Contents
01. News Bites
- Microsoft fixed 134 flaws in April Patch Tuesday, including one exploited zero-day
- Microsoft confirms RansomEXX exploited Windows zero-day to gain SYSTEM access
- Fortinet fixes critical FortiSwitch flaw allowing unauthorised password changes
- Smokeloader customers arrested in Operation Endgame follow-up
- Ransomware activity hits record highs, but profits fall
- UK SMEs lose £3.4bn annually to cyberattacks, new report warns
- Cyberattacks hit 62% of water and power utilities, new report finds
02. Conclusion
Microsoft fixed 134 flaws in April Patch Tuesday, including one exploited zero-day
Microsoft’s April 2025 Patch Tuesday rolled out fixes for 134 vulnerabilities, including one zero-day—CVE-2025-29824—that was actively exploited before the update. The flaw, found in the Windows Common Log File System Driver, allowed local privilege escalation and was reportedly used by the RansomEXX ransomware gang. Microsoft credited its Threat Intelligence Center with the discovery and noted that patches for some Windows 10 systems are still pending release.
The update also addressed 11 Critical-rated remote code execution vulnerabilities across Microsoft Office, Windows Kernel, Remote Desktop Services, and other core components. In total, April’s patches included fixes for 49 privilege escalation bugs, 31 remote code execution issues, and 17 information disclosure vulnerabilities.
Other major vendors also issued important updates in April: Apple patched three zero-days; Google fixed 62 Android vulnerabilities; and Ivanti addressed a critical RCE flaw. Organisations are urged to ensure systems are fully updated to prevent exploitation.
Microsoft confirms RansomEXX exploited Windows zero-day to gain SYSTEM access
Microsoft has confirmed that the RansomEXX ransomware gang, also known as Storm-2460, exploited a zero-day vulnerability in the Windows Common Log File System Driver (CVE-2025-29824) to gain SYSTEM privileges. Patched during April’s Patch Tuesday, this use-after-free flaw allowed low-privilege users to escalate privileges without user interaction.
Although exploitation was limited, it affected organisations in the IT and real estate sectors in the US, finance in Venezuela, a Spanish software company, and retail in Saudi Arabia. Windows 11 24H2 users were not affected, but patches for Windows 10 LTSB 2015 are still pending.
The attackers used the PipeMagic backdoor to deliver the exploit and deploy ransomware along with ransom notes titled !READ_ME_REXX2!.txt. PipeMagic has previously been linked to attacks exploiting other Windows zero-days.
RansomEXX, active since 2018, has previously hit major organisations including GIGABYTE, Konica Minolta, and Brazil’s court system. Microsoft urges users to apply updates immediately.
Fortinet fixes critical FortiSwitch flaw allowing unauthorised password changes
Fortinet has released urgent security updates addressing a critical vulnerability (CVE-2024-48887) in its FortiSwitch product, warning that the flaw could allow remote unauthenticated attackers to change admin passwords through a crafted request. The vulnerability, which received a CVSS score of 9.3, affects multiple FortiSwitch versions and is linked to an unverified password change issue in the FortiSwitch GUI (CWE-620).
The flaw impacts:
- FortiSwitch 7.6.0 (update to 7.6.1 or later)
- Versions 7.4.0 to 7.4.4 (update to 7.4.5+)
- Versions 7.2.0 to 7.2.8 (update to 7.2.9+)
- Versions 7.0.0 to 7.0.10 (update to 7.0.11+)
- Versions 6.4.0 to 6.4.14 (update to 6.4.15+)
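The affected ranges above are easy to misjudge by eye, because a plain string comparison puts 7.0.10 before 7.0.9. The following script is an added example, not Fortinet tooling, that encodes the ranges listed in this bulletin and checks an inventory of FortiSwitch firmware versions against them; the hostnames and version strings in the sample inventory are constructed for illustration.

```python
"""Check FortiSwitch firmware versions against the CVE-2024-48887 affected
ranges listed in the bulletin above.

Added example (not Fortinet's own tooling). The ranges are copied from the
advisory summary; the inventory at the bottom is constructed sample data.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (first affected, last affected, first fixed) for each branch, per the bulletin.
AFFECTED_RANGES = [
    ((7, 6, 0), (7, 6, 0), (7, 6, 1)),
    ((7, 4, 0), (7, 4, 4), (7, 4, 5)),
    ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    ((7, 0, 0), (7, 0, 10), (7, 0, 11)),
    ((6, 4, 0), (6, 4, 14), (6, 4, 15)),
]


def parse_version(text: str) -> Version:
    """Turn '7.4.3' or 'v7.4.3' into a comparable (major, minor, patch) tuple.

    Raises ValueError for anything that is not three dotted integers, so an
    odd string from an inventory export is never silently treated as safe.
    """
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def check_version(text: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_version_or_None).

    Tuple comparison orders numeric components correctly, so 7.0.10 is
    recognised as later than 7.0.9 and still inside the affected range.
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> required action for every device that needs attention.

    Devices on a fixed or unaffected version are omitted; devices whose
    version string cannot be parsed are reported for manual verification.
    """
    needs_attention: Dict[str, str] = {}
    for host, version_text in inventory.items():
        try:
            affected, fixed = check_version(version_text)
        except ValueError:
            needs_attention[host] = "unparseable version, verify manually"
            continue
        if affected:
            needs_attention[host] = f"update to {fixed} or later"
    return needs_attention


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real devices.
    sample_inventory = {
        "sw-core-01": "7.4.3",
        "sw-edge-02": "7.0.10",
        "sw-edge-03": "7.0.11",
        "sw-lab-04": "7.6.1",
        "sw-old-05": "6.4.15",
        "sw-odd-06": "7.4",
    }
    for host, action in sorted(triage(sample_inventory).items()):
        print(f"{host}: {action}")
```

Feed `triage` the hostname-to-version mapping exported from your switch management console; anything it returns is either inside an affected range or could not be parsed and should be checked by hand.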
We advise all users to patch immediately to mitigate the risk of admin account compromise. If you notice any unusual activity, contact the Integrity360 Incident Response team for immediate assistance. For more information read our threat advisory HERE.
Smokeloader customers arrested in Operation Endgame follow-up
Law enforcement has arrested at least five individuals linked to the Smokeloader botnet as part of continued action under Operation Endgame. This follows the major takedown in 2023 that dismantled infrastructure supporting malware loaders like IcedID, Trickbot, and Smokeloader.
Europol confirmed that the investigation is still active, with data from over 100 seized servers being analysed. The botnet was operated by a threat actor known as ‘Superstar’ and offered as a pay-per-install service, giving cybercriminals access to compromised systems.
Authorities linked online aliases to real-world identities using a database of Smokeloader customers. Europol said some suspects cooperated with investigators and allowed digital forensic analysis of their devices.
Actions against suspects included arrests, home searches, and interviews. Europol has launched a dedicated website and video series to provide updates and encourage tips. Sanctions were also imposed on cybercriminals and exchanges linked to laundering funds. Operation Endgame continues to track affiliates and disrupt cybercrime infrastructure.
Ransomware activity hits record highs, but profits fall
New data shows ransomware attacks surged to record levels in early 2025, but cybercriminal profits are falling as more victims refuse to pay. BlackFog’s Q1 2025 report revealed 278 publicly disclosed attacks—up 81% year-on-year—with March alone marking an all-time high. The firm estimates an additional 2,124 unreported incidents took place, driven largely by data exfiltration.
Cyble’s April report echoed the trend, noting 886 victims claimed in February—the most in any month to date. The US, healthcare, education, and public sector organisations remain top targets.
Despite the spike in attacks, ransom revenues dropped by 33% in 2024 to $818m. Analysts say groups may now be relying on volume rather than big payouts.
Meanwhile, the ransomware landscape is shifting. Activity from BlackBasta collapsed after an internal leak, and new groups like Arkana Security and VanHelsing have appeared. Analysts warn that while tactics evolve, inflated attack numbers may mask falling profitability.
UK SMEs lose £3.4bn annually to cyberattacks, new report warns
UK small and medium-sized enterprises (SMEs) are losing £3.4 billion each year due to poor cybersecurity, according to a Vodafone Business report published this week. The average cost of a cyber incident is £3,398 for small businesses, rising to £5,001 for firms with 50+ employees.
One in three SMEs experienced a cyberattack in 2024, yet over half of employees have received no training, and nearly one in three firms have no protections in place. Limited budgets and competing priorities hinder response efforts—38% of SMEs invest less than £100 per year in cyber security.
Vodafone is calling for scalable, affordable security tools and stronger awareness campaigns. The report also urges tax incentives for cybersecurity investments and expanded public-private collaboration.
Phishing remains the top threat, followed by ransomware and DDoS attacks. With two-thirds of staff working remotely, Vodafone warns that SMEs are increasingly exposed and must treat cybersecurity as business-critical.
Cyberattacks hit 62% of water and power utilities, new report finds
A new report has revealed that 62% of water and electricity operators in the US and UK experienced cyberattacks in the past year, with 80% hit multiple times. Titled The State of Critical Infrastructure Resilience, the study highlights serious risks that also apply to other nations’ utility sectors.
Nearly 60% of attacks were attributed to nation-state groups, with 54% of impacted operators suffering permanent data loss. Alarmingly, identity systems like Active Directory were compromised in two-thirds of cases.
Despite this, 38% of operators believe they’ve never been targeted—suggesting many simply lack the tools to detect threats. Security experts warn that groups like China’s Volt Typhoon use stealthy, long-term techniques that can go unnoticed.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or, alternatively, get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.