Cybercrime, Data Breach Notification, Data Security
Also: Google Fixes YouTube Vulnerabilities That Could Have Exposed User Emails

Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week: Microsoft, Ivanti and Google release fixes for critical vulnerabilities and urge priority patching; Lee Enterprises confirms a cyberattack disrupted newspaper operations; and thousands of KerioControl firewalls remain exposed to a critical remote code execution flaw.
Microsoft Patches Two Zero-Day Vulnerabilities in February
Microsoft addressed 73 security flaws across its software ecosystem in its February Patch Tuesday update. Two of them are zero-day vulnerabilities that were already being exploited in the wild, which makes prompt deployment of the patches a priority.
One of the zero-days, tracked as CVE-2025-21402, is a privilege escalation flaw in Windows that could allow attackers to gain elevated permissions on a targeted system. Microsoft classified this as ‘important’ and confirmed reports of active exploitation.
The second zero-day, CVE-2025-21399, is a security feature bypass vulnerability that affects Microsoft Office. Exploitation of this flaw could allow attackers to evade macro-based security protections, potentially leading to malware infections through maliciously crafted documents.
In addition to the two zero-days, the update also fixes 15 critical vulnerabilities that could enable RCE across Windows, Exchange Server and Azure.
Ivanti Patches Critical Flaws in Secure Access Products
Ivanti released security updates for its Connect Secure, Policy Secure and Secure Access Client products, addressing multiple vulnerabilities, including three critical flaws. The company discovered the issues through responsible disclosure programs, including contributions from CISA, Akamai and the HackerOne bug bounty platform.
While Ivanti has not detected active exploitation of these vulnerabilities, it urges users to apply the patches immediately. The most severe flaw, CVE-2025-22467, is a stack-based buffer overflow that allows a remote, authenticated attacker with only low privileges to achieve RCE. The two other critical flaws involve external control of a file name and code injection, respectively; both require an authenticated administrator, so they remain exploitable by an attacker holding stolen administrative credentials.
The update also addresses five additional vulnerabilities of medium to high severity, including cross-site scripting, hardcoded encryption keys and insufficient permissions.
Ivanti confirmed that Pulse Connect Secure 9.x is also affected but will not receive fixes, as its support ended in December 2024. Because no workarounds or mitigations have been provided for the patched flaws, the company advises customers still on affected versions to upgrade.
Google Fixes YouTube Vulnerabilities That Could Have Exposed User Emails
Google patched two security flaws that, when combined, could have exposed the email addresses of YouTube users, posing a major privacy risk for those relying on anonymity.
Security researchers Brutecat and Nathan discovered that YouTube’s API leaked users’ internal Google Gaia IDs, which were then convertible into email addresses using an old Pixel Recorder API. Gaia IDs serve as unique Google account identifiers across services like Gmail, YouTube and Google Drive, but they are not meant to be public.
Brutecat found that YouTube’s live chat feature unintentionally exposed these IDs through an API request. By tweaking this request, researchers could retrieve the Gaia ID of any YouTube user. Nathan later discovered that Pixel Recorder’s web API could use this ID to fetch the associated email address, potentially unmasking millions of users.
Google was notified in September 2024 and fixed the issue by Feb. 9. Initially, it deemed the report a duplicate and awarded a $3,133 bounty, later increasing it to $10,633 after recognizing the full exploit chain.
Google confirmed the vulnerabilities have been mitigated and said it found no evidence of real-world exploitation. The fixes stop the live chat API from exposing Gaia IDs and make a block issued on YouTube apply only to YouTube rather than across other Google services.
Lee Enterprises Confirms Cyberattack Disrupted Newspaper Operations
Lee Enterprises, one of the largest U.S. newspaper publishers, revealed that a cyberattack on Feb. 3 caused a major technology outage, disrupting its operations.
The attack forced the shutdown of several internal networks, disrupting the printing and delivery of multiple newspapers. The attack also affected VPN access for remote employees, leaving journalists unable to access critical files. Many Lee Enterprises publications have since displayed maintenance notices, warning readers of temporary disruptions to subscription services and e-editions.
Thousands of KerioControl Firewalls Exposed to Critical RCE Vulnerability
Over 12,000 GFI KerioControl firewall instances remain vulnerable to a critical RCE flaw, CVE-2024-52875, despite a security patch released in December 2024. The vulnerability allows attackers to execute malicious code with minimal effort, posing a serious risk to small and medium-sized businesses relying on KerioControl for network security, VPNs and intrusion prevention.
The flaw enables one-click RCE: user-supplied input was not sanitized before being placed into HTTP response headers, so a crafted link is enough to turn an authenticated administrator's click into code execution on the firewall. Shortly after the discovery, GFI Software released a fix in version 9.4.5 Patch 1. However, by early January, Censys reported nearly 24,000 vulnerable instances still online, and Shadowserver now detects 12,229 exposed firewalls, primarily in Iran, the U.S., Italy, Germany and India.
Administrators are urged to install KerioControl version 9.4.5 Patch 2, released Jan. 31, 2025, to mitigate the risk and apply additional security enhancements.
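To make the bug class behind the KerioControl advisory concrete, the following is an added, self-contained illustration of the general pattern "unsanitized input reaches an HTTP response header"; it is not GFI's code and does not reproduce the mechanics of CVE-2024-52875. A redirect endpoint copies a user-controlled `dest` parameter into the `Location` header verbatim, so a CR/LF sequence in the input lets the attacker append headers and a body (HTTP response splitting). The hardened version rejects control characters and restricts the target to a relative path. Endpoint names and the sample inputs are constructed for the example.

```python
"""Added example: HTTP response-header injection and a hardened builder.

Not KerioControl code. The endpoint, header layout and inputs are constructed
for illustration only.
"""

# Constructed attacker input: a relative path followed by CR/LF so that the
# remainder is interpreted as extra headers and then a response body.
MALICIOUS_DEST = "/\r\nSet-Cookie: session=attacker\r\n\r\n<script>alert(1)</script>"
BENIGN_DEST = "/dashboard"


def build_redirect_vulnerable(dest: str) -> bytes:
    """Copies `dest` straight into the Location header: the vulnerable pattern."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def parse_response(raw: bytes):
    """Parse a raw HTTP response the way a client would: the head ends at the
    first blank line, every line after the status line is a header, and
    whatever follows the blank line is the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode().partition(":")
        headers[name.strip()] = value.strip()
    return status, headers, body


def is_safe_redirect_target(dest: str) -> bool:
    """Allowlist check for a redirect target that will land in a header.

    The check must run on the *decoded* value (after any %0d%0a unescaping
    the server performs), otherwise encoded CR/LF slips through.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in dest):
        return False          # no CR, LF or other control characters
    if not dest.startswith("/") or dest.startswith("//"):
        return False          # relative path only; also blocks open redirects
    return True


def build_redirect_hardened(dest: str) -> bytes:
    """Same redirect, but refuses anything that could split the response."""
    if not is_safe_redirect_target(dest):
        raise ValueError("refusing to place unsafe value in Location header")
    return build_redirect_vulnerable(dest)  # identical layout once validated


if __name__ == "__main__":
    status, headers, body = parse_response(build_redirect_vulnerable(MALICIOUS_DEST))
    print("vulnerable build -> injected headers:", headers, "body:", body[:25])
    try:
        build_redirect_hardened(MALICIOUS_DEST)
    except ValueError as exc:
        print("hardened build ->", exc)
    print("hardened build accepts", BENIGN_DEST, ":", build_redirect_hardened(BENIGN_DEST))
```

The parsed output of the vulnerable build shows why "one click" is enough in this class of bug: the attacker-controlled `Set-Cookie` header and the `<script>` body arrive in the victim's browser as if the firewall had sent them. Modern web frameworks already reject CR/LF in header values; the hardening matters in hand-rolled HTTP handling of the kind appliances often contain.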
Other Stories From Last Week