CyberSecurity news

FlagThis - #RCE

@arcticwolf.com //
Trend Micro has released security updates to address critical vulnerabilities in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. These vulnerabilities, which include remote code execution and authentication bypass flaws, pose a significant risk to affected systems. The company urges administrators to apply the necessary security updates as soon as possible to mitigate potential exploitation. While Trend Micro states there is no evidence of active exploitation in the wild, the severity of the flaws necessitates immediate action.

One specific vulnerability, tracked as ZDI-25-371, exists within the Endpoint Encryption product and involves the DeserializeFromBase64String method. This flaw stems from a lack of proper validation of user-supplied data, which can lead to the deserialization of untrusted data. An attacker who successfully exploits this vulnerability can execute code in the context of SYSTEM, potentially gaining complete control over the affected system. Although authentication is required, the existing authentication mechanism can be bypassed, making exploitation easier.

The vulnerabilities were reported to Trend Micro on October 11, 2024, by Piotr Bazydlo of Trend Micro's Zero Day Initiative. A coordinated public release of the advisory followed on June 11, 2025. Users of Apex Central and Endpoint Encryption (TMEE) PolicyServer products are advised to visit the Trend Micro website for details on obtaining and applying the necessary patches. Further information on the specific fixes can be found at https://success.trendmicro.com/en-US/solution/KA-0019928.

Recommended read:
References :
  • ZDI: Published Advisories: ZDI-25-371: Trend Micro Endpoint Encryption DeserializeFromBase64String Deserialization of Untrusted Data Remote Code Execution Vulnerability
  • BleepingComputer: Trend Micro fixes critical vulnerabilities in multiple products
  • BleepingComputer: Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products.
  • ZDI: Published Advisories: ZDI-25-373: Trend Micro Endpoint Encryption DbAppDomain Authentication Bypass Vulnerability
  • www.bleepingcomputer.com: Trend Micro fixes critical vulnerabilities in multiple products
  • securityaffairs.com: Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer
  • www.scworld.com: Trend Micro patches four 9.8 bugs in encryption PolicyServer products
  • arcticwolf.com: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • Arctic Wolf: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • The DefendOps Diaries: Trend Micro Addresses Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • arcticwolf.com: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • Arctic Wolf: Trend Micro Fixes Several Critical Vulnerabilities in Apex Central and Endpoint Encryption PolicyServer
  • www.techradar.com: Trend Micro patches several worrying security flaws, so update now

Bill Toulas@BleepingComputer //
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, have been identified in vBulletin forum software, impacting versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. The vulnerabilities enable API abuse and remote code execution, posing a significant threat to forums running the affected versions. Security experts warn that one of these vulnerabilities is already being actively exploited in the wild, making it crucial for administrators to take immediate action.

The flaws are rated as critical, with CVE-2025-48827 receiving a CVSS v3 score of 10.0 and CVE-2025-48828 receiving a score of 9.0. CVE-2025-48827 is an API method invocation issue, allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. The second flaw, CVE-2025-48828, enables attackers to run arbitrary PHP code by abusing template conditionals. Both vulnerabilities were discovered by security researcher Egidio Romano on May 23, 2025, and exploit attempts were observed in the wild shortly after disclosure.

vBulletin users are urged to immediately apply patches released last year that remediate both vulnerabilities or to upgrade to the latest version 6.1.1. The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch. Security researchers recommend that defenders and developers review their frameworks and custom APIs, especially if they are dynamically routing controller methods through Reflection. They also suggest auditing access restrictions and examining application behavior across different PHP versions to prevent similar exploits.

Recommended read:
References :
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityaffairs.com: SecurityAffairs reports Two flaws in vBulletin forum software are under attack.
  • BleepingComputer: Hackers are exploiting critical flaw in vBulletin forum software.
  • www.scworld.com: Attacks exploiting maximum severity vBulletin vulnerability ongoing

Andres Ramos@Arctic Wolf //
Versa Concerto, a network security and SD-WAN orchestration platform, is facing scrutiny after the public disclosure of multiple unpatched vulnerabilities. ProjectDiscovery researchers revealed technical details on May 21, 2025, following a 90-day responsible disclosure period that began on February 13, 2025. The disclosed flaws include authentication bypasses, remote code execution (RCE), and container escapes, posing a significant threat to the platform and its underlying host systems. The platform is a Spring Boot-based application deployed via Docker containers and routed through Traefik, making it vulnerable to attacks targeting these components.

These vulnerabilities, when chained together, could allow a complete system compromise. One notable flaw, CVE-2025-34027, carries a maximum severity score of 10.0 and involves a URL decoding inconsistency issue. This could facilitate unauthorized access to file upload endpoints and enable remote code execution. Other critical vulnerabilities include CVE-2025-34026, an authentication bypass allowing access to administrative endpoints, and CVE-2025-34025, a privilege escalation leading to Docker container escape and code execution on the host machine.

