CyberSecurity news

FlagThis - #securitypatch

@csoonline.com //
Broadcom has issued urgent security patches to address three actively exploited vulnerabilities affecting VMware ESXi, Workstation, and Fusion products. These flaws, tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, could enable attackers to execute code and disclose sensitive information. VMware ESXi is under active exploitation in the wild, making timely patching crucial to prevent potential attacks. The vulnerabilities impact various versions of VMware ESXi 8.0, 7.0, Workstation 17.x, Fusion 13.x, Cloud Foundation 5.x and 4.x, and Telco Cloud Platform.

The most critical flaw, CVE-2025-22224, boasts a CVSS score of 9.3 and is a heap-overflow vulnerability leading to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine could exploit this to execute code as the virtual machine's VMX process running on the host. Broadcom credited Microsoft's MSTIC security team with discovering and reporting these vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal civilian agencies to patch them by March 25, 2025.

Recommended read:
References :
  • bsky.app: Broadcom released security patches to patch an actively exploited zero-day in its VMware ESXi products. Broadcom credited Microsoft's MSTIC security team with spotting and reporting the attacks.
  • The Hacker News: Broadcom Releases Urgent Patches
  • The Register - Software: VMware splats guest-to-hypervisor escape bugs already exploited in wild
  • www.csoonline.com: VMware ESXi gets critical patches for in-the-wild virtual machine escape attack
  • securityaffairs.com: VMware fixed three actively exploited zero-days in ESX products
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
  • bsky.app: BleepingComputer article on VMware zero-days.
  • Vulnerability-Lookup: A new bundle, VMSA-2025-0004: VMware ESXi, Workstation, and Fusion updates address multiple vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226), has been published on Vulnerability-Lookup:
  • The Record: Three product lines from technology giant VMware — ESXI, Workstation and Fusion — have patches for vulnerabilities that the company and the federal government have said are being exploited by hackers
  • securityaffairs.com: U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog
  • borncity.com: 0-day vulnerabilities in VMWare ESXi, Workstation and Fusion
  • socradar.io: VMware Security Alert: Active Exploitation of Zero-Day Vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226)
  • Arctic Wolf: Three VMware Zero-Days Exploited in the Wild Patched by Broadcom
  • Blog: Multiple zero-days in VMware products actively exploited
  • gbhackers.com: CISA Issues Alert on Actively Exploited VMware Vulnerabilities
  • www.tenable.com: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226: Zero-Day Vulnerabilities in VMware ESXi, Workstation and Fusion Exploited
  • Information Security Buzz: Broadcom warns VMware users of Critical Zero-Day Exploits
  • www.cybersecuritydive.com: 37K+ VMware ESXi instances vulnerable to critical zero-day
  • www.itpro.com: Broadcom issues urgent alert over three VMware zero-days
  • Carly Page: Broadcom is warning that a trio of VMware vulnerabilities are being actively exploited by hackers to compromise the networks of its corporate customers
  • techcrunch.com: Security experts warn of ‘huge impact’ of actively exploited hypervisor flaws that allow sandbox escape
  • Security Risk Advisors: Three Critical VMware Vulnerabilities Exploited in Wild Targeting ESXi, Workstation, and Fusion
  • www.cybersecuritydive.com: Broadcom urges customers to patch 3 zero-day VMware flaws
  • MSSP feed for Latest: Broadcom: VMware Zero-Days Being Exploited in the Wild
  • www.bleepingcomputer.com: Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild.
  • research.kudelskisecurity.com: Critical VMware ESXi, Workstation, Fusion Vulnerabilities Seen Exploited in Wild
  • cyble.com: Three VMware Zero-Days Under Active Exploitation – What You Need to Know
  • Zack Whittaker: VMware emergency hypervisor escape bugs under attack

MSSP Alert@MSSP feed for Latest //
Apple has issued critical security updates for iOS 18.3.2 and iPadOS 18.3.2, addressing a actively exploited WebKit vulnerability identified as CVE-2025-24201. This flaw allowed cybercriminals to use maliciously crafted web content to bypass the Web Content sandbox. The update is available for iPhone XS and later, multiple iPad Pro models, iPad Air (3rd generation and later) and iPad mini (5th generation and later).

