Multiple actively exploited zero-days patched in Microsoft, Ivanti, and Fortinet products

Microsoft, Fortinet, and Ivanti have released critical security patches following the discovery of several zero-day vulnerabilities that are actively being exploited in the wild.

Microsoft shipped patches for over 70 security vulnerabilities across its software ecosystem, five of which have been flagged as actively exploited zero-day flaws. These span a variety of Windows components and present serious risks of privilege escalation and remote code execution.

The actively exploited zero-days include:

  • CVE-2025-30397 – Scripting Engine Memory Corruption Vulnerability

  • CVE-2025-30400 – Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability

  • CVE-2025-32701 – Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability

  • CVE-2025-32706 – Another CLFS Driver Elevation of Privilege Vulnerability

  • CVE-2025-32709 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

The flaws could allow attackers to gain elevated privileges on affected systems or execute arbitrary code, potentially compromising entire networks. Microsoft has urged users and administrators to apply the patches immediately.

Cybersecurity firm Fortinet has also patched a critical stack-based buffer overflow vulnerability, tracked as CVE-2025-32756, in its enterprise phone system product FortiVoice. The flaw also affects several other Fortinet products, including FortiMail, FortiNDR, FortiRecorder, and FortiCamera, and can be exploited remotely via malicious HTTP requests.

Fortinet confirmed the vulnerability has been exploited in the wild, particularly targeting FortiVoice devices. The attackers reportedly performed network scans, erased system crash logs, and enabled debugging functions to harvest credentials, including those from SSH login attempts. While the company has not disclosed the identity of the threat actors or the scale of the attacks, it is urging customers to update affected products without delay.

Ivanti has released patches for two severe vulnerabilities, CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution), in its Endpoint Manager Mobile (EPMM) software. The two flaws have been chained together in the wild to achieve unauthenticated remote code execution.

The flaws impact multiple versions of EPMM: 11.12.0.4 and earlier (fixed in 11.12.0.5), 12.3.0.1 and earlier (fixed in 12.3.0.2), 12.4.0.1 and earlier (fixed in 12.4.0.2), and 12.5.0.0 and earlier (fixed in 12.5.0.1).

Ivanti credited CERT-EU for reporting the issues and acknowledged that a small number of customers have been affected. The vulnerabilities stem from two unnamed open-source libraries embedded in EPMM. The company is still investigating the incident and has not confirmed whether other applications using the same libraries are also vulnerable.
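As an added triage example (not code from the article or from Ivanti), the following helper checks an EPMM inventory against the fixed versions listed above. It assumes version strings are dotted numerics such as "12.4.0.1" and interprets each advisory entry as applying to its own major.minor branch; versions on a branch the advisory does not name are flagged for manual review rather than guessed at.

```python
from typing import Dict, List, Tuple

# First fixed build per affected branch, taken from the advisory text above.
# Key: (major, minor) branch; value: first patched version on that branch.
EPMM_FIXES: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.4.0.1' into (12, 4, 0, 1); pad short forms like '12.5' to four parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums)) if len(nums) < 4 else nums


def epmm_status(version: str) -> str:
    """Return 'vulnerable', 'patched', or 'not-listed' for one EPMM version."""
    v = parse_version(version)
    fixed = EPMM_FIXES.get((v[0], v[1]))
    if fixed is None:
        # Branch not named in the advisory; confirm against the vendor bulletin.
        return "not-listed"
    # Tuple comparison orders component-wise, so (12,4,0,1) < (12,4,0,2).
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every host that is not confirmed patched."""
    findings = []
    for host, version in sorted(inventory.items()):
        status = epmm_status(version)
        if status != "patched":
            findings.append((host, version, status))
    return findings


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"epmm-01": "11.12.0.4", "epmm-02": "12.4.0.2",
              "epmm-03": "12.5", "epmm-04": "12.6.0.0"}
    for row in triage(sample):
        print(*row)
```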
