Weekly Security News – 17th March 2025

Security updates for Apple and Microsoft, Fortinet vulnerabilities exploited, Microsoft replacing Remote Desktop app...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Apple Releases Security Updates for Multiple Products

Apple has released security updates to address an exploited vulnerability in multiple Apple products. CVE-2025-24201 is an ‘out-of-bounds write’ vulnerability that could allow an attacker with maliciously crafted web content to break out of the Web Content sandbox. The security update addressing CVE-2025-24201 is a supplementary fix for an exploited vulnerability that was addressed in iOS 17.2. Apple is aware of a report that ‘this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2’. The following platforms are known to be affected: Safari all prior to 18.3.1, iOS all prior to 18.3.2, iPadOS all prior to 18.2, macOS Sequoia 15.3.2 and visionOS all prior to 2.3.2. CVE-2025-24201 is also listed in the Google Chrome Releases Stable Channel Update for Desktop, which describes it as an ‘Out of bounds write in GPU on Mac’ vulnerability; Google has started releasing version 134.0.6998.89 for Mac to address it. Google is aware of reports that an exploit for CVE-2025-24201 exists in the wild. Affected organisations are encouraged to review Apple security releases and apply the relevant updates.

Microsoft Releases March 2025 Security Updates

Microsoft has released security updates to address 57 vulnerabilities in Microsoft products. Five vulnerabilities are highlighted below, of which two are exploited and three are considered critical.

CVE-2025-24983 – Windows Win32 Kernel Subsystem Privilege Escalation Vulnerability. CVE-2025-24983 is a ‘use-after-free’ vulnerability in Windows and Windows Server with a CVSSv3 score of 7.0. Successful exploitation could allow an attacker to escalate privileges and gain SYSTEM privileges. Microsoft reports that this vulnerability is under exploitation.

CVE-2025-24993 – Windows NTFS Remote Code Execution Vulnerability. CVE-2025-24993 is a ‘heap-based buffer overflow’ vulnerability in Windows and Windows Server with a CVSSv3 score of 7.8. Successful exploitation could allow an unauthorised attacker to execute code locally. Microsoft reports that this vulnerability is under exploitation.

CVE-2025-24057 – Microsoft Office Remote Code Execution Vulnerability. CVE-2025-24057 is a critical ‘heap-based buffer overflow’ vulnerability in Microsoft Office, Microsoft 365 Apps, and Office Online Server with a CVSSv3 score of 7.8. The Preview Pane is an attack vector, so a user does not need to open the file. Successful exploitation could allow an unauthorised attacker to achieve arbitrary code execution (ACE).

CVE-2025-26645 – Remote Desktop Client Remote Code Execution Vulnerability. CVE-2025-26645 is a critical ‘relative path traversal’ vulnerability in Remote Desktop Client, Windows App Client for Windows Desktop, Windows, and Windows Server with a CVSSv3 score of 8.8. Successful exploitation could allow an unauthorised attacker to execute code over a network.

CVE-2025-24084 – Windows Subsystem for Linux (WSL2) Kernel Remote Code Execution Vulnerability. CVE-2025-24084 is a critical ‘untrusted pointer dereference’ vulnerability in Windows and Windows Server with a CVSSv3 score of 8.4. Successful exploitation could allow an unauthorised attacker to achieve ACE.

Affected organisations are encouraged to review Microsoft’s March 2025 Security Updates and apply the relevant updates as soon as practicable.

Cyber Attacks

Recent Fortinet Vulnerabilities Exploited in ‘SuperBlack’ Ransomware Attacks

A Russian threat actor has been exploiting two Fortinet firewall vulnerabilities in attacks leading to ransomware deployments, cybersecurity firm Forescout warns. The hacking group, tracked as Mora_001, apparently adopted a leaked LockBit builder to create its own file-encrypting ransomware variant that Forescout has dubbed SuperBlack. Mora_001, the cybersecurity firm says, has ties to established ransomware gangs, based on its post-exploitation patterns, the use of the leaked builder, and the use of the same ID as LockBit for the peer-to-peer communication service Tox. “The post-exploitation patterns observed enabled us to define a unique operational signature that sets Mora_001 apart from other ransomware operators, including LockBit affiliates. This consistent operational framework suggests a distinct threat actor with a structured playbook,” Forescout notes. The threat actor has been observed exploiting CVE-2024-55591 and CVE-2025-24472, two vulnerabilities in FortiOS and FortiProxy that allow attackers to elevate their privileges to super-admin on a vulnerable Fortinet appliance. Fortinet announced patches for CVE-2024-55591 in January, warning of its in-the-wild exploitation as a zero-day. On February 11, the company updated its advisory to add CVE-2025-24472, which covers an additional attack vector. “In some cases, instead of relying on a single administrative account for all actions, the threat actor employed a chaining method, where each newly created administrative account was used to generate additional accounts,” Forescout explains. Following the local administrator account creation, the attackers downloaded the firewall configuration file, which contains critical information, modified system settings, and created a scripted automation task to recreate the super admin user if it was deleted.

Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails

Microsoft has shed light on an ongoing phishing campaign that targeted the hospitality sector by impersonating online travel agency Booking.com using an increasingly popular social engineering technique called ClickFix to deliver credential-stealing malware. The activity, the tech giant’s threat intelligence team said, started in December 2024 and operates with the end goal of conducting financial fraud and theft. It’s tracking the campaign under the moniker Storm-1865. “This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency,” Microsoft said. The ClickFix technique has become widespread in recent months, as it tricks users into executing malware under the guise of fixing a supposed (i.e., non-existent) error by copying, pasting, and launching deceptive instructions that activate the infection process. It was first detected in the wild in October 2023. The attack sequence starts with Storm-1865 sending a malicious email to a targeted individual about a negative review left by a purported guest on Booking.com and asking them for their “feedback.” The message also embeds a link, or a PDF attachment containing one that seemingly directs the recipients to the booking site. However, clicking on it leads the victim to a fake CAPTCHA verification page that’s overlaid on a “subtly visible background designed to mimic a legitimate Booking.com page.” In doing so, the idea is to lend a false sense of security and increase the likelihood of a successful compromise.

In Other News...

Microsoft replacing Remote Desktop app with Windows App in May

Microsoft announced that it will drop support for the Remote Desktop app (available via the Microsoft Store) on May 27 and replace it with its new Windows App. “Connections to Windows 365, Azure Virtual Desktop, and Microsoft Dev Box via the Remote Desktop app from the Microsoft Store will be blocked after May 27, 2025,” Microsoft said. “To understand if there are current feature gaps that may create challenges for migrating to Windows App, review Known issues and limitations of Windows App.” The Windows App is designed for work and school accounts and helps connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. According to Microsoft, it can be used from PCs, tablets, smartphones, and via web browsers to connect to cloud PCs, virtual desktops, and local PCs across Windows 365, Remote Desktop, Remote Desktop Services, Azure Virtual Desktop, or Microsoft Dev Box. The app has been available in preview since 2023 and was officially launched in September 2024, when Redmond described it as “a unified gateway to Windows”. However, despite being under development for years, the new Windows App still doesn’t support Remote Desktop Services and Remote PC connections on Windows, although it does on all other platforms (e.g., macOS, iOS/iPadOS, Android, Chrome OS, web, and Meta Quest). Because of this, Microsoft advises Remote Desktop and Remote Desktop Services users to use the Windows built-in Remote Desktop Connection app to connect to remote desktops.

NVIDIA Riva Vulnerabilities Let Attackers Escalate Privileges

NVIDIA has issued a significant software update for its Riva speech AI platform, releasing version 2.19.0 to resolve two high-severity vulnerabilities (CVE-2025-23242 and CVE-2025-23243) involving improper access control mechanisms. The update, detailed in a March 10, 2025, security bulletin, impacts all Linux deployments running Riva versions ≤2.18.0 and follows coordinated disclosure with Trend Micro researchers David Fiser and Alfredo Oliveira. CVE-2025-23242 (CVSS 7.3) exposes systems to privilege escalation through improper access control in Riva’s service authentication layer. Attackers exploiting this flaw could execute arbitrary code with elevated permissions, manipulate real-time speech processing pipelines, or exfiltrate sensitive conversation logs from AI inference workloads. Its attack vector (AV:N/AC:L/PR:N/UI:N/S:U) indicates network-based exploitation requiring neither privileges nor user interaction, making it particularly dangerous for exposed API endpoints. CVE-2025-23243 (CVSS 6.5) presents a more limited but still serious risk profile, enabling unauthenticated actors to trigger denial-of-service conditions or tamper with text normalization outputs in neural machine translation (NMT) services. Both vulnerabilities stem from insufficient validation of gRPC request headers in Riva’s microservice architecture, as confirmed by NVIDIA’s Product Security Incident Response Team (PSIRT). NVIDIA mandates an immediate upgrade to Riva 2.19.0, which introduces enhanced role-based access control (RBAC) policies and hardened gRPC authentication protocols. Organizations using custom voice fonts or domain-specific language models should validate acoustic properties post-upgrade, as the security patches modify low-level audio processing threads.