CyberSecurity news

FlagThis - #rce

@securityonline.info //
A critical security vulnerability has been discovered in vBulletin forum software, tracked as CVE-2024-45721, that enables unauthenticated attackers to execute arbitrary code on unpatched systems. This flaw puts millions of online communities at risk of full server compromise. The vulnerability affects vBulletin versions 6.0.0 through 6.1.4 and stems from improper sanitization of user inputs in template rendering modules. Discovered by cybersecurity firm SentinelWatch on May 22, 2025, the flaw has already seen significant exploitation attempts, with over 12,000 attack vectors targeting forums in various sectors within 48 hours of public disclosure.

Exploitation of the vulnerability involves crafting malicious forum posts containing payloads that bypass built-in sandboxing through parameter smuggling techniques. Attackers leverage vBulletin’s `vb:rawtemplate` directive, which fails to properly validate nested function calls when processing user-generated content. Successful exploitation grants SYSTEM-level privileges on Windows hosts and www-data access on Linux systems, enabling the installation of web shells, credential harvesters, and cryptocurrency miners. Proof-of-concept exploits have demonstrated the ability to execute OS commands even when PHP security hardening measures are present, by using PHP's `unserialize()` function with crafted OPcache configurations to bypass `disable_functions` restrictions.

In response to the widespread exploitation, vBulletin released patch 6.1.5 on May 25, 2025, which introduces granular template validation. However, as of the latest reports, 68% of installations remain unupdated, leaving a significant number of forums vulnerable. Observed attack clusters include cryptojacking campaigns, data exfiltration, and precursors to ransomware attacks. Notably, 58% of compromised forums had hidden Monero miners installed, while attackers cloned user databases from 23 gaming communities containing 14 million records, now circulating on dark web markets. Additionally, six enterprise forums received tailored malware potentially leading to Black Basta ransomware deployment.

Recommended read:
References :
  • cyberpress.org: Severe vBulletin Forum Flaw Enables Remote Code Execution
  • securityonline.info: Critical Pre-Auth RCE: vBulletin Flaw Allows Full Server Compromise (PoC Available)
  • infosec.exchange: A newly discovered vulnerability in vBulletin, one of the world’s most popular forum platforms, has exposed thousands of online communities to the risk of unauthenticated Remote Code Execution
  • Cyber Security News: Severe vBulletin Forum Flaw Enables Remote Code Execution

Andres Ramos@Arctic Wolf //
Versa Concerto, a network security and SD-WAN orchestration platform, is facing scrutiny after the public disclosure of multiple unpatched vulnerabilities. ProjectDiscovery researchers revealed technical details on May 21, 2025, following a 90-day responsible disclosure period that began on February 13, 2025. The disclosed flaws include authentication bypasses, remote code execution (RCE), and container escapes, posing a significant threat to the platform and its underlying host systems. The platform is a Spring Boot-based application deployed via Docker containers and routed through Traefik, making it vulnerable to attacks targeting these components.

These vulnerabilities, when chained together, could allow a complete system compromise. One notable flaw, CVE-2025-34027, carries a maximum severity score of 10.0 and involves a URL decoding inconsistency issue. This could facilitate unauthorized access to file upload endpoints and enable remote code execution. Other critical vulnerabilities include CVE-2025-34026, an authentication bypass allowing access to administrative endpoints, and CVE-2025-34025, a privilege escalation leading to Docker container escape and code execution on the host machine.

Despite the disclosure of these vulnerabilities, Versa Networks has stated that patches were implemented in early March and made publicly available in mid-April. According to a Versa Networks spokesperson, all affected customers were notified through established security and support channels with guidance on applying the recommended updates, and there is no indication that these vulnerabilities were exploited in the wild. However, ProjectDiscovery researchers initially noted the lack of patches, prompting the need for public disclosure after the 90-day deadline passed.

Recommended read:
References :
  • Arctic Wolf: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • The Hacker News: Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host
  • securityonline.info: Unpatched 0-Days (CVSS 10): Versa Concerto Flaws Threaten Enterprise Networks
  • BleepingComputer: Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
  • thecyberexpress.com: Versa Patches 3 Concerto SD-WAN Vulnerabilities, Including a Perfect 10.0
  • Arctic Wolf: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • www.scworld.com: Significant compromise possible with critical Versa Concerto flaws
  • arcticwolf.com: Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed
  • Blog: Project Discovery has disclosed several vulnerabilities in Versa Concerto, a tool used to configure and monitor Versa devices in networks.
  • Blog: Security researchers have identified several critical vulnerabilities in Versa Concerto, a centralized management platform for Versa Networks' SD-WAN and SASE solutions.
  • projectdiscovery.io: The Versa Concerto vulnerabilities were revealed by Project Discovery in a earlier this week, which said Versa hadn’t responded to the researchers’ disclosures that were first made in February.

info@thehackernews.com (The@The Hacker News //
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.

UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor.

Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities.

Recommended read:
References :
  • Cisco Talos Blog: Talos has observed exploitation of CVE-2025-0994 in the wild by UAT-6382, a Chinese-speaking threat actor, who then deployed malware payloads via TetraLoader.
  • securityonline.info: Critical 0-Day: Cityworks Flaw Actively Exploited by Chinese APT UAT-6382
  • The Hacker News: Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks
  • BleepingComputer: Chinese hackers breach US local governments using Cityworks zero-day
  • bsky.app: Cisco Talos says a group tracked as UAT-6382 has used a recent Trimble CityWorks zero-day (CVE-2025-0944) to breach local governing bodies in the US
  • securityonline.info: SecurityOnline.info article on critical 0-day Cityworks flaw exploited by Chinese APT UAT-6382
  • malware.news: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Chinese Hackers Exploit Cityworks Zero-Day Vulnerability in US Local Governments
  • www.scworld.com: Trimble Cityworks zero-day attacks on US local governments detailed
  • The DefendOps Diaries: Exploitation of Ivanti EPMM Vulnerabilities by Chinese Hackers: A Detailed Analysis
  • BleepingComputer: Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
  • securityaffairs.com: Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • blog.talosintelligence.com: UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware
  • www.techradar.com: The Chinese used the Cityworks bug to deploy Cobalt Strike beacons and backdoors.
  • www.cybersecuritydive.com: Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions.
  • www.csoonline.com: A now-patched high-severity security flaw affecting Trimble Cityworks — a specialized software used by local governments in the US, utilities, and public agencies to manage their infrastructure and community services—was abused by Chinese hackers to compromise systems before a patch was available.
  • Blog: The Chinese-speaking cyber-espionage group identified as UAT-6382 has been observed exploiting a critical vulnerability in Trimble's Cityworks software to infiltrate U.S. government networks.
  • StateScoop: Report: Chinese hackers used Cityworks vulnerability to deliver malware
  • Cisco Talos Blog: Hazel observes that cybercriminals often fumble teamwork, with fragile alliances crumbling over missed messages. Plus, how UAT-6382 is exploiting Cityworks and what you can do to stay secure.
  • hackread.com: Warnings on active exploitation of a zero-day vulnerability (CVE-2025-0994) in Cityworks.

info@thehackernews.com (The@The Hacker News //
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.

The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory.

The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities.

Recommended read:
References :
  • BleepingComputer: Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems.
  • The DefendOps Diaries: Fortinet's Swift Response to Zero-Day Exploits in FortiVoice Systems
  • BleepingComputer: Fortinet fixes critical zero-day exploited in FortiVoice attacks
  • Help Net Security: Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)
  • gbhackers.com: Gbhackers post on fortinet zero-day
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • malware.news: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: Arctic Wolf blog post on CVE-2025-32756
  • cert.europa.eu: 2025-019: Critical Vulnerabilities in Fortinet Products
  • RedPacket Security: Fortinet Products Multiple Vulnerabilities
  • securityaffairs.com: Fortinet fixed actively exploited FortiVoice zero-day
  • The Hacker News: Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • www.redhotcyber.com: Fortinet: RCE critica su FortiVoice già sfruttata attivamente in campo. Aggiornate subito!
  • socradar.io: Critical Vulnerabilities in Fortinet and Ivanti Products: Multiple Zero-Day Threats Addressed
  • Tenable Blog: CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
  • Arctic Wolf: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • arcticwolf.com: CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice
  • Virus Bulletin: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq
  • The Hacker News: Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers
  • www.microsoft.com: Microsoft researchers look into a recent campaign of a Türkiye-affiliated espionage threat actor. Marbled Dust has been observed exploiting user accounts that have not applied fixes to a zero-day vulnerability (CVE-2025-27920) in the messaging app Output Messenger.
  • securityaffairs.com: U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog
  • Rapid7 Cybersecurity Blog: CVE-2025-32756 Exploited in the Wild, Affecting Multiple Fortinet Products

Sead Fadilpašić@techradar.com //
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.

Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging the DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe.

ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards.

