Quest Security and Service Advisories
As an ongoing service to Quest's valued clients, our team of experts monitors security and service advisories we are seeing in the market from multiple vendors and these important notices are sent to our clients. You can view an overview of our recent advisories below. If you need more information on any of these advisories, or would like to set up a meeting to discuss them further, please reach out to our team.

May 2025
Security Advisory: Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware (5/23)
Security Advisory: Malicious KeePass Campaign Identified (5/20)
April 2025
Security Advisory: Threat Actors Breach and Spread in Under an Hour - Auto-Containment (4/30)
Security Advisory: Critical Update Required for Microsoft Entra Connect Sync (4/24)
Security Advisory: Fortinet Post-Exploitation Technique for Known Vulnerabilities (4/11)
March 2025
Security Advisory: Stay Alert – Phishing Attacks Are Becoming More Believable (3/26)
Security Advisory: Critical Vulnerabilities in Veeam Backup and Replication Products (3/19)
Security Advisory: Action Required – Review Disaster Recovery Plans for Azure Services (3/18)
Security Advisory: Critical Vulnerabilities in Broadcom VMware Products (3/4)
May 2025
Security Advisory: Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware (5/23):
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.
Release Date: May 21, 2025
Alert Code: AA25-141B
The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.
Security Advisory: Malicious KeePass Campaign Identified (5/20):
Quest is issuing a critical security advisory regarding a malicious campaign involving trojanized versions of the KeePass password manager.
Summary of Threat:
Threat actors have been distributing compromised versions of KeePass for at least eight months. These versions, dubbed KeeLoader, are built from altered open-source KeePass code and retain full password management functionality. The compromised versions of KeePass are embedded with malicious components that install Cobalt Strike beacons for remote access, export KeePass password databases in cleartext, and enable credential theft and ransomware deployment.
For more details, you can read the full report here.
Recommended Actions:
- Only download KeePass and other sensitive software from official sources.
- Avoid clicking on advertisements, even if they appear to link to legitimate URLs. Threat actors have demonstrated the ability to spoof URLs in ads to redirect users to malicious sites.
- Verify digital signatures and checksums where possible before installing software.
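As an added illustration of the checksum step above (example code written for this page, not Quest's or the KeePass project's own tooling), the Python script below hashes a downloaded installer and compares the result against a vendor-published SHA-256 listing in the usual `sha256sum` layout. The file name `Example-Setup.exe` and the listing contents are constructed for the demonstration; in practice the published digest comes from the vendor's official download page, never from the same ad or mirror that served the file.

```python
"""Verify a downloaded installer against a published SHA-256 checksum listing.

Added example; not Quest's or KeePass's code. SAMPLE_LISTING is constructed:
it holds the SHA-256 of the bytes b"hello" under a made-up file name.
"""
import hashlib
import hmac
import os

# Constructed values for the demonstration (not a real KeePass checksum).
SHA256_OF_HELLO = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
SAMPLE_LISTING = SHA256_OF_HELLO + "  Example-Setup.exe\n"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def digests_match(actual_hex: str, published_hex: str) -> bool:
    """Case-insensitive, constant-time comparison of two 64-char hex digests."""
    actual = actual_hex.strip().lower()
    published = published_hex.strip().lower()
    return len(actual) == 64 and hmac.compare_digest(actual, published)


def parse_sums(listing: str) -> dict[str, str]:
    """Parse 'HEX  filename' lines as written by sha256sum.

    A leading '*' on the file name marks binary mode and is dropped;
    blank lines and '#' comments are ignored.
    """
    sums: dict[str, str] = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def verify_download(data: bytes, filename: str, listing: str) -> bool:
    """True only if the file is in the listing and its digest matches.

    Any other outcome (unlisted file, wrong length, mismatch) is a failure:
    an installer that fails this check should not be run.
    """
    published = parse_sums(listing).get(filename)
    if published is None:
        return False
    return digests_match(sha256_hex(data), published)


def verify_file(path: str, listing: str) -> bool:
    """Same check for a file on disk, hashed in 1 MiB chunks (installers are large)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    published = parse_sums(listing).get(os.path.basename(path))
    return published is not None and digests_match(digest.hexdigest(), published)


if __name__ == "__main__":
    print(verify_download(b"hello", "Example-Setup.exe", SAMPLE_LISTING))  # True
    print(verify_download(b"hellp", "Example-Setup.exe", SAMPLE_LISTING))  # False: one byte changed
    print(verify_download(b"hello", "Other.exe", SAMPLE_LISTING))          # False: not listed
```

A matching hash proves the bytes are the ones the vendor published, not that the publisher is who they claim to be; the digital-signature check in the same bullet is a separate step. On Windows, PowerShell's `Get-AuthenticodeSignature` reports whether an installer's code signature is valid and who signed it, which a hash comparison alone does not.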
We urge all users to remain vigilant and review any recent KeePass installations for signs of compromise.
April 2025
Security Advisory: Threat Actors Breach and Spread in Under an Hour - Auto-Containment (4/30):
Quest is issuing this urgent security alert to highlight a critical and rapidly growing threat we have observed in the field. Threat actors are breaching and spreading through systems faster than ever, with the average breakout time dropping from over an hour in 2022 and 2023 to under 48 minutes today—and in some cases, less than 1 minute. A significant number of these attacks occur on weekends or after business hours, leaving organizations vulnerable during off-peak times.
Call to Action:
- Review and Enable Auto-Containment:
  - Auto-containment for endpoint protection is critical but often not enabled by default on most security tools.
  - Assess its availability and discuss the need for enablement within your organization.
- Utilize Advanced Cybersecurity Tools:
  - Consider tools that automatically contain threats based on device or user behavior to improve response times and limit damage.
Why This Matters:
Today’s cybercriminals move quickly after gaining access, making lateral movement from one system to the next before teams even detect their presence. This can lead to severe consequences, including:
- Ransomware spreading across servers within hours.
- Stolen credentials used for privilege escalation.
- Sensitive data stolen before any alerts are triggered.
Real-World Example:
A midsize financial firm fell victim to a phishing attack. Without endpoint isolation, the attacker compromised a single device and spread to encrypt most of the network within 90 minutes. The result? Ransom demands and several days of costly downtime.
What the Experts Say:
- CISA Guidance: Immediate containment is crucial to reducing damage during cyber incidents.
- CrowdStrike Findings: China-related hacking activities have reached a critical "inflection point."
What This Means For You:
- If You Have Auto-Containment:
  - Ensure it is enabled immediately.
  - Activate your incident response plan promptly in the event of a suspected threat.
- If You Don’t Have Auto-Containment:
  - You’re at increased risk of delayed containment, greater damage from fast-moving threats, and extended recovery times. Consider upgrading to a solution that includes automated threat containment.
Contact our team if you’d like to review your current setup, and we’ll arrange a call.
Security Advisory: Critical Update Required for Microsoft Entra Connect Sync (4/24):
Microsoft has announced a critical update affecting Microsoft Entra Connect Sync, the tool used to synchronize on-premises Active Directory with Microsoft Entra ID (Azure AD). Unless environments are updated before April 30, 2025, key functions within the tool will cease to operate.
Link to source(s):
Microsoft Entra Connect Sync Update
If your environment is using Microsoft Entra Connect Sync (formerly Azure AD Connect) with a version lower than v2.4.18.0, your environment will be impacted. While core synchronization will continue, the ability to manage or reconfigure the sync tool will be significantly degraded.
If you have any questions about how this may affect your environment or how Quest can assist, please reach out to our team. We’re here to help.
Security Advisory: Fortinet Post-Exploitation Technique for Known Vulnerabilities (4/11):
Quest has been notified of a Fortinet advisory regarding a new post-exploitation technique for known vulnerabilities. Fortinet is aware of a threat actor using previously exploited Fortinet RCE vulnerabilities in FortiOS and FortiGate products to create a malicious file on the device. This malicious file could enable read-only access to files on the device’s file system, which may include configurations.
Link to source(s):
Analysis of Threat Actor Activity | Fortinet Blog
Recommended Steps to Execute in Case of a Compromised Host
Recommendation:
- Upgrade to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to remove the malicious file and prevent re-compromise.
- Review the configuration of all devices.
- Reset potentially exposed credentials.
If you need assistance with reviewing, upgrading, or resetting credentials for FortiOS and FortiGate products, or if you would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.
March 2025
Security Advisory: Stay Alert – Phishing Attacks Are Becoming More Believable (3/26):
Cybercriminals are making phishing attacks more convincing by mimicking emails you expect to receive. These fraudulent messages often appear to come from trusted sources, such as:
- Internal departments (HR, IT, Finance)
- Popular services (Microsoft, Google, Amazon)
- Known colleagues or vendors
They frequently create a sense of urgency, prompting actions like updating passwords, entering credentials to view a shared file link, confirming payments, or opening an important document attachment. Clicking on a malicious link or attachment is a common tactic used to gain initial access, which can result in credential theft, ransomware, or data breaches.
Quest is assisting customers in implementing configurations and features to defend against phishing and unauthorized access. These measures include:
Technical Defenses
- Configuring email filtering
- Enabling audit logs and alerts for unusual activity
- Utilizing phishing-resistant multifactor authentication (MFA)
- Enforcing DMARC, DKIM, and SPF protocols
- Restricting file-sharing permissions
- Implementing data loss prevention (DLP) measures
Establishing a Response Plan
- Developing an incident response plan
- Conducting tabletop exercises
- Running phishing simulations
Stay vigilant and think before you click. Please contact us if you'd like to schedule a meeting to review your defenses.
Security Advisory: Critical Vulnerabilities in Veeam Backup and Replication Products (3/19):
Quest has been notified of a security advisory addressing critical vulnerabilities in Veeam Backup and Replication products. Veeam has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products, as listed in their Security Advisory.
Vendor: Veeam
CVE(s): CVE-2025-23120
CVSS: 9.9 Critical
Exploited in the wild: Unknown
Impacted Products: Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds.
Description: A vulnerability allowing remote code execution (RCE) by authenticated domain users.
Impact: An unauthenticated attacker could initiate a remote code execution, leading to unauthorized access to the backup server.
Note: This vulnerability only impacts domain-joined backup servers, a configuration that is contrary to Veeam's Security & Compliance Best Practices.
Link to source(s): https://www.veeam.com/kb4649
IOC Available: No
Recommendation: Review applicability, apply the update released by Veeam as soon as possible, and continue to follow Veeam Security Best Practices.
If you need assistance with reviewing and patching impacted Veeam Backup and Replication products, or if you would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.
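As an added worked example (written for this page, not Quest's or any vendor's code), the Python script below carries out the "review applicability" step for the three version-bounded advisories above: Microsoft Entra Connect Sync (impacted below v2.4.18.0), FortiOS (fixed in 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16 depending on the release branch) and Veeam Backup & Replication (12.3.0.310 and all earlier version 12 builds affected). The thresholds are the ones the advisories state; the host names and installed versions in the sample inventory are constructed. The point it makes beyond the text is that version strings must be compared numerically, component by component, since as plain text "2.4.9.0" sorts after "2.4.18.0".

```python
"""Applicability check for version-bounded advisories.

Added example; not Quest's or any vendor's code. Thresholds come from the
Entra Connect Sync, FortiOS and Veeam advisories; the inventory is constructed.
"""
import re


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v2.4.18.0' or '7.4.7' into a tuple of ints.

    String comparison gets this wrong ('2.4.9.0' > '2.4.18.0' as text because
    '9' sorts after '1'); tuples of ints compare numerically.
    """
    cleaned = text.strip().lower().lstrip("v")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


# Microsoft Entra Connect Sync: builds below v2.4.18.0 are impacted.
ENTRA_CONNECT_MIN = parse_version("2.4.18.0")

# FortiOS: first fixed build on each release branch named in the advisory.
FORTIOS_FIXED = {
    (7, 6): parse_version("7.6.2"),
    (7, 4): parse_version("7.4.7"),
    (7, 2): parse_version("7.2.11"),
    (7, 0): parse_version("7.0.17"),
    (6, 4): parse_version("6.4.16"),
}

# Veeam Backup & Replication: 12.3.0.310 and every earlier version 12 build.
VEEAM_LAST_AFFECTED = parse_version("12.3.0.310")


def entra_connect_impacted(installed: str) -> bool:
    return parse_version(installed) < ENTRA_CONNECT_MIN


def fortios_status(installed: str) -> str:
    """'fixed', 'upgrade to X', or a note that the branch is not in the advisory."""
    version = parse_version(installed)
    fixed = FORTIOS_FIXED.get(version[:2])
    if fixed is None:
        return "branch not listed in advisory: confirm status with vendor"
    if version >= fixed:
        return "fixed"
    return "upgrade to " + ".".join(str(n) for n in fixed)


def veeam_affected(installed: str) -> bool:
    version = parse_version(installed)
    return version[0] == 12 and version <= VEEAM_LAST_AFFECTED


def review_inventory(inventory: list[tuple[str, str, str]]) -> list[str]:
    """One action line per host. Rows are (host, product, installed_version)."""
    actions: list[str] = []
    for host, product, version in inventory:
        if product == "entra-connect":
            needed = entra_connect_impacted(version)
            actions.append(f"{host}: {'UPDATE to 2.4.18.0 or later' if needed else 'ok'}")
        elif product == "fortios":
            actions.append(f"{host}: {fortios_status(version)}")
        elif product == "veeam-br":
            needed = veeam_affected(version)
            actions.append(f"{host}: {'PATCH per Veeam KB4649' if needed else 'ok'}")
        else:
            actions.append(f"{host}: unknown product {product!r}")
    return actions


if __name__ == "__main__":
    # Constructed sample inventory (host names and versions are illustrative).
    sample = [
        ("sync01", "entra-connect", "2.4.9.0"),
        ("fw-edge", "fortios", "7.4.5"),
        ("fw-lab", "fortios", "6.2.15"),
        ("backup01", "veeam-br", "12.3.0.310"),
    ]
    for line in review_inventory(sample):
        print(line)
```

A version at or above the fixed build closes the FortiOS finding only if the upgrade was actually performed after the compromise, which is why the advisory pairs the upgrade with a configuration review and credential reset rather than treating the version number alone as proof of a clean device.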
Security Advisory: Action Required – Review Disaster Recovery Plans for Azure Services (3/18):
The Quest team is strongly advising clients to review their disaster recovery plans. Relying solely on hyperscalers (AWS, Azure, Google, etc.) or Software as a Service (SaaS) vendors may not provide sufficient recovery capabilities, particularly in the event of a ransomware attack. Starting March 31, 2025, Azure will discontinue automatic disaster recovery for App Service web applications. This change means that in the event of a regional outage, applications will no longer fail over automatically to another region.
To improve your resilience, we strongly recommend evaluating your ability to recover in the event of a ransomware incident. Implementing ransomware-proof solutions can save your organization millions of dollars and reduce significant recovery times.
If you’d like to discuss or review your current disaster recovery plans, please contact us. We’re reaching out as a security advisor because we’ve seen many clients caught off guard by ransomware threats, resulting in avoidable disruptions.
Security Advisory: Critical Vulnerabilities in Broadcom VMware Products (3/4):
Quest has been notified of a security advisory addressing critical vulnerabilities in Broadcom VMware products. Broadcom has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products listed in their Security Advisory.
Vendor: Broadcom/VMware
CVE(s): CVE-2025-22224, CVE-2025-22225, CVE-2025-22226
CVSS: 7.1 to 9.3 (highest severity: Critical)
Currently Exploited in the wild: Yes
Description: Multiple vulnerabilities in VMware ESXi and Workstation include a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write.
Impact: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.
Workarounds / Mitigations: None
Link to source(s): Broadcom Security Advisory
IOC Available: No
Recommendation: Review applicability and apply the update released by Broadcom as soon as possible.