Here are the CVE updates for the week of March 3rd through the 9th.
CRITICAL SEVERITY VULNERABILITIES
Progress WhatsUp Gold Path Traversal Vulnerability | CVE-2024-4885 (CISA KEV)
Description: A critical unauthenticated remote code execution vulnerability has been identified in Progress WhatsUp Gold versions released before 2023.1.3. The vulnerability resides in the WhatsUp.ExportUtilities.Export.GetFileWithoutZip method, which does not properly validate user inputs. This improper validation allows a remote attacker to execute arbitrary system commands on the underlying operating system with the privileges of the iisapppool\nmconsole user. Exploitation of this vulnerability does not require authentication, making it especially dangerous for exposed instances.
Potential Impacts:
- Full System Compromise: Successful exploitation could allow attackers to run arbitrary commands, potentially leading to complete control over the affected system.
- Data Theft or Manipulation: Attackers could access, modify, or exfiltrate sensitive data stored on the server.
- Service Disruption: Malicious commands could stop essential services, causing downtime.
- Lateral Movement: Compromised servers may be leveraged to pivot deeper into the internal network.
Mitigation Recommendations:
- Update WhatsUp Gold: Immediately upgrade to version 2023.1.3 or later, where this vulnerability has been resolved.
- Restrict Access: Limit network access to the WhatsUp Gold interface to only trusted internal hosts or networks.
- Monitor for Suspicious Activity: Review logs for unexpected or unauthorized activity, particularly targeting the vulnerable export functions.
- Apply Web Application Firewall (WAF) Protections: Use a WAF to block known malicious patterns targeting this vulnerability.
- Principle of Least Privilege: Ensure that the application pool and related services run with the minimal required permissions to limit the impact of any compromise.
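The "Restrict Access" and "Monitor for Suspicious Activity" items above can be turned into a concrete log review. The following Python script is an added example, not code from Progress or from this bulletin: it parses IIS W3C-extended log lines, flags any request to the WhatsUp Gold interface that did not come from a trusted internal network, and separately flags requests touching export functionality that came from an untrusted source or ended in a server error. The log lines, the paths under /whatsupgold/, the 10.20.0.0/16 allowlist and the "export" path fragment are all constructed placeholders; substitute your own log export, management subnet and the actual export endpoints of your deployment.

```python
"""Review IIS W3C logs for WhatsUp Gold interface access outside the trusted
network and for export-endpoint activity worth a closer look.

Added example; the allowlist, the paths and the log content are constructed.
"""
import ipaddress
import re

# Constructed allowlist: the management networks allowed to reach the interface.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Placeholder: match request paths that reach export functionality. Replace with
# the real endpoint paths of your installation; "export" is only illustrative.
EXPORT_PATTERN = re.compile(r"export", re.IGNORECASE)

# Constructed sample log in IIS W3C extended format (not a real server log).
SAMPLE_LOG = """\
#Software: constructed sample, not a real server log
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-03-04 09:12:01 10.20.1.15 GET /whatsupgold/ 200
2025-03-04 09:12:07 10.20.1.15 POST /whatsupgold/export 200
2025-03-04 09:15:44 203.0.113.77 GET /whatsupgold/ 200
2025-03-04 09:15:49 203.0.113.77 POST /whatsupgold/export 500
2025-03-04 09:16:02 10.20.1.30 GET /whatsupgold/dashboard 200
2025-03-04 09:17:30 10.20.1.30 POST /whatsupgold/export 500
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines carry no request
        if fields is None:
            raise ValueError("data line encountered before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the review
        records.append(dict(zip(fields, values)))
    return records


def is_trusted(ip_text, networks):
    """True only when the client address parses and lies inside an allowed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client address is never treated as trusted
    return any(ip in net for net in networks)


def review(records, networks=TRUSTED_NETWORKS, export_re=EXPORT_PATTERN):
    """Return one finding per record that violates the access expectations."""
    findings = []
    for rec in records:
        reasons = []
        trusted = is_trusted(rec["c-ip"], networks)
        hits_export = bool(export_re.search(rec["cs-uri-stem"]))
        if not trusted:
            reasons.append("untrusted-source")
        if hits_export and not trusted:
            reasons.append("export-from-untrusted")
        if hits_export and rec["sc-status"].startswith("5"):
            reasons.append("export-error")  # server errors on export deserve a look
        if reasons:
            findings.append(
                {"c-ip": rec["c-ip"], "cs-uri-stem": rec["cs-uri-stem"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in review(parse_w3c(SAMPLE_LOG)):
        print(finding["c-ip"], finding["cs-uri-stem"], ",".join(finding["reasons"]))
```

The `#Fields:` directive is read rather than assumed, so the same parser works when a server logs a different column set; only `c-ip`, `cs-uri-stem` and `sc-status` must be present. Against the constructed sample, the two requests from 203.0.113.77 and the failed export from 10.20.1.30 are reported.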
Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability | CVE-2022-43939 (CISA KEV)
Description: A security restriction bypass vulnerability has been discovered in Hitachi Vantara Pentaho Business Analytics Server in versions prior to 9.4.0.1 and 9.3.0.2, including all 8.3.x releases. This vulnerability arises from improper handling of non-canonical URLs, allowing attackers to craft specially formatted URL requests that evade existing security restrictions. By manipulating the URL structure, an attacker could gain unauthorized access to protected resources or functionalities within the application that would otherwise require proper authentication or authorization.
Potential Impacts:
- Unauthorized Access: Attackers may bypass authentication controls to access restricted areas or sensitive information.
- Data Exposure: Sensitive reports, dashboards, or internal data could be viewed or downloaded without authorization.
- Application Misuse: Unauthorized users may interact with or manipulate features intended for privileged users.
- Compliance Risks: Exposure of protected data could lead to violations of data protection regulations.
Mitigation Recommendations:
- Update Pentaho: Apply updates to version 9.4.0.1, 9.3.0.2, or later, where this vulnerability has been addressed.
- Enforce URL Validation: Implement strict validation and normalization of all incoming URLs to prevent bypass techniques.
- Access Control Review: Regularly audit and test authentication mechanisms to ensure robust protection against unauthorized access.
- Monitor Access Logs: Continuously monitor logs for irregular URL patterns and unauthorized resource requests.
- Deploy Web Application Firewall (WAF): Utilize a WAF to detect and block suspicious URL requests and potential bypass attempts.
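The "Enforce URL Validation" item above is the general defence against the class of bug described for Pentaho: an authorization check that compares the raw request target as received can be sidestepped by a non-canonical spelling of the same path. The Python below is an added example, not Pentaho code and not a description of Pentaho's routes: it shows the flawed pattern (prefix-matching the raw target) next to a hardened form that first reduces the path to one canonical spelling (bounded percent-decoding, NUL rejection, backslash and duplicate-slash normalisation, dot-segment resolution) and only then consults the protected-prefix list. The prefixes `/admin/` and `/api/internal/` are constructed placeholders.

```python
"""Canonicalize a request path before applying an authorization rule.

Added example with constructed protected prefixes; not the Pentaho implementation.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed: path prefixes that require an administrative caller.
PROTECTED_PREFIXES = ("/admin/", "/api/internal/")

# How many rounds of percent-decoding are tolerated before the request is refused.
MAX_DECODE_ROUNDS = 3


def naive_is_protected(raw_target):
    """The flawed pattern: compare the request target exactly as received."""
    return raw_target.startswith(PROTECTED_PREFIXES)


def canonicalize_path(raw_target, case_insensitive=False):
    """Return the single canonical spelling of the path part of a request target.

    Raises ValueError for requests that should be rejected outright (NUL bytes,
    percent-encoding nested deeper than MAX_DECODE_ROUNDS).
    """
    # Keep only the path: query string and fragment play no part in routing here.
    path = raw_target.split("?", 1)[0].split("#", 1)[0]

    # Decode percent-encoding until it stops changing; refuse deeper nesting.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("percent-encoding nested deeper than allowed")

    if "\x00" in path:
        raise ValueError("NUL byte in path")

    path = path.replace("\\", "/")       # treat backslashes as separators
    path = re.sub(r"/+", "/", path)      # collapse duplicate separators
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)      # resolve "." and ".." segments
    if case_insensitive:
        path = path.lower()              # only if the backend routes case-insensitively
    return path


def is_protected(canonical_path, prefixes=PROTECTED_PREFIXES):
    """Prefix check on an already canonical path; "/admin" matches "/admin/"."""
    for prefix in prefixes:
        if canonical_path == prefix.rstrip("/") or canonical_path.startswith(prefix):
            return True
    return False


def authorize(raw_target, caller_is_admin):
    """Decision for one request: canonicalize first, then apply the rule."""
    try:
        canonical = canonicalize_path(raw_target)
    except ValueError:
        return "deny"  # malformed targets are refused rather than guessed at
    if is_protected(canonical) and not caller_is_admin:
        return "deny"
    return "allow"


if __name__ == "__main__":
    for target in ("/admin/users", "/public/%2e%2e/admin/users", "/%252e%252e/admin"):
        print(target, "naive:", naive_is_protected(target), "hardened:", authorize(target, False))
```

Note that `posixpath.normpath` strips a trailing slash, which is why `is_protected` also accepts the prefix without it; and the decoding loop deliberately refuses rather than keeps decoding once the bound is reached, since a legitimate client has no reason to send a triply encoded path.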
VMware ESXi and Workstation TOCTOU Race Condition Vulnerability | CVE-2025-22224 (CISA KEV)
Description: VMware ESXi and Workstation are affected by a Time-of-Check Time-of-Use (TOCTOU) vulnerability that can result in an out-of-bounds write. An attacker with local administrative privileges on a virtual machine can exploit this flaw to execute arbitrary code as the VMX process on the host system, potentially leading to host-level compromise.
Potential Impacts:
- Full Host Compromise: Attackers may execute arbitrary code with the same privileges as the VMX process on the host.
- Privilege Escalation: Malicious actors can escalate their privileges from the guest virtual machine to the hypervisor level.
- Service Disruption: Exploitation may interrupt services across the host system and its running virtual machines.
- Cross-VM Attacks: Unauthorized control over other virtual machines operating on the same host.
Mitigation Recommendations:
- Apply Security Updates: Upgrade to the latest patched versions of VMware ESXi and Workstation as provided by VMware.
- Restrict Privileges: Limit administrative rights within guest virtual machines to trusted personnel only.
- Monitor System Activity: Regularly review logs from both host and guest systems to detect unusual behavior.
- Isolate Critical Workloads: Run sensitive virtual machines on dedicated hosts to reduce cross-VM attack risk.
- Network Segmentation: Restrict access to management interfaces through proper segmentation and firewall policies.
HIGH SEVERITY VULNERABILITIES
Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability | CVE-2018-8639 (CISA KEV): An elevation of privilege vulnerability exists in Microsoft Windows due to improper handling of objects in memory by the Win32k component. When exploited, an attacker who successfully leverages this vulnerability can execute code with elevated privileges. This flaw allows local attackers to run arbitrary code in kernel mode, enabling them to install programs, view or change data, or create new accounts with full user rights. The vulnerability affects multiple Windows versions, including Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. This vulnerability is distinct from CVE-2018-8641, although both impact the Win32k component.
Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability | CVE-2022-43769 (CISA KEV): A template injection vulnerability has been identified in Hitachi Vantara Pentaho Business Analytics Server in versions prior to 9.4.0.1 and 9.3.0.2, including all 8.3.x releases. The vulnerability exists because certain web services within the application allow setting property values that include Spring templates. These templates are later processed and interpreted downstream, potentially allowing attackers to inject malicious expressions. If successfully exploited, this flaw can enable remote attackers to execute arbitrary code or manipulate the application’s behavior through crafted input.
Cisco Small Business RV Series Routers Command Injection Vulnerability | CVE-2023-20118 (CISA KEV): A vulnerability in the web-based management interface of Cisco Small Business Routers (RV016, RV042, RV042G, RV082, RV320, and RV325) allows an authenticated remote attacker with valid administrative credentials to execute arbitrary commands on the device. This occurs due to improper validation of user input in HTTP requests. Exploitation can lead to root-level privileges and unauthorized data access. Cisco has confirmed no software updates will be released to address this vulnerability.
VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability | CVE-2025-22226 (CISA KEV): An information disclosure vulnerability exists in VMware ESXi, Workstation, and Fusion due to an out-of-bounds read in the HGFS (Host Guest File System) component. A malicious actor with administrative privileges on a virtual machine can exploit this flaw to leak memory contents from the vmx process, potentially exposing sensitive data from the host environment.
VMware ESXi Arbitrary Write Vulnerability | CVE-2025-22225 (CISA KEV): A sandbox escape vulnerability has been identified in VMware ESXi due to an arbitrary kernel write issue. An attacker with privileges inside the vmx process can exploit this flaw to perform unauthorized writes to the ESXi kernel, potentially leading to full sandbox escape and control over the host system.
Memory Corruption Vulnerability in Firefox and Thunderbird | CVE-2025-1943: Multiple memory safety bugs have been identified in Firefox 135 and Thunderbird 135, with some exhibiting signs of memory corruption. Given sufficient effort, these vulnerabilities could potentially be exploited to execute arbitrary code on affected systems. Users running Firefox versions prior to 136 and Thunderbird versions prior to 136 are at risk.
Authorization Bypass Vulnerability in ServiceNow Now Platform | CVE-2025-0337: An authorization bypass vulnerability has been identified in the Washington release of the ServiceNow Now Platform. If exploited, an authenticated user could gain unauthorized access to restricted data within the platform, potentially exposing sensitive information. ServiceNow has released patches and updated family releases to address this issue for both hosted and self-hosted customers, as well as partners.
MEDIUM SEVERITY VULNERABILITIES
Linux Kernel Use of Uninitialized Resource Vulnerability | CVE-2024-50302 (CISA KEV): A vulnerability in the Linux kernel’s HID core has been identified, where the report buffer was not properly initialized upon allocation. This flaw could allow an attacker to leak uninitialized kernel memory using specially crafted reports, leading to potential information disclosure. The vulnerability has been addressed by ensuring the report buffer is zero-initialized during allocation, preventing unintended exposure of sensitive memory data.
Privilege Escalation Vulnerability in KioWare for Windows | CVE-2022-44875: A security vulnerability in KioWare through version 8.33 on Windows allows attackers to escalate privileges to SYSTEM level. This issue arises from KioScriptingUrlACL.AclActions.AllowHigh being set for the about:blank origin, enabling attackers to execute privileged system commands via KioUtils.Execute in JavaScript.
Path Traversal Vulnerability in ESRI ArcGIS Server | CVE-2024-51966: A path traversal vulnerability exists in ESRI ArcGIS Server versions 10.9.1 through 11.3. A remote authenticated attacker with administrative privileges may exploit this flaw to traverse the file system and access files outside the intended directory. While this vulnerability does not impact data integrity or system availability, it poses a significant risk to confidentiality by exposing sensitive files.