remote Code Execution Vulnerabilities

Two critical vulnerabilities have been identified in Microsoft Office, both involving use-after-free conditions that could lead to remote code execution.

CVE-2025-30386: Microsoft Office Remote Code Execution Vulnerability

This vulnerability stems from improper memory management in Microsoft Office. When a specific document or component is processed, memory is allocated and then freed improperly. If the program continues to reference this freed memory, it can lead to memory corruption, potentially allowing an attacker to execute arbitrary code.

• Impact: Remote Code Execution
• Severity: Critical
• Weakness: CWE-416 (Use After Free)
• CVSS v3.1 Score: 8.4 (High)
• Exploited in the Wild: No
• Proof of Concept: Not publicly available
• Attack Vector: Local (triggered by a malicious document)
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Despite being classified as a local attack vector, the vulnerability is considered remote code execution since an attacker can trigger it by delivering a malicious document. If the user has administrative privileges, the attacker could gain complete control of the system, install programs, access or modify data, and create new accounts.

The vulnerability affects all supported versions of Microsoft Office that contain the flawed memory handling component. Organizations of all sizes, including enterprises, government agencies, and individuals, are at risk. The risk is heightened due to potential exploitation through the Preview Pane, allowing the attack to execute without explicitly opening the malicious attachment.

CVE-2025-30377: Microsoft Office Remote Code Execution Vulnerability

This vulnerability is similar to CVE-2025-30386, involving a use-after-free condition that can be exploited to execute arbitrary code.

• Impact: Remote Code Execution
• Severity: Critical
• Weakness: CWE-416 (Use After Free)
• CVSS v3.1 Score: 8.4 (High)
• Exploited in the Wild: No
• Proof of Concept: Not publicly available
• Attack Vector: Local
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None

While the attack scenarios are similar to CVE-2025-30386, this vulnerability is assessed as less likely to be exploited due to additional conditions or complexities in crafting a working exploit. However, attackers could leverage both vulnerabilities to increase the chances of successful exploitation.

Risk Analysis:

• CVE-2025-30386 presents a higher risk due to the assessment that exploitation is more likely.
• Both vulnerabilities can lead to complete system compromise, data breaches, and further exploitation through malicious code execution.
• The potential use of the Preview Pane as an attack vector increases the urgency of addressing these vulnerabilities, as users may not need to explicitly open the malicious document to trigger the exploit.

Prompt patching is recommended for all affected systems to mitigate the risk of exploitation.

Remote Desktop Services Vulnerabilities

Two critical vulnerabilities in Remote Desktop Services have been patched, both involving heap-based buffer overflows that could lead to remote code execution.

CVE-2025-29966: Remote Desktop Client Remote Code Execution Vulnerability

This vulnerability arises from a heap-based buffer overflow in the Microsoft Remote Desktop Protocol (RDP) client software. Improper handling of data received from a malicious RDP server can lead to memory corruption.

• Impact: Remote Code Execution
• Severity: Critical
• Weakness: CWE-122 (Heap-based Buffer Overflow)
• CVSS v3.1 Score: 8.8 (High)
• Exploited in the Wild: No
• Proof of Concept: Not publicly disclosed
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required

The vulnerability occurs when an attacker-controlled RDP server sends malicious responses during the RDP handshake or session, overflowing a buffer in the client’s memory. If successfully exploited, the attacker can execute arbitrary code with the same privileges as the user running the RDP client.

If the user has administrative privileges, the attacker can gain full control over the client system, access sensitive data, and potentially use the compromised client as a pivot point to infiltrate the organization’s network.

CVE-2025-29967: Remote Desktop Gateway Service Remote Code Execution Vulnerability

Similar to CVE-2025-29966, this vulnerability involves a heap-based buffer overflow, but it affects the Remote Desktop Gateway (RD Gateway) Service.

• Impact: Remote Code Execution
• Severity: Critical
• Weakness: CWE-122 (Heap-based Buffer Overflow)
• CVSS v3.1 Score: 8.8 (High)
• Exploited in the Wild: No
• Proof of Concept: Not publicly disclosed
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None

An attacker can send specially crafted requests to the RD Gateway, causing memory corruption. If successful, the attacker could execute arbitrary code on the server hosting the RD Gateway Service.

