@arcticwolf.com
//
Trend Micro has released security updates to address critical vulnerabilities in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. These vulnerabilities, which include remote code execution and authentication bypass flaws, pose a significant risk to affected systems. The company urges administrators to apply the necessary security updates as soon as possible to mitigate potential exploitation. While Trend Micro states there is no evidence of active exploitation in the wild, the severity of the flaws necessitates immediate action.
One specific vulnerability, tracked as ZDI-25-371, exists within the Endpoint Encryption product and involves the DeserializeFromBase64String method. This flaw stems from a lack of proper validation of user-supplied data, which can lead to the deserialization of untrusted data. An attacker who successfully exploits this vulnerability can execute code in the context of SYSTEM, potentially gaining complete control over the affected system. Although authentication is required, the existing authentication mechanism can be bypassed, making exploitation easier. The vulnerabilities were reported to Trend Micro on October 11, 2024, by Piotr Bazydlo of Trend Micro's Zero Day Initiative. A coordinated public release of the advisory followed on June 11, 2025. Users of Apex Central and Endpoint Encryption (TMEE) PolicyServer products are advised to visit the Trend Micro website for details on obtaining and applying the necessary patches. Further information on the specific fixes can be found at https://success.trendmicro.com/en-US/solution/KA-0019928. Recommended read:
References :
Bill Toulas@BleepingComputer
//
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, have been identified in vBulletin forum software, impacting versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. The vulnerabilities enable API abuse and remote code execution, posing a significant threat to forums running the affected versions. Security experts warn that one of these vulnerabilities is already being actively exploited in the wild, making it crucial for administrators to take immediate action.
The flaws are rated as critical, with CVE-2025-48827 receiving a CVSS v3 score of 10.0 and CVE-2025-48828 receiving a score of 9.0. CVE-2025-48827 is an API method invocation issue, allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. The second flaw, CVE-2025-48828, enables attackers to run arbitrary PHP code by abusing template conditionals. Both vulnerabilities were discovered by security researcher Egidio Romano on May 23, 2025, and exploit attempts were observed in the wild shortly after disclosure. vBulletin users are urged to immediately apply patches released last year that remediate both vulnerabilities or to upgrade to the latest version 6.1.1. The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch. Security researchers recommend that defenders and developers review their frameworks and custom APIs, especially if they are dynamically routing controller methods through Reflection. They also suggest auditing access restrictions and examining application behavior across different PHP versions to prevent similar exploits. Recommended read:
References :
Andres Ramos@Arctic Wolf
//
Versa Concerto, a network security and SD-WAN orchestration platform, is facing scrutiny after the public disclosure of multiple unpatched vulnerabilities. ProjectDiscovery researchers revealed technical details on May 21, 2025, following a 90-day responsible disclosure period that began on February 13, 2025. The disclosed flaws include authentication bypasses, remote code execution (RCE), and container escapes, posing a significant threat to the platform and its underlying host systems. The platform is a Spring Boot-based application deployed via Docker containers and routed through Traefik, making it vulnerable to attacks targeting these components.
These vulnerabilities, when chained together, could allow a complete system compromise. One notable flaw, CVE-2025-34027, carries a maximum severity score of 10.0 and involves a URL decoding inconsistency issue. This could facilitate unauthorized access to file upload endpoints and enable remote code execution. Other critical vulnerabilities include CVE-2025-34026, an authentication bypass allowing access to administrative endpoints, and CVE-2025-34025, a privilege escalation leading to Docker container escape and code execution on the host machine. Despite the disclosure of these vulnerabilities, Versa Networks has stated that patches were implemented in early March and made publicly available in mid-April. According to a Versa Networks spokesperson, all affected customers were notified through established security and support channels with guidance on applying the recommended updates, and there is no indication that these vulnerabilities were exploited in the wild. However, ProjectDiscovery researchers initially noted the lack of patches, prompting the need for public disclosure after the 90-day deadline passed. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.
UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor. Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.
The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory. The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities. Recommended read:
References :
Sead Fadilpašić@techradar.com
//
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.
Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging the DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe. ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards. Recommended read:
References :
Rescana@Rescana
//
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.
Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts. The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is '/developmentserver/metadatauploader', which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise. Recommended read:
References :
|