CyberSecurity news

FlagThis - #remotecodeexecution

Sead Fadilpašić@techradar.com //

ASUS DriverHub Vulnerabilities Expose Users to RCE - Critical security flaws were discovered in ASUS DriverHub, allowing remote code execution, emphasizing the need for immediate updates.
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.

Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging the DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe.

ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards.

Recommended read:
References :
  • securityonline.info: Critical Security Flaws Found in ASUS DriverHub: Update Immediately
  • Rescana: Vulnerabilities in ASUS DriverHub Exposed: CVE-2025-3462 and CVE-2025-3463 Analysis
  • cyberinsider.com: Critical Flaw in ASUS DriverHub Exposes Users to Remote Code Execution
  • securityaffairs.com: Researchers found one-click RCE in ASUS’s pre-installed software DriverHub
  • The DefendOps Diaries: ASUS DriverHub Vulnerability: Understanding and Mitigating CVE-2025-3463
  • The Hacker News: ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files
  • BleepingComputer: The ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • bsky.app: ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.
  • www.techradar.com: Details on ASUS DriverHub driver management tool targeted by RCE vulnerability
  • www.scworld.com: ASUS DriverHub vulnerabilities fixed
  • Tech Monitor: TechMonitor article about ASUS DriverHub security vulnerability
  • the420.in: The420.in
  • Blog: ASUS patches RCE flaw in DriverHub utility
  • socradar.io: CVE-2025-3462 & CVE-2025-3463: ASUS DriverHub Flaws Enable RCE
@sec.cloudapps.cisco.com //

Cisco Patches Critical Flaw in IOS XE Controller - Cisco has released software updates to address a critical vulnerability in IOS XE Wireless Controller that allows remote attackers to load arbitrary files and gain root access.
Cisco has issued a critical security advisory to address CVE-2025-20188, a severe vulnerability affecting its IOS XE Wireless LAN Controllers (WLCs). This flaw, which has been assigned a CVSS score of 10.0, allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT) present within the affected system, enabling attackers to potentially gain root privileges. The vulnerability impacts several products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs.

The exploitation requires the Out-of-Band AP Image Download feature to be enabled, which is not enabled by default. An attacker can exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could enable the attacker to perform path traversal and execute arbitrary commands with root privileges, leading to a complete compromise of the affected system. Cisco advises administrators to check if the Out-of-Band AP Image Download feature is enabled by using the `show running-config | include ap upgrade` command. If the command returns `ap upgrade method https`, the feature is enabled, and the device is vulnerable.

Currently, there are no direct workarounds available to address this vulnerability. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed. Cisco has released free software updates to address this vulnerability, advising customers with service contracts to obtain these security fixes through their usual update channels, urging them to upgrade to the fixed release as soon as possible. As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability.

Recommended read:
References :
  • securityonline.info: Critical CVE-2025-20188 (CVSS 10) Flaw in Cisco IOS XE WLCs Allows Remote Root Access
  • The Hacker News: Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT
  • Rescana: Detailed Analysis Report on Cisco Security Advisory: cisco-sa-wlc-file-uplpd-rHZG9UfC Overview The Cisco Security Advisory ID...
  • Anonymous ???????? :af:: New Cisco flaw scores a perfect 10.0 CVSS. A hardcoded token. Root access. No login needed. If you run Catalyst 9800 wireless controllers, you’ll want to check this fast.
  • securityaffairs.com: Cisco fixed a critical flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files.
  • thecyberexpress.com: News about Cisco fixing a 10.0-rated wireless controller flaw (CVE-2025-20188).
  • securityonline.info: SecurityOnline reports on critical CVE-2025-20188 flaw in Cisco IOS XE WLCs allowing remote root access.
  • sec.cloudapps.cisco.com: Security Advisory - Security updates available for Cisco IOS and IOS XE Software
  • BleepingComputer: Cisco fixed a maximum severity IOS XE flaw letting attackers hijack devices
  • Security Risk Advisors: Critical Vulnerability in Cisco IOS XE Wireless Controllers Allows Unauthenticated Remote Code Execution
  • BleepingComputer: Cisco fixed a maxmimum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices. The flaw, tracked as CVE-2025-20188, is caused by a hardcoded JWT token that lets you bypass authentication and ultimately execute commands as root.
  • www.scworld.com: Cisco patches maximum severity vulnerability in IOS XE Software
  • www.bleepingcomputer.com: Critical vulnerability in Cisco IOS XE Wireless Controllers allows unauthenticated remote code execution
  • darkwebinformer.com: Cisco IOS XE Wireless Controllers Vulnerable to Unauthenticated Root Exploits via JWT (CVE-2025-20188)
  • BleepingComputer: Cisco fixed a maxmimum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices.
  • www.csoonline.com: Cisco patches max-severity flaw allowing arbitrary command execution
  • nvd.nist.gov: CVE-2025-20188 Details
@documentation.commvault.com //

Critical RCE Vulnerability in Commvault Command Center - A critical RCE vulnerability (CVE-2025-34028) in Commvault Command Center allows unauthenticated remote attackers to execute arbitrary code, potentially compromising the system.
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-34028, has been discovered in Commvault Command Center. This security flaw, rated a severity of 9.0 out of 10, allows unauthenticated remote attackers to execute arbitrary code on affected installations. The vulnerability stems from a path traversal issue that can lead to a complete compromise of the Command Center environment. Commvault acknowledged the flaw in an advisory released on April 17, 2025, highlighting the potential for attackers to gain control of the system without requiring authentication.

Commvault Command Center versions 11.38.0 through 11.38.19 of the 11.38 Innovation Release are impacted by this vulnerability. The root cause lies within the "deployWebpackage.do" endpoint, which is susceptible to a pre-authenticated Server-Side Request Forgery (SSRF) attack. This is because there is no filtering as to what hosts can be communicated with. Attackers can exploit this by sending an HTTP request to the vulnerable endpoint, causing the Commvault instance to retrieve a malicious ZIP file from an external server. Once retrieved, the contents of the ZIP file are unzipped into a temporary directory under the attacker's control.

The vulnerability was discovered and reported by Sonny Macdonald, a researcher at watchTowr Labs, on April 7, 2025. watchTowr published technical details and a proof-of-concept (PoC) exploit on April 24, 2025, increasing the urgency for users to apply the necessary patches. Commvault has addressed the vulnerability in versions 11.38.20 and 11.38.25, urging all users to upgrade immediately. The vulnerability was last modified by NIST’s National Vulnerability Database on April 23. watchTowr has also created a Detection Artefact Generator that organizations can use to determine if their instance is vulnerable to the vulnerability.

Recommended read:
References :
  • Open Source Security: Posted by Fabian Bäumer on Apr 19 Hi Alexander, We used a technique called state machine learning to infer the state machine of the Erlang/OTP SSH server by interaction. With the state machine at hand, we noticed unexpected state transitions during the handshake caused by SSH_MSG_CHANNEL_OPEN messages. In particular, sending SSH_MSG_CHANNEL_REQUEST without SSH_MSG_CHANNEL_OPEN caused the connection to terminate, while sending SSH_MSG_CHANNEL_OPEN first changed this...
  • Resources-2: On April 16th, 2025, Erlang/OTP team disclosed a critical vulnerability affecting their SSH server implementation [1]. CVE-2025-32433 is an unauthenticated remote code execution vulnerability with a CVSS score of 10.0 (Critical) that allows adversaries to run arbitrary code on vulnerable systems with elevated privileges.
  • Tenable Blog: Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices. Background On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the vulnerability mailing list.
  • arcticwolf.com: On April 24, 2025, watchTowr published technical details and a proof-of-concept (PoC) exploit for a critical vulnerability in Commvault Command Center, CVE-2025-34028, which had been disclosed earlier in April.
  • The Hacker News: A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations.
  • www.scworld.com: CVE-2025-34028 could lead to a complete compromise of the Command Center.
  • Arctic Wolf: CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center
  • labs.watchtowr.com: Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) - watchTowr Labs
  • Help Net Security: Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028)
  • Anonymous ???????? :af:: Critical Exploit Alert! A 9.0 CVSS flaw in Commvault Command Center lets hackers run code without logging in. 🯠Targets versions 11.38.0–11.38.19
  • SOC Prime Blog: SocPrime blog post on detecting CVE-2025-34028 exploitation
  • thecyberexpress.com: The Cyber Express article on the Commvault vulnerability
  • arcticwolf.com: CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center
  • Arctic Wolf: CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center
  • hackread.com: Critical Commvault Flaw Allows Full System Takeover – Update NOW
  • socprime.com: CVE-2025-34028 Detection: A Maximum-Severity Vulnerability in the Commvault Command Center Enables RCE
  • fortiguard.fortinet.com: What is the Vulnerability?A critical path traversal vulnerability has been identified in Commvault's Command Center Innovation Release.
  • watchTowr Labs: Fire In The Hole, We’re Breaching The Vault
  • www.csoonline.com: Critical Commvault SSRF could allow attackers to execute code remotely
  • Cyber Defense Magazine: Critical Commvault Flaw Allows Full System Takeover.
  • hackread.com: Enterprises using Commvault Innovation Release are urged to patch immediately against CVE-2025-34028. This critical flaw allows attackers to…
  • hackread.com: Critical Commvault Flaw Allows Full System Takeover – Update NOW
Sergiu Gatlan@BleepingComputer //

Cisco Webex Bug Allows Code Execution - Cisco Webex App has a high-severity vulnerability (CVE-2025-20236) enabling unauthenticated remote code execution via malicious meeting invite links; updates are available.
A critical vulnerability, identified as CVE-2025-20236, has been discovered in the Cisco Webex App, posing a significant security risk to users. The vulnerability allows unauthenticated attackers to gain client-side remote code execution through maliciously crafted meeting invite links. The flaw stems from insufficient input validation within the app's custom URL parser, which processes these meeting invites. An attacker can exploit this weakness by tricking a user into clicking on a malicious link, which can then download arbitrary files and execute commands on the user's system with their privileges.

Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level.

Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236.

Recommended read:
References :
  • securityonline.info: Cisco Patches CVE-2025-20236: Unauthenticated RCE Flaw in Webex App via Malicious Meeting Links
  • The DefendOps Diaries: Understanding the Cisco Webex App Vulnerability: A Call to Action
  • BleepingComputer: Cisco Webex bug lets hackers gain code execution via meeting links
  • bsky.app: Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
  • www.bleepingcomputer.com: Cisco Webex bug lets hackers gain code execution via meeting links
  • securityonline.info: Cisco Patches CVE-2025-20236: Unauthenticated RCE Flaw in Webex App via Malicious Meeting Links
info@thehackernews.com (The@The Hacker News //

Critical Erlang/OTP SSH Vulnerability Allows Code Execution - A critical unauthenticated remote code execution vulnerability (CVE-2025-32433) has been discovered in Erlang/OTP SSH servers, allowing attackers to execute arbitrary code on vulnerable systems with elevated privileges, and organizations are urged to patch vulnerable SSH servers without delay.
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.

The vulnerability affects all users running an SSH server based on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application providing SSH access using the Erlang/OTP SSH library should be considered affected. This vulnerability poses a significant risk, especially to critical infrastructure and high-availability systems where Erlang/OTP is widely used, such as in telecommunications equipment, industrial control systems, and connected devices. Expert Mayuresh Dani of Qualys emphasizes the critical nature, noting Erlang's frequent installation on high-availability systems. This vulnerability could allow actions such as installing ransomware or siphoning off sensitive data.

Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, increasing the urgency for organizations to take immediate action. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed they had developed their own exploit, describing it as "surprisingly easy" to reproduce. Mitigation strategies include immediately updating to the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround, it is recommended to disable the SSH server or restrict access via firewall rules until the updates can be applied. Organizations should evaluate their systems for potential compromise.

Recommended read:
References :
  • darkwebinformer.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
  • Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Ubuntu security notices: USN-7443-1: Erlang vulnerability
  • BleepingComputer: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • The Hacker News: TheHackerNews Article about CVSS 10.0 in Erlang/OTP SSH
  • The DefendOps Diaries: Explore the critical CVE-2025-32433 vulnerability in Erlang/OTP SSH, its impact, and mitigation strategies.
  • hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
  • github.com: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.openwall.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Resources-2: Picus Security Blog on Erlang/OTP SSH RCE
  • Tenable Blog: Details about CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability.
  • securityonline.info: SecurityOnline article on Erlang/OTP CVE-2025-32433 (CVSS 10): Critical SSH Flaw Allows Unauthenticated RCE
  • Security Risk Advisors: Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433).
  • securityonline.info: Erlang/OTP SSH Vulnerability (CVE-2025-32433).
  • Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.runzero.com: Discusses an SSHamble with remote code execution in Erlang/OTP SSH.
  • Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Cyber Security News: Cybersecurity News also reported this vulnerability.
  • securityboulevard.com: Vulnerability in Erlang/OTP SSH allows for unauthenticated remote code execution on vulnerable devices.
  • The DefendOps Diaries: Understanding and Mitigating CVE-2025-32433: A Critical Erlang/OTP Vulnerability
  • www.scworld.com: Maximum severity flaw impacts Erlang/OTP SSH Widely used library Erlang/OTP SSH was discovered to be affected by a maximum severity flaw, tracked as CVE-2025-32433, which could be leveraged to allow code execution without required logins, according to Hackread.
  • Open Source Security: Seclists Details on SSH execution in Erlang
  • Blog: CyberReason article on Erlang/OTP RCE Vulnerability.
  • infosecwriteups.com: InfoSec Writeups: Erlang/OTP SSH CVSS 10 RCE
  • securityboulevard.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH RCE bug now has public exploits, patch now
  • industrialcyber.co: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • www.cybersecuritydive.com: Researchers warn of critical flaw found in Erlang OTP SSH
  • Arctic Wolf: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • Industrial Cyber: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • www.csoonline.com: Public exploits already available for a severity 10 Erlang SSH vulnerability; patch now
  • arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • Security Risk Advisors: TheHackerNews post on Erlang/OTP SSH vulnerability.
  • securityonline.info: Critical RCE Vulnerability in Erlang/OTP SSH Server Impacts Multiple Cisco Products

Posts

Blogs

Research Tools