Targeted Environments:

• Enterprise businesses using RD Gateway for secure remote access
• Managed Service Providers (MSPs) providing remote desktop services to clients
• Educational institutions using RD Gateway for remote learning systems
• Healthcare facilities managing patient data systems remotely

Attackers could leverage compromised RD Gateways to install persistent malware, exfiltrate data, or deploy ransomware across connected networks. This attack path is particularly concerning for MSPs, as compromising a single gateway could impact multiple client networks.

Impact Analysis:
Both vulnerabilities can lead to remote code execution, enabling attackers to gain full control of targeted systems. While the client-side vulnerability (CVE-2025-29966) can serve as a foothold for further network infiltration, the server-side vulnerability (CVE-2025-29967) poses a higher risk due to its potential to compromise centralized access points like RD Gateways.

Organizations using both vulnerable clients and servers are at greater risk, as attackers could use one compromised component to target the other, amplifying the impact. Prompt patching and heightened monitoring of RDP connections are crucial to mitigating these threats.

Microsoft – April 2025 Windows Update

Microsoft has confirmed that the April 2025 Windows security update creates a new, empty folder named inetpub and has advised users not to delete it. The inetpub folder is typically associated with Internet Information Services (IIS), a web server platform that can be enabled through the Windows Components dialog to host websites and web applications.

However, after installing the update, many Windows 10 and 11 users discovered the C:\inetpub folder on their systems, created by the SYSTEM account, even though IIS was not installed. While deleting the folder did not cause any noticeable issues during tests, Microsoft maintains that it was intentionally created and should not be removed.

Additionally, some users reported that the April Cumulative Update fails to install if the C:\inetpub directory is created before the update is applied.

Microsoft has not clearly explained the purpose of the folder but has updated its advisory for the Windows process activation privilege escalation vulnerability to warn against deleting the inetpub folder, regardless of whether IIS services are running. This change is described as part of a security enhancement that does not require any action from IT administrators or end users.

The security update also addresses CVE-2025-21204, a vulnerability caused by improper link resolution before accessing a file (“link jumping”) in the Windows Update Center stack.

On unpatched devices, Windows Update Center may follow symbolic links, allowing local attackers to manipulate the system to access or modify files or folders without authorization. Microsoft warns that exploiting this vulnerability could allow local attackers with low privileges to elevate their privileges and perform file operations under the NT AUTHORITY\SYSTEM account.

If the inetpub folder was deleted due to concerns about its origin, it can be recreated by navigating to the Windows Control Panel, selecting “Add or Remove Components,” and installing Internet Information Services. This process will recreate the inetpub folder at the root of the C: drive, now populated with IIS files.

If IIS is not in use, it can be uninstalled via the same Windows Features control panel. After a system restart, the software will be removed, but the inetpub folder will remain. Microsoft assures that this method will restore the folder with the same level of security as intended by the recent update.

Google Chrome

The latest version of Google Chrome includes fixes for eight security vulnerabilities. Many of these issues were identified through automated testing using tools like AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL.

No critical vulnerabilities were found that could bypass all layers of browser protection and execute code outside the sandbox environment. However, the most notable vulnerability is a heap buffer overflow in HTML, identified as CVE-2025-4096.

The vulnerability likely stems from a flaw in Chrome’s HTML parsing and rendering engine. Specifically, the browser fails to properly handle and validate user-input data in HTML, such as malformed or oversized input, leading to a buffer overflow condition. This could allow an attacker to execute arbitrary code on the victim’s system, potentially enabling further malicious activities like escalating privileges, lateral movement within a network, or data exfiltration.

Mozilla Firefox

Firefox 138 includes fixes for 14 security vulnerabilities, with six of them related to memory handling issues, such as buffer overflows and access to freed memory areas. These flaws could potentially allow attackers to execute malicious code by luring users to open specially crafted web pages.

Another noteworthy vulnerability involves the “copy as cURL” function in the web development tools, where improper handling of special characters allows attackers to substitute their own commands.

The most significant vulnerability in this update is a Privilege Escalation in Firefox Updater, identified as CVE-2025-2817. The vulnerability is rooted in improper handling of file-locking behavior in the Firefox update mechanism. The updater fails to adequately validate and restrict access to SYSTEM-level file operations, allowing a medium-integrity user process to manipulate file-locking behavior and inject code into a user-privileged process.

This could enable an attacker to escalate privileges and perform SYSTEM-level file operations on paths controlled by a non-privileged user. For instance, an attacker could leverage this flaw to gain initial access to a system and then use other vulnerabilities to further escalate privileges, move laterally within the network, or exfiltrate sensitive data.

