Fixes That Lets: Latest Updates and Analysis

AMD fixes bug that lets hackers load malicious microcode patches

​AMD has released mitigation and firmware updates to address a high-severity vulnerability that can be exploited to load malicious CPU microcode on unpatched devices.

The security flaw (CVE-2024-56161) is caused by an improper signature verification weakness in AMD's CPU ROM microcode patch loader.

Attackers with local administrator privileges can exploit this weakness, resulting in the loss of confidentiality and integrity of a confidential guest running under AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP).

's development resources, SEV isolates guests and the hypervisor from one another, and SEV-SNP adds memory integrity protection that creates an isolated execution environment by helping prevent malicious hypervisor-based attacks ([website], data replay, memory re-mapping, and more).

AMD now provides mitigation requiring a microcode revision on all affected platforms to block malicious microcode execution.

Some platforms also require a SEV firmware enhancement for SEV-SNP attestation, with individuals having to enhancement the system BIOS and reboot to enable attestation of the mitigation.

To confirm that the mitigation has been correctly installed, check whether the microcode version(s) matches the one(s) listed in the table below.

Code Name Family CPUID Naples AMD EPYC 7001 Series 0x00800F12 Rome AMD EPYC 7002 Series 0x00830F10 Milan AMD EPYC 7003 Series 0x00A00F11 Milan-X AMD EPYC 7003 Series 0x00A00F12 Genoa AMD EPYC 9004 Series 0x00A10F11 Genoa-X AMD EPYC 9004 Series 0x00A10F12 Bergamo/Siena AMD EPYC 9004 Series 0x00AA0F02.

"We have demonstrated the ability to craft arbitrary malicious microcode patches on Zen 1 through Zen 4 CPUs. The vulnerability is that the CPU uses an insecure hash function in the signature validation for microcode updates," the Google Security Team noted.

"This vulnerability could be used by an adversary to compromise confidential computing workloads protected by the newest version of AMD Secure Encrypted Virtualization, SEV-SNP or to compromise Dynamic Root of Trust Measurement."

Google security researchers, credited with finding and reporting this flaw to AMD, have also shared a proof-of-concept (PoC) exploit (tested on AMD EPYC and AMD Ryzen 9 CPUs) that displays how attackers can create arbitrary microcode patches.

Their PoC exploit makes the RDRAND instruction on vulnerable AMD Zen processors always return 4, which also sets the carry flag (CF) to 0. This indicates that the return value is invalid and ensures the exploit can't be used "to compromise correctly functioning confidential computing workloads."

This week, AMD has also received a research from Li-Chung Chiang at NTU (National Taiwan University) detailing cache-based side-channel attacks against Secure Encrypted Virtualization (SEV) that impact data center (1st Gen to 4th Gen AMD EPYC) and embedded (AMD EPYC 3000/7002/7003/9004) processors.

AMD advised developers to follow best practices for prime and probe attacks ([website], constant-time algorithms), avoid secret-dependent data whenever possible, and follow the guidance regarding Spectre-type attacks.

Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments.

The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access inf......

CISA warned [website] federal agencies on Thursday to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execu......

Critical Cisco ISE bug can let attackers run commands as root

Cisco has released patches to fix two critical vulnerabilities in its Identity Services Engine (ISE) security policy management platform.

Enterprise administrators use Cisco ISE as an identity and access management (IAM) solution that combines authentication, authorization, and accounting into a single appliance.

The two security flaws (CVE-2025-20124 and CVE-2025-20125) can be exploited by authenticated remote attackers with read-only admin privileges to execute arbitrary commands as root and bypass authorization on unpatched devices.

These vulnerabilities impact Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) appliances, regardless of device configuration.

"This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software," Cisco noted, describing the CVE-2025-20124 bug tagged with a [website] severity rating.

"An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges."

CVE-2025-20125 is caused by a lack of authorization in a specific API and improper validation of user-supplied data, which can be exploited using maliciously crafted HTTP requests to obtain information, modify a vulnerable system's configuration, and reload the device.

Admins are advised to migrate or upgrade their Cisco ISE appliances to one of the fixed releases listed in the table below as soon as possible.

Cisco ISE Software Releases First Fixed Release [website] Migrate to a fixed release. [website] [website] [website] [website] [website] [website] [website] Not vulnerable.

Cisco's Product Security Incident Response Team (PSIRT) has yet to discover evidence of publicly available exploit code or that the two critical security flaws () have been abused in attacks.

On Wednesday, the corporation also warned of high-severity vulnerabilities impacting its IOS, IOS XE, IOS XR (CVE-2025-20169, CVE-2025-20170, CVE-2025-20171) and NX-OS (CVE-2024-20397) software that can let attackers trigger denial of service (DoS) conditions or bypass NX-OS image signature verification.

Cisco has yet to patch the DoS vulnerabilities impacting IOS, IOS XE, and IOS XR software with the SNMP feature enabled. However, it introduced they're not exploited in the wild and provided mitigation measures requiring admins to disable vulnerable object identifiers (OIDs) on vulnerable devices (although this could negatively impact network functionality or performance).

The corporation plans to roll out software updates to address the SNMP DoS security bugs in February and March.

In September, Cisco fixed another Identity Services Engine vulnerability (with public exploit code) that lets threat actors escalate privileges to root on vulnerable appliances.

Two months later, it also patched a maximum severity vulnerability that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points.

A help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal crede......

British-based engineering firm IMI plc has disclosed a security breach after unknown attackers hacked into the firm's systems.

A new malware campaign dubbed SparkCat has leveraged a suit of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemoni......

CISA orders agencies to patch Linux kernel bug exploited in attacks

​CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.

Tracked as CVE-2024-53104, the security bug was first introduced in kernel version [website] and was patched by Google for Android people on Monday.

"There are indications that CVE-2024-53104 may be under limited, targeted exploitation," the Android February 2025 Android security updates warn.

's security advisory, this vulnerability is caused by an out-of-bounds write weakness in the USB Video Class (UVC) driver, which allows "physical escalation of privilege with no additional execution privileges needed" on unpatched devices.

The driver's inability to accurately parse UVC_VS_UNDEFINED frames within the uvc_parse_format function triggers the issue, leading to frame buffer size miscalculations and potential out-of-bounds writes.

While Google didn't provide additional information on the zero-day attacks exploiting this vulnerability, the GrapheneOS development team says this USB peripheral driver vulnerability is "likely one of the USB bugs exploited by forensic data extraction tools."

​As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, [website] federal agencies must secure their networks against ongoing attacks targeting flaws added to CISA's Known Exploited Vulnerabilities catalog.

The cybersecurity agency has given Federal Civilian Executive Branch (FCEB) agencies three weeks to patch their Linux and Android devices by February 26.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned today.

On Tuesday, CISA also tagged high-severity and critical vulnerabilities in Microsoft .NET Framework and Apache OFBiz (Open For Business) software as actively exploited in the wild. However, it didn't provide details on who was behind the attacks.

With Five Eyes cybersecurity agencies in the UK, Australia, Canada, New Zealand, and the [website], it also shared security guidance for network edge devices, urging manufacturers to improve forensic visibility to help defenders detect attacks and investigate breaches.

Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. in recent times, UnitedH......

The North Korean hacking group known as Kimsuky was observed in recent attacks using a custom-built RDP Wrapper and proxy tools to directly access inf......

An ongoing distributed denial of service (DDoS) attack targets Bohemia Interactive's infrastructure, preventing players of DayZ and Arma Reforger from......