Apple Webkit Zero-Day Exploited; Patch Tuesday: Microsoft, Adobe, Apple; Ivanti and VeraCore Flaws Added to KEV

Apple has patched a zero-day vulnerability in the Webkit browser engine after receiving a report of its exploitation in "an extremely sophisticated attack against targeted individuals." CVE-2025-24201, still awaiting CVSS assessment, would allow an attacker to break out of the Web Content sandbox using maliciously crafted web content, due to an out-of-bounds write issue in versions of iOS before iOS 17.2. Apple notes the update "is a supplementary fix for an attack that was blocked in iOS 17.2," fixed in iOS and iPadOS 18.3.2, with improved checks to prevent unauthorized actions. Devices impacted are "iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later." Dan Goodin at Ars Technica posits that "users facing the biggest threat are likely those who are targets of well-funded law enforcement agencies or nation-state spies."

Tuesday, March 11, saw security updates from Microsoft, Adobe, and Apple. Microsoft released updates to address more than 50 vulnerabilities, including six that are already being actively exploited; all six are rated important. Six other vulnerabilities are deemed critical. Adobe released updates to address 35 security issues in a range of their products, including nine issues affecting Reader and Acrobat.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog: three critical flaws affecting Ivanti Endpoint Manager (EPM), and two high-severity flaws affecting Advantive VeraCore. CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, all assigned CVSS score 9.8 by Ivanti and patched in January 2025, allow an attacker to leak sensitive information via absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update. No details of known exploits have been publicly provided. CVE-2024-57968, CVSS score 8.8, allows a remote authenticated user "to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users)," due to an unrestricted file upload vulnerability in Advantive VeraCore before 2024.4.2.1. CVE-2025-25181, CVSS score 7.5, allows a remote user to execute arbitrary SQL commands via the PMSess1 parameter due to an SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0. The Hacker News reports that "the exploitation of VeraCore vulnerabilities has been attributed to likely a Vietnamese threat actor named XE Group." Federal Civilian Executive Branch (FCEB) agencies must apply patches for all five flaws by March 31, 2025.

On March 13, 2025, three UK civil liberties organizations -- the Open Rights Group (ORG), Big Brother Watch, and Index on Censorship -- published a joint open letter to Lord Justice Singh, president of the UK's Investigatory Powers Tribunal (IPT), which on Friday, March 14, 2025 will hold a closed-door hearing of Apple's appeal of an Technical Capability Notice (TCN) to create a backdoor in the company's Advanced Data Protection for the UK government. The organizations mention their involvement in similar cases involving the IPT and TCNs, and urge disclosure of the government's basis for "compel[ling] a private company to undermine the privacy and security of its customers," noting the impossibility of targeted breaks in end-to-end encryption (E2EE). The letter cites a European Court of Human Rights (ECtHR) ruling stating that the harm of obliging E2EE decryption threatens to unacceptably weaken encryption to an extent "not proportionate to the legitimate aims pursued." Finally, the letter argues the IPT's secrecy is unjustified by its obligations and legal precedents, stating that "the public interest lies in conducting this hearing in public."

A Mozilla root certificate is set to expire on Friday, March 14, 2025, which will cut off the functionality and security of Firefox add-ons, signed content, and DRM-protected media playback unless users update to Firefox version 128 (ESR 115.13) or later. According to Mozilla, using Firefox with an expired root certificate puts users at risk from malicious add-ons and revoked or fraudulent security certificates due to out-of-date blocklists and revocation lists, as well as from unavailability of alerts about compromised credentials. Windows, macOS, Linux, and Android users using Firefox or Firefox-based browsers must apply the update, but iOS users do not need to take any action.

PowerSchool has released a February 2025 report by CrowdStrike describing their month-and-a-half-long investigation of the December 2024 data breach of PowerSchool's Student Information System (SIS). CrowdStrike confirmed that the threat actor gained access to the PowerSource portal using a single compromised set of support credentials, using "Maintenance Remote Support operations" to access schools' SIS instances. The threat actor maintained unauthorized access between December 19 and December 28, 2024, and exfiltrated data from "Teachers" and "Students" tables in SIS. System-layer access, malware, and lateral movement to environments outside of PowerSource and SIS were not detected, nor did CrowdStrike observe exfiltrated data for sale on the dark web. The same compromised credentials were used to access the PowerSource portal between August 16 and September 17, 2024, but CrowdStrike cannot confirm this was done by the same threat actor, and "log data did not go back far enough to show whether the August and September activity included unauthorized access to PowerSchool SIS data." The report notes that apart from employing CrowdStrike tools, PowerSchool has deactivated the compromised credential; reset employee and contractor passwords; and secured and limited access to the PowerSource portal, mandating access through a VPN requiring single sign-on and multi-factor authentication.

Juniper Networks has released a bulletin noting updates and mitigations for a vulnerability in Junos OS MX routers that have reached end-of-life (EOL), following Mandiant's discovery of six custom variations of TINYSHELL backdoor malware operating on EOL Junos OS routers. CVE-2025-21590 allows a local attacker with shell access to inject arbitrary code and compromise the device due to an improper isolation or compartmentalization vulnerability in the Junos OS kernel. MandiantÕs report shows how a threat actor tracked as UNC3886 exploited this vulnerability to circumvent the Verified Exec (veriexec) subsystem protecting the OS against unauthorized code and deploy the backdoors. Each of the six backdoors pairs TINYSHELL functionality with a different set of malicious capabilities and activation methods. Mandiant provides Indicators of Compromise (IOCs) and YARA Rules, and recommends organizations update Juniper devices and run the Juniper Malware Removal Tool (JMRT); implement secure authentication; strictly manage network configuration; monitor activity closely; prioritize patching; focus on device lifecycle management; harden security; and "proactively leverage threat intelligence."

Researchers from Kaspersky's Global Research and Analysis Team (GReAT) have noted recent activity attributed to the advanced persistent threat (APT) group dubbed Sidewinder, notably focusing on maritime targets, logistics targets, and the nuclear sector, in spear phishing email campaigns primarily across Africa and South Asia. The targeted lure email contains a DOCX attachment that "uses the remote template injection technique to download an RTF file stored on a remote server controlled by the attacker," then exploiting a known Microsoft Office flaw to install a "Backdoor Loader" which in turn loads Sidewinder's custom "post-exploitation toolkit." CVE-2017-11882, patched since 2017, is a memory corruption vulnerability affecting older versions of Microsoft Office, allowing an attacker to run arbitrary code when objects are not properly handled in memory. Kaspersky urges regular software updates and anti-phishing employee training.

Researchers from Microsoft Threat Intelligence have "identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry" to steal information that can be used to commit financial fraud. In a report published this week, Microsoft Threat Intelligence describes the campaign, which involves fraudulent emails that attempt to manipulate people and organizations in the hospitality industry into performing actions that result in malware being executed. Microsoft writes that "as of February 2025, this campaign is ongoing." The report includes recommendations and detection details.

A case study from Dragos describes how they helped the Littleton (Massachusetts) Electric Light and Water Departments (LELWD) remove Volt Typhoon's presence from their network. In November 2023, the US Federal Bureau of Investigation notified LELWD of intruders in their network. LELWD then brought in Dragos, who determined that the China-based threat actors had had a presence in LELWDÕs network since February 2023. Dragos writes, "the significance of the discovery of this attack is that it highlights that the adversary not only aimed to maintain persistent access to the victim's environment for a long tenure, but also were aiming to exfiltrate specific data related to OT operating procedures and spatial layout data relating to energy grid operations."