The Privilege Escalation in Firefox Updater underscores the importance of proper access control and validation in software update mechanisms, illustrating how a seemingly minor file-locking issue can be exploited to gain elevated privileges and access sensitive data.

Android

Google has also released its monthly security updates for Android, addressing 46 vulnerabilities, including one that has reportedly been exploited in the wild.

CVE-2025-27363 is a critical flaw with a CVSS score of 8.1 that affects the System component and could lead to local code execution without additional execution privileges or user interaction. The issue is related to the FreeType open-source font rendering library and involves an out-of-bounds write error when parsing TrueType GX files and variable fonts.

The vulnerability was first reported by Meta in March 2025 after being exploited in the wild. It has since been resolved in FreeType versions above 2.13.0.

While Google has indicated that CVE-2025-27363 may have been exploited in limited, targeted attacks, specific details about the attacks remain unknown. The May update also addresses eight other Android vulnerabilities and 15 vulnerabilities in the Framework module, which could potentially lead to privilege escalation, information disclosure, or denial of service.

Google urges all users to update to the latest Android version promptly to mitigate these risks.

WordPress

The cyber underground is now targeting a second critical vulnerability in the OttoKit plugin for WordPress to hijack websites. Researchers from Defiant have issued a warning about the exploitation of this new vulnerability, which follows a similar attack less than a month ago involving another flaw in the same plugin.

OttoKit: All-in-One Automation Platform (formerly SureTriggers) has been installed over 100,000 times and enables website administrators to automate tasks by integrating applications, websites, and other plugins.

In early April, attackers exploited CVE-2025-3102, a vulnerability in unconfigured OttoKit installations that allowed them to create new administrative accounts and take control of vulnerable websites.

Now, Defiant is warning of another critical vulnerability in the plugin, identified as CVE-2025-27007 with a CVSS score of 9.8. This flaw allows unauthorized attackers to connect to vulnerable websites through the create_wp_connection() function, which fails to properly verify user authentication, enabling attackers to escalate privileges.

However, successful exploitation requires specific conditions. The website must never have enabled or used the application password, and OttoKit/SureTriggers must never have previously connected to the site using the application password. If these conditions are met, an attacker could exploit the vulnerability without knowing a valid username.

For sites that have already connected to the plugin using the application password, unauthenticated connections should not be possible.

Apache Parquet

Researchers at F5 Labs have released a tool on GitHub to test the exploitation of a critical Apache Parquet vulnerability identified as CVE-2025-30065, making it easier to identify vulnerable servers. According to the researchers, previous proof-of-concept (PoC) attempts were either ineffective or non-functional in practice. The newly released tool serves as a practical demonstration of exploiting CVE-2025-30065, allowing administrators to assess their systems and mitigate potential risks. The vulnerability was disclosed on April 1, 2025, by Amazon researcher Keyi Lee and classified as a remote code execution (RCE) flaw. It affects all versions of Apache Parquet up to and including 1.15.0. Technically, CVE-2025-30065 is a deserialization vulnerability in the parquet-avro module of Apache Parquet Java. The flaw allows the library to create unrestricted Java classes when reading Avro data embedded in Parquet files, enabling potential exploitation. On April 2, 2025, Endor Labs issued an advisory warning of the potential risks associated with the vulnerability, particularly for systems importing Parquet files from external sources.

Subsequent analysis by F5 Labs determined that the vulnerability is not a complete deserialization RCE but could still be exploited under specific conditions. Exploitation is possible if the created class has side effects during instance creation, such as initiating a network request to a server controlled by an attacker. However, researchers concluded that practical exploitation is challenging and of limited value to attackers. While Parquet and Avro are widely used, exploiting this vulnerability requires a unique set of conditions that are unlikely to occur in most environments. Even if those conditions are met, the vulnerability only allows the creation of a Java object instance with a side effect that could be useful to an attacker. Despite the low likelihood of exploitation, the risk remains significant for organizations that process Parquet files from untrusted or external sources.

To address this risk, F5 Labs developed the Canary Exploit tool, which triggers an HTTP GET request by creating an instance of javax.swing.JEditorKit, enabling users to verify whether their systems are vulnerable. In addition to using the tool, it is recommended to update Apache Parquet to version 15.1.1 or later and configure the org.apache.parquet.avro.SERIALIZABLE_PACKAGES parameter to limit the packages permitted for deserialization.