Despite the disclosure of these vulnerabilities, Versa Networks has stated that patches were implemented in early March and made publicly available in mid-April. According to a Versa Networks spokesperson, all affected customers were notified through established security and support channels with guidance on applying the recommended updates, and there is no indication that these vulnerabilities were exploited in the wild. However, ProjectDiscovery researchers initially noted the lack of patches, prompting the need for public disclosure after the 90-day deadline passed.

Recommended read:
References :
  • Arctic Wolf: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • The Hacker News: Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host
  • securityonline.info: Unpatched 0-Days (CVSS 10): Versa Concerto Flaws Threaten Enterprise Networks
  • BleepingComputer: Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
  • thecyberexpress.com: Versa Patches 3 Concerto SD-WAN Vulnerabilities, Including a Perfect 10.0
  • Arctic Wolf: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • www.scworld.com: Significant compromise possible with critical Versa Concerto flaws
  • arcticwolf.com: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • Blog: Project Discovery has disclosed several vulnerabilities in Versa Concerto, a tool used to configure and monitor Versa devices in networks.
  • Blog: Security researchers have identified several critical vulnerabilities in Versa Concerto, a centralized management platform for Versa Networks' SD-WAN and SASE solutions.
  • projectdiscovery.io: The Versa Concerto vulnerabilities were revealed by Project Discovery in a earlier this week, which said Versa hadn’t responded to the researchers’ disclosures that were first made in February.

info@thehackernews.com (The@The Hacker News //
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.

UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor.

Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities.

Recommended read:
References :
  • Cisco Talos Blog: Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
  • securityonline.info: Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382
  • The Hacker News: Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
  • BleepingComputer: Chinese hackers breach US local governments using Cityworks zero-day
  • bsky.app: Cisco Talos says a group tracked as UAT-6382 has used a recent Trimble CityWorks zero-day (CVE-2025-0944) to breach local governing bodies in the US
  • securityonline.info: SecurityOnline.info article on critical 0-day Cityworks flaw exploited by Chinese APT UAT-6382
  • malware.news: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Chinese Hackers Exploit Cityworks Zero-Day Vulnerability in US Local Governments
  • www.scworld.com: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Exploitation of Ivanti EPMM Vulnerabilities by Chinese Hackers: A Detailed Analysis
  • BleepingComputer: Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
  • securityaffairs.com: Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • blog.talosintelligence.com: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
  • www.techradar.com: The Chinese used the Cityworks bug to deploy Cobalt Strike beacons and backdoors.
  • www.cybersecuritydive.com: Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions.
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • Blog: The Chinese-speaking cyber-espionage group identified as UAT-6382 has been observed exploiting a critical vulnerability in Trimble's Cityworks software to infiltrate U.S. government networks.
  • StateScoop: Report: Chinese hackers used Cityworks vulnerability to deliver malware
  • Cisco Talos Blog: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.
  • hackread.com: Warnings on active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks.

info@thehackernews.com (The@The Hacker News //
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.

The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.

The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.

Recommended read:
References :
  • BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
  • The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
  • BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
  • Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
  • gbhackers.com: Gbhackers post on fortinet zero-day
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756
  • cert.europa.eu: 2025-019: Critical Vulnerabilities in Fortinet Products
  • RedPacket Security: Fortinet Products Multiple Vulnerabilities
  • securityaffairs.com: Fortinet fixed actively exploited FortiVoice zero-day
  • The Hacker News: Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • socradar.io: Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed
  • Tenable Blog: CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
  • The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
  • www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog
  • Rapid7 Cybersecurity Blog: CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

Sead Fadilpašić@techradar.com //
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.

Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging the DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe.

ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards.

Recommended read:
References :
  • securityonline.info: Critical Security Flaws Found in ASUS DriverHub: Update Immediately
  • Rescana: Vulnerabilities in ASUS DriverHub Exposed: CVE-2025-3462 and CVE-2025-3463 Analysis
  • cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution
  • securityaffairs.com: Researchers found one-click RCE in ASUS’s pre-installed software DriverHub
  • The DefendOps Diaries: ASUS DriverHub Vulnerability: Understanding and Mitigating CVE-2025-3463
  • The Hacker News: ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files
  • BleepingComputer: The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • bsky.app: ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • www.techradar.com: Details on ASUS DriverHub driver management tool targeted by RCE vulnerability
  • www.scworld.com: ASUS DriverHub vulnerabilities fixed
  • Tech Monitor: TechMonitor article about ASUS DriverHub security vulnerability
  • the420.in: The420.in
  • Blog: ASUS patches RCE flaw in DriverHub utility
  • socradar.io: CVE-2025-3462 & CVE-2025-3463: ASUS DriverHub Flaws Enable RCE

Rescana@Rescana //
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.

Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts.

The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is '/developmentserver/metadatauploader', which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise.

Recommended read:
References :
  • SOC Prime Blog: Zero-day vulnerabilities are no longer rare anomalies—they’re now a core weapon in the modern attacker’s arsenal, with exploitation activity escalating year over year.
  • Rescana: The recent discovery of a zero-day vulnerability in SAP NetWeaver Visual Composer has raised alarm bells across the...
  • The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • Anonymous ???????? :af:: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers