@cyberalerts.io
//
North Korean state-sponsored actor Konni, also known as TA406, has been observed targeting Ukrainian government entities in intelligence collection operations. Researchers at Proofpoint uncovered phishing campaigns initiated in February 2025, where the threat group delivered both credential harvesting tools and malware. These attacks are designed to gather intelligence on the trajectory of the Russian invasion, reflecting Konni's broader pattern of cyber espionage and information gathering. The group's activities extend beyond Ukraine, as they have historically targeted government entities in Russia for strategic intelligence purposes.
The phishing emails used in the attacks often impersonate think tanks and reference important political events or military developments to lure their targets. These emails contain links to password-protected RAR archives hosted on cloud services. Once opened, these archives launch infection sequences designed to conduct extensive reconnaissance of compromised machines. A common tactic involves using CHM files displaying decoy content related to Ukrainian military figures. Clicking on the decoy content triggers the execution of a PowerShell command, downloading a next-stage PowerShell payload from an external server.
This newly launched PowerShell script is capable of gathering detailed information about the compromised system, encoding it, and sending it back to the attacker's server. In some instances, Proofpoint observed HTML files being directly distributed as attachments, instructing victims to click embedded links to download ZIP archives containing malicious files. The ultimate goal of these campaigns is to collect intelligence relevant to the conflict, potentially to support North Korea's military involvement alongside Russia in Ukraine and assess the political landscape.
Recommended read:
References :
- thehackernews.com: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
- BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
- BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
- securityonline.info: In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts by The post appeared first on SecurityOnline.
- securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence
- www.bleepingcomputer.com: North Korea ramps up cyberspying in Ukraine to assess war risk
- www.proofpoint.com: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
- Virus Bulletin: Proofpoint researchers look into campaigns by Democratic People's Republic of Korea (DPRK) state-sponsored actor TA406 that target government entities in Ukraine.
@www.microsoft.com
//
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.
The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.
The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.
Recommended read:
References :
- The DefendOps Diaries: Understanding and Mitigating the Zero-Day Vulnerability in Output Messenger
- BleepingComputer: Output Messenger flaw exploited as zero-day in espionage attacks
- Microsoft Security Blog: Marbled Dust leverages zero-day in Output Messenger for regional espionage
- cyberinsider.com: Zero-day Flaw in Output Messenger Exploited in Espionage Attacks
- www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
- securityonline.info: Türkiye-Linked Hackers Exploit Output Messenger Zero-Day (CVE-2025-27920) in Espionage Campaign
- thecyberexpress.com: Türkiye-linked Hackers Exploit Output Messenger Zero-Day in Targeted Espionage Campaign
- CyberInsider: Zero-day Flaw in Output Messenger Exploited in Espionage Attacks
- The Register: Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq
- BleepingComputer: A Türkiye-backed cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users linked to the Kurdish military in Iraq.
- Talkback Resources: A Türkiye-backed cyberespionage group exploited a zero-day vulnerability in the Output Messenger messaging application, targeting users linked to the Kurdish military in Iraq.
- go.theregister.com: The Register article on Output Messenger Zero-Day
- securityonline.info: Microsoft Threat Intelligence has linked a regional cyber-espionage campaign exploiting a zero-day vulnerability in Output Messenger to the The post appeared first on SecurityOnline.
- securityaffairs.com: Security Affairs article on Output Messenger zero-day
- Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
- securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
- The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
- securityaffairs.com: A Türkiye-linked group used an Output Messenger zero-day to spy on Kurdish military targets in Iraq, collecting user data since April 2024.
@unit42.paloaltonetworks.com
//
A critical security flaw, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x is under active exploitation in the wild. This deserialization vulnerability allows unauthenticated remote code execution through malicious uploads to the `/developmentserver/metadatauploader` endpoint. Attackers are leveraging this flaw to deploy web shells and gain full control of vulnerable SAP servers. Forescout Vedere Labs researchers have linked ongoing attacks targeting this vulnerability to a Chinese threat actor dubbed Chaya_004. Evidence suggests opportunistic scanning and exploitation attempts against SAP systems have been occurring since late April 2025 across multiple industries.
The Chinese-speaking threat group tracked as Chaya_004 by Forescout has been actively exploiting the SAP NetWeaver vulnerability. The attackers have not only deployed classic web shells but have also installed sophisticated management backdoors like Supershell, a Go-based remote shell favored among Chinese APT operators. Forescout's adversary engagement environments detected mass scanning shortly after the public disclosure of the bug and its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The scanning activity primarily originated from Microsoft and Amazon cloud ASNs, indicating both benign research and malicious reconnaissance efforts.
Technical analysis of the attacker's infrastructure revealed a network of over 500 IPs, many hosted on leading Chinese cloud providers. This infrastructure contained not just Supershell but also an arsenal of penetration testing and asset discovery tools. The observed toolset includes NPS, SoftEther VPN, Cobalt Strike, ARL, Pocassit, Gosint, and bespoke tunnels written in Go. The use of Chinese cloud providers and Chinese-language tools strongly suggests the campaign is orchestrated by a seasoned Chinese threat actor. Applying the latest security patches is crucial for organizations to protect their SAP NetWeaver systems from potential compromise.
Recommended read:
References :
- Cyber Security News: A critical deserialization vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild, according to recent research by Forescout.
- The Hacker News: Hundreds of SAP NetWeaver instances hacked via a zero-day that allows remote code execution, not only arbitrary file uploads, as initially believed.
- fortiguard.fortinet.com: A zero-day SAP vulnerability, CVE-2025-31324, with CVSS score of 10.0 is being actively exploited in the wild.
- securityonline.info: From Web Shell to Full Control: APT-Style Exploits Surge Against SAP NetWeaver
- www.scworld.com: Remote code execution possible of SAP NetWeaver Visual Composer flaw rated 10.0.
- Unit 42: CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry.
- The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- The Hacker News: China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide
- EclecticIQ Blog: EclecticIQ analysts report that in April 2025, China-nexus APTs exploited SAP NetWeaver vulnerabilities to target critical infrastructures globally.
- securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
- cyberpress.org: EclecticIQ analysts have confirmed with high confidence that multiple China-nexus advanced persistent threat (APT) groups exploited a critical zero-day vulnerability in SAP NetWeaver Visual Composer, tracked as CVE-2025-31324, to breach critical infrastructure and enterprise networks globally.
- Onapsis: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
- The DefendOps Diaries: Understanding the Threat: CVE-2025-31324 and Its Impact on SAP NetWeaver
- Secure Bulletin: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
- www.techradar.com: SAP patches recently exploited zero-day in wake of NetWeaver server attacks
@unit42.paloaltonetworks.com
//
A critical vulnerability, CVE-2025-31324, affecting SAP NetWeaver is under active exploitation by China-linked Advanced Persistent Threat (APT) groups. This zero-day flaw, boasting a maximum CVSS score of 10.0, is an unauthenticated file upload vulnerability that grants attackers the ability to execute remote code on compromised systems. The vulnerability allows attackers to upload malicious files and gain unauthorized access, posing a significant threat to organizations relying on SAP systems and has led to breaches of critical systems worldwide.
Multiple Chinese hacking groups, including UNC5221, UNC5174, and CL-STA-0048, are leveraging CVE-2025-31324 to maintain persistent remote access, conduct reconnaissance, and deploy malicious programs. Attackers are exploiting this vulnerability to deploy web shells, maintain persistent access, and execute arbitrary commands on compromised systems. EclecticIQ researchers uncovered an exposed directory on attacker-controlled infrastructure, revealing that 581 SAP NetWeaver instances have already been compromised and backdoored with web shells.
The targets of these attacks include critical infrastructure sectors globally, ranging from natural gas distribution networks and water management utilities to medical device manufacturing plants and government ministries. Organizations are urged to immediately apply the emergency patches released by SAP to mitigate the risk of exploitation. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, further emphasizing the urgency for organizations to address this critical flaw to protect their systems and data from potential compromise.
Recommended read:
References :
- onapsis.com: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
- securityaffairs.com: Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324
- MSSP feed for Latest: Second Wave of Attacks Targets SAP NetWeaver
- The Hacker News: A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver.
- BleepingComputer: Chinese hackers behind attacks targeting SAP NetWeaver servers
- www.scworld.com: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
- The DefendOps Diaries: Explore the critical CVE-2025-31324 vulnerability in SAP NetWeaver, its exploitation by Chinese hackers, and essential mitigation steps.
- www.bleepingcomputer.com: Chinese hackers behind attacks targeting SAP NetWeaver servers
- Talkback Resources: A threat actor linked to China is exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) for remote code execution, targeting multiple industries globally, prompting the need for prompt patching and enhanced security measures.