Apple

Apple has issued emergency updates to address two zero-day vulnerabilities exploited in what the company describes as an “extremely sophisticated attack” targeting a select group of iPhone users. The vulnerabilities, CVE-2025-31200 in CoreAudio and CVE-2025-31201 in RPAC, affect iOS, macOS, tvOS, iPadOS, and visionOS.

CVE-2025-31200, discovered by Apple and Google’s Threat Analysis Group, can be exploited by processing malicious media files to execute remote code on a device. Apple also addressed CVE-2025-31201, which allows attackers with read or write access to bypass Pointer Authentication (PAC), an iOS security feature that helps protect against memory corruption.

Both vulnerabilities have been patched in iOS 18.4.1, iPadOS 18.4.1, tvOS 18.4.1, macOS Sequoia 15.4.1, and visionOS 2.4.1. Affected devices include iPhone XS and later, iPad Pro 13-inch and 13.9-inch (3rd generation), iPad Pro 11-inch (1st generation), iPad Air (3rd generation), iPad (7th generation), iPad mini (5th generation and later), Apple TV HD, Apple TV 4K (all models), and Apple Vision Pro.

Despite the targeted nature of the attacks, Apple urges all users to install the updates as soon as possible. The company has not disclosed specific details regarding how the vulnerabilities were exploited.

Researchers at Oligo Security have also disclosed vulnerabilities in the AirPlay protocol and SDK, collectively known as AirBorne, which enable zero-click remote code execution (RCE), man-in-the-middle (MITM) attacks, and denial-of-service (DoS) attacks on unpatched Apple and third-party devices. The vulnerabilities can also be exploited to bypass Access Control Lists (ACLs) and access sensitive information and local files.

Oligo identified 23 vulnerabilities and informed Apple, which released patches on March 31 for iPhone and iPad iOS 18.4 and iPadOS 18.4, Mac macOS Ventura 13.7.5, macOS Sonoma 14.7.5, macOS Sequoia 15.4, and visionOS 2.4. Updates were also applied to the AirPlay Audio SDK, AirPlay Video SDK, and CarPlay Communication Plug-in.

Seventeen CVE identifiers have been assigned to these vulnerabilities, and Apple has worked with Oligo to address them in recent software versions. While AirBorne can only be exploited by attackers on the same network using wireless or peer-to-peer connections, the vulnerabilities could allow compromised devices to serve as a launching point for attacks on other AirPlay-enabled devices on the network.

Oligo researchers demonstrated how attackers could exploit CVE-2025-24252 and CVE-2025-24132 for worm-capable RCEs. CVE-2025-24206, a user interaction bypass vulnerability, allows attackers to bypass the “accept” button requirement for AirPlay requests and can be combined with other vulnerabilities for zero-click attacks.

CVE-2025-24271, an ACL vulnerability that allows unauthenticated attackers to send AirPlay commands without pairing, may be related to CVE-2025-24137, which was patched in January 2025 for one-click RCE. The stacked buffer overflow vulnerability CVE-2025-24132 can be exploited for one-click RCE on speakers and receivers using the AirPlay SDK, regardless of their configuration, and could be used to create malware worms.

Given that AirPlay is widely used across Apple devices and third-party products, these vulnerabilities could have significant implications. Apple estimates that there are over 2.35 billion active Apple devices worldwide, while Oligo suggests tens of millions of third-party devices are also AirPlay-enabled, excluding CarPlay systems in vehicles.

Linux

ARMO researchers have identified a serious vulnerability in Linux runtime security related to the io_uring interface that enables rootkits to operate undetected, bypassing advanced security tools. To demonstrate the feasibility of attacks leveraging io_uring to evade detection, the researchers developed an experimental rootkit called Curing.

Introduced in 2019 with Linux 5.1, io_uring is a kernel interface designed for efficient asynchronous I/O operations, addressing the performance limitations of traditional I/O methods. Instead of relying on system calls that can cause processes to hang, io_uring uses ring buffers shared between programs and the kernel to queue I/O requests, which are processed asynchronously.

According to ARMO, the vulnerability arises because most security tools focus on tracking suspicious system calls and intercepts (such as ptrace or seccomp) while ignoring io_uring-related operations, creating a blind spot.

