Flaws Exploited by Salt Typhoon Still Unpatched; Update Exchange Servers for Emergency Mitigations; Faulty Zyxel Signature Causes Firewall Issues

Tenable researchers' analysis of Salt Typhoon's activity indicates that at least one of the vulnerabilities exploited by the state-sponsored threat actors remains largely unpatched. More than 90 percent of publicly-exposed Microsoft Exchange Servers are not patched against a critical remote code execution vulnerability, known as ProxyLogon, that was disclosed nearly four years ago. Tenable researchers contrast that number with other vulnerabilities exploited by Salt Typhoon: analysis of unpatched instances of 'Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887) ... found that these devices were fully remediated in over 92% of cases.'

Microsoft is cautioning users that outdated Exchange servers are unable to receive emergency mitigation definitions due to a deprecated Office Configuration Service certificate type. The Exchange Emergency Mitigation Service (EEMS), which was introduced in September 2021 'automatically applies interim mitigations for high-risk (and likely actively exploited) security flaws to secure on-premises Exchange servers against attacks. It detects Exchange Servers vulnerable to known threats and applies interim mitigations until security updates are released.' Exchange server versions older than 2023 are urged to update so they can receive emergency mitigations.

A faulty Zyxel application signature update is causing issues for USG FLEX and ATP Series firewalls. Zyxel has disabled the problematic application signature on its servers. According to the Zyxel advisory, the bug 'may cause reboot loops, ZySH daemon failures, or login access problems.' The faulty signature was phased out between January 24 and 25. Fixing the problem requires physical access to the firewall and a Console/RS232 cable.

Microsoft has published a reminder that driver synchronization updates via Windows Server Update Services (WSUS) will be deprecated as of April 18, 2025. Microsoft initially announced the deprecation in June 2024, at which time they encouraged users to adopt newer cloud-based driver services. WSUS was introduced in 2005.

On Monday, January 27, Apple released updates to address vulnerabilities in multiple products, including iOS and iPadOS, macOS, Safari, watchOS, tvOS, and visionOS. One of the vulnerabilities addressed in the patch release is an actively exploited use-after-free issue in the CoreMedia component found in multiple products. Apple says it fixed the problem by improving memory management. Apple has also released instructions for updating AirPod firmware.

Researchers from the University of Florida and North Carolina State University have identified nearly 120 vulnerabilities in the LTE / 5G core infrastructure. The flaws affect seven LTE implementations and three 5G implementations, both open source and commercial, and could be exploited to cause 'persistent denial of cell service to an entire metropolitan area or city and [in some cases] remotely compromise and access the cellular core.' The researchers contacted affected maintainers and allowed a minimum of 90 days for patch development before disclosing the issues. In all, the 119 discovered vulnerabilities resulted in 97 unique CVEs. Their whitepaper, 'RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces,' describes their methods and process.

Researcher RyotaK from GMO Flatt Security has disclosed four vulnerabilities that could leak user credentials from GitHub Desktop and other projects involving Git. CVE-2024-53858, CVSS score 6.5, allows the GitHub command line interface to leak an access token to an arbitrary host through recursive repository cloning; CVE-2025-23040, CVSS score 6.6, could give an attacker access to user credentials via a "maliciously crafted remote URL"; CVE-2024-50338, CVSS score 7.4, allows a malicious repository to leak credentials due to a mismatch in how .NET and Git interpret a carriage return; and CVE-2024-53263, CVSS score 8.5, exploits Git LFS to leak credentials by using a specially crafted HTTP URL. Updating to the latest versions of GitHub Desktop and Git-related projects will patch the flaws. RyotaK concludes by noting that "text-based protocols are often vulnerable to injection, and a small architecture flaw can lead to a big security issue."

UnitedHealth has confirmed that the number of individuals affected by the February 2024 Change Healthcare breach is now estimated to be 190 million. An earlier estimate placed that number at 100 million. When the final number of affected people is determined, that information will be reported to the US Department of Health and Human Services Office for Civil Rights. The attackers were able to access the Change healthcare system using stolen account credentials; the targeted account was not protected with multi-factor authentication (MFA). The compromised data include names, addresses, government identity documents, medical diagnoses, test results, and health insurance information. A January 16 report from UnitedHealth includes information about incurred breach-related costs.

The British Museum temporarily closed some exhibits and galleries over the weekend after a disgruntled former contractor shut down some of the museum's IT systems. The contractor was dismissed prior to the incident and was arrested after entering the museum on January 23, accessing an area without authorization, and 'caus[ing] damage to the museum's security and IT systems.'

Sam Curry and Shubham Shah have released a report demonstrating a now-patched vulnerability in Starlink, Subaru's multipurpose onboard services system, that would have allowed an attacker to remotely manipulate any vehicle and exfiltrate data given the owner's last name and "ZIP code, email address, phone number, or license plate." The researchers accessed an employee admin portal through JavaScript flaws in the login process, and bypassed 2FA on the site by simply removing the UI overlay. Any attacker with this access could perform remote operations on the vehicle, starting or stopping the engine, locking or unlocking the doors, and tracking the vehicle's current location and past 12 months of location history, as well as steal extensive customer PII and data about the vehicle's status and history, all without alerting the owner. Subaru patched the flaw within 24 hours of its report.

On January 26, Swedish authorities received word from Latvia that an undersea fiber optic cable belonging to the Latvian State Radio and Television Center (LVRTC), had taken "significant" external damage. Within hours Sweden seized and boarded a cargo ship named the Vezhen, sailing under the flag of Malta, suspected of causing the damage; the Swedish Security Service alongside "the National Operations Department of the Police, the Coast Guard and the Swedish Armed Forces" are investigating, but no further information has been released. The cable in question runs in the Baltic Sea from the town of Ventspils in Latvia to Gotland Island in Sweden, and is the third Baltic Sea cable to be damaged in just over a month. On January 22, Finland's lead investigator into the severing of two undersea cables by an oil tanker on December 25, 2024, stated that the National Bureau of Investigation "suspects intent, but is still evaluating it."