In this week’s Security Advisory
- Microsoft’s April Patch Tuesday Release Resolves Exploited CLFS Vulnerability
- Cisco Meraki MX/Z Series and ECE Products Vulnerable to Denial-of-Service Attacks
- Fortinet Patches Critical FortiSwitch Vulnerability
- Ivanti Patches New Vulnerabilities in Endpoint Manager
- SAP Releases April Patch Cycle
- Apache Parquet Vulnerable to Remote Code Execution
- Android Patches Exploited Vulnerabilities in April Patch Cycle
Microsoft’s April Patch Tuesday Release Resolves Exploited CLFS Vulnerability
Microsoft announced patches for 125 vulnerabilities, including a CLFS zero-day that is already being exploited. The vulnerability, tracked as CVE-2025-29824 (CVSS 7.8/10), allows a local user with low privileges to gain SYSTEM privileges without user interaction. The remaining vulnerabilities can lead to remote code execution, privilege escalation, denial of service, spoofing, and security feature bypasses. It is essential to make these vulnerabilities a priority for patching.
Affected Versions
- A full list of affected versions can be found in the references linked below.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://www.securityweek.com/microsoft-patches-125-windows-vulns-including-exploited-clfs-zero-day/
- https://www.bleepingcomputer.com/news/security/microsoft-windows-clfs-zero-day-exploited-by-ransomware-gang/
Cisco Meraki MX/Z Series and ECE Products Vulnerable to Denial-of-Service Attacks
Cisco released patches for two new high-severity vulnerabilities, both of which are denial-of-service issues. The first, CVE-2025-20212 (CVSS 7.7/10), is found within the AnyConnect VPN server on Cisco Meraki MX and Z series devices; an attacker would need valid VPN credentials to exploit it. The second, CVE-2025-20139 (CVSS 7.5/10), affects Cisco ECE and could allow a remote unauthenticated attacker to trigger a DoS condition.
Affected Versions
- The affected MX/Z series versions can be found in the Cisco advisory linked below.
- The Cisco ECE vulnerability affects all versions before version 12.6 ES 10.
Recommendations
- Upgrade to Meraki MX firmware version 18.107.12, 18.211.4, or 19.1.4.
- Upgrade to Cisco ECE version 12.6 ES 10.
More Reading / Information
- https://sec.cloudapps.cisco.com/security/center/publicationListing.x
- https://www.securityweek.com/vulnerabilities-expose-cisco-meraki-and-ece-products-to-dos-attacks/
Fortinet Patches Critical FortiSwitch Vulnerability
Fortinet released patches for ten new vulnerabilities, the most severe of which affects the FortiSwitch application. The vulnerability, CVE-2024-48887 (CVSS 9.3/10), allows a remote unauthenticated attacker to modify admin passwords. Fortinet stated that disabling HTTP/HTTPS access from the administrative interfaces and limiting the hosts that can connect to the system can help mitigate this vulnerability.
Affected Versions
- FortiSwitch versions 6.4 to 7.6.
Recommendations
- If using FortiSwitch 7.6 – Upgrade to 7.6.1 or above.
- If using FortiSwitch 7.4.0 through 7.4.4 – Upgrade to 7.4.5 or above.
- If using FortiSwitch 7.2.0 through 7.2.8 – Upgrade to 7.2.9 or above.
- If using FortiSwitch 7.0.0 through 7.0.10 – Upgrade to 7.0.11 or above.
- If using FortiSwitch 6.4.0 through 6.4.14 – Upgrade to 6.4.15 or above.
More Reading / Information
- https://www.fortiguard.com/psirt?filter=1&version=&date=2025
- https://www.securityweek.com/fortinet-patches-critical-fortiswitch-vulnerability/
Ivanti Patches New Vulnerabilities in Endpoint Manager
Ivanti released patches resolving six new vulnerabilities in its Endpoint Manager product. The most severe of these is CVE-2025-22466 (CVSS 8.2/10), which allows an unauthenticated attacker to execute XSS attacks to obtain admin privileges within the console. The remaining vulnerabilities can lead to privilege escalation, remote code execution, and denial of service.
Affected Versions
- Ivanti Endpoint Manager 2024, 2022 SU6, and previous.
Recommendations
- Upgrade to Ivanti Endpoint Manager 2024 SU1 or 2022 SU7.
More Reading / Information
- https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
- https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-ivanti-endpoint-manager-could-allow-for-remote-code-execution_2025-037
SAP Releases April Patch Cycle
SAP released its April patch bundle, and it included eighteen new vulnerabilities, three of which are critical severity, affecting many of its products. Two of the critical vulnerabilities, CVE-2025-27429 and CVE-2025-31330 (each CVSS 9.9/10), are exploitable via code injection within the S/4HANA (Private Cloud) and Landscape Transformation (Analysis Platform). The third critical, CVE-2025-30016 (CVSS 9.8/10), is an authentication bypass vulnerability in the Financial Consolidation application that can allow an unauthenticated attacker to impersonate an admin user.
Affected Versions
- A full list of affected versions can be found in the SAP security notes linked below.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://www.securityweek.com/sap-patches-critical-code-injection-vulnerabilities/
- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2025.html
Apache Parquet Vulnerable to Remote Code Execution
Apache Parquet is an open-source file format that enables efficient data storage and retrieval, and it is used by many analytics tools and programming languages. The vulnerability, CVE-2025-30065 (CVSS 10/10), is a deserialization-of-untrusted-data issue affecting the library’s parquet-avro module. It is triggered when a system reads a crafted Parquet file, resulting in remote code execution.
Affected Versions
- Apache Parquet Java through 1.15.0.
Recommendations
- Upgrade to Apache Parquet version 1.15.1.
More Reading / Information
- https://www.openwall.com/lists/oss-security/2025/04/01/1
- https://www.securityweek.com/critical-apache-parquet-vulnerability-leads-to-remote-code-execution/
Android Patches Exploited Vulnerabilities in April Patch Cycle
Google published the Android April Security Bulletin, which addresses over sixty vulnerabilities, two of which are under active exploitation. The vulnerabilities, CVE-2024-53150 and CVE-2024-53197, affect the USB-audio component of the Linux kernel. Fixes for these were previously issued in December, but that release may not have fully addressed them.
Affected Versions
- A full list of affected versions can be found in the Android bulletin linked below.
Recommendations
- Apply the latest patches.
More Reading / Information
- https://www.securityweek.com/android-update-patches-two-exploited-vulnerabilities/
- https://source.android.com/docs/security/bulletin/2025-04-01
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to “vendor-supported versions” only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, CyberMaxx strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
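The closing recommendation above (keep an inventory and check it against advisories) and the FortiSwitch version table in the Fortinet item are the kind of thing that is easy to automate. The following is an added example, not CyberMaxx or Fortinet code: it encodes the FortiSwitch fixed-version table for CVE-2024-48887 exactly as stated above and checks a constructed sample inventory against it. The hostnames, the version strings, and the assumption that inventory exports may decorate a version as "v7.4.3 build0500" are all made up for this example; only the major.minor.patch triple is used. Branches the advisory table does not mention (for example 6.2) are reported as "not_in_advisory" rather than guessed at, which is the case the closing paragraph's "vendor-supported versions only" point is about.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed-version table as stated in the advisory above:
# (first affected, last affected, first fixed) per FortiSwitch release branch.
FORTISWITCH_CVE_2024_48887 = [
    ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Pull major.minor.patch out of strings like '7.4.3' or 'v7.4.3 build0500'.
    The 'v'/'build' decoration is an assumption about how an inventory export
    might present the value; only the numeric triple matters."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Classify one installed version against the advisory table.
    Returns (status, upgrade_target); status is one of 'vulnerable',
    'patched', 'not_in_advisory' or 'unparseable'."""
    v = parse_version(version_text)
    if v is None:
        return ("unparseable", None)
    for first_bad, last_bad, first_fixed in FORTISWITCH_CVE_2024_48887:
        if v[:2] != first_bad[:2]:
            continue  # different release branch; keep looking
        if first_bad <= v <= last_bad:
            return ("vulnerable", ".".join(map(str, first_fixed)))
        return ("patched", None)  # same branch, at or past the fixed build
    # Branch not listed in the advisory (e.g. 6.2 or a future 8.x): say so
    # instead of guessing, so the host gets reviewed against vendor support.
    return ("not_in_advisory", None)


def check_inventory(inventory: Dict[str, str]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Run assess() over a hostname -> version map; return only hosts needing action."""
    findings = []
    for host, ver in sorted(inventory.items()):
        status, target = assess(ver)
        if status != "patched":
            findings.append((host, ver, status, target))
    return findings


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "sw-core-01": "v7.4.3 build0500",
    "sw-core-02": "7.4.5",
    "sw-edge-07": "7.0.10",
    "sw-lab-01": "6.2.7",
    "sw-edge-09": "7.6.0",
}

if __name__ == "__main__":
    for host, ver, status, target in check_inventory(SAMPLE_INVENTORY):
        action = f"upgrade to {target} or later" if target else "review: branch not covered by advisory table"
        print(f"{host:<12} {ver:<18} {status:<16} {action}")
```

Running the block as a script prints one line per host that still needs attention; hosts already at or past the fixed build are omitted. Extending it to the other products in this advisory means adding their own (first affected, last affected, first fixed) rows, which is exactly the data an inventory-driven patch program has to capture each cycle.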