The researchers highlight that io_uring supports 61 types of operations, including reading and writing files, establishing network connections, spawning processes, modifying file permissions, and reading directory contents, making it a powerful vector for rootkit deployment. The risk is considered significant enough that Google has disabled io_uring by default in Android and ChromeOS, which use the Linux kernel and inherit its vulnerabilities.

ARMO’s experimental rootkit, Curing, uses io_uring to receive commands from a remote server and execute arbitrary operations without triggering system calls. Tests showed that most existing runtime security tools, including Falco and Tetragon, failed to detect io_uring-based operations, as they rely primarily on system call monitoring.

In further testing of commercial security tools, ARMO confirmed the inability to detect io_uring-based malware that interacts with the kernel without involving system calls. However, ARMO did not disclose which specific commercial tools were tested.
For those interested in assessing their own systems, ARMO has made Curing publicly available on GitHub. The researchers suggest that the vulnerability could be addressed by implementing the KRSI kernel runtime security toolkit, which allows eBPF programs to monitor security-related kernel events.

ASUS

ASUS has released a patch for a critical vulnerability in American Megatrends International’s (AMI) MegaRAC Baseboard Management Controller (BMC) software, identified as CVE-2024-54085. This zero-day vulnerability, which has a maximum severity rating, affects server hardware from multiple vendors, including HPE, ASUS, and ASRock.

According to Eclypsium, attackers can exploit the vulnerability by gaining access to remote management interfaces (Redfish) or the internal host of the BMC interface. Successful exploitation allows attackers to remotely control compromised servers, deploy malware, modify firmware, disable motherboard components such as the BMC or BIOS/UEFI, and initiate continuous reboot cycles that the victim cannot interrupt. In some cases, the flaw could potentially cause physical damage to affected servers.

AMI initially released a bulletin with fixes on March 11, 2025, but it took some time for affected OEMs to implement the patches in their products. ASUS has now announced fixes for the following four affected motherboard models, along with the recommended BMC firmware versions:

• PRO WS W790E-SAGE SE – Version 1.1.57
• PRO WS W680M-ACE SE – Version 1.1.21
• PRO WS WRX90E-SAGE SE – Version 2.1.28
• PRO WS WRX80E-SAGE SE WIFI – Version 1.34.0

Given the severity of the vulnerability and the risk of remote exploitation, users are strongly advised to update to the latest firmware versions as soon as possible

Python

A critical vulnerability identified as CVE-2025-32434 has been discovered in PyTorch, affecting all versions up to and including 2.5.1. The issue, reported by information security researcher Jian Zhou, has been fixed in version 2.6.0. The vulnerability carries a CVSS score of 9.3, indicating a critical risk level, and allows attackers to execute arbitrary code without user interaction. The only condition is that the attacker’s model is loaded, even with the supposedly safe parameter weights_only=True.

For a long time, weights_only=True was considered a secure alternative to unsafe deserialization using pickle, a recommendation emphasized in PyTorch’s official documentation. However, the discovered exploit demonstrates that it is still possible to inject and execute code in this mode. This revelation is particularly concerning given that many developers have relied on this setting as a primary defense mechanism when working with models from unverified sources.

The PyTorch team strongly advises updating the library to version 2.6.0 immediately. If an update is not feasible, users should avoid using torch.load() with external files and implement additional model content verification.

SSH

A critical vulnerability identified as CVE-2025-32433 has been discovered in the SSH implementation of the Erlang/Open Telecom Platform (OTP), allowing attackers with network access to execute arbitrary code without authentication under specific conditions. The vulnerability has been assigned a CVSS score of 10.0, indicating the highest severity level.

The vulnerability arises from improper handling of SSH protocol messages, allowing an attacker to send connection protocol messages before authentication. If successfully exploited, the flaw could lead to arbitrary code execution in the context of the SSH daemon. If the SSH daemon is running with root privileges, the attacker could gain full control of the affected device, potentially leading to unauthorized access, data manipulation, or denial of service.

All SSH servers based on the Erlang/OTP SSH library are likely affected by CVE-2025-32433. Affected users are advised to update to the patched versions: OTP-27.3.3.3, OTP-26.2.5.11, and OTP-25.3.2.2.20. As a temporary workaround, firewall rules can be implemented to restrict access to vulnerable SSH servers.

