CyberSecurity news

FlagThis - #rce

@Talkback Resources //

WhatsApp for Windows Flaw Enables Remote Code Execution - A spoofing vulnerability (CVE-2025-30401) in WhatsApp for Windows allows attackers to trick users and enable remote code execution, and users are advised to update to the latest version to mitigate the risk.
A critical spoofing vulnerability, identified as CVE-2025-30401, has been discovered in WhatsApp for Windows. Meta, the parent company of WhatsApp, has released a security update to address this flaw, which impacts versions prior to 2.2450.6. The vulnerability could allow attackers to trick users and enable remote code execution on their devices. Users of WhatsApp for Windows are strongly advised to update to the latest version immediately to mitigate the risk. This issue arises from a discrepancy in how WhatsApp handles file attachments, specifically the mismatch between the MIME type and file extension handling.

The exploit mechanism involves attackers sending maliciously crafted files with altered file types to potential targets. The WhatsApp application displays attachments based on their MIME type but selects the file opening handler based on the attachment's filename extension. This allows an attacker to craft a malicious file that appears harmless, such as an image, but when opened, executes arbitrary code. The spoofing technique takes advantage of the discrepancy between MIME type and file extension handling, allowing attackers to execute arbitrary code on the victim’s system.

The discovery of CVE-2025-30401 has raised concerns within the cybersecurity community, highlighting the importance of maintaining robust security practices in widely-used applications. While Meta has not reported any exploitation of this vulnerability in the wild, vulnerabilities in messaging applications like WhatsApp are frequently targeted by malicious actors. The impact of a successful exploit could include unauthorized system access and data theft, posing significant risks to users. To ensure protection, users should promptly update their WhatsApp for Windows application to version 2.2450.6 or later.

Recommended read:
References :
  • securityaffairs.com: WhatsApp fixed a spoofing flaw that could enable Remote Code Execution
  • Talkback Resources: WhatsApp Vulnerability Could Facilitate Remote Code Execution [app] [exp]
  • The DefendOps Diaries: Understanding the WhatsApp for Windows Vulnerability: CVE-2025-30401
  • BleepingComputer: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
  • hackread.com: WhatsApp for Windows Flaw Could Let Hackers Sneak In Malicious Files
  • infosec.exchange: vulnerability CVE-2025-30401 impacting all WhatsApp versions can let attackers execute malicious code on your devices. The flaw can be exploited by attackers by sending maliciously crafted files with altered file types to potential targets:
  • PCMag UK security: WhatsApp Patches Bug That Can Execute Malware on Windows PCs
  • darkwebinformer.com: DarkWebInformer Article on CVE-2025-30401: WhatsApp for Windows Spoofing Prior to Version 2.2450.6
  • cyberinsider.com: WhatsApp for Windows Vulnerable to Spoofing Flaw Leading to Code Execution
  • securityonline.info: SecurityOnline news detail for WhatsApp for Windows Spoofing Vulnerability: Execute Code Risk (CVE-2025-30401)
  • The Register - Security: What a MIME field A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment - and, to be fair, it doesn't take much craft to pull that off.
  • bsky.app: Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
  • ComputerWeekly.com: Spoofing vuln threatens security of WhatsApp Windows users
  • www.csoonline.com: CSOOnline article on Whatsapp plugs bug allowing RCE with spoofed filenames
  • Help Net Security: WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401)
  • Malwarebytes: WhatsApp for Windows vulnerable to attacks. Update now!
  • www.bleepingcomputer.com: WhatsApp flaw can let attackers run malicious code on Windows PCs
  • www.scworld.com: Malicious code execution possible with patched WhatsApp flaw
@parquet.apache.org //

Critical RCE Flaw in Apache Parquet Java - A critical remote code execution (RCE) vulnerability (CVE-2025-30065) has been discovered in Apache Parquet’s Java Library.
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-30065, has been discovered in Apache Parquet's Java Library. This flaw carries a maximum severity rating and could allow a remote attacker to execute arbitrary code on susceptible systems. Apache Parquet is a widely used open-source columnar data file format designed for efficient data processing and retrieval, commonly employed in big data processing frameworks like Hadoop and Spark. Given the popularity of Apache Parquet and the severity of the vulnerability, immediate action is crucial to mitigate the risk.

This critical flaw stems from the deserialization of untrusted data within the parquet-avro module of the Java library. An attacker can exploit this vulnerability by tricking a vulnerable system into processing a specially crafted Parquet file. Upon processing the malicious file, the deserialization of untrusted data allows the attacker to execute arbitrary code, potentially gaining full control over the affected system. Consequences of successful exploitation could include data exfiltration or modification, service disruption, and the deployment of malicious payloads such as ransomware.

