CyberSecurity news

FlagThis - #rce

info@thehackernews.com (The Hacker News)@The Hacker News //
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. These flaws could lead to unauthenticated remote code execution (RCE), potentially exposing over 6,500 clusters to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have a CVSS score of 9.8. Cloud security firm Wiz discovered these flaws and reported that approximately 43% of cloud environments are susceptible to these vulnerabilities.

Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which utilizes NGINX as a reverse proxy and load balancer. Attackers can exploit the unrestricted network accessibility of admission controllers by injecting malicious NGINX configurations, gaining unauthorized access to cluster secrets and potentially leading to a complete cluster takeover. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks.

Recommended read:
References :
  • Open Source Security: Multiple vulnerabilities in ingress-nginx
  • The Hacker News: Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
  • Wiz Blog | RSS feed: IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
  • The Register - Software: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw
  • Open Source Security: [kubernetes] Multiple vulnerabilities in ingress-nginx
  • ciso2ciso.com: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw – Source: go.theregister.com
  • securityonline.info: CVE-2025-1974 (CVSS 9.8): Ingress NGINX Flaws Threaten Mass Kubernetes Compromise
  • dragosr: "CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required." ingress-nginx is deployed in 40% of k8s clusters.
  • research.kudelskisecurity.com: Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
  • securityboulevard.com: Security Boulevard answers FAQs about IngressNightmare.
  • Wiz Security finds four critical RCE vulnerabilities in the Ingress NGINX Controller for Kubernetes
  • Resources-2: IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
  • www.csoonline.com: Critical RCE flaws put Kubernetes clusters at risk of takeover
  • www.cybersecuritydive.com: Critical vulnerabilities put Kubernetes environments in jeopardy
  • Arctic Wolf: CVE-2025-1974: Critical Unauthenticated RCE Vulnerability in Ingress NGINX for Kubernetes
  • Tenable Blog: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare
  • open-appsec: On March 24, 2025, WIZ Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsanitized user...
  • Threats | CyberScoop: String of defects in popular Kubernetes component puts 40% of cloud environments at risk
  • Blog: Ingress NGINX Kubernetes Controller vulnerabilities a ‘nightmare’ for impacted users
  • circl: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. CVE-2025-1974 but also CVE-2025-1097 CVE-2025-1098 CVE-2025-24513 CVE-2025-24514 🔗 For more details about Ingress NGINX Controller for Kubernetes release
  • Sysdig: Detecting and Mitigating IngressNightmare – CVE-2025-1974
  • thecyberexpress.com: Multiple CVEs Found in Ingress-NGINX—Patch Now to Prevent Cluster Compromise
  • Datadog Security Labs: The "IngressNightmare" vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation
  • Information Security Buzz: Five critical security vulnerabilities have been found in the Ingress NGINX Controller for Kubernetes, potentially enabling unauthenticated remote code execution. This exposure puts over 6,500 clusters at immediate risk by making the component accessible via the public internet.
  • MSSP feed for Latest: Researchers aren’t aware of active exploitation in the wild, but they warn the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.
  • Latest Bulletins: Addresses issues with Kubernetes ingress-nginx controller
  • nsfocusglobal.com: Kubernetes Ingress-nginx Remote Code Execution Vulnerability (CVE-2025-1974)
  • Dynatrace news: NGINX vulnerability: Quickly detect and mitigate IngressNightmare vulnerabilities with Dynatrace
  • securityonline.info: ingress-nginx maintainers released fixes for multiple vulnerabilities that could allow threat actors to take over Kubernetes clusters.
  • Delinea Blog: Discusses vulnerabilities enabling access to Kubernetes clusters’ secrets.
  • Kali Linux Tutorials: Details on IngressNightmare Vulnerabilities

Julian Tuin@Arctic Wolf //
A critical vulnerability, identified as CVE-2025-23120, has been discovered in Veeam Backup & Replication software. This flaw allows authenticated domain users to execute remote code, potentially leading to the compromise of enterprise backup infrastructures. The vulnerability affects versions 12, 12.1, 12.2, and 12.3 of Veeam Backup & Replication and has been assigned a CVSS score of 9.9, indicating a critical severity. The issue was reported by Piotr Bazydlo of watchTowr and highlights the importance of community engagement in addressing security issues.

Veeam has addressed this vulnerability in version 12.3.1 (build 12.3.1.1139), and users are strongly urged to apply the patch immediately. The vulnerability specifically impacts domain-joined backup servers, a configuration that goes against Veeam's Security & Compliance Best Practices. Organizations should prioritize this update to keep their backup infrastructure secure. The company also emphasizes its commitment to customer security through a Vulnerability Disclosure Program and rigorous internal code audits.

Recommended read:
References :
  • gbhackers.com: Critical Veeam Backup & Replication Vulnerability Allows Remote Execution of Malicious Code
  • securityonline.info: CVE-2025-23120 (CVSS 9.9): Critical RCE Vulnerability Discovered in Veeam Backup & Replication
  • Help Net Security: Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)
  • www.redhotcyber.com: Critical vulnerability with a 9.9 score in Veeam Backup & Replication that allows RCE
  • borncity.com: Warning for users of Veeam Backup & Replication. Vendor Veeam has informed its customers on March 19, 2025 about a Remote Code Execution (RCE) vulnerability CVE-2025-23120 in various versions of the mentioned product. It can be abused in domain joined
  • Vulnerability-Lookup: You can now share your thoughts on vulnerability CVE-2025-23120 in Vulnerability-Lookup: Veeam - Backup and Recovery
  • Rescana: Urgent Alert: CVE-2025-23120 Vulnerability in Veeam Backup & Replication Risks RCE Exploitation
  • The DefendOps Diaries: Understanding and Mitigating the CVE-2025-23120 Vulnerability in Veeam Backup & Replication
  • Security Affairs: Veeam fixed critical Backup & Replication flaw CVE-2025-23120
  • socradar.io: Critical Veeam Vulnerability (CVE-2025-23120) Enables Remote Code Execution by Domain Users
  • Arctic Wolf: CVE-2025-23120: Critical Remote Code Execution Vulnerability in Veeam Backup & Replication
  • Blog: Another critical deserialization flaw found in Veeam backup
  • www.bleepingcomputer.com: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations. [...]
  • Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) By Executive Order I hereby BAN deserialization issues. I don't know how many god damned times I've read about how critical software vulnerabilities have been rooted in deserialization issues, and here we go again. Thanks watchTowr for an entertaining read. Summary This research details two Remote Code Execution (RCE) vulnerabilities in Veeam Backup & Replication (CVE-2025-23120) discovered by watchTowr Labs. The vulnerabilities exploit deserialization flaws in Veeam's codebase, specifically targeting the product's reliance on blacklist-based security mechanisms rather than proper whitelisting. The researchers demonstrate how any domain user can exploit these vulnerabilities when the Veeam server is joined to an Active Directory domain, potentially allowing complete system compromise. The vulnerabilities were responsibly disclosed to Veeam, who patched them by simply adding the discovered gadget classes to their blacklist, a solution the researchers criticize as inadequate and likely to lead to similar vulnerabilities in the future.
  • MSSP feed for Latest: Veeam patches critical Backup & Replication flaw CVE-2025-23120
  • www.techradar.com: Researchers criticize the way Veeam handled deserialization flaws.
  • Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)
  • bsky.app: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
  • Security Risk Advisors: Critical RCE in #Veeam Backup & Replication (CVE-2025-23120) lets domain users run rogue code.
  • research.kudelskisecurity.com: A newly discovered vulnerability in Veeam Backup & Replication, tracked as CVE-2025-23120, has emerged as a critical threat for enterprise environments. This flaw enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
  • www.sentinelone.com: A newly disclosed vulnerability, tracked as CVE-2025-23120, affecting Veeam Backup & Replication, enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
  • Cyber Security News: CyberPress : Veeam RCE Vulnerability Allows Domain Users to Compromise Backup Servers
  • www.scworld.com: Veeam patches critical 9.9 flaw in backup and replication product
  • www.csoonline.com: A critical remote code execution flaw patched in Veeam backup servers
  • Arctic Wolf: On March 19, 2025, Veeam published a security advisory for a critical severity vulnerability impacting their Backup & Replication software.
  • Help Net Security: Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware

do son@Daily CyberSecurity //
A critical security vulnerability, CVE-2025-24813, has been identified in Apache Tomcat, potentially exposing servers to remote code execution (RCE) and data leaks. The vulnerability stems from a path equivalence issue related to how Tomcat handles filenames with internal dots, particularly when writes are enabled for the default servlet and partial PUT support is enabled. This flaw could allow attackers to execute malicious code, disclose sensitive information, or inject malicious content into uploaded files.

Users of Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are advised to upgrade immediately to versions 11.0.3, 10.1.35, or 9.0.99 respectively, which include the necessary fixes. The vulnerability exists if an application uses Tomcat's file-based session persistence with the default storage location and includes a library susceptible to deserialization attacks, potentially leading to remote code execution. COSCo Shipping Lines DIC and sw0rd1ight are credited with discovering and reporting the vulnerability.
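The conditions listed above (an affected version, a default servlet with `readonly=false`, partial PUT support, and file-based session persistence at the default location) can be checked mechanically. The following is an added defensive audit script, not code from the page or from the Tomcat project; the web.xml and context.xml fragments are constructed samples, and `readonly` and `allowPartialPut` are the DefaultServlet init-params assumed to default to `true`.

```python
"""Audit a Tomcat deployment for the CVE-2025-24813 preconditions described in the advisory."""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory: (first affected, last affected) per branch.
AFFECTED = {
    11: ("11.0.0-M1", "11.0.2"),
    10: ("10.1.0-M1", "10.1.34"),
    9: ("9.0.0.M1", "9.0.98"),
}

# Accepts "9.0.98", "10.1.0-M1" and the older "9.0.0.M1" milestone spelling.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def version_key(version: str):
    """Sort key in which milestones order before the final release of the same number."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def is_affected_version(version: str) -> bool:
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED.values())


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the servlet named 'default' from a conf/web.xml document."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            pn = pv = None
            for c in ip:
                if _local(c.tag) == "param-name":
                    pn = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    pv = (c.text or "").strip()
            if pn:
                params[pn] = pv
        return params
    return {}


def uses_default_file_session_store(context_xml: str) -> bool:
    """True when context.xml configures PersistentManager + FileStore without an explicit directory."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter("Manager"):
        if not mgr.get("className", "").endswith("PersistentManager"):
            continue
        for store in mgr.findall("Store"):
            if store.get("className", "").endswith("FileStore") and not store.get("directory"):
                return True
    return False


def audit(version: str, web_xml: str, context_xml: str) -> dict:
    """Combine version and configuration checks into the two exposure levels the advisory describes."""
    params = default_servlet_params(web_xml)
    writable = (params.get("readonly") or "true").lower() == "false"        # assumed default: readonly=true
    partial_put = (params.get("allowPartialPut") or "true").lower() != "false"  # assumed default: true
    f = {
        "affected_version": is_affected_version(version),
        "default_servlet_writable": writable,
        "partial_put_enabled": partial_put,
        "file_session_store_default_dir": uses_default_file_session_store(context_xml),
    }
    # Writable default servlet + partial PUT on an affected build: disclosure / content injection.
    f["content_injection_exposed"] = f["affected_version"] and writable and partial_put
    # Add file-based sessions at the default location: the RCE path (given a deserialization gadget).
    f["rce_preconditions"] = f["content_injection_exposed"] and f["file_session_store_default_dir"]
    return f


# Constructed samples (not taken from any real deployment).
RISKY_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class></servlet>
</web-app>"""
RISKY_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for label, args in (("risky", ("9.0.98", RISKY_WEB_XML, RISKY_CONTEXT_XML)),
                        ("patched", ("9.0.99", SAFE_WEB_XML, RISKY_CONTEXT_XML))):
        print(label, audit(*args))
```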

Recommended read:
References :
  • gbhackers.com: Apache Tomcat Flaw Could Allow RCE Attacks on Servers
  • cR0w :cascadia:: Tomcat vulns are always fun, right? H/T: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  • buherator's timeline: [oss-security] CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or ...
  • Open Source Security: CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
  • securityonline.info: CVE-2025-24813 Flaw in Apache Tomcat Exposes Servers to RCE, Data Leaks: Update Immediately
  • buherator's timeline: Analysis of CVE-2025-24813 Apache Tomcat Path Equivalence RCE
  • BleepingComputer: A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request. [...]
  • securityonline.info: Tomcat Flaw CVE-2025-24813 Exploited in the Wild, PoC Released
  • securityaffairs.com: Threat actors rapidly exploit new Apache Tomcat flaw following PoC release
  • infosecwriteups.com: CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability $$$$ BOUNTY
  • The Hacker News: The Hacker News reports on Apache Tomcat Vulnerability Actively Exploited Just 30 Hours After Public Disclosure
  • www.scworld.com: Apache Tomcat flaw actively exploited; could allow 'devastating' RCE
  • bsky.app: Bsky Social - A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.
  • bsky.app: A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.
  • The Register - Software: One PUT request, one poisoned session file, and the server’s yours. A trivial flaw in Apache Tomcat that allows remote code execution and access to sensitive files is said to be under attack in the wild within a week of its disclosure.

Sergiu Gatlan@BleepingComputer //
Cybersecurity experts are warning of a mass exploitation of a critical PHP vulnerability, CVE-2024-4577. This flaw allows attackers to remotely execute code on vulnerable servers using Apache and PHP-CGI. GreyNoise data has confirmed that the exploitation extends far beyond initial reports, with attack attempts observed across multiple regions. Notable spikes have been detected in the United States, Singapore, Japan, and other countries throughout January 2025, signaling a broad campaign targeting this vulnerability.

Cisco Talos has discovered an active exploitation of CVE-2024-4577. The attacker gains access to victim machines and carries out post-exploitation activities. The attempted exploitation has escalated across the U.S., Japan, Singapore, and other parts of the world. GreyNoise detected over 1,000 attacks globally. Experts urge organizations to apply the necessary patches and monitor for suspicious activity to mitigate the risk of compromise.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.
  • securityaffairs.com: Threat actors exploit PHP flaw CVE-2024-4577 for remote code execution. Over 1,000 attacks detected globally.
  • www.scworld.com: Attempted exploitation escalated across the U.S., Japan, Singapore, and other parts of the world.
  • www.cybersecuritydive.com: Critical PHP vulnerability under widespread cyberattack
  • The GreyNoise Blog: GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign
  • MSSP feed for Latest: Targeting Of Critical PHP Vulnerability Expands Globally
  • www.techradar.com: Experts warn this critical PHP vulnerability could be set to become a global problem
  • www.scworld.com: Critical 9.8 PHP flaw exploited in US, Japan and Singapore
  • The DefendOps Diaries: Explore CVE-2024-4577, a critical PHP vulnerability affecting CGI mode on Windows, and learn about its implications and mitigation strategies.
  • BleepingComputer: Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.
  • bsky.app: Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.

Matan Mittelman@Cato Networks //
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.

This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.

Recommended read:
References :
  • bsky.app: New Ballista botnet found -Author seems to be from Italy -Targets TP-Link Archer routers -Used for DDoS accounts -Unique code, not based on Mirai or Mozi
  • Secure Bulletin: The Ballista Botnet: a new IoT threat with Italian roots
  • securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
  • Cato Networks: Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
  • The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
  • CyberInsider: TP-Link Archer Routers Under Attack by New IoT Botnet ‘Ballista’
  • Blog: New Ballista botnet targets vulnerabilities in popular TP-Link routers
  • www.cybersecuritydive.com: Emerging botnet exploits TP-Link router flaw posing risk to US organizations
  • www.cybersecurity-insiders.com: Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers. The CVE-2023-1389 flaw is an unauthenticated command injection […]
  • community.emergingthreats.net: The Ballista Botnet: a new IoT threat with Italian roots
  • www.techradar.com: This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
  • Schneier on Security: TP-Link Router Botnet

Ameer Owda@socradar.io //
A critical security vulnerability, CVE-2025-25012, has been identified in Kibana, the data visualization platform used with Elasticsearch. This flaw stems from prototype pollution and could enable attackers to execute arbitrary code on affected systems. Given Kibana's widespread adoption across various industries, this vulnerability poses a significant risk to data security, integrity, and system stability. The vulnerability has a CVSS score of 9.9.

Versions from 8.15.0 up to, but not including, 8.17.3 are affected: in the earlier releases the flaw can be exploited by users holding only the Viewer role, while in versions 8.17.1 and 8.17.2 exploitation requires roles with elevated privileges. Users are advised to update Kibana to version 8.17.3. Immediate action is crucial for organizations running vulnerable versions of Kibana to mitigate the potential for unauthorized access, data exfiltration, and service disruption.

Recommended read:
References :
  • socradar.io: Critical Kibana Vulnerability (CVE-2025-25012) Exposes Systems to Code Execution, Patch Now
  • securityaffairs.com: Security Affairs article on Elastic patching critical Kibana flaw.
  • The Hacker News: The Hacker News article on Elastic releasing an urgent fix for a critical Kibana vulnerability.
  • thecyberexpress.com: Elastic Issues Urgent Update for Critical Kibana Vulnerability Exposing Remote Code Execution Risk
  • Rescana: Critical Kibana Vulnerability Report: Urgent Mitigation Needed for CVE-2025-25015
  • securityonline.info: CVE-2025-25012 (CVSS 9.9): Critical Code Execution Vulnerability Patched in Elastic Kibana
  • securityonline.info: CVE-2025-25015 (CVSS 9.9): Critical Code Execution Vulnerability Patched in Elastic Kibana
  • research.kudelskisecurity.com: Critical Kibana Vulnerability Enabling Remote Code Execution (CVE-2025-25012)
  • Tom Sellers: Elastic has published a security advisory for a CVSSv3 9.9 rated RCE in Kibana versions 8.15.0 to 8.17.2. The access required varies depending on the version, see the post below. Kibana version 8.17.3 has been released to address this vulnerability.
  • securityaffairs.com: Elastic patches critical Kibana flaw allowing code execution

Bill Toulas@BleepingComputer //
GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.

Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. Another vulnerability addressed in the same release is CVE-2025-27407, a high-severity flaw in the Ruby graphql library.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: SecurityAffairs article on GitLab addressed critical flaws in CE and EE
  • socradar.io: SocRadar article on GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • The DefendOps Diaries: GitLab's Critical Vulnerability Fixes: What You Need to Know
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Rescana Cybersecurity Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
  • securityonline.info: GitLab urgently patches critical authentication bypass flaws – CVE-2025-25291 & CVE-2025-25292
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication

Divya@gbhackers.com //
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-27364, has been discovered in MITRE Caldera, a widely used adversarial emulation framework. This flaw allows attackers to remotely execute arbitrary code on affected Caldera servers. The vulnerability stems from Caldera's dynamic agent compilation functionality, which can be manipulated through crafted web requests. This poses a significant security risk, especially given Caldera's use in penetration testing and security automation, potentially granting attackers full control over compromised systems.

Versions of MITRE Caldera through 4.2.0 and 5.0.0 before commit 35bc06e are vulnerable and require immediate patching. The unauthenticated API endpoint in Caldera’s agent compilation process can be exploited by injecting arbitrary commands during compilation, specifically by abusing the `-extldflags` linker flag in GCC. This allows attackers to deploy rogue Sandcat or Manx agents, which can then execute commands on the compromised system leading to data exfiltration and further attacks on connected assets. Proof-of-Concept exploit details are publicly available.

Recommended read:
References :
  • community.emergingthreats.net: MITRE Caldera Remote Code Execution (CVE-2025-27364)
  • gbhackers.com: Critical RCE Vulnerability in MITRE Caldera – Proof of Concept Released
  • socradar.io: Security Alert: Critical Flaws in MITRE Caldera and Parallels Desktop (CVE-2025-27364, CVE-2024-34331)
  • The Register - Security: MITRE Caldera security suite scores perfect 10 for insecurity
  • cR0w :cascadia:: A perfect 10 in MITRE Caldera? Nice. 🥳 In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.
  • Talkback Resources: CVE-2025-27364 (CVSS 10): Remote Code Execution Flaw Found in MITRE Caldera, PoC Releases
  • SOC Prime Blog: CVE-2025-27364 in MITRE Caldera: Exploitation of a New Max-Severity RCE Vulnerability via Linker Flag Manipulation Can Lead to Full System Compromise
  • thecyberexpress.com: MITRE Caldera Hit by Critical RCE Flaw (CVE-2025-27364) – Here’s What You Need to Know
  • Help Net Security: MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025-27364)

Ameer Owda@socradar.io //
Cisco has released patches to address two critical remote code execution vulnerabilities in its Identity Services Engine (ISE). The flaws, tracked as CVE-2025-20124 (CVSS score 9.9) and CVE-2025-20125 (CVSS score 9.1), could allow a remote attacker with read-only administrative privileges to execute arbitrary commands on affected devices. Successful exploitation could enable privilege escalation and unauthorized changes to the system configuration.

The first vulnerability, CVE-2025-20124, is due to insecure deserialization of user-supplied Java byte streams, allowing attackers to execute arbitrary commands and elevate privileges by sending a crafted serialized Java object to an affected API. The second, CVE-2025-20125, is an authorization bypass issue that could allow attackers to obtain sensitive information, modify system configurations, and restart the node by sending a crafted HTTP request to a specific API. Cisco warns that there are no workarounds, advising customers to migrate to a fixed software release as soon as possible.

Recommended read:
References :
  • securityaffairs.com: Cisco addressed critical flaws in Identity Services Engine, preventing privilege escalation and system configuration changes.
  • securityonline.info: CVE-2025-20124 (CVSS 9.9) & CVE-2025-20125 (CVSS 9.1): Cisco Patches Critical Flaws in Identity Services Engine
  • ciso2ciso.com: Cisco addressed two critical flaws in its Identity Services Engine (ISE) – Source: securityaffairs.com
  • securityonline.info: Cisco has issued a security advisory addressing two critical vulnerabilities in its Identity Services Engine (ISE), a network
  • Pyrzout :vm:: Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities – Source: sec.cloudapps.cisco.com
  • BleepingComputer: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • socradar.io: Critical Cisco ISE Vulnerabilities Patched: CVE-2025-20124 & CVE-2025-20125
  • The Hacker News: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc
  • www.csoonline.com: Cisco’s ISE bugs could allow root-level command execution
  • www.bleepingcomputer.com: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • ciso2ciso.com: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc – Source:thehackernews.com
  • ciso2ciso.com: Cisco’s ISE bugs could allow root-level command execution – Source: www.csoonline.com

@www.bleepingcomputer.com //
Attackers are actively exploiting a deserialization vulnerability, identified as CVE-2025-0994, in Trimble’s Cityworks Server AMS. This flaw allows for remote code execution on Microsoft IIS web servers. The exploitation involves hackers deploying Cobalt Strike beacons for initial network access after gaining the ability to remotely execute commands. Cityworks is primarily used by local governments, utilities, and public works organizations for asset and work order management.

CISA has added the Cityworks vulnerability to its Known Exploited Vulnerabilities catalog, urging organizations to apply the necessary updates and search for indicators of compromise. Separately, Microsoft has warned of code injection attacks that use publicly disclosed ASP.NET machine keys and can lead to delivery of the Godzilla post-exploitation framework. Organizations are advised not to copy machine keys from publicly available resources; such keys pose a higher risk than stolen keys because they are present in multiple code repositories.

Recommended read:
References :
  • CISA puts out a standalone security alert about Trimble Cityworks Server Asset Management System (AMS).
  • securityaffairs.com: U.S. CISA adds Trimble Cityworks flaw to its Known Exploited Vulnerabilities catalog
  • securityonline.info: CVE-2025-0994: Critical Vulnerability in Trimble Cityworks Exploited in the Wild
  • Anonymous :af:: Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • www.bleepingcomputer.com: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • BleepingComputer: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • bsky.app: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access.
  • therecord.media: Hackers exploiting bug in popular Trimble Cityworks tool used by local gov’ts

info@thehackernews.com (The Hacker News)@The Hacker News //
Ivanti has released critical security updates for Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) to address multiple vulnerabilities. These include three critical-severity issues that could allow remote code execution (RCE), posing a significant risk. The updates patch flaws such as external control of a file name (CVE-2024-38657) and a stack-based buffer overflow (CVE-2025-22467), which can be exploited by authenticated attackers to execute arbitrary code and compromise system integrity.

The specific vulnerabilities addressed include CVE-2024-38657, which allows remote authenticated attackers with admin privileges to write arbitrary files, and CVE-2025-22467, a stack-based buffer overflow that enables remote code execution. Also patched are CVE-2024-10644, a code injection vulnerability, and CVE-2024-47908, an operating system command injection flaw in the admin web console of Ivanti CSA. Users are urged to update to the latest versions, Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3, and Ivanti CSA 5.0.5, as soon as possible to mitigate potential exploitation. While Ivanti is not aware of active exploitation, it is imperative to apply the patches given the history of Ivanti appliances being weaponized.

Recommended read:
References :
  • Vulnerability-Lookup: Security advisory for Ivanti Connect Secure, Policy Secure, and Secure Access Client (multiple CVEs).
  • securityonline.info: Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products.
  • The Hacker News: Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
  • BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
  • securityonline.info: CVE-2025-22467 (CVSS 9.9): Ivanti Connect Secure Vulnerability Allows Remote Code Execution
  • www.bleepingcomputer.com: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
  • vulnerability.circl.lu: February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs), has been published on Vulnerability-Lookup
  • research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
  • bsky.app: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
  • socradar.io: Ivanti Security Update Addresses Severe Vulnerabilities in ICS, IPS, and ISAC (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644)

@www.helpnetsecurity.com //
End-of-life Zyxel routers are under active attack via CVE-2024-40891, a command injection vulnerability, and the company has confirmed that no patches will be released. The affected models include VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. Zyxel is advising users to replace these devices, and those who obtained their Zyxel product through an internet service provider (ISP) to contact the ISP for support. Despite being EOL, approximately 1,500 affected systems with internet-facing Telnet interfaces remain in use worldwide.

Meanwhile, a security vulnerability, CVE-2025-23114, has been identified in the Veeam Updater component. Because the updater fails to properly validate TLS certificates, a man-in-the-middle attacker can execute arbitrary code on affected servers. The vulnerability affects Veeam Backup for AWS, Veeam Backup for Google Cloud, Veeam Backup for Microsoft Azure, Veeam Backup for Nutanix AHV, Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization, and Veeam Backup for Salesforce. Users are advised to review Veeam's knowledge base article KB4712 for further information and mitigation steps.

Recommended read:
References :
  • gbhackers.com: GBHackers' article detailing the critical Veeam backup vulnerability and RCE.
  • securityonline.info: SecurityOnline's article on CVE-2025-23114, highlighting the remote code execution risk.
  • socca.tech: Socca.tech's vulnerability assessment report on CVE-2025-23114.
  • gbhackers.com: Veeam Backup Vulnerability Allows Attackers to Execute Arbitrary Code
  • securityonline.info: CVE-2025-23114 (CVSS 9.0): Critical Veeam Backup Vulnerability Enables Remote Code Execution
  • socradar.io: Critical Veeam Vulnerability (CVE-2025-23114) Exposes Backup Servers to Remote Code Execution
  • CVE-2025-23114 (9.0 critical): A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions.
  • www.heise.de: Veeam Backup: Code smuggling possible through MitM gap in updater. Veeam Backup contains an updater that is vulnerable to man-in-the-middle attacks.
  • The Hacker News: New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack
  • nvd.nist.gov: The National Vulnerability Database (NVD) provides details about the vulnerability, including its severity and potential impact.
  • www.veeam.com: Veeam's official knowledge base article details the vulnerability, provides guidance on mitigating the risk, and outlines recommended actions.
  • www.helpnetsecurity.com: There will be no patches for EOL Zyxel routers under attack via CVE-2024-40891

Bill Toulas@BleepingComputer //
GitLab has released critical security updates for versions 17.9.2, 17.8.5, and 17.7.7 of both its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities. The updates are aimed at rectifying authentication bypass risks and a Remote Code Execution (RCE) threat. Users with self-managed GitLab installations are strongly encouraged to upgrade immediately to one of these patched versions to mitigate potential exploits. GitLab.com is already running the patched version, and GitLab Dedicated customers will be notified once their instances have been updated.

The patches address critical vulnerabilities, most notably authentication bypasses in the SAML single sign-on (SSO) mechanism. Specifically, CVE-2025-25291 and CVE-2025-25292 are authentication bypass issues in the SAML SSO mechanism caused by discrepancies in XML parsing within the ruby-saml library. They could allow an attacker with a valid signed SAML document to authenticate as another user. Mitigations include enabling two-factor authentication, disabling SAML two-factor bypass, and mandating admin approval for new users. Another significant high-severity vulnerability, CVE-2025-27407, involves remote code execution via the Ruby graphql library when transferring a malicious project.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: GitLab addressed critical auth bypass flaws in CE and EE
  • socradar.io: GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Comprehensive Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7

@ciso2ciso.com //
Three critical vulnerabilities have been discovered in the open-source PHP package Voyager, a tool for managing Laravel applications. These flaws allow one-click remote code execution (RCE), potentially exposing a wide range of systems to attack. The vulnerabilities affect Voyager's media upload feature, allowing attackers to bypass MIME type verification and upload malicious PHP code disguised as an image or video, which then executes when processed by the server. Combined with a cross-site scripting flaw, this means that an authenticated user simply clicking a malicious link would be enough for attackers to take over the server.

The identified vulnerabilities, tracked as CVE-2024-55417, CVE-2024-55416, and CVE-2024-55415, are an arbitrary file write vulnerability, a reflected cross-site scripting (XSS) flaw, and a file leak and deletion issue. These unpatched vulnerabilities pose a significant threat. Researchers at SonarSource attempted to notify the Voyager maintainers but received no response within the 90-day disclosure window, and published details of the flaws to warn users of the risk. Users are urged to exercise extreme caution while using the unpatched package.

Recommended read:
References :
  • ciso2ciso.com: PHP package Voyager flaws expose to one-click RCE exploits – Source: securityaffairs.com
  • BleepingComputer: Three vulnerabilities discovered in the open-source PHP package Voyager for managing Laravel applications could be used for remote code execution attacks.
  • securityaffairs.com: PHP package Voyager flaws expose to one-click RCE exploits
  • The Hacker News: Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits
  • www.bleepingcomputer.com: Laravel admin package Voyager vulnerable to one-click RCE flaw

@ciso2ciso.com //
Atlassian has released security patches to address 12 critical and high-severity vulnerabilities affecting multiple products, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. The patches address five critical-severity issues in Confluence Data Center and Server and Crowd Data Center and Server that were discovered in third-party dependencies used within the two products.

Updates released for Confluence Data Center and Server address two critical flaws in Apache Tomcat, tracked as CVE-2024-50379 and CVE-2024-56337 (CVSS score of 9.8). These issues could be exploited by unauthenticated attackers to achieve remote code execution. Atlassian urges customers to update their installations as soon as possible.

Recommended read:
References :
  • securityaffairs.com: Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira.
  • ciso2ciso.com: Atlassian Patches Critical Vulnerabilities in Confluence, Crowd – Source: www.securityweek.com
  • heise online English: Security updates Atlassian: Attacks on Bamboo Data Center and Server possible. Attackers can attack Atlassian's Bitbucket Data Center and Server with malicious code, among other things.

Rescana@Rescana //
A critical vulnerability, tracked as CVE-2025-26909, has been identified in the WP Ghost plugin, a popular WordPress security plugin used by over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially allowing attackers to gain complete control over affected web servers without authentication. The vulnerability stems from insufficient validation of user-supplied input through the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.

The flaw allows unauthenticated users to manipulate the URL to trigger file inclusion, potentially leading to arbitrary code execution, especially when the "Change Paths" feature is set to Lite or Ghost mode. Exploitation techniques such as `php://filter` chains and abuse of `PHP_SESSION_UPLOAD_PROGRESS` can be used to turn the LFI into code execution. Website administrators are strongly advised to update the WP Ghost plugin immediately to the latest version, 5.4.02, to mitigate this severe risk and to implement additional security measures.

In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. The campaign uses injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites to redirect users to malicious sites. It highlights the broader problem of WordPress plugin vulnerabilities and the importance of strong security practices, including regular updates and ongoing vigilance.

Recommended read:
References :
  • Sam Bent: Critical Vulnerability Discovered in WP Ghost Plugin: Unauthenticated Remote Code Execution Possible
  • Virus Bulletin: GoDaddy Security researchers have uncovered long-running malware operation DollyWay, which primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of TDS nodes hosted on compromised websites.
  • Rescana: Critical CVE-2025-26909 Vulnerability in WP Ghost Plugin: Immediate Update Required for Over 200,000 Websites
  • The DefendOps Diaries: Explore the critical CVE-2025-26909 vulnerability in WP Ghost plugin and learn how to mitigate its risks.