- Unit 42: CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry.
- unit42.paloaltonetworks.com: CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry. The post appeared first on .
- bsky.app: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
- cyberpress.org: Chinese Hackers Leverage SAP RCE Vulnerability to Install Supershell Backdoors
- the420.in: Chinese Hackers Target SAP Systems in Global Cyber Campaign
- malware.news: SAP NetWeaver bug exploited since January, allows RCE
- fortiguard.fortinet.com: FortiGuard Threat Signal Report on SAP Netweaver Zero-Day
- securityonline.info: From Web Shell to Full Control: APT-Style Exploits Surge Against SAP NetWeaver
- securityonline.info: From Web Shell to Full Control: APT-Style Exploits Surge Against SAP NetWeaver
- Cyber Security News: A critical deserialization vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer 7.x, is being actively exploited in the wild, according to recent research by Forescout.
- The420.in: Details the exploitation of CVE-2025-31324 by a Chinese threat group, Chaya_004.
- The DefendOps Diaries: TheDefendOpsDiaries on SAP NetWeaver Vulnerabilities
- The Hacker News: The Hacker News article on China-Linked APTs exploiting SAP CVE-2025-31324
- Blog: Second zero-day in SAP NetWeaver actively exploited
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- securebulletin.com: China-Linked APTs exploit critical SAP NetWeaver vulnerability to breach over 580 systems globally
- EclecticIQ Blog: EclecticIQ analysts report that in April 2025, China-nexus APTs exploited SAP NetWeaver vulnerabilities to target critical infrastructures globally, leveraging CVE-2025-31324 for remote code execution and maintaining persistent access.
- The DefendOps Diaries: Understanding the Threat: CVE-2025-31324 and Its Impact on SAP NetWeaver
- Onapsis: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
- Secure Bulletin: SecureBulletin article on China-Linked APTs exploiting critical SAP NetWeaver vulnerability
Anna Ribeiro@Industrial Cyber
//
Fortinet's FortiGuard Labs has revealed a multi-year, state-sponsored cyber intrusion targeting critical infrastructure in the Middle East. The intrusion, attributed to an Iranian APT group likely Lemon Sandstorm, began as early as May 2023, with potential traces back to May 2021, and went undetected for nearly two years. Attackers gained initial access through compromised VPN credentials, deploying multiple web shells and custom backdoors throughout the infrastructure.
This Iranian APT exhibited significant operational discipline, constantly rotating tools, infrastructure, and access methods to maintain their foothold. After gaining access, they installed backdoors such as HanifNet, HXLibrary, and NeoExpressRAT. The attackers used in-memory loaders for Havoc and SystemBC to avoid detection, plus custom loaders to execute malware directly in memory, avoiding disk-based detection.
Throughout the campaign, FortiGuard Labs identified at least five novel malware families, including HanifNet, NeoExpressRAT, HXLibrary, RemoteInjector, and CredInterceptor. The attackers also modified legitimate OWA JavaScript files to silently siphon credentials, disguising malicious scripts as legitimate traffic. The attackers used open-source proxy tools such as plink, Ngrok, Glider Proxy, and ReverseSocks5 to circumvent network segmentation.
Recommended read:
References :
- securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
- industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
- Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.
- securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
info@thehackernews.com (The@The Hacker News
//
A long-term cyber intrusion aimed at critical national infrastructure (CNI) in the Middle East has been attributed to an Iranian state-sponsored threat group. The attack, which persisted from May 2023 to February 2025, entailed extensive espionage operations and suspected network prepositioning, a tactic used to maintain persistent access for future strategic advantage. The network security company noted that the attack exhibits tradecraft overlaps with Lemon Sandstorm (formerly Rubidium), also tracked as Parisite, Pioneer Kitten, and UNC757, an Iranian nation-state threat actor active since at least 2017.
The attackers gained initial access by exploiting stolen login credentials to access the victim's SSL VPN system, deploying web shells on public-facing servers, and deploying three backdoors: Havoc, HanifNet, and HXLibrary, for long-term access. They further consolidated their foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. In response to the victim's initial containment and remediation steps, the attackers deployed more web shells and two more backdoors, MeshCentral Agent and SystemBC.