Researchers from Qualys describe the vulnerability as highly critical, potentially enabling attackers to install ransomware or steal sensitive data. Erlang is widely used in high-availability systems due to its parallel processing capabilities, and many Cisco and Ericsson devices rely on it. Any service using the Erlang/OTP SSH library for remote access, particularly in OT/IoT and edge computing devices, is vulnerable. Upgrading to a patched version or a vendor-supported version will mitigate the risk. Restricting SSH port access to authorized users is also recommended.

The severity of the vulnerability has escalated with the release of publicly available exploits. Peter Girnus of the Zero Day Initiative and researchers from Horizon3 have privately developed remote code execution exploits, describing the vulnerability as surprisingly easy to exploit. Shortly after, ProDefense published a proof of concept (PoC) on GitHub, followed by an anonymous exploit posted on Pastebin, both of which rapidly spread through social media.

The widespread availability of exploits is expected to accelerate the scanning and targeting of vulnerable systems. Shodan scans have identified over 600,000 IP addresses running Erlang/OTP, but researchers believe most are running CouchDB, which is not affected by the vulnerability. An Apache CouchDB spokesperson confirmed that CouchDB does not utilize SSH server or client functions from Erlang/OTP, mitigating the risk for those systems. However, the overall threat remains significant given the number of devices potentially exposed to exploitation.

Cisco

Cisco has confirmed that several of its products are affected by the critical Erlang/OTP remote code execution vulnerability CVE-2025-32433, which was discovered by researchers at Ruhr University in Bochum, Germany. The vulnerability is described as a message handling flaw in the SSH protocol that could allow unauthorized attackers to gain access to vulnerable systems and execute arbitrary code.

Arctic Wolf also analyzed the scope of the exposure, noting that in addition to Ericsson and Cisco, other companies using Erlang/OTP include National Instruments, Broadcom, EMQ Technologies, Very Technology, Apache Software Foundation, and Riak Technologies. However, in most cases, these implementations require a separate Erlang/OTP installation.

Cisco is currently assessing the impact of CVE-2025-32433 across a wide range of products, including routing, switching, unified computing, network management, and networking applications. Thus far, the company has confirmed that the following products are affected:

• ConfD
• Network Services Orchestrator (NSO)
• Smart PHY
• Intelligent Node Manager
• Ultra Cloud Core

Cisco noted that while ConfD and NSO are affected by the vulnerabilities, they are not vulnerable to remote code execution due to their specific configurations. Patches for these products are expected to be released in May.

Lantronix XPort

A critical vulnerability in Lantronix XPort devices could be exploited to remotely compromise systems in sectors such as energy, transportation, and industrial control, according to a warning issued by CISA. The vulnerability involves a lack of authentication in the device’s configuration interface, allowing attackers to gain unauthorized access.

Lantronix XPort is widely used globally in sectors including manufacturing, transportation, water and power management, traffic control, and surveillance systems. According to Microsec researcher Suvik Kandar, who discovered the vulnerability, XPort is also prevalent in the oil and gas sector, particularly in fuel management systems at gas stations.

Kandar identified over 1,400 instances of XPort devices accessible on the Internet, with more than 300 located in oil and gas infrastructure, including fuel management systems. He warned that exploiting the vulnerability could allow attackers to gain full remote control over the device, including access to configuration and operational parameters. This could also enable attackers to infiltrate other connected systems on the network, potentially disrupting critical infrastructure operations.

In the energy sector, particularly at gas stations, exploitation of the flaw could impact automatic tank gauging (ATG) systems, causing service interruptions and financial losses.

Given the widespread deployment of XPort devices and the number of exposed instances, the vulnerability presents a significant cybersecurity threat to energy infrastructure, especially in gas and fuel distribution systems.

To mitigate the risk, Lantronix has released firmware update v8.0.0.0 for XPort, designed to enhance security and prevent unauthorized access.

Windows Task Scheduler

Researchers at Cymulate have identified four vulnerabilities in a key component of the Microsoft Windows Task Scheduler that could allow local attackers to escalate privileges and erase logs to conceal malicious activity. The flaws are located in the schtasks.exe binary, which enables administrators to create, modify, and manage scheduled tasks on both local and remote systems.

The primary vulnerability involves a User Account Control (UAC) bypass that enables attackers to execute SYSTEM-level commands without user authorization. By exploiting this flaw, attackers can gain elevated privileges and run malicious code with administrator rights, potentially leading to unauthorized access, data theft, or further system compromise.

