April Patch Tuesday news: Windows zero day being exploited, ‘big vulnerability’ in 2 SAP apps

by CybrGPT

There are several critical fixes for CISOs to worry about — and why were Microsoft patches later than expected?


A threat actor is exploiting a zero-day elevation of privileges vulnerability in the Windows Common Log File System to deploy ransomware, one of a number of critical holes Microsoft plugged today as part of its April Patch Tuesday releases.

“The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,” Microsoft said, as it released a total of 126 fixes.

The exploit of the vulnerability (CVE-2025-29824) has been deployed by a threat actor Microsoft calls Storm-2460, which has also been seen spreading ransomware via the PipeMagic backdoor.

Microsoft hasn’t determined how devices were initially compromised. But this group has used certutil, a legitimate Windows utility for managing and verifying certificates, to download a file from a legitimate third-party website that had previously been compromised to host the threat actor’s malware.
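A defender-side check for the certutil behaviour described above, added here as an example and not code from the article, Microsoft or Fortra: it scans process-creation events for certutil.exe launched with a literal http(s) URL on its command line, which routine certificate work rarely needs. The event format, host names and URLs are constructed for the example.

```python
import re

# Constructed process-creation events in a flattened "key=value" form, roughly
# what a Sysmon Event ID 1 or Windows 4688 record looks like once normalised.
# Sample data written for this example, not telemetry from the incident.
SAMPLE_EVENTS = [
    "host=ws01 Image=C:\\Windows\\System32\\certutil.exe ParentImage=C:\\Windows\\System32\\cmd.exe "
    "CommandLine=\"certutil.exe -f https://files.example.invalid/pkg.dat C:\\Users\\Public\\pkg.dat\"",
    "host=ws01 Image=C:\\Windows\\System32\\certutil.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=\"certutil.exe -verify -urlfetch C:\\certs\\server.cer\"",
    "host=srv02 Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe "
    "CommandLine=\"cmd.exe /c whoami\"",
    "host=ws03 Image=C:\\Windows\\SysWOW64\\certutil.exe "
    "ParentImage=\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" "
    "CommandLine=\"CERTUTIL.EXE http://203.0.113.10/a.txt a.txt\"",
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)

def parse_event(line):
    """Split one flattened event into a dict, dropping the surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_certutil_remote_fetch(event):
    """True when certutil.exe runs with an explicit http(s) URL argument.
    Normal certutil use works on local files or on URLs already embedded in a
    certificate, so a literal URL on the command line deserves a look."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    return image.endswith("\\certutil.exe") and URL_RE.search(cmd) is not None

def find_suspicious_certutil(lines):
    """Return (host, parent process, url) for every matching event."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_certutil_remote_fetch(ev):
            url = URL_RE.search(ev["CommandLine"]).group(0)
            hits.append((ev.get("host"), ev.get("ParentImage"), url))
    return hits

if __name__ == "__main__":
    for host, parent, url in find_suspicious_certutil(SAMPLE_EVENTS):
        print(f"{host}: certutil fetched {url} (parent: {parent})")
```

The parent process is reported because certutil spawned by an Office application or a script host is a stronger signal than certutil run from an administrator’s console.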

Also today, CISOs with SAP systems in their environments were warned to patch a critical code injection vulnerability in SAP System Landscape Transformation (SLT) and S/4HANA.

It was one of 20 new and updated SAP Security Notes in its April Patch Day, including three Hot News Notes and five High Priority Notes.

“This is huge,” Paul Laudanski, director of security research at Onapsis, said in urging CISOs to act fast on applying the SAP patch. “It’s a pretty big vulnerability.”

He doesn’t believe the patch requires either SAP application to be rebooted.

More on SAP patches later.

Make fixing CLFS a priority

Applying the patch for Windows Common Log File System (CLFS) should be considered a priority for security teams, said Tyler Reguly, associate director of security R&D at Fortra.

“I was recently discussing CLFS vulnerabilities and how they seem to come in waves,” he said in an email. “When a vulnerability in CLFS is patched, people tend to dig around and look at what’s going on, and come across other vulnerabilities in the process. If I was a gambler, I would bet on CLFS appearing again next month.”

CISOs should view this vulnerability “as a serious threat,” Mike Walters, president of Action1, told CSO in an email, “as it impacts the organization’s overall security posture—not just isolated systems—making it a priority for immediate attention and remediation.”

He also noted that patches for this vulnerability are not yet available for Windows 10 (either x64-based or 32-bit systems). Admins should closely monitor for updates and apply them as soon as they become available, he advised.  

Walters also said that CISOs should pay attention to two groups of remote access fixes:

  • for Windows Remote Desktop Services there are patches for two vulnerabilities (CVE-2025-27482, CVE-2025-27480).
    “These critical flaws open the door for attackers to remotely execute malicious code, paving the way for unauthorized access and lateral movement within an organization’s network,” he said. “Given that Remote Desktop is a widely used access point, CISOs should view these vulnerabilities as high-risk—potentially exposing entire infrastructures to compromise.”
    These CVEs are currently not exploited, he said, but the potential for exploitation is high due to the critical nature of Remote Desktop in enterprise environments. Attackers could exploit these vulnerabilities to gain remote access to systems, using them as an entry point for more extensive attacks within the network, he said;
  • for remote code execution vulnerabilities in Microsoft Office (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745).
    “Given the widespread use of Microsoft Office in enterprises, these vulnerabilities pose a significant risk of widespread compromise and are a top concern for CISOs due to their potential impact on enterprise-wide security,” he said. These vulnerabilities aren’t currently being exploited in the wild, he added, but the likelihood of exploitation is high—particularly through phishing campaigns, which remain a common and effective attack vector. 

Patches for Microsoft Office LTSC for Mac 2021 and 2024 aren’t immediately available. Walters said admins should monitor for updates and apply them as soon as possible.

Tyler Reguly of Fortra also said the Microsoft patches released this month show that CVSS severity is not necessarily the best metric for prioritization. The CLFS vulnerability, which Fortra helped discover, has a base score of 7.8, while another vulnerability that he advises CISOs to pay attention to, CVE-2025-27472, only has a base score of 5.4.

In the case of Microsoft patches, prioritization is better done utilizing the Microsoft Exploitability Index and focusing on vulnerabilities with an index of 0 (Exploitation Detected) or 1 (Exploitation More Likely), Reguly advises.

CVE-2025-27472 describes a vulnerability in Mark of the Web (MOTW) that allows for the potential bypass of SmartScreen. Microsoft has listed this vulnerability as Exploitation More Likely, and it is common to see MOTW vulnerabilities utilized by threat actors. “I wouldn’t be surprised if this is a vulnerability that we see exploited in the future,” he added.
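The prioritization rule Reguly describes, written out as an added example (not code from the article or from Fortra): rank advisories by Microsoft Exploitability Index first and let CVSS only break ties, so a 5.4 rated “Exploitation More Likely” outranks a 9.8 rated “Exploitation Unlikely”. The scores for CVE-2025-29824 and CVE-2025-27472 are the ones the article gives; the CVE-EXAMPLE entries and the per-platform patch-availability flag are constructed.

```python
from dataclasses import dataclass

# Microsoft Exploitability Index values; lower means more urgent.
EXPLOITATION_DETECTED = 0
EXPLOITATION_MORE_LIKELY = 1
EXPLOITATION_LESS_LIKELY = 2
EXPLOITATION_UNLIKELY = 3

@dataclass(frozen=True)
class Advisory:
    cve: str
    platform: str
    cvss: float            # CVSS base score
    exploitability: int    # Exploitability Index value
    patch_available: bool  # False when the vendor has not shipped a fix yet

def urgency(adv):
    """Sort key: Exploitability Index first; CVSS only breaks ties."""
    return (adv.exploitability, -adv.cvss)

def tier(adv):
    """Bucket an advisory for the patch queue."""
    if adv.exploitability > EXPLOITATION_MORE_LIKELY:
        return "schedule"
    return "patch-now" if adv.patch_available else "mitigate-and-watch"

def prioritize(advisories):
    """Return (cve, platform, tier) in the order the work should be done."""
    return [(a.cve, a.platform, tier(a)) for a in sorted(advisories, key=urgency)]

# Scores for the two real CVEs are from the article; everything else is constructed.
SAMPLE = [
    Advisory("CVE-EXAMPLE-0001", "Windows 11", 9.8, EXPLOITATION_UNLIKELY, True),
    Advisory("CVE-2025-27472", "Windows 11", 5.4, EXPLOITATION_MORE_LIKELY, True),
    Advisory("CVE-2025-29824", "Windows 10", 7.8, EXPLOITATION_DETECTED, False),
    Advisory("CVE-2025-29824", "Windows 11", 7.8, EXPLOITATION_DETECTED, True),
    Advisory("CVE-EXAMPLE-0002", "Windows 11", 7.5, EXPLOITATION_LESS_LIKELY, True),
]

if __name__ == "__main__":
    for cve, platform, bucket in prioritize(SAMPLE):
        print(f"{bucket:18} {cve} ({platform})")
```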

Satnam Narang, Tenable’s senior staff research engineer, noted that while most of the focus of each Patch Tuesday trends towards remote code execution flaws, historical data has shown that the majority of zero-day vulnerabilities exploited in the wild over the last two years were elevation of privilege (EoP) flaws. This year alone, over half of zero-days exploited in the wild were EoP bugs. So, he said, CISOs should ensure prioritization of patching privilege escalation bugs, such as CVE-2025-29812, CVE-2025-27727 and CVE-2025-29824, because it’s clear that attackers will use any means necessary to breach a network, and elevating privileges once inside is a key priority.

More on SAP fixes

The critical code injection vulnerability in the two SAP applications (SAP Security Notes #3587115 and #3581961) “could be a gold mine for attackers,” said Paul Laudanski of Onapsis.

The applications are susceptible to an attack that lets an attacker run SAP’s ABAP (Advanced Business Application Programming) code, he said.

“Looking at the vector again, the privileges required is set to Low, which means a basic account authentication would be required,” he noted.  An attacker would want to target an account they could take over and then utilize to effect the injection attack leading to full compromise.

The other SAP Security Note CISOs should pay attention to is #3572688, he said, which is tagged with a CVSS score of 9.8. It patches an authentication bypass vulnerability in SAP Financial Consolidation. Due to an improper authentication mechanism, unauthenticated attackers can impersonate the Admin account, causing high impact on the confidentiality, integrity, and availability of the application.

Google Android fixes

Separately, Malwarebytes reports that Google announced patches for 62 vulnerabilities in Android 13, 14 and 15.  Smartphone and tablet manufacturers were notified at least a month ago to give them time for updates for their devices to be released in the coming days or weeks. Among the fixes, two will plug actively exploited zero-day vulnerabilities.

Delay in releasing Microsoft news

Finally, some experts noted that today’s Microsoft patches were released 40 minutes later than usual. “This is not a big deal; we wouldn’t even notice a delay that small from most organizations,” said Tyler Reguly of Fortra. “But Microsoft isn’t most organizations, and their own punctuality made this delay obvious. Once the patches were released, they contained an FAQ note that Windows 10 security updates were not currently available and would be released as soon as possible with a revision to the CVE to notify customers. This really makes you wonder what went wrong with the Windows 10 updates that they are not presently available.

“As an organization, you need to wonder how long [these] updates will be delayed. Are we talking hours or days? These vulnerabilities have now been announced, malicious actors will be reverse engineering the updates to identify the vulnerabilities and how to exploit them, and Windows 10 users are left without the ability to update. If I was responsible for risk in my organization, I’d probably be a little concerned about this delay. In other words, if I were a CISO, I’d be paying attention to how long this delay persists and how impacted my organization is.”

© 2025 cybrgpt.com – All rights reserved.