Even after the victim successfully removed the adversary's access, attempts to infiltrate the network continued by exploiting known Biotime vulnerabilities and spear-phishing attacks aimed at employees to harvest Microsoft 365 credentials. Researchers identified an evolving arsenal of tools deployed throughout the intrusion, including both publicly available and custom-developed malware. The custom tools, such as NeoExpressRAT, a Golang-based backdoor with hardcoded command and control communication capabilities, allowed the threat actors to maintain persistent access while evading traditional detection methods.
Recommended read:
References :
- The Hacker News: An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years.
- cybersecuritynews.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
- gbhackers.com: Threat Actors Target Critical National Infrastructure with New Malware and Tools
- securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
- Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
- securityonline.info: Recently, the FortiGuard Incident Response (FGIR) team has released an in-depth analysis detailing a prolonged, state-sponsored intrusion into The post appeared first on .
- gbhackers.com: A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term cyber intrusion targeting critical national infrastructure (CNI) in the Middle East, attributed to an Iranian state-sponsored threat group.
- www.scworld.com: Middle Eastern critical infrastructure targeted by long-term Iranian cyberattack
- industrialcyber.co: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
- Industrial Cyber: Fortinet’s FortiGuard Labs uncovers multi-year state-sponsored cyber intrusion targeting Middle East critical infrastructure
- Virus Bulletin: Fortinet's IR team investigate an Iranian-led long-term intrusion on critical infrastructure in the Middle East. Attackers used stolen VPN creds, in-memory loaders for Havoc/SystemBC, and backdoors like HanifNet, HXLibrary, and NeoExpressRAT.
info@thehackernews.com (The@The Hacker News
//
Cybersecurity firm SentinelOne has become a prime target for state-sponsored threat actors from China and North Korea. SentinelOne, which provides autonomous endpoint protection using AI and machine learning to Fortune 10 and Global 2000 enterprises, government agencies, and managed service providers, is facing persistent cyber espionage and infiltration attempts. A recent analysis by SentinelOne revealed that Chinese actors are actively targeting both the company and its high-value clients, engaging in reconnaissance activities against SentinelOne’s infrastructure and specific organizations they defend.
SentinelOne uncovered a China-nexus threat cluster dubbed PurpleHaze, which conducted reconnaissance attempts against its infrastructure and some of its high-value customers. Researchers first became aware of this group during a 2024 intrusion against an organization that was previously providing hardware logistics services for SentinelOne employees. PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15 and has been observed targeting a South Asian government-supporting entity, employing an operational relay box (ORB) network and a Windows backdoor dubbed GoReShell.
North Korean actors have also been targeting SentinelOne, attempting to infiltrate the company through a fake IT worker campaign. The company is tracking approximately 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne and SentinelLabs Intelligence. SentinelOne has warned of threat actors targeting its systems and high-value clients, emphasizing that cybersecurity providers are attractive targets due to the potential for significant compromise and the insights into how thousands of environments and millions of endpoints are protected.
Recommended read:
References :
- securityaffairs.com: SentinelOne warns of threat actors targeting its systems and high-value clients
- The Hacker News: SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients
- www.techradar.com: SentinelOne targeted by Chinese espionage campaign probing customers and infrastructure
- www.scworld.com: Report: Cyber threats bombard cybersecurity vendors
@www.welivesecurity.com
//
A China-aligned advanced persistent threat (APT) group known as TheWizards is actively exploiting a vulnerability in IPv6 networking to launch sophisticated adversary-in-the-middle (AitM) attacks. These attacks allow the group to hijack software updates and deploy Windows malware onto victim systems. ESET Research has been tracking TheWizards' activities since at least 2022, identifying targets including individuals, gambling companies, and other organizations in the Philippines, the United Arab Emirates, Cambodia, mainland China, and Hong Kong. The group leverages a custom-built tool named Spellbinder to facilitate these attacks.
The Spellbinder tool functions by abusing the IPv6 Stateless Address Autoconfiguration (SLAAC) feature. It performs SLAAC spoofing to redirect IPv6 traffic to a machine controlled by the attackers, effectively turning it into a malicious IPv6-capable router. This enables the interception of network packets and DNS queries, specifically targeting software update domains. In a recent case, TheWizards hijacked updates for Tencent QQ, a popular Chinese software, to deploy their signature WizardNet backdoor.
ESET's investigation has also uncovered potential links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC. The attack chain typically involves an initial access vector followed by the deployment of a ZIP archive containing files such as AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. The execution of these files ultimately leads to the launch of Spellbinder, which then carries out the AitM attack. Researchers advise users to be cautious about software updates and monitor network traffic for any suspicious activity related to IPv6 configurations.
