Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws - Related to patch, firewall, zero-days,, an, january

Globe Life data breach may impact an additional 850,000 clients

Insurance giant Globe Life finished the investigation into the data breach it suffered last June and says that the incident may have impacted an additional 850,000 end-clients.

Globe Life was founded in 1900 and is one of the largest providers of life and health insurance plans in the United States. It has a market capitalization of $12 billion and a total revenue that exceeds $[website] billion.

On June 13, 2024, the corporation discovered during a security review of its networks that it had been compromised by hackers who had gained unauthorized access to one of its web portals.

Globe Life shared in October the first results of its investigation, which was assisted by external cybersecurity experts, pointing to a small-scale breach at its subsidiary, American Income Life Insurance organization. The assessment at the time was that the incident affected approximately 5,000 individuals.

The organization has shared the latest results of the investigation into the data breach in a new filing with the [website] Securities and Exchange Commission (SEC), and says that the threat actor accessed specific databases maintained by a few independent agency owners that held personal data of about 850,000 people.

Although Global Life could not confirm if the information stolen by the threat actor extends beyond the nearly 5,000 individuals already identified, the firm decided to exercise caution and notify the rest of the potentially impacted consumers, as well as provide credit and monitoring services.

The potentially exposed information varies per individual and may include:

Following the incident, the hacker contacted the firm in an extortion attempt. However, Global Life says that it declined to pay a ransom to the attacker. The breach did not involve data encryption, nor did it impact the operation of IT systems.

Globe Life states that, at this time, it does not believe the security incident will have a material impact on its business, while costs, expenses, and losses stemming from it will be claimed by its insurers.

Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them t......

In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly ......

Social engineering has long been an effective tactic because of how it focuses on human vulnerabilities. There's no brute-force 'spray and pray' passw......

Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws

Today is Microsoft's February 2025 Patch Tuesday, which includes security updates for 55 flaws, including four zero-day vulnerabilities, with two actively exploited in attacks.

This Patch Tuesday also fixes three "Critical" vulnerabilities, all remote code execution vulnerabilities.

The number of bugs in each vulnerability category is listed below:

19 Elevation of Privilege Vulnerabilities.

2 Security Feature Bypass Vulnerabilities.

22 Remote Code Execution Vulnerabilities.

1 Information Disclosure Vulnerabilities.

The above numbers do not include a critical Microsoft Dynamics 365 Sales elevation of privileges flaw and 10 Microsoft Edge vulnerabilities fixed on February 6.

To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5051987 & KB5051989 cumulative updates and the Windows 10 KB5051974 update.

Two actively exploited zero-day disclosed.

This month's Patch Tuesday fixes two actively exploited and two publicly exposed zero-day vulnerabilities.

Microsoft classifies a zero-day flaw as one that is publicly disclosed or actively exploited while no official fix is available.

The actively exploited zero-day vulnerability in today's updates are:

CVE-2025-21391 - Windows Storage Elevation of Privilege Vulnerability.

Microsoft has fixed an actively exploited elevation of privileges vulnerability that can be used to delete files.

"An attacker would only be able to delete targeted files on a system," reads Microsoft's advisory.

"This vulnerability does not allow disclosure of any confidential information, but could allow an attacker to delete data that could include data that results in the service being unavailable," continued Microsoft.

No information has been released about how this flaw was exploited in attacks and who disclosed it.

CVE-2025-21418 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.

The second actively exploited vulnerability allows threat actors to gain SYSTEM privileges in Windows.

It is unknown how it was used in attacks, and Microsoft says this flaw was disclosed anonymously.

CVE-2025-21194 - Microsoft Surface Security Feature Bypass Vulnerability.

Microsoft says that this flaw is a hypervisor vulnerability that allows attacks to bypass UEFI and compromise the secure kernel.

"This Hypervisor vulnerability relates to Virtual Machines within a Unified Extensible Firmware Interface (UEFI) host machine," explains Microsoft's advisory.

"On some specific hardware it might be possible to bypass the UEFI, which could lead to the compromise of the hypervisor and the secure kernel."

Microsoft says that Francisco Falcón and Iván Arce of Quarkslab discovered the vulnerability.

While Microsoft did not share many details about the flaw, it is likely connected to the PixieFail flaws disclosed by the researchers last month.

PixieFail is a set of nine vulnerabilities that impact the IPv6 network protocol stack of Tianocore's EDK II, which is used by Microsoft Surface and the corporation's hypervisor products.

CVE-2025-21377 - NTLM Hash Disclosure Spoofing Vulnerability.

