SANS Stormcast Wednesday, May 14th: Microsoft Patch Tuesday; 0-Days patched for Ivanti Endpoint Manager and Fortinet Products
If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9450.mp3

Microsoft Patch Tuesday
Microsoft patched 70-78 vulnerabilities (depending on how you count them). Five of these vulnerabilities are already being exploited. In particular, a remote code execution vulnerability in the scripting engine should be taken seriously. It requires the Microsoft Edge browser to run in Internet Explorer mode.
https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%3A%20May%202025/31946
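Because the scripting engine vulnerability only matters when Edge runs in Internet Explorer mode, the practical check is whether IE mode is enabled by policy on a host. The following PowerShell audit is an added example, not code from the ISC diary or from Microsoft; it assumes Microsoft's documented Edge policy names InternetExplorerIntegrationLevel (0 = None, 1 = IEMode, 2 = NeedIE) and InternetExplorerIntegrationSiteList under the usual Policies\Microsoft\Edge registry keys.

```powershell
# Added example: report whether Microsoft Edge IE mode is enabled by policy.
# Assumption: policy values live under the Edge policy keys below
# (InternetExplorerIntegrationLevel and InternetExplorerIntegrationSiteList).

$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',   # machine-wide policy (GPO/Intune)
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge'    # per-user policy
)
$levelNames = @{ 0 = 'None'; 1 = 'IEMode'; 2 = 'NeedIE' }

function Get-EdgeIeModeStatus {
    # Returns one object per scope where an IE mode integration level is set.
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $level = $props.InternetExplorerIntegrationLevel
        if ($null -eq $level) { continue }
        $meaning = 'Unknown'
        if ($levelNames.ContainsKey([int]$level)) { $meaning = $levelNames[[int]$level] }
        [pscustomobject]@{
            Scope    = $path
            Level    = [int]$level
            Meaning  = $meaning
            SiteList = $props.InternetExplorerIntegrationSiteList   # URL/path of the IE mode site list, if any
        }
    }
}

$status = @(Get-EdgeIeModeStatus)
if ($status.Count -eq 0) {
    Write-Output 'No IE mode policy found: Edge IE mode is not enabled by policy on this host.'
} else {
    $status | Format-Table -AutoSize
    $enabled = $status | Where-Object { $_.Level -ne 0 }
    if ($enabled) {
        # Hosts with IE mode on are the ones where the scripting engine patch is urgent.
        Write-Warning 'IE mode is enabled by policy; review the site list and confirm the May 2025 scripting engine update is installed.'
    }
}
```

Running this across a fleet (for example via a management tool's script runner) gives the list of hosts on which the IE mode scripting engine is actually reachable and the patch should be prioritized.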
Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)
Ivanti patched an authentication bypass vulnerability and a remote code execution vulnerability. Chained with the authentication bypass, the remote code execution vulnerability can be exploited without authenticating first.
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
Fortinet Patches Exploited Vulnerability in API (CVE-2025-32756)
Fortinet patched an already exploited stack-based buffer overflow vulnerability in the API of multiple Fortinet products. The vulnerability is exploited via crafted HTTP requests.
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
Podcast Transcript
Hello and welcome to the Wednesday, May 14th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today's Stormcast is brought to you from the SANS.EDU Certificate Program in Cloud Security from Jacksonville, Florida.

And the highlight today, of course, is Microsoft's Patch Tuesday. We had patches for 78 vulnerabilities in May. Eight of them had already been patched earlier, but 70 new vulnerabilities are being announced as part of this release. Out of the 78 vulnerabilities, 11 are critical, and the number that's a little bit higher than normal is that we have five already exploited vulnerabilities that are being patched today. Now, out of those five vulnerabilities, there are four privilege escalation vulnerabilities. And the sort of couple, I call them always friends of the show here, the Windows Common Log File System driver elevation of privilege vulnerability. That's something we had a couple of times before already. That's the old problem where this log file system driver is running with elevated privileges. It has to parse various log formats and that often fails. So definitely something to be aware of.

There was one code execution vulnerability here. And this is the scripting engine memory corruption vulnerability. However, this vulnerability is only exploitable if you are running Microsoft Edge in Internet Explorer mode. Because that scripting engine is that leftover part from Internet Explorer. Probably do some configuration checks and such to make sure that this doesn't happen unintentionally. I can imagine where developers, maybe some system administrators that need access to legacy tools and such, they may need that. But it should be hardly ever where people actually need to run in Internet Explorer mode. You definitely should control that.

Now, among the other sort of interesting vulnerabilities, we did have one vulnerability that initially sort of caught my interest. Because, well, it's a Windows Desktop Service remote code execution vulnerability. And you note here, it's only rated as important. It's not rated as critical. Even though this vulnerability is exploitable without authentication. However, there's another big dependency here. It's a timing vulnerability. And it's only exploitable while the remote desktop service is being relaunched. On the same note, if you look a little bit back, there are also two vulnerabilities here, also important, that are remote desktop gateway denial of service vulnerabilities. So, if an attacker would be able to trigger a restart, maybe with one of these denial of service vulnerabilities, then the code execution vulnerability becomes all of a sudden a lot more exploitable. That's a speculation at this point. So, I haven't seen anybody really talk about whether the denial of service can trigger a restart and whether it then becomes exploitable. Definitely something to patch. Think a little bit about configuration changes and such. In particular, with these repeating vulnerabilities where you probably want to be ready for the next log system vulnerability or the next scripting engine vulnerability.

Well, maybe Microsoft's zero days today were a little bit disappointing for the attackers. Leave it up to Ivanti to make up for it. Ivanti fixed two already exploited vulnerabilities in Ivanti's Endpoint Manager Mobile. The first vulnerability is an authentication bypass vulnerability. The second vulnerability then is a remote code execution vulnerability. This, well, after you exploit the authentication bypass, doesn't require any authentication either. I think the CVSS score is a little bit on the low side here, given the overall impact. But that's sort of one of the difficulties sometimes, that a vulnerability by itself may not really be that much of a big deal. But once you look at them together and are able to sort of chain exploitation like this, well, you all of a sudden have a much larger problem.

And talking about already exploited vulnerabilities, we also got updates from Fortinet. Fortinet patched a stack-based buffer overflow that's already being exploited and affects a number of Fortinet products. For example, FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice. And for all of these, several versions, pretty much all supported versions, are affected. So another thing that I would probably prioritize ahead of some of the Microsoft updates this week.

Well, and that's it for today. Thanks for listening and thanks for liking the podcast. Thanks for any comments and such that are coming in. And for those of you watching this in a video format, I try to add a couple of screenshots of webpages and such to make things a little bit easier to follow along. I don't do that while I'm on the road just because there are too many moving parts. And at home, it's a little bit more of a setup that I'm using here that makes it a bit easier to add this. Well, that's it for today. Thanks and talk to you again tomorrow. Bye.