The vulnerability impacts all versions of Apache Parquet up to and including 1.15.0. Systems and applications that utilize data pipelines and analytics frameworks, particularly those that import Parquet files from external or untrusted sources, are at heightened risk. The flaw was fixed with the release of Apache version 1.15.1. Users are strongly advised to update their Apache Parquet installations to the latest version as soon as possible to address this critical security vulnerability and prevent potential exploitation.

Recommended read:
References :
  • The DefendOps Diaries: Addressing the Critical CVE-2025-30065 Vulnerability in Apache Parquet
  • The Hacker News: A maximum severity security vulnerability has been disclosed in Apache Parquet's Java Library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances.
  • BleepingComputer: Max severity RCE flaw discovered in widely used Apache Parquet
  • securityaffairs.com: Critical flaw in Apache Parquet’s Java Library allows remote code execution
  • www.csoonline.com: Big hole in big data: Critical deserialization bug in Apache Parquet allows RCE
  • Blog: Max-severity vulnerability discovered in Apache Parquet, patch now
  • www.scworld.com: Significant big data environment risk likely with maximum severity Apache Parquet bug
Pierluigi Paganini@securityaffairs.com //

CISA Adds Apache Tomcat Flaw to Exploited Vulnerabilities - CISA has added an Apache Tomcat path equivalence vulnerability, CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation, urging users to upgrade to the latest secure versions.
CISA has added a new Apache Tomcat vulnerability, identified as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence that the flaw is being actively exploited in the wild, posing a significant risk to organizations utilizing affected versions of Apache Tomcat. The vulnerability is a path equivalence issue within Apache Tomcat.

To mitigate the risk posed by CVE-2025-24813, impacted users are urged to upgrade their Apache Tomcat installations to the latest secure versions. Specifically, upgrades to Apache Tomcat 11.0.3 or later, Apache Tomcat 10.1.35 or later, or Apache Tomcat 9.0.99 or later are recommended. The advisory also includes IPS protection measures to detect and block potential attack attempts targeting this vulnerability affecting the Apache Tomcat web server.

Recommended read:
References :
do son@Daily CyberSecurity //

CISA Warns of RESURGE Malware Exploiting Ivanti Flaw - CISA released a report detailing the RESURGE malware, exploiting CVE-2025-0282 in Ivanti Connect Secure appliances, which can create web shells, manipulate integrity checks, and modify files for unauthorized access.
CISA has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing a new malware variant named RESURGE, which exploits a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282). The analysis indicates that RESURGE exhibits capabilities similar to the SPAWNCHIMERA malware, including surviving system reboots, but contains distinctive commands that alter its behavior. According to CISA, RESURGE can create web shells, manipulate integrity checks, and modify files, enabling credential harvesting, account creation, password resets, and escalating permissions.

RESURGE can also copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image, ensuring persistence and unauthorized access. CISA strongly advises organizations using Ivanti Connect Secure devices to take immediate action to mitigate this threat by applying security patches for CVE-2025-0282, monitoring network traffic for unusual SSH connections, and implementing robust logging practices to detect tampering attempts. The vulnerability, CVE-2025-0282, is a stack-based buffer overflow vulnerability affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways that could result in remote code execution.

Recommended read:
References :
  • securityonline.info: CISA Warns of RESURGE Malware: Exploiting Ivanti Vulnerability
  • Cyber Security News: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Malware Analysis Report (MAR-25993211-r1.v1) detailing the exploitation of a critical vulnerability in Ivanti Connect Secure devices (CVE-2025-0282).
  • bsky.app: CISA has published a technical report on RESURGE, a web shell installed on Ivanti Connect Secure devices via CVE-2025-0282
  • thehackernews.com: RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features
  • securityaffairs.com: CISA warns of RESURGE malware exploiting Ivanti flaw
  • Help Net Security: CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day.
  • : It’s the end of March 2025...of course CISOs still need to worry about Ivanti Connect Secure flaws.
  • www.cybersecuritydive.com: CVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
  • : CISA recommends immediate action to address malware variant RESURGE exploiting Ivanti vulnerability CVE-2025-0282
  • thecyberexpress.com: CISA Details New Malware Used in Ivanti Attacks
  • Sam Bent: A newly discovered malware named RESURGE is targeting Ivanti Connect Secure vulnerabilities, delivering stealth capabilities like rootkits and web shells. Tied to China-linked espionage groups.
  • The Register - Security: CISA spots spawn of Spawn malware targeting Ivanti flaw
  • Arctic Wolf: CVE-2025-22457: Ivanti Connect Secure VPN Vulnerable to Zero-Day RCE Exploitation
  • cert.europa.eu: 2025-016: Critical Vulnerability in Ivanti Products
  • securityonline.info: CVE-2025-22457: UNC5221 Exploits Ivanti Zero-Day Flaw to Deploy TRAILBLAZE and BRUSHFIRE Malware
  • Help Net Security: Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)
  • securityaffairs.com: China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March
  • The Register - Security: Suspected Chinese spies right now hijacking buggy Ivanti gear – for third time in 3 years
  • www.bleepingcomputer.com: Ivanti patches Connect Secure zero-day exploited since mid-March
  • BleepingComputer: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
  • Threats | CyberScoop: China-backed espionage group hits Ivanti customers again
  • www.scworld.com: Mandiant warns of attacks on newly-disclosed Ivanti remote takeover threat
  • The Hacker News: Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware
  • bsky.app: Mandiant links the exploitation of a Connect Secure vulnerability to a China-linked APT (UNC5221).
  • bsky.app: Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025.
  • research.kudelskisecurity.com: CVE-2025-22457: Critical Ivanti Connect Secure Vulnerability
  • Arctic Wolf: Ivanti disclosed a critical zero-day vulnerability, CVE-2025-22457, affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways
  • Vulnerable U: The vulnerability affects many versions of Ivanti appliances and is being exploited by a Chinese actor
  • darkwebinformer.com: CVE-2025-22457: April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)
info@thehackernews.com (The@The Hacker News //

Critical Ingress NGINX Vulnerabilities: Kubernetes Clusters at Risk - Multiple critical vulnerabilities in the Ingress NGINX Controller for Kubernetes could lead to unauthenticated remote code execution (RCE), potentially exposing over 6,500 clusters, urging users to update to the latest patched versions.
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. These flaws could lead to unauthenticated remote code execution (RCE), potentially exposing over 6,500 clusters to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have a CVSS score of 9.8. Cloud security firm Wiz discovered these flaws and reported that approximately 43% of cloud environments are susceptible to these vulnerabilities.

Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which utilizes NGINX as a reverse proxy and load balancer. Attackers can exploit the unrestricted network accessibility of admission controllers by injecting malicious NGINX configurations, gaining unauthorized access to cluster secrets and potentially leading to a complete cluster takeover. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks.

Recommended read:
References :
  • Open Source Security: Multiple vulnerabilities in ingress-nginx
  • The Hacker News: Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
  • Wiz Blog | RSS feed: IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
  • The Register - Software: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw
  • Open Source Security: [kubernetes] Multiple vulnerabilities in ingress-nginx
  • ciso2ciso.com: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw – Source: go.theregister.com
  • securityonline.info: CVE-2025-1974 (CVSS 9.8): Ingress NGINX Flaws Threaten Mass Kubernetes Compromise
  • dragosr: "CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required." ingress-nginx is deployed in 40% of k8s clusters.
  • research.kudelskisecurity.com: Critical Unauthenticated Remote Code Execution Vulnerabilities inIngress NGINX
  • securityboulevard.com: Security Boulevard answers FAQs about IngressNightmare.
  • : Wiz Security finds four critical RCE vulnerabilities in the Ingress NGINX Controller for Kubernetes
  • Resources-2: IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
  • www.csoonline.com: Critical RCE flaws put Kubernetes clusters at risk of takeover
  • www.cybersecuritydive.com: Critical vulnerabilities put Kubernetes environments in jeopardy
  • Arctic Wolf: CVE-2025-1974: Critical Unauthenticated RCE Vulnerability in Ingress NGINX for Kubernetes
  • Tenable Blog: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare
  • open-appsec: On March 24, 2025, WIZ Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsanitized user...
  • Threats | CyberScoop: String of defects in popular Kubernetes component puts 40% of cloud environments at risk
  • Blog: Ingress NGINX Kubernetes Controller vulnerabilities a ‘nightmare’ for impacted users
  • circl: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. CVE-2025-1974 but also CVE-2025-1097 CVE-2025-1098 CVE-2025-24513 CVE-2025-24514 🔗 For more details about Ingress NGINX Controller for Kubernetes release
  • Sysdig: Detecting and Mitigating IngressNightmare – CVE-2025-1974
  • thecyberexpress.com: Multiple CVEs Found in Ingress-NGINX—Patch Now to Prevent Cluster Compromise
  • Datadog Security Labs: The "IngressNightmare" vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation
  • Information Security Buzz: Five critical security vulnerabilities have been found in the Ingress NGINX Controller for Kubernetes, potentially enabling unauthenticated remote code execution. This exposure puts over 6,500 clusters at immediate risk by making the component accessible via the public internet.
  • MSSP feed for Latest: Researchers aren’t aware of active exploitation in the wild, but they warn the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.
  • Latest Bulletins: Addresses issues with Kubernetes ingress-nginx controller
  • nsfocusglobal.com: Kubernetes Ingress-nginx Remote Code Execution Vulnerability (CVE-2025-1974)
  • Dynatrace news: NGINX vulnerability: Quickly detect and mitigate IngressNightmare vulnerabilities with Dynatrace
  • securityonline.info: ingress-nginx maintainers released fixes for multiple vulnerabilities that could allow threat actors to take over Kubernetes clusters.
  • Delinea Blog: Discusses vulnerabilities enabling access to Kubernetes clusters’ secrets.
  • Kali Linux Tutorials: Details on IngressNightmare Vulnerabilities
Rescana@Rescana //

