CyberSecurity news

FlagThis - #api

Ashish Khaitan@The Cyber Express //
Australia's national carrier, Qantas Airways, has disclosed a significant cyberattack affecting approximately six million customers. The breach occurred through unauthorized access to a third-party customer service platform used by a Qantas call center. Exposed data includes customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers; the company reports that no financial data, passport details, passwords, or login credentials were compromised. The airline detected the unusual activity on Monday and says it immediately took steps to contain the system.

Qantas has launched an investigation into the incident, working closely with government authorities and cybersecurity experts. The airline has notified Australia’s National Cyber Security Coordinator, the Australian Cyber Security Centre, the Privacy Commissioner, and the Federal Police, reflecting the severity of the situation. Initial reports suggest the Scattered Spider group, known for targeting the aviation sector, may be linked to the attack. Qantas is also enhancing security measures by tightening access controls and improving system monitoring.

Vanessa Hudson, Qantas Group Managing Director, has sincerely apologized to customers, acknowledging the uncertainty caused by the breach. A special customer support hotline and dedicated webpage have been established to provide information and assistance to those affected. While Qantas assures that the cyberattack has not impacted flight operations or the safety of the airline, cybersecurity experts warn that the stolen customer data could potentially be used for identity theft and other fraudulent activities. This incident underscores the importance of robust cybersecurity measures and vigilance in protecting sensitive customer information, particularly within third-party platforms.



References :
  • techxplore.com: Australian airline Qantas says hit by 'significant' cyberattack
  • thecyberexpress.com: Australia’s Qantas Confirms Cyberattack: 6 Million Service Records Compromised
  • www.bleepingcomputer.com: Qantas discloses cyberattack amid Scattered Spider aviation breaches
  • www.it-daily.net: Australian airline Qantas victim of cyber attack
  • securityaffairs.com: Qantas confirms customer data breach amid Scattered Spider attacks
  • Malwarebytes: Qantas: Breach affects 6 million people, “significant” amount of data likely taken
  • Cybersecurity Blog: Qantas Data Breach: Scattered Spider Takes to the Skies?
  • Rescana: Qantas Airlines API Breach: Exploited Vulnerability Exposes 6 Million Customer Records
  • Talkback Resources: The Breach Beyond the Runway: Cybercriminals Targeted Qantas Through a Trusted Partner
  • techcrunch.com: Qantas hack results in theft of 6 million passengers’ personal data
  • www.qantas.com: Qantas statement about the incident.
  • Zack Whittaker: Weekly cybersecurity newsletter featuring Qantas' data breach.
Classification:
  • HashTags: #Qantas #Cyberattack #DataBreach
  • Company: Qantas
  • Target: Qantas customers
  • Product: Qantas Airways Limited
  • Feature: Customer service platform
  • Type: DataBreach
  • Severity: Major
Bill Toulas@BleepingComputer //
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, have been identified in vBulletin forum software, impacting versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. The vulnerabilities enable API abuse and remote code execution, posing a significant threat to forums running the affected versions. Security experts warn that one of these vulnerabilities is already being actively exploited in the wild, making it crucial for administrators to take immediate action.

Both flaws are rated critical: CVE-2025-48827 carries a CVSS v3 score of 10.0 and CVE-2025-48828 a score of 9.0. CVE-2025-48827 is an API method invocation flaw: on PHP 8.1 or later, unauthenticated users can invoke protected methods of the API controllers. vBulletin routes API calls to controller methods through Reflection, and PHP 8.1 stopped enforcing method visibility on Reflection invocations (setAccessible() became a no-op), so a check that held on older PHP releases silently disappeared. The second flaw, CVE-2025-48828, lets attackers run arbitrary PHP code by abusing template conditionals. Both vulnerabilities were disclosed by security researcher Egidio Romano on May 23, 2025, and exploit attempts were observed in the wild shortly after disclosure.

vBulletin users are urged to upgrade to the latest release, 6.1.1, or at least to apply Patch Level 1, which vBulletin released last year for the 6.* branch and which appears to have quietly fixed both flaws without a public advisory. Security researchers recommend that defenders and developers review their frameworks and custom APIs, especially where controller methods are routed dynamically through Reflection; audit the access restrictions on those methods rather than relying on language visibility; and test application behavior across PHP versions, since a runtime change such as PHP 8.1's relaxation of Reflection visibility checks can turn a long-standing assumption into an exploitable gap.
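The dispatch pattern the advisory warns about, as an added example that is not vBulletin's code. vBulletin is written in PHP; this Python block shows the same name-based routing so that it can be run anywhere. In PHP before 8.1, ReflectionMethod::invoke() refused protected methods unless setAccessible(true) had been called; since PHP 8.1 that refusal is gone, which is the position Python's getattr() has always been in: every attribute is reachable by name. The controller, method names and the `_api_exposed` marker below are invented for the example.

```python
"""Name-based controller dispatch: the vulnerable form beside a hardened one.

A router that turns a request parameter into a method name and invokes it
is only as safe as whatever gate sits between the name and the call. Relying
on the language's visibility rules (PHP's protected/private, Python's
leading underscore) is fragile: PHP 8.1 removed Reflection's visibility
enforcement, and Python never had any. The hardened dispatcher below makes
exposure an explicit, per-method decision of the application instead.
"""

from typing import Callable


def expose(fn: Callable) -> Callable:
    """Mark a controller method as callable from the API (invented marker)."""
    fn._api_exposed = True
    return fn


class UserController:
    """Hypothetical controller; names are constructed for the example."""

    @expose
    def profile(self, user_id: str) -> str:
        return f"profile of user {user_id}"

    def reset_password(self, user_id: str) -> str:
        # Internal helper: reachable by name, never meant to be an endpoint.
        return f"password reset for user {user_id}"


def dispatch_vulnerable(controller: object, method: str, args: list) -> str:
    """Invoke whatever the request names; nothing stops 'reset_password'.

    This mirrors a PHP 8.1+ Reflection router: the method name comes from
    the client and visibility no longer blocks the call.
    """
    return getattr(controller, method)(*args)


class NotExposed(Exception):
    pass


def dispatch_hardened(controller: object, method: str, args: list) -> str:
    """Invoke only methods the controller explicitly marked as exposed."""
    if method.startswith("_"):
        # Refuse dunder and private names outright, before any lookup.
        raise NotExposed(method)
    # Resolve on the class, not the instance, so runtime-set instance
    # attributes cannot masquerade as endpoints.
    fn = getattr(type(controller), method, None)
    if fn is None or not callable(fn) or not getattr(fn, "_api_exposed", False):
        raise NotExposed(method)
    return fn(controller, *args)


def demo() -> dict:
    """Run both dispatchers against the same request names."""
    ctl = UserController()
    results = {
        "profile_ok": dispatch_hardened(ctl, "profile", ["42"]),
        # The vulnerable router happily runs the internal helper.
        "vuln_reaches_internal": dispatch_vulnerable(ctl, "reset_password", ["42"]),
    }
    for name in ("reset_password", "__class__", "__init__"):
        try:
            dispatch_hardened(ctl, name, ["42"])
            results[name] = "allowed"
        except NotExposed:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow list is the part that survives a runtime upgrade: when auditing a framework that routes through Reflection, look for the equivalent of `_api_exposed` (an explicit registry, attribute or interface) and treat its absence as the finding.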



References :
  • securityaffairs.com: Two critical vulnerabilities in vBulletin forum software, CVE-2025-48827 and CVE-2025-48828, enable API abuse and remote code execution; one is actively exploited.
  • BleepingComputer: Hackers are exploiting a critical flaw in vBulletin forum software. Two critical vulnerabilities affect the open-source forum software, with one confirmed to be actively exploited.
Classification:
  • HashTags: #vBulletin #RCE #Vulnerability
  • Company: vBulletin
  • Target: vBulletin users
  • Product: vBulletin
  • Feature: API
  • Type: Vulnerability
  • Severity: Major
The Hacker News //
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.

The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.

The final stage is a multi-stage backdoor deployment. The "OMServerService.vbs" script invokes "OM.vbs" and "OMServerService.exe"; the latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com", for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activity.
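A hunt over endpoint telemetry for the indicators described above (the dropped file names, the startup-folder and Users\Public\Videos drop locations, and the server backdoor's C2 domain), as an added example that is not part of Microsoft's report. The events are constructed in a simplified Sysmon-like shape, not real logs; the host names, image paths and the benign `example.com` lookup are invented.

```python
"""Hunt constructed endpoint events for the Marbled Dust indicators above."""

import re
from pathlib import PureWindowsPath

# Indicators from the report: dropped file names, and the server backdoor's
# hard-coded C2 domain. The report defangs the domain as api.wordinfos[.]com;
# it is stored here in plain form so DNS events can be compared directly.
DROPPED_FILES = {"om.vbs", "omserverservice.vbs", "omserverservice.exe"}
C2_DOMAINS = {"api.wordinfos.com"}

# Drop locations: any Start Menu Startup folder (per-user or all-users), and
# the Public Videos directory on any drive letter.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
PUBLIC_VIDEOS = re.compile(r"^[a-z]:\\users\\public\\videos\\", re.IGNORECASE)

# Constructed sample events (not real telemetry). Three mimic the described
# chain on a server; two are benign noise from a workstation.
SAMPLE_EVENTS = [
    {"event": "FileCreate", "host": "omsrv01",
     "image": r"C:\Program Files\Output Messenger Server\OMServer.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OMServerService.vbs"},
    {"event": "FileCreate", "host": "omsrv01",
     "image": r"C:\Program Files\Output Messenger Server\OMServer.exe",
     "target": r"C:\Users\Public\Videos\OMServerService.exe"},
    {"event": "DnsQuery", "host": "omsrv01",
     "image": r"C:\Users\Public\Videos\OMServerService.exe",
     "query": "api.wordinfos.com"},
    {"event": "FileCreate", "host": "ws17",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Videos\holiday.mp4"},
    {"event": "DnsQuery", "host": "ws17",
     "image": r"C:\Program Files\Output Messenger\OutputMessenger.exe",
     "query": "example.com"},
]


def _basename(path: str) -> str:
    """Lower-cased final path component, parsed with Windows separators."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list[str]:
    """Return the name of every indicator rule the event matches."""
    hits = []
    if ev["event"] == "FileCreate":
        target = ev["target"]
        name = _basename(target)
        if name in DROPPED_FILES:
            hits.append("known_dropped_filename")
        if name.endswith(".vbs") and STARTUP_DIR.search(target):
            hits.append("vbs_in_startup_folder")
        if name.endswith(".exe") and PUBLIC_VIDEOS.search(target):
            hits.append("exe_in_public_videos")
    elif ev["event"] == "DnsQuery":
        # Normalise trailing dot and case before comparing to the IOC set.
        if ev["query"].lower().rstrip(".") in C2_DOMAINS:
            hits.append("c2_domain_lookup")
    return hits


def scan(events: list[dict]) -> list[dict]:
    """One finding per (event, matched rule), carrying the evidence."""
    findings = []
    for ev in events:
        for rule in check_event(ev):
            findings.append({
                "host": ev["host"],
                "rule": rule,
                "image": ev["image"],
                "evidence": ev.get("target") or ev.get("query"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} <- {f['evidence']} (by {f['image']})")
```

The location rules are deliberately independent of the file names, so a renamed dropper in the Startup folder or an unfamiliar executable under Users\Public\Videos still surfaces; the name and domain rules then raise confidence when they coincide on the same host.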



References :
  • BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
  • The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
  • BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
  • Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
  • gbhackers.com: Gbhackers post on fortinet zero-day
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756
  • cert.europa.eu: 2025-019: Critical Vulnerabilities in Fortinet Products
  • RedPacket Security: Fortinet Products Multiple Vulnerabilities
  • securityaffairs.com: Fortinet fixed actively exploited FortiVoice zero-day
  • The Hacker News: Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • socradar.io: Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed
  • Tenable Blog: CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
  • Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
  • The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
  • www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog
  • Rapid7 Cybersecurity Blog: CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products
Classification:
  • HashTags: #API #Zeroday #RCE
  • Company: Microsoft
  • Target: Kurdish military servers
  • Attacker: Türkiye-linked Hackers
  • Product: Output Messenger
  • Feature: Authenticated access
  • Malware: Golang
  • Type: 0Day
  • Severity: Critical