Recommended read:
References :
  • securityonline.info: Critical Security Flaws Found in ASUS DriverHub: Update Immediately
  • Rescana: Vulnerabilities in ASUS DriverHub Exposed: CVE-2025-3462 and CVE-2025-3463 Analysis
  • cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution
  • securityaffairs.com: Researchers found one-click RCE in ASUS’s pre-installed software DriverHub
  • The DefendOps Diaries: ASUS DriverHub Vulnerability: Understanding and Mitigating CVE-2025-3463
  • The Hacker News: ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files
  • BleepingComputer: The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • bsky.app: ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • www.techradar.com: Details on ASUS DriverHub driver management tool targeted by RCE vulnerability
  • www.scworld.com: ASUS DriverHub vulnerabilities fixed
  • Tech Monitor: TechMonitor article about ASUS DriverHub security vulnerability
  • the420.in: The420.in
  • Blog: ASUS patches RCE flaw in DriverHub utility
  • socradar.io: CVE-2025-3462 & CVE-2025-3463: ASUS DriverHub Flaws Enable RCE

@cyberscoop.com //
SonicWall customers are facing a resurgence of actively exploited vulnerabilities, posing a significant threat to their network security. The company recently addressed three flaws in its Secure Mobile Access (SMA) 100 appliances, including a potential zero-day vulnerability. These vulnerabilities can be chained together to achieve remote code execution, potentially granting attackers root-level access to affected systems. The network security vendor has been making frequent appearances on CISA's Known Exploited Vulnerabilities catalog.

Multiple security flaws in SMA 100 Series devices have been actively exploited recently. The disclosed vulnerabilities, identified as CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, affect SMA 100 appliances and could enable attackers to run code as root. Specifically, CVE-2025-32819 allows for arbitrary file deletion, potentially resetting the device to factory settings, while CVE-2025-32820 enables overwriting system files, potentially causing denial-of-service. CVE-2025-32821 can lead to shell command injections, further facilitating remote code execution.

SonicWall has released patches for these vulnerabilities in version 10.2.1.15-81sv. Security researchers at Rapid7 discovered the vulnerabilities and worked with SonicWall to validate the effectiveness of the patches before public disclosure. Users of SMA 100 series devices, including SMA 200, 210, 400, 410, and 500v, are strongly advised to update their systems to the latest version to mitigate the risk of exploitation. CISA has added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog and urges federal agencies to remediate these issues immediately.

Recommended read:
References :

Pierluigi Paganini@Security Affairs //
SonicWall has released patches to address three significant vulnerabilities impacting its Secure Mobile Access (SMA) 100 series appliances. These flaws, including a potential zero-day, could be chained together by remote attackers to achieve remote code execution. The vulnerabilities affect SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, highlighting the importance of timely updates to prevent exploitation. Cybersecurity experts are urging administrators to apply the patches immediately to mitigate the risk of unauthorized access and potential system compromise.

The most serious of the vulnerabilities, tracked as CVE-2025-32819, is a high-severity arbitrary file delete bug. This flaw could allow attackers to bypass path traversal checks, enabling arbitrary file deletion and potentially leading to reboots to factory settings. SonicWall noted that this vulnerability may have been exploited in the wild, based on known indicators of compromise. Additionally, CVE-2025-32820, another high-severity vulnerability, could facilitate system overwriting, resulting in a denial-of-service condition. The third vulnerability, CVE-2025-32821, is a medium-severity bug that could enable shell command injections, potentially leading to root-level remote code execution.

The fixes are available in firmware version 10.2.1.15-81sv and higher. SonicWall is strongly advising all users of the SMA 100 series products to update their appliances to the latest firmware to protect their systems from these critical vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has also added SonicWall SMA100 flaws to its Known Exploited Vulnerabilities catalog.

Recommended read:
References :
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
  • circl: Security Advisory - SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities and following the following technical disclosure
  • BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
  • Help Net Security: HelpNetSecurity details SonicWall SMA100 vulnerability exploited in the wild
  • Rapid7 Cybersecurity Blog: Multiple vulnerabilities in SonicWall SMA 100 series (FIXED)
  • MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release
  • bsky.app: SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/
  • Caitlin Condon: Today, disclosed 3 new vulnerabilities in SonicWall SMA-100 series appliances, one of which we believe may have been used in the wild.
  • vulnerability.circl.lu: Security Advisory - SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities and following the following technical disclosure: 🔗 It's exploited. 🔗 Bundle with all the vulnerabilities and the sighting
  • securityaffairs.com: SonicWall fixed SMA 100 flaws that could be chained to execute arbitrary code
  • MSSP feed for Latest: SonicWall Patches Critical Vulnerabilities in SMA 100 Series Appliances
  • www.scworld.com: SonicWall addresses trio of SMA 100 flaws
  • socradar.io: Severe Vulnerabilities in Cisco & SonicWall Expose Systems to RCE, DoS, and More: Patch Now
  • Threats | CyberScoop: SonicWall customers confront resurgence of actively exploited vulnerabilities
  • cyberscoop.com: The network security device vendor is making a regular appearance on CISA’s known exploited vulnerabilities catalog. Unlike its competitors, SonicWall hasn’t signed the secure-by-design pledge.
  • bsky.app: New SonicWall SMA zero-day. Looks like a post-compromise exploit for EoP