Recommended read:
References :
- BleepingComputer: A China-aligned APT threat actor named 'TheWizards' abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
- ESET Research: Details the toolset of the China-aligned APT group that we have named . It can move laterally on compromised networks by performing adversary-in-the-middle (AitM) attacks to hijack software updates.
- The Hacker News: Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool
- BleepingComputer: A China-aligned APT threat actor named 'TheWizards' abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
- www.welivesecurity.com: Links between and the Chinese company Dianke Network Security Technology, also known as UPSEC.
- www.bleepingcomputer.com: The China-aligned APT threat actor abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
- The DefendOps Diaries: Unveiling the Threat: How 'The Wizards' Exploit IPv6 for Cyber Attacks
- Security Risk Advisors: TheWizards APT Group Targets Southeast Asian Governments Using Rootkits and Cloud Tools
- bsky.app: TheWizards APT group abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware.
- cyberinsider.com: Chinese Hackers Use IPv6 SLAAC Spoofing to Deliver WizardNet Backdoor
- WeLiveSecurity: ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks
- www.scworld.com: IPv6 SLAAC exploited by Chinese APT for AitM attacks
- Blog: ‘TheWizards’ exploit IPv6 feature as part of AitM attacks
- Cyber Security News: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool
- cybersecuritynews.com: Hackers Abuse IPv6 Stateless Address For AiTM Attack Via Spellbinder Tool
- www.techradar.com: IPv6 networking feature hit by hackers to hijack software updates
- hackread.com: Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor
Ddos@securityonline.info
//
Cybersecurity firm SonicWall has issued warnings to its customers regarding active exploitation of several vulnerabilities affecting its Secure Mobile Access (SMA) appliances. These vulnerabilities, including CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035 can lead to unauthorized access to files and system compromise. Organizations utilizing SonicWall SMA 100 series appliances are strongly urged to apply the necessary patches immediately to mitigate the risk. The active exploitation highlights the critical need for organizations to maintain up-to-date security measures and promptly address security advisories from vendors.
Specifically, CVE-2024-38475 is a critical severity flaw affecting the mod_rewrite module of Apache HTTP Server, potentially allowing unauthenticated remote attackers to execute code. SonicWall addressed this issue in firmware version 10.2.1.14-75sv and later. CVE-2023-44221, a high-severity command injection flaw, allows attackers with administrative privileges to inject arbitrary commands. CVE-2021-20035, an OS command injection vulnerability, which has been actively exploited in the wild since January 2025.
The exploitation of these vulnerabilities has prompted advisories and updates, including CISA adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. Security researchers have observed active scanning for CVE-2021-20016. It is paramount that organizations proactively manage and patch vulnerabilities to protect their networks and sensitive data.
Recommended read:
References :
- The DefendOps Diaries: Understanding SonicWall SMA100 Vulnerabilities: Risks and Mitigation
- BleepingComputer: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
- Arctic Wolf: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
- isc.sans.edu: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
- thehackernews.com: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
- securityonline.info: SonicWall confirms active exploitation of SMA 100 vulnerabilities – urges immediate patching
- Talkback Resources: SonicWall disclosed exploited security flaws in SMA100 Secure Mobile Access appliances, including OS Command Injection and Apache HTTP Server mod_rewrite issues, with patches released in versions 10.2.1.10-62sv and 10.2.1.14-75sv.
- www.bleepingcomputer.com: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
- arcticwolf.com: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
- securityonline.info: SecurityOnline
- Talkback Resources: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models [net]
- arcticwolf.com: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
- es-la.tenable.com: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
- Arctic Wolf: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
- bsky.app: Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
- securityaffairs.com: SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances.
- securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
- MSSP feed for Latest: SonicWall Flags New Wave of VPN Exploits Targeting SMA Devices
- bsky.app: Security company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
- Help Net Security: Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)
- www.scworld.com: SonicWall confirms exploitation of two SMA 100 bugs, one critical
- securityonline.info: SonicWall Issues Patch for SSRF Vulner
- Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
- The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware
- hackread.com: watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
- cyberpress.org: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
- www.helpnetsecurity.com: Attackers exploited old flaws to breach SonicWall SMA appliances.
- watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
- Talkback Resources: Iranian state-sponsored threat group conducted a long-term cyber intrusion targeting critical national infrastructure in the Middle East, exhibiting tradecraft overlaps with Lemon Sandstorm, using custom malware families and sophisticated tactics to maintain persistence and bypass network segmentation.
- Cyber Security News: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
- securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
- RedPacket Security: SonicWall Products Multiple Vulnerabilities
- thecyberexpress.com: CISA Adds Two Known Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
- Cyber Security News: SonicWall Secure Mobile Access (SMA) appliances are under active attack due to two critical vulnerabilities-Â CVE-2023-44221 (post-authentication command injection) and CVE-2024-38475(pre-authentication arbitrary file read)-being chained to bypass security controls.
- bsky.app: SonicWall urges admins to patch VPN flaw exploited in attacks
- securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
- The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
- BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
- securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
- MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release
info@thehackernews.com (The@The Hacker News
//
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.
Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion.
Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities.
Recommended read:
References :
- The Citizen Lab: Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
- securityonline.info: Weaponized Uyghur Language Software: Citizen Lab Uncovers Targeted Malware Campaign
- techcrunch.com: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
- securityonline.info: Researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the
- The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
- thecyberexpress.com: Text Editor Used in Targeted Uyghur Spying
- The Register - Software: Open source text editor poisoned with malware to target Uyghur users
- The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
- Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
- citizenlab.ca: 🚩 Trojanized UyghurEdit++ Text Editor Used to Target Uyghur Diaspora With Windows Surveillance Malware
- The Cyber Express: Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign
- hackread.com: China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…
- Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
- www.scworld.com: Uyghur leaders subjected to malware attack
@securityonline.info
//
Earth Kurma, a newly identified Advanced Persistent Threat (APT) group, has been actively targeting government and telecommunications organizations in Southeast Asia since June 2024. According to reports from Trend Micro and other security firms, the group's activities, which date back to November 2020, primarily focus on cyberespionage and data exfiltration. Countries affected include the Philippines, Vietnam, Thailand, and Malaysia. The threat actors are particularly interested in exfiltrating sensitive data, often utilizing public cloud services like Dropbox and Microsoft OneDrive for this purpose.
Earth Kurma employs a sophisticated blend of custom malware, stealthy rootkits, and living-off-the-land (LotL) techniques. Their arsenal includes tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA, the latter two being rootkits designed for persistence and concealing malicious activities. The group's use of rootkits like MORIYA, which intercepts TCP traffic and injects malicious payloads, highlights their advanced evasion capabilities. Notably, Earth Kurma also abuses PowerShell for data collection, using commands to gather files of interest based on file extensions such as PDF, DOC, XLS, and PPT.
Detection strategies focus on monitoring process creations and command-line activities associated with known file extensions used by the group. The group leverages legitimate system tools and features, such as syssetup.dll, to install rootkits, making detection more challenging. While there are overlaps with other APT groups like ToddyCat and Operation TunnelSnake, definitive attribution remains inconclusive. Security researchers emphasize the high business risk posed by Earth Kurma due to their targeted espionage, credential theft, persistent footholds, and data exfiltration via trusted cloud platforms.
Recommended read:
References :
- securityaffairs.com: SecurityAffairs: Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia
- securityonline.info: SecurityOnline: Earth Kurma APT Targets Southeast Asia with Stealthy Cyberespionage
- The Hacker News: TheHackNews: Earth Kurma Targets Southeast Asia With Rootkits and Cloud-Based Data Theft Tools
- Know Your Adversary: Know Your Adversary: That's How Earth Kurma Abuses PowerShell for Data Collection
- www.trendmicro.com: Trend Micro: Earth Kurma APT Campaign
- Industrial Cyber: Earth Kurma APT targets Southeast Asian government, telecom sectors in latest cyberespionage campaigns.
- industrialcyber.co: Trend Micro researchers have uncovered that an advanced persistent threat (APT) group known as Earth Kurma is actively
- www.scworld.com: Trend Micro researchers have identified a sophisticated cyberespionage campaign orchestrated by the APT group, Earth Kurma, focusing on organizations in Southeast Asia, including Malaysia, Thailand, Vietnam, and the Philippines.
- Security Risk Advisors: #EarthKurma #APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents. #CyberEspionage #ThreatIntel
- securityonline.info: In a newly released report, Trend Research has unveiled the operations of an advanced persistent threat (APT) group,
- sra.io: APT targeting Southeast Asian governments with #rootkits and cloud exfiltration tools using kernel-level persistence & trusted cloud services to steal sensitive documents.
