
Quest Security and Service Advisories

As an ongoing service to Quest's valued clients, our team of experts monitors security and service advisories we are seeing in the market from multiple vendors and these important notices are sent to our clients. You can view an overview of our recent advisories below. If you need more information on any of these advisories, or would like to set up a meeting to discuss them further, please reach out to our team.

October 2025

Security Advisory: Critical Vulnerabilities in Veeam Products (10/14)

Security Advisory: Immediate Critical Risk in MySonicWall Firewall Backups (10/9)

September 2025

Security Advisory: Cisco Secure Firewall ASA, FTD, IOS, IOS XE, IOS XR Remote Code Execution Vulnerability (9/25)

August 2025

Risk Management Advisory: Update on Upcoming EOL/EOS for Key IT Products (8/25)

Security Advisory: Microsoft Exchange Hybrid Vulnerability Could Compromise O365 (8/7)

Security Advisory: IMMEDIATE Critical Risk in SonicWall Firewall SSLVPN (8/4)

July 2025

Security Advisory: Guidance on Exploitation of Microsoft SharePoint Vulnerability (7/21)

Security Advisory: Critical Vulnerabilities in Broadcom/VMware Products (7/18)

Security Advisory: Microsoft 365 Direct Send Feature Under Threat (7/16)

June 2025

Security Advisory: Surge in Social Engineering Tactics Targeting U.S. Businesses (6/18)

Security Advisory: Critical Veeam Vulnerability Fix Available (6/17)

May 2025

Security Advisory: Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware (5/23)

Security Advisory: Malicious KeePass Campaign Identified (5/20)

April 2025

Security Advisory: Threat Actors Breach and Spread in Under an Hour – Auto-Containment (4/30)

Security Advisory: Critical Update Required for Microsoft Entra Connect Sync (4/24)

Security Advisory: Fortinet Post-Exploitation Technique for Known Vulnerabilities (4/11)

March 2025

Security Advisory: Stay Alert – Phishing Attacks Are Becoming More Believable (3/26)

Security Advisory: Critical Vulnerabilities in Veeam Backup and Replication Products (3/19)

Security Advisory: Action Required – Review Disaster Recovery Plans for Azure Services (3/18)

Security Advisory: Critical Vulnerabilities in Broadcom VMware Products (3/4)

October 2025

Security Advisory: Critical Vulnerabilities in Veeam Products (10/14):

Quest is reaching out to inform you of critical security vulnerabilities disclosed on October 14, 2025, affecting Veeam Backup & Replication and Veeam Agent for Microsoft Windows. These vulnerabilities may pose a significant risk to backup infrastructure if not addressed promptly.

Summary of Vulnerabilities:

  1. CVE-2025-48983 — Mount Service RCE vulnerability (affects domain-joined servers only)
    • Severity: Critical | CVSS v3.1: 9.9
    • Impact: Allows remote code execution (RCE) on backup infrastructure hosts by an authenticated domain user.
    • Affected versions: Veeam Backup & Replication 12.3.2.3617 and earlier v12 builds
    • Fixed in: Veeam Backup & Replication 12.3.2.4165 (Patch)
  2. CVE-2025-48984 — Backup Server RCE vulnerability (affects domain-joined servers only)
    • Severity: Critical | CVSS v3.1: 9.9
    • Impact: Allows RCE on the backup server by an authenticated domain user.
    • Affected versions: Veeam Backup & Replication 12.3.2.3617 and earlier v12 builds
    • Fixed in: Veeam Backup & Replication 12.3.2.4165 (Patch)
  3. CVE-2025-48982 — Local privilege escalation in Veeam Agent
    • Severity: High | CVSS v3.1: 7.3
    • Impact: Allows local privilege escalation if a system administrator restores a malicious file.
    • Affected versions: Veeam Agent for Microsoft Windows 6.3.2.1205 and earlier v6 builds
    • Fixed in: Veeam Agent for Microsoft Windows 6.3.2.1302

Recommended Actions:

  1. Patch immediately: Upgrade Veeam Backup & Replication to 12.3.2.4165 and Veeam Agent for Microsoft Windows to 6.3.2.1302 as soon as possible.
  2. Review deployment architecture: If you’re running VBR in a domain, review exposure and confirm hardening aligns with best practices. (Best-practice reference: https://bp.veeam.com/security/Design-and-implementation/Hardening/Workgroup_or_Domain.html#best-practice)
  3. Monitor systems: Ensure your infrastructure is monitored for any signs of compromise and follow your organization’s incident response procedures if needed.
  4. Details and downloads: See Veeam KB4771 (Veeam Software) for full details and download links.

Additional Notes:

  1. Unsupported product versions are likely vulnerable and should be considered at risk.
  2. The Veeam Software Appliance and the upcoming Veeam Backup & Replication v13 for Microsoft Windows are not impacted by these vulnerabilities due to architectural differences.

If you need assistance reviewing these vulnerabilities, assessing your environment, or completing a health check, please let us know.

Security Advisory: Immediate Critical Risk in MySonicWall Firewall Backups (10/9):

Quest has been notified of an updated security advisory addressing critical risks involving MySonicWall Cloud Backup files. SonicWall has completed its investigation and confirmed that all customers who used the company’s cloud backup service were affected by last month’s security breach. SonicWall is urging customers to reset their MySonicWall credentials (if they have not already) and implement the Remediation Playbook linked below.

SonicWall is recommending IMMEDIATE Mitigation Steps. We strongly urge all partners and customers using SonicWall firewalls to take the following actions immediately:

Confirm impacted device serial numbers
Knowledge base: https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

  1. Log in to your MySonicWall.com account and verify whether cloud backups exist for your registered firewalls.
  2. Check whether impacted serial numbers are listed in your account. Upon login, navigate to Product Management | Issue List. Affected serial numbers will be flagged with details such as Friendly Name, Last Download Date, and Known Impacted Services.

Run the Remediation Playbook
The Playbook includes a SonicWall tool that analyzes the firewall configuration file and provides targeted remediation guidance.
Remediation Playbook: https://www.sonicwall.com/support/knowledge-base/remediation-playbook/250916130050523

Critical actions in the Playbook include:

  1. Reset and update passwords for all local users.
  2. Reset temporary access codes (TOTP) for local users.
  3. Update passwords on LDAP, RADIUS, or TACACS+ servers.
  4. Update the shared secret in all IPsec site-to-site and GroupVPN policies.
  5. Update passwords used for any L2TP/PPPoE/PPTP WAN interfaces.
  6. Reset the Cloud Secure Edge (CSE) API key.

Additional high- and low-priority actions may be required; see the Remediation Playbook for details.

If you need assistance reviewing this situation or would like to discuss the risk in more detail, please contact our team.

September 2025

Security Advisory: Cisco Secure Firewall ASA, FTD, IOS, IOS XE, IOS XR Remote Code Execution Vulnerability (9/25):

Quest has been notified of a security advisory addressing multiple critical vulnerabilities in Cisco Secure Firewall ASA, FTD, IOS, IOS XE, IOS XR products. Cisco has urgently patched critical security vulnerabilities that could allow unauthenticated users to perform remote code execution (RCE) exploits on impacted products listed in their Security Advisory.

Vendor: Cisco

CVE(s): CVE-2025-20363, CVE-2025-20333

CVSS: 9.0 – 9.9 Critical

In the Wild: Yes

Unauthenticated: Yes

Description: Cisco Secure Firewall ASA, FTD, IOS, IOS XE, IOS XR Remote Code Execution Vulnerability

Impact: Multiple vulnerabilities in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device which may lead to the complete compromise of the affected device.

Workarounds: No

Link to source(s):

CVE-2025-20363: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O

CVE-2025-20333: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB

IOC Available: No

Recommendation: Review the vendor advisory, confirm applicability, and apply updates as necessary.

If you need assistance with reviewing and patching impacted Cisco ASA, FTD, IOS, IOS XE, IOS XR products or would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.

August 2025

Risk Management Advisory: Update on Upcoming EOL/EOS for Key IT Products (8/25):

As an update to our July Risk Advisory, Quest continues to hear from clients who are asking about and working through several critical vendor changes. Between now and the end of October 2025, several major IT products from Microsoft and Broadcom will reach End-of-Life (EOL) and End-of-Support (EOS). These changes may significantly impact your system stability, compliance, licensing, cybersecurity insurance, and overall cybersecurity posture.

Key Changes to Be Aware Of:

Broadcom (VMware)

1. vSphere 6.x and 7.x reach EOL/EOS on October 2, 2025

    • No more patches, updates, or official support—posing a major risk for production environments.

Microsoft

1. Windows 10 reaches EOL on October 14, 2025

    • No future security updates; urgent need to migrate to Windows 11 or alternatives.
    • There is a path for support post-October 14, 2025, but this requires detailed discussion.
    • Some builds of Windows 11 will also be impacted.

2. Exchange Server 2016 and 2019 (Hybrid environments)

    • Migration to the new Exchange Server Subscription Edition will be required.
    • May impact licensing and ongoing costs.

3. Office 2016 and Office 2019 reach EOS on October 14, 2025

    • Microsoft will no longer provide technical support, bug fixes, or security updates for vulnerabilities.
    • This includes critical security updates that protect against viruses, spyware, and other malicious software.
    • Updates via Microsoft Update and phone/chat technical support will no longer be available.

4. Microsoft 365 (O365) will enforce Multi-Factor Authentication (MFA) for all users starting September 15, 2025

    • Non-compliance may result in login issues and access restrictions.

5. Legacy MFA and Self-Service Password Reset (SSPR) policies will be deprecated on September 30, 2025

What This Means for You
 
These vendor changes could affect:
  1. Security posture
  2. Compliance obligations
  3. Operational continuity
  4. Software licensing costs
  5. Cyber insurance

To help you prepare, Quest is offering a no-charge, 30-minute risk review call to evaluate your environment, discuss your upgrade path, and identify next steps.

Security Advisory: Microsoft Exchange Hybrid Vulnerability Could Compromise O365 (8/7):

Microsoft has warned customers to mitigate a high-severity vulnerability, CVE-2025-53786, in Exchange Server hybrid deployments. This vulnerability could allow attackers to escalate privileges in Exchange Online cloud environments undetected. If not addressed, it could compromise the identity integrity of an organization’s Exchange Online service.

What You Need to Know:

  1. In hybrid Exchange deployments, on-premises Exchange Server and Exchange Online share the same service principal—a shared identity used for authentication between the two environments.
  2. Failing to mitigate this vulnerability could lead to total domain compromise, including on-premises Exchange and Office365 environments.
  3. Microsoft has indicated that there are no observed exploitations at this time; however, they have flagged this vulnerability as “Exploitation More Likely” and strongly urge companies to remediate quickly.

How to Protect Yourself:

  1. Immediately remove any public-facing servers running end-of-life (EOL) or end-of-service versions of Exchange Server.
  2. Install Microsoft’s April 2025 Exchange Server Hotfix Update on on-premises Exchange Servers.
  3. Follow Microsoft’s configuration instructions to deploy a dedicated Exchange Hybrid App.
  4. For companies using Hybrid (or those that previously configured Exchange Hybrid but no longer use it), review Microsoft’s Service Principal Clean-Up Mode guidance on resetting the service principal keyCredentials.
  5. Once completed, run the Microsoft Exchange Health Checker to determine if further steps are required.

Important Reminder:

Exchange 2016 and Exchange 2019 will reach their end of extended support (EOS) on October 14, 2025. Companies will need to migrate to Exchange Online or upgrade to Exchange Server Subscription Edition (SE) to remain supported. After October 14, 2025, Microsoft will no longer provide technical support for Exchange 2016 or Exchange 2019, including bug fixes for newly discovered issues that may impact server usability and stability.

What Quest Can Do to Help:

  1. Assess your current Exchange versions (including Exchange Hybrid) for remediation measures and provide specific recommendations for your deployment.
  2. Apply the necessary remediations (updates, hotfixes, configurations, and testing) listed in Microsoft’s Security Advisory.
  3. Advise on and upgrade your Exchange environment to ensure continued support.

Security Advisory: IMMEDIATE Critical Risk in SonicWall Firewall SSLVPN (8/4):

Quest has been notified of a security advisory addressing critical risks involving SonicWall SSLVPN in SonicWall Firewall products. SonicWall has announced a recent increase in reported cyber incidents involving a number of Gen 7 SonicWall firewalls running various firmware versions with SSLVPN enabled. SonicWall is actively investigating these incidents to determine whether they stem from a previously disclosed vulnerability or represent a new (zero-day) vulnerability.

SonicWall is recommending IMMEDIATE Mitigation Steps:

As a precaution, we strongly urge all partners and customers using Gen 7 firewalls to take the following actions immediately:

  • Disable SSLVPN services where practical.
  • If SSLVPN remains enabled, apply the following additional (best practices) controls:
    • Restrict access to trusted source IP addresses only.
    • Ensure Security Services (e.g., Botnet Protection, Geo-IP Filtering) are turned on and actively protecting the firewall.
    • Remove unused or inactive firewall user accounts, particularly those with remote access permissions.
    • Enforce strong password hygiene across all accounts, including resetting all passwords.
    • Enable Multi-Factor Authentication (MFA) for all remote access points (Note: MFA alone may not prevent the activity under investigation).

Link to updated SonicWall Information: https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Recommendation: Disable SonicWall SSLVPN immediately on Gen 7 firewalls; contact Quest to discuss immediate alternative solutions for re-enabling secure remote access to internal applications.

July 2025

Security Advisory: Guidance on Exploitation of Microsoft SharePoint Vulnerability (7/21):

Microsoft has identified active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed in the July 2025 Security Update. These vulnerabilities, including CVE-2025-53770 and CVE-2025-53771, pose significant risks to system security and operational integrity. While SharePoint Online in Microsoft 365 is not impacted, on-premises SharePoint Servers are at risk. Microsoft has released security updates to fully protect customers using SharePoint Subscription Edition and SharePoint 2019. Customers using SharePoint 2016 or 2019 are strongly advised to apply the latest updates and follow additional mitigation steps to safeguard their environments.

Current Recommendations (as of 7/21):

  • Remove internet-facing deployments of on-premises SharePoint immediately.
  • Apply the latest Microsoft July 2025 patches/security update (this only partially mitigates the risk).
  • Apply the specific SharePoint security update.
  • Ensure AMSI (Antimalware Scan Interface) is turned on and configured correctly.
  • After updating, rotate SharePoint Server ASP.NET machine keys and restart IIS on SharePoint servers.
  • Ensure your endpoint protection detects and protects against behaviors related to this threat.
  • Enable SIEM rules to detect exploit activity.
  • You can view more details from Microsoft here.

If you need assistance with reviewing and patching impacted systems or would like to discuss these vulnerabilities in more detail, please let us know.

Security Advisory: Critical Vulnerabilities in Broadcom/VMware Products (7/18):

Quest has been notified of a security advisory addressing critical vulnerabilities in Broadcom VMware products. Broadcom has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products listed in their Security Advisory.

Vendor: Broadcom/VMware
CVE(s): CVE-2025-41236, CVE-2025-41237, CVE-2025-41238, CVE-2025-41239
CVSS: 6.2 – 9.3 (Critical)
In the Wild: Unknown; however, it is expected to appear in the wild soon, as it was proven at a Pwn2Own event.
Unauthenticated: No
Description: VMware ESXi, Workstation, Fusion, and VMTools updates address multiple vulnerabilities.
Impact: A malicious actor with local administrative privileges on a virtual machine may exploit these issues to execute code as the virtual machine’s process running on the host, leading to complete ESX Host compromise.
Workarounds: None
Link to Source(s): Broadcom Security Advisory
IOC Available: No

Recommendation: Review the vendor advisory, confirm applicability, and apply updates as necessary.

Note: CVE-2025-41239 impacts VMware Tools for Windows. Please ensure you review and update VMTools on Windows machines to fixed versions.

If you need assistance with reviewing and patching impacted VMware products or would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.

Security Advisory: Microsoft 365 Direct Send Feature Under Threat (7/16):

We are reaching out to inform you about an immediate security concern with the Microsoft 365 Direct Send feature. Threat actors are currently targeting organizations with spoofed, unsolicited emails, forging the sender’s address to make it appear as though it comes from within your organization or a trusted source. We have observed messages going through Microsoft infrastructure to bypass email security controls, crafted to steal your Office 365 credentials.

What You Need to Know:

  • Spoofed emails can appear to come from yourself, a coworker, or a company executive.
  • Be cautious of requests for sensitive information (like passwords or payment details) via email.
  • Phishing emails often urge you to take action—click on links, update account information, download attachments, scan QR codes, or listen to voicemail attachments.

How to Protect Yourself:

  • If you are using Office 365, you must act immediately to secure the Direct Send feature.
  • Be cautious: If you are not expecting an email—even if it looks legitimate—do not open it.
  • Do not use your phone to scan QR codes sent via email. QR codes are rarely sent through email.
  • Verify the sender’s email address carefully. Look for misspellings or unusual domains, and validate by reaching out to the sender via phone or message.
  • Do not click on suspicious links or download unexpected attachments.
  • Contact us directly if you receive any email that seems unusual or unexpected.
  • Enable phishing-resistant multi-factor authentication (MFA) and conditional access on your accounts whenever possible.

What We Can Do to Help:

  • Discuss or implement the process and steps to address the Direct Send risk (e.g., disabling the feature or creating mail flow rules).
  • Configure and enforce strict DMARC, SPF, and DKIM policies to ensure only verified senders can use your domain.
  • Review unauthenticated emails.
  • Conduct threat-hunting activities if your company has been targeted by the Direct Send phishing campaign.

We take your security seriously and are actively monitoring these threats. If you have any questions or would like assistance securing your Office 365 environment, please don’t hesitate to reach out.

June 2025

Security Advisory: Surge in Social Engineering Tactics Targeting U.S. Businesses (6/18):

Quest has observed a significant increase in targeted social engineering attacks attributed to the threat actor group Scattered Spider, specifically aimed at U.S.-based retail, insurance, staffing, and distribution sectors. These attacks focus on gaining initial access through sophisticated social engineering campaigns, often leading to ransomware deployment and significant operational disruptions.

A common scenario consists of the following:

  • Threat actors initiate contact by phone, text, or email, impersonating internal IT or a trusted third party. The threat actor creates urgency with the user, centering on situations such as alleged account compromises or system outages to prompt immediate action.
  • Pressure is then applied to approve MFA requests, access spoofed login portals, or install remote access tools—framing these actions as necessary steps to resolve the issue.
  • Credentials and session tokens are subsequently compromised, enabling full access to Identity Management, MFA, Remote Access, and Email platforms.

Quest recommends actively monitoring for unusual help desk activity and ensuring all staff are trained to recognize tactics that use false urgency to manipulate users. Employees should know how to safely verify suspicious requests and escalate concerns. Communicating these risks to your broader user base—especially help desk, finance, and claims teams—is strongly advised.

Security Advisory: Critical Veeam Vulnerability Fix Available (6/17):

Quest has been notified of a Veeam critical vulnerability (CVE-2025-23121) with a CVSS severity score of 9.9. This vulnerability could allow an authenticated domain user to execute remote code on the Backup Server, posing a significant security risk.

What You Need to Do:

Fixes are now available, and we strongly recommend that all customers update their Veeam products immediately to mitigate potential risks.

For detailed information, please review KB4743.

If you need assistance with validating or implementing the update, please let us know. Our team is here to support you.

May 2025

Security Advisory: Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware (5/23):

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

Release Date: May 21, 2025

Alert Code: AA25-141B

Advisory details

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

Security Advisory: Malicious KeePass Campaign Identified (5/20):

Quest is issuing a critical security advisory regarding a malicious campaign involving trojanized versions of the KeePass password manager.

Summary of Threat:

Threat actors have been distributing compromised versions of KeePass for at least eight months. These versions, dubbed KeeLoader, are built from altered open-source KeePass code and retain full password management functionality. The compromised versions of KeePass are embedded with malicious components that install Cobalt Strike beacons for remote access, export KeePass password databases in cleartext, and enable credential theft and ransomware deployment.

For more details, you can read the full report here.

Recommended Actions:

  • Only download KeePass and other sensitive software from official sources.
  • Avoid clicking on advertisements, even if they appear to link to legitimate URLs. Threat actors have demonstrated the ability to spoof URLs in ads to redirect users to malicious sites.
  • Verify digital signatures and checksums where possible before installing software.
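The last recommendation above is only useful if the checksum is actually compared correctly. The following is an added example (not Quest's or the KeePass project's code) of verifying a downloaded installer against a sha256sum-style manifest published by a vendor: it hashes the file in chunks, uses a constant-time comparison, and refuses malformed expected values rather than silently passing them. The manifest line, file name and file contents in the demo are constructed samples; real values come from the vendor's official download page.

```python
"""Verify a downloaded installer against a published SHA-256 before running it.

Added example, not Quest's or the KeePass project's code. The manifest text,
file name and file contents used in demo_roundtrip() are constructed samples.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Dict

# Standard SHA-256 test vector for the three bytes b"abc" (FIPS 180 example),
# used here as a known answer so the check is not purely self-referential.
SHA256_OF_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def parse_checksum_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <filename>', with an optional '*'
    marking binary mode) into {filename: hex}. Lines that do not fit the shape
    (comments, blank lines, other hash lengths) are ignored."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        table[parts[1].strip().lstrip("*")] = parts[0].lower()
    return table


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in 1 MiB chunks so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Path, expected_hex: str) -> bool:
    """True only if the file's SHA-256 equals expected_hex.

    A malformed expected value (wrong length, non-hex characters) raises
    instead of returning False, so a copy-paste error is not mistaken for a
    tampered file, and the comparison is constant-time."""
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected SHA-256 must be 64 hex characters")
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo_roundtrip() -> Dict[str, bool]:
    """Constructed scenario: a known-answer check, a good download verified
    through a manifest, and the same file after a one-byte append."""
    with tempfile.TemporaryDirectory() as tmp:
        abc = Path(tmp) / "abc.bin"
        abc.write_bytes(b"abc")
        known_answer = verify_download(abc, SHA256_OF_ABC)

        installer = Path(tmp) / "keepass-setup-sample.exe"  # constructed name
        installer.write_bytes(b"MZ" + b"\x00" * 4096 + b"constructed sample payload")
        manifest = f"# constructed manifest\n{sha256_of_file(installer)}  *{installer.name}\n"
        expected = parse_checksum_manifest(manifest)[installer.name]
        original_ok = verify_download(installer, expected)

        installer.write_bytes(installer.read_bytes() + b"\x00")  # tamper
        tampered_ok = verify_download(installer, expected)
    return {"known_answer": known_answer, "original": original_ok, "tampered": tampered_ok}


if __name__ == "__main__":
    print(demo_roundtrip())
```

A checksum only proves the file matches what the page you copied the hash from says; if that page is itself a spoofed download site, the hash will match the trojan. The page's own advice therefore still stands: take both the installer and the checksum from the official source, and prefer a signed installer where the vendor provides one.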

We urge all users to remain vigilant and review any recent KeePass installations for signs of compromise.

April 2025

Security Advisory: Threat Actors Breach and Spread in Under an Hour – Auto-Containment (4/30):

Quest is issuing this urgent security alert to highlight a critical and rapidly growing threat we have observed in the field. Threat actors are breaching and spreading through systems faster than ever, with the average breakout time dropping from over an hour in 2022 and 2023 to under 48 minutes today—and in some cases, less than 1 minute. A significant number of these attacks occur on weekends or after business hours, leaving organizations vulnerable during off-peak times.

Call to Action:

  • Review and Enable Auto-Containment:
    • Auto-containment for endpoint protection is critical but often not enabled by default on most security tools.
    • Assess its availability and discuss the need for enablement within your organization.
  • Utilize Advanced Cybersecurity Tools:
    • Consider tools that automatically contain threats based on device or user behavior to improve response times and limit damage.

Why This Matters:

Today’s cybercriminals move quickly after gaining access, making lateral movement from one system to the next before teams even detect their presence. This can lead to severe consequences, including:

  1. Ransomware spreading across servers within hours.
  2. Stolen credentials used for privilege escalation.
  3. Sensitive data stolen before any alerts are triggered.
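The breakout pattern described above (one account reaching many hosts in well under an hour, often on a weekend) is something a SIEM rule can watch for directly. The following is an added example, not Quest's or any EDR vendor's logic, that scans authentication events for an account touching at least four distinct target hosts inside a 48-minute window and notes whether the activity fell outside business hours. The log lines are constructed samples in a simplified "timestamp user source_host target_host" layout, not any product's real format; a real deployment would map its own source (Windows 4624 logon events, VPN logs, and so on) onto those four fields. The business-hours definition (07:00 to 19:00, timestamps already in local time) is an assumption to adjust for real data.

```python
"""Flag accounts that fan out to many distinct hosts within a short window.

Added example, not Quest's or any EDR vendor's detection logic. SAMPLE_LOG is
constructed: 2025-04-26 is a Saturday, 2025-04-28 a Monday.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: 'jdoe' reaches five servers in six minutes at 02:00 on a
# Saturday; 'asmith' shows an ordinary Monday pattern.
SAMPLE_LOG = """\
2025-04-26T02:03:11Z jdoe WS-014 FS-01
2025-04-26T02:05:40Z jdoe WS-014 FS-02
2025-04-26T02:06:02Z jdoe WS-014 SQL-01
2025-04-26T02:07:55Z jdoe WS-014 DC-01
2025-04-26T02:09:10Z jdoe WS-014 APP-03
2025-04-28T08:30:00Z asmith WS-022 FS-01
2025-04-28T09:15:00Z asmith WS-022 FS-01
2025-04-28T14:40:00Z asmith WS-022 PRINT-01
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, user, source host, target host)


def parse_line(line: str) -> Event:
    """Parse one simplified log line; 'Z' is rewritten so fromisoformat()
    accepts it on every supported Python version."""
    ts, user, src, dst = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, src, dst


def off_hours(ts: datetime) -> bool:
    """Weekend, or outside 07:00-19:00. Assumption: timestamps are already in
    the business's local time zone."""
    return ts.weekday() >= 5 or not (7 <= ts.hour < 19)


def find_breakouts(log_text: str, window: timedelta = timedelta(minutes=48),
                   host_threshold: int = 4) -> Dict[str, Dict[str, object]]:
    """For each user, find the largest set of distinct target hosts reached
    inside any span of length `window`; report users at or above the threshold.
    The 48-minute default is the average breakout time quoted in the advisory."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_user[event[1]].append(event)

    findings: Dict[str, Dict[str, object]] = {}
    for user, events in by_user.items():
        events.sort()  # chronological, so each slice below is a forward window
        best_hosts: set = set()
        best_start = events[0][0]
        for i, (start, _, _, _) in enumerate(events):
            hosts = {dst for ts, _, _, dst in events[i:] if ts - start <= window}
            if len(hosts) > len(best_hosts):
                best_hosts, best_start = hosts, start
        if len(best_hosts) >= host_threshold:
            findings[user] = {
                "hosts": sorted(best_hosts),
                "window_start": best_start,
                "off_hours": off_hours(best_start),
            }
    return findings


if __name__ == "__main__":
    for user, info in find_breakouts(SAMPLE_LOG).items():
        flag = " (off-hours)" if info["off_hours"] else ""
        print(f"{user}: {len(info['hosts'])} hosts from {info['window_start']}{flag}: {info['hosts']}")
```

The threshold and window are the knobs to tune against your own baseline: service accounts and administrators legitimately touch many hosts, so in practice this rule is scoped to interactive user accounts or paired with an allow-list, and the off-hours flag is what lifts the alert's priority so an auto-containment action (isolate the source host) can fire without waiting for an analyst.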

Real-World Example:

A midsize financial firm fell victim to a phishing attack. Without endpoint isolation, the attacker compromised a single device and spread to encrypt most of the network within 90 minutes. The result? Ransom demands and several days of costly downtime.

What the Experts Say:

What This Means For You:

  • If You Have Auto-Containment:
    • Ensure it is enabled immediately.
    • Activate your incident response plan promptly in the event of a suspected threat.
  • If You Don’t Have Auto-Containment:
    • You’re at increased risk of delayed containment, greater damage from fast-moving threats, and extended recovery times. Consider upgrading to a solution that includes automated threat containment.

Contact our team if you’d like to review your current setup, and we’ll arrange a call.

Security Advisory: Critical Update Required for Microsoft Entra Connect Sync (4/24):

Microsoft has announced a critical update affecting Microsoft Entra Connect Sync, the tool used to synchronize on-premises Active Directory with Microsoft Entra ID (Azure AD). Unless environments are updated before April 30, 2025, key functions within the tool will cease to operate.

Link to source(s):

Microsoft Entra Connect Sync Update

If your environment is using Microsoft Entra Connect Sync (formerly Azure AD Connect) with a version lower than v2.4.18.0, your environment will be impacted. While core synchronization will continue, the ability to manage or reconfigure the sync tool will be significantly degraded.

If you have any questions about how this may affect your environment or how Quest can assist, please reach out to our team. We’re here to help.

Security Advisory: Fortinet Post-Exploitation Technique for Known Vulnerabilities (4/11):

Quest has been notified of a Fortinet advisory regarding a new post-exploitation technique for known vulnerabilities. Fortinet is aware of a threat actor that, after exploiting previously known Fortinet RCE vulnerabilities in FortiOS and FortiGate products, created a malicious file on the device. This malicious file could enable read-only access to files on the device’s file system, which may include configurations.

Link to source(s):

Analysis of Threat Actor Activity | Fortinet Blog

Recommended Steps to Execute in Case of a Compromised Host

Recommendation:

  • Upgrade to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 to remove the malicious file and prevent re-compromise.
  • Review the configuration of all devices.
  • Reset potentially exposed credentials.
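Several of the advisories on this page (the Veeam builds of 10/14, Entra Connect Sync of 4/24, and the FortiOS versions directly above) come down to "is the installed build at or past the fixed build?", and the FortiOS list shows why a naive comparison gets that wrong: a device on 7.6.0 is higher than 7.4.7 yet still needs 7.6.2, because fixes are released per branch. The following is an added example, not Quest's or any vendor's tooling, of a branch-aware version check. The fixed build numbers are the ones quoted in the advisories on this page; the inventory in the demo is constructed sample data, and a branch the advisory does not list (FortiOS 6.2.x, a Veeam v11 server) is reported as "no fix listed" for a human to decide rather than as patched.

```python
"""Branch-aware check of installed builds against the fixed builds named in the
advisories. Added example; not Quest's or any vendor's tooling. Fixed build
numbers are those quoted on this page; the inventory in the demo is
constructed sample data."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'12.3.2.3617' -> (12, 3, 2, 3617). Tuples compare numerically, so
    '12.3.2.4165' > '12.3.2.3617' holds and '9.0' is not greater than '12.0',
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.strip().split("."))


# product -> (branch length, fixed builds). The branch length is how many
# leading version components must match before a fixed build applies:
#   0  one fix covers every version (Entra Connect Sync: anything below 2.4.18.0)
#   1  fix applies within a major version (Veeam v12 -> 12.3.2.4165)
#   2  fix applies per release train (FortiOS 7.6.x -> 7.6.2, 7.4.x -> 7.4.7, ...)
FIXED_BUILDS: Dict[str, Tuple[int, List[str]]] = {
    "Veeam Backup & Replication": (1, ["12.3.2.4165"]),
    "Veeam Agent for Microsoft Windows": (1, ["6.3.2.1302"]),
    "Microsoft Entra Connect Sync": (0, ["2.4.18.0"]),
    "FortiOS": (2, ["7.6.2", "7.4.7", "7.2.11", "7.0.17", "6.4.16"]),
}


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Classify one installed build.

    Returns ('patched', None), ('update', <target build>), or
    ('no-fix-listed', None). The last case means the advisory names no fixed
    build for that branch (FortiOS 6.2.x, a Veeam v11 server). The Veeam
    advisory says unsupported versions should be treated as at risk, so that
    result needs a human decision, not a green tick.
    """
    branch_len, fixes = FIXED_BUILDS[product]
    have = parse_version(installed)
    for fix in fixes:
        target = parse_version(fix)
        if have[:branch_len] == target[:branch_len]:
            return ("patched", None) if have >= target else ("update", fix)
    return ("no-fix-listed", None)


def assess_inventory(
    inventory: List[Tuple[str, str, str]]
) -> List[Tuple[str, str, str, Optional[str]]]:
    """Run assess() over (hostname, product, installed) rows and return
    (hostname, product, status, target) rows with unpatched hosts first."""
    rows = [(host, product, *assess(product, ver)) for host, product, ver in inventory]
    return sorted(rows, key=lambda row: row[2] == "patched")


if __name__ == "__main__":
    # Constructed sample inventory, not a real environment.
    demo = [
        ("vbr-01", "Veeam Backup & Replication", "12.3.2.3617"),
        ("vbr-02", "Veeam Backup & Replication", "12.3.2.4165"),
        ("aadc-01", "Microsoft Entra Connect Sync", "2.4.17.0"),
        ("fw-edge", "FortiOS", "7.6.0"),
        ("fw-branch", "FortiOS", "7.4.7"),
        ("fw-legacy", "FortiOS", "6.2.15"),
    ]
    for host, product, status, target in assess_inventory(demo):
        print(f"{host:10} {product:34} {status:14} {target or ''}")
```

Feeding this from a real inventory is the only hard part: the installed version has to come from the device or management console itself, not from a spreadsheet, because the 10/14 Veeam advisory and the earlier 3/19 one fix different builds and a server "patched" in March still shows as "update" here.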

If you need assistance with reviewing, upgrading, or resetting credentials for FortiOS and FortiGate products, or if you would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.


March 2025

Security Advisory: Stay Alert – Phishing Attacks Are Becoming More Believable (3/26):

Cybercriminals are making phishing attacks more convincing by mimicking emails you expect to receive. These fraudulent messages often appear to come from trusted sources, such as:

  • Internal departments (HR, IT, Finance)
  • Popular services (Microsoft, Google, Amazon)
  • Known colleagues or vendors

They frequently create a sense of urgency, prompting actions like updating passwords, entering credentials to view a shared file link, confirming payments, or opening an important document attachment. Clicking on a malicious link or attachment is a common tactic used to gain initial access, which can result in credential theft, ransomware, or data breaches.

Quest is assisting customers in implementing configurations and features to defend against phishing and unauthorized access. These measures include:

Technical Defenses

  • Configuring email filtering
  • Enabling audit logs and alerts for unusual activity
  • Utilizing phishing-resistant multifactor authentication (MFA)
  • Enforcing DMARC, DKIM, and SPF protocols
  • Restricting file-sharing permissions
  • Implementing data loss prevention (DLP) measures
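"Enforcing DMARC, DKIM, and SPF" here, and the "strict DMARC, SPF, and DKIM policies" the Direct Send advisory (7/16) calls for, mean specific record settings: an SPF record that ends in `-all` and stays under the ten-lookup limit, and a DMARC record at `p=reject` with `pct=100` and a reporting address. The following is an added example, not Quest's or Microsoft's tooling, that parses both record types and grades them against that bar, showing a weak pair beside a strict pair. The records are constructed samples, not any real domain's DNS; in practice you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` (for instance with dnspython) and pass the strings in unchanged. DKIM is not graded because a selector cannot be discovered from DNS alone.

```python
"""Grade SPF and DMARC TXT records against the strict settings the advisories
ask for. Added example, not Quest's or Microsoft's tooling; the sample records
are constructed and belong to no real domain."""
import re
from typing import Dict, List, Optional

# Constructed samples: a permissive pair and the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mailer.example a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRICT_SPF = "v=spf1 include:_spf.mailer.example -all"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net"

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 section 4.6.4
# allows at most 10 per evaluation, after which receivers return permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms, the qualifier on 'all'
    ('-' hard fail, '~' soft fail, '?' neutral, '+' pass everything, None if
    absent) and the number of lookup-costing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[str] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"
        else:
            mechanisms.append(term)
    lookups = sum(
        1 for t in mechanisms
        if re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in LOOKUP_TERMS
    )
    return {"mechanisms": mechanisms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        raise ValueError("not a DMARC record")
    tags: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def grade(spf_record: str, dmarc_record: str) -> List[str]:
    """Return findings; an empty list means both records meet the strict bar."""
    findings: List[str] = []
    spf = parse_spf(spf_record)
    if spf["all"] is None:
        findings.append("SPF has no 'all' term (evaluates as neutral); append '-all'")
    elif spf["all"] != "-":
        findings.append(f"SPF ends with '{spf['all']}all'; use '-all' so unlisted senders hard-fail")
    if spf["lookups"] > 10:
        findings.append(f"SPF needs {spf['lookups']} DNS lookups; above 10 receivers return permerror")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if not policy:
        findings.append("DMARC has no p= tag; the record is invalid and ignored")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine; tighten to p=reject once reports are clean")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC pct={dmarc['pct']} applies the policy to only part of the mail")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address; no aggregate reports will arrive")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(f"{label}: {grade(spf, dmarc) or ['no findings']}")
```

Move through the DMARC policies in order (none, then quarantine, then reject) while reading the aggregate reports that `rua=` delivers; going straight to `p=reject` before every legitimate sender (ticketing systems, printers, marketing platforms) is covered by SPF or DKIM is how organisations end up bouncing their own mail.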

Establishing a Response Plan

  • Developing an incident response plan
  • Conducting tabletop exercises
  • Running phishing simulations

Stay vigilant and think before you click. Please contact us if you’d like to schedule a meeting to review your defenses.

Security Advisory: Critical Vulnerabilities in Veeam Backup and Replication Products (3/19):

Quest has been notified of a security advisory addressing critical vulnerabilities in Veeam Backup and Replication products. Veeam has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products, as listed in their Security Advisory.

Vendor: Veeam

CVE(s): CVE-2025-23120

CVSS: 9.9 Critical

Exploited in the wild: Unknown

Impacted Products: Veeam Backup & Replication 12.3.0.310 and all earlier version 12 builds.

Description: A vulnerability allowing remote code execution (RCE) by authenticated domain users.

Impact: An unauthenticated attacker could initiate a remote code execution, leading to unauthorized access to the backup server.

Note: This vulnerability only impacts domain-joined backup servers, which is against the Security & Compliance Best Practices.

Link to source(s): https://www.veeam.com/kb4649

IOC Available: No

Recommendation: Review applicability, apply the update released by Veeam as soon as possible, and continue to follow Veeam Security Best Practices.

If you need assistance with reviewing and patching impacted Veeam Backup and Replication products, or if you would like to discuss these vulnerabilities in more detail, please let us know, and we will set up a call.

Security Advisory: Action Required – Review Disaster Recovery Plans for Azure Services (3/18):

The Quest team is strongly advising clients to review their disaster recovery plans. Relying solely on hyperscalers (AWS, Azure, Google, etc.) or Software as a Service (SaaS) vendors may not provide sufficient recovery capabilities, particularly in the event of a ransomware attack. Starting March 31, 2025, Azure will discontinue automatic disaster recovery for App Service web applications. This change means that in the event of a regional outage, applications will no longer fail over automatically to another region.

To improve your resilience, we strongly recommend evaluating your ability to recover in the event of a ransomware incident. Implementing ransomware-proof solutions can save your organization millions of dollars and reduce significant recovery times.

If you’d like to discuss or review your current disaster recovery plans, please contact us. We’re reaching out as a security advisor because we’ve seen many clients caught off guard by ransomware threats, resulting in avoidable disruptions.

Security Advisory: Critical Vulnerabilities in Broadcom VMware Products (3/4):

Quest has been notified of a security advisory addressing critical vulnerabilities in Broadcom VMware products. Broadcom has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products listed in their Security Advisory.

Vendor: Broadcom/VMware

CVE(s): CVE-2025-22224, CVE-2025-22225, CVE-2025-22226

CVSS: 7.1 – 9.3 Critical

Currently Exploited in the wild: Yes

Description: Multiple vulnerabilities in VMware ESXi and Workstation include a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write.

Impact: A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.

Workarounds / Mitigations: None

Link to source(s): Broadcom Security Advisory

IOC Available: No

Recommendation: Review applicability and apply the update released by Broadcom as soon as possible.