@sec.cloudapps.cisco.com //
Cisco has issued a critical security advisory to address CVE-2025-20188, a severe vulnerability affecting its IOS XE Wireless LAN Controllers (WLCs). This flaw, which has been assigned a CVSS score of 10.0, allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT) present within the affected system, enabling attackers to potentially gain root privileges. The vulnerability impacts several products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs.

The exploitation requires the Out-of-Band AP Image Download feature to be enabled, which is not enabled by default. An attacker can exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could enable the attacker to perform path traversal and execute arbitrary commands with root privileges, leading to a complete compromise of the affected system. Cisco advises administrators to check if the Out-of-Band AP Image Download feature is enabled by using the `show running-config | include ap upgrade` command. If the command returns `ap upgrade method https`, the feature is enabled, and the device is vulnerable.

Currently, there are no direct workarounds available to address this vulnerability. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed. Cisco has released free software updates to address this vulnerability, advising customers with service contracts to obtain these security fixes through their usual update channels, urging them to upgrade to the fixed release as soon as possible. As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability.

Recommended read:
References :
  • securityonline.info: Critical CVE-2025-20188 (CVSS 10) Flaw in Cisco IOS XE WLCs Allows Remote Root Access
  • The Hacker News: Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT
  • Rescana: Detailed Analysis Report on Cisco Security Advisory: cisco-sa-wlc-file-uplpd-rHZG9UfC Overview The Cisco Security Advisory ID...
  • Anonymous ???????? :af:: New Cisco flaw scores a perfect 10.0 CVSS. A hardcoded token. Root access. No login needed. If you run Catalyst 9800 wireless controllers, you’ll want to check this fast.
  • securityaffairs.com: Cisco fixed a critical flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files.
  • thecyberexpress.com: News about Cisco fixing a 10.0-rated wireless controller flaw (CVE-2025-20188).
  • securityonline.info: SecurityOnline reports on critical CVE-2025-20188 flaw in Cisco IOS XE WLCs allowing remote root access.
  • sec.cloudapps.cisco.com: Security Advisory - Security updates available for Cisco IOS and IOS XE Software
  • BleepingComputer: Cisco fixed a maximum severity IOS XE flaw letting attackers hijack devices
  • Security Risk Advisors: Critical Vulnerability in Cisco IOS XE Wireless Controllers Allows Unauthenticated Remote Code Execution
  • BleepingComputer: Cisco fixed a maxmimum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices. The flaw, tracked as CVE-2025-20188, is caused by a hardcoded JWT token that lets you bypass authentication and ultimately execute commands as root.
  • www.scworld.com: Cisco patches maximum severity vulnerability in IOS XE Software
  • www.bleepingcomputer.com: Critical vulnerability in Cisco IOS XE Wireless Controllers allows unauthenticated remote code execution
  • darkwebinformer.com: Cisco IOS XE Wireless Controllers Vulnerable to Unauthenticated Root Exploits via JWT (CVE-2025-20188)
  • BleepingComputer: Cisco fixed a maxmimum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices.
  • www.csoonline.com: Cisco patches max-severity flaw allowing arbitrary command execution
  • nvd.nist.gov: CVE-2025-20188 Details

@www.helpnetsecurity.com //
A pre-authenticated Remote Code Execution (RCE) vulnerability chain has been discovered in SysAid On-Premises, a self-hosted IT service management platform. Researchers at watchTowr Labs have disclosed technical details and a proof-of-concept exploit for this vulnerability, identified as CVE-2025-2775 along with related XXE injection vulnerabilities (CVE-2025-2776, CVE-2025-2777). The flaws allow threat actors to execute arbitrary code on affected systems without prior authentication. This vulnerability affects the on-premise version of SysAid IT support software, posing a significant risk to organizations using the platform.