Microsoft fixed a publicly disclosed bug that exposes a Window user's NTLM hashes, allowing a remote attacker to potentially log in as the user.

While Microsoft has not shared many details about the flaw, it likely acts like other NTLM hash disclosure flaws, where simply interacting with a file rather than opening it could cause Windows to remotely connect to a remote share. When doing so, an NTLM negotiation passes the user's NTLM hash to the remote server, which the attacker can collect.

These NTLM hashes can then be cracked to get the plain-text password or used in pass-the-hash attacks.

Microsoft says this flaw was discovered by Owen Cheung, Ivan Sheung, and Vincent Yau with Cathay Pacific, Yorick Koster of Securify [website], and Blaz Satler with 0patch by ACROS Security.

Other vendors who released updates or advisories in February 2025 include:

The February 2025 Patch Tuesday Security Updates.

Below is the complete list of resolved vulnerabilities in the February 2025 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full study here.

CISOs are finding themselves more involved in AI teams, often leading the cross-functional effort and AI strategy. But there aren't many resources to ......

Microsofts Cloud-basierter Identitäts- und Zugriffsverwaltungsdienst Entra ID ist als zentraler Bestandteil vieler Unternehmensnetzwerke ein beliebtes......

Derzeit haben unbekannte Angreifer verschiedene Windows- und Windows-Server-Versionen im Visier. Admins sollten sicherstellen, dass Windows modification akt......

Fortinet discloses second firewall auth bypass patched in January

upgrade 2/11/25 07:32 PM ET: After publishing our story, Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January.

Furthermore, even though today's updated advisory indicates that both flaws were exploited in attacks and even includes a workaround for the new CSF proxy requests exploitation pathway, Fortinet says that only CVE-2024-55591 was exploited.

Fortinet told BleepingComputer that if a customer previously upgraded based on the guidance in FG-IR-24-535 / CVE-2024-55591, then they are already protected against the newly disclosed vulnerability.

The title of our story has been updated to reflect this new information, and our original article is below.

Fortinet warned today that attackers are exploiting another now-patched zero-day bug in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks.

Successful exploitation of this authentication bypass vulnerability (CVE-2025-24472) allows remote attackers to gain super-admin privileges by making maliciously crafted CSF proxy requests.

The security flaw impacts FortiOS [website] through [website], FortiProxy [website] through [website], and FortiProxy [website] through [website] Fortinet fixed it in FortiOS [website] or above and FortiProxy [website] or above.

Fortinet added the bug as a new CVE-ID to a security advisory issued last month cautioning end-consumers that threat actors were exploiting a zero-day vulnerability in FortiOS and FortiProxy (tracked as CVE-2024-55591), which affected the same software versions. However, the now-fixed CVE-2024-55591 flaw could be exploited by sending malicious requests to the [website] websocket module.

, attackers exploit the two vulnerabilities to generate random admin or local clients on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts "to gain a tunnel to the internal network.network."

While Fortinet didn't provide additional information on the campaign, cybersecurity firm Arctic Wolf released a analysis with matching indicators of compromise (IOCs), saying vulnerable Fortinet FortiGate firewalls with Internet-exposed management interfaces have been under attack since at least mid-November.

"The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes," Arctic Wolf Labs stated.

"While the initial access vector is not definitively confirmed, a zero-day vulnerability is highly probable. Organizations should urgently disable firewall management access on public interfaces as soon as possible."

Arctic Wolf Labs also provided this timeline for CVE-2024-55591 mass-exploitation attacks, saying it includes four unique phases:

Vulnerability scanning (November 16, 2024 to November 23, 2024) Reconnaissance (November 22, 2024 to November 27, 2024) SSL VPN configuration (December 4, 2024 to December 7, 2024) Lateral Movement (December 16, 2024 to December 27, 2024).

"Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board," it added.

Arctic Wolf Labs added that it notified Fortinet about the attacks on December 12 and received confirmation from the business's Product Security Incident Response Team (PSIRT) five days later that the activity was known and already under investigation.

Fortinet advised admins who can't immediately deploy the security updates to secure vulnerable firewalls to disable the HTTP/HTTPS administrative interface or limit the IP addresses that can reach it via local-in policies as a workaround.

BleepingComputer reached out to a Fortinet spokesperson for comment but did not hear back by time of publication.

Aktuell mehren sich Berichte von Bahnfahrern, die bei der Kontrolle ihres Deutschlandtickets als Schwarzfahrer aus dem Verkehr gezogen werden – obwohl......

Microsoft has released Windows 11 KB5051987 and KB5051989 cumulative updates for versions 24H2 and 23H2 to fix security vulnerabilities and issues.

Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address mu......