What this is: A plain-English summary of the most critical security vulnerabilities affecting UK SME infrastructure this month. No vendor sales pitches. No jargon for its own sake. Just the five vulnerabilities you need to know about, what they do, and what action to take. If you have questions about any of these in your specific environment, contact your 313SEC analyst directly.
OLE (Object Linking and Embedding) is the Windows technology that lets one document embed another object, for example a spreadsheet inside a Word file. A flaw in this component means an attacker can craft a malicious RTF or Office document that, when opened or merely previewed in Outlook, runs code on the victim's machine with no further interaction. No login and no elevated privileges are needed: the code runs as whichever user previewed the email, so standard-user accounts without local admin rights limit the damage but do not prevent it. Apply the Windows update; until it is deployed, configuring Outlook to read email in plain text is the standard interim mitigation, because it stops rich content from being rendered in the preview pane.
If your organisation uses Ivanti Connect Secure (VPN), Policy Secure or ZTA gateways, this vulnerability (CVE-2025-0282) lets an attacker on the internet run code on the appliance without logging in first. These appliances sit at the edge of the network, so a compromise gives attackers a foothold inside before any perimeter defence can respond. It was exploited as a zero-day before patches were available. Two practical points: patching alone does not evict an attacker who is already on the box, so run Ivanti's Integrity Checker Tool (ICT) before and after upgrading, and treat any failed check as a compromised appliance that needs a factory reset plus rotation of any credentials the VPN could reach.
Fortinet firewalls and proxies (FortiOS and FortiProxy) running affected versions have a flaw in the web management interface (CVE-2024-55591) that lets an attacker bypass login entirely and obtain super-admin access without credentials. Attackers are then creating new admin accounts and SSL VPN users to keep persistent access, so patching is only half the job: review the administrator list (System > Administrators, or `show system admin` in the CLI) and the SSL VPN users for anything you did not create, and check recent admin login events for sessions from unexpected source addresses. The management interface should not be reachable from the internet at all; if it is, restrict it to a management network or trusted addresses now. Fortinet gear is extremely common in UK SME deployments.
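To make the "look for accounts you did not create" step concrete, here is an added example (mine, not code from the original brief and not a Fortinet tool) that triages FortiOS event logs exported from the firewall or a syslog collector. The log lines are constructed for the example in the FortiOS key=value event-log style; the management subnet 10.10.0.0/24 and the account names are assumptions. It flags two things: successful admin logins with ui="jsconsole" or from an address outside the management network, which Fortinet's advisory for this bypass lists among its indicators, and configuration events that add a system.admin object.

```python
"""
Triage FortiOS event logs for signs of an admin-interface authentication bypass
being used for persistence: console-style ("jsconsole") admin logins, admin
logins from outside the management network, and configuration events that add
a system.admin object.

All log lines below are constructed for this example in the FortiOS key=value
event-log style; they are not real captures.
"""
import ipaddress
import re
from typing import Dict, List

# Assumption: the only network from which admin logins are expected.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample: a normal login, a jsconsole login from an external address,
# and the creation of a new admin account by that session.
SAMPLE_LOGS = [
    'date=2025-01-15 time=08:02:11 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" srcip=10.10.0.5 '
    'action="login" status="success"',
    'date=2025-01-15 time=03:14:07 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.7 '
    'action="login" status="success"',
    'date=2025-01-15 time=03:14:20 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" '
    'action="Add" cfgpath="system.admin" cfgobj="svcops" msg="Add system.admin svcops"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a field dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_trusted_source(ip: str) -> bool:
    """True if the address falls inside a trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def find_suspicious_events(lines: List[str]) -> List[str]:
    """Return one finding string per event that deserves a human's attention."""
    findings = []
    for line in lines:
        ev = parse_fortios_line(line)
        when = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        if ev.get("logdesc") == "Admin login successful":
            src = ev.get("srcip", "")
            ui = ev.get("ui", "")
            # jsconsole logins from a spoofed/random source address are the
            # tell-tale of this bypass; any login from outside the management
            # network is worth a look regardless.
            if ui.startswith("jsconsole") or not is_trusted_source(src):
                findings.append(f"{when}: admin login user={ev.get('user')} ui={ui} srcip={src}")
        elif ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
            findings.append(f"{when}: admin account '{ev.get('cfgobj')}' created "
                            f"by user={ev.get('user')} ui={ev.get('ui')}")
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_events(SAMPLE_LOGS):
        print(finding)
```

Run it over a log export rather than the embedded sample; a finding is a cue to compare the device's administrator list against your change records, not proof of compromise on its own.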
Simply browsing to a folder containing a maliciously crafted .library-ms file in Windows Explorer (including a folder extracted from a ZIP attachment) can make Windows connect to an attacker-controlled server and authenticate with the user's NTLM credentials. No clicking is required: a .library-ms file is a small XML Library definition, and if the location it points to is a UNC path on a remote host, Explorer contacts that host while rendering the folder. What leaks is the user's Net-NTLMv2 challenge-response, not the password itself; it can be cracked offline if the password is weak, or relayed to another internal service that does not require signing, to authenticate as that user. Patch, and in addition block outbound SMB (TCP 445) at the perimeter so the authentication never reaches the internet, and require SMB signing on internal servers to blunt relay.
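Because the file itself is plain XML, it is easy to hunt for before anyone browses to it. The following added example (mine, not the brief's and not a Microsoft tool) parses a constructed .library-ms document and reports any UNC location pointing at a host not on an allowlist; the allowlisted server names and the sample content are assumptions, while the element names and namespace are those of the Windows Library file format. Pointed at a Downloads or mail-attachment folder, it finds files that would trigger the outbound authentication described above.

```python
"""
Find Windows Library (.library-ms) files whose locations would make Explorer
connect, and authenticate, to a remote host simply because the containing
folder was displayed.

A .library-ms file is an XML document (namespace
http://schemas.microsoft.com/windows/2009/library) listing the folders a
Library aggregates under <searchConnectorDescription>/<simpleLocation>/<url>.
A <url> holding a UNC path to an untrusted host is the trigger.

CONSTRUCTED_SAMPLE and TRUSTED_HOSTS are assumptions made for this example.
"""
import os
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Assumption: file servers on which the organisation keeps shared folders.
TRUSTED_HOSTS = {"fileserver01", "fileserver01.corp.example"}

# Constructed sample: one legitimate internal share and one external host.
CONSTRUCTED_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\\\fileserver01\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\203.0.113.7\\drop</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def library_locations(xml_text: str) -> List[str]:
    """Return every <url> the library points Explorer at, in document order."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]


def unc_host(url: str) -> Optional[str]:
    """Host part of a UNC path (two leading backslashes); None for local paths."""
    if not url.startswith("\\\\"):
        return None
    host = url[2:].split("\\", 1)[0].lower()
    return host or None


def untrusted_remote_locations(xml_text: str) -> List[str]:
    """URLs that would make Explorer authenticate to a host outside the allowlist."""
    hits = []
    for url in library_locations(xml_text):
        host = unc_host(url)
        if host is not None and host not in TRUSTED_HOSTS:
            hits.append(url)
    return hits


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Walk a tree (e.g. a Downloads folder) and map each .library-ms file to its hits."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".library-ms"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8-sig") as fh:
                    hits = untrusted_remote_locations(fh.read())
            except (OSError, UnicodeDecodeError, ET.ParseError):
                continue  # unreadable or malformed: not a library file we can judge
            if hits:
                findings[full] = hits
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file_path, hits in scan_directory(sys.argv[1]).items():
            print(f"{file_path}: {hits}")
    else:
        print(untrusted_remote_locations(CONSTRUCTED_SAMPLE))
```

Given a directory argument it scans that tree; with no argument it checks the embedded sample. Known-folder entries (`knownfolder:{...}`) and local drive paths are ignored, since only UNC paths cause the outbound connection.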
An attacker who already holds administrator credentials for a Cisco Nexus switch can pass crafted arguments to certain configuration CLI commands and run commands on the underlying operating system as root. This has been exploited in the wild by the Velvet Ant threat actor group to gain persistent root access on network infrastructure. Lower severity than the others, because it needs valid credentials first, but highly impactful if your Nexus switches are not patched: a root shell on a core switch gives an attacker a quiet, long-lived position on the network. Patch, make sure switch admin credentials are not shared with general-purpose accounts, and review AAA accounting logs for configuration commands run by accounts or at times you do not expect.
This month's most relevant threat actor context for UK SMEs: Salt Typhoon, a Chinese state-sponsored group, has been observed actively targeting telecommunications and managed service providers across the UK and US. Their initial access method of choice this quarter has been exploiting the Fortinet and Ivanti vulnerabilities listed above. UK MSPs and companies with relationships to critical national infrastructure should treat the FortiOS and Ivanti patches above as urgent. The NCSC issued guidance in February recommending immediate action.
Both Play and Akira ransomware groups have been observed actively scanning UK IP ranges for unpatched Ivanti and Fortinet systems. Akira in particular has been targeting UK professional services firms (legal, accountancy, financial services): sectors with high-value data but often limited security resource. Unpatched perimeter appliances are their primary initial access method. If you are in these sectors, the Ivanti (CVE-2025-0282) and Fortinet (CVE-2024-55591) patches above are your immediate priority.
DISCLAIMER: This brief is produced for informational purposes and is accurate as of publication. CVE scores and exploitation status change — check vendor advisories for the latest status. This is not a substitute for formal vulnerability management. 313SEC GHOSTLINE clients receive real-time alerts when CVEs affect their specific deployed technology stack.