Customer Security Newsletter - April 2025

Welcome to the April 2025 MEDITECH Customer Security Newsletter, where we provide information and resources to give you insight into the security challenges facing your organization and the healthcare community as a whole. Here we endeavor to provide useful information to help you improve your organization's security posture. This data has been gleaned from a review of public records on file with CISA, H-ISAC and Health Sector Cybersecurity Coordination Center (HC3) alerts. Please note the Talk to Us section, as we would like to tailor future editions of the newsletter to address specific concerns.

Known Exploited Vulnerabilities

From March 12, 2025 until the writing of this bulletin, there have been nineteen known exploited vulnerabilities added to CISA's list. They are CVE-2017-12637, CVE-2019-9874, CVE-2019-9875, CVE-2024-20439, CVE-2024-48248, CVE-2024-53150, CVE-2024-53197, CVE-2025-1316, CVE-2025-2783, CVE-2025-21590, CVE-2025-22457, CVE-2025-24201, CVE-2025-24472, CVE-2025-24813, CVE-2025-29824, CVE-2025-30066, CVE-2025-30154, CVE-2025-30406, and CVE-2025-31161.

All of these additions are based on evidence of active exploitation. Vulnerabilities of this type are a frequent attack vector for malicious cyber actors and pose significant risks. In the catalog, the CVEs are sorted by default with the most recently added first, and the list can be narrowed using the provided filters. This list was most recently reviewed on April 10, 2025.

Vulnerabilities for Hospitals to Watch Out For

These significant vulnerabilities have been shown to have been weaponized in February and March 2025. Intelligence reporting indicates that hospital infrastructure should be treated with a high degree of caution where these vulnerabilities are present.

  • CVE-2025-30406 (CRITICAL): This Gladinet CentreStack vulnerability involves the use of a hard-coded cryptographic key, potentially allowing unauthorized access and control.
  • CVE-2025-29824 (HIGH): This use-after-free vulnerability in the Microsoft Windows Common Log File System (CLFS) driver could allow attackers to execute arbitrary code.
  • CVE-2025-24985 (HIGH): This Windows Fast FAT File System Driver remote code execution vulnerability was actively exploited as a zero-day before patches were released in March 2025.
  • CVE-2025-24993 (HIGH): This Windows NTFS remote code execution vulnerability was actively exploited as a zero-day before patches were released in March 2025.
  • CVE-2025-25181 (HIGH): This SQL injection vulnerability in Advantive VeraCore software used for order fulfillment and warehouse management could lead to data breaches, unauthorized access, and data manipulation.
  • CVE-2025-30066 (HIGH): This authentication bypass vulnerability in the widely used tj-actions/changed-files GitHub Action allows for arbitrary code execution. While no active exploitation was confirmed at the time of the report, its severity warrants high caution.
  • CVE-2025-24472 (CRITICAL): A Fortinet FortiOS and FortiProxy authentication bypass vulnerability allows attackers to gain super-admin privileges remotely.
  • CVE-2025-24813 (CRITICAL): This is a remote code execution vulnerability in Apache Tomcat due to improper file path handling during partial PUT requests. This was actively discussed in underground forums with proof-of-concept code circulating.
  • CVE-2025-26319 (TBD) & CVE-2025-26633 (HIGH): These critical vulnerabilities in FlowiseAI and Microsoft Management Console involve arbitrary file upload and improper input validation, respectively, and are being actively weaponized for system infiltration.
  • CVE-2025-21333 (HIGH): This privilege escalation vulnerability in Microsoft Windows Hyper-V allows local attackers to gain SYSTEM-level privileges. Proof-of-concept exploits have emerged, increasing the risk.

News

CISA and Partners Issue Fast Flux Cybersecurity Advisory

On April 3, 2025, CISA joined the National Security Agency (NSA) and other government and international partners to release a joint Cybersecurity Advisory (CSA) that warns organizations, internet service providers (ISPs), and cybersecurity service providers about fast flux enabled malicious activities that consistently evade detection.

Health-ISAC Hacking Healthcare (Blog Entry)

On March 24, 2025, H-ISAC posted a blog entry outlining upcoming changes to cyber incident reporting requirements in Switzerland. This may be an indicator of changes to expect in the US and Canada, and it is worth your time to review and understand.

Additional Resources

Talk to us!

We at MEDITECH would love to hear your feedback about this newsletter and we’d like to know what is on your mind. Is there something you would like us to address?

We also have a question for you that is important to us. What are your largest concerns or security hopes for 2024?

Please let us know by contacting us!

Until next time, stay alert out there!