WordPress Plugin Vulnerabilities Lead to Widespread Exploitation - Threat actors are exploiting vulnerabilities in WordPress plugins, including a critical RCE vulnerability in the WP Ghost plugin (CVE-2025-26909), and the DollyWay campaign has compromised over 20,000 WordPress sites to redirect users to malicious sites.
A critical vulnerability, tracked as CVE-2025-26909, has been identified in the WP Ghost plugin, a popular WordPress security plugin used by over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially allowing attackers to gain complete control over affected web servers without authentication. The vulnerability stems from insufficient validation of user-supplied input through the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.

This flaw allows unauthenticated users to manipulate the URL to trigger file inclusion, potentially leading to arbitrary code execution, especially when the "Change Paths" feature is set to Lite or Ghost mode. Exploit techniques such as `php://filter` chains and leveraging `PHP_SESSION_UPLOAD_PROGRESS` can be used. Website administrators are strongly advised to immediately update their WP Ghost plugin to the latest version 5.4.02 to mitigate this severe security risk and implement additional security measures.

In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. This campaign utilizes injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites to redirect users to malicious sites. This highlights the broader issue of WordPress plugin vulnerabilities and the importance of maintaining strong security practices, including regular updates and vigilance.

Recommended read:
References :
  • Sam Bent: Critical Vulnerability Discovered in WP Ghost Plugin: Unauthenticated Remote Code Execution Possible
  • Virus Bulletin: GoDaddy Security researchers have uncovered long-running malware operation DollyWay, which primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of TDS nodes hosted on compromised websites.
  • Rescana: Critical CVE-2025-26909 Vulnerability in WP Ghost Plugin: Immediate Update Required for Over 200,000 Websites
  • The DefendOps Diaries: Explore the critical CVE-2025-26909 vulnerability in WP Ghost plugin and learn how to mitigate its risks.
Julian Tuin@Arctic Wolf //

Critical RCE Vulnerability in Veeam Backup Replication - A critical vulnerability (CVE-2025-23120) in Veeam Backup & Replication allows authenticated domain users to execute remote code, potentially compromising enterprise backup infrastructures; users are urged to apply the patch immediately.
A critical vulnerability, identified as CVE-2025-23120, has been discovered in Veeam Backup & Replication software. This flaw allows authenticated domain users to execute remote code, potentially leading to the compromise of enterprise backup infrastructures. The vulnerability affects versions 12, 12.1, 12.2, and 12.3 of Veeam Backup & Replication and has been assigned a CVSS score of 9.9, indicating a critical severity. The issue was reported by Piotr Bazydlo of watchTowr and highlights the importance of community engagement in addressing security issues.

Veeam has addressed this vulnerability in version 12.3.1 (build 12.3.1.1139), and users are strongly urged to apply the patch immediately. The vulnerability specifically impacts domain-joined backup servers, which goes against Security & Compliance Best Practices. It is imperative for organizations to prioritize updates to ensure their systems remain secure. The company also emphasizes its commitment to customer security through a Vulnerability Disclosure Program and rigorous internal code audits.

Recommended read:
References :
  • gbhackers.com: Critical Veeam Backup & Replication Vulnerability Allows Remote Execution of Malicious Code
  • securityonline.info: CVE-2025-23120 (CVSS 9.9): Critical RCE Vulnerability Discovered in Veeam Backup & Replication
  • Help Net Security: Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)
  • www.redhotcyber.com: Vulnerabilità critica da 9.9 di Score in Veeam Backup & Replication che consente RCE
  • borncity.com: Warning for users of Veeam Backup & Replication. Vendor Veeam has informed it's customers on March 19, 2025 about a Remote Code Execution (RCE) vulnerability CVE-2025-23120 in various versions of the mentioned product. It can be abused in domain joined
  • Vulnerability-Lookup: You can now share your thoughts on vulnerability CVE-2025-23120 in Vulnerability-Lookup: Veeam - Backup and Recovery
  • Rescana: Urgent Alert: CVE-2025-23120 Vulnerability in Veeam Backup & Replication Risks RCE Exploitation
  • The DefendOps Diaries: Understanding and Mitigating the CVE-2025-23120 Vulnerability in Veeam Backup & Replication
  • Security Affairs: Veeam fixed critical Backup & Replication flaw CVE-2025-23120
  • socradar.io: Critical Veeam Vulnerability (CVE-2025-23120) Enables Remote Code Execution by Domain Users
  • Arctic Wolf: CVE-2025-23120: Critical Remote Code Execution Vulnerability in Veeam Backup & Replication
  • Blog: Another critical deserialization flaw found in Veeam backup
  • www.bleepingcomputer.com: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations. [...]
  • Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) By Executive Order I hereby BAN deserialization issues. I don't know how many god damned times I've read about how critical software vulnerabilities have been rooted in deserialization issues, and here we go again. Thanks watchTowr for an entertaining read. Summary This research details two Remote Code Execution (RCE) vulnerabilities in Veeam Backup & Replication (CVE-2025-23120) discovered by watchTowr Labs. The vulnerabilities exploit deserialization flaws in Veeam's codebase, specifically targeting the product's reliance on blacklist-based security mechanisms rather than proper whitelisting. The researchers demonstrate how any domain user can exploit these vulnerabilities when the Veeam server is joined to an Active Directory domain, potentially allowing complete system compromise. The vulnerabilities were responsibly disclosed to Veeam, who patched them by simply adding the discovered gadget classes to their blacklist, a solution the researchers criticize as inadequate and likely to lead to similar vulnerabilities in the future.
  • MSSP feed for Latest: Veeam patches critical Backup & Replication flaw CVE-2025-23120
  • www.techradar.com: Researchers criticize the way Veeam handled deserialization flaws.
  • Christoffer S.: By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)
  • bsky.app: Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations.
  • Security Risk Advisors: Critical RCE in #Veeam Backup & Replication (CVE-2025-23120) lets domain users run rogue code.
  • research.kudelskisecurity.com: A newly discovered vulnerability in Veeam Backup & Replication, tracked as CVE-2025-23120, has emerged as a critical threat for enterprise environments. This flaw enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
  • www.sentinelone.com: A newly disclosed vulnerability, tracked as CVE-2025-23120, affecting Veeam Backup & Replication, enables authenticated domain users to execute arbitrary code remotely, exposing a direct path to compromising backup infrastructure.
  • Cyber Security News: CyberPress : Veeam RCE Vulnerability Allows Domain Users to Compromise Backup Servers
  • www.scworld.com: Veeam patches critical 9.9 flaw in backup and replication product
  • www.csoonline.com: A critical remote code execution flaw patched in Veeam backup servers
  • Arctic Wolf: On March 19, 2025, Veeam published a security advisory for a critical severity vulnerability impacting their Backup & Replication software.
  • Help Net Security: Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware
Bill Toulas@BleepingComputer //

GitLab Releases Critical Patches for Multiple Vulnerabilities - GitLab released security updates to address critical vulnerabilities in Community Edition (CE) and Enterprise Edition (EE), including authentication bypass risks and a Remote Code Execution (RCE) threat.
GitLab has released critical security updates for versions 17.9.2, 17.8.5, and 17.7.7 of both its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities. The updates are aimed at rectifying authentication bypass risks and a Remote Code Execution (RCE) threat. Users with self-managed GitLab installations are strongly encouraged to upgrade immediately to one of these patched versions to mitigate potential exploits. GitLab.com is already running the patched version, and GitLab Dedicated customers will be notified once their instances have been updated.

Patches address critical vulnerabilities, most notably authentication bypasses in the SAML single sign-on (SSO) authentication mechanism. Specifically, CVE-2025-25291 and CVE-2025-25292 involve authentication bypass issues in the SAML SSO mechanism due to discrepancies in XML parsing within the ruby-saml library. The vulnerability could allow an attacker with a valid signed SAML document to authenticate as another user. Mitigation includes enabling two-factor authentication, disabling SAML two-factor bypass, and mandating admin approval for new users. Another significant high-severity vulnerability, CVE-2025-27407, involves remote code execution via the Ruby graphql library when transferring a malicious project.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: GitLab addressed critical auth bypass flaws in CE and EE
  • socradar.io: GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Comprehensive Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
Bill Toulas@BleepingComputer //

GitLab Patches Critical Authentication Bypass Vulnerabilities - GitLab releases security updates for CE and EE, fixing nine vulnerabilities, including critical ruby-saml library authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) which could allow attackers to impersonate any user.
GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.

Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. Other vulnerabilities that were addressed are CVE-2025-27407, a high severity Ruby graphql vulnerability.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: SecurityAffairs article on GitLab addressed critical flaws in CE and EE
  • socradar.io: SocRadar article on GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • The DefendOps Diaries: GitLab's Critical Vulnerability Fixes: What You Need to Know
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Rescana Cybersecurity Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
  • securityonline.info: GitLab urgently patches critical authentication bypass flaws – CVE-2025-25291 & CVE-2025-25292
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication
Matan Mittelman@Cato Networks //

Ballista Botnet Exploits TP-Link Router Vulnerability - The Ballista botnet is exploiting a remote code execution vulnerability in TP-Link Archer routers to spread, targeting over 6,000 routers.
References: bsky.app , Secure Bulletin , Cato Networks ...
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.

This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.

Recommended read:
References :
  • bsky.app: New Ballista botnet found -Author seems to be from Italy -Targets TP-Link Archer routers -Used for DDoS accounts -Unique code, not based on Mirai or Mozi
  • Secure Bulletin: The Ballista Botnet: a new IoT threat with italian roots
  • securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
  • Cato Networks: Cato CTRLâ„¢ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
  • The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
  • CyberInsider: TP-Link Archer Routers Under Attack by New IoT Botnet ‘Ballista’
  • Blog: New Ballista botnet targets vulnerabilities in popular TP-Link routers
  • www.cybersecuritydive.com: Emerging botnet exploits TP-Link router flaw posing risk to US organizations
  • www.cybersecurity-insiders.com: Cato CTRL researchers observed a new botnet, called Ballista botnet, which is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-1389 (CVSS score 8.8), in TP-Link Archer routers. The CVE-2023-1389 flaw is an unauthenticated command injection […]
  • community.emergingthreats.net: The Ballista Botnet: a new IoT threat with italian roots
  • www.techradar.com: This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
  • securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
  • Schneier on Security: TP-Link Router Botnet
do son@Daily CyberSecurity //

Apache Tomcat Vulnerability Enables RCE and Data Leaks - A path equivalence vulnerability in Apache Tomcat allows for potential remote code execution, information disclosure, or malicious content addition and users are advised to upgrade immediately to patched versions.
A critical security vulnerability, CVE-2025-24813, has been identified in Apache Tomcat, potentially exposing servers to remote code execution (RCE) and data leaks. The vulnerability stems from a path equivalence issue related to how Tomcat handles filenames with internal dots, particularly when writes are enabled for the default servlet and partial PUT support is enabled. This flaw could allow attackers to execute malicious code, disclose sensitive information, or inject malicious content into uploaded files.

Users of Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are advised to upgrade immediately to versions 11.0.3, 10.1.35, or 9.0.99 respectively, which include the necessary fixes. The vulnerability exists if an application uses Tomcat's file-based session persistence with the default storage location and includes a library susceptible to deserialization attacks, potentially leading to remote code execution. COSCo Shipping Lines DIC and sw0rd1ight are credited with discovering and reporting the vulnerability.

Recommended read:
References :
  • gbhackers.com: Apache Tomcat Flaw Could Allow RCE Attacks on Servers
  • cR0w :cascadia:: Tomcat vulns are always fun, right? H/T: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  • buherator's timeline: [oss-security] CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or ...
  • Open Source Security: CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
  • securityonline.info: CVE-2025-24813 Flaw in Apache Tomcat Exposes Servers to RCE, Data Leaks: Update Immediately
  • buherator's timeline: Analysis of CVE-2025-24813 Apache Tomcat Path Equivalence RCE
  • BleepingComputer: A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request. [...]
  • securityonline.info: Tomcat Flaw CVE-2025-24813 Exploited in the Wild, PoC Released
  • securityaffairs.com: Threat actors rapidly exploit new Apache Tomcat flaw following PoC release
  • infosecwriteups.com: CVE-2025–24813: Apache Tomcat Path Equivalence Vulnerability $$$$ BOUNTY
  • The Hacker News: The Hacker News reports on Apache Tomcat Vulnerability Actively Exploited Just 30 Hours After Public Disclosure
  • www.scworld.com: Apache Tomcat flaw actively exploited; could allow 'devastating' RCE
  • bsky.app: Bsky Social - A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.
  • bsky.app: A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.
  • The Register - Software: One PUT request, one poisoned session file, and the server’s yours A trivial flaw in Apache Tomcat that allows remote code execution and access to sensitive files is said to be under attack in the wild within a week of its disclosure.
Sergiu Gatlan@BleepingComputer //

Mass Exploitation of Critical PHP Vulnerability - Mass exploitation of CVE-2024-4577, a critical vulnerability in PHP-CGI, confirmed across multiple regions, allowing remote code execution on vulnerable servers using Apache and PHP-CGI.
Cybersecurity experts are warning of a mass exploitation of a critical PHP vulnerability, CVE-2024-4577. This flaw allows attackers to remotely execute code on vulnerable servers using Apache and PHP-CGI. GreyNoise data has confirmed that the exploitation extends far beyond initial reports, with attack attempts observed across multiple regions. Notable spikes have been detected in the United States, Singapore, Japan, and other countries throughout January 2025, signaling a broad campaign targeting this vulnerability.

Cisco Talos has discovered an active exploitation of CVE-2024-4577. The attacker gains access to victim machines and carries out post-exploitation activities. The attempted exploitation has escalated across the U.S., Japan, Singapore, and other parts of the world. GreyNoise detected over 1,000 attacks globally. Experts urge organizations to apply the necessary patches and monitor for suspicious activity to mitigate the risk of compromise.

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.
  • securityaffairs.com: Threat actors exploit PHP flaw CVE-2024-4577 for remote code execution. Over 1,000 attacks detected globally.
  • www.scworld.com: Attempted exploitation escalated across the U.S., Japan, Singapore, and other parts of the world.
  • www.cybersecuritydive.com: Critical PHP vulnerability under widespread cyberattack
  • The GreyNoise Blog: GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign
  • MSSP feed for Latest: Targeting Of Critical PHP Vulnerability Expands Gloabally
  • www.techradar.com: Experts warn this critical PHP vulnerability could be set to become a global problem
  • www.scworld.com: Critical 9.8 PHP flaw exploited in US, Japan and Singapore
  • The DefendOps Diaries: Explore CVE-2024-4577, a critical PHP vulnerability affecting CGI mode on Windows, and learn about its implications and mitigation strategies.
  • BleepingComputer: Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.
  • bsky.app: Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.
Ameer Owda@socradar.io //

Critical Kibana Vulnerability Exposes Systems to Code Execution - A critical security vulnerability, CVE-2025-25012, has been discovered in Kibana, which could allow attackers to execute arbitrary code on affected systems.
A critical security vulnerability, CVE-2025-25012, has been identified in Kibana, the data visualization platform used with Elasticsearch. This flaw stems from prototype pollution and could enable attackers to execute arbitrary code on affected systems. Given Kibana's widespread adoption across various industries, this vulnerability poses a significant risk to data security, integrity, and system stability. The vulnerability has a CVSS score of 9.9.

Versions 8.15.0 up to 8.17.3 are affected, where users with the Viewer role can be exploited, and versions 8.17.1 and 8.17.2 can be exploited through roles with elevated privileges. It is advised to update Kibana to version 8.17.3. Immediate action is crucial for organizations using vulnerable versions of Kibana to mitigate the potential for unauthorized access, data exfiltration, and service disruption.

Recommended read:
References :
  • socradar.io: Critical Kibana Vulnerability (CVE-2025-25012) Exposes Systems to Code Execution, Patch Now
  • securityaffairs.com: Security Affairs article on Elastic patching critical Kibana flaw.
  • The Hacker News: The Hacker News article on Elastic releasing an urgent fix for a critical Kibana vulnerability.
  • thecyberexpress.com: Elastic Issues Urgent Update for Critical Kibana Vulnerability Exposing Remote Code Execution Risk
  • Rescana: Critical Kibana Vulnerability Report: Urgent Mitigation Needed for CVE-2025-25015
  • securityonline.info: CVE-2025-25012 (CVSS 9.9): Critical Code Execution Vulnerability Patched in Elastic Kibana
  • securityonline.info: CVE-2025-25015 (CVSS 9.9): Critical Code Execution Vulnerability Patched in Elastic Kibana
  • research.kudelskisecurity.com: Critical Kibana Vulnerability Enabling Remote Code Execution (CVE-2025-25012)
  • Tom Sellers: Elastic has published a security advisory for a CVSSv3 9.9 rated RCE in Kibana versions 8.15.0 to 8.17.2. The access required varies depending on the version, see the post below. Kibana version 8.17.3 has been released to address this vulnerability.
  • securityaffairs.com: Elastic patches critical Kibana flaw allowing code execution
Divya@gbhackers.com //

Critical RCE Vulnerability Found in MITRE Caldera - A critical Remote Code Execution vulnerability (CVE-2025-27364) has been discovered in MITRE Caldera, allowing remote attackers to execute arbitrary code via crafted web requests, affecting versions through 4.2.0 and 5.0.0 before commit 35bc06e, requiring patching.
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-27364, has been discovered in MITRE Caldera, a widely used adversarial emulation framework. This flaw allows attackers to remotely execute arbitrary code on affected Caldera servers. The vulnerability stems from Caldera's dynamic agent compilation functionality, which can be manipulated through crafted web requests. This poses a significant security risk, especially given Caldera's use in penetration testing and security automation, potentially granting attackers full control over compromised systems.

Versions of MITRE Caldera through 4.2.0 and 5.0.0 before commit 35bc06e are vulnerable and require immediate patching. The unauthenticated API endpoint in Caldera’s agent compilation process can be exploited by injecting arbitrary commands during compilation, specifically by abusing the `-extldflags` linker flag in GCC. This allows attackers to deploy rogue Sandcat or Manx agents, which can then execute commands on the compromised system leading to data exfiltration and further attacks on connected assets. Proof-of-Concept exploit details are publicly available.

Recommended read:
References :
  • community.emergingthreats.net: MITRE Caldera Remote Code Execution (CVE-2025-27364)
  • gbhackers.com: Critical RCE Vulnerability in MITRE Caldera – Proof of Concept Released
  • socradar.io: Security Alert: Critical Flaws in MITRE Caldera and Parallels Desktop (CVE-2025-27364, CVE-2024-34331)
  • The Register - Security: MITRE Caldera security suite scores perfect 10 for insecurity
  • cR0w :cascadia:: A perfect 10 in MITRE Caldera? Nice. 🥳 In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote attackers to execute arbitrary code on the server that Caldera is running on via a crafted web request to the Caldera server API used for compiling and downloading of Caldera's Sandcat or Manx agent (implants). This web request can use the gcc -extldflags linker flag with sub-commands.
  • Talkback Resources: CVE-2025-27364 (CVSS 10): Remote Code Execution Flaw Found in MITRE Caldera, PoC Releases
  • SOC Prime Blog: CVE-2025–27364 in MITRE Caldera: Exploitation of a New Max-Severity RCE Vulnerability via Linker Flag Manipulation Can Lead to Full System Compromise
  • thecyberexpress.com: MITRE Caldera Hit by Critical RCE Flaw (CVE-2025-27364) – Here’s What You Need to Know
  • Help Net Security: MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364)
@ciso2ciso.com //

Atlassian Patches Critical Vulnerabilities in Multiple Products - Atlassian releases security patches for 12 critical vulnerabilities affecting Bamboo, Bitbucket, Confluence, Crowd, and Jira, including a remote code execution flaw in Confluence.
Atlassian has released security patches to address 12 critical and high-severity vulnerabilities affecting multiple products, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. The patches address five critical-severity issues in Confluence Data Center and Server and Crowd Data Center and Server that were discovered in third-party dependencies used within the two products.

Updates released for Confluence Data Center and Server address two critical flaws in Apache Tomcat, tracked as CVE-2024-50379 and CVE-2024-56337 (CVSS score of 9.8). These issues could be exploited by unauthenticated attackers to achieve remote code execution. Atlassian urges customers to update their installations as soon as possible.

Recommended read:
References :
  • securityaffairs.com: Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira.
  • ciso2ciso.com: Atlassian Patches Critical Vulnerabilities in Confluence, Crowd – Source: www.securityweek.com
  • heise online English: Security updates Atlassian: Attacks on Bamboo Data Center and Server possible Attackers can attack Atlassian's Bitbucket Data Center and Server with malicious code, among other things.
info@thehackernews.com (The Hacker News)@The Hacker News //

Ivanti Patches Critical RCE Flaws in Connect Secure - Ivanti has released security updates for Connect Secure, Policy Secure, and Secure Access Client to address multiple vulnerabilities, including critical remote code execution flaws.
Ivanti has released critical security updates for Connect Secure (ICS), Policy Secure (IPS), and Secure Access Client (ISAC) to address multiple vulnerabilities. These include three critical severity problems that could allow remote code execution (RCE), posing a significant risk. The updates aim to patch flaws such as external control of a file name (CVE-2024-38657) and a stack-based buffer overflow (CVE-2025-22467), which can be exploited by authenticated attackers to execute arbitrary code and compromise system integrity.

The specific vulnerabilities addressed include CVE-2024-38657, which allows remote authenticated attackers with admin privileges to write arbitrary files, and CVE-2025-22467, a stack-based buffer overflow that enables remote code execution. Also patched is CVE-2024-10644 which is a code injection vulnerability, and CVE-2024-47908, an operating system command injection flaw in the admin web console of Ivanti CSA. Users are urged to update to the latest versions, Ivanti Connect Secure 22.7R2.6, Ivanti Policy Secure 22.7R1.3, and Ivanti CSA 5.0.5, as soon as possible to mitigate potential exploitation. While Ivanti is not aware of active exploitation, it's imperative to apply the patches due to the history of Ivanti appliances being weaponized.

Recommended read:
References :
  • Vulnerability-Lookup: Security advisory for Ivanti Connect Secure, Policy Secure, and Secure Access Client (multiple CVEs).
  • securityonline.info: Ivanti has disclosed multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products, with some The post appeared first on .
  • The Hacker News: Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now
  • BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
  • securityonline.info: CVE-2025-22467 (CVSS 9.9): Ivanti Connect Secure Vulnerability Allows Remote Code Execution
  • www.bleepingcomputer.com: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
  • vulnerability.circl.lu: February Security Advisory Ivanti Connect Secure (ICS),Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs), has been published on Vulnerability-Lookup
  • research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
  • bsky.app: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems.
  • socradar.io: Ivanti Security Update Addresses Severe Vulnerabilities in ICS, IPS, and ISAC (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644)
  • research.kudelskisecurity.com: Ivanti ICS, IPS, ISAC, CSA: Multiple Vulnerabilities Disclosed and Patched
  • BleepingComputer: Ivanti has released security updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Secure Access Client (ISAC) to address multiple vulnerabilities, including three critical severity problems

Posts

Blogs

Research Tools