CyberSecurity news

FlagThis - #securitypatch

@nvd.nist.gov //
Two high-severity vulnerabilities, CVE-2025-5349 and CVE-2025-5777, have been disclosed in Citrix NetScaler ADC and NetScaler Gateway. According to the Citrix advisory published on June 17, 2025, both flaws pose a significant risk to organizations running the affected products, and customers are strongly advised to update as soon as possible. The affected versions are NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and 13.1-NDcPP before 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS before 12.1-55.328-FIPS. Versions 12.1 and 13.0 are End Of Life (EOL) and are also vulnerable; no fixed build exists for them, so those appliances must be moved to a supported branch.

CVE-2025-5777 (CVSS 9.3) stems from insufficient input validation that leads to a memory over-read, meaning the appliance can return bytes from beyond the intended buffer. It is only exploitable when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server, which are the roles normally exposed to the internet. CVE-2025-5349 (CVSS 8.7) is an improper access control flaw in the NetScaler Management Interface; exploiting it requires network access to the NSIP address, the Cluster Management IP or the local GSLB Site IP, so it matters most where the management plane is reachable from untrusted networks. The National Vulnerability Database provides additional detail on both CVE-2025-5349 and CVE-2025-5777.

To address these vulnerabilities, Citrix advises upgrading to the fixed builds listed above. Patching alone does not invalidate sessions that were established while the appliance was vulnerable: like the original CitrixBleed, the over-read can expose valid session tokens from memory (see the Help Net Security and DoublePulsar references below). Citrix therefore recommends that, after all NetScaler appliances in a high availability (HA) pair or cluster have been upgraded to a fixed build, administrators terminate all active ICA and PCoIP sessions with `kill icaconnection -all` and `kill pcoipConnection -all`. CERT-In has also issued an advisory regarding these vulnerabilities, and further information on the business impact is available from Cyberexpress.
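The advisory gives four fixed builds plus two EOL branches, and comparing that against a fleet by eye is error-prone ("13.1-58.32" versus "13.1-37.235-FIPS" live on different trains). The following triage helper is an added example, not Citrix's code: it encodes the fixed builds quoted above and classifies each appliance's version string. It assumes version strings either in the advisory's "14.1-43.56" form or in the "NetScaler NS14.1: Build 43.56.nc" form printed by `show ns version`, and it assumes FIPS/NDcPP builds are identifiable by that suffix appearing in the string; the sample inventory at the bottom is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed builds, taken from the Citrix advisory summarised above.
# Key: (release branch, FIPS/NDcPP build?) -> (build, sub-build)
FIXED_BUILDS = {
    ("14.1", False): (43, 56),    # 14.1-43.56
    ("13.1", False): (58, 32),    # 13.1-58.32
    ("13.1", True):  (37, 235),   # 13.1-37.235-FIPS and 13.1-37.235-NDcPP
    ("12.1", True):  (55, 328),   # 12.1-55.328-FIPS
}
# Non-FIPS 12.1 and 13.0 are end of life: vulnerable, with no fixed build to move to.
EOL_BRANCHES = {"12.1", "13.0"}

# Accepts "14.1-43.56" / "13.1-37.235-FIPS" (advisory style) and
# "NetScaler NS14.1: Build 43.56.nc" (assumed `show ns version` style).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[str, int, int, bool]]:
    """Return (branch, build, sub_build, is_fips), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    # Assumption: FIPS/NDcPP appliances carry that marker in the version string.
    is_fips = re.search(r"FIPS|NDcPP", text, re.IGNORECASE) is not None
    return m.group(1), int(m.group(2)), int(m.group(3)), is_fips


def assess(text: str) -> str:
    """Classify one appliance as patched, vulnerable, vulnerable-eol, unknown-branch or unparseable."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    branch, build, sub, is_fips = parsed
    fixed = FIXED_BUILDS.get((branch, is_fips))
    if fixed is None:
        if branch in EOL_BRANCHES and not is_fips:
            return "vulnerable-eol"
        return "unknown-branch"      # not in the advisory table: check the vendor advisory by hand
    # Tuple comparison orders by build first, then sub-build, matching how Citrix numbers releases.
    return "patched" if (build, sub) >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> status for a whole inventory."""
    return {name: assess(version) for name, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for the example.
    sample = {
        "ns-gw-01": "NetScaler NS14.1: Build 43.50.nc",
        "ns-gw-02": "14.1-43.56",
        "ns-fips-01": "13.1-37.207-FIPS",
        "ns-legacy": "13.0-92.21",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Anything reported as vulnerable or vulnerable-eol is a candidate for the session-kill step as well as the upgrade, since tokens leaked before the patch remain valid until the sessions are terminated.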

Recommended read:
References :
  • thecyberexpress.com: Two High-Severity Flaws Found in NetScaler Products: CVE-2025-5349 and CVE-2025-5777
  • cert.europa.eu: CERT-In has issued an advisory regarding these vulnerabilities.
  • nvd.nist.gov: The National Vulnerability Database provides additional detail on CVE-2025-5349 and CVE-2025-5777.
  • Blog: How to find Citrix NetScaler ADC & Gateway instances on your network
  • doublepulsar.com: CitrixBleed 2: Electric Boogaloo - CVE-2025-5777
  • infosec.exchange: Critical Netscaler CVE-2025-5777 patch released!
  • www.helpnetsecurity.com: Critical Netscaler CVE-2025-5777 patch released! Like CitrixBleed, this vulnerability allows attackers to grab valid session tokens from the memory of internet-facing devices by sending a malformed request.

@cyberinsider.com //
Mozilla has released Firefox 139 to address a critical security vulnerability within the libvpx video codec encoder. This flaw, identified as a double-free vulnerability, could potentially lead to memory corruption and allow for arbitrary code execution on affected systems. Security experts are urging users to update to the latest version of Firefox immediately to mitigate the risk.

The vulnerability is particularly concerning because it is a zero-interaction exploit, meaning that an attacker could potentially execute malicious code without any user action beyond normal browsing activity. This underscores the importance of applying the patch as soon as possible to prevent potential compromise. The update aims to protect users from remote code execution attacks that could exploit the flaw in the libvpx codec.

The security community has highlighted the importance of prioritizing critical patches such as this one. Memory-safety bugs in media codecs are a recurring source of browser exploits because the codec processes attacker-supplied content by design, so updating to Firefox 139 is the only reliable protection against this flaw.

Recommended read:
References :
  • cyberinsider.com: Mozilla Patches Critical libvpx Double-Free Vulnerability in Firefox 139
  • securityonline.info: Firefox Alert: Zero-Interaction Exploit in libvpx Allows Arbitrary Code Execution

@sec.cloudapps.cisco.com //
Cisco has issued a critical security advisory to address CVE-2025-20188, a severe vulnerability affecting its IOS XE Wireless LAN Controllers (WLCs). This flaw, which has been assigned a CVSS score of 10.0, allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT) present within the affected system, enabling attackers to potentially gain root privileges. The vulnerability impacts several products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs.

Exploitation requires the Out-of-Band AP Image Download feature to be enabled; it is disabled by default. An attacker sends crafted HTTPS requests to the AP image download interface, and a successful exploit allows path traversal and execution of arbitrary commands with root privileges, a complete compromise of the controller. Cisco advises administrators to check whether the feature is enabled with `show running-config | include ap upgrade`. If the output contains `ap upgrade method https`, the feature is enabled and the device is vulnerable; if the command returns nothing, the controller is using the default CAPWAP download method and this attack path is not exposed, although the software should still be upgraded.

Currently, there are no direct workarounds available to address this vulnerability. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed. Cisco has released free software updates to address this vulnerability, advising customers with service contracts to obtain these security fixes through their usual update channels, urging them to upgrade to the fixed release as soon as possible. As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability.

Recommended read:
References :
  • securityonline.info: Critical CVE-2025-20188 (CVSS 10) Flaw in Cisco IOS XE WLCs Allows Remote Root Access
  • The Hacker News: Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT
  • Rescana: Detailed Analysis Report on Cisco Security Advisory cisco-sa-wlc-file-uplpd-rHZG9UfC
  • Anonymous: New Cisco flaw scores a perfect 10.0 CVSS. A hardcoded token. Root access. No login needed. If you run Catalyst 9800 wireless controllers, you'll want to check this fast.
  • securityaffairs.com: Cisco fixed a critical flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files.
  • thecyberexpress.com: News about Cisco fixing a 10.0-rated wireless controller flaw (CVE-2025-20188).
  • securityonline.info: SecurityOnline reports on critical CVE-2025-20188 flaw in Cisco IOS XE WLCs allowing remote root access.
  • sec.cloudapps.cisco.com: Security Advisory - Security updates available for Cisco IOS and IOS XE Software
  • BleepingComputer: Cisco fixed a maximum severity IOS XE flaw letting attackers hijack devices
  • Security Risk Advisors: Critical Vulnerability in Cisco IOS XE Wireless Controllers Allows Unauthenticated Remote Code Execution
  • BleepingComputer: Cisco fixed a maximum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices. The flaw, tracked as CVE-2025-20188, is caused by a hardcoded JWT token that lets you bypass authentication and ultimately execute commands as root.
  • www.scworld.com: Cisco patches maximum severity vulnerability in IOS XE Software
  • www.bleepingcomputer.com: Critical vulnerability in Cisco IOS XE Wireless Controllers allows unauthenticated remote code execution
  • darkwebinformer.com: Cisco IOS XE Wireless Controllers Vulnerable to Unauthenticated Root Exploits via JWT (CVE-2025-20188)
  • www.csoonline.com: Cisco patches max-severity flaw allowing arbitrary command execution
  • nvd.nist.gov: CVE-2025-20188 Details

Ddos@securityonline.info //
SonicWall has released critical security updates to address three vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products. The vulnerabilities, discovered by Rapid7 cybersecurity researcher Ryan Emmons, impact SMA 200, 210, 400, 410, and 500v devices running firmware version 10.2.1.14-75sv and earlier. The most severe of these flaws, CVE-2025-32819, has a CVSS score of 8.8 and could allow a remote authenticated attacker with SSL-VPN user privileges to bypass path traversal checks and delete arbitrary files, potentially leading to a reboot to factory default settings. SonicWall urges users to upgrade to the fixed release version 10.2.1.15-81sv and higher immediately.

The advisory also covers CVE-2025-32820, a post-authentication SSL-VPN user path traversal vulnerability with a CVSS score of 8.3. It allows a remote authenticated attacker with SSL-VPN user privileges to inject a path traversal sequence that makes any directory on the SMA appliance writable. A third vulnerability, CVE-2025-32821 (CVSS 6.7), allows a remote authenticated attacker with SSL-VPN admin privileges to inject shell command arguments and upload a file to the appliance. Security researchers note that the three can be chained: the traversal bugs get attacker-controlled files into privileged locations, and the upload primitive then turns that into remote code execution as root.
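Both CVE-2025-32819 and CVE-2025-32820 are described as bypasses of existing path traversal checks, which is a reminder that the check usually fails before the filesystem is ever touched. The example below is added here and is not SonicWall's code; it does not reproduce the SMA implementation. It contrasts a generic validate-then-decode resolver, which is defeated by an encoded `..%2f` or by an absolute path, with a resolver that decodes once, anchors the path under the data directory, normalises it and only then checks containment. `BASE_DIR` and the probe strings are made up for the example.

```python
import posixpath
from typing import Dict, List, Optional
from urllib.parse import unquote

# Hypothetical appliance data directory (an assumption for the example, not a real SMA path).
BASE_DIR = "/usr/src/data"


def naive_is_safe(user_path: str) -> bool:
    """The kind of check a traversal bypass defeats: reject only a literal '../'."""
    return "../" not in user_path


def vulnerable_resolve(base: str, user_path: str) -> Optional[str]:
    """Validate first, decode second, then join: two classic ordering mistakes."""
    if not naive_is_safe(user_path):
        return None
    decoded = unquote(user_path)                   # '..%2f' only becomes '../' after the check ran
    # posixpath.join discards base entirely when the second argument is absolute.
    return posixpath.normpath(posixpath.join(base, decoded))


def resolve_safely(base: str, user_path: str) -> Optional[str]:
    """Decode once, anchor under base, normalise, then verify containment lexically."""
    decoded = unquote(user_path)                   # decode exactly as many times as the server will
    anchored = posixpath.join(base, decoded.lstrip("/"))   # an absolute path can never replace base
    candidate = posixpath.normpath(anchored)       # collapses '..' and '.' segments
    base_norm = posixpath.normpath(base)
    # Require base itself or base + '/' as the prefix, so '/usr/src/data2' is not mistaken for base.
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None


def compare(probes: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Run every probe through both resolvers so the bypasses are visible side by side."""
    return {
        p: {"vulnerable": vulnerable_resolve(BASE_DIR, p), "safe": resolve_safely(BASE_DIR, p)}
        for p in probes
    }


if __name__ == "__main__":
    # Constructed probes: one benign name, a plain traversal, an encoded traversal, an absolute path
    # and a prefix-collision attempt against a sibling directory.
    for probe, result in compare(
        ["reports/2025.pdf", "../../etc/passwd", "..%2f..%2fetc/passwd", "/etc/passwd", "../data2/x"]
    ).items():
        print(f"{probe!r:28} vulnerable={result['vulnerable']!r:36} safe={result['safe']!r}")
```

The lexical check is deliberate: it is deterministic and testable without a filesystem. On a real appliance it must be paired with `os.path.realpath` (or an `O_NOFOLLOW`-style open) so that a symlink inside the data directory cannot point the already-validated path somewhere else, and any delete or write should happen on the validated `candidate`, never on the original user string.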

As a workaround and additional safety measure, SonicWall recommends enabling multifactor authentication (MFA) on the devices, enabling WAF on SMA100 and resetting the passwords for any users who may have logged into the device via the web interface. The cybersecurity company also noted that CVE-2025-32819 may have been exploited in the wild as a zero-day based on known indicators of compromise. Users are advised to update their instances to the latest version for optimal protection.

Recommended read:
References :
  • bsky.app: SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks
  • securityonline.info: SonicWall has released a security advisory detailing multiple vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products.
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • BleepingComputer: SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks [...]

@source.android.com //
Google has released its May 2025 Android security bulletin, addressing a total of 46 vulnerabilities. The update includes a fix for CVE-2025-27363, a critical flaw in the Android System component that is already being exploited in the wild. Google classifies it as a remote code execution issue; a successful exploit yields local code execution with no additional privileges required and without any user interaction.

This vulnerability stems from FreeType, an open-source font rendering library widely embedded in Android. Google's advisory underscores the severity of this actively exploited bug, prompting the U.S. CISA to add it to its Known Exploited Vulnerabilities Catalog. U.S. federal agencies are now under directive to apply the patch by May 27, 2025.

The May 2025 Android security bulletin resolves several other high-impact issues across Android versions 13 through 15. These include multiple Elevation of Privilege (EoP) flaws affecting both the framework and system components. Among them are CVE-2025-0087 and CVE-2025-26426. Users are encouraged to check for updates to ensure their devices are protected from these vulnerabilities. The update is available for Android 13, 14, and 15, with Android vendors notified of the issues at least a month before publication.

Recommended read:
References :
  • CyberScoop: Google addresses 1 actively exploited vulnerability in May’s Android security update
  • Malwarebytes: Malwarebytes discusses Android fixes 47 vulnerabilities, including one zero-day.
  • securityaffairs.com: SecurityAffairs Google fixed actively exploited Android flaw CVE-2025-27363
  • The Hacker News: The hackernews update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
  • socradar.io: SocRadar: Android’s May 2025 Update Tackles CVE-2025-27363 & More
  • www.bleepingcomputer.com: bleepingcomputer: Google fixes actively exploited FreeType flaw on Android
  • thecyberexpress.com: Google Rolls Out May 2025 Android Security Bulletin, Fixes 46 Vulnerabilities Including CVE-2025-27363

Ddos@securityonline.info //
Cybersecurity firm SonicWall has issued warnings to its customers regarding active exploitation of several vulnerabilities affecting its Secure Mobile Access (SMA) appliances. These vulnerabilities, including CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035 can lead to unauthorized access to files and system compromise. Organizations utilizing SonicWall SMA 100 series appliances are strongly urged to apply the necessary patches immediately to mitigate the risk. The active exploitation highlights the critical need for organizations to maintain up-to-date security measures and promptly address security advisories from vendors.

Specifically, CVE-2024-38475 is a critical-severity flaw in the mod_rewrite module of Apache HTTP Server that lets an unauthenticated remote attacker map URLs to filesystem locations the server is permitted to serve but never intended to expose, which can result in source disclosure or code execution. SonicWall addressed it in firmware version 10.2.1.14-75sv and later. CVE-2023-44221 is a high-severity command injection flaw that allows an attacker with administrative privileges to inject arbitrary commands. CVE-2021-20035 is an OS command injection vulnerability that has been actively exploited in the wild since January 2025.

The exploitation of these vulnerabilities has prompted advisories and updates, including CISA adding CVE-2021-20035 to its Known Exploited Vulnerabilities catalog. Security researchers have observed active scanning for CVE-2021-20016. It is paramount that organizations proactively manage and patch vulnerabilities to protect their networks and sensitive data.

Recommended read:
References :
  • The DefendOps Diaries: Understanding SonicWall SMA100 Vulnerabilities: Risks and Mitigation
  • BleepingComputer: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
  • Arctic Wolf: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • isc.sans.edu: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • thehackernews.com: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
  • securityonline.info: SonicWall confirms active exploitation of SMA 100 vulnerabilities – urges immediate patching
  • Talkback Resources: SonicWall disclosed exploited security flaws in SMA100 Secure Mobile Access appliances, including OS Command Injection and Apache HTTP Server mod_rewrite issues, with patches released in versions 10.2.1.10-62sv and 10.2.1.14-75sv.
  • arcticwolf.com: Follow-Up: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • Talkback Resources: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models [net]
  • es-la.tenable.com: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • bsky.app: Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
  • securityaffairs.com: SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances.
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
  • MSSP feed for Latest: SonicWall Flags New Wave of VPN Exploits Targeting SMA Devices
  • Help Net Security: Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)
  • www.scworld.com: SonicWall confirms exploitation of two SMA 100 bugs, one critical
  • securityonline.info: SonicWall Issues Patch for SSRF Vulner
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware
  • hackread.com: watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
  • cyberpress.org: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
  • watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
  • Talkback Resources: Iranian state-sponsored threat group conducted a long-term cyber intrusion targeting critical national infrastructure in the Middle East, exhibiting tradecraft overlaps with Lemon Sandstorm, using custom malware families and sophisticated tactics to maintain persistence and bypass network segmentation.
  • Cyber Security News: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • RedPacket Security: SonicWall Products Multiple Vulnerabilities
  • thecyberexpress.com: CISA Adds Two Known Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • Cyber Security News: SonicWall Secure Mobile Access (SMA) appliances are under active attack due to two critical vulnerabilities- CVE-2023-44221 (post-authentication command injection) and CVE-2024-38475(pre-authentication arbitrary file read)-being chained to bypass security controls.
  • bsky.app: SonicWall urges admins to patch VPN flaw exploited in attacks
  • securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
  • MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release

@Open Source Security //
A heap buffer overflow, CVE-2024-56406, has been discovered in Perl 5.34, 5.36, 5.38 and 5.40. The flaw occurs when the `tr` operator transliterates non-ASCII bytes and can lead to a denial of service or, in some cases, arbitrary code execution. It was introduced by a single commit and is present in every build from 5.33.1 through 5.41.10. A specially crafted Perl one-liner is enough to trigger a segmentation fault.

The vulnerability, reported by Nathan Mills, is in the `S_do_trans_invmap()` function, which advances the destination pointer `d` past the end of its buffer when non-ASCII characters appear on the left-hand side of `tr`. Any program that applies such a `tr` to attacker-controlled input can be crashed, so the practical exposure is greatest for server-side Perl scripts handling untrusted input, shared hosting environments, and legacy systems with weak memory protections.

To mitigate this vulnerability, update Perl to 5.40.2 or 5.38.4, which contain the fix (essentially a revert of the offending commit). Ubuntu users get the fix in perl 5.38.2-5ubuntu0.1 (Ubuntu 24.10), 5.38.2-3.2ubuntu0.1 (Ubuntu 24.04) and 5.34.0-3ubuntu1.4 (Ubuntu 22.04); a standard system update should address the issue for most users.

Recommended read:
References :
  • Open Source Security: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
  • securityonline.info: CVE-2024-56406: Heap Overflow Vulnerability in Perl Threatens Denial of Service and Potential Code Execution
  • Ubuntu security notices: USN-7434-1: Perl vulnerability

Bill Mann@CyberInsider //
Apple has released a series of security updates for its operating systems, including iOS 18.4 and macOS Sequoia 15.4. Across the lineup they address a total of 145 vulnerabilities, including several zero-days that may have been actively exploited. Users of iOS, iPadOS, macOS, tvOS, visionOS, Safari and Xcode are urged to update immediately. Notably, watchOS was missing from this patch lineup.

Apple also pushed emergency updates covering three zero-day vulnerabilities, among them CVE-2025-24200 (Accessibility) and CVE-2025-24201 (WebKit). These fixes have been backported to the older iOS and iPadOS 15.8.4 and 16.7.11 releases, so users on devices that cannot run the current major version are also protected from the actively exploited flaws. The updates further include fixes in WebKit, Siri, Safari and libxpc, along with numerous other security fixes across Apple's product ecosystem.

Recommended read:
References :
  • bsky.app: EMERGENCY UPDATES: Apple pushed additional updates for 3 zero-days that may have been actively exploited. CVE-2025-24200 (Accessibility) additional patches, CVE-2025-24201 (WebKit) additional patches: iOS and iPadOS 15.8.4; iOS and iPadOS 16.7.11.
  • CyberInsider: Apple has issued a wide set of security updates, patching multiple zero-day vulnerabilities across its operating systems — including iOS, macOS, iPadOS, and Safari — and notably extended critical fixes to older software versions, addressing previously exploited flaws.
  • isc.sans.edu: Apple Patches Everything: March 31st 2025 Edition, (Mon, Mar 31st)
  • The Apple Post: Apple releases iOS 18.4 with Priority Notifications feature, Control Center updates, new emoji, more
  • bsky.app: NEW SECURITY CONTENT: macOS Sequoia 15.4 (131 bugs fixed), macOS Sonoma 14.7.5 (91), macOS Ventura 13.7.5 (85), iOS and iPadOS 18.4 (62), visionOS 2.4 (38), iPadOS 17.7.6 (38), tvOS 18.4 (36).
  • securityaffairs.com: Apple has backported fixes for three actively exploited vulnerabilities to older devices and OS versions.
  • The Register - Security: Apple belatedly patches actively exploited bugs in older OSes
  • thecyberexpress.com: Apple Backports Zero-Day Patches to Older Devices in Latest Security Update
  • The Hacker News: Apple Backports Critical Fixes for 3 Live Exploits Impacting iOS and macOS Legacy Devices