CyberSecurity news

FlagThis - #exploit

Bill Toulas@BleepingComputer //
Two critical vulnerabilities, CVE-2025-48827 and CVE-2025-48828, have been identified in vBulletin forum software, impacting versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3. The vulnerabilities enable API abuse and remote code execution, posing a significant threat to forums running the affected versions. Security experts warn that one of these vulnerabilities is already being actively exploited in the wild, making it crucial for administrators to take immediate action.

The flaws are rated as critical, with CVE-2025-48827 receiving a CVSS v3 score of 10.0 and CVE-2025-48828 receiving a score of 9.0. CVE-2025-48827 is an API method invocation issue, allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. The second flaw, CVE-2025-48828, enables attackers to run arbitrary PHP code by abusing template conditionals. Both vulnerabilities were discovered by security researcher Egidio Romano on May 23, 2025, and exploit attempts were observed in the wild shortly after disclosure.

vBulletin users are urged to immediately apply the patches released last year that remediate both vulnerabilities, or to upgrade to the latest version, 6.1.1. The vulnerabilities were likely patched quietly last year with the release of Patch Level 1 for all versions of the 6.* release branch. Security researchers recommend that defenders and developers review their frameworks and custom APIs, especially where controller methods are routed dynamically through Reflection. They also suggest auditing access restrictions and examining application behavior across different PHP versions, since the reflection semantics that make CVE-2025-48827 reachable changed in PHP 8.1.
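The audit advice above is easiest to act on with a concrete router in front of you. The following is an added illustration written for this digest, not vBulletin's code: a minimal API dispatcher that maps a request's method name onto a controller method through Reflection, with the explicit checks (allowlist, visibility, declaring class, no magic methods) that stop a request from reaching a protected method. The class, method and allowlist names are hypothetical. The last block shows the behaviour change the page refers to: on PHP 8.1 and later, Reflection can invoke a protected method without any `setAccessible()` call, so a router that relied on the engine refusing such calls loses that protection after a PHP upgrade.

```php
<?php
declare(strict_types=1);

// Added illustration, not vBulletin code. A minimal API router that maps a
// request's "method" string onto a controller method via Reflection, with the
// checks a hardened router needs before invoking. Class, method and list
// names are hypothetical.

final class ExampleApiController
{
    public function getVersion(): string            // meant to be callable
    {
        return '1.0';
    }

    protected function resetAllUsers(): string       // internal helper only
    {
        return 'internal helper reached';
    }
}

final class MethodNotAllowed extends RuntimeException {}

/**
 * Invoke $method on $controller only if it is allowlisted, public, non-static,
 * not a magic method, and declared on the controller class itself.
 *
 * Visibility must be checked explicitly: since PHP 8.1 Reflection can invoke
 * protected and private methods directly (setAccessible() became a no-op), so
 * a router that relied on invoke() throwing for non-public methods on older
 * PHP silently loses that protection after an upgrade.
 */
function dispatchApiMethod(object $controller, string $method, array $allowlist, array $args = []): mixed
{
    if (!in_array($method, $allowlist, true)) {
        throw new MethodNotAllowed("not allowlisted: $method");
    }
    if (!method_exists($controller, $method)) {
        throw new MethodNotAllowed("no such method: $method");
    }
    $rm = new ReflectionMethod($controller, $method);
    if (!$rm->isPublic() || $rm->isStatic() || str_starts_with($rm->getName(), '__')) {
        throw new MethodNotAllowed("not a public instance method: $method");
    }
    if ($rm->getDeclaringClass()->getName() !== get_class($controller)) {
        throw new MethodNotAllowed("not declared on controller: $method");
    }
    return $rm->invokeArgs($controller, $args);
}

$controller = new ExampleApiController();

echo dispatchApiMethod($controller, 'getVersion', ['getVersion']), PHP_EOL;   // 1.0

// Each of these is refused, and the message shows which layer refused it.
// The over-broad allowlist in the last case shows the visibility check
// holding even when the allowlist is misconfigured.
$attempts = [
    ['resetAllUsers', ['getVersion']],
    ['__destruct',    ['getVersion']],
    ['resetAllUsers', ['getVersion', 'resetAllUsers']],
];
foreach ($attempts as [$name, $list]) {
    try {
        dispatchApiMethod($controller, $name, $list);
    } catch (MethodNotAllowed $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}

// The version dependence the page describes, for contrast: an unchecked
// invoke of the protected helper throws on PHP < 8.1 but succeeds on 8.1+.
try {
    $r = (new ReflectionMethod($controller, 'resetAllUsers'))->invoke($controller);
    echo 'PHP ', PHP_VERSION, ': unchecked invoke returned "', $r, '"', PHP_EOL;
} catch (ReflectionException $e) {
    echo 'PHP ', PHP_VERSION, ': unchecked invoke refused by the engine', PHP_EOL;
}
```

Run it under PHP 8.0 and again under 8.1 or later and only the final line changes, which is exactly the cross-version behaviour difference the researchers recommend testing for. The dispatcher itself behaves identically on both because it never relies on the engine's visibility enforcement.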

References:
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityaffairs.com: Two flaws in vBulletin forum software are under attack.
  • BleepingComputer: Hackers are exploiting critical flaw in vBulletin forum software.
  • www.scworld.com: Attacks exploiting maximum severity vBulletin vulnerability ongoing

@x.com //
A staggering $223 million has been stolen from Cetus Protocol, a decentralized exchange operating on the Sui blockchain. This exploit represents another significant blow to investor confidence in the decentralized finance (DeFi) space. The incident occurred on May 22, 2025, prompting Cetus to initiate an emergency pause of its smart contract upon detecting suspicious activity. The swift action was aimed at preventing further losses, but the initial damage was substantial, with attackers successfully extracting a massive sum of digital assets.

The Cetus Protocol team acted quickly after discovering the breach. They announced that $162 million of the stolen cryptocurrency had been frozen, leaving approximately $61 million still unaccounted for. The project has also announced a $5 million bounty for anyone who can provide relevant information that leads to the identification and arrest of the attacker. In addition, Cetus Protocol is offering a deal to the hacker, promising to cease all legal action if the stolen funds are returned.

This incident has raised concerns about the true decentralization of Cetus Protocol, with some questioning how funds could be frozen so readily. The exploit highlights the ongoing challenges and risks associated with DeFi platforms, even those built on newer blockchain ecosystems like Sui. The investigation into the theft is ongoing, with Cetus Protocol working with law enforcement agencies in hopes of recovering the remaining stolen funds and bringing the perpetrators to justice.

References:
  • DataBreaches.Net: Bill Toulas reports: The decentralized exchange Cetus Protocol announced that hackers have stolen $223 million in cryptocurrency and is offering a deal to stop all legal action if the funds are returned. The project also announced a $5 million bounty to anyone providing relevant information leading to the identification and arrest of the attacker. Cetus...
  • thecyberexpress.com: In the ever-volatile world of decentralized finance (DeFi), yet another major exploit has shaken investor confidence, this time with a staggering $223 million theft from Cetus Protocol, a key player in the Sui blockchain ecosystem. On May 22, Cetus announced an emergency pause of its smart contract following the detection of “an incident” impacting the protocol. Within hours, the scope of the breach became alarmingly clear: attackers had siphoned off roughly $223 million in digital assets. While the team acted swiftly to lock down the contract and halt further losses, the damage had already been done.
  • x.com: An attacker stole $223 million from the Sui-based Cetus Protocol. The project announced shortly after that $162 million of the funds had been frozen, leaving around $61 million unaccounted for. This led some to question how decentralized the project truly is if the funds can be frozen in such a way.
  • The DefendOps Diaries: Explore the $223M Cetus Protocol heist, highlighting DeFi security vulnerabilities and the need for robust protection measures.
  • x.com: Cetus Protocol announced an emergency pause of its smart contract following the detection of “an incident” impacting the protocol.

@cyberalerts.io //
The United States has indicted a 36-year-old Yemeni national, Rami Khaled Ahmed of Sana'a, believed to be the developer and primary operator of the 'Black Kingdom' ransomware. The charges stem from approximately 1,500 attacks conducted against Microsoft Exchange servers globally. Ahmed is accused of deploying the Black Kingdom malware on these systems between March 2021 and June 2023, targeting businesses, schools, and hospitals within the U.S. and elsewhere. He faces one count of conspiracy, one count of intentional damage to a protected computer, and one count of threatening damage to a protected computer.

The attacks involved exploiting a vulnerability in Microsoft Exchange Server known as ProxyLogon, identified as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. This allowed Ahmed and his co-conspirators to gain access to vulnerable networks, encrypt data, or claim to have stolen information. Victims were then instructed to send $10,000 worth of Bitcoin to a cryptocurrency address controlled by a co-conspirator as ransom for decryption. They were also allegedly asked to send proof of payment to a Black Kingdom email address.

Cybersecurity experts described Black Kingdom ransomware as somewhat rudimentary, characterizing the attacker as a "motivated script-kiddie" leveraging ProxyLogon to deploy web shells and PowerShell commands. The indictment underscores the ongoing cybersecurity challenges posed by ransomware and highlights the importance of patching vulnerabilities promptly to prevent exploitation. If convicted, Ahmed faces a maximum sentence of five years in federal prison for each count. The FBI, with assistance from the New Zealand Police, is conducting the investigation.

References:
  • bsky.app: Bsky.app Post on the Black Kingdom Ransomware Indictment
  • The DefendOps Diaries: The Indictment of a Black Kingdom Ransomware Administrator: A Turning Point in Cybersecurity
  • thehackernews.com: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems
  • www.bleepingcomputer.com: BleepingComputer article on US indicting Black Kingdom Ransomware admin
  • DataBreaches.Net: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
  • BleepingComputer: A 36-year-old Yemeni national, who is believed to be the developer and primary operator of 'Black Kingdom' ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers.
  • BleepingComputer: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
  • Talkback Resources: U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems [exp] [mal]
  • securebulletin.com: US indicts Black Kingdom ransomware operator: technical analysis of ProxyLogon exploitation and law enforcement response
  • www.scworld.com: US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks
  • securityaffairs.com: US authorities have indicted Black Kingdom ransomware admin
  • bsky.app: Risky Biz podcast/newsletter covering the charges against the Black Kingdom ransomware operator
  • securityonline.info: SecurityOnline article about the indictment.
  • Daily CyberSecurity: Yemeni National Indicted for Black Kingdom Ransomware Attacks
  • Threats | CyberScoop: Federal prosecutors indict alleged head of Black Kingdom ransomware
  • www.scworld.com: Alleged Black Kingdom hacker indicted over massive Exchange Server breach

@cloud.google.com //
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number is a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, so the multi-year trend is still upward. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.

Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift by attackers, who increasingly recognize the value of compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices decreased, falling by about a third and a half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be used almost exclusively against mobile devices.

Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services.

References:
  • Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
  • securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
  • techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
  • The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
  • The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
  • cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
  • BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
  • www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
  • thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
  • cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products
  • socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
  • Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products

@www.bleepingcomputer.com //
Fortinet has issued critical fixes following the discovery of a new method employed by cyber attackers to maintain access to FortiGate devices, even after patches were applied. The attackers are exploiting vulnerabilities such as FG-IR-22-398, FG-IR-23-097, and FG-IR-24-015, then creating a symlink that connects the user filesystem to the root filesystem inside a folder used for SSL-VPN language files. Because that folder is served by the SSL-VPN web interface, the link lets attackers quietly read configuration files without triggering standard detection mechanisms. If SSL-VPN has never been enabled on a device, it is not affected by this persistence method.

Fortinet has responded by launching an internal investigation, coordinating with third-party experts, and developing an AV/IPS signature to automatically detect and remove the symbolic link. Multiple updates have been released across different FortiOS versions, including 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the backdoor but also modify the SSL-VPN interface to prevent future occurrences. Customers are strongly advised to update their instances to these FortiOS versions, review device configurations, and treat all configurations as potentially compromised, taking appropriate recovery steps.

The Shadowserver Foundation reports that over 16,000 internet-exposed Fortinet devices have been compromised with this new symlink backdoor. This backdoor grants read-only access to sensitive files on previously compromised devices. CISA has also issued an advisory urging users to reset exposed credentials and consider disabling SSL-VPN functionality until patches can be applied. This incident underscores a worrying trend where attackers are designing backdoors to survive even updates and factory resets, highlighting the need for organizations to prioritize rapid patching and proactive security measures.
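The symptom described above, a planted symlink in a web-served folder that resolves outside that folder, is something defenders can check for on any system they control. The following is an added, generic illustration written for this digest, not Fortinet or FortiOS code: it walks a directory without following links and reports every symlink whose resolved target escapes the directory root. The fixture directory, file names and the `lang` folder are constructed for the demonstration; on a real appliance the vendor's AV/IPS signature and the FortiOS updates named above are the appropriate remediation.

```php
<?php
declare(strict_types=1);

// Added illustration, not Fortinet code. Generic check for the symptom the
// page describes: a symlink planted in a web-served folder that resolves
// outside that folder (for example to the root filesystem). All paths below
// are constructed for the demonstration.

/**
 * Walk $dir without following symlinks and return every symlink whose
 * resolved target lies outside $dir, as [link path => resolved target].
 * Dangling links are reported with the target '(dangling)'.
 */
function findEscapingSymlinks(string $dir): array
{
    $root = realpath($dir);
    if ($root === false || !is_dir($root)) {
        throw new InvalidArgumentException("not a directory: $dir");
    }
    $rootPrefix = rtrim($root, '/') . '/';
    $findings = [];

    // Without FilesystemIterator::FOLLOW_SYMLINKS the iterator does not
    // descend into a linked directory, so a link to '/' is seen once and
    // the walk never leaves $dir.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if (!$info->isLink()) {
            continue;
        }
        $target = realpath($path);
        if ($target === false) {
            $findings[$path] = '(dangling)';
            continue;
        }
        // Normalise to a trailing slash so "/srv/lang2" is not mistaken
        // for something inside "/srv/lang".
        $targetNorm = rtrim($target, '/') . '/';
        if (!str_starts_with($targetNorm, $rootPrefix)) {
            $findings[$path] = $target;
        }
    }
    return $findings;
}

// Constructed fixture: a language-file folder containing a regular file, a
// benign symlink that stays inside the folder, and one that points at '/'.
$base = sys_get_temp_dir() . '/symlink-audit-' . bin2hex(random_bytes(4));
mkdir("$base/lang", 0700, true);
file_put_contents("$base/lang/en.json", '{}');
symlink("$base/lang/en.json", "$base/lang/default.json");   // stays inside
symlink('/', "$base/lang/rootfs");                            // escapes

$found = findEscapingSymlinks("$base/lang");
foreach ($found as $link => $target) {
    echo "ESCAPING: $link -> $target", PHP_EOL;               // only rootfs
}
echo count($found), ' escaping symlink(s) found', PHP_EOL;    // 1

// Clean up the fixture.
unlink("$base/lang/rootfs");
unlink("$base/lang/default.json");
unlink("$base/lang/en.json");
rmdir("$base/lang");
rmdir($base);
```

The check deliberately resolves both the root and each link with `realpath()` before comparing, so a link that reaches the same file through a different path (such as a temp directory that is itself a symlink) is still classified correctly. Run it against any directory a web server exposes; a clean result is an empty array.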

References:
  • Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
  • dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
  • thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
  • cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
  • hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
  • gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
  • Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
  • gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
  • cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
  • securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
  • fortiguard.fortinet.com: FG-IR-24-435

@securityonline.info //
A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.

This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site.

WordPress site owners are strongly urged to update immediately to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts originated from two IP addresses: 2a01:e5c0:3167::2 (IPv6) and 89.169.15.201 (IPv4).
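The root cause named above, a secret-key comparison with no empty-value check, is a pattern worth seeing side by side with its fix. The following is an added illustration written for this digest, not OttoKit/SureTriggers code: a stand-in for a plugin's stored API secret, the equality-only comparison that accepts a blank secret on an unconfigured site, and the hardened version that refuses when either side is empty and otherwise compares in constant time. The option name, header name and secret value are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not OttoKit/SureTriggers code. Models the class of bug
// the page describes: an API secret comparison with no empty-value check.

// Stand-in for the plugin's stored setting. A freshly installed, never
// configured plugin has no key yet, so the stored value is an empty string.
function storedApiSecret(array $options): string
{
    return (string) ($options['api_secret'] ?? '');
}

// Vulnerable pattern, kept for contrast: equality alone. On an unconfigured
// site '' === '' is true, so a request with a blank (or absent) secret
// header is accepted.
function verifyApiSecretVulnerable(array $options, ?string $presented): bool
{
    return (string) $presented === storedApiSecret($options);
}

// Hardened pattern: refuse outright when nothing is configured or nothing
// was presented, then compare in constant time.
function verifyApiSecretFixed(array $options, ?string $presented): bool
{
    $stored = storedApiSecret($options);
    if ($stored === '' || $presented === null || $presented === '') {
        return false;
    }
    return hash_equals($stored, $presented);
}

// Pulls the secret from the request headers and hands it to a verifier.
// The header name is hypothetical.
function authenticateRequest(array $options, array $headers, callable $verify): bool
{
    return $verify($options, $headers['X-Example-Secret'] ?? null);
}

// Constructed scenarios.
$unconfigured = [];                                        // key never set
$configured   = ['api_secret' => 'constructed-example-secret'];
$blankHeader  = ['X-Example-Secret' => ''];
$noHeader     = [];
$goodHeader   = ['X-Example-Secret' => 'constructed-example-secret'];

$cases = [
    ['unconfigured site, blank secret',   $unconfigured, $blankHeader],
    ['unconfigured site, no header',      $unconfigured, $noHeader],
    ['configured site, blank secret',     $configured,   $blankHeader],
    ['configured site, correct secret',   $configured,   $goodHeader],
];

printf("%-36s %-11s %s\n", 'case', 'vulnerable', 'fixed');
foreach ($cases as [$label, $opts, $hdrs]) {
    printf("%-36s %-11s %s\n", $label,
        authenticateRequest($opts, $hdrs, 'verifyApiSecretVulnerable') ? 'ALLOW' : 'deny',
        authenticateRequest($opts, $hdrs, 'verifyApiSecretFixed') ? 'ALLOW' : 'deny');
}
// Expected: the vulnerable verifier allows both unconfigured-site rows and the
// correct secret; the fixed verifier allows only the correct secret.
```

The first two rows are the state the page describes, a plugin installed but not yet given a key. The fix is the `$stored === ''` branch: an unconfigured integration must fail closed rather than match an empty request, and `hash_equals()` replaces `===` so the comparison does not leak timing information once a key is set.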

References:
  • securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
  • BleepingComputer: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
  • thecyberexpress.com: 100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
  • bsky.app: Bsky post on Hackers exploit WordPress plugin auth bypass hours after disclosure
  • www.scworld.com: Immediate exploitation of high-severity WordPress plugin flaw reported
  • gbhackers.com: WordPress Plugin Rogue Account-Creation Flaw Leaves 100K WordPress Sites Exposed
  • Cyber Security News: Rogue User-Creation Bug Exposes 100,000 WordPress Sites to Takeover
  • thehackernews.com: OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
  • gbhackers.com: A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.
  • securityaffairs.com: Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw
  • ciso2ciso.com: Attackers are actively exploiting a vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, with many websites potentially exposed to complete compromise.
  • Security Risk Advisors: Critical Authentication Bypass in WordPress SureTriggers Plugin Leads to Admin Account Creation