February trending vulnerability digest

After conducting a detailed analysis in January, we've compiled a list of vulnerabilities that are currently classified as trending. These represent the most dangerous security flaws, either currently being widely exploited by cybercriminals or likely to be exploited in the near future. We strongly recommend verifying whether your organization has addressed these vulnerabilities, as well as those highlighted in our previous digests.
Six vulnerabilities were found in Microsoft products. Three of them are critical: CVE-2024-49112, CVE-2024-43468, and CVE-2025-21298); another three are of high severity: CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335.
The vulnerability CVE-2024-49112 enables remote code execution through a DCE/RPC request. The vulnerability CVE-2024-43468 allows privilege escalation to SYSTEM by executing arbitrary SQL queries. The vulnerability CVE-2025-21298 enables remote code execution when a victim opens a specially crafted email.
Three high-severity vulnerabilities in the Hyper-V NT Kernel Integration VSP component enable privilege escalation to SYSTEM level via heap buffer overflow or use-after-free memory flaws.
A vulnerability in Fortinet products (CVE-2024-55591) allows attackers to gain super-admin privileges on FortiOS and FortiProxy devices by sending specially crafted requests.
The high-severity vulnerability in 7-Zip (CVE-2025-0411) allows attackers to execute arbitrary code when extracting files from specially crafted archives.
Read below to learn about these vulnerabilities, how they are exploited, and mitigation strategies in this digest.

The Windows vulnerabilities described below potentially affect over a billion devices, according to The Verge. Any users with outdated versions of Windows are potentially at risk.

Windows Lightweight Directory Access Protocol remote code execution vulnerability (LDAP nightmare)

CVE-2024-49112 (CVSS score: 9.8; critical severity)

The LDAPNightmare vulnerability is related to the LDAP server discovery and location mechanisms. It can be exploited by an unauthenticated remote attacker. For this, the attacker sends a DCE/RPC request¹ to the victim's LDAP server² (a command for sending a DNS SRV request for the attacker's address. In response, the victim's device attempts to resolve the IP address of the attacker's hostname on the network. Once the IP address is obtained, the victim becomes an LDAP client and sends a CLDAP request³ to the attacker's device. The attacker's CLDAP response, containing a specific value, triggers a crash in the LSASS service through an integer overflow⁴.  A crash in the LSASS service can lead to downtimes, data leaks, and arbitrary code execution by the attacker. This vulnerability is particularly dangerous for systems using the Active Directory technology.
Signs of exploitation: as of this digest's publication, Microsoft has not confirmed any successful exploitations of the vulnerability.
Publicly available exploits: the PoC was published with open access.
Compensating controls: as temporary protective measures, experts recommend publishing RPC and LDAP externally over SSL and implementing network segmentation.

Windows Hyper-V NT Kernel Integration VSP elevation of privilege vulnerabilities

CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (CVSS score: 7,8; high severity)

These vulnerabilities were discovered in the Hyper-V NT Kernel Integration component used for communication between the main operating system and container-type virtual machines, such as Windows Sandbox and Microsoft Defender Application Guard. The vulnerability CVE-2025-21333 is associated with heap overflow. The vulnerabilities CVE-2025-21334 and CVE-2025-21335 are related to use-after-free memory issues. By exploiting these vulnerabilities, an attacker can obtain SYSTEM-level privileges on the main system. This could allow the attacker to move laterally across the network, infect devices with malware, and gain full control over the compromised system.
Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. CISA also added these vulnerabilities to its Known Exploited Vulnerabilities Catalog.
Publicly available exploits: not available in open sources.

Windows OLE remote code execution vulnerability

CVE-2025-21298 (CVSS score: 9.8; critical severity)

The vulnerability is related to a use-after-free memory error in the ole32.dll!UtOlePresStmToContentsStm function of the Windows OLE component⁵. To exploit this vulnerability, an attacker needs to send a specially crafted RTF file to the victim (a format commonly used in Microsoft Outlook). When the victim opens the file, the processing of malicious code begins, which may lead to leakage of confidential information and loss of control over the device.
Signs of exploitation: Microsoft does not confirm any successful exploitations of the vulnerability.
Publicly available exploits: the PoC was published with open access.
Compensating controls: it is recommended to read email messages in text format.