Users are urged to update their devices promptly by navigating to Settings > General > Software Update. Security experts emphasize the importance of these patches, noting that failure to update leaves devices vulnerable to compromise. According to Adam Boynton, senior security strategy manager EMEIA at Jamf, keeping devices up to date is essential. He also stated that this particular flaw allowed attackers to access data in other parts of the operating system.

Recommended read:
References :
  • The DefendOps Diaries: Apple's Swift Response to WebKit Zero-Day Vulnerability: CVE-2025-24201
  • BleepingComputer: Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
  • securityaffairs.com: Apple fixed the third actively exploited zero-day of 2025
  • CyberInsider: Apple Patches Zero-Day Flaw Used in Targeted iPhone Attacks
  • Threats | CyberScoop: Apple released emergency software patches Tuesday that address a newly identified zero-day vulnerability in the company’s WebKit web browser engine.  Tracked as CVE-2025-24201, an attacker can potentially escape the constraints of Webkit’s Web Content sandbox, potentially leading to unauthorized actions.
  • techcrunch.com: The flaw was in the browser engine WebKit, used by Safari and other apps.
  • bsky.app: Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.
  • bsky.app: Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.
  • infosec.exchange: NEW: Apple patched a zero-day in WebKit that “may have been exploited in an extremely sophisticated attack against specific targeted individuals.â€� This is second time, AFAICT, that Apple uses the "extremely sophisticated" phrase for a patched bug.
  • The Hacker News: Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks
  • www.csoonline.com: Apple patches zero-day bugs used in targeted iPhone attacks
  • Blog: FieldEffect blog post on apple-emergency-update-extremely-sophisticated-zero-day.
  • www.infosecurity-magazine.com: iOS 18.3.2 Patches Actively Exploited WebKit Vulnerability
  • MSSP feed for Latest: Apple Addresses Actively-Exploited Zero-Day In WebKit Browser Engine
  • Malwarebytes: Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacksâ€�
  • SOC Prime Blog: CVE-2025-24201 Exploitation: Apple Fixes the WebKit Zero-Day Vulnerability Used in Sophisticated Attacks
  • bsky.app: Apple pushed additional updates for a zero-day that may have been actively exploited.
  • ApplSec: Apple pushed updates for a new zero-day that may have been actively exploited.
  • iThinkDifferent: iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, and visionOS 2.3.2 released with critical WebKit security fix
  • www.zdnet.com: Apple is patching a vulnerability in iPhones and iPads that could be exploited in "extremely sophisticated" attacks. The vulnerability, dubbed CVE-2025-24201, was found in , Apple's open-source framework that helps render pages in Safari, Mail, App Store, and other apps. It
  • bsky.app: 📣 EMERGENCY UPDATE 📣 Apple pushed updates for a new zero-day that may have been actively exploited. ğŸ�› CVE-2025-24201 (WebKit): - iOS and iPadOS 18.3.2 - macOS Sequoia 15.3.2 - visionOS 2.3.2 #apple #infosec
  • bsky.app: 📣 EMERGENCY UPDATE 📣 Apple pushed updates for a new zero-day that may have been actively exploited. ğŸ�› CVE-2025-24201 (WebKit): - iOS and iPadOS 18.3.2 - macOS Sequoia 15.3.2 - visionOS 2.3.2 #apple #infosec
  • Rescana: Apple Urgently Patches CVE-2025-24201 Zero-Day in iOS, iPadOS, macOS, visionOS, and Safari amid Attacks
  • PCMag UK security: Update Now: Apple Rolls Out Fix for 'Extremely Sophisticated' Zero-Day Bug
  • eWEEK: Apple addressed a zero-day vulnerability, tracked as CVE-2025-24201, that has been exploited in “extremely sophisticatedâ€� cyber attacks.

