Programmer’s Digest #121
02/05/2025-02/12/2025 Critical Flaws in Connect Secure and Policy Secure, Vulnerabilities in Cisco Identity Services Engine, Zimbra Releases Security Updates And More.
1. Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
Ivanti has released security updates for multiple vulnerabilities in Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). All four require authentication, and three require administrator privileges, but the most severe can be chained to remote code execution on the appliance.
Vulnerabilities:
- CVE-2024-38657 (CVSS 9.1): External control of file name lets a remote authenticated attacker with admin privileges write arbitrary files (ICS before 22.7R2.4, IPS before 22.7R1.3).
- CVE-2025-22467 (CVSS 9.9): Stack-based buffer overflow that a remote authenticated attacker, without admin privileges, can use for remote code execution (ICS before 22.7R2.6).
- CVE-2024-10644 (CVSS 9.1): Code injection allowing a remote authenticated attacker with admin privileges to execute code (ICS before 22.7R2.4, IPS before 22.7R1.3).
- CVE-2024-47908 (CVSS 9.1): OS command injection in the CSA admin web console, exploitable by a remote authenticated attacker with admin privileges (CSA before 5.0.5).
Fixed versions: ICS 22.7R2.6, IPS 22.7R1.3, CSA 5.0.5. Ivanti said it was not aware of in-the-wild exploitation at the time of disclosure but urges immediate patching, noting that its edge products are a regular target of sophisticated attackers; the authentication requirement is not a reason to defer, since admin credentials on these appliances are exactly what earlier Ivanti intrusions harvested.
Meanwhile, Bishop Fox published details of CVE-2024-53704, an authentication bypass in the SonicWall SonicOS SSL VPN, and counted roughly 4,500 internet-exposed SSL VPN servers still unpatched. Akamai disclosed two vulnerabilities in Fortinet FortiOS (CVE-2024-46666 and CVE-2024-46668), and Fortinet separately fixed CVE-2025-24472, an authentication bypass in FortiOS and FortiProxy.
2. Multiple Vulnerabilities in Cisco Identity Services Engine (ISE)
Cisco has released security updates for two critical vulnerabilities (CVE-2025-20124 and CVE-2025-20125) in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Both affect the products regardless of device configuration, and both require valid read-only administrative credentials, so a read-only admin account is effectively a root account until the patch is applied.
Vulnerabilities:
- CVE-2025-20124 (CVSS v3.1 9.9): Insecure Java deserialization in an ISE API. A remote attacker authenticated with read-only administrative credentials can send a crafted serialized Java object and execute arbitrary code on the device as root.
- CVE-2025-20125 (CVSS v3.1 9.1): Authorization bypass in an ISE API. A remote attacker with valid read-only administrative credentials can obtain sensitive information, modify node configurations, and restart the node.
The vulnerabilities affect Cisco ISE Software releases 3.3 and earlier; release 3.4 is not affected. Apply the Cisco-supplied patch for your release train.
3. Progress Software Fixes Multiple Vulnerabilities in Its LoadMaster Software
Progress Software has patched multiple high-severity vulnerabilities in its LoadMaster load balancer that could allow an authenticated attacker with access to the management interface to execute system commands or read files. CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, and CVE-2024-56135 (all CVSS 8.4) stem from improper input validation and enable OS command injection via specially crafted HTTP requests to the management interface. CVE-2024-56134 (CVSS 8.4) lets the same class of attacker download any file from the appliance via a crafted HTTP request. Because every one of these requires management-interface access, keeping that interface off the internet and restricted to an admin network limits exposure while the patch is rolled out.
4. Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities
Zimbra has released updates for several security flaws in Zimbra Collaboration. CVE-2025-25064 (CVSS 9.8) is a SQL injection vulnerability in the ZimbraSync Service SOAP endpoint, caused by insufficient sanitization of a user-supplied parameter, that affects versions before 10.0.12 and 10.1.4; an authenticated attacker could exploit it to retrieve email metadata. Zimbra also patched a stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client; the fix improves input sanitization and ships in 9.0.0 Patch 44, 10.0.13, and 10.1.5.
Zimbra further addressed CVE-2025-25065 (CVSS 5.3), a server-side request forgery (SSRF) flaw in the RSS feed parser that could allow unauthorized redirection of server-side requests to internal endpoints. This was patched in 9.0.0 Patch 43, 10.0.12, and 10.1.4.
Users are urged to update to the latest Zimbra Collaboration versions to protect against these vulnerabilities.
5. Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware
Threat actors are exploiting recently disclosed vulnerabilities in SimpleHelp's Remote Monitoring and Management (RMM) software as part of a ransomware campaign, according to Field Effect. The flaws are CVE-2024-57727 (an unauthenticated path traversal that discloses server configuration files), CVE-2024-57726 (privilege escalation to administrator), and CVE-2024-57728 (arbitrary file upload leading to remote code execution); chained together they take an unauthenticated attacker to code execution on the RMM server. They were patched in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8. Field Effect observed attackers using a vulnerable SimpleHelp instance to gain initial access, create an administrator account, and deploy the Sliver post-exploitation framework for persistence. The attackers then attempted to stand up a Cloudflare tunnel to route their traffic covertly, but the intrusion was detected and contained before ransomware was deployed. The tactics resemble Akira ransomware intrusions from 2023, though other threat actors may be involved. Organizations running SimpleHelp are urged to update immediately and to review their instances for unexpected administrator accounts.
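The post-exploitation steps in the SimpleHelp story (a new local administrator account, then a Cloudflare tunnel for covert transport) are all visible in process-creation telemetry, and they are worth hunting for regardless of which RMM product was the entry point. The following is an added example, not Field Effect's detection content and not SimpleHelp code. The log records are constructed to resemble Windows process-creation events; the field names (`host`, `parent`, `image`, `cmd`) and the SimpleHelp install path in the sample are assumptions to be mapped onto your own schema (for instance Sysmon Event ID 1). The rules key on the command line rather than the binary name, because the tunnel client can be dropped under any filename.

```python
"""Hunt for the post-exploitation steps described in item 5 (new admin
account, Cloudflare tunnel) in process-creation telemetry.

Added example, not vendor or Field Effect code. SAMPLE_LOG is constructed
test data; field names are an assumption about the telemetry schema.
"""
import json
import re
from typing import Iterable

# Constructed sample telemetry (not real logs): one JSON object per line.
# The renamed "svchost.exe" in C:\Users\Public is the cloudflared client
# under a decoy name; the genuine cloudflared on ws-07 is an admin's own.
SAMPLE_LOG = r"""
{"host":"srv-01","parent":"C:\\Program Files\\SimpleHelp\\Remote Access.exe","image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c net user support_admin P@ssw0rd! /add"}
{"host":"srv-01","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\net.exe","cmd":"net localgroup administrators support_admin /add"}
{"host":"srv-01","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Users\\Public\\svchost.exe","cmd":"svchost.exe tunnel --no-autoupdate run --token eyJhIjoiZmFrZSJ9"}
{"host":"ws-07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files (x86)\\cloudflared\\cloudflared.exe","cmd":"cloudflared.exe tunnel --url http://localhost:8080"}
{"host":"ws-07","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\net.exe","cmd":"net use Z: \\\\fileserver\\share"}
"""

# Each rule is (name, pattern over the full command line). Patterns are
# case-insensitive because cmd.exe and attackers do not care about case.
RULES = [
    # "net user <name> [<password>] /add" creates a local account.
    ("local-admin-account-created",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)),
    # "net localgroup administrators <name> /add" grants it admin rights.
    ("added-to-administrators",
     re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    # cloudflared's named-tunnel form ("tunnel ... run --token ...") and its
    # quick-tunnel form ("tunnel --url ..."), whatever the binary is called.
    ("cloudflared-tunnel",
     re.compile(r"\btunnel\b.*(\brun\s+--token|--url\s+\S+)", re.I)),
]


def scan(lines: Iterable[str]) -> list[dict]:
    """Return one hit per (event, rule) match, with context an analyst needs:
    whether the parent was the RMM agent and whether the tunnel binary was
    renamed (tunnel syntax from something not called cloudflared)."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        for name, pattern in RULES:
            if pattern.search(ev["cmd"]):
                hits.append({
                    "host": ev["host"],
                    "rule": name,
                    "image": ev["image"],
                    # Install path is an assumption; adjust to your deployment.
                    "from_rmm": "simplehelp" in ev["parent"].lower(),
                    "renamed": name == "cloudflared-tunnel"
                               and "cloudflared" not in ev["image"].lower(),
                })
    return hits


def scan_text(text: str = SAMPLE_LOG) -> list[dict]:
    """Convenience wrapper: scan newline-delimited JSON held in a string."""
    return scan(text.splitlines())


if __name__ == "__main__":
    for hit in scan_text():
        flags = ("RMM-spawned " if hit["from_rmm"] else "") + ("renamed-binary" if hit["renamed"] else "")
        print(f'{hit["host"]:7} {hit["rule"]:28} {hit["image"]}  {flags}')
```

Two of the four hits carry the context that turns a noisy rule into an alert: the account creation was spawned by the RMM agent, and the tunnel syntax came from a binary that is not named cloudflared. A legitimate admin running cloudflared from its own install directory (the ws-07 record) still matches the tunnel rule, so treat that rule as a triage signal and the "renamed" or "RMM-spawned" annotations as the escalation criteria.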
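Every item in this digest comes down to the same question for a defender: is the version we run at or above the fixed version for its release train? Vendors number their trains differently (Ivanti's 22.7R2.x versus 22.7R1.x, Zimbra's 9.0.0 Patch N versus 10.0.x and 10.1.x, SimpleHelp's 5.3/5.4/5.5), and a naive "is version A greater than version B" comparison gets the cross-train cases wrong. The following added example (not vendor tooling) takes the fixed versions quoted in items 1, 4 and 5 and checks a constructed inventory against them, train by train. The branch prefixes are an assumption about how each vendor numbers its trains; for Zimbra the table uses the later fix release per train, since 10.0.12 and 10.1.4 fix the SQL injection and SSRF but not the stored XSS.

```python
"""Branch-aware 'are we patched?' check against the fixed versions quoted
in this digest. Added example, not vendor code; INVENTORY is constructed.
"""
import re
from typing import NamedTuple


class Fix(NamedTuple):
    branch: str   # prefix that identifies the release train, e.g. "22.7R2"
    fixed: str    # first version in that train carrying the fix


# Fixed versions as stated in items 1, 4 and 5. The branch prefixes are an
# assumption about each vendor's numbering, not something the vendors publish.
FIXED = {
    "Ivanti Connect Secure": [Fix("22.7R2", "22.7R2.6")],
    "Ivanti Policy Secure":  [Fix("22.7R1", "22.7R1.3")],
    "Ivanti CSA":            [Fix("5.0", "5.0.5")],
    "Zimbra Collaboration":  [Fix("9.0.0", "9.0.0 Patch 44"),
                              Fix("10.0", "10.0.13"),
                              Fix("10.1", "10.1.5")],
    "SimpleHelp":            [Fix("5.3", "5.3.9"),
                              Fix("5.4", "5.4.10"),
                              Fix("5.5", "5.5.8")],
}


def version_key(version: str) -> tuple[int, ...]:
    """Reduce a vendor version string to its integer components so trains
    compare lexicographically: '22.7R2.4' -> (22, 7, 2, 4),
    '9.0.0 Patch 44' -> (9, 0, 0, 44). Letters and separators are dropped,
    so strip build suffixes like '-build123' before calling if present."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def in_branch(version: str, branch: str) -> bool:
    """True when the version's leading components equal the branch prefix."""
    branch_key, version_key_ = version_key(branch), version_key(version)
    return version_key_[:len(branch_key)] == branch_key


def assess(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch'.

    Only the fix for the installed version's own train is compared; a
    9.0.0 Patch 44 Zimbra must not be judged against 10.1.5, and a
    10.0.12 must not be judged 'newer than' 9.0.0 Patch 44."""
    fixes = FIXED.get(product)
    if fixes is None:
        raise KeyError(f"no fixed-version data for {product!r}")
    for fix in fixes:
        if in_branch(installed, fix.branch):
            return "patched" if version_key(installed) >= version_key(fix.fixed) else "vulnerable"
    # A train the vendor did not list (an end-of-life release, say) received
    # no fix at all, so it must be treated as exposed, never as patched.
    return "unknown-branch"


# Constructed inventory for the demonstration.
INVENTORY = [
    ("vpn-01",  "Ivanti Connect Secure", "22.7R2.4"),
    ("vpn-02",  "Ivanti Connect Secure", "22.7R2.6"),
    ("nac-01",  "Ivanti Policy Secure",  "22.7R1.2"),
    ("mail-01", "Zimbra Collaboration",  "10.0.12"),
    ("mail-02", "Zimbra Collaboration",  "9.0.0 Patch 44"),
    ("mail-03", "Zimbra Collaboration",  "8.8.15 Patch 46"),
    ("rmm-01",  "SimpleHelp",            "5.5.7"),
]


def report(inventory=INVENTORY) -> dict[str, str]:
    """Map each host to its patch status."""
    return {host: assess(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:8} {status}")
```

The "unknown-branch" outcome is deliberate: mail-03 runs a Zimbra train that none of the quoted fixes cover, and the safe reading of that is "exposed and without a patch", not "too old to matter".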