Microsoft Configuration Manager remote code execution vulnerability

CVE-2024-43468 (CVSS score: 9.8; critical severity)

The vulnerability in Microsoft Configuration Manager is related to the MP_Location service⁶. Client messages trigger the procedure in the database. Through SQL injection⁷, an attacker creates a new user with administrative privileges by sending a request with embedded malicious script on behalf of the client. As a result, an unauthenticated attacker can gain full control over the system by executing code on the victim's device via xp_cmdshell. The cause of the vulnerability lies in the MP_GetContentID procedure. Exploiting this vulnerability may allow attackers to upload malicious software to the victim's device, which can be used for data theft, encryption, or data propagation.
Signs of exploitation: as of this digest's publication, Microsoft has not confirmed any successful exploitations of the vulnerability.
Publicly available exploits: the PoC was published with open access.
Compensating controls: Synacktiv recommends checking the folder C:\Program Files\SMS_CCM\Logs\MP_Location.log for entries in the UpdateSFRequest log, XML messages, and errors when performing a getMachineID() operation.

Mitigation: security updates can be downloaded from official Microsoft pages about each vulnerability: CVE-2024-49112, CVE-2025-21333, CVE-2025-21334, CVE-2025-21335, CVE-2024-43468, and CVE-2025-21298.

CVE-2024-55591 (CVSS score: 9.6; critical severity)

The vulnerability is related to a flaw discovered in the websocket Node.js module. It allows an attacker to gain super-admin privileges by sending a specially crafted request. Exploitation of the vulnerability could result in credential compromise, and spoofing of device management certificates.
Signs of exploitation: Fortinet notes cases of vulnerability's exploitation.
Publicly available exploits: not available in open sources.
Potential victims: researchers report that the vulnerability has affected 15,000 devices worldwide, specifically targeting users of the following versions: FortiOS 7.0.0–7.0.16, FortiProxy 7.0.0–7.0.19, 7.2.0–7.2.12.
Mitigation: update systems to FortiOS 7.0 to 7.0.17 or later, FortiProxy 7.0 to 7.0.20 or later, and FortiProxy 7.2 to 7.2.13 or later.
Compensating controls: Fortinet recommends the following actions:
 

• Disable the HTTP/HTTPS administrative interface.
• Through local processes, restrict IP addresses that can access administrative interfaces.
• Change the default administrator username to a non-standard name.
•  In case of network compromise, immediately replace credentials and update firewall settings. Rotate certificates and conduct an audit.

CVE-2025-0411 (CVSS score: 7.0; high severity)

The vulnerability is elated to improper handling of the Mark of the Web⁸ in 7-Zip versions prior to 24.09.  When downloading a 7z archive that contains another 7z archive with malicious content (double compression), the Microsoft Defender SmartScreen feature does not flag suspicious files in the archive. The flaw lies in how 7-Zip processes archived files: when extracting files from an archive that has the Mark of the Web (MOTW), 7-Zip does not apply the MOTW to the extracted files. As a result, Microsoft Defender treats these files as safe. An attacker can exploit this vulnerability to remotely execute code in the context of the current user. This can lead to installation of malicious software on the vulnerable device and leakage of sensitive data.
Signs of exploitation: no confirmed cases of exploitation.
Publicly available exploits: the PoC was published with open access.
Potential victims: according to SourceForge, approximately 430 million copies of the program were downloaded prior to November (the release date of the update). All devices running an outdated version of 7-Zip are potentially vulnerable.
Mitigation: update 7-Zip to version 24.09 or later.
Compensating controls: use the operating system's security features.

Using popular solutions containing trending vulnerabilities can jeopardize any company. These security flaws are the most dangerous and require immediate remediation. In the MaxPatrol VM vulnerability management system, information about trending vulnerabilities is received within 12 hours of their detection to help eliminate the most dangerous threats quickly and protect company infrastructure.