- Virus Bulletin: Trend Micro's Nick Dai & Sunny Lu look into the Earth Kurma APT campaign targeting government and telecommunications sectors in Southeast Asia. The campaign used advanced malware, rootkits, and trusted cloud services to conduct cyberespionage.
@www.silentpush.com
//
North Korean hackers, identified as the Contagious Interview APT group, are running a sophisticated malware campaign targeting individuals seeking employment in the cryptocurrency sector. Silent Push threat analysts have uncovered the operation, revealing that the group, also known as Famous Chollima and a subgroup of Lazarus, is using three front companies—BlockNovas LLC, Angeloper Agency, and SoftGlide LLC—to spread malicious software. These companies are being used to lure unsuspecting job applicants into downloading malware through fake job interview opportunities, marking an evolution in the group's cyber espionage and financial gain tactics.
The campaign involves the distribution of three distinct malware strains: BeaverTail, InvisibleFerret, and OtterCookie. Job seekers are enticed with postings on various online platforms, including CryptoJobsList, CryptoTask, and Upwork. Once an application is submitted, the hackers send what appear to be legitimate interview-related files containing the malware. The attackers are also using AI-generated images to create employee profiles for these front companies, specifically using Remaker AI to fabricate realistic personas, enhancing the credibility of their fraudulent operations and making it harder for job seekers to differentiate between genuine and malicious opportunities.
The use of these front companies and AI-generated profiles signifies a new escalation in the tactics employed by Contagious Interview. The malware, once installed, allows hackers to remotely access infected computers and steal sensitive data. The campaign leverages legitimate platforms like GitHub and various job boards to further enhance its deceptive nature. Silent Push's analysis has successfully traced the malware back to specific websites and internet addresses used by the hackers, including lianxinxiao[.]com, and uncovered a hidden online dashboard monitoring suspected BeaverTail websites, providing valuable insights into the operational infrastructure of this North Korean APT group.
Recommended read:
References :
- hackread.com: North Korean Hackers Use Fake Crypto Firms in Job Malware Scam
- The Hacker News: North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures
- www.silentpush.com: Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
- Anonymous ???????? :af:: Threat analysts have uncovered that North Korea's Contagious Interview APT group is using three front companies to distribute malware strains BeaverTail, InvisibleFerret, and OtterCookie through fake cryptocurrency job offers.
- www.silentpush.com: North Korean APT registers three cryptocurrency companies to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- cyberpress.org: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- bsky.app: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- www.scworld.com: North Korean cyberespionage facilitated by bogus US firms, crackdown underway
- Virus Bulletin: Silent Push researchers have uncovered three cryptocurrency companies that are actually fronts for the North Korean APT group Contagious Interview. BeaverTail, InvisibleFerret & OtterCookie are being spread from this infrastructure to unsuspecting cryptocurrency job applicants.
- www.scworld.com: New Lazarus campaign hits South Korea BleepingComputer reports that at least half a dozen South Korean organizations in the finance, telecommunications, IT, and software industries have been compromised by North Korean hacking collective Lazarus Group
- Cyber Security News: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- PCMag UK security: Okta finds evidence that North Koreans are using a variety of AI services to upgrade their chances of fraudulently securing remote work so they can line their country's coffers or steal secrets.
- malware.news: North Korean Group Creates Fake Crypto Firms in Job Complex Scam
- www.bitdegree.org: North Korean hackers use AI and fake job offers within cryptocurrency companies to distribute malware to unsuspecting job seekers
- cyberpress.org: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- malware.news: North Korean threat actors are leveraging generative artificial intelligence (GenAI) technologies to systematically infiltrate remote technical roles worldwide, according to recent findings from Okta Threat Intelligence.
- securityonline.info: Threat analysts at Silent Push have uncovered a new campaign orchestrated by the North Korean state-sponsored APT group,
- securityonline.info: Threat actors are using fake companies in the cryptocurrency consulting industry to spread malware to unsuspecting job applicants.
- Cybernews: North Korean APT Contagious Interview registers three cryptocurrency companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) to infect cryptocurrency job applicants with BeaverTail, InvisibleFerret, and OtterCookie malware
- gbhackers.com: North Korean APT Hackers Pose as Companies to Spread Malware to Job Seekers
@reliaquest.com
//
A critical zero-day vulnerability, CVE-2025-31324, has been discovered in SAP NetWeaver Visual Composer Metadata Uploader, posing a significant threat to organizations using the platform. The flaw stems from missing authorization checks on the `/developmentserver/metadatauploader` endpoint, allowing unauthenticated attackers to upload malicious files directly to the system. This unrestricted file upload vulnerability has a CVSS score of 10, indicating its critical severity and potential for widespread exploitation. Security researchers and threat hunters have already observed active exploitation in the wild, with threat actors using the vulnerability to drop web shell backdoors onto exposed systems.
Exploitation of CVE-2025-31324 enables attackers to gain unauthorized access and control over SAP systems. Threat actors are leveraging the vulnerability to upload web shells, facilitating remote code execution and further system compromise. These web shells allow attackers to execute commands, manage files, and perform other malicious actions directly from a web browser. According to SAP security platform Onapsis, the vulnerability can afford attackers the opportunity to take full control over SAP business data and processes, potentially leading to ransomware deployment and lateral movement within a network.
SAP has released an out-of-band emergency patch to address CVE-2025-31324, and organizations are strongly encouraged to apply the patch as soon as possible to mitigate the risk. ReliaQuest researchers also reported investigating multiple customer incidents involving JSP webshells uploaded via this vulnerability. Given the widespread active exploitation and the potential for significant impact, organizations should prioritize patching vulnerable systems and assessing them for any signs of compromise. Experts estimate that a significant percentage of internet-facing SAP NetWeaver systems may be vulnerable, highlighting the urgency of addressing this critical flaw.
Recommended read:
References :
- Threats | CyberScoop: CyberScoop article about SAP zero-day vulnerability under widespread active exploitation
- securityaffairs.com: SecurityAffairs article about SAP NetWeaver zero-day allegedly exploited by an initial access broker.
- The DefendOps Diaries: thedefendopsdiaries.com article on Addressing CVE-2025-31324: A Critical SAP NetWeaver Vulnerability
- Tenable Blog: Tenable Blog post on CVE-2025-31324 zero day vulnerability in SAP NetWeaver being exploited in the wild.
- BleepingComputer: SAP fixes suspected Netweaver zero-day exploited in attacks
- reliaquest.com: ReliaQuest uncovers vulnerability behind SAP NetWeaver compromise
- MSSP feed for Latest: SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer
- Blog: Max severity zero-day in SAP NetWeaver actively exploited
- thehackernews.com: Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
- cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
- www.cybersecuritydive.com: SAP NetWeaver zero-day vulnerability under widespread active exploitation.
- www.scworld.com: SAP patches zero day rated 10.0 in NetWeaver
- The Register - Security: Emergency patch for potential SAP zero-day that could grant full system control
- Resources-2: Picus Security explains SAP NetWeaver Remote Code Execution Vulnerability
- socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
- Strobes Security: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
- strobes.co: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
- The DefendOps Diaries: The DefendOps Diaries: Understanding and Mitigating the CVE-2025-31324 Vulnerability in SAP NetWeaver
- Vulnerable U: SAP CVE-2025-31324 Targeted by Attackers
- www.bleepingcomputer.com: Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
- www.bleepingcomputer.com: SAP fixes suspected Netweaver zero-day exploited in attacks
- BleepingComputer: Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- research.kudelskisecurity.com: Critical Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324)
- securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
- onapsis.com: In our SAP CVE-2025-31324 webinar learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
- research.kudelskisecurity.com: Research Kudelski Security Article on SAP NetWeaver Exploitation
- Cyber Security News: SAP NetWeaver 0-Day Vulnerability Actively Exploited to Deploy Webshells
- Caitlin Condon: Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments.
- www.cybersecuritydive.com: Thousands are exposed and potentially vulnerable as researchers warn of widespread exploitation.
- www.it-daily.net: Security experts have identified a serious security vulnerability in SAP NetWeaver that allows unauthorized access to company systems.
- securityonline.info: CISA Adds SAP NetWeaver Zero-Day CVE-2025-31324 to KEV Database
- redcanary.com: Critical vulnerability in SAP NetWeaver enables malicious file uploads
- www.stormshield.com: Security alert SAP CVE-2025-31324: Stormshield Products Response
- Rescana: Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks
- SOC Prime Blog: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
- Stormshield: Security alert SAP CVE-2025-31324: Stormshield Products Response
- socprime.com: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
|
|
FlagThis - #apt