Microsoft Addresses Two Zero-Day Vulnerabilities in February Update


Also: Google Addresses YouTube Vulnerabilities That Could Have Compromised User Emails

Breach Roundup: Microsoft Patches Two Zero-Days in February

ISMG publishes a weekly summary of significant cybersecurity incidents globally. This week’s highlights include crucial updates from Microsoft, Ivanti, and Google to address critical vulnerabilities. Additionally, Lee Enterprises has confirmed that a recent cyberattack disrupted its newspaper operations, while thousands of KerioControl firewalls remain at risk due to a severe vulnerability.


Microsoft Addresses Two Active Zero-Day Vulnerabilities

In its February Patch Tuesday update, Microsoft resolved 73 security weaknesses across its software range, including two zero-day vulnerabilities that are being actively exploited. The reports of in-the-wild exploitation make prompt remediation all the more urgent.

One vulnerability, tracked as CVE-2025-21402, allows privilege escalation within Windows, enabling malicious actors to acquire elevated permissions on affected systems. Microsoft rates this flaw ‘important’ and has confirmed that it is being exploited in active attacks.

The second vulnerability, tracked as CVE-2025-21399, permits a bypass of security features in Microsoft Office. The issue may allow attackers to circumvent established macro protections, facilitating malware delivery through specially crafted documents.

Beyond these two actively exploited zero-days, the update mitigated 15 critical vulnerabilities that present remote code execution risks across Windows, Exchange Server, and Azure, and which warrant immediate attention from IT administrators.

Ivanti Issues Patches for Critical Vulnerabilities in Secure Access Solutions

Ivanti has released security updates for its Connect Secure, Policy Secure, and Secure Access Client products, addressing several vulnerabilities, including three deemed critical. The issues were reported through responsible disclosure channels involving CISA, Akamai, and the HackerOne bug bounty program.

Although Ivanti states that it has not detected active exploitation of these vulnerabilities, it strongly advises users to apply the patches without delay. The most severe vulnerability, CVE-2025-22467, is a stack-based buffer overflow that allows a remote attacker with limited privileges to achieve code execution. The other two critical flaws involve potential code injection and external control of file names; while both require authentication, they could be exploited by attackers using compromised credentials.

The update also addresses five additional vulnerabilities of varying severity, including cross-site scripting and hard-coded encryption keys, so users should apply it to maintain the overall security of these products.

Google Secures YouTube from Potential Email Exposure Risks

Google has addressed two interlinked vulnerabilities that posed serious privacy risks by potentially exposing YouTube users’ email addresses. Security researchers Brutecat and Nathan uncovered the leaks, which stemmed from the YouTube API erroneously revealing users’ internal Google Gaia IDs, sensitive identifiers tied to Google accounts.

The issue arose from YouTube’s live chat feature, which unintentionally disclosed these IDs, allowing the researchers to convert them into the associated email addresses through an outdated Pixel Recorder API. Google was alerted to the problem in September 2024 and implemented fixes by February 9, after initially misclassifying the report as a duplicate.

The vulnerabilities have been confirmed as mitigated, and Google states there is no evidence of actual exploitation. The fixes further restrict Gaia ID exposure and limit the YouTube access points involved, reducing the risk to user anonymity.

Lee Enterprises Acknowledges Cyberattack Disruption to Operations

Lee Enterprises, a major U.S. newspaper publisher, disclosed that a cyberattack on February 3 resulted in significant operational disruptions. The attack led to multiple internal network failures, affecting the printing and distribution of various newspapers while also disrupting remote access for employees.

As a result of the incident, several publications displayed maintenance notices indicating interruptions to subscription services and electronic editions. The attack serves as a reminder to firms in all sectors to continuously monitor their cybersecurity posture and ensure that robust recovery procedures are in place.

Critical RCE Vulnerability Exposes Thousands of KerioControl Firewalls

Over 12,000 GFI KerioControl firewalls remain vulnerable to a critical remote code execution flaw, CVE-2024-52875, despite a patch having been issued in December 2024. The flaw allows malicious code execution with minimal effort, posing severe risks to the small and medium-sized enterprises that depend on KerioControl for network security and intrusion prevention.

The vulnerability enables straightforward RCE attacks through improper input handling in HTTP headers. Following its discovery, GFI Software addressed the issue in version 9.4.5 Patch 1; however, as of early January, reports indicated that around 24,000 instances remained vulnerable. Current Shadowserver data identifies 12,229 exposed firewalls, predominantly located in the U.S., Iran, Italy, Germany, and India.

Network administrators are strongly encouraged to apply the latest patch, KerioControl version 9.4.5 Patch 2, released on January 31, 2025, and to put additional security measures in place to safeguard their systems.