According to Cymulate, the issue occurs when an attacker creates a scheduled task using a batch login (password-based authentication) instead of an interactive token. This causes the Task Scheduler service to grant the running process the highest level of privileges allowed. However, for this attack to succeed, the attacker must first obtain the password by methods such as cracking the NTLMv2 hash after authenticating to an SMB server or exploiting vulnerabilities like CVE-2023-21726.

As a result, a low-privilege user can exploit the schtasks.exe binary to impersonate higher-privileged groups such as Administrators, Backup Operators, and Performance Log Users, provided they have a known password.

Additionally, creating a scheduled task using the Batch Logon authentication method via an XML file can enable two security bypass techniques that allow attackers to overwrite event logs, effectively erasing evidence of prior malicious activity and potentially causing log overflow.

Cymulate emphasizes that the first discovered vulnerability is more than just a UAC bypass; it effectively allows attackers to impersonate any user using their command-line interface password to escalate privileges to the maximum level granted in the task.

Industrial Control Systems

Industrial control system security advisories have been released for vulnerabilities affecting products from Siemens, Schneider Electric, Rockwell Automation, and ABB.

Siemens issued nine new advisories, including a recommendation to replace the Sentron 7KT PAC1260 data manager with the newer PAC1261 model, as the PAC1260 is vulnerable to critical issues allowing file access and arbitrary code execution. No patches are planned for the PAC1260. Siemens also identified a critical authentication vulnerability in Industrial Edge, where a weak authentication mechanism could allow an unauthenticated attacker to bypass authentication and impersonate legitimate users.
Additionally, Siemens alerted customers to IngressNightmare vulnerabilities affecting its Insights Hub private cloud solution and issued notifications regarding patched high-severity issues in Sidis Prime and Solid Edge. Moderate-severity issues have also been addressed in Siemens License Server, ICMP Industrial Devices, and Mendix Runtime.

Schneider Electric released two advisories. One addresses two high-severity vulnerabilities in ConneXium Network Manager, including a flaw that could enable remote code execution and denial-of-service attacks on engineering workstations. The second advisory covers three medium-severity vulnerabilities in Trio Q Licensed Data Radios, which could lead to unauthorized access and data disclosure. Exploitation of these flaws requires physical access to the devices.

Rockwell Automation issued a fact sheet warning of a dozen localized code execution vulnerabilities affecting Arena. Exploiting these vulnerabilities involves convincing the target user to open a malicious file.

ABB released two new bulletins detailing multiple vulnerabilities identified over several years in third-party components used in its Arctic wireless gateways. These vulnerabilities could potentially affect critical infrastructure systems relying on Arctic wireless products.

Fortinet

Fortinet has released patches for 10 vulnerabilities across its product lineup, including a critical flaw in FortiSwitch tracked as CVE-2024-48887. The vulnerability, assigned a CVSS score of 9.3, allows a remote, unauthenticated attacker to change administrator passwords through specially crafted requests sent to the FortiSwitch GUI.

Fortinet recommends disabling HTTP/HTTPS access to administrative interfaces and limiting the number of hosts allowed to connect to mitigate the risk. The vulnerability affects FortiSwitch versions 6.4 through 7.6 and has been resolved in versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1.

Patches have also been released for two high-severity vulnerabilities, CVE-2024-26013 and CVE-2024-50565, which allow unauthenticated attackers to perform man-in-the-middle (MitM) attacks. These vulnerabilities involve intercepting FGFM authentication requests between managed and management devices, enabling attackers to impersonate the managed device (such as a FortiCloud server or FortiManager). The issues stem from improper channel restrictions on intended endpoints and affect products including FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb.

Another severe vulnerability, CVE-2024-54024, affects FortiIsolator and involves an OS command injection flaw that allows an authenticated attacker with Super Administrator privileges and CLI access to execute arbitrary code via specially crafted HTTP requests.

Additionally, Fortinet addressed four moderate-severity issues, including:

• OS command injection in FortiIsolator
• Logging vulnerability in FortiManager and FortiAnalyzer
• Incorrect user management in the FortiWeb widget panel
• Path traversal in FortiWeb

Two low-severity issues were also fixed, including an insufficient credential protection flaw in FortiOS and an incorrect input neutralization vulnerability during web page generation in FortiClient.

While Fortinet has not observed any active exploitation of these vulnerabilities, the company warns that interest from the cyber underground is high and advises users to update affected devices promptly. Further details can be found in Fortinet’s PSIRT advisory.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.

Webinar Recording: April 2025 Vulnerability Digest from Action1