Cisco Talos Update for FireSIGHT Management Center

Date: 2025-01-14

This SRU number: 2025-01-14-001
Previous SRU number: 2025-01-08-001
Corresponding SEU number: 2830

Applies to:

3D Sensor versions: 5.4+ / 6.x
Cisco FireSIGHT Management Center versions: 5.4+ / 6.x

SRU Change Summary:

Total new rules	26
Total rule modifications	3
Policy change	No

Note: Rule updates are cumulative, so you do not need to install prior updates before installing this one.

To review a cumulative list of recent feature updates and resolved issues since the last Rule Updates you imported, use the link provided from this advisory on the Sourcefire Customer Support Site.

Synopsis:

Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:

Microsoft Vulnerability CVE-2025-21189:
A coding deficiency exists in Microsoft MapUrlToZone that may lead to security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64454 through 64455, Snort 3: GID 1, SID 301122.

Microsoft Vulnerability CVE-2025-21219:
A coding deficiency exists in Microsoft MapUrlToZone that may lead to security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64456 through 64457, Snort 3: GID 1, SID 301123.

Microsoft Vulnerability CVE-2025-21269:
A coding deficiency exists in Microsoft Windows HTML Platforms that may lead to security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64452 through 64453, Snort 3: GID 1, SID 301121.

Microsoft Vulnerability CVE-2025-21292:
A coding deficiency exists in Microsoft Windows Search Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64448 through 64449, Snort 3: GID 1, SID 301119.

Microsoft Vulnerability CVE-2025-21299:
A coding deficiency exists in Microsoft Windows Kerberos that may lead to security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64446 through 64447, Snort 3: GID 1, SID 301118.

Microsoft Vulnerability CVE-2025-21309:
A coding deficiency exists in Microsoft Windows Remote Desktop Services that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SID 64432, Snort 3: GID 1, SID 64432.

Microsoft Vulnerability CVE-2025-21315:
A coding deficiency exists in Microsoft Brokering File System that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64450 through 64451, Snort 3: GID 1, SID 301120.

Microsoft Vulnerability CVE-2025-21354:
A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64444 through 64445, Snort 3: GID 1, SID 301117.

Microsoft Vulnerability CVE-2025-21362:
A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64435 through 64436, Snort 3: GID 1, SID 301114.

Microsoft Vulnerability CVE-2025-21365:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with: Snort 2: GID 1, SIDs 64433 through 64434, Snort 3: GID 1, SID 301113.

Talos has added and modified multiple rules in the file-office, file-other, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Importing an update:

You can view instructions for importing rule updates and SEUs on the Sourcefire Customer Support Site and in the user documentation for the Sourcefire 3D System.

Detailed instructions can be found on the Sourcefire Customer Support Site in the downloads section for each product.

For Assistance:

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about Cisco ASA devices, see What's New in Cisco Product Documentation.

Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service. If you have any questions or require assistance with Cisco ASA devices, please contact Cisco Support:

Note: To open a TAC request, you must first register for a Cisco.com user ID
Once you have a Cisco.com user ID, you may initiate or check on the status of a service request online or contacting the TAC by phone:

U.S. - 1-800-553-2447 Toll Free
International support numbers

For additional information on obtaining technical support through the TAC, please consult the Technical Support Reference Guide (PDF - 1 MB)

About Talos:

The Talos Security Intelligence and Research Group (Talos) is made up of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products that detects, analyzes and protects against both known and emerging threats. Talos maintains the official rule sets of Snort.org, ClamAV, SenderBase.org and SpamCop. The team's expertise spans software development, reverse engineering, vulnerability triage, malware investigation and intelligence gathering.