@The DefendOps Diaries //
Mozilla has issued an urgent security update for its Firefox browser on Windows to address a critical sandbox escape vulnerability, identified as CVE-2025-2857. This flaw allows attackers to bypass the browser's security sandbox, posing significant risks to Windows users. Mozilla is releasing security updates for Firefox versions 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1 to patch this vulnerability.

The vulnerability, reported by Mozilla developer Andrew McCreight, involves an incorrect handle that could lead to sandbox escapes, potentially enabling attackers to execute arbitrary code on affected systems. This comes after a similar exploit, CVE-2025-2783, was identified in Google Chrome. Windows users are advised to update their browsers to the latest version as soon as possible to mitigate this risk.

Recommended read:
References :
  • securityonline.info: Mozilla releases urgent security patch for Windows users as researchers uncover another IPC vulnerability echoing a recently exploited
  • The DefendOps Diaries: Mozilla warns of a critical Firefox vulnerability allowing sandbox escapes, posing significant security risks to Windows users.
  • The Hacker News: Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
  • BleepingComputer: Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems.
  • CyberInsider: Firefox Says It’s Vulnerable to Chrome’s Zero-Day Used in Espionage Attacks
  • The Register - Security: After Chrome patches zero-day used to target Russians, Firefox splats similar bug
  • Security Affairs: Mozilla fixed critical Firefox vulnerability CVE-2025-2857
  • PCMag UK security: Chrome Zero-Day Flaw Also Affects Firefox
  • gbhackers.com: Mozilla is working to patch the vulnerability, tracked as CVE-2025-2857, with security updates for Firefox 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1.
  • MSPoweruser: Google patches a Chrome zero-day vulnerability used in espionage
  • thecyberexpress.com: Mozilla has issued an urgent update for Firefox on Windows to patch a critical security vulnerability.

Bill Toulas@BleepingComputer //
GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.

Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. Other vulnerabilities that were addressed are CVE-2025-27407, a high severity Ruby graphql vulnerability.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: SecurityAffairs article on GitLab addressed critical flaws in CE and EE
  • socradar.io: SocRadar article on GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • The DefendOps Diaries: GitLab's Critical Vulnerability Fixes: What You Need to Know
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Rescana Cybersecurity Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
  • securityonline.info: GitLab urgently patches critical authentication bypass flaws – CVE-2025-25291 & CVE-2025-25292
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication

openwall.com via lattera@Lobsters //
Multiple vulnerabilities have been discovered in rsync, a widely used file transfer program, totaling six distinct security flaws. The most severe of these is a critical remote code execution (RCE) vulnerability identified as CVE-2024-12084. This flaw allows an attacker with only anonymous read access to an rsync server, often found in public mirrors, to execute arbitrary code on the server. This highlights the serious risk facing systems running vulnerable versions of rsync, particularly those with exposed rsync servers. The vulnerability stems from improper handling of checksum lengths.

Other discovered vulnerabilities include information leaks and symlink issues. There is also the potential for an attacker to enumerate the contents of arbitrary files on a client's machine when copying files to a server. To mitigate all six vulnerabilities, users and administrators are strongly advised to upgrade to rsync version 3.4.0, released on January 14th. However, a regression was found in 3.4.0, so version 3.4.1 is now available. It's crucial to apply this patch, especially for systems running the rsyncd daemon.

Recommended read:
References :

do son@Cybersecurity News //
A use-after-free vulnerability, tracked as CVE-2025-30232, has been discovered in the Exim mail transfer agent (MTA), a popular choice for Unix systems. The vulnerability affects Exim versions 4.96 through 4.98.1 and could allow attackers with command-line access to escalate privileges on affected systems. This could potentially lead to unauthorized access to system resources and the execution of arbitrary commands with elevated privileges, compromising the entire server.

It's crucial that systems run one of the vulnerable versions (4.96, 4.97, 4.98, or 4.98.1) and that the attacker has command-line access for exploitation. The Exim project has already released a patch in version 4.98.2 to address this flaw. System administrators are strongly advised to update to this latest version as soon as possible. The vulnerability was reported to Exim on March 13, 2025, by Trend Micro, with a security release made available to distribution maintainers on March 21 and public notification on March 25.

Recommended read:
References :

Bill Toulas@BleepingComputer //
GitLab has released critical security updates for versions 17.9.2, 17.8.5, and 17.7.7 of both its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities. The updates are aimed at rectifying authentication bypass risks and a Remote Code Execution (RCE) threat. Users with self-managed GitLab installations are strongly encouraged to upgrade immediately to one of these patched versions to mitigate potential exploits. GitLab.com is already running the patched version, and GitLab Dedicated customers will be notified once their instances have been updated.

Patches address critical vulnerabilities, most notably authentication bypasses in the SAML single sign-on (SSO) authentication mechanism. Specifically, CVE-2025-25291 and CVE-2025-25292 involve authentication bypass issues in the SAML SSO mechanism due to discrepancies in XML parsing within the ruby-saml library. The vulnerability could allow an attacker with a valid signed SAML document to authenticate as another user. Mitigation includes enabling two-factor authentication, disabling SAML two-factor bypass, and mandating admin approval for new users. Another significant high-severity vulnerability, CVE-2025-27407, involves remote code execution via the Ruby graphql library when transferring a malicious project.

Recommended read:
References :
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: GitLab addressed critical auth bypass flaws in CE and EE
  • socradar.io: GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Comprehensive Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7

info@thehackernews.com (The Hacker News)@The Hacker News //
Google has released the February 2025 Android security updates, patching a total of 48 vulnerabilities. Among these fixes is a critical zero-day kernel vulnerability, identified as CVE-2024-53104, which Google has confirmed is being actively exploited in the wild. This particular flaw is a privilege escalation issue found within the USB Video Class (UVC) driver, potentially allowing attackers to gain elevated permissions on affected devices.

The vulnerability, with a CVSS score of 7.8, stems from an out-of-bounds write condition within the "uvc_parse_format()" function of the "uvc_driver.c" program, specifically when parsing UVC_VS_UNDEFINED frames. This flaw, present since Linux kernel version 2.6.26 released in mid-2008, could lead to memory corruption, program crashes, or even arbitrary code execution. While the specific actors behind the exploitation remain unclear, the potential for "physical" privilege escalation raises concerns about misuse by forensic data extraction tools.

Recommended read:
References :
  • cyberinsider.com: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • securityaffairs.com: Google fixed actively exploited kernel zero-day flaw
  • The Hacker News: Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104
  • CyberInsider: Google Fixes Zero-Day Flaw Exploited in Targeted Android Attacks
  • ciso2ciso.com: Google fixed actively exploited kernel zero-day flaw
  • BleepingComputer: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.
  • Pyrzout :vm:: Social post about google actively exploited kernel zero-day flaw.
  • www.bleepingcomputer.com: The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability tagged as exploited in the wild.

Ashish Khaitan@The Cyber Express //
Multiple critical vulnerabilities have been identified in several Apache software products, posing significant risks to users. The Cyber Security Agency of Singapore has issued alerts regarding these flaws, urging immediate updates. CVE-2024-43441 affects Apache HugeGraph-Server, allowing for authentication bypass, potentially granting unauthorized access to systems. Another critical issue, CVE-2024-45387, has been discovered in Apache Traffic Control and is a SQL injection vulnerability that can be exploited by privileged users to execute arbitrary SQL commands, risking data manipulation or exfiltration.

