Microsoft, Fortinet, and Ivanti have released critical security patches following the discovery of several zero-day vulnerabilities that are actively being exploited in the wild.
Microsoft shipped patches for over 70 security vulnerabilities across its software ecosystem, five of which have been flagged as actively exploited zero-day flaws. They span a variety of Windows components and pose serious risks of privilege escalation and remote code execution.
The actively exploited zero-days include:
- CVE-2025-30397 – Scripting Engine Memory Corruption Vulnerability
- CVE-2025-30400 – Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability
- CVE-2025-32701 – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability
- CVE-2025-32706 – Another CLFS Driver Elevation of Privilege Vulnerability
- CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
The flaws could allow attackers to gain elevated privileges on affected systems or execute arbitrary code, potentially compromising entire networks. Microsoft has urged users and administrators to apply the patches immediately.
Cybersecurity firm Fortinet has also patched a critical stack-based buffer overflow vulnerability in its enterprise phone system product FortiVoice, identified as CVE-2025-32756. The flaw affects several Fortinet products, including FortiMail, FortiNDR, FortiRecorder, and FortiCamera, and can be exploited remotely via malicious HTTP requests.
Fortinet confirmed the vulnerability has been exploited in the wild, particularly targeting FortiVoice devices. The attackers reportedly performed network scans, erased system crash logs, and enabled debugging functions to harvest credentials, including those from SSH login attempts. While the company has not disclosed the identity of the threat actors or the scale of the attacks, it is urging customers to update affected products without delay.
Ivanti has released patches for two severe vulnerabilities, CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution), in its Endpoint Manager Mobile (EPMM) software. The two flaws have been chained together in the wild to achieve unauthenticated remote code execution.
The flaws impact multiple EPMM release branches: 11.12.0.4 and earlier (fixed in 11.12.0.5), 12.3.0.1 and earlier (fixed in 12.3.0.2), 12.4.0.1 and earlier (fixed in 12.4.0.2), and 12.5.0.0 and earlier (fixed in 12.5.0.1).
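For an administrator working through an inventory of EPMM appliances, the version table above translates directly into an exposure check. The script below is an added example, not Ivanti's tooling or code from this article; the fixed builds are taken from the article, the host names and versions in the sample inventory are constructed, and branches the article does not mention are reported as "unlisted" rather than judged.

```python
# Added example (not from the article or from Ivanti): decide whether an EPMM
# version string falls into one of the affected ranges named above and which
# build closes the gap.

# Fixed builds per release branch, as listed in the article. Anything on the
# same branch strictly below the fixed build is affected.
FIXED_BUILDS = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '12.4.0.1' into (12, 4, 0, 1); pad short strings with zeros so tuple comparison works."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(text: str) -> dict:
    """Return status ('affected', 'patched' or 'unlisted') plus the fixing build, if any."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # Branch not in the advisory table (e.g. an older train the article does
        # not cover): report it instead of guessing a verdict.
        return {"version": text, "status": "unlisted", "fixed_in": None}
    status = "affected" if version < fixed else "patched"
    return {"version": text, "status": status, "fixed_in": ".".join(map(str, fixed))}


def affected_hosts(inventory: dict) -> list:
    """Given {hostname: version}, list the hosts that still need the fix, sorted by name."""
    return sorted(host for host, ver in inventory.items() if assess(ver)["status"] == "affected")


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    sample = {"mdm-01": "12.4.0.1", "mdm-02": "12.5.0.1",
              "mdm-03": "11.12.0.4", "mdm-04": "12.3.0.2"}
    for host, ver in sample.items():
        print(host, assess(ver))
    print("needs patch:", affected_hosts(sample))
```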
Ivanti credited CERT-EU for reporting the issues and acknowledged that a small number of customers have been affected. The vulnerabilities stem from two unnamed open-source libraries embedded in EPMM. The company is still investigating the incident and has not confirmed whether other applications using the same libraries are also vulnerable.