@The DefendOps Diaries
//
Millions of Apple AirPlay-enabled devices are at risk following the disclosure of 23 vulnerabilities, collectively named "AirBorne", in Apple's AirPlay protocol and AirPlay Software Development Kit (SDK). The flaws could allow an attacker on the same Wi-Fi network to execute code remotely on vulnerable devices, and they pose a particular threat to third-party products that embed the SDK, such as smart TVs, speakers and CarPlay head units.
The vulnerabilities stem from flaws in Apple's implementation of the AirPlay protocol and SDK, which stream media between devices. Depending on the flaw, successful exploitation can yield zero-click or one-click remote code execution, access-control (ACL) bypass, or a man-in-the-middle position, letting an attacker take over a device, read local files and steal data.
Apple has released patches for the AirBorne vulnerabilities in its own products, including iPhones, iPads, MacBooks, Apple TVs and the Vision Pro headset. Third-party devices built on the AirPlay SDK, however, are fixed only when each vendor ships its own firmware update, and unpatched third-party devices may remain vulnerable for years. Cybersecurity experts estimate that tens of millions of devices could be affected, which is what gives these flaws their reach.
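An inventory step a network owner would want first, as an added example (Python, not code from Oligo or Apple): a multicast DNS query for the two service types AirPlay receivers advertise, `_airplay._tcp` and `_raop._tcp`, with a minimal parser for the PTR answers. The sample response used for the offline check is constructed, not captured traffic.

```python
"""mDNS inventory of AirPlay receivers on the local segment (RFC 6762 query,
RFC 1035 wire format). Added example, not code from Oligo or Apple. It asks for
PTR records of the two service types AirPlay devices register, _airplay._tcp
and _raop._tcp, and lists the instance names and source addresses that answer.
"""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
AIRPLAY_SERVICES = ["_airplay._tcp.local", "_raop._tcp.local"]
TYPE_PTR, CLASS_IN = 12, 1


def encode_name(name: str) -> bytes:
    """Length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").encode().split(b".")
    return b"".join(struct.pack("B", len(lab)) + lab for lab in labels) + b"\x00"


def build_ptr_query(service_types) -> bytes:
    """One query packet (ID 0, flags 0) with a PTR question per service type."""
    header = struct.pack("!HHHHHH", 0, 0, len(service_types), 0, 0, 0)
    return header + b"".join(encode_name(s) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
                             for s in service_types)


def decode_name(packet: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(packet[offset:offset + length].decode("utf-8", "replace"))
        offset += length


def parse_ptr_answers(packet: bytes):
    """{service_type: [instance names]} for PTR records naming AirPlay services."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset, found = 12, {}
    for _ in range(qd):                                   # skip echoed questions
        _, offset = decode_name(packet, offset)
        offset += 4
    for _ in range(an + ns + ar):
        name, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR and name in AIRPLAY_SERVICES:
            found.setdefault(name, []).append(decode_name(packet, offset)[0])
        offset += rdlen
    return found


def discover(timeout: float = 3.0):
    """Send the query and collect answers until `timeout` (needs a real LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(AIRPLAY_SERVICES), (MDNS_GROUP, MDNS_PORT))
    results = {}
    try:
        while True:
            data, (src, _) = sock.recvfrom(65535)
            for svc, names in parse_ptr_answers(data).items():
                results.setdefault(svc, set()).update((n, src) for n in names)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


def example_response() -> bytes:
    """Constructed response (not captured traffic): one PTR answer whose rdata
    ends in a compression pointer back to the owner name at offset 12."""
    owner = encode_name("_airplay._tcp.local")
    rdata = struct.pack("B", 14) + b"Living Room TV" + struct.pack("!H", 0xC000 | 12)
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    return header + owner + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(rdata)) + rdata


if __name__ == "__main__":
    for svc, entries in discover().items():
        for instance, src in sorted(entries):
            print(f"{svc:22s} {src:15s} {instance}")
```

Run it from the Wi-Fi segment in question; the devices that answer are the ones an attacker on that segment can reach, and any third-party receiver in the list needs a vendor firmware date, not just an Apple patch level.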
Recommended read:
References :
- CyberInsider: ‘AirBorne’ Flaws Expose Apple Devices to Zero-Click RCE Attacks
- WIRED: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
- BleepingComputer: Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks
- bsky.app: Oligo security researchers have disclosed over two dozen vulnerabilities in the Apple AirPlay protocol and SDK. Collectively named AirBorne, the vulnerabilities can allow attackers on the same network to run malicious code on any Apple device that supports AirPlay.
- BleepingComputer: A set of security vulnerabilities in Apple's AirPlay Protocol and AirPlay Software Development Kit (SDK) exposed unpatched third-party and Apple devices to various attacks, including remote code execution.
- securityonline.info: AirBorne Exploits: Zero-Click Wormable RCE Hits Apple & IoT Devices
- The DefendOps Diaries: Explore AirBorne vulnerabilities in Apple's AirPlay, posing zero-click RCE threats to devices, and learn about mitigation measures.
- securityaffairs.com: AirBorne flaws can lead to fully hijack Apple devices
- BleepingComputer: Mastodon mentions Flaws Expose Apple Devices to Zero-Click RCE Attacks
- www.oligo.security: Oligo Security blog post on AirBorne vulnerability.
- www.techradar.com: Millions of Apple AirPlay devices susceptible to 'AirBorne' zero-click RCE attacks, so patch now
- PCMag UK security: 'AirBorne' Flaw Exposes AirPlay Devices to Hacking: How to Protect Yourself
- Help Net Security: Vulnerabilities in Apple’s AirPlay Protocol, AirPlay Software Development Kits (SDKs), and the CarPlay Communication Plug-in could allow attackers to compromise AirPlay-enabled devices developed and sold by Apple and by other companies.
- Blog: New Apple zero-days go ‘AirBorne’
- bsky.app: Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks
- www.helpnetsecurity.com: Airplay-enabled devices open to attack via “AirBorne” vulnerabilities
- Blog: How to find Apple AirPlay devices on your network
- Risky.Biz: In other news: Marks & Spencer sends staff home after ransomware attack; China accuses US of hacking cryptography provider; AirBorne vulnerabilities impact Apple's AirPlay.
- Risky Business Media: The French government calls out Russian hacks for the first time, Marks & Spencer sends staff home after a ransomware attack, China accuses America of hacking a major cryptography provider, and AirBorne vulnerabilities impact Apple’s AirPlay.
- Risky Business Media: Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful
- The Record: Millions of Apple Airplay-enabled devices can be hacked via Wi-Fi
- securityaffairs.com: Vulnerabilities in Apple’s AirPlay protocol and SDK exposed Apple and third-party devices to attacks, including remote code execution. Oligo Security found serious flaws, collectively tracked as AirBorne, in Apple’s AirPlay protocol and SDK, affecting Apple and third-party devices. Attackers can exploit the vulnerabilities to perform zero-/one-click RCE, bypass ACLs, read local files, steal data, and […]
- arstechnica.com: Millions of Apple AirPlay-Enabled Devices Can Be Hacked via Wi-Fi
- www.scworld.com: Researchers reveal a collection of bugs known as AirBorne that would allow any hacker on the same Wi-Fi network as a third-party AirPlay-enabled device to surreptitiously run their own code on it.
- www.pcmag.com: Apple rolled out a fix with iOS 18.4, but third-party AirPlay-compatible devices remain exposed. Researchers at cybersecurity firm Oligo have found major vulnerabilities in Apple's AirPlay protocol that allow hackers to breach compatible devices on the same Wi-Fi network.
- Malwarebytes: Apple AirPlay SDK devices at risk of takeover—make sure you update
- hackread.com: Billions of Apple Devices at Risk from “AirBorne” AirPlay Vulnerabilities
- PhoneArena - Articles: Millions of AirPlay-enabled devices are at risk of being attacked by "AirBorne" security threat
- The Hacker News: Wormable AirPlay Flaws Enable Zero-Click RCE on Apple Devices via Public Wi-Fi
@reliaquest.com
//
A critical zero-day vulnerability, CVE-2025-31324, has been discovered in the SAP NetWeaver Visual Composer Metadata Uploader. The flaw is a missing authorization check on the `/developmentserver/metadatauploader` endpoint, which lets unauthenticated attackers upload arbitrary files to the system. This unrestricted file upload carries a CVSS score of 10.0, the maximum severity, and security researchers and threat hunters have already observed active exploitation in the wild, with threat actors using it to drop web shell backdoors onto exposed systems.
Exploitation of CVE-2025-31324 gives attackers unauthorized access to and control over SAP systems. Threat actors are using it to upload web shells, which provide remote code execution and a foothold for further compromise: the shells let an attacker execute commands, manage files and perform other actions directly from a web browser. According to SAP security vendor Onapsis, the vulnerability can give attackers full control over SAP business data and processes, potentially leading to ransomware deployment and lateral movement within the network.
SAP has released an out-of-band emergency patch for CVE-2025-31324, and organizations should apply it as soon as possible. ReliaQuest reported investigating multiple customer incidents in which JSP web shells were uploaded through this vulnerability. Given the widespread active exploitation and the potential impact, organizations should prioritize patching and then assess each system for signs of compromise, since the patch closes the upload path but does not remove a web shell that is already in place. BleepingComputer counted over 1,200 internet-exposed SAP NetWeaver instances still vulnerable, underscoring the urgency.
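Two checks a responder would run for this endpoint, as an added example (Python, not SAP's, Onapsis's or ReliaQuest's code): a credential-less GET against `/developmentserver/metadatauploader` classified by status code, and a scan of web access logs for hits on the endpoint. The log lines are constructed, the log format is assumed to be Common Log Format, and the probe only tells you whether the endpoint answers anonymously, not whether a shell has already been dropped.

```python
"""Triage helpers for CVE-2025-31324 (unauthenticated upload via the SAP
NetWeaver Visual Composer endpoint /developmentserver/metadatauploader).
Added example, not SAP's, Onapsis's or ReliaQuest's code.

probe(): one credential-less GET with no parameters, interpreted by status.
scan_access_log(): flag hits on the endpoint in web access logs. The log lines
are constructed; the regex assumes Common Log Format, so adapt it to whatever
your reverse proxy or SAP's HTTP access log actually writes.
"""
import re
import urllib.error
import urllib.request

ENDPOINT = "/developmentserver/metadatauploader"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample, not a real server log.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.9 - - [25/Apr/2025:10:03:44 +0000] "HEAD /developmentserver/metadatauploader HTTP/1.1" 200 0
198.51.100.9 - - [25/Apr/2025:10:03:51 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 64
203.0.113.7 - - [25/Apr/2025:10:05:00 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 403 0
"""


def classify_probe(status: int) -> str:
    """Meaning of the status code returned to an anonymous request."""
    if status == 200:
        return "EXPOSED: endpoint answers without authorization; treat as vulnerable until patched"
    if status in (401, 403):
        return "GATED: authorization enforced (patched, or access restricted)"
    if status == 404:
        return "ABSENT: Visual Composer component not deployed"
    return f"UNKNOWN: HTTP {status}, inspect manually"


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Non-destructive: GET with no credentials, no parameters and no body."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status)
    except urllib.error.HTTPError as err:
        return classify_probe(err.code)


def scan_access_log(text: str):
    """Hits on the endpoint as (severity, ip, method, status, path), worst first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] != ENDPOINT:
            continue
        method, status = m["method"], int(m["status"])
        if method == "POST" and status == 200:
            sev = "HIGH"       # upload accepted: hunt for dropped JSP files
        elif status == 200:
            sev = "MEDIUM"     # anonymous probe succeeded: reconnaissance
        else:
            sev = "LOW"        # rejected attempt, still worth attribution
        hits.append((sev, m["ip"], method, status, m["path"]))
    return sorted(hits, key=lambda h: SEVERITY_ORDER[h[0]])


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```

A HIGH hit means the server accepted a POST body from an anonymous client; the next step is a file-system review of the web-served directories on that instance, not just the patch.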
Recommended read:
References :
- Threats | CyberScoop: CyberScoop article about SAP zero-day vulnerability under widespread active exploitation
- securityaffairs.com: SecurityAffairs article about SAP NetWeaver zero-day allegedly exploited by an initial access broker.
- The DefendOps Diaries: thedefendopsdiaries.com article on Addressing CVE-2025-31324: A Critical SAP NetWeaver Vulnerability
- Tenable Blog: Tenable Blog post on CVE-2025-31324 zero day vulnerability in SAP NetWeaver being exploited in the wild.
- BleepingComputer: SAP fixes suspected Netweaver zero-day exploited in attacks
- reliaquest.com: ReliaQuest uncovers vulnerability behind SAP NetWeaver compromise
- MSSP feed for Latest: SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer
- Blog: Max severity zero-day in SAP NetWeaver actively exploited
- thehackernews.com: Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
- cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
- www.cybersecuritydive.com: SAP NetWeaver zero-day vulnerability under widespread active exploitation.
- www.scworld.com: SAP patches zero day rated 10.0 in NetWeaver
- The Register - Security: Emergency patch for potential SAP zero-day that could grant full system control
- Resources-2: Picus Security explains SAP NetWeaver Remote Code Execution Vulnerability
- socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
- Strobes Security: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
- The DefendOps Diaries: The DefendOps Diaries: Understanding and Mitigating the CVE-2025-31324 Vulnerability in SAP NetWeaver
- Vulnerable U: SAP CVE-2025-31324 Targeted by Attackers
- www.bleepingcomputer.com: Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
- BleepingComputer: Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
- Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
- research.kudelskisecurity.com: Critical Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324)
- securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
- onapsis.com: In our SAP CVE-2025-31324 webinar learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
- research.kudelskisecurity.com: Research Kudelski Security Article on SAP NetWeaver Exploitation
- Cyber Security News: SAP NetWeaver 0-Day Vulnerability Actively Exploited to Deploy Webshells
- Caitlin Condon: Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments.
- www.cybersecuritydive.com: Thousands are exposed and potentially vulnerable as researchers warn of widespread exploitation.
- www.it-daily.net: Security experts have identified a serious security vulnerability in SAP NetWeaver that allows unauthorized access to company systems.
- securityonline.info: CISA Adds SAP NetWeaver Zero-Day CVE-2025-31324 to KEV Database
- redcanary.com: Critical vulnerability in SAP NetWeaver enables malicious file uploads
- www.stormshield.com: Security alert SAP CVE-2025-31324: Stormshield Products Response
- Rescana: Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks
- SOC Prime Blog: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution
@securityonline.info
//
A critical security vulnerability has been discovered in Active! mail, a web-based email client widely used by large Japanese organizations. The vulnerability, CVE-2025-42599, is a stack-based buffer overflow that allows remote attackers to execute arbitrary code on affected systems. Rated CVSS 9.8, it can be exploited by unauthenticated attackers, so no login credentials are needed to carry out an attack.
The flaw is a zero-day that is being actively exploited in attacks on large organizations in Japan. Successful exploitation can lead to full server compromise, data theft, service disruption or malware installation. Active! mail is a staple of Japanese-language business environments, including corporations, universities, government agencies and banks; it is deployed at more than 2,250 organizations with over 11,000,000 accounts, so the potential impact is substantial.
In response to the active exploitation, Qualitia, the developer of Active! mail, released a security bulletin and a corrective patch on April 18, 2025. Users are urged to update to Active! mail 6 BuildInfo 6.60.06008562 as soon as possible. The Japan Computer Emergency Response Team (JPCERT) has also issued an advisory stressing the urgency of applying the patch. For organizations unable to update immediately, JPCERT recommends, as a temporary mitigation, configuring a Web Application Firewall (WAF) to inspect HTTP request bodies and block requests carrying excessively large multipart/form-data headers; a WAF rule narrows the reachable attack surface but does not remove the overflow, so it is a stopgap until the patch is applied.
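The WAF mitigation JPCERT describes, written out as request-screening logic (added example in Python, not Qualitia's patch or a JPCERT rule): parse the multipart/form-data body by its boundary, measure each part's header block, and reject the request if any header block exceeds a limit. The 1 KiB limit, the boundary string and the request bodies are assumptions constructed for the example.

```python
"""Request-body screen for the mitigation JPCERT describes for Active! mail:
reject multipart/form-data requests whose part headers are abnormally large.
Added example of the WAF logic as code, not Qualitia's patch or a JPCERT rule.
The 1 KiB limit is an assumption: legitimate part headers (Content-Disposition
plus Content-Type) are a few hundred bytes at most, so tune it from your traffic.
"""
import re

MAX_PART_HEADER_BYTES = 1024   # assumed threshold
BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.IGNORECASE)


def extract_boundary(content_type: str):
    """Boundary token from a multipart/form-data Content-Type, else None."""
    if not content_type.lower().startswith("multipart/form-data"):
        return None
    m = BOUNDARY_RE.search(content_type)
    return m.group(1) if m else None


def part_header_sizes(body: bytes, boundary: str):
    """Bytes in each part's header block (everything before the blank line).
    A part that never terminates its header block counts its whole length as
    header, which is the shape an overflow attempt takes."""
    delim = b"--" + boundary.encode()
    sizes = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                 # closing delimiter
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _sep, _payload = chunk.partition(b"\r\n\r\n")
        sizes.append(len(head))
    return sizes


def should_block(content_type: str, body: bytes,
                 limit: int = MAX_PART_HEADER_BYTES) -> bool:
    """WAF decision: True if any multipart part header exceeds `limit`."""
    boundary = extract_boundary(content_type)
    if boundary is None:
        return False                                # not multipart: rule does not apply
    return any(size > limit for size in part_header_sizes(body, boundary))


def build_body(boundary: str, parts) -> bytes:
    """Constructed request bodies for the demo; parts = [(header_bytes, payload)]."""
    out = b""
    for headers, payload in parts:
        out += b"--" + boundary.encode() + b"\r\n" + headers + b"\r\n\r\n" + payload + b"\r\n"
    return out + b"--" + boundary.encode() + b"--\r\n"


BOUNDARY = "----ExampleBoundary7MA4YWxk"                 # assumed
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
NORMAL_BODY = build_body(BOUNDARY, [
    (b'Content-Disposition: form-data; name="subject"', b"Quarterly report"),
    (b'Content-Disposition: form-data; name="attach"; filename="q1.pdf"\r\n'
     b"Content-Type: application/pdf", b"%PDF-1.7 ..."),
])
# Oversized header: a 4 KiB filename parameter inside Content-Disposition.
OVERSIZED_BODY = build_body(BOUNDARY, [
    (b'Content-Disposition: form-data; name="attach"; filename="' + b"A" * 4096 + b'"',
     b"payload"),
])

if __name__ == "__main__":
    print("normal    ->", "block" if should_block(CONTENT_TYPE, NORMAL_BODY) else "allow")
    print("oversized ->", "block" if should_block(CONTENT_TYPE, OVERSIZED_BODY) else "allow")
```

The rule has to run on the full request body, so a WAF that only inspects headers or the first few kilobytes of the body will not see a part header that arrives later in a large upload.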
Recommended read:
References :
- securityonline.info: CVE-2025-42599: Critical Buffer Overflow in Active! mail Exploited in the Wild
- The DefendOps Diaries: Explore the critical Active! Mail vulnerability impacting over 11 million accounts, highlighting the need for robust cybersecurity measures.
- BleepingComputer: An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.
@documentation.commvault.com
//
A critical remote code execution (RCE) vulnerability, CVE-2025-34028, has been discovered in Commvault Command Center. Rated 9.0 out of 10, it allows unauthenticated remote attackers to execute arbitrary code on affected installations. The flaw involves a path traversal that can lead to complete compromise of the Command Center environment. Commvault acknowledged it in an advisory released on April 17, 2025, noting that attackers could take control of the system without authentication.
Commvault Command Center versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release are affected. The entry point is the "deployWebpackage.do" endpoint, which is reachable before authentication and does not filter which hosts it will contact, giving an attacker a pre-authenticated Server-Side Request Forgery (SSRF). An attacker sends an HTTP request that makes the Commvault instance fetch a ZIP file from a server the attacker controls; the instance then unpacks that attacker-supplied archive into a temporary directory, and the path traversal in how archive entries are written lets a crafted entry land outside that directory, which is what turns the fetch into code execution.
The vulnerability was discovered and reported by Sonny Macdonald of watchTowr Labs on April 7, 2025. watchTowr published technical details and a proof-of-concept (PoC) exploit on April 24, 2025, raising the urgency of patching. Commvault has fixed the issue in versions 11.38.20 and 11.38.25 and urges all users to upgrade immediately. NIST's National Vulnerability Database last modified its entry on April 23. watchTowr has also released a Detection Artefact Generator that organizations can use to determine whether their instance is vulnerable.
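The two controls the vulnerable path lacked, as an added example (Python, not Commvault's or watchTowr's code): a host allowlist with private-range rejection in front of the server-side fetch, and an archive extractor that refuses entries escaping the destination, shown beside the unsafe hand-rolled extractor it replaces. The allowlisted hostname, the archive and the resolver stand-ins are constructed.

```python
"""Two hardening checks for the CVE-2025-34028 pattern (unfiltered server-side
fetch of a ZIP, then extraction of attacker-controlled entries). Added example,
not Commvault's or watchTowr's code.

fetch_allowed(): the host filter the vulnerable endpoint lacked.
unsafe_extract(): a hand-rolled extractor that trusts entry names (zip-slip).
  Python's own ZipFile.extractall strips '..' components, so the vulnerable
  form is written out by hand to show what an unsafe extractor does.
safe_extract(): resolves every entry path and refuses any that leaves dest.
"""
import io
import ipaddress
import os
import socket
import tempfile
import zipfile
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"packages.example.internal"}   # assumed allowlist


def fetch_allowed(url: str, allowlist=ALLOWED_HOSTS, resolve=socket.gethostbyname) -> bool:
    """Scheme and exact-hostname allowlist, then refuse hosts that resolve to
    private, loopback, link-local or other special ranges (blocks fetches that
    would point the server at itself or its neighbours)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowlist:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast)


def unsafe_extract(zip_bytes: bytes, dest: str) -> None:
    """VULNERABLE: joins entry names onto dest without validation."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))


def safe_extract(zip_bytes: bytes, dest: str) -> None:
    """HARDENED: every resolved target must stay under dest; reject otherwise."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"zip entry escapes destination: {info.filename!r}")
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))


def crafted_zip() -> bytes:
    """Constructed archive: one benign file and one entry with a traversal name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "benign")
        zf.writestr("../escaped.jsp", "<% /* would land outside dest */ %>")
    return buf.getvalue()


def demo() -> dict:
    """Run both extractors on the crafted archive and exercise the host filter
    with stand-in resolvers (8.8.8.8 as a public address, 127.0.0.1 as loopback)."""
    base = tempfile.mkdtemp()
    dest = os.path.join(base, "tmpunpack")
    os.makedirs(dest)
    unsafe_extract(crafted_zip(), dest)
    escaped = os.path.exists(os.path.join(base, "escaped.jsp"))
    dest2 = os.path.join(base, "tmpunpack2")
    os.makedirs(dest2)
    try:
        safe_extract(crafted_zip(), dest2)
        rejected = False
    except ValueError:
        rejected = True
    url = "https://packages.example.internal/p.zip"
    return {"unsafe_wrote_outside": escaped,
            "safe_rejected": rejected,
            "allow_public": fetch_allowed(url, resolve=lambda h: "8.8.8.8"),
            "allow_loopback": fetch_allowed(url, resolve=lambda h: "127.0.0.1"),
            "allow_other_host": fetch_allowed("https://attacker.example/p.zip")}


if __name__ == "__main__":
    print(demo())
```

The resolver check is a best-effort guard against rebinding; a fetch client that follows redirects has to re-run `fetch_allowed` on every hop, and the extractor check is what actually stops the dropped file from reaching a served directory.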
Recommended read:
References :
- Open Source Security: Posted by Fabian Bäumer on Apr 19 Hi Alexander, We used a technique called state machine learning to infer the state machine of the Erlang/OTP SSH server by interaction. With the state machine at hand, we noticed unexpected state transitions during the handshake caused by SSH_MSG_CHANNEL_OPEN messages. In particular, sending SSH_MSG_CHANNEL_REQUEST without SSH_MSG_CHANNEL_OPEN caused the connection to terminate, while sending SSH_MSG_CHANNEL_OPEN first changed this...
- Resources-2: On April 16th, 2025, Erlang/OTP team disclosed a critical vulnerability affecting their SSH server implementation [1]. CVE-2025-32433 is an unauthenticated remote code execution vulnerability with a CVSS score of 10.0 (Critical) that allows adversaries to run arbitrary code on vulnerable systems with elevated privileges.
- Tenable Blog: Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices. Background On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the vulnerability mailing list.
- arcticwolf.com: On April 24, 2025, watchTowr published technical details and a proof-of-concept (PoC) exploit for a critical vulnerability in Commvault Command Center, CVE-2025-34028, which had been disclosed earlier in April.
- The Hacker News: A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations.
- www.scworld.com: CVE-2025-34028 could lead to a complete compromise of the Command Center.
- Arctic Wolf: CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center
- labs.watchtowr.com: Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) - watchTowr Labs
- Help Net Security: Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028)
- Anonymous: Critical Exploit Alert! A 9.0 CVSS flaw in Commvault Command Center lets hackers run code without logging in. Targets versions 11.38.0–11.38.19
- SOC Prime Blog: SocPrime blog post on detecting CVE-2025-34028 exploitation
- thecyberexpress.com: The Cyber Express article on the Commvault vulnerability
- hackread.com: Critical Commvault Flaw Allows Full System Takeover – Update NOW
- socprime.com: CVE-2025-34028 Detection: A Maximum-Severity Vulnerability in the Commvault Command Center Enables RCE
- fortiguard.fortinet.com: What is the Vulnerability?A critical path traversal vulnerability has been identified in Commvault's Command Center Innovation Release.
- watchTowr Labs: Fire In The Hole, We’re Breaching The Vault
- www.csoonline.com: Critical Commvault SSRF could allow attackers to execute code remotely
- hackread.com: Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to…
@The Hacker News
//
CVE-2021-20035, a high-severity vulnerability in SonicWall Secure Mobile Access (SMA) 100 series appliances, is under active exploitation, according to recent reports. The flaw is an OS command injection caused by improper neutralization of special elements in the SMA100 management interface: a remote attacker who has authenticated to that interface can inject arbitrary commands that run as the 'nobody' user, potentially leading to code execution. It affects SMA100 devices running older firmware. The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signalling urgency for federal agencies and other organizations alike.
Exploitation has been underway since January 2025. Arctic Wolf has been tracking a campaign aimed at VPN credential access on SonicWall SMA devices and assesses it as potentially linked to CVE-2021-20035; because the command injection requires an authenticated session, harvested credentials are the natural precursor to exploiting it. SonicWall has acknowledged the active exploitation, with a spokesperson stating that the company is investigating the scope and details of the attacks. The case fits the broader trend of threat actors targeting edge devices such as VPN gateways and firewalls to gain initial access.
Given the active exploitation, CISA has mandated that federal civilian executive branch agencies patch their SonicWall SMA appliances, or discontinue their use if mitigations cannot be applied, by May 7. SonicWall urges customers to follow the mitigation steps in its advisory and to upgrade to the latest firmware as a matter of course. As SonicWall appliances have been a popular target in recent years, Cybersecurity Dive notes that timely firmware updates remain the key protection.
Recommended read:
References :
- Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
- securityaffairs.com: Attackers exploited SonicWall SMA appliances since January 2025
- The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
- www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
- www.scworld.com: Attacks involving old SonicWall SMA100 vulnerability underway
- BleepingComputer: SonicWall SMA VPN devices targeted in attacks since January
- www.helpnetsecurity.com: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
@The Hacker News
//
Since January 2025, threat actors have been exploiting CVE-2021-20035 in SonicWall Secure Mobile Access (SMA) appliances. The flaw is an OS command injection in the SMA100 management interface that an authenticated remote attacker can use to run commands on the appliance. Arctic Wolf researchers have been tracking the campaign and highlight the credential-access risk it poses to organizations running the affected devices.
The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat, and CISA urges prompt remediation. In addition to CVE-2021-20035, CISA has flagged another critical SonicWall vulnerability, CVE-2024-53704, which affects the SSL VPN authentication mechanism in SonicOS. That flaw, rated CVSS 9.3, lets attackers hijack active VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes.
CISA has issued a security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704. Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate cataloged vulnerabilities by the due date CISA sets for each entry. While the directive binds only U.S. federal agencies, CISA advises all network defenders to act on these entries immediately.
Recommended read:
References :
- Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
- www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
- Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
- Arctic Wolf: On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
- securityaffairs.com: Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025.
- The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
- BleepingComputer: SonicWall SMA VPN devices targeted in attacks since January
- www.scworld.com: Attacks involving old SonicWall SMA100 vulnerability underway
- The DefendOps Diaries: CISA Flags Critical SonicWall Vulnerabilities: Urgent Mitigation Required
- securityaffairs.com: Security Affairs newsletter reports attackers exploited SonicWall SMA appliances since January 2025
- www.helpnetsecurity.com: Help Net Security details Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
- BleepingComputer: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
@The Hacker News
//
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.
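The ordering check whose absence the disclosure describes, as an added example (Python, not the Erlang/OTP ssh module or the researchers' PoC): a server-side gate that refuses connection-protocol messages (SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST) until SSH_MSG_USERAUTH_SUCCESS has been sent. Message numbers are from RFC 4250; the two sequences are constructed, not captured sessions.

```python
"""Server-side SSH message gate illustrating the CVE-2025-32433 class of bug.
Added example, not the Erlang/OTP ssh module or the Ruhr University Bochum PoC.

RFC 4250 assigns message numbers by layer: transport 1-49, user authentication
50-79, connection protocol 80-127. The connection layer (CHANNEL_OPEN = 90 and
CHANNEL_REQUEST = 98, the message that carries an "exec" request) must only be
reachable after the server has sent USERAUTH_SUCCESS (52). The validator below
enforces that ordering; the vulnerable behaviour is the absence of the check.
Message sequences are constructed, not captured sessions.
"""
from dataclasses import dataclass, field

SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

CONNECTION_LAYER = range(80, 128)   # RFC 4250 number space for the connection protocol


@dataclass
class SshSession:
    """Minimal state the server needs for the gate decision."""
    authenticated: bool = False
    trail: list = field(default_factory=list)

    def accept(self, msg_type: int, from_server: bool = False) -> bool:
        """True if the message may be processed, False if it must be rejected
        (a real server would disconnect with SSH_DISCONNECT_PROTOCOL_ERROR)."""
        who = "S" if from_server else "C"
        if from_server and msg_type == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True
        elif not from_server and msg_type in CONNECTION_LAYER and not self.authenticated:
            self.trail.append((who, msg_type, "REJECT: connection-layer message before auth"))
            return False
        self.trail.append((who, msg_type, "ok"))
        return True


def run(sequence):
    """Feed (sender, msg_type) pairs through a fresh session; return the verdicts."""
    session = SshSession()
    return [session.accept(t, from_server=(who == "S")) for who, t in sequence]


def pre_auth_channel_messages(sequence) -> int:
    """Count client connection-layer messages that arrived before USERAUTH_SUCCESS."""
    return sum(1 for ok in run(sequence) if not ok)


# Normal session: key exchange, authentication, then a channel and an exec request.
LEGIT = [("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT), ("C", SSH_MSG_NEWKEYS),
         ("C", SSH_MSG_SERVICE_REQUEST), ("C", SSH_MSG_USERAUTH_REQUEST),
         ("S", SSH_MSG_USERAUTH_SUCCESS), ("C", SSH_MSG_CHANNEL_OPEN),
         ("C", SSH_MSG_CHANNEL_REQUEST)]

# Attack shape from the disclosure: CHANNEL_OPEN then CHANNEL_REQUEST with no
# authentication exchange at all.
PRE_AUTH = [("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT), ("C", SSH_MSG_NEWKEYS),
            ("C", SSH_MSG_CHANNEL_OPEN), ("C", SSH_MSG_CHANNEL_REQUEST)]

if __name__ == "__main__":
    print("legit session, rejected messages:   ", pre_auth_channel_messages(LEGIT))
    print("pre-auth session, rejected messages:", pre_auth_channel_messages(PRE_AUTH))
```

Because everything after SSH_MSG_NEWKEYS is encrypted, this ordering can only be enforced or logged inside the server; a network sensor cannot see the message types, which is why patching rather than detection is the primary control here.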
The vulnerability affects every SSH server built on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application that provides SSH access through the Erlang/OTP SSH library should be considered affected. The risk is greatest for critical infrastructure and high-availability systems where Erlang/OTP is widely deployed, such as telecommunications equipment, industrial control systems and connected devices. Mayuresh Dani of Qualys stresses the severity, noting how often Erlang runs on high-availability systems; an attacker could use the flaw to install ransomware or siphon off sensitive data.
Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, so organizations need to act immediately. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed it had developed its own exploit, describing the bug as "surprisingly easy" to reproduce. The fix is to update to the patched releases OTP-27.3.3, OTP-26.2.5.11 or OTP-25.3.2.20. Where that cannot be done at once, disable the SSH server or restrict access to it with firewall rules until the update is applied, and review any system that exposed the service for signs of compromise.
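A version check against the fixed releases listed above, as an added example (Python, not an Ericsson tool). It reads the full OTP version from `<OTP root>/releases/<release>/OTP_VERSION`, the file where an installed OTP records its patch level, and compares it per maintenance line. The assumption that releases newer than OTP 27 include the fix is marked in the code; confirm it against the release notes.

```python
"""Check an installed Erlang/OTP against the fixed releases for CVE-2025-32433
(OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20 per the advisory). Added example, not
an Ericsson tool. Reads the OTP_VERSION file under the installation's releases/
directory, which is where an installed OTP records its full patch-level version.
"""
import os
import shutil
import subprocess

FIXED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}


def parse_version(text: str) -> tuple:
    """'26.2.5.11' -> (26, 2, 5, 11). Tolerates whitespace, a '-rc' tag and the
    '**' marker OTP appends when individual applications have been patched."""
    core = text.strip().rstrip("*").split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_fixed(version: str) -> bool:
    """True only if the version is at or above the fix for its maintenance line.
    Lines without a fix (24 and older) are treated as vulnerable; lines newer
    than 27 are assumed to ship with the fix (assumption: verify release notes)."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED:
        return v >= FIXED[major]
    return major > max(FIXED)


def installed_otp_version():
    """Full OTP version string of the `erl` on PATH, or None if there is none."""
    if shutil.which("erl") is None:
        return None
    query = 'io:format("~s ~s", [code:root_dir(), erlang:system_info(otp_release)]), halt().'
    out = subprocess.run(["erl", "-noshell", "-eval", query],
                         capture_output=True, text=True, timeout=30).stdout.split()
    root, release = out[0], out[1]
    with open(os.path.join(root, "releases", release, "OTP_VERSION"), encoding="utf-8") as fh:
        return fh.read().strip()


if __name__ == "__main__":
    installed = installed_otp_version()
    if installed is None:
        print("erl not found on PATH")
    else:
        print(installed, "fixed" if is_fixed(installed) else "VULNERABLE: upgrade")
```

On a host where only the `ssh` application was patched, the OTP version string may lag behind; `application:get_key(ssh, vsn)` after `application:load(ssh)` returns the ssh application's own version, which is the precise indicator in that case.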
Recommended read:
References :
- darkwebinformer.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
- hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
- Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
- Ubuntu security notices: USN-7443-1: Erlang vulnerability
- BleepingComputer: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
- The Hacker News: TheHackerNews Article about CVSS 10.0 in Erlang/OTP SSH
- The DefendOps Diaries: Explore the critical CVE-2025-32433 vulnerability in Erlang/OTP SSH, its impact, and mitigation strategies.
- github.com: Unauthenticated Remote Code Execution in Erlang/OTP SSH
- securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
- www.openwall.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
- Resources-2: Picus Security Blog on Erlang/OTP SSH RCE
- Tenable Blog: Details about CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability.
- securityonline.info: SecurityOnline article on Erlang/OTP CVE-2025-32433 (CVSS 10): Critical SSH Flaw Allows Unauthenticated RCE
- Security Risk Advisors: Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433).
- securityonline.info: Erlang/OTP SSH Vulnerability (CVE-2025-32433).
- Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
- www.runzero.com: Discusses an SSHamble with remote code execution in Erlang/OTP SSH.
- Cyber Security News: Cybersecurity News also reported this vulnerability.
- securityboulevard.com: Vulnerability in Erlang/OTP SSH allows for unauthenticated remote code execution on vulnerable devices.
- The DefendOps Diaries: Understanding and Mitigating CVE-2025-32433: A Critical Erlang/OTP Vulnerability
- www.scworld.com: Maximum severity flaw impacts Erlang/OTP SSH Widely used library Erlang/OTP SSH was discovered to be affected by a maximum severity flaw, tracked as CVE-2025-32433, which could be leveraged to allow code execution without required logins, according to Hackread.
- Open Source Security: Seclists Details on SSH execution in Erlang
- Blog: CyberReason article on Erlang/OTP RCE Vulnerability.
- infosecwriteups.com: InfoSec Writeups: Erlang/OTP SSH CVSS 10 RCE
- securityboulevard.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
- www.bleepingcomputer.com: Critical Erlang/OTP SSH RCE bug now has public exploits, patch now
- industrialcyber.co: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
- www.cybersecuritydive.com: Researchers warn of critical flaw found in Erlang OTP SSH
- Arctic Wolf: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
- arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
- Industrial Cyber: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
- www.csoonline.com: Public exploits already available for a severity 10 Erlang SSH vulnerability; patch now
- Security Risk Advisors: TheHackerNews post on Erlang/OTP SSH vulnerability.
- securityonline.info: Critical RCE Vulnerability in Erlang/OTP SSH Server Impacts Multiple Cisco Products
info@thehackernews.com (The Hacker News)
//
CISA has added CVE-2021-20035, a high-severity vulnerability affecting SonicWall SMA100 series appliances, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw, an OS command injection vulnerability in the SMA100 management interface, allows remote attackers to execute arbitrary code. The Cybersecurity and Infrastructure Security Agency (CISA) issued the alert on April 16, 2025, based on evidence of active exploitation in the wild. SonicWall originally disclosed the vulnerability in September 2021 and has since updated its advisory to note that the flaw has reportedly been exploited in the wild, revising the summary and the CVSS score, now 7.2.
The vulnerability, tracked as CVE-2021-20035, stems from improper neutralization of special elements in the SMA100 management interface. Specifically, a remote authenticated attacker can inject arbitrary commands as a 'nobody' user, potentially leading to code execution. The affected SonicWall devices include SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v appliances running specific firmware versions.
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply the necessary mitigations by May 7, 2025, to protect their networks from this actively exploited vulnerability. Remediation steps include applying the latest security patches provided by SonicWall to all affected SMA100 appliances and restricting management interface access to trusted networks. CISA strongly advises all organizations, including state, local, tribal, territorial governments, and private sector entities, to prioritize remediation of this cataloged vulnerability to enhance their cybersecurity posture.
Recommended read:
References :
- chemical-facility-security-news.blogspot.com: CISA Adds SonicWall Vulnerability to KEV Catalog – 4-16-25
- securityaffairs.com: U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
- The Hacker News: Details on the exploitation of the vulnerability
- Cyber Security News: CISA Alerts on Exploited SonicWall Command Injection Vulnerability
- gbhackers.com: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
- BleepingComputer: On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...]
- gbhackers.com: GBHackers: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
- securityonline.info: CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
- The DefendOps Diaries: CISA flags critical SonicWall vulnerabilities: Urgent mitigation required to prevent cyber attacks
- www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
- Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
- Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
- arcticwolf.com: On 15 April 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
- The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
- BleepingComputer: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
- bsky.app: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
- www.scworld.com: Cybersecurity Dive reports that active exploitation of the nearly half a decade-old high-severity SonicWall SMA100 remote-access appliance operating system command injection flaw
- www.helpnetsecurity.com: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
- securityaffairs.com: CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog.
- Help Net Security: CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers.
- arcticwolf.com: Details the credential access campaign targeting SonicWall SMA devices and its potential link to CVE-2021-20035 exploitation.
- securityaffairs.com: Attackers exploited SonicWall SMA appliances since January 2025
- www.bleepingcomputer.com: SonicWall SMA VPN devices targeted in attacks since January
@Talkback Resources
//
A critical spoofing vulnerability, identified as CVE-2025-30401, has been discovered in WhatsApp for Windows. Meta, the parent company of WhatsApp, has released a security update to address this flaw, which impacts versions prior to 2.2450.6. The vulnerability could allow attackers to trick users and enable remote code execution on their devices. Users of WhatsApp for Windows are strongly advised to update to the latest version immediately to mitigate the risk. This issue arises from a discrepancy in how WhatsApp handles file attachments, specifically the mismatch between the MIME type and file extension handling.
The exploit mechanism involves attackers sending maliciously crafted files with altered file types to potential targets. The WhatsApp application displays attachments based on their MIME type but selects the file opening handler based on the attachment's filename extension. This allows an attacker to craft a malicious file that appears harmless, such as an image, but when opened, executes arbitrary code. The spoofing technique takes advantage of the discrepancy between MIME type and file extension handling, allowing attackers to execute arbitrary code on the victim’s system.
The discovery of CVE-2025-30401 has raised concerns within the cybersecurity community, highlighting the importance of maintaining robust security practices in widely-used applications. While Meta has not reported any exploitation of this vulnerability in the wild, vulnerabilities in messaging applications like WhatsApp are frequently targeted by malicious actors. The impact of a successful exploit could include unauthorized system access and data theft, posing significant risks to users. To ensure protection, users should promptly update their WhatsApp for Windows application to version 2.2450.6 or later.
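The defensive counterpart of the mismatch described above is a consistency check between the type used to display an attachment (its declared MIME type) and the type the operating system would use to open it (its filename extension). The following is an added example, not code from the original post or from WhatsApp or Meta; it models the check a messaging client or mail gateway can run before handing a file to a handler, using Python's standard `mimetypes` table to derive the extension's implied type. The executable-extension list and the sample attachments are constructed for illustration.

```python
"""Consistency check between an attachment's declared MIME type and the
type its filename extension implies (added example, not WhatsApp code).

Rationale: if a client renders an attachment from its MIME type but picks
the opener from the extension, a file labelled image/jpeg but named .exe
is previewed as a picture and executed when opened. Refusing to open any
attachment whose two types disagree, or whose extension maps to an
executable handler, closes that gap regardless of how the file was built.
"""
import mimetypes
import os
from dataclasses import dataclass
from typing import List, Optional

# Extensions whose default Windows opener executes the content.
# Assumption for this example; a real deployment keeps its own policy list.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".bat", ".cmd", ".msi", ".ps1", ".vbs", ".js", ".jse",
}


@dataclass
class Verdict:
    filename: str
    declared_mime: str          # type the sender claims (used for the preview)
    extension_mime: Optional[str]  # type implied by the extension (used to open)
    consistent: bool            # top-level types agree (image/, video/, ...)
    executable: bool            # extension maps to a code-executing handler

    @property
    def safe_to_open(self) -> bool:
        # Only hand the file to a handler when both checks pass.
        return self.consistent and not self.executable


def _major_type(mime: str) -> str:
    # "image/jpeg; charset=binary" -> "image"
    return mime.split(";", 1)[0].strip().lower().split("/", 1)[0]


def check_attachment(filename: str, declared_mime: str) -> Verdict:
    """Compare the declared MIME type with the type the extension implies."""
    ext = os.path.splitext(filename)[1].lower()
    # guess_type uses the extension only, exactly as an OS opener would.
    ext_mime, _ = mimetypes.guess_type(filename, strict=False)
    executable = ext in EXECUTABLE_EXTENSIONS
    # Compare top-level types so image/jpg vs image/jpeg is not a false alarm;
    # an unknown extension cannot be verified, so it counts as inconsistent.
    consistent = ext_mime is not None and _major_type(ext_mime) == _major_type(declared_mime)
    return Verdict(filename, declared_mime, ext_mime, consistent, executable)


def flag_suspicious(attachments: List[tuple]) -> List[str]:
    """Return the filenames that must not be handed to an opener."""
    return [name for name, mime in attachments if not check_attachment(name, mime).safe_to_open]


# Constructed sample attachments: (filename, declared MIME type).
SAMPLE_ATTACHMENTS = [
    ("holiday.jpg", "image/jpeg"),        # consistent, harmless
    ("report.pdf", "application/pdf"),    # consistent, harmless
    ("holiday.exe", "image/jpeg"),        # previews as an image, opens as a program
    ("notes.txt", "image/png"),           # mismatch, but the opener is a text editor
]

if __name__ == "__main__":
    for name, mime in SAMPLE_ATTACHMENTS:
        v = check_attachment(name, mime)
        print(f"{name:12} declared={mime:16} implied={v.extension_mime} "
              f"consistent={v.consistent} executable={v.executable} open={v.safe_to_open}")
    print("blocked:", flag_suspicious(SAMPLE_ATTACHMENTS))
```

The check deliberately blocks the "notes.txt / image/png" case even though a text editor would open it harmlessly: a mismatch between what the user was shown and what will run is the condition worth alerting on, and the extension-only executable check catches files whose declared type was never inspected at all.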
Recommended read:
References :
- securityaffairs.com: WhatsApp fixed a spoofing flaw that could enable Remote Code Execution
- Talkback Resources: WhatsApp Vulnerability Could Facilitate Remote Code Execution [app] [exp]
- The DefendOps Diaries: Understanding the WhatsApp for Windows Vulnerability: CVE-2025-30401
- BleepingComputer: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
- hackread.com: WhatsApp for Windows Flaw Could Let Hackers Sneak In Malicious Files
- infosec.exchange: vulnerability CVE-2025-30401 impacting all WhatsApp versions can let attackers execute malicious code on your devices. The flaw can be exploited by attackers by sending maliciously crafted files with altered file types to potential targets:
- PCMag UK security: WhatsApp Patches Bug That Can Execute Malware on Windows PCs
- darkwebinformer.com: DarkWebInformer Article on CVE-2025-30401: WhatsApp for Windows Spoofing Prior to Version 2.2450.6
- cyberinsider.com: WhatsApp for Windows Vulnerable to Spoofing Flaw Leading to Code Execution
- securityonline.info: SecurityOnline news detail for WhatsApp for Windows Spoofing Vulnerability: Execute Code Risk (CVE-2025-30401)
- The Register - Security: What a MIME field: A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment - and, to be fair, it doesn't take much craft to pull that off.
- bsky.app: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
- ComputerWeekly.com: Spoofing vuln threatens security of WhatsApp Windows users
- www.csoonline.com: CSOOnline article on Whatsapp plugs bug allowing RCE with spoofed filenames
- Help Net Security: WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401)
- Malwarebytes: WhatsApp for Windows vulnerable to attacks. Update now!
- www.bleepingcomputer.com: WhatsApp flaw can let attackers run malicious code on Windows PCs
- www.scworld.com: Malicious code execution possible with patched WhatsApp flaw
@parquet.apache.org
//
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-30065, has been discovered in Apache Parquet's Java Library. This flaw carries a maximum severity rating and could allow a remote attacker to execute arbitrary code on susceptible systems. Apache Parquet is a widely used open-source columnar data file format designed for efficient data processing and retrieval, commonly employed in big data processing frameworks like Hadoop and Spark. Given the popularity of Apache Parquet and the severity of the vulnerability, immediate action is crucial to mitigate the risk.
This critical flaw stems from the deserialization of untrusted data within the parquet-avro module of the Java library. An attacker can exploit this vulnerability by tricking a vulnerable system into processing a specially crafted Parquet file. Upon processing the malicious file, the deserialization of untrusted data allows the attacker to execute arbitrary code, potentially gaining full control over the affected system. Consequences of successful exploitation could include data exfiltration or modification, service disruption, and the deployment of malicious payloads such as ransomware.
The vulnerability impacts all versions of Apache Parquet up to and including 1.15.0. Systems and applications that utilize data pipelines and analytics frameworks, particularly those that import Parquet files from external or untrusted sources, are at heightened risk. The flaw was fixed with the release of Apache Parquet version 1.15.1. Users are strongly advised to update their Apache Parquet installations to the latest version as soon as possible to address this critical security vulnerability and prevent potential exploitation.
Recommended read:
References :
- The DefendOps Diaries: Addressing the Critical CVE-2025-30065 Vulnerability in Apache Parquet
- The Hacker News: A maximum severity security vulnerability has been disclosed in Apache Parquet's Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
- BleepingComputer: Max severity RCE flaw discovered in widely used Apache Parquet
- securityaffairs.com: Critical flaw in Apache Parquet’s Java Library allows remote code execution
- www.csoonline.com: Big hole in big data: Critical deserialization bug in Apache Parquet allows RCE
- Blog: Max-severity vulnerability discovered in Apache Parquet, patch now
- www.scworld.com: Significant big data environment risk likely with maximum severity Apache Parquet bug
Pierluigi Paganini@securityaffairs.com
//
CISA has added a new Apache Tomcat vulnerability, identified as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence that the flaw is being actively exploited in the wild, posing a significant risk to organizations utilizing affected versions of Apache Tomcat. The vulnerability is a path equivalence issue within Apache Tomcat.
To mitigate the risk posed by CVE-2025-24813, impacted users are urged to upgrade their Apache Tomcat installations to the latest secure versions. Specifically, upgrades to Apache Tomcat 11.0.3 or later, Apache Tomcat 10.1.35 or later, or Apache Tomcat 9.0.99 or later are recommended. The advisory also includes IPS protection measures to detect and block potential attack attempts targeting this vulnerability affecting the Apache Tomcat web server.
Recommended read: