Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

Source: Kenishirotie via Alamy Stock Photo

Arguably, no advanced persistent threat (APT) enjoys as much notoriety as Sandworm, otherwise known as Military Unit 74455 within Russia's military intelligence (GRU). Its highlight reel includes NotPetya, an attack against the 2018 Winter Olympics, and two effective assaults on Ukraine's power grid. More recent activities include a campaign against Denmark's energy sector and an unsuccessful attempt to down Ukraine's grid for a third time, followed by a successful attempt.

In a sign of the times, Sandworm has subtly been shifting toward quieter, more widespread intrusions. Microsoft, which tracks the group as "Seashell Blizzard," has identified a subgroup within 74455 focused solely on gaining initial access to high-value organizations across major industries and geographic regions. It calls this subgroup "BadPilot."

**Sandworm's IAB, BadPilot**

Since at least late 2021, BadPilot has been performing opportunistic attacks against Internet-facing infrastructure, taking advantage of known vulnerabilities in popular email and collaboration platforms. Notable examples include Zimbra's CVE-2022-41352, the Microsoft Exchange bug CVE-2021-34473, and CVE-2023-23397 in Microsoft Outlook. All three of these vulnerabilities received "critical" 9.8 out of 10 scores in the Common Vulnerability Scoring System (CVSS).

BadPilot uses these critical vulnerabilities to gain useful initial access to traditionally high-value organizations: telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and entities of foreign governments. Targets have ranged from Ukraine and broader Europe to Central and South Asia and the Middle East.

Since early 2024, BadPilot has expanded to access targets in the US and UK as well. For this, it has made particular use of bugs in remote monitoring and management software: CVE-2023-48788, for example, a remote injection opportunity in the Fortinet Forticlient Enterprise Management Server (EMS), and the rare 10 out of 10 CVSS-rated CVE-2024-1709, allowing for authentication bypass in ScreenConnect by ConnectWise.

After gaining its foothold on a targeted system, BadPilot follows all the usual steps of any average hacking operation. It promptly establishes persistence using its custom "LocalOlive" Web shell, as well as copies of legitimate remote management and monitoring (RMM) tools, or "ShadowLink," which configures compromised systems as Tor hidden services. It collects credentials, performs lateral movement, exfiltrates data as necessary, and sometimes performs further post-compromise activities.

"There is not a lack of sophistication here, but a focus on agility and obtaining goals," says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "These TTPs work because this threat actor is persistent and continues pursuing its objectives."

**The Impact in Ukraine**

Ultimately, BadPilot's job is to lubricate more significant attacks by its parent group, and, by extension, empower its controlling government. While a lot of its activity seems opportunistic, Microsoft wrote, "its compromises cumulatively offer Seashell Blizzard options when responding to Russia's evolving strategic objectives."

It may or may not be a coincidence, for example, that the group came into being just months before Russia's invasion of Ukraine. As that war began, and Russia peppered its neighbor with more cyberattacks than ever before, BadPilot was right in the mix, helping gain access to organizations perceived to be providing political or military support to its adversary. Additionally, Microsoft says, the group has enabled at least three destructive attacks in Ukraine since 2023.

Sandworm has targeted critical infrastructure across Ukraine since the war started, including telecommunications infrastructure, manufacturing plants, transportation and logistics, energy, water, military and government organizations, and other infrastructure meant to support the civilian population. It has also targeted military communities for the purpose of intelligence gathering.

"These threat actors are persistent, creative, organized, and well-resourced," DeGrippo emphasizes. For this reason, "Critical sectors need to ensure that they sustain above-average security practices, patch their software, monitor Internet-facing assets, and enhance their overall security posture."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to…

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to protect against these threats.

Microsoft’s February 2025 Patch Tuesday update addresses 63 security vulnerabilities across its product range, including two zero-day exploits actively being used by attackers. Four of these vulnerabilities are classified as critical.

The update covers a variety of vulnerability types, including remote code execution, elevation of privilege, denial of service, spoofing, security feature bypass, information disclosure, and tampering.

Screenshot via SOCRadar

Two zero-day vulnerabilities are of particular concern due to their active exploitation.  

CVE-2025-21391, an elevation of privilege flaw in Windows Storage, could allow attackers to delete critical system files, potentially causing data loss and service disruptions.  While Microsoft states this vulnerability doesn’t expose confidential data, the ability to disrupt services is, nevertheless, a serious concern.  

