{"id":2693,"date":"2025-04-08T23:21:45","date_gmt":"2025-04-08T23:21:45","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2693"},"modified":"2025-04-08T23:21:45","modified_gmt":"2025-04-08T23:21:45","slug":"april-patch-tuesday-news-windows-zero-day-being-exploited-big-vulnerability-in-2-sap-apps","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2693","title":{"rendered":"April Patch Tuesday news: Windows zero day being exploited, \u2018big vulnerability\u2019 in 2 SAP apps"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A threat actor is exploiting a zero-day elevation of privileges vulnerability in the Windows Common Log File System to deploy ransomware, one of a number of critical holes Microsoft plugged today as part of its April Patch Tuesday releases.<\/p>\n<p>\u201cThe targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia,\u201d <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/04\/08\/exploitation-of-clfs-zero-day-leads-to-ransomware-activity\/\">Microsoft said<\/a>, as it released a total of <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/releaseNote\/2025-Apr\">126 fixes <\/a>.<\/p>\n<p>The exploit of the vulnerability (<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-29824\">CVE-2025-29824<\/a> ) has been deployed by a threat actor Microsoft calls Storm-2460, which has also been seen spreading ransomware via the PipeMagic backdoor.<\/p>\n<p>Microsoft hasn\u2019t determined how devices were initially compromised. 
But this group has used certutil, a built-in Windows certificate utility, to download a file from a legitimate third-party website that was previously compromised to host the threat actor\u2019s malware.<\/p>\n<p>Also today, CISOs with SAP systems in their environments were warned to patch a critical code injection vulnerability in SAP System Landscape Transformation (SLT) and S\/4HANA.<\/p>\n<p>It was one of 20 new and updated SAP Security Notes in SAP\u2019s April Patch Day, including three <em>Hot News<\/em> Notes and five <em>High Priority<\/em> Notes.<\/p>\n<p>\u201cThis is huge,\u201d Paul Laudanski, director of security research at Onapsis, said in urging CISOs to act fast on applying the SAP patch. \u201cIt\u2019s a pretty big vulnerability.\u201d<\/p>\n<p>He doesn\u2019t believe the patch requires either SAP application to be rebooted.<\/p>\n<p>More on SAP patches later.<\/p>\n<h2 class=\"wp-block-heading\">Make fixing CLFS a priority<\/h2>\n<p>Applying the patch for Windows Common Log File System (CLFS) should be considered a priority for security teams, said Tyler Reguly, associate director of security R&amp;D at Fortra.<\/p>\n<p>\u201cI was recently discussing CLFS vulnerabilities and how they seem to come in waves,\u201d he said in an email. \u201cWhen a vulnerability in CLFS is patched, people tend to dig around and look at what\u2019s going on, and come across other vulnerabilities in the process. If I was a gambler, I would bet on CLFS appearing again next month.\u201d<\/p>\n<p>CISOs should view this vulnerability \u201cas a serious threat,\u201d Mike Walters, president of Action1, told CSO in an email, \u201cas it impacts the organization\u2019s overall security posture\u2014not just isolated systems\u2014making it a priority for immediate attention and remediation.\u201d<\/p>\n<p>He also noted that patches for this vulnerability are not yet available for Windows 10 (either x64-based or 32-bit systems). 
Admins should closely monitor for updates and apply them as soon as they become available, he advised.<\/p>\n<p>Walters also said that CISOs should pay attention to two groups of remote access fixes:<\/p>\n<ul>\n<li>For <strong>Windows Remote Desktop Services<\/strong>, there are patches for two vulnerabilities (CVE-2025-27482, CVE-2025-27480).<br \/>\u201cThese critical flaws open the door for attackers to remotely execute malicious code, paving the way for unauthorized access and lateral movement within an organization\u2019s network,\u201d he said. \u201cGiven that Remote Desktop is a widely used access point, CISOs should view these vulnerabilities as high-risk\u2014potentially exposing entire infrastructures to compromise.\u201d<br \/>These CVEs are currently not exploited, he said, but the potential for exploitation is high due to the critical nature of Remote Desktop in enterprise environments. Attackers could exploit these vulnerabilities to gain remote access to systems, using them as an entry point for more extensive attacks within the network, he said.<\/li>\n<li>For <strong>Microsoft Office<\/strong>, there are patches for four remote code execution vulnerabilities (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745).<br \/>\u201cGiven the widespread use of Microsoft Office in enterprises, these vulnerabilities pose a significant risk of widespread compromise and are a top concern for CISOs due to their potential impact on enterprise-wide security,\u201d he said. These vulnerabilities aren\u2019t currently being exploited in the wild, he added, but the likelihood of exploitation is high\u2014particularly through phishing campaigns, which remain a common and effective attack vector.<\/li>\n<\/ul>\n<p>Patches for Microsoft Office LTSC for Mac 2021 and 2024 aren\u2019t immediately available. 
