Weekly Security News – 14th April 2025

Microsoft and Fortinet release critical patches, Oracle faces mounting criticism and articles on the latest in AI...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all in one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Microsoft Patches 125 Windows Vulnerabilities, including Exploited CLFS Zero-Day

The CLFS zero-day, tagged as CVE-2025-29824, allows a local attacker to gain SYSTEM privileges by exploiting a use-after-free bug, Redmond’s security response team warned.

The issue carries a CVSS severity score of 7.8/10 and requires only low-level privileges with no user interaction.

Microsoft credited its internal threat intelligence team with discovering the issue, suggesting it was being exploited by professional hacking teams. The software maker said a patch for Windows 10 is not yet available and will be shipped at a later date.

In separate documentation, Microsoft blamed a ransomware group for the attacks and said targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia.

“In addition to discovering the vulnerability, Microsoft also found that the exploit has been deployed by PipeMagic malware. Microsoft is attributing the exploitation activity to Storm-2460, which also used PipeMagic to deploy ransomware,” the company said.

Over the last few years there have been at least 26 documented vulnerabilities in the Windows CLFS subsystem, which is used for data and event logging, and Microsoft has responded with a major new security mitigation to block these attacks.

The company’s plans include the addition of Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to CLFS log files, hardening one of the most attractive attack surfaces for APT groups and ransomware operators.

WhatsApp Vulnerability Could Facilitate Remote Code Execution

According to a brief advisory published by Meta, the vulnerability is tracked as CVE-2025-30401 and it has been patched with the release of WhatsApp for Windows version 2.2450.6. All prior versions are impacted.

An attacker could exploit the vulnerability by sending the targeted user a specially crafted file whose MIME type is altered to make it appear as a harmless file.

The user would believe that they are opening an image or document file when in reality they would be running an executable or other type of file that triggers the execution of malicious code.

“A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp,” Meta explained.

Attacks involving MIME type manipulation have been known for years, but Meta has not mentioned anything about CVE-2025-30401 being exploited in the wild.

However, WhatsApp is a valuable target for threat actors and vulnerabilities affecting the messaging application are known to be exploited in attacks.

For instance, a WhatsApp zero-day was exploited last year in attacks involving spyware developed by Israeli company Paragon Solutions.

Fortinet Patches Critical FortiSwitch Vulnerability

Tracked as CVE-2024-48887 (CVSS score of 9.3), the FortiSwitch issue could allow an attacker to modify administrative passwords, the company warns.

“An unverified password change vulnerability in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request,” reads Fortinet’s advisory.

Disabling HTTP/HTTPS access from administrative interfaces and limiting the hosts that can connect to the system should mitigate the flaw, the company says.

The bug impacts FortiSwitch versions 6.4 to 7.6 and was addressed with the release of FortiSwitch versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1.

Patches were also released for CVE-2024-26013 and CVE-2024-50565, two high-severity vulnerabilities that could allow unauthenticated attackers to perform man-in-the-middle (MitM) attacks, intercept FGFM authentication requests between management and managed devices, and impersonate the management device (either the FortiCloud server or FortiManager).

Described as ‘improper restriction of communication channel to intended endpoints’ bugs, the security defects impact FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice, and FortiWeb.

On Tuesday, Fortinet also announced fixes for CVE-2024-54024, a high-severity OS command injection flaw in FortiIsolator that could allow an authenticated attacker with super-admin privileges and CLI access to execute arbitrary code via crafted HTTP requests.

Cyber Attacks

Oracle Faces Mounting Criticism as It Notifies Customers of Hack

As we mentioned in our round-up last week, a hacker announced on a cybercrime forum on March 20 that they had hacked Oracle Cloud servers, offering to sell millions of records allegedly associated with over 140,000 tenants, including encrypted/hashed credentials.

Oracle rushed to categorically deny that there had been a breach of Oracle Cloud systems, a statement that read as if the company was denying it had been hacked at all.

However, the hacker started leaking stolen information, which security firms assessed as likely being genuine, and some Oracle customers confirmed that their data was included in the leak.

As more evidence of a data breach affecting Oracle systems came to light, Oracle started privately informing customers — reportedly through verbal notifications — that some systems were indeed breached, but pointed out that they were not Oracle Cloud systems.

On April 7, more than two weeks after the hack came to light, Oracle started sending out written notifications to customers, reiterating that Oracle Cloud Infrastructure (OCI) has “NOT experienced a security breach”.

“No OCI customer environment has been penetrated. No OCI customer data has been viewed or stolen. No OCI service has been interrupted or compromised in any way,” reads a notification email obtained by security expert Max Solonski.

However, the notification confirmed that “a hacker did access and publish user names from two obsolete servers that were never part of OCI”.

‘AkiraBot’ Spammed 80,000 Websites With AI-Generated Messages

Dubbed AkiraBot after the ‘Akira’ brand used in the domains of the search engine optimization (SEO) service it advertises, the framework can evade CAPTCHA filters and network detections. The name ‘ServiceWrap’ also stands out in its SEO domain naming.

The framework was designed to target websites with spam messages that can be indexed by search engines, and uses OpenAI services to generate tailored messages for each targeted website.

The analysis of archives containing AkiraBot scripts revealed that the framework has been active since September 2024, initially targeting Shopify, and progressively expanding to websites built using GoDaddy, Wix, Squarespace, and generic website contact forms.

“These technologies are primarily used by small- to medium-sized businesses for their ease in enabling website development with integrations for eCommerce, website content management, and business service offerings,” SentinelOne’s SentinelLabs says.

The cybersecurity firm identified multiple versions of the framework, all using hardcoded OpenAI API keys, as well as the same proxy credentials and test sites.

In AkiraBot’s user interface, the operator can view attack metrics, select a list of websites to target, and choose how many sites to target concurrently.

Spam messages are generated based on a template containing a generic outline, which is served to the OpenAI chat API. The OpenAI client is instructed to act as an assistant that generates marketing messages.

“The resulting message includes a brief description of the targeted website, making the message seem curated. The benefit of generating each message using an LLM is that the message content is unique and filtering against spam becomes more difficult compared to using a consistent message template which can trivially be filtered,” SentinelLabs explains.

In Other News...

Google Pushing ‘Sec-Gemini’ AI Model for Threat-Intel Workflows

The AI model, called Sec-Gemini v1, touts a combination of Google’s Gemini large language model capabilities with near real-time security data and tooling, including integration with Google Threat Intelligence (GTI), the Open Source Vulnerability (OSV) database, and other internal resources.

“This combination allows it to achieve superior performance on key cybersecurity workflows, including incident root cause analysis, threat analysis, and vulnerability impact understanding,” the company said.

The company boasts that Sec-Gemini v1 outperforms other models on several cybersecurity benchmarks.

According to Google, Sec-Gemini v1 leads by at least 11% on the CTI-MCQ threat intelligence benchmark and by 10.5% on the CTI-Root Cause Mapping benchmark, which assesses an AI model’s ability to understand vulnerability descriptions and classify them using the Common Weakness Enumeration (CWE) taxonomy.

In practical examples shared by Google’s security team, Sec-Gemini v1 was able to accurately identify Salt Typhoon as a threat actor and provide detailed contextual information, including associated vulnerabilities and risk profiles.

Google said these capabilities are powered by its integration with Mandiant’s threat intelligence data.

AI Now Outsmarts Humans in Spear Phishing, Analysis Shows

Since 2023, Hoxhunt has run ongoing experiments pitting AI-generated spear phishing against spear phishing written by expert red teams, and has found a 55% improvement in AI performance. In 2023, when the experiment started, AI was 31% less effective than humans. By March 2025, it was 24% more effective. (Effectiveness is measured by the number of times the spear phishes succeeded in getting the target to ‘click’.)

The 2023 results were similar to those returned by a separate study conducted by IBM’s X-Force Red, also in 2023. The IBM study found a human phish achieved a 14% click rate against an 11% click rate from the AI phish, confirming that humans were, at least then, the better phishers. Both experiments were conducted with phishes generated by prompt engineering ChatGPT, because at the time, that was the only generally available way to use AI.

IBM’s Chief People Hacker at X-Force Red, Snow Carruthers, suggested a primary reason for AI’s failure to move the needle in 2023 was its lack of emotional intelligence. “Humans understand emotions in ways that AI can only dream of. We can weave narratives that tug at the heartstrings and sound more realistic, making recipients more likely to click on a malicious link.”

But she added, “I think my biggest takeaway is to question what the future is going to look like. If we continue to improve gen-AI and make it sound more human, these phishing emails are going to be possibly devastating.”