The second actively exploited zero-day, CVE-2025-21418, affects the Ancillary Function Driver for Windows Sockets.  This vulnerability enables privilege escalation, potentially granting attackers SYSTEM-level access.  Details about the exploitation methods for these vulnerabilities remain undisclosed.

Microsoft is also addressing two publicly disclosed zero-day vulnerabilities. CVE-2025-21194, a hypervisor flaw, could compromise the secure kernel in UEFI-based virtual machines. This vulnerability is speculated to be related to the PixieFail vulnerabilities. Another flaw, CVE-2025-21377, could allow attackers to steal NTLM hashes through minimal user interaction with a malicious file.

Some critical vulnerabilities patched by Microsoft include: CVE-2025-21376, an RCE vulnerability in Windows Lightweight Directory Access Protocol allowing arbitrary code execution. CVE-2025-21177, a Server-Side Request Forgery vulnerability in Dynamics 365 that may lead to privilege escalation. CVE-2025-21379 in the DHCP Client Service and CVE-2025-21381 in Microsoft Excel, both allow remote code execution.  

Another severe flaw addressed was in Microsoft’s High-Performance Compute Pack. Tracked as CVE-2025-21198, it is a remote code execution (RCE) vulnerability that allows attackers to perform RCE on other clusters or nodes connected to the targeted head node by sending a specially crafted HTTPS request

Microsoft also addressed some high-risk flaws in this update including vulnerabilities in Microsoft Office SharePoint, Windows Disk Cleanup Tool, Windows CoreMessaging, Windows Win32 Kernel Subsystem, Windows Setup Files Cleanup, Windows DWM Core Library, and others. These vulnerabilities are considered high-risk due to their potential for exploitation and the lack of existing workarounds.  

Beyond Microsoft’s updates, other vendors, including Adobe, SAP, and Ivanti, have also released security patches.  SAP’s updates address vulnerabilities in BusinessObjects, Supplier Relationship Management, and Approuter, including a critical authorization flaw.  Ivanti’s patch fixes a critical OS command injection vulnerability in its Cloud Services Application.  

These updates highlight the ongoing need for timely security patching. With actively exploited zero-days and a range of critical vulnerabilities, organizations must prioritize applying these updates to mitigate risks. The sheer volume of vulnerabilities tracked by security platforms is staggering, as illustrated by SOCRadar’s Vulnerability Intelligence dashboard.

Screenshot via SOCRadar

Mr. Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, told Hackread.com that CVE-2025-21391, though appearing as a file deletion bug, is actively exploited and far more dangerous when combined with code execution. While it doesn’t threaten confidentiality, it severely impacts integrity and availability, potentially crippling servers. Attackers can exploit it to delete critical system files, replacing them with weakly secured versions, and ultimately gaining SYSTEM-level access. Abbasi warns this is no minor flaw; it’s a stealthy path to full system control.

Patch Tuesday: Microsoft Fixes 63 Bugs with 2 Zero-Days

When it comes to keeping patient information safe, people empowerment is just as necessary as deploying new technologies.

Source: Yuri Arcurs via Alamy Stock Photos

COMMENTARY

Some say artificial intelligence (AI) has changed healthcare in ways we couldn't have imagined just a few years ago. It's now used for everything from paperwork to helping doctors make better diagnoses. But like any new tech, there are risks involved.

Currently, AI is both a potent defense mechanism and an attacker enabler. Therefore, the question that must be asked is clear: Is AI an enemy or a friend of cybersecurity in healthcare? Honestly, the answer is both.

**AI as the Defender: Enhancing Healthcare Security**

Healthcare systems are rich targets for malicious actors, with considerable protected health information (PHI) spread across interconnected assets such as electronic health records, Internet of Things (IoT)-enabled medical devices, and telehealth platforms. It has been proven that traditional cybersecurity tools often lack the resources and features required to protect such complex ecosystems and, as in different industries, struggle to keep pace with both the volume of data being generated and evolving attack methodologies.

The advantage of machine learning algorithms is that they can find a potential threat before it is serious. AI-powered security tools can detect anomalies in system behaviors, such as unauthorized data transfer or suspicious login activities, and thus proactively prevent a breach. Indeed, several hospitals using AI-powered systems have been able to avert ransomware attacks and maintain operational integrity and patient safety.

