Exposures, Exposed! Weekly Round-up January 6 – January 12

Welcome to this week’s snow-dusted edition of Exposures Exposed! As winter deepens and frost coats the landscape, you need to safeguard yourself against the chilling threats that can compromise your security. Each week, our experts uncover critical vulnerabilities and exposures that, like icy winds, can catch you off guard. Stay informed, brace against the storm, and keep your defenses solid throughout the cold months ahead!

Google Fixes Critical Android Vulnerabilities in Latest Update??

Google has released the January Android security bulletin, confirming several critical vulnerabilities in Android 12 through 15. The most severe flaw, in the System component, allows remote code execution without additional privileges. Google rated the vulnerabilities based on their potential impact if platform mitigations are bypassed.??

The update fixes five critical vulnerabilities identified as CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, and CVE-2024-49748. Google provided limited technical details to give users time to apply updates before potential exploitation.??

Android users are strongly urged to verify their devices have been updated to the security patch level 2025-01-05 or later. Devices without this patch remain at risk, particularly those running Android versions 12 through 15.??

The Takeaway: Check for system updates immediately and install the latest Android security patch. Learn more here.

Researchers Identify Firmware Risks in Illumina DNA Sequencer??

Security researchers at Eclypsium have uncovered vulnerabilities in the firmware of Illumina’s iSeq 100 DNA sequencer. The flaws include the use of outdated BIOS firmware, the absence of Secure Boot, and a lack of write protections, exposing the device to risks such as malicious firmware implants and unauthorized access.??

The iSeq 100, widely used in medical laboratories, relies on hardware and firmware outsourced to original design manufacturers. Eclypsium identified additional vulnerabilities in its UEFI firmware, including susceptibility to LogoFAIL and outdated Intel CPU microcode affected by known side-channel attacks.??

Illumina stated it is following standard disclosure processes and noted that its initial evaluation classifies these issues as low-risk. Eclypsium emphasized that similar vulnerabilities likely affect other medical devices due to systemic weaknesses in hardware supply chains and limited support for security updates.??

The Takeaway: Ensure devices have updated firmware and implement hardware-based security protections. Learn more here.??

Moxa Identifies Critical Vulnerabilities in Network Devices??

Taiwan-based Moxa has disclosed two critical security vulnerabilities affecting several of its network security products. These include cellular routers, secure routers, and other appliances. The flaws could enable privilege escalation and command execution, posing risks such as unauthorized modifications, data exposure, and system compromise.??

The vulnerabilities are CVE-2024-9138, rated 8.6, involving hard-coded credentials allowing privilege escalation, and CVE-2024-9140, rated 9.3, which permits attackers to bypass input restrictions for unauthorized command execution. Affected products include the EDR, EDF, NAT, OnCell, and TN series with specific firmware versions.??

Patches are available for most products. Moxa advises updating firmware to version 3.14 or later. For NAT-102 and OnCell G4302-LTE4, users should contact Moxa Technical Support.??

The Takeaway: Update firmware promptly and follow mitigation measures to minimize security risks. Learn more here.

CISA Adds Three Exploited Vulnerabilities to KEV Catalog??

The Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on January 7. These include two flaws in the Mitel MiCollab platform and a 2020 Oracle WebLogic Server vulnerability.??

The critical Mitel MiCollab bug, CVE-2024-41713, has a CVSS score of 9.1 and allows unauthenticated attackers to access unified communications systems. CVE-2024-55550, with a CVSS score of 4.4, requires administrative privileges but could still expose sensitive files.??

The Oracle WebLogic Server vulnerability, CVE-2020-2883, remains a concern despite being patched in 2020. It allows unauthenticated attackers to control servers through Internet Inter-Orb Protocol or T3 protocols.??

Security experts recommend immediate patching of affected systems, deploying Web Application Firewall rules, and confirming Oracle WebLogic Server installations are fully updated.??

The Takeaway: Patch affected systems, deploy WAF rules, and verify updates. Learn more here.

MediaTek Discloses Critical Vulnerabilities in Device Chipsets??

MediaTek has identified several vulnerabilities in its chipsets, including a critical flaw that allows remote code execution (RCE). These issues affect a range of devices, including smartphones, tablets, AIoT products, smart displays, and TVs.??

The critical vulnerability, CVE-2024-20154, poses a serious threat by enabling attackers to control devices remotely. Other high-severity vulnerabilities, such as CVE-2024-20140 and CVE-2024-20143, and medium-severity flaws like CVE-2024-20149 and CVE-2024-20150, were also disclosed. These issues involve components such as audio processors and AI functions.??

MediaTek has notified manufacturers and released patches to mitigate risks. Users should update devices promptly when patches are available and avoid untrusted apps and links. Enterprises are advised to strengthen network security on MediaTek-powered platforms.??

The Takeaway: Update your devices immediately to reduce exposure to potential exploits. Learn more here.

Google, Mozilla Patch Critical Vulnerabilities in Browsers??

Google and Mozilla have released security updates for Chrome and Firefox to address multiple high-severity vulnerabilities. Google’s Chrome 131 update fixes four flaws, including a type confusion issue in the V8 JavaScript engine, tracked as CVE-2025-0291. This vulnerability could allow remote code execution and earned a $55,000 bug bounty. The update is available for Windows, macOS, and Linux users.??

Mozilla’s Firefox update resolves 11 vulnerabilities, including three high-severity flaws. Two are memory safety bugs that could lead to remote code execution, while the third, CVE-2025-0244, is an address bar spoofing defect on Firefox for Android. Mozilla also rolled out updates for Firefox ESR versions.??

While no active exploitation of these vulnerabilities has been reported, both companies urge users to update their browsers promptly.??

The Takeaway: Update Chrome and Firefox browsers to fix critical security vulnerabilities. Learn more here.

That’s all for this week – have any exposures to add to our list? Let us know!

Read our latest article "10 Cybersecurity Trends to Watch in 2025 and How to Prepare":