Microsoft, VMware, Ivanti flaws called out: The feds highlighted a list of buffer overflow bugs affecting leading vendors such as Microsoft, Ivanti, VMware, Citrix and Red Hat, ranging from high to critical severity, with some already having in-the-wild exploits.

The list included two Microsoft flaws: one that could allow local attackers in container-based environments to gain system privileges (CVE-2025-21333), and a privilege escalation in the Windows Common Log File System (CLFS) driver that could lead to full system access (CVE-2024-49138). The latter was picked up by threat actors for zero-day exploitation and was assigned a CVSS rating of 7.8/10.

Most critical in the list is a VMware vCenter flaw (CVE-2024-38812) that Broadcom had to plug for a second time in months after it admitted the first patch did not completely fix the issue. The flaw was a heap overflow in the vCenter Server's implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol.

Another critical flaw (CVSS 9/10) listed in the advisory is the stack-based overflow bug in Ivanti's Connect Secure (CVE-2025-0282), which the IT software maker fixed in January after it was exploited in zero-day attacks. While historically dependent on memory-unsafe languages like C and C++, all these vendors are gradually moving towards memory-safe languages like Rust, Go, Swift, and Python.
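The advisory's point is that the bug class itself, a length taken from untrusted input and used for a copy into a fixed-size buffer, is avoidable in C with ordinary bounds checks. The following is an added illustration, not code from any of the vendors or CVEs named above: a hypothetical record parser with a constructed wire layout (one length byte, a name, then a 32-bit flags field), shown in its unchecked form for contrast and in a hardened form that validates every input-derived length against both the remaining input and the destination capacity before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 16

/* Hypothetical record type; the layout is constructed for this illustration
 * and is not taken from any product named in the article. */
struct record {
    char name[FIELD_MAX];
    uint32_t flags;
};

/* Unsafe pattern (the class the advisory calls "unforgivable"): the copy
 * length comes from the input itself and is never compared with FIELD_MAX,
 * so an oversized length byte writes past 'name' into 'flags' and beyond.
 * Kept only for contrast; it is never called with untrusted data here. */
int parse_record_unchecked(struct record *out, const uint8_t *buf, size_t len)
{
    (void)len;                             /* input length is ignored entirely */
    size_t name_len = buf[0];              /* attacker-controlled length */
    memcpy(out->name, buf + 1, name_len);  /* no bound on the destination */
    out->name[name_len] = '\0';
    return 0;
}

/* Hardened version: reject before copying if the declared name length would
 * not fit the destination (leaving room for the NUL) or if the input is too
 * short to contain the name plus the 4-byte flags field. Returns 0 on
 * success, -1 on any malformed input; 'out' is untouched on failure. */
int parse_record_checked(struct record *out, const uint8_t *buf, size_t len)
{
    if (len < 1)
        return -1;
    size_t name_len = buf[0];
    if (name_len >= FIELD_MAX)                     /* would overflow 'name' */
        return -1;
    if (len < 1 + name_len + sizeof(uint32_t))     /* truncated input */
        return -1;

    memcpy(out->name, buf + 1, name_len);
    out->name[name_len] = '\0';

    /* Decode flags as little-endian explicitly so the result does not depend
     * on the host's byte order. */
    const uint8_t *f = buf + 1 + name_len;
    out->flags = (uint32_t)f[0] | ((uint32_t)f[1] << 8) |
                 ((uint32_t)f[2] << 16) | ((uint32_t)f[3] << 24);
    return 0;
}

/* Constructed sample inputs (not captured from any real system). */
static const uint8_t SAMPLE_OK[] = {
    7, 'v', 'c', 'e', 'n', 't', 'e', 'r', 0x01, 0x00, 0x00, 0x00 };
static const uint8_t SAMPLE_OVERSIZED[] = { 200, 'A', 'A', 'A', 'A' }; /* claims 200 bytes */
static const uint8_t SAMPLE_TRUNCATED[] = { 5, 'a', 'b' };            /* claims 5, has 2 */

/* Returns the decoded flags (1) for the well-formed sample, or a negative code. */
int demo_valid_flags(void)
{
    struct record r;
    if (parse_record_checked(&r, SAMPLE_OK, sizeof SAMPLE_OK) != 0)
        return -1;
    if (strcmp(r.name, "vcenter") != 0)
        return -2;
    return (int)r.flags;
}

/* Both malformed samples must be refused with -1 and never reach memcpy. */
int demo_oversized(void)
{
    struct record r;
    return parse_record_checked(&r, SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED);
}

int demo_truncated(void)
{
    struct record r;
    return parse_record_checked(&r, SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED);
}

int main(void)
{
    printf("valid    -> flags=%d\n", demo_valid_flags());
    printf("oversized -> %d\n", demo_oversized());
    printf("truncated -> %d\n", demo_truncated());
    return 0;
}
```

The two extra comparisons are the whole difference between the functions; the hardened parser refuses the oversized and truncated samples before any byte is copied, which is the property that memory-safe languages enforce automatically and that C code must enforce by hand.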
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3823937/cisa-fbi-call-software-with-buffer-overflow-issues-unforgivable.html