Artificial Intelligence is also incomparable in terms of its critical role in reducing administrative burdens and further complying with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations. AI-powered tools, such as virtual assistants and data processing systems, take over administrative work while safeguarding sensitive data. These tools protect PHI and free human resources to focus on patient care.

**AI as the Enabler of Cyber Threats**

While AI hardens the defense, it turbocharges the attacker side, too. In such a way, cyber threats in healthcare have become increasingly sophisticated. The game changed with generative AI tools that let attackers create unbelievably realistic tailor-made emails with perfect grammar and formatting that quickly slipped through traditional security filters.

Deepfakes add another layer to these deceptions: generating hyperreal audio and video that makes an attacker sound like senior health leaders or other trusted voices. These fabrications have been used to deceive staff into granting unauthorized access, sharing PHI, and even making fraudulent financial transactions. In some cases, attackers have used deepfakes to spread false medical information or to undermine public confidence, further destabilizing an already complex threat landscape.

AI-powered malware leverages machine learning to make live changes, evade traditional detection, and zero in on critical systems, such as IoT-enabled devices and electronic health records. Attackers manipulate diagnostic data, alter medical imaging, and gain entry through vulnerabilities in lightly secured IoT devices, enabling them to create avenues to coordinate attacks. Combining AI with IoT could pose a greater threat to patient safety and trust in healthcare systems than just financial losses. 

AI-powered threats sound an alarm for information security, IT, and healthcare leaders. These risks are reshaping the cybersecurity landscape. Preemptive defenses require advanced AI tools, employee training, and collaboration across cross-functional teams. This would, in turn, involve policy and detection system reviews to grant top priority for countering AI-impelled social engineering and malware. Constantly being one step ahead of the bad actors requires constant vigilance, innovative thinking, and a core commitment to data safety and patient care.

**Balancing AI's Potential with Realistic Implementation**

As an expert or executive, you face the critical decision of managing the promise of AI and the risk it further introduces into an already overcomplicated cybersecurity landscape. AI is not the Holy Grail; it's a tool that can be used for and against us. AI’s transformative potential in healthcare and security comes from how it is implemented, so leaders must approach its adoption with a balanced perspective. They should be excited yet cautious, knowing full well that attackers are leveraging the very same technology to undermine our systems, data, and trust.

In my experience, the excitement around adopting AI tools like transcript generators, grammar checkers, or automated note-taking systems often takes precedence over critical security assessments. I have seen teams advocate for rapid implementation to save time and resources without assessing the risks; common questions such as where the data is stored, how it is processed, or if the vendor is compliant often are not asked. This rush to embrace convenience creates gaps that attackers can exploit, especially in healthcare, where even minor oversights can lead to significant breaches of PHI or personally identifiable information (PII).

Deepfakes, adaptive malware, and the exploitation of IoT devices, all powered by AI, require a new type of thinking to address these threats — one that changes from legacy defenses or even leading-edge AI-powered tools to placing those tools within an extended proactive security framework encompassing audits, employee training, and reliable governance. For that to happen, health workers and administrators must be empowered to recognize sophisticated attacks, faked video calls, or some other unexpected data transfer AI flagged up. People empowerment is just as necessary in deploying new technologies.

Drive collaboration between IT, security, and clinical teams in developing customized strategies for technical vulnerabilities and operational realities. This means vigilance, from systems monitoring to continuing review of AI's evolving role in your institution.

Safeguarding healthcare systems includes protecting the trust and well-being of the patients it cares for and its entire community. This depends entirely on the type of leadership that doesn't just react to threats but proactively takes bold measures to mitigate risks before they spread. Security embedded in all facets of the organization should ensure continuity of critical operations and uncompromised care of the patients by leaders in healthcare.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Is AI a Friend or Foe of Healthcare Security?

Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container's isolation protections and gain complete access to the underlying host.
The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: 8.3). It affects the following versions -

NVIDIA Container Toolkit (All

Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability

Apple fixes the USB Restricted Mode flaw in iOS 18.3.1 and iPadOS 18.3.1.  Vulnerability exploited in targeted attacks.…

Apple fixes the USB Restricted Mode flaw in iOS 18.3.1 and iPadOS 18.3.1.  Vulnerability exploited in targeted attacks. Update your iPhone/iPad now.

Apple has issued an urgent security update for iPhones and iPads, addressing a significant vulnerability that has, reportedly, already been exploited in targeted attacks. Tracked as CVE-2025-24200, the vulnerability affects the USB Restricted Mode, a security feature introduced in 2018 to protect devices from unauthorized access. 

For your information, this security feature is designed to disable the Lightning or USB ports of iPhones and iPads if they remain locked for more than an hour. Normally, these ports are re-enabled once the user authenticates and unlocks their device.   

However, it appears that this protection mechanism itself has been compromised. The bug can be exploited by an attacker with physical possession of a locked phone, enabling them to re-enable the data port and potentially allowing further intrusion. Apple has acknowledged that this flaw can disable the feature.

“A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an “extremely sophisticated” attack against specific targeted individuals,” the iPhone maker’s advisory read.

Security experts believe that Apple’s unusual choice of words, describing the exploit as “extremely sophisticated,” highlights the seriousness of the issue.   

The National Institute of Standards and Technology (NIST) has also assessed this vulnerability, describing it as an “authorization issue” that has been resolved through “improved state management.”  

The company has released patches, iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5 to address this issue. These updates are available for a wide range of devices, including iPhone XS and later models, as well as various iPad Pro, iPad Air, iPad Mini, and standard iPad models.

The vulnerability was discovered by Bill Marczak, a senior researcher at the Citizen Lab. While Apple has not provided detailed information about the attack or the specific methods used, the discovery by the Citizen Lab suggests a possible connection to sophisticated surveillance techniques, potentially at the nation-state level.

> Update your iPhones.. again! iOS 18.3.1 out today with a fix for an ITW USB restricted mode bypass (via Accessibility) https://t.co/jcrsab7RGu pic.twitter.com/ER42QQcsLj
> 
> — Bill Marczak (@billmarczak) February 10, 2025

Apple Confirms ‘Extremely Sophisticated’ Exploit Threatening iOS Security

Gambling companies are sharing their users’ data with Meta for marketing and tracking purposes.

While you might think you’re hitting the jackpot, whether you’ve consented to it or not, online gambling sites are playing with your data. Users’ data, including details of webpages they visited and buttons they clicked, are being shared with Meta, Facebook’s parent company.  

The Observer reports that over 150 UK gambling websites have been extracting visitor data through a hidden embedded tracking tool, and then sending that data to Meta in order to profile people as gamblers and flood them with Facebook ads for casinos and betting sites.

The gambling websites used and shared data for marketing purposes—without obtaining explicit permission from the users—in an apparent breach of data protection laws. The websites include popular sites like Hollywoodbets, Sporting Index, Lottoland, and Bwin.  

Of the 150 websites that were tested, 52 used a tracking tool called Meta Pixel to share data directly and without explicit consent. This data was automatically transferred when loading the webpage, before users could even accept or decline the use of their data.  

The data collection resulted in the reporter—who said they never once agreed to the use of their data for marketing purposes— being inundated with ads for gambling websites. In one browsing session, the reporter encountered ads from 49 different brands, including from betting companies which were not involved in the data collection and had been using Meta Pixel within the rules.  

Wolfie Christl, a data privacy expert investigating the ad tech industry commented:

> “Sharing data with Meta is highly problematic, even with consent, but doing so without explicit informed consent shows a blatant disregard for the law. Meta is complicit and must be held accountable” 

This isn’t the first time that gambling sites have been caught unlawfully selling off user data, and comes amid calls for a wider investigation into the targeting of gamblers, as well as the need for more protective measures.

**Don’t gamble away your data and stay protected**

Here are some ways to protect your data while using gambling (or any other) sites online:

*   Use a VPN, especially on public Wi-Fi networks
*   Use privacy-focused browsers and search engines, such as Brave
*   Clear your browsing data when closing your browser
*   Review the permissions of all your apps. Only grant them permission to access things they absolutely need.
*   Disable location tracking for as many apps as possible
*   Disable personalized ads as much as you can
*   Keep your devices up-to-date. This protects you from vulnerabilities that cybercriminals might try to exploit
*   Install Malwarebytes Browser Guard—our free tool that protects against ad tracking.

 Gambling firms are secretly sharing your data with Facebook  

Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said has come under active exploitation in the wild.
Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the 23 flaws Microsoft addressed in its Chromium-based Edge

Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation

Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could be exploited to achieve arbitrary code execution.
The list of vulnerabilities is below -

CVE-2024-38657 (CVSS score: 9.1) - External control of a file name in Ivanti Connect Secure before version 22.7R2.4 and Ivanti Policy

Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now

More than half of attacks on Indian businesses come from outside the country, while 45% of those targeting consumers come from Cambodia, Myanmar, and Laos.

Source: NicoElNino via Shutterstock

India continues to see a surge in cybercrime affecting both citizens and businesses, with cyber fraud against citizens jumping 51% over the past year and cyberattackers targeting businesses in volumes significantly higher than global averages.

Overall, Indian citizens filed more than 1.7 million cybercrime complaints in 2024, up from 1.1 million complaints in 2023, according to the latest data from India's National Cyber Reporting Platform (NCRP) released in early February. While many of those cyber scams came from domestic sources, about 45% of the cyberattacks came from cybercriminal havens in Cambodia, Myanmar, and Laos, according to the report.

The problem underscores the dark side of increasing access to online services. While the country is digitizing many of its government services — giving citizens easier access — crime has followed online, President Droupadi Murmu said during a speech to Parliament on Jan. 31.

"\[I\]n an increasingly digital society, cybersecurity has become a crucial issue of national importance," Murmu said. "Digital fraud, cybercrime, and emerging technologies like deepfakes pose challenges to our social, economic, and national security."

India's citizens are not the only targets of cybercriminals — business sites increasingly face online attacks. Cyber-risks and digital/technology risks are the most pressing concerns for companies in India, with businesses in the region prioritizing those issues more than their global counterparts, according to PricewaterhouseCoopers' "2025 Global Digital Trust Insights — India Edition."

Source: PricewaterhouseCoopers, "2025 Global Digital Trust Insights — India Edition"

"Over the next 12 months, Indian organizations are prioritizing the mitigation of three key risks: cyberthreats, digital vulnerabilities and inflation," PwC India stated in the report. "This focus highlights the critical need for robust cybersecurity, reliable technological infrastructure, and strategies to counter rising costs and ensure resilience and sustained growth."

**Businesses See Different Threat Profile**

Compared with other regions of the world, India is seeing a greater volume of attacks. The average website in India sees about 6.9 million unwanted requests — often referred to as "attacks" by vendors — every year, with 26% more attacks per site compared with the global average, according to Indusface. Denial-of-service attacks are also more common against Indian targets, compared with the global average, says Venky Sundar, founder and president for the Americas at Indusface.

The threat actors have gone mobile-first, with API servers for mobile applications targeted with 43% more requests per host compared with websites, he says.

There is "a shift in attack strategies towards disrupting mobile and connected services," Sundar says. "Cybercrime is increasingly targeting external-facing APIs associated with mobile apps rather than just traditional web platforms."

The attacks are split fairly evenly between domestic sources and global ones, he adds. Overall, about half of the malicious traffic targeting company sites and API servers are domestic, with much of the rest coming from four countries: US, France, UK, and Singapore.

**Government Moves to Protect Citizens**

The government is currently taking steps to make life harder for attackers. The Reserve Bank of India (RBI), for example, has created exclusive Internet domains for banks (bank.in) and for non-bank financial institutions (fin.in), which will be run by the Institute for Development and Research in Banking Technology (IDRBT). India also passed its first privacy and data-protection law in 2023, and drafted implementation rules last month, which together define the rights of Indian citizens and requirements for companies handling data.

India and the US also recently signed a memorandum of understanding (MoU) that allows the two countries to cooperate on intelligence gathering, the exchange of information on cybercrime cases, and collaborative training. India has also fought to rescue and repatriate its citizens from forced labor camps for criminal syndicates in Cambodia, Myanmar, and Laos, where they are forced to conduct a variety of online scams.

Yet the country still faces a shortage of cybersecurity professionals. In September, the government announced an effort to train 5,000 "cyber commandos" over the next five years, to help national and state governments with cyber investigations.

Training citizens in cybersecurity can have additional benefits, President Murmu said in her remarks to Parliament.

