Critical Patches Across Major Vendors Demand Action

When it rains, it pours for MSPs and MSSPs… coincidentally, it’s an unusually rainy day here in Las Vegas as I am writing this.

Last month, we covered an avalanche of network security issues affecting multiple vendors. This week, the spotlight is on the chip makers, ICS vendors, Microsoft Patch Tuesday, Adobe Patch Tuesday and more. 2025 is turning out to be relentless, so MSPs and MSSPs, buckle up! Here’s what you need to know to protect your clients effectively.

First, the chip makers

Intel, NVIDIA, and AMD all published security advisories this week.

  • Intel published 34 advisories, including patches for one critical and ten high severity issues. In their report, Intel also took a veiled shot at their competitors who also uncovered security issues, patting themselves on the back for how well they’ve handled these issues compared to their counterparts.
  • NVIDIA released patches for 4 issues, 2 high severity and 2 medium.
  • AMD published 11 advisories that also require attention.  

Not to be left behind, Qualcomm also recently released patches, though there have been none so far this week.

Although hardware and firmware-level patches often require system reboots and careful planning, leaving these vulnerabilities unaddressed creates significant risk for your clients' environments. Prioritize their remediation with a risk-based approach.

Then, the ICS vendors

For MSPs supporting industrial clients, two major ICS vendors have released critical updates:

  • Siemens has released patches for over 100 new vulnerabilities, including:
    • Remote code execution flaws
    • Insider attack vectors
    • Server-Side Request Forgery (SSRF) flaws
  • Schneider Electric patched 10 flaws across their ASCO Remote Annunciator, EcoStruxure, and Enerlin products.

Microsoft, Adobe, and Ivanti, Oh My

Microsoft released patches for 55 CVEs including 4 zero days as part of February Patch Tuesday this week. Two of these vulnerabilities are currently being exploited in the wild.

  • CVE-2025-21391 allows attackers to delete targeted files on the system, which can allow attackers to cover up their tracks and make forensic analysis harder.
  • CVE-2025-21418 is a privilege escalation vulnerability in AFD.sys.

Both of these vulnerabilities have already been added to CISA KEV. North Korea's Lazarus Group has exploited vulnerabilities similar to CVE-2025-21418 in the past, namely CVE-2024-38193. Stay tuned as there will be more on the topic coming soon.

Adobe plugged 45 security issues this week as well, which should all be patched when possible.  

Finally, Ivanti has released security updates to address multiple security flaws impacting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could be exploited to achieve arbitrary code execution.

Strategic Action Plan for MSPs and MSSPs

Immediate Actions

  1. Prioritize patches based on:
    • Active exploitation status
    • Available proof of concept exploits
    • CVSS scores
    • Client environment exposure
  2. Deploy mitigations for zero days and other vulnerabilities where possible until full remediation strategies are available.
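
One way to turn the four prioritization criteria above into a repeatable work order, as an added example (not Todyl's code). The tiering, the exposure weights, the client names, the placeholder IDs and the CVSS values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights: how reachable the affected asset is in the client environment.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.4}

@dataclass(frozen=True)
class Finding:
    client: str
    vuln_id: str
    cvss: float        # base score (constructed sample values below)
    exploited: bool    # active exploitation, e.g. a CISA KEV entry
    poc_public: bool   # proof-of-concept exploit available
    exposure: str      # key of EXPOSURE_WEIGHT
    patchable_now: bool = True  # False if the fix needs a maintenance window

def tier(f):
    """0 = exploited in the wild, 1 = public PoC, 2 = everything else."""
    if f.exploited:
        return 0
    return 1 if f.poc_public else 2

def rank(findings):
    """Order work: tier first, then CVSS scaled by exposure (highest first)."""
    def key(f):
        return (tier(f), -f.cvss * EXPOSURE_WEIGHT[f.exposure], f.client, f.vuln_id)
    return sorted(findings, key=key)

def action(f):
    """Immediate action: patch, or mitigate while the patch is pending."""
    if f.patchable_now:
        return "patch"
    return "mitigate-now" if tier(f) < 2 else "schedule-window"

# Constructed sample queue; CVSS values and client names are illustrative only.
QUEUE = [
    Finding("client-a", "PLACEHOLDER-FIRMWARE-1", 9.1, False, False, "isolated", False),
    Finding("client-a", "CVE-2025-21418", 7.8, True, False, "internal"),
    Finding("client-b", "PLACEHOLDER-VPN-1", 8.0, False, True, "internet", False),
    Finding("client-b", "CVE-2025-21391", 7.1, True, False, "internet"),
]

if __name__ == "__main__":
    for f in rank(QUEUE):
        print(f"tier {tier(f)}  {f.client:9} {f.vuln_id:24} {action(f)}")
```

In the sample queue the item with the highest CVSS score ranks last, because it is neither exploited nor exposed, while the two exploited CVEs lead the list.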

This Week

  1. Review and update security products to ensure exploitation attempts are detected.
  2. Schedule maintenance windows for critical hardware and firmware updates.
  3. Coordinate with your MXDR provider to ensure proper detection and response coverage.

Long-term Planning

  1. Develop a systematic approach to handle hardware and firmware-level security updates.
  2. Create client-specific patch deployment strategies based on their risk profile.
  3. Document and regularly review patch management procedures.

Looking Ahead

The first quarter of 2025 has already demonstrated the increasing complexity of security patch management. MSPs must stay vigilant and maintain robust patch management processes to protect their clients effectively. In spite of it all, though, don’t forget to look up at the sky and smile every once in a while.
