Microsoft, Fortinet & Ivanti Warn About Actively Exploited Zero Day Vulnerabilities
Microsoft, Fortinet & Ivanti have all notified customers about vulnerabilities in their products that are known to have been exploited by threat actors. Prompt patching is strongly recommended, and workaround/mitigations should be implemented if patching must be delayed.
Microsoft
On Patch Tuesday, Microsoft issued patches for five vulnerabilities known to have been exploited in the wild, plus two publicly disclosed zero-day vulnerabilities. The actively exploited vulnerabilities are:
| Product | CVE | Severity | Type | Outcome |
| Microsoft DWM Core Library | CVE-2025-30400 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Windows Common Log File System | CVE-2025-32701 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Windows Common Log File System | CVE-2025-32706 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Windows Ancillary Function Driver | CVE-2025-32709 | Important | Elevation of Privilege | Local elevation of privilege to SYSTEM |
| Microsoft Scripting Engine | CVE-2025-30397 | Important | Memory Corruption | Code execution |
The following vulnerabilities have been publicly disclosed:
| Product | CVE | Severity | Type | Outcome |
| Microsoft Defender | CVE-2025-26685 | Important | Identity Spoofing | Spoofing of another account over an adjacent network |
| Visual Studio | CVE-2025-32702 | Important | Remote Code Execution | Local code execution by an unauthenticated attacker |
Microsoft also released patches for six critical vulnerabilities that are not known to have been exploited but should be prioritized. They affect Microsoft Office (CVE-2025-30377 and CVE-2025-30386), Microsoft Power Apps (CVE-2025-47733), Remote Desktop Gateway Service (CVE-2025-29967), and Windows Remote Desktop (CVE-2025-29966).
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Fortinet
Fortinet has issued a security advisory about a critical vulnerability affecting its FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera products. The stack-based buffer overflow vulnerability has been assigned a CVSS v4 severity score of 9.6 (CVSS v3.1: 9.8) and can be exploited by a remote unauthenticated hacker by sending HTTP requests with a specially crafted hash cookie. Successful exploitation of the vulnerability can allow arbitrary code execution.
Fortinet said it has observed exploitation of the vulnerability on FortiVoice. The threat actor scanned the device network, erased system crashlogs, and enabled fcgi debugging to log credentials from the system or SSH login attempts. The vulnerability is tracked as CVE-2025-32756 and affects the following product versions:
| Affected Product | Affected Versions | Fixed Versions |
| FortiVoice | 7.2.0 | Upgrade to 7.2.1 or above |
| 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above | |
| 6.4.0 through 6.4.10 | Upgrade to 6.4.11 or above | |
| FortiRecorder | 7.2.0 through 7.2.3 | Upgrade to 7.2.4 or above |
| 7.0.0 through 7.0.5 | Upgrade to 7.0.6 or above | |
| 6.4.0 through 6.4.5 | Upgrade to 6.4.6 or above | |
| FortiMail | 7.6.0 through 7.6.2 | Upgrade to 7.6.3 or above |
| 7.4.0 through 7.4.4 | Upgrade to 7.4.5 or above | |
| 7.2.0 through 7.2.7 | Upgrade to 7.2.8 or above | |
| 7.0.0 through 7.0.8 | Upgrade to 7.0.9 or above | |
| FortiNDR | 7.6.0 | Upgrade to 7.6.1 or above |
| 7.4.0 through 7.4.7 | Upgrade to 7.4.8 or above | |
| 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above | |
| 7.1 all versions | Migrate to a fixed release | |
| 7.0.0 through 7.0.6 | Upgrade to 7.0.7 or above | |
| 1.1 through 1.5 | Migrate to a fixed release | |
| FortiCamera | 2.1.0 through 2.1.3 | Upgrade to 2.1.4 or above |
| 2.0 all versions | Migrate to a fixed release | |
| 1.1 all versions | Migrate to a fixed release |
Fortinet has issued indicators of Compromise in its security alert. If immediate patching is not possible, Fortinet recommends disabling the HTTP/HTTPS administrative interface
Ivanti
Ivanti has issued a security advisory about two vulnerabilities affecting the Ivanti Endpoint Manager Mobile (EPMM) solution, one is a medium severity flaw and the other is high severity flaw. The two vulnerabilities can be chained together and can allow unauthenticated remote code execution. Ivanti explained that the two vulnerabilities are associated with open-source code used in the EPMM, and not within Ivanti’s code.
The medium severity flaw is tracked as CVE-2025-4427 and is an authentication bypass flaw with a CVSS v3.1 severity score of 5.3. The second vulnerability is a remote code execution vulnerability with a CVSS v3.1 severity score of 7.2
| Affected Product | Affected Versions | Fixed Versions |
| Ivanti Endpoint Mobile Manager | 11.12.0.4 and prior | 11.12.0.5 and later |
| 12.3.0.1 and prior | 12.3.0.2 and later | |
| 12.4.0.1 and prior | 12.4.0.2 and later | |
| 12.5.0.0 and prior | 12.5.0.1 and later |
Ivanti said users should upgrade to the latest version as soon as possible; however, risk can be greatly reduced if the user filters access to the API using the built-in Portal ACLs or an external WAF.
