Security Digest (April 2025)

April 2025

Patch Tuesday – 4/08/2025

The 2nd Tuesday of every month is Patch Tuesday! Every Patch Tuesday, Microsoft addresses security vulnerabilities in their products via a large deployment of software updates. This month’s Patch Tuesday addressed 121 security vulnerabilities. The full list can be seen here.

This month’s leading risk types are Execution and Elevation Of Privilege (40%) followed by Remote Code Execution (26%) and Information Disclosure (14%)

Threat Grading Overview
Microsoft assesses threats based on the theoretical worst possible outcome were a vulnerability to be exploited. The assessment factors in how easily a vulnerability can be exploited, and what damage could be done.

These patches included remediation for one “Zero-Day” vulnerability, meaning no patch was previously available. This vulnerability is being actively exploited in the wild.

CVE-2025-29824 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Microsoft says this vulnerability allows local attackers to gain SYSTEM privileges on the device (the highest possible permissions).

“The security update for Windows 10 for x64-based Systems and Windows 10 for 32-bit Systems are not immediately available,” explained Microsoft.

“The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.”

Microsoft says the patches are not available for Windows 10 LTSB 2015 and will be released in the future.

After the publishing of this article, Microsoft shared more details about how the flaw was exploited as a zero-day by the RansomEXX ransomware gang to gain elevated privileges.

Microsoft attributes the discovery of this flaw to the Microsoft Threat Intelligence Center.

Vendor Patch Review

Various companies have recommended critical patches for common software this month. Some of the most notable can be seen below:

Apache fixed a maximum severity RCE flaw in Apache Parquet.
Apple backported fixes for actively exploited flaws to older devices.
Google released security updates for 62 Android vulnerabilities, including two zero-days exploited in targeted attacks.
Ivanti released its April security updates as well as a fix earlier this month to patch a critical Connect Secure remote code execution flaw exploited by Chinese threat actors.
Fortinet released security update for numerous products, including a critical flaw that allows attackers to change admin passwords in FortiSwitch.
MediaTek released security updates as part of its April 2025 security bulletin.
Minio released security updates for an “incomplete signature validation for unsigned-trailer uploads” flaw, urging users to upgrade ASAP.
SAP releases security updates for multiple products, including three critical flaws.
WinRAR disclosed a flaw that prevented Mark of the Web updates from propagating to extracted files.

Advanced deploys patches to all environments as a priority following a testing phase. The criticality of security updates is determined by several factors, primarily the ease of exploitability by threat actors and if the vulnerability has been exploited in the wild. Please reach out to [email protected] with any questions, comments or concerns on your patch management.

Apple Updates

Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security. The latest build numbers for various products can be seen below.

The latest version of iOS and iPadOS is 18.4.1. Learn how to update the software on your iPhone or iPad.
The latest version of macOS is 15.4.1. Learn how to update the software on your Mac and how to allow important background updates.
The latest version of tvOS is 18.4.1. Learn how to update the software on your Apple TV.
The latest version of watchOS is 11.4. Learn how to update the software on your Apple Watch.
The latest version of visionOS is 2.4.1. Learn how to update the software on your Apple Vision Pro.

Note that after a software update is installed for iOS, iPadOS, tvOS, watchOS, and visionOS, it cannot be downgraded to the previous version.

Case Study: Delivery Of Persistent Access Tools

What is Persistent Access?

Persistent access is the ability of an attacker to ensure they can return to a compromised system or network at will, typically by embedding mechanisms that survive system restarts, user logoffs, or security interventions. These tools are often referred to as Remote Access Trojans, or RATs. They can transform a one-time breach into a long-term foothold. Persistent access allows a threat actor to:

Conduct ongoing data exfiltration, such as passwords or sensitive files
Deploy additional malware or ransomware over time.
Monitor user activity or escalate privileges for deeper network access.

How Are Threat Actors Establishing Persistent Access?

Threat Actors almost always establish persistent access via phishing emails. These phishing emails can come in various forms, including fake LinkedIn posts, advisories on Social Security benefits, and Quickbooks updates.

Once an end user clicks the links in these emails, a connection is made to an external site to install the RAT, shown here with a fake name of “IntuitPatch.Clientsetup.exe”.

Once opened, the executable file will begin installing software called ScreenConnect Client. This is legitimate remote access software designed for technicians to remotely manage end user workstations.

Once fully installed, ScreenConnect Client will appear in the victim’s software list.

The threat actor is then notified of the successful installation in their personal ScreenConnect administrator console. This allows threat actors to make remote connections to the target PC, run code to install additional tools, and extract any information with no restrictions.

How End Users Can Prevent Falling Victim to ScreenConnect Misuse?
Recognize Phishing Emails

Be wary of unsolicited emails claiming to be from IT support, vendors, or trusted contacts requesting software installation (e.g., “Install this remote support tool”).
Check the sender’s email address for discrepancies (e.g., [email protected] instead of [email protected]) and look for typos or urgent language
Keep end users up to date on the latest threat campaigns targeting your industry.

Recognize and Report Irregular Activity

Advise end users to alert administrators to any irregular PC activity.
Watch for unexpected session prompts or screen-sharing requests, which could indicate unauthorized connection.
Review any end user devices exhibiting unusual levels of resource consumption or activity, especially after working hours.

Build A Culture That Champions Security Awareness

Encourage Security Awareness Training for all staff members.
Incentivize reporting suspicious emails and circulating information around the company
Openly discuss security issues with team members. Encourage questions and critical thinking to truly understand the nature of prevalent threats.

As always, ADVANCED is happy to be your trusted security advisor. Reach out to [email protected] to see how we can improve your security posture today!

Regards,

ADVANCED Security Operations

https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-april-2025/
https://msrc.microsoft.com/update-guide/releaseNote/2025-APR
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2025-patch-tuesday-fixes-exploited-zero-day-134-flaws/
https://support.apple.com/en-us/100100
https://blog.knowbe4.com/warning-phishing-campaign-impersonates-the-us-social-security-administration
https://hackread.com/fake-ssa-emails-trick-users-installing-screenconnect-rat/
https://cofense.com/phishme-security-awareness-training-(sat)-platform
https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Security Digest (April 2025)

Recent Posts

Why End User Verification Is Non-Negotiable for Connecticut Businesses

ADVANCED Announces New VP and CTO

Modernize Your File Server: Seamless SharePoint Migrations for Connecticut & Long Island Businesses

Security Digest (April 2025)

Categories

CONTACT US