@cyble.com
//
References:
securityaffairs.com
, ciso2ciso.com
,
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.
The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches. The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.
UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor. Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities. Recommended read:
References :
@securityonline.info
//
A new wave of cyberattacks has been detected targeting Ivanti Connect Secure VPN devices, exploiting the zero-day vulnerability CVE-2025-0282. This vulnerability is being leveraged to deploy a previously unseen malware called DslogdRAT, along with a Perl-based web shell. The attacks, which initially targeted organizations in Japan around December 2024, involve the web shell being used for remote command execution, ultimately leading to the installation of DslogdRAT for persistence and command-and-control (C2) communication. Researchers at JPCERT/CC have been closely analyzing this malware and the methods used in these attacks.
The attack sequence begins with the exploitation of the CVE-2025-0282 vulnerability. Once exploited, a Perl web shell is deployed, which is used to execute commands, including those that lead to the installation of DslogdRAT. DslogdRAT establishes a socket connection with an external server, transmitting basic system information and awaiting further instructions. This allows attackers to execute shell commands, upload and download files, and even use the compromised host as a proxy. The malware is designed to operate primarily during business hours, likely to avoid detection, and uses a simple XOR-based encoding method to protect its communication with the C2 server. Notably, the SPAWNSNARE backdoor has also been observed on systems compromised in these attacks. While it is unclear whether the DslogdRAT campaign is connected to previous attacks involving the SPAWN malware family attributed to the Chinese hacking group UNC5221, the use of CVE-2025-0282 as an initial access vector is a common thread. Furthermore, threat intelligence firms have noted a significant increase in scanning activity targeting Ivanti ICS and Ivanti Pulse Secure appliances, suggesting a coordinated reconnaissance effort that could precede further exploitation attempts. Users of Ivanti Connect Secure VPN devices are strongly advised to apply the available patches and monitor their systems for any signs of compromise. Recommended read:
References :
@cloud.google.com
//
A Chinese cyber-espionage group, identified as UNC5221, is actively exploiting a zero-day vulnerability, CVE-2025-22457, in Ivanti Connect Secure. UNC5221 is suspected to be a China-nexus cyber-espionage group known for aggressively targeting edge network devices, such as VPNs, firewalls, and routers, with zero-day exploits since at least 2023. This vulnerability allows for unauthenticated remote code execution, giving attackers the ability to gain unauthorized access to organizations’ networks. The group has a history of quickly leveraging new flaws in Ivanti's Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances.
The latest campaign, launched in mid-March 2025, involves deploying the BRICKSTORM backdoor in targeted cyberespionage campaigns across Europe, including U.S.-based targets. This backdoor has evolved, with the Windows version now leveraging network tunneling capabilities and valid credentials to compromise Remote Desktop Protocol and Server Message Block, unlike the original Linux-targeting payload. The campaign is part of a broader trend of Chinese state-sponsored attackers focusing on internet-facing infrastructure for espionage, impacting government and enterprise networks globally. Ivanti released a patch for CVE-2025-22457 on April 3, 2025, which affects Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability is a stack-based buffer overflow that can be exploited by sending a crafted HTTP request with an overly long X-Forwarded-For header. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog and recommends immediate action. Organizations using vulnerable Ivanti devices are strongly advised to apply the patch immediately and continuously monitor their external attack surface. Recommended read:
References :
Pierluigi Paganini@securityaffairs.com
//
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows confirmed active exploitation of the vulnerability in the wild, targeting multiple sectors including retail, marketing, and semiconductor industries. The flaw, present in versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, allows unauthenticated remote attackers to potentially take over susceptible instances of CrushFTP file transfer software if exposed publicly over HTTP(S).
The vulnerability stems from a weakness in the HTTP authorization header, enabling attackers to authenticate to any known or guessable user account, such as "crushadmin," potentially leading to a full system compromise. CrushFTP released fixes for the issue in versions 10.8.4 and 11.3.1, urging customers to update their systems immediately. Initial disclosure of the vulnerability has been controversial, with accusations of premature disclosure and attempts to conceal the issue to allow time for patching. Despite the controversy, the inclusion of CVE-2025-31161 in the KEV catalog signifies its high risk and the need for immediate action. SecurityWeek reports that the ongoing exploitation of the vulnerability has seen attackers deploying tools like MeshAgent for remote monitoring and DLL files indicative of Telegram bot utilization for data exfiltration. In some instances, AnyDesk has been installed prior to the deployment of SAM and System registry hives for credential compromise. FortiGuard Labs has also observed in-the-wild attack attempts targeting CVE-2025-31161. Although Shadowserver Foundation reports a decline in attacks since patches were issued on March 21, 2025, the CISA's warning and inclusion in the KEV catalog emphasize the persistent threat and the critical need for organizations to apply the necessary updates. Recommended read:
References :
Rescana@Rescana
//
CISA has issued an urgent warning regarding a critical authentication bypass vulnerability, CVE-2025-31161, in CrushFTP, a widely-used file transfer server solution. The agency has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling that it is actively being exploited in the wild. This flaw allows attackers to bypass authentication mechanisms and potentially gain unauthorized administrative access to vulnerable CrushFTP servers, posing significant risks to both government agencies and private organizations. Federal cybersecurity officials are urging immediate action to mitigate the threat.
The vulnerability, which affects CrushFTP server versions before 10.8.4 and 11.3.1, stems from improper validation of authentication tokens in the CrushFTP login process. An attacker can manipulate HTTP request parameters to gain unauthorized administrative access. CISA’s advisory highlights that exploitation could lead to a full system compromise. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate this vulnerability by April 28, 2025, emphasizing the severity of the risk. CISA strongly encourages all organizations, including private sector entities and state governments, to prioritize patching CVE-2025-31161 and adopt similar vulnerability management strategies. To mitigate the risk, organizations using CrushFTP should immediately apply available patches or updates issued by the software's developers. Additionally, reviewing system logs for any unusual activity is advised. The Cybersecurity and Infrastructure Security Agency emphasizes that this authentication bypass vulnerability represents a severe security risk, potentially allowing complete compromise of affected CrushFTP servers, and has observed sophisticated threat actors actively exploiting it to establish persistent access to critical systems. Recommended read:
References :
do son@Daily CyberSecurity
//
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.
RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution. Recommended read:
References :
Mandvi@Cyber Security News
//
CISA has added three critical Ivanti Endpoint Manager (EPM) flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. The affected vulnerabilities are CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161. These flaws are absolute path traversal vulnerabilities that could allow remote, unauthenticated attackers to fully compromise vulnerable servers, potentially granting unauthorized access to sensitive information. Federal agencies have been given until March 31, 2025, to apply the necessary patches and mitigate these threats.
CISA urges all organizations, including those in the private sector, to prioritize timely remediation of these Ivanti EPM vulnerabilities. Security experts warn that delays in patching can lead to full domain compromise, credential theft, and lateral movement by malicious actors. Given the recent history of Ivanti vulnerabilities, proactive security measures and rapid patching are essential to defend against potential attacks. The large market share of Ivanti products makes them a prime target for malicious actors, emphasizing the importance of immediate patching and continuous hardening of systems. Recommended read:
References :
|