"My government has taken numerous measures to control these cyber threats, creating opportunities for employment in the field of cybersecurity for the youth \[and\] is continuously working to ensure competence in cybersecurity," she said, noting that the country has reached Tier 1 status in the International Telecommunication Union's Global Cybersecurity Index.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India's Cybercrime Problems Grow as Nation Digitizes

Microsoft today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

**Microsoft** today issued security updates to fix at least 56 vulnerabilities in its Windows operating systems and supported software, including two zero-day flaws that are being actively exploited.

All supported Windows operating systems will receive an update this month for a buffer overflow vulnerability that carries the catchy name CVE-2025-21418. This patch should be a priority for enterprises, as Microsoft says it is being exploited, has low attack complexity, and no requirements for user interaction.

**Tenable** senior staff research engineer **Satnam Narang** noted that since 2022, there have been nine elevation of privilege vulnerabilities in this same Windows component — three each year — including one in 2024 that was exploited in the wild as a zero day (CVE-2024-38193).

“CVE-2024-38193 was exploited by the North Korean APT group known as Lazarus Group to implant a new version of the FudModule rootkit in order to maintain persistence and stealth on compromised systems,” Narang said. “At this time, it is unclear if CVE-2025-21418 was also exploited by Lazarus Group.”

The other zero-day, CVE-2025-21391, is an elevation of privilege vulnerability in Windows Storage that could be used to delete files on a targeted system. Microsoft’s advisory on this bug references something called “CWE-59: Improper Link Resolution Before File Access,” says no user interaction is required, and that the attack complexity is low.

**Adam Barnett**, lead software engineer at **Rapid7**, said although the advisory provides scant detail, and even offers some vague reassurance that ‘an attacker would only be able to delete targeted files on a system,’ it would be a mistake to assume that the impact of deleting arbitrary files would be limited to data loss or denial of service.

“As long ago as 2022, ZDI researchers set out how a motivated attacker could parlay arbitrary file deletion into full SYSTEM access using techniques which also involve creative misuse of symbolic links,”Barnett wrote.

One vulnerability patched today that was publicly disclosed earlier is CVE-2025-21377, another weakness that could allow an attacker to elevate their privileges on a vulnerable Windows system. Specifically, this is yet another Windows flaw that can be used to steal NTLMv2 hashes — essentially allowing an attacker to authenticate as the targeted user without having to log in.

According to Microsoft, minimal user interaction with a malicious file is needed to exploit CVE-2025-21377, including selecting, inspecting or “performing an action other than opening or executing the file.”

“This trademark linguistic ducking and weaving may be Microsoft’s way of saying ‘if we told you any more, we’d give the game away,'” Barnett said. “Accordingly, Microsoft assesses exploitation as more likely.”

The SANS Internet Storm Center has a handy list of all the Microsoft patches released today, indexed by severity. Windows enterprise administrators would do well to keep an eye on askwoody.com, which often has the scoop on any patches causing problems.

It’s getting harder to buy Windows software that isn’t also bundled with Microsoft’s flagship Copilot artificial intelligence (AI) feature. Last month Microsoft started bundling Copilot with **Microsoft Office 365**, which Redmond has since rebranded as “**Microsoft 365 Copilot**.” Ostensibly to offset the costs of its substantial AI investments, Microsoft also jacked up prices from 22 percent to 30 percent for upcoming license renewals and new subscribers.

Office-watch.com writes that existing Office 365 users who are paying an annual cloud license do have the option of “Microsoft 365 Classic,” an AI-free subscription at a lower price, but that many customers are not offered the option until they attempt to cancel their existing Office subscription.

In other security patch news, **Apple** has shipped iOS 18.3.1, which fixes a zero day vulnerability (CVE-2025-24200) that is showing up in attacks.

**Adobe** has issued security updates that fix a total of 45 vulnerabilities across **InDesign**, **Commerce**, **Substance 3D** **Stager**, **InCopy**, **Illustrator**, **Substance 3D Designer** and **Photoshop Elements**.

**Chris Goettl** at **Ivanti** notes that **Google Chrome** is shipping an update today which will trigger updates for Chromium based browsers including **Microsoft Edge**, so be on the lookout for Chrome and Edge updates as we proceed through the week.

Tag

#vulnerability