Apache MINA is also affected by CVE-2024-52046 which allows remote code execution through deserialization flaws. It is crucial that users apply security patches promptly. For Apache MINA, additional configuration is required to restrict class deserialization further mitigating the risk. Furthermore, a high-risk vulnerability, CVE-2024-56512, has been found in Apache NiFi, a data processing and distribution system, which can expose sensitive information to unauthorized users, especially if using component-based authorization policies. A patch for NiFi has been issued in version 2.1.0, users should upgrade immediately.

Recommended read:
References :
  • BleepingComputer: The Apache Software Foundation has released security updates to address three severe problems that affect MINA, HugeGraph-Server, and Traffic Control products.
  • malware.news: Apache fixes Traffic Control bug that attackers could exploit
  • www.bleepingcomputer.com: Apache warns of critical flaws in MINA, HugeGraph, Traffic Control
  • www.scworld.com: Apache fixes Traffic Control bug that attackers could exploit
  • thecyberexpress.com: Critical Apache Vulnerabilities: Update Now to Avoid Major Risks
  • www.csa.gov.sg: CVE-2024-45387: PoC Published for Critical SQL Injection in Apache Traffic Control
  • securityonline.info: CVE-2024-45387: PoC Published for Critical SQL Injection in Apache Traffic Control

@securityonline.info //
TeamViewer has released patches to address a high-severity privilege escalation vulnerability affecting its Windows client and host applications. The vulnerability, identified as CVE-2025-0065, has a CVSS score of 7.8, indicating a significant risk. The flaw stems from improper handling of argument delimiters in the "TeamViewer_service.exe" component. This could allow a local, unprivileged attacker to inject malicious arguments, thereby gaining elevated privileges on the compromised system potentially granting full control. The vulnerability affects TeamViewer clients for Windows prior to version 15.62.

While there is no evidence that this vulnerability is being exploited in the wild, TeamViewer is strongly urging all Windows users to update to the latest available versions of the client, specifically version 15.62 or later, to mitigate any potential risk. The vulnerability was discovered by an anonymous researcher working with Trend Micro Zero Day Initiative. TeamViewer has released updated packages for TeamViewer Remote and TeamViewer Tensor including versions 11.0.259318, 12.0.259319, 13.2.36226, 14.7.48799 and 15.62 for both full client and host versions, available for download on their website.

Recommended read:
References :
  • securityaffairs.com: TeamViewer fixed a vulnerability in Windows client and host applications
  • securityonline.info: CVE-2025-0065: TeamViewer Patches Privilege Escalation Vulnerability in Windows Clients
  • securityonline.info: CVE-2025-0065: TeamViewer Patches Privilege Escalation Vulnerability in Windows Clients
  • www.heise.de: Teamviewer: Rights expansion possible due to security vulnerability Teamviewer warns of a vulnerability in the Windows versions of the remote maintenance software that allows attackers to escalate rights.
  • heise online English: Teamviewer: Rights expansion possible due to security vulnerability

@ciso2ciso.com //
Atlassian has released security patches to address 12 critical and high-severity vulnerabilities affecting multiple products, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. The patches address five critical-severity issues in Confluence Data Center and Server and Crowd Data Center and Server that were discovered in third-party dependencies used within the two products.

Updates released for Confluence Data Center and Server address two critical flaws in Apache Tomcat, tracked as CVE-2024-50379 and CVE-2024-56337 (CVSS score of 9.8). These issues could be exploited by unauthenticated attackers to achieve remote code execution. Atlassian urges customers to update their installations as soon as possible.

Recommended read:
References :
  • securityaffairs.com: Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira.
  • ciso2ciso.com: Atlassian Patches Critical Vulnerabilities in Confluence, Crowd – Source: www.securityweek.com
  • heise online English: Security updates Atlassian: Attacks on Bamboo Data Center and Server possible Attackers can attack Atlassian's Bitbucket Data Center and Server with malicious code, among other things.