Exposures, Exposed! Weekly Round-up February 3 – February 9
Welcome to the Groundhog Day edition of 'Exposures, Exposed!'—your go-to source for cyber vulnerability insights. This year, Punxsutawney Phil saw his shadow, predicting six more weeks of winter. As we brace for the cold days yet to come, our experts are tracking the latest exposure incidents to keep you warm, informed and well-prepared.
AMD and Google Disclose High-Severity Microcode Vulnerability
AMD and Google disclosed a high-severity vulnerability in Zen CPUs related to microcode signature verification. The flaw, tracked as CVE-2024-56161, allows attackers with local administrator privileges to load malicious microcode, potentially compromising the confidentiality and integrity of confidential guest systems running under AMD's Secure Encrypted Virtualization (SEV-SNP).
Google researcher Tavis Ormandy first identified the issue when an Asus update page revealed an undisclosed vulnerability. After coordination between the two companies, AMD released a patch for affected microprocessors. Some platforms also require firmware updates for SEV technology. Although exploitation requires local access and the ability to develop malicious microcode, the flaw poses significant risks. Google’s Eduardo Vela published a separate advisory and proof-of-concept exploit. Full details will be shared on March 5, 2025.
The Takeaway: Users should apply AMD's microcode updates and ensure SEV technology firmware is updated. Learn more here.
CISA Issues Nine New ICS Advisories for Critical Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released nine new Industrial Control Systems (ICS) advisories, identifying critical vulnerabilities in systems from Rockwell Automation, Schneider Electric, and AutomationDirect. The advisories highlight risks in various products, including Local File Inclusion in Western Telematic NPS Series and improper handling vulnerabilities in Rockwell Automation devices. Schneider Electric Modicon M580 PLCs and other devices were found to have buffer size and XML-related vulnerabilities, posing significant security risks. The vulnerabilities could lead to unauthorized access, denial-of-service, and remote code execution. The advisories also cover vulnerabilities in Elber communications equipment and Ashlar-Vellum software.
The Takeaway: Users are advised to review the advisories and act promptly to protect critical infrastructure. Learn more here.
Google and Mozilla Roll Out Browser Security Updates
Google and Mozilla released security updates for Chrome and Firefox on Tuesday to fix multiple high-severity memory safety vulnerabilities. Chrome 133, now available on the stable channel, includes 12 security fixes, including three reported by external researchers. Two of the flaws, tracked as CVE-2025-0444 and CVE-2025-0445, are use-after-free defects in the Skia library and V8 JavaScript engine.
The third issue is a medium-severity flaw in the Extensions API. Google awarded $7,000 for the Skia bug and $2,000 for the medium-severity issue. Mozilla’s Firefox 135 update fixes two similar use-after-free vulnerabilities, tracked as CVE-2025-1009 and CVE-2025-1010, impacting the Custom Highlight API and XSLT language.
The Takeaway: Update your browser to the latest version to secure against these vulnerabilities. Learn more here.
49 Automotive Vulnerabilities Found in Pwn2Own Contest
The 2025 Pwn2Own Automotive competition revealed 49 security flaws in automotive systems. Held from January 22-25, 2025, at Automotive World in Tokyo, the event saw cybersecurity researchers from 13 countries uncover previously unknown zero-day vulnerabilities in technologies like in-vehicle infotainment (IVI) systems and electric vehicle chargers. The contest, part of the Zero Day Initiative by Trend Micro, challenged experts to test state-of-the-art automotive systems in real-world conditions.
With the growing adoption of software-defined vehicles (SDV) and advanced driver-assistance systems (ADAS), security risks in these areas are increasing. The 2025 VicOne report highlighted 530 new vulnerabilities discovered in 2024, underscoring the expanding attack surface in the automotive sector. Experts emphasize the need for a security-focused approach to protect against evolving threats, including AI manipulation and OTA attacks.
The Takeaway: Stay informed on emerging automotive security threats and prioritize proactive measures. Learn more here.
Healthcare Providers Alerted to Exploited Vulnerabilities in SimpleHelp Software
The American Hospital Association (AHA) and the Health Information Sharing and Analysis Center (Health-ISAC) issued a cybersecurity advisory regarding three vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software. These vulnerabilities are believed to be actively exploited. The flaws were discovered by Horizon3 researchers in December 2024 and disclosed to SimpleHelp in January 2025.
Patches were released on January 13, 2025, and attacks are suspected to have started within one week. The vulnerabilities include a privilege escalation flaw, tracked as CVE-2024-57726, a directory traversal flaw, tracked as CVE-2024-57727, and a path traversal flaw, tracked as CVE-2024-57728.
The Takeaway: Healthcare organizations should patch SimpleHelp software to prevent exploitation. Learn more here.
IBM Discovers Critical Vulnerabilities in Cloud Pak Platform
IBM disclosed multiple security vulnerabilities in its Cloud Pak for Business Automation platform, raising concerns about the exposure of sensitive data. The vulnerabilities, detailed in a bulletin published on February 4, 2025, affect several versions of Cloud Pak and associated open-source components. Critical issues include CVE-2024-47554, which involves Apache Commons IO and can lead to denial-of-service (DoS) attacks, and CVE-2024-47764, which allows attackers to bypass security restrictions in the jshttp cookie module.
Another issue, CVE-2024-5535, exposes memory contents during TLS communications. These vulnerabilities could lead to data theft, system compromise, and service disruptions. IBM has released patches for affected versions. Organizations are urged to apply patches, audit systems, and monitor cloud activities.
The Takeaway: Organizations must apply security patches and audit systems immediately. Learn more here.
Critical Zero-Day Flaw Affects Microsoft Sysinternals Tools
A critical zero-day vulnerability has been found in Microsoft Sysinternals tools, impacting system administrators and developers. The vulnerability allows attackers to exploit DLL injection techniques to execute malicious code, potentially compromising systems. The flaw affects tools like Process Explorer, Autoruns, and Bginfo.
Researchers found that Sysinternals tools prioritize untrusted DLL paths, allowing attackers to replace legitimate files with malicious ones. If users execute the tools from compromised directories, malicious DLLs can be loaded, enabling remote code execution. This vulnerability was disclosed to Microsoft over 90 days ago but remains unpatched. Microsoft classified it as a “defense-in-depth” issue rather than a critical flaw. Users are advised to avoid running the tools from network locations and to ensure they only execute trusted DLLs. Until a fix is released, administrators should audit systems and apply workarounds to mitigate risks.
The Takeaway: Sysinternals users should avoid running tools from network locations and verify DLL integrity. Learn more here.
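One way to act on that takeaway before launching a tool, as an added example that is not from the article, Microsoft or Sysinternals: the script below audits the folder a Sysinternals executable would be run from, warning if it is a network (UNC) path or writable by broad groups, and listing every DLL beside the tools that is not validly Microsoft-signed. The `$ToolDir` parameter and the signer-subject check are assumptions for illustration.

```powershell
# Added example (not the article's or Sysinternals' own code): audit a directory
# before running a Sysinternals tool from it. Assumes the directory is passed in
# as -ToolDir; the signer check on the certificate subject is an illustrative heuristic.
param(
    [Parameter(Mandatory = $true)]
    [string]$ToolDir
)

$ToolDir = (Resolve-Path -LiteralPath $ToolDir).ProviderPath

# Running from a network share is the scenario the advisory warns against.
if ($ToolDir -like '\\*') {
    Write-Warning "'$ToolDir' is a UNC path; copy the tools to a local, ACL-restricted folder first."
}

# A folder that broad groups can write to is where a planted DLL would come from.
$acl = Get-Acl -LiteralPath $ToolDir
$writable = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
})
if ($writable.Count -gt 0) {
    Write-Warning "'$ToolDir' grants write access to: $($writable.IdentityReference -join ', ')"
}

# Under the search order the advisory describes, a DLL beside the executable is
# found before the system copy, so every DLL here must carry a valid Microsoft signature.
$findings = foreach ($dll in Get-ChildItem -LiteralPath $ToolDir -Filter *.dll -File) {
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        File    = $dll.Name
        Status  = $sig.Status
        Signer  = $subject
        Trusted = ($sig.Status -eq 'Valid' -and $subject -like '*O=Microsoft Corporation*')
    }
}

$findings | Format-Table -AutoSize
$bad = @($findings | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) DLL(s) in '$ToolDir' are not validly Microsoft-signed; do not run the tools from here."
    exit 1
}
"No untrusted DLLs found beside the tools in '$ToolDir'."
```

A clean result only covers DLLs in this folder; the tools should still be launched from a local, administrator-owned directory rather than from a share.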
That’s all for this week – have any exposures to add to our list? Let us know!
Read our latest blog "Exposure Management: Healthcare’s Preventive Medicine":