CyberSecurity news

FlagThis - #authenticationbypass

Pierluigi Paganini@Security Affairs //

VMware Windows Tools Authentication Bypass Vulnerability - Broadcom addressed a high-severity authentication bypass vulnerability, CVE-2025-22230, in VMware Tools for Windows due to improper access control, allowing non-administrative users to perform high-privilege operations; security updates are available.
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.

Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, highlighting its severity. It exclusively affects VMware Tools running on Windows operating systems, emphasizing the importance of immediate action for affected users.

Recommended read:
References :
  • securityaffairs.com: Broadcom released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
  • securityonline.info: VMware Tools for Windows Hit by CVE-2025-22230 Auth Bypass Flaw
  • The DefendOps Diaries: Understanding the VMware Tools Authentication Bypass Vulnerability
  • thehackernews.com: New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround
  • www.csoonline.com: VMware plugs a high-risk vulnerability affecting its Windows-based virtualization
  • BleepingComputer: Broadcom Warns of Authentication Bypass in VMware Windows Tools
  • www.techradar.com: Broadcom warns of worrying security flaws affecting VMware tools
  • Security Risk Advisors: New VMware Tools vulnerability (CVE-2025-22230) allows non-admin Windows guest users to perform privileged operations.
  • Security | TechRepublic: Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication
  • securityaffairs.com: Broadcom addressed a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
Rescana@Rescana //

CrushFTP Authentication Bypass Vulnerability Exploited - CrushFTP has a critical authentication bypass vulnerability (CVE-2025-31161) that allows unauthenticated remote access; a PoC exploit is public and customer compromises are confirmed, urging immediate patching.
References: bsky.app , The DefendOps Diaries , Rescana ...
A critical authentication bypass vulnerability, CVE-2025-31161 (previously tracked as CVE-2025-2825), has been identified in CrushFTP, a multi-protocol file transfer server. The vulnerability, which exists in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows attackers to bypass authentication mechanisms, potentially gaining unauthorized access to sensitive data and system resources. CrushFTP privately alerted customers to the issue on March 21, 2025, urging them to apply available patches immediately. BleepingComputer reports that over 1,500 instances remain exposed.

Intrusions exploiting the CVE-2025-2825 vulnerability are already underway, following the emergence of a proof-of-concept exploit. Attackers can gain complete access to affected servers, manipulate files, upload malicious content, and even create admin-level user accounts. Indicators of Compromise include unauthorized access logs, unexpected modifications to user accounts, and unusual file uploads. As a mitigation strategy, CrushFTP recommended activating the demilitarized zone perimeter network option for those unable to promptly update their software.

Recommended read:
References :
  • bsky.app: Project Discovery has published a technical write-up and PoC for a recent CrushFTP authentication bypass tracked as CVE-2025-2825
  • The DefendOps Diaries: Understanding the CrushFTP Authentication Bypass Vulnerability: A Critical Cybersecurity Threat
  • BleepingComputer: Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code.
  • Rescana: CrushFTP CVE-2025-2825 Vulnerability: Critical Authentication Bypass Exploit and Mitigation Strategies
  • community.emergingthreats.net: CrushFTP Authentication Bypass (CVE-2025-2825) (web_specific_apps.rules)
  • securityaffairs.com: CrushFTP CVE-2025-2825 flaw actively exploited in the wild
  • www.cybersecuritydive.com: Critical vulnerability in CrushFTP file transfer software under attack
  • www.scworld.com: Over 1,500 CrushFTP file transfer software instances remain exposed to ongoing intrusions exploiting the critical authorization bypass vulnerability, tracked as CVE-2025-2825.
  • Arctic Wolf: CVE-2025-31161: Exploitation of Critical Authentication Bypass Vulnerability in CrushFTP
  • Help Net Security: Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825)
  • Arctic Wolf: CVE-2025-31161: Exploitation of Critical Authentication Bypass Vulnerability in CrushFTP
Bill Toulas@BleepingComputer //

GitLab Patches Critical Authentication Bypass Vulnerabilities - GitLab releases security updates for CE and EE, fixing nine vulnerabilities, including critical ruby-saml library authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) which could allow attackers to impersonate any user.
GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.

Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. Other vulnerabilities that were addressed are CVE-2025-27407, a high severity Ruby graphql vulnerability.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: SecurityAffairs article on GitLab addressed critical flaws in CE and EE
  • socradar.io: SocRadar article on GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • The DefendOps Diaries: GitLab's Critical Vulnerability Fixes: What You Need to Know
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Rescana Cybersecurity Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
  • securityonline.info: GitLab urgently patches critical authentication bypass flaws – CVE-2025-25291 & CVE-2025-25292
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication
Divya@gbhackers.com //

Critical ruby-saml vulns Allow Authentication Bypass - Multiple vulnerabilities in the ruby-saml library allow attackers to bypass authentication and conduct account takeover attacks by manipulating XML input, requiring organizations to upgrade to the latest version.
References: www.scworld.com , gbhackers.com ,
Critical vulnerabilities in the ruby-saml library, tracked as CVE-2025-25291 and CVE-2025-25292, allow attackers to bypass authentication in applications using the library for Single Sign-On (SSO). These flaws stem from discrepancies in XML parsing between REXML and Nokogiri, potentially leading to account takeovers. An attacker possessing a valid signature from the targeted organization can craft SAML assertions to log in as any user.

The vulnerabilities were discovered during a security review by GitHub's Security Lab, prompting GitLab to release critical patches in versions 17.9.2, 17.8.5, and 17.7.7 for Community Edition and Enterprise Edition. Organizations are urged to upgrade to the latest ruby-saml version to mitigate the risk of authentication bypass and account hijacking. The ruby-saml library is used in various applications and products, including GitLab.

Recommended read:
References :
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.

Posts

Blogs

Research Tools