Walters said admins should monitor for updates and apply them as soon as possible.<\/p>\n<p>Tyler Reguly of Fortra also said the Microsoft patches released this month show that CVSS severity is not necessarily the best metric for prioritization. The CLFS vulnerability, which Fortra helped discover, has a base score of 7.8, while another vulnerability that he advises CISOs to pay attention to, <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2025-27472\">CVE-2025-27472<\/a>, only has a base score of 5.4.<\/p>\n<p>In the case of Microsoft patches, prioritization is better done using the <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/exploitability-index\">Microsoft Exploitability Index<\/a> and focusing on vulnerabilities with an index of 0 (Exploitation Detected) or 1 (Exploitation More Likely), Reguly advises.<\/p>\n<p>CVE-2025-27472 describes a vulnerability in <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365-apps\/security\/internet-macros-blocked#additional-information-about-mark-of-the-web\">Mark of the Web (MOTW)<\/a> that allows for the potential bypass of SmartScreen. Microsoft has listed this vulnerability as <em>Exploitation More Likely<\/em>, and it is common to see MOTW vulnerabilities used by threat actors. \u201cI wouldn\u2019t be surprised if this is a vulnerability that we see exploited in the future,\u201d he added.<\/p>\n<p>Satnam Narang, Tenable\u2019s senior staff research engineer, noted that while most of the focus of each Patch Tuesday trends towards remote code execution flaws, historical data has shown that the majority of <a href=\"https:\/\/www.csoonline.com\/article\/565704\/zero-days-explained-how-unknown-vulnerabilities-become-gateways-for-attackers.html\">zero-day vulnerabilities<\/a> exploited in the wild over the last two years were elevation of privilege (EoP) flaws. 
This year alone, over half of zero-days exploited in the wild were EoP bugs. So, he said, CISOs should prioritize patching privilege escalation bugs, such as CVE-2025-29812, CVE-2025-27727 and CVE-2025-29824, because it\u2019s clear that attackers will use any means necessary to breach a network, and elevating privileges once inside is a key priority.<\/p>\n<h2 class=\"wp-block-heading\">More on SAP fixes<\/h2>\n<p>The critical code injection vulnerability in the two SAP applications (SAP Security Notes <a href=\"https:\/\/me.sap.com\/notes\/3587115\">#3587115<\/a> and <a href=\"https:\/\/me.sap.com\/notes\/3581961\">#3581961<\/a>), \u201ccould be a gold mine for attackers,\u201d said Paul Laudanski of Onapsis.<\/p>\n<p>The applications are susceptible to an attack that lets an attacker run SAP\u2019s ABAP (Advanced Business Application Programming) code, he said.<\/p>\n<p>\u201cLooking at the vector again, the privileges required is set to Low, which means a basic account authentication would be required,\u201d he noted. An attacker would want to target an account they could take over and then use to carry out the injection attack leading to full compromise.<\/p>\n<p>The other SAP Security Note CISOs should pay attention to is <a href=\"https:\/\/me.sap.com\/notes\/3572688\">#3572688<\/a>, he said, which is tagged with a CVSS score of 9.8. It patches an authentication bypass vulnerability in SAP Financial Consolidation. 
Due to an improper authentication mechanism, unauthenticated attackers can impersonate the Admin account, causing high impact on the confidentiality, integrity, and availability of the application.<\/p>\n<h2 class=\"wp-block-heading\">Google Android fixes<\/h2>\n<p>Separately, <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/04\/google-fixes-two-actively-exploited-zero-day-vulnerabilities-in-android\">Malwarebytes reports<\/a> that Google announced patches for 62 vulnerabilities in Android 13, 14 and 15. Smartphone and tablet manufacturers were notified at least a month ago to give them time to release updates for their devices in the coming days or weeks. Among the fixes, two will plug actively exploited zero-day vulnerabilities.<\/p>\n<h2 class=\"wp-block-heading\">Delay in releasing Microsoft news<\/h2>\n<p>Finally, some experts noted that today\u2019s Microsoft patches were released 40 minutes later than usual. \u201cThis is not a big deal; we wouldn\u2019t even notice a delay that small from most organizations,\u201d said Tyler Reguly of Fortra. \u201cBut Microsoft isn\u2019t most organizations, and their own punctuality made this delay obvious. Once the patches were released, they contained an FAQ note that Windows 10 security updates were not currently available and would be released as soon as possible with a revision to the CVE to notify customers. This really makes you wonder what went wrong with the Windows 10 updates that they are not presently available.<\/p>\n<p>\u201cAs an organization, you need to wonder how long [these] updates will be delayed. Are we talking hours or days? These vulnerabilities have now been announced, malicious actors will be reverse engineering the updates to identify the vulnerabilities and how to exploit them, and Windows 10 users are left without the ability to update. If I was responsible for risk in my organization, I\u2019d probably be a little concerned about this delay. 
In other words, if I were a CISO, I\u2019d be paying attention to how long this delay persists and how impacted my organization is.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A threat actor is exploiting a zero-day elevation of privileges vulnerability in the Windows Common Log File System to deploy ransomware, one of a number of critical holes Microsoft plugged today as part of its April Patch Tuesday releases. \u201cThe targets include organizations in the information technology (IT) and real estate sectors of the United [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2675,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2693","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2693"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2693"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2693\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2675"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2693"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2693"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route
=%2Fwp%2Fv2%2Ftags&post=2693"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}