@arcticwolf.com
Trend Micro has released security updates to address critical vulnerabilities in its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. These vulnerabilities, which include remote code execution and authentication bypass flaws, pose a significant risk to affected systems. The company urges administrators to apply the necessary security updates as soon as possible to mitigate potential exploitation. While Trend Micro states there is no evidence of active exploitation in the wild, the severity of the flaws necessitates immediate action.
One specific vulnerability, tracked as ZDI-25-371, exists within the Endpoint Encryption product and involves the DeserializeFromBase64String method. The flaw stems from a lack of proper validation of user-supplied data, which allows untrusted data to be deserialized. An attacker who successfully exploits this vulnerability can execute code in the context of SYSTEM, potentially gaining complete control over the affected system. Although authentication is required, the existing authentication mechanism can be bypassed, which makes exploitation easier. The vulnerabilities were reported to Trend Micro on October 11, 2024, by Piotr Bazydlo of Trend Micro's Zero Day Initiative, and a coordinated public release of the advisory followed on June 11, 2025. Users of Apex Central and Endpoint Encryption (TMEE) PolicyServer products are advised to visit the Trend Micro website for details on obtaining and applying the necessary patches. Further information on the specific fixes can be found at https://success.trendmicro.com/en-US/solution/KA-0019928.
@blog.criminalip.io
A critical authentication bypass vulnerability, CVE-2025-29927, has been discovered in Vercel's Next.js framework. The flaw resides in Next.js middleware, a feature designed to intercept incoming HTTP requests for tasks like authentication, logging, and request modification. This vulnerability allows attackers to circumvent middleware authorization checks, gaining unauthorized access to protected resources. Criminal IP identified over 520,000 assets potentially at risk, emphasizing the widespread impact of this flaw.
Next.js middleware is used for authentication/authorization, request modification, server-side redirects, and Content Security Policy (CSP) implementation. An attacker can bypass these middleware controls by adding a specially crafted `x-middleware-subrequest` header to their HTTP requests. This tricks the application into treating the request as an internal subrequest, so the authorization checks that middleware would normally enforce are skipped. According to the report, the root cause of the vulnerability lies in the `beforeFiles` routing logic within Next.js. The vulnerability affects Next.js versions from 13.4 and above, but prior to 14.1.0. Vercel addressed the vulnerability in versions after v14.1.0-canary.35, and users are strongly advised to upgrade to Next.js version 14.1.0-canary.35 or later to mitigate the risk. Next.js deployments hosted on Vercel are automatically protected against this vulnerability; self-hosted Next.js applications remain vulnerable unless patched or mitigated. This issue can lead to serious security risks, including data exposure and application compromise.
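For self-hosted deployments that cannot upgrade immediately, the practical control is to make sure no externally originated request reaches the application with an `x-middleware-subrequest` header, and to treat any such request as a signal worth investigating. The following is an added example, not code from the article, from Vercel or from Next.js: a small Node guard that either blocks or strips the header at the edge, plus a detector that scans structured access-log records for it. The function names, the JSON-lines log layout and the sample records are assumptions constructed for this illustration; only the header name comes from the report.

```javascript
'use strict';
// Added example: edge-side guard and log detector for the internal-subrequest
// header described above. Nothing here is Next.js or Vercel code; the log
// format and sample data are constructed for illustration.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Header names are case-insensitive. Node lowercases IncomingMessage.headers,
// but a proxy or test harness may not, so normalise before any lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True when the request carries the internal-subrequest marker. A request
// arriving from outside the deployment has no legitimate reason to send it.
function carriesSubrequestHeader(headers) {
  return SUBREQUEST_HEADER in normalizeHeaders(headers);
}

// Edge policy. 'block' answers 403 so the attempt stays visible in logs;
// 'strip' removes the header and forwards the rest of the request unchanged.
function applyEdgePolicy(headers, mode = 'block') {
  const normalized = normalizeHeaders(headers);
  if (!(SUBREQUEST_HEADER in normalized)) {
    return { action: 'forward', status: 200, headers: normalized };
  }
  if (mode === 'strip') {
    delete normalized[SUBREQUEST_HEADER];
    return { action: 'strip', status: 200, headers: normalized };
  }
  return { action: 'block', status: 403, headers: normalized };
}

// Detection: scan JSON-lines access logs in which the reverse proxy has been
// configured to record request headers, and report every record with the marker.
function findSubrequestHeaderHits(logLines) {
  const hits = [];
  for (const line of logLines) {
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      continue; // malformed line: skip it rather than abort the whole scan
    }
    const headers = normalizeHeaders(record.headers);
    if (SUBREQUEST_HEADER in headers) {
      hits.push({ ts: record.ts, src: record.src, path: record.path });
    }
  }
  return hits;
}

// Wiring for a plain Node http server sitting in front of the app: the policy
// runs first, and only forwarded or stripped requests reach forwardToApp.
function makeGuard(forwardToApp, mode = 'block') {
  return function guard(req, res) {
    const decision = applyEdgePolicy(req.headers, mode);
    if (decision.action === 'block') {
      res.writeHead(403, { 'content-type': 'text/plain' });
      res.end('forbidden');
      return;
    }
    req.headers = decision.headers;
    forwardToApp(req, res);
  };
}

// Constructed sample log records (not real traffic). The header value is a
// placeholder; presence of the header, not its value, is the indicator.
const SAMPLE_LOG = [
  '{"ts":"2025-03-22T10:00:01Z","src":"203.0.113.7","path":"/admin","headers":{"X-Middleware-Subrequest":"example-value"}}',
  '{"ts":"2025-03-22T10:00:02Z","src":"198.51.100.4","path":"/","headers":{"user-agent":"Mozilla/5.0"}}',
  'this line is not JSON and must be skipped',
];

console.log(applyEdgePolicy({ 'X-Middleware-Subrequest': 'example-value' }));
console.log(findSubrequestHeaderHits(SAMPLE_LOG));
```

Use `makeGuard(proxyHandler)` as the request listener of the edge server, with `mode: 'block'` during an incident so every attempt produces a 403 in the access log, and run `findSubrequestHeaderHits` over historical logs to check whether the header was seen before the control went in.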
Rescana@Rescana
CISA has issued an urgent warning regarding a critical authentication bypass vulnerability, CVE-2025-31161, in CrushFTP, a widely-used file transfer server solution. The agency has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is actively being exploited in the wild. This flaw allows attackers to bypass authentication mechanisms and potentially gain unauthorized administrative access to vulnerable CrushFTP servers, posing significant risks to both government agencies and private organizations. Federal cybersecurity officials are urging immediate action to mitigate the threat.
The vulnerability, which affects CrushFTP server versions before 10.8.4 and 11.3.1, stems from improper validation of authentication tokens in the CrushFTP login process. An attacker can manipulate HTTP request parameters to gain unauthorized administrative access, and CISA’s advisory highlights that exploitation could lead to a full system compromise. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability by April 28, 2025, which underlines the severity of the risk. CISA strongly encourages all organizations, including private sector entities and state governments, to prioritize patching CVE-2025-31161 and to adopt similar vulnerability management strategies. To mitigate the risk, organizations using CrushFTP should immediately apply the patches or updates issued by the software's developers and review system logs for any unusual activity. The Cybersecurity and Infrastructure Security Agency emphasizes that this authentication bypass represents a severe security risk, potentially allowing complete compromise of affected CrushFTP servers, and has observed sophisticated threat actors actively exploiting it to establish persistent access to critical systems.
Rescana@Rescana
A critical authentication bypass vulnerability, CVE-2025-31161 (previously tracked as CVE-2025-2825), has been identified in CrushFTP, a multi-protocol file transfer server. The vulnerability, which exists in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows attackers to bypass authentication mechanisms, potentially gaining unauthorized access to sensitive data and system resources. CrushFTP privately alerted customers to the issue on March 21, 2025, urging them to apply available patches immediately. BleepingComputer reports that over 1,500 instances remain exposed.
Intrusions exploiting the CVE-2025-2825 vulnerability are already underway, following the emergence of a proof-of-concept exploit. Attackers can gain complete access to affected servers, manipulate files, upload malicious content, and even create admin-level user accounts. Indicators of compromise include unauthorized access logs, unexpected modifications to user accounts, and unusual file uploads. As a mitigation for those unable to update promptly, CrushFTP recommended enabling the DMZ (demilitarized zone) perimeter network option.
Pierluigi Paganini@Security Affairs
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.
Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, reflecting its severity. It exclusively affects VMware Tools running on Windows guest operating systems, so affected users should act immediately.