SysAid addressed these critical vulnerabilities in early March 2025 with the release of on-premise version 24.4.60 b16. The vulnerabilities are XML External Entity (XXE) injections within specific endpoints (/mdm/checkin and /lshw), which can be exploited via specially crafted HTTP POST requests. Successful exploitation could allow attackers to retrieve sensitive local files, including the "InitAccount.cmd" file containing administrator credentials. This access can then be leveraged to gain full administrative control over the SysAid instance.

The severity of the XXE flaws is compounded by the possibility of chaining them with a separate operating system command injection vulnerability (CVE-2025-2778), enabling remote code execution. Given SysAid's history of being targeted by ransomware groups, including the exploitation of CVE-2023-47246 in zero-day attacks, security experts are urging users to immediately update their SysAid On-Premises installations to the latest version to mitigate the risk of exploitation. A proof-of-concept (PoC) exploit combining the four vulnerabilities has been made available, further emphasizing the need for immediate patching.

Recommended read:
References :
  • Arctic Wolf: CVE-2025-2775: PoC Released for SysAid On-Premises Pre-Auth RCE Vulnerability
  • labs.watchtowr.com: SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends) - watchTowr Labs
  • The Hacker News: Threat actors can achieve pre-authenticated remote code execution on the on-premise version of SysAid IT support software
  • www.scworld.com: Significant RCE compromise likely with SysAid vulnerabilities
  • Help Net Security: HelpNetSecurity reports on PoC exploit for SysAid pre-auth RCE released, upgrade quickly!
  • Arctic Wolf: Arctic Wolf details CVE-2025-2775: PoC Released for SysAid On-Premises Pre-Auth RCE Vulnerability

@securityonline.info //
A critical vulnerability, CVE-2025-46762, has been identified in Apache Parquet Java, a widely used open-source columnar storage format. This flaw exposes systems to potential remote code execution (RCE) attacks through insecure schema parsing in the parquet-avro module. The vulnerability resides in how Avro schemas are deserialized from metadata stored in Parquet files, potentially allowing malicious actors to inject code into the file's metadata. If an application uses parquet-avro to read Parquet files and employs the specific or reflective Avro deserialization models, processing an untrusted Parquet file could trigger unauthorized code execution during schema parsing.

The vulnerability impacts all versions of Apache Parquet Java up to and including 1.15.1, where schema parsing in the parquet-avro module allows bad actors to execute arbitrary code. While version 1.15.1 introduced restrictions on untrusted packages, the default list of trusted packages remained permissive, possibly enabling attackers to exploit the vulnerability using classes from whitelisted packages. Exploitability is contingent upon specific usage patterns, primarily when applications use parquet-avro, employ the specific or reflective Avro deserialization models, and process untrusted or user-supplied Parquet files.

To mitigate this serious threat, Apache recommends upgrading to version 1.15.2, which includes hardened default settings to prevent execution from trusted but potentially dangerous packages. Users on version 1.15.1 can explicitly set the system property org.apache. Although this vulnerability is not exploitable by default, the potential for RCE makes it a high-priority concern for organizations utilizing Apache Parquet in data-intensive applications and analytics pipelines, especially those dealing with untrusted data sources.

Recommended read:
References :
  • securityonline.info: CVE-2025-46762: Apache Parquet Java Flaw Allows Potential RCE via Avro Schema
  • securityonline.info: CVE-2025-46762: Apache Parquet Java Flaw Allows Potential RCE via Avro Schema
  • thecyberexpress.com: Apache Parquet Java Vulnerability CVE-2025-46762 Exposes Systems to Remote Code Execution Attacks
  • F5 Labs All: Canary Exploit tool for CVE-2025-30065 Apache Parquet Avro Vulnerability
  • BleepingComputer: Apache Parquet exploit tool detect servers vulnerable to critical flaw
  • The DefendOps Diaries: TheDefendOpsDiaries about Apache Parquet
  • securityaffairs.com: Canary Exploit tool allows to find servers affected by Apache Parquet flaw
  • Security Risk Advisors: CVE-2025-30065 – Critical Vulnerability in Apache Parquet Enables Arbitrary Class Instantiation via Malicious Avro Files

Rescana@Rescana //
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.

Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts.

The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is '/developmentserver/metadatauploader', which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise.

Recommended read:
References :
  • SOC Prime Blog: Zero-day vulnerabilities are no longer rare anomalies—they’re now a core weapon in the modern attacker’s arsenal, with exploitation activity escalating year over year.
  • Rescana: The recent discovery of a zero-day vulnerability in SAP NetWeaver Visual Composer has raised alarm bells across the...
  • The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • Anonymous ???????? :af:: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers