CyberSecurity news

FlagThis - #vulnerability

@nvd.nist.gov //
Two high-severity vulnerabilities, identified as CVE-2025-5349 and CVE-2025-5777, have been discovered in Citrix NetScaler ADC and NetScaler Gateway products. According to a Citrix advisory released on June 17, 2025, these flaws pose a significant risk to organizations using the affected products. It is strongly recommended that users update their systems as soon as possible to mitigate potential exploits. These vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS before 12.1-55.328-FIPS. Note that versions 12.1 and 13.0 are End Of Life (EOL) and are also vulnerable.

CVE-2025-5777, which has a CVSS score of 9.3, stems from insufficient input validation, leading to a memory overread. This vulnerability is only exploitable when NetScaler is configured as a Gateway, encompassing VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy, or when configured as an AAA virtual server. CVE-2025-5349, with a CVSS score of 8.7, is attributed to improper access control on the NetScaler Management Interface. Exploitation of this vulnerability requires the attacker to have access to the NSIP address, the Cluster Management IP, or the local GSLB Site IP. The National Vulnerability Database provides additional detail on both CVE-2025-5349 and CVE-2025-5777.

To address these vulnerabilities, Citrix advises upgrading to the latest versions of NetScaler ADC and NetScaler Gateway. Additionally, after upgrading all NetScaler appliances in a high availability (HA) pair or cluster to the fixed builds, Citrix recommends executing the following commands to terminate all active ICA and PCoIP sessions: `kill icaconnection -all` and `kill pcoipConnection -all`. CERT-In has also issued an advisory regarding these vulnerabilities. Further information regarding the impact on businesses can be found on Cyberexpress.
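As an added triage helper, not part of the Citrix advisory or any Citrix tooling, the functions below classify a NetScaler ADC / Gateway build string, given in the advisory's own MAJOR.MINOR-BUILD.REV form, against the fixed builds listed above; the `fips` second argument and the suffix handling are this script's own convention, and the version strings in the demo loop are constructed.

```shell
#!/bin/sh
# Added triage helper (not from Citrix or the advisory): classify a NetScaler
# ADC / Gateway build string against the fixed builds for CVE-2025-5349 and
# CVE-2025-5777. Input is the advisory-style string (e.g. 14.1-43.56); FIPS /
# NDcPP builds are recognised by a -FIPS / -NDcPP suffix or by passing "fips"
# as the second argument (this script's own convention).

# Compare two dotted/dashed version strings field by field.
# Prints -1, 0 or 1 for a < b, a == b, a > b.
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0     # missing or non-numeric fields count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# netscaler_vulnerable VERSION [fips]
# Exit status: 0 = vulnerable (below the fixed build, or an EOL branch),
#              1 = fixed build or later,
#              2 = branch not covered by the advisory text.
netscaler_vulnerable() {
    ver="$1"; fips=no
    case "$ver $2" in *FIPS*|*fips*|*NDcPP*|*ndcpp*) fips=yes ;; esac
    core=$(printf '%s' "$ver" | cut -d- -f1,2)     # drop any -FIPS / -NDcPP suffix
    branch=$(printf '%s' "$core" | cut -d- -f1)    # e.g. 14.1
    case "$branch" in
        14.1) fixed="14.1-43.56" ;;
        13.1) if [ "$fips" = yes ]; then fixed="13.1-37.235"; else fixed="13.1-58.32"; fi ;;
        12.1) if [ "$fips" = yes ]; then fixed="12.1-55.328"
              else echo "$ver: 12.1 (non-FIPS) is End Of Life and vulnerable"; return 0; fi ;;
        13.0) echo "$ver: 13.0 is End Of Life and vulnerable"; return 0 ;;
        *)    echo "$ver: branch $branch is not covered by the advisory"; return 2 ;;
    esac
    if [ "$(ver_cmp "$core" "$fixed")" = "-1" ]; then
        echo "$ver: VULNERABLE (fixed in $fixed)"; return 0
    fi
    echo "$ver: fixed build ($fixed or later)"; return 1
}

# Demo against constructed version strings (not real appliances).
for v in "14.1-43.50" "14.1-43.56" "13.1-37.200-FIPS" "13.0-92.21"; do
    netscaler_vulnerable "$v" || true
done
```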

Recommended read:
References :
  • thecyberexpress.com: Two High-Severity Flaws Found in NetScaler Products: CVE-2025-5349 and CVE-2025-5777
  • cert.europa.eu: CERT-In has issued an advisory regarding these vulnerabilities.
  • nvd.nist.gov: The National Vulnerability Database provides additional detail on CVE-2025-5349 and CVE-2025-5777.
  • Blog: How to find Citrix NetScaler ADC & Gateway instances on your network

Veronika Telychko@SOC Prime Blog //
Two critical local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, have been publicly disclosed, impacting a wide range of Linux distributions. Cybersecurity researchers at Qualys discovered that these vulnerabilities, when chained together, could allow an unprivileged user to gain full root access on vulnerable systems. The flaws reside in the Pluggable Authentication Modules (PAM) configuration (CVE-2025-6018) and the libblockdev library (CVE-2025-6019), with the latter being exploitable through the udisks daemon, which is commonly deployed by default in many Linux distributions.

Researchers have released proof-of-concept (PoC) exploit code demonstrating the effectiveness of the vulnerability chain, raising concerns about potential exploitation in the wild. CVE-2025-6018 allows an unprivileged local user to elevate permissions to "allow_active" status, enabling them to invoke Polkit actions typically reserved for users with physical access to the machine. CVE-2025-6019 then permits an "allow_active" user to gain full root privileges, effectively bypassing security controls and allowing for broader post-compromise actions.

The teams responsible for the development of most popular Linux builds have already begun working on fixes for these vulnerabilities. Patches for Ubuntu are reportedly ready, and users of other distributions are advised to closely monitor for updates and promptly install them as they become available. As a temporary workaround, Qualys recommends modifying the Polkit rule for "org.freedesktop.udisks2.modify-device" to require administrator authentication ("auth_admin"). This highlights the critical importance of regular patching and vulnerability management in maintaining the security of Linux systems.
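The interim Polkit change described above, as an added example that is not Qualys' advisory text or any distribution's shipped file: it assumes a polkit that reads JavaScript `.rules` files from `/etc/polkit-1/rules.d` (older releases use `.pkla` localauthority files instead), and the file name `49-udisks2-modify-device.rules` is this example's own choice.

```shell
#!/bin/sh
# Added example (not from Qualys or any distribution): install and verify a
# polkit rule that makes org.freedesktop.udisks2.modify-device require
# administrator authentication, the interim workaround for CVE-2025-6019.
# Assumptions: JavaScript-based polkit reading /etc/polkit-1/rules.d/*.rules;
# the file name below is this example's own choice.

RULES_DIR="${RULES_DIR:-/etc/polkit-1/rules.d}"
RULE_FILE="49-udisks2-modify-device.rules"

# Print the rule body. Returning AUTH_ADMIN forces an administrator password
# prompt instead of the "allow_active" shortcut that the vulnerability chain
# relies on; other actions fall through to the remaining rules and defaults.
udisks_rule_body() {
    cat <<'EOF'
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Write the rule into $1 (default: RULES_DIR) as a world-readable file.
# Returns 0 on success, 1 on failure. Needs root for the real directory.
install_udisks_rule() {
    dir="${1:-$RULES_DIR}"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    udisks_rule_body > "$dir/$RULE_FILE" || return 1
    chmod 0644 "$dir/$RULE_FILE"
}

# Heuristic check (text match, not a polkit evaluation): returns 0 if some
# .rules file in $1 names the action and pins it to AUTH_ADMIN, else 1.
check_udisks_rule() {
    dir="${1:-$RULES_DIR}"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        if grep -q 'org.freedesktop.udisks2.modify-device' "$f" &&
           grep -q 'polkit.Result.AUTH_ADMIN' "$f"; then
            echo "$f: udisks2 modify-device requires admin authentication"
            return 0
        fi
    done
    return 1
}

# Usage as root on a live system:
#   install_udisks_rule && check_udisks_rule
```

The rule is a stop-gap; the page's own advice to install the distribution patches once available still applies.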

Recommended read:
References :
  • Blog: Field Effect details the vulnerabilities and the availability of proof-of-concept exploit code.
  • SOC Prime Blog: SocPrime's blog post discusses the CVE-2025-6018 and CVE-2025-6019 vulnerabilities and their potential impact.
  • Kaspersky official blog: Vulnerability CVE-2025-6019 allows an attacker to gain root privileges in most Linux distributions.
  • The Hacker News: New Linux Kernel Vulnerabilities Allow Full Root Access via PAM and Udisks Across Major Distributions
  • securityaffairs.com: This article explains the two LPE vulnerabilities impacting Linux systems.

@cert.europa.eu //
A number of critical security vulnerabilities have been identified and addressed in several software products, highlighting the persistent need for vigilance and timely updates. One of the most severe issues is a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-23121, in Veeam Backup & Replication. This flaw, which received a CVSS score of 9.9, allows an authenticated domain user to execute code remotely on the Backup Server, specifically impacting domain-joined backup servers. Veeam has released security updates to fix this and other vulnerabilities, urging users to upgrade to the latest version, 12.3.2 (build 12.3.2.3617), as soon as possible.

Affected products include Veeam Backup & Replication versions 12, 12.1, 12.2, 12.3, and 12.3.1, along with Veeam Agent for Microsoft Windows versions 6.0, 6.1, 6.2, 6.3, and 6.3.1. In addition to the critical RCE in Veeam, a high severity Arbitrary Code Execution (ACE) vulnerability (CVE-2025-24286) in Veeam Backup & Replication was also addressed, allowing an authenticated user with the Backup Operator role to modify backup jobs, potentially leading to arbitrary code execution. Furthermore, a medium severity local privilege escalation bug (CVE-2025-24287) was identified affecting the Windows Veeam agent, which allows local system users to execute arbitrary code with elevated permissions by modifying specific directory contents.

Users are strongly advised to update their software to the latest versions to mitigate the risks associated with these vulnerabilities. For Veeam users, it is recommended to implement best practices provided by the vendor, such as using a separate management workgroup or domain for Veeam components. The discovery of undocumented root shell access (CVE-2025-26412) in the SIMCom SIM7600G modem highlights the dangers of backdoors and undocumented features in embedded devices. Furthermore, a critical vulnerability (CVE-2025-3464) in Asus Armoury Crate allows attackers to gain SYSTEM privileges via hard link manipulation; users are advised to update or disable the software.

Recommended read:
References :
  • cert.europa.eu: On June 17, 2025, Veeam released an advisory addressing several vulnerabilities in Veeam Backup & Replication, one of which is rated as critical. Updating as soon as possible is recommended.
  • research.kudelskisecurity.com: Summary: On June 17, data resilience vendor Veeam released security updates to fix three vulnerabilities: one critical severity RCE and one high severity ACE
  • The Register - Security: Veeam patches third critical RCE bug in Backup & Replication in space of a year
  • securityaffairs.com: Veeam addressed a new critical flaw in Backup & Replication product that could potentially result in remote code execution.
  • www.cybersecuritydive.com: Researchers urge vigilance as Veeam releases patch to address critical flaw
  • Security Risk Advisors: Critical Remote Code Execution Vulnerability Patched in Veeam Backup & Replication 12.3.2
  • research.kudelskisecurity.com: Veeam Backup & Replication: Critical RCE Patched
  • www.veeam.com: Critical Remote Code Execution Vulnerability Patched in Veeam Backup & Replication 12.3.2 (CVE-2025-23121, CVE-2025-24286, CVE-2025-24287)
  • Blog: On June 17, Veeam released , tracked as CVE-2025-23121, CVE-2025-24286, and CVE-2025-24287. The fixes were applied in and .
  • The Hacker News: Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication
  • thecyberexpress.com: This article discusses various vulnerabilities and recommends applying patches.
  • www.veeam.com: Veeam KB 4696

@cyberpress.org //
GitLab has issued critical security updates on June 11, 2025, to address multiple vulnerabilities in both the Community Edition (CE) and Enterprise Edition (EE) of its platform. These patches are crucial for self-managed GitLab installations, with experts urging immediate upgrades to prevent potential exploits. The updates tackle high-severity vulnerabilities that could allow attackers to achieve complete account takeover and compromise enterprise development environments, emphasizing the importance of proactive security measures in DevSecOps environments.

One of the most concerning vulnerabilities, CVE-2025-5121, affects GitLab Ultimate EE customers and carries a CVSS score of 8.5. This missing authorization issue allows attackers with authenticated access to a GitLab instance with a GitLab Ultimate license to inject malicious CI/CD jobs into all future pipelines of any project. This can lead to backdoors being added, validation steps being skipped, and secrets used during the build process being exposed, significantly compromising the software development lifecycle.

Other notable vulnerabilities addressed in this patch release include CVE-2025-4278, an HTML injection vulnerability with a CVSS score of 8.7 that could lead to account takeover, and CVE-2025-2254, a cross-site scripting (XSS) vulnerability, also with a CVSS score of 8.7, allowing attackers to act in the context of legitimate users. GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 for both CE and EE to address these issues, and it's strongly recommended that all affected installations be updated as soon as possible.

Recommended read:
References :
  • cert.europa.eu: On 11 June 2025, Gitlab released security updates for their products addressing multiple vulnerabilities in Gitlab Community Edition (CE) and Enterprise Edition (EE).
  • www.csoonline.com: A new vulnerability in GitLab’s Ultimate Enterprise Edition used for managing source code is “dangerous” and needs to be quickly patched, says an expert.
  • Cyber Security News: GitLab has released critical security patches addressing multiple high-severity vulnerabilities that could enable attackers to achieve complete account takeover and compromise enterprise development environments.
  • The DefendOps Diaries: Explore GitLab's proactive measures to patch high-severity vulnerabilities and enhance security in DevSecOps environments.

Anna Ribeiro@Industrial Cyber //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.

CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation.

CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching.

Recommended read:
References :
  • seceon.com: In a recent report by BleepingComputer, DragonForce—a rapidly rising ransomware group—breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) platform to infiltrate downstream customers.
  • go.theregister.com: The Register reports Ransomware scum disrupted utility services with SimpleHelp attacks
  • The Register: Ransomware scum disrupted utility services with SimpleHelp attacks
  • The Register - Security: Ransomware scum disrupted utility services with SimpleHelp attacks
  • arcticwolf.com: Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software for Initial Access
  • health-isac.org: Threat Bulletin: SimpleHelp RMM Software Leveraged in Exploitation Attempt to Breach Networks
  • ciso2ciso.com: Ransomware Gang Exploits SimpleHelp RMM to Compromise Utility Billing Firm – Source: www.infosecurity-magazine.com
  • Industrial Cyber: CISA flags exploitation of SimpleHelp RMM vulnerability in ransomware attacks since January
  • Daily CyberSecurity: Urgent CISA Alert: Ransomware Actors Exploiting SimpleHelp RMM Flaw (CVE-2024-57727)
  • thehackernews.com: Ransomware Actors Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion
  • www.cybersecuritydive.com: CISA warns of supply chain risks as ransomware attacks exploit SimpleHelp flaws
  • Resources-2: Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
  • www.scworld.com: CISA: Utility billing provider customers compromised via SimpleHelp exploit
  • Tech Monitor: CISA warns of ransomware exploiting unpatched SimpleHelp RMM vulnerabilities, targeting a utility billing software firm's customers since January.
  • SOC Prime Blog: Detect SimpleHelp RMM Vulnerability Exploitation: CISA Warns of Threat Actors Abusing Unpatched Flaws for Persistent Access and Ransomware Deployment
  • industrialcyber.co: CISA flags exploitation of SimpleHelp RMM vulnerability in ransomware attacks since January
  • socprime.com: Detect SimpleHelp RMM Vulnerability Exploitation: CISA Warns of Threat Actors Abusing Unpatched Flaws for Persistent Access and Ransomware Deployment
  • www.threatdown.com: CISA has issued a warning about the exploitation SimpleHelp RMM software by ransomware groups.

Pierluigi Paganini@Security Affairs //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities discovered in SinoTrack GPS devices. These flaws could allow malicious actors to remotely control vehicles and track their locations. The vulnerabilities affect all known SinoTrack devices and the SinoTrack IOT PC Platform. This alert follows the disclosure of these security weaknesses by independent researcher Raúl Ignacio Cruz Jiménez.

The identified vulnerabilities include a weak authentication flaw (CVE-2025-5484) and an observable response discrepancy (CVE-2025-5485). The weak authentication stems from the use of a default password across all devices and the use of the device identifier as the username. The identifier, which is printed on the receiver, is easily accessible, either through physical access to the device or through images posted online. The observable response discrepancy arises from the numerical structure of usernames, which are up to 10 digits long. This enables attackers to guess valid usernames by trying different number sequences.

Successful exploitation of these vulnerabilities could grant attackers unauthorized access to device profiles through the web management interface. This access could then be used to perform remote functions on connected vehicles, such as tracking the vehicle's location and, in some cases, disconnecting power to the fuel pump. With a CVSS v4 score of 8.8, CVE-2025-5485 is considered highly severe. While there are currently no official fixes available, CISA advises users to change the default password immediately and to conceal the device identifier, particularly in publicly accessible photographs. SinoTrack has not yet responded to CISA’s request.

Recommended read:
References :
  • hackread.com: US CISA reports critical vulnerabilities in SinoTrack GPS devices that could let attackers remotely control vehicles and track locations.
  • securityaffairs.com: Two vulnerabilities in SinoTrack GPS devices can allow remote vehicle control and location tracking by attackers, US CISA warns.
  • The Hacker News: Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations.
  • ciso2ciso.com: CISA Warns of Remote Control Flaws in SinoTrack GPS Trackers – Source:hackread.com
  • thecyberexpress.com: US CISA reports critical vulnerabilities in SinoTrack GPS devices that could let attackers remotely control vehicles and track locations
  • www.helpnetsecurity.com: SinoTrack GPS vulnerabilities may allow attackers to track, control vehicles

@gbhackers.com //
SAP has released its June 2025 Security Patch Day update, addressing a critical vulnerability in SAP NetWeaver Application Server for ABAP, identified as CVE-2025-42989. The flaw, which carries a CVSS score of 9.6, allows attackers to bypass authorization checks and escalate privileges. This could grant unauthorized access to critical system functions, allowing manipulation of application data or disruption of services. The vulnerability affects NetWeaver kernel versions 7.89, 7.93, 9.14, and 9.15, making patching an urgent priority.

SAP warns that successful exploitation of this vulnerability could critically impact the integrity and availability of affected systems. The flaw stems from a missing authorization check within the Remote Function Call (RFC) framework, which enables authenticated attackers to bypass standard authorization checks on the S_RFC object when leveraging transactional or queued RFCs under specific conditions. SAP advises immediate patching and notes that post-patch, additional S_RFC permissions may need to be assigned to certain users. Detailed guidance on identifying affected users and activating enhanced checks is provided in SAP Note #3601919.

Beyond the critical NetWeaver vulnerability, SAP's June Patch Day addresses a total of 14 new vulnerabilities across multiple enterprise products. These include high-severity flaws in SAP GRC, SAP Business Warehouse, and SAP BusinessObjects BI. A serious information disclosure vulnerability in SAP GRC (CVE-2025-42982) could allow non-administrative users to initiate sensitive transactions and manipulate system credentials. A missing authorization check in SAP Business Warehouse and SAP Plug-In Basis (CVE-2025-42983) could allow authenticated users to delete arbitrary database tables, resulting in data loss. Additionally, a cross-site scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace (CVE-2025-23192) could allow attackers to execute code in the browser of unsuspecting users, risking data theft and interface manipulation.

Recommended read:
References :
  • gbhackers.com: SAP NetWeaver Vulnerability Allows Attackers to Escalate Privileges
  • securityaffairs.com: SAP June 2025 Security Patch Day fixed critical NetWeaver bug
  • securityonline.info: SAP Patch Fixes Critical CVSS 9.6 Flaw in NetWeaver: Privilege Escalation and System Integrity at Risk
  • Daily CyberSecurity: SAP Patch Fixes Critical CVSS 9.6 Flaw in NetWeaver: Privilege Escalation and System Integrity at Risk

TIGR Threat@Security Risk Advisors //
Cisco has issued a critical security advisory regarding a vulnerability, CVE-2025-20286, in its Identity Services Engine (ISE) when deployed on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). This static credential flaw enables unauthenticated remote attackers to potentially access sensitive data, perform limited administrative actions, modify system configurations, or disrupt services. The vulnerability stems from improperly generated credentials during cloud deployments, resulting in multiple ISE deployments sharing the same static credentials, provided they are on the same software release and cloud platform.

Exploitation of CVE-2025-20286 could allow attackers to extract user credentials from a compromised Cisco ISE cloud deployment and utilize them to access other ISE instances in different cloud environments via unsecured ports. This could lead to unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. Cisco's Product Security Incident Response Team (PSIRT) has confirmed the existence of a proof-of-concept (PoC) exploit for this vulnerability, though there is no evidence of active exploitation in the wild.

The vulnerability impacts specific versions of Cisco ISE, affecting versions 3.1, 3.2, 3.3, and 3.4 on AWS, and versions 3.2, 3.3, and 3.4 on Azure and OCI. Cisco emphasizes that this vulnerability only affects deployments where the Primary Administration node is hosted in the cloud; on-premises deployments are not affected. While there are no official workarounds, Cisco recommends restricting traffic to authorized administrators or using the "application reset-config ise" command to reset user passwords. The company has released security patches to address the flaw and urges users to update their systems promptly.

Recommended read:
References :
  • Cyber Security News: Cisco Alerts on ISE Vulnerability Exposing Sensitive Data with Available PoC Exploit
  • Security Affairs: Cisco fixed a critical flaw in the Identity Services Engine (ISE) that could allow unauthenticated attackers to conduct malicious actions.
  • The Hacker News: Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.
  • Security Risk Advisors: Static credential flaw (CVE-2025-20286) in #Cisco ISE cloud deployments enables unauthorized access across AWS, Azure, and OCI.
  • SOC Prime Blog: A critical vulnerability in Cisco’s Identity Services Engine (ISE) enables unauthenticated remote attackers to retrieve sensitive information and perform administrative actions across various cloud environments upon exploitation.
  • Arctic Wolf: CVE-2025-20286: PoC Available for Critical Cisco Identity Services Engine Static Credential Vulnerability
  • arcticwolf.com: On 4 June 2025, Cisco released fixes for multiple vulnerabilities, several of which were noted to have publicly available proof-of-concept (PoC) exploit code. The most severe issue, CVE-2025-20286, affects cloud deployments of Cisco Identity Services Engine (ISE) on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
  • sec.cloudapps.cisco.com: Static credential flaw (CVE-2025-20286) in #Cisco ISE cloud deployments enables unauthorized access across AWS, Azure, and OCI.
  • socprime.com: A critical vulnerability in Cisco’s Identity Services Engine (ISE) enables unauthenticated remote attackers to retrieve sensitive information and perform administrative actions across various cloud environments upon exploitation.
  • www.techradar.com: Cisco warns over worrying security flaws in ISE affecting AWS, Azure cloud deployments - here's what you need to know
  • arcticwolf.com: CVE-2025-20286: PoC Available for Critical Cisco Identity Services Engine Static Credential Vulnerability
  • www.itpro.com: Cisco patches critical flaw affecting Identity Services Engine
  • Blog: How to find Cisco Identity Services Engine (ISE) installations
  • www.scworld.com: Cisco patches Identity Services Engine flaw affecting AWS, Azure, OCI

@nvd.nist.gov //
HPE has issued critical security patches for its StoreOnce data backup and deduplication platform, addressing eight newly discovered vulnerabilities. The most severe of these is an authentication bypass vulnerability, identified as CVE-2025-37093, which has been assigned a near-maximum CVSS score of 9.8. This indicates a critical risk to affected systems, as it could allow remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise StoreOnce VSA.

The authentication bypass, tracked as ZDI-25-312, exists due to a flaw in the `setLocateBeaconOnHardware` method. The issue stems from the lack of proper validation of a user-supplied string before it's used to execute a system call. Although authentication is typically required to exploit this vulnerability, the existing authentication mechanism can be bypassed, allowing attackers to execute code in the context of root. The ZDI has assigned a CVSS rating of 7.2 to CVE-2025-37089.

Users of HPE StoreOnce are strongly advised to upgrade to version 4.3.11 or later to mitigate the risk of exploitation. Hewlett Packard Enterprise has released an update to correct this vulnerability, and more details can be found on their support website. The disclosure timeline indicates that the vulnerability was reported to the vendor on October 31, 2024, followed by a coordinated public release of the advisory on June 2, 2025.

Recommended read:
References :
  • securityaffairs.com: HPE has released security patches for eight vulnerabilities in its StoreOnce backup solution. These issues could allow remote code execution, authentication bypass, data leaks, and more.
  • thecyberexpress.com: Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most severe is an authentication bypass vulnerability tracked as CVE-2025-37093, which carries a near-maximum CVSS score of 9.8, indicating a critical risk to affected systems.
  • ZDI: Published Advisories: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise StoreOnce VSA. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2025-37089.
  • ZDI: Published Advisories: ZDI-25-316: Hewlett Packard Enterprise StoreOnce VSA Authentication Bypass Vulnerability
  • arcticwolf.com: HPE Fixes Critical RCE Vulnerability in StoreOnce
  • The Hacker News: HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass
  • arcticwolf.com: On 2 June 2025, Hewlett Packard Enterprise (HPE) released fixes for multiple vulnerabilities affecting HPE StoreOnce VSA, an enterprise backup storage solution. The most severe of these was CVE-2025-37093, a critical authentication bypass vulnerability discovered by the Zero Day Initiative (ZDI).
  • Arctic Wolf: CVE-2025-37093: HPE Fixes Critical RCE Vulnerability in StoreOnce
  • Arctic Wolf: HPE Fixes Critical RCE Vulnerability in StoreOnce
  • Techzine Global: HPE has issued a security bulletin for eight vulnerabilities in StoreOnce, intended for drive-based backup and deduplication.
  • BleepingComputer: Hewlett Packard Enterprise warns of critical StoreOnce auth bypass

@www.openwall.com //
Two new information disclosure vulnerabilities have been identified in Linux systems, specifically affecting Ubuntu, Red Hat Enterprise Linux, and Fedora distributions. These flaws reside in the core dump handlers 'apport' (CVE-2025-5054) and 'systemd-coredump' (CVE-2025-4598). The vulnerabilities are characterized as race condition bugs, which could be exploited by a local attacker to gain unauthorized access to sensitive information. Successful exploitation could lead to the exposure of critical data, including password hashes, through the manipulation of core dumps generated during system crashes.

Qualys Threat Research Unit (TRU) discovered that Apport incorrectly handled metadata when processing application crashes. This allows an attacker to induce a crash in a privileged process and quickly replace it with another process with the same process ID inside a mount and pid namespace. Apport will then attempt to forward the core dump, potentially containing sensitive information from the original privileged process, into the namespace. Similarly, systemd-coredump has a race condition that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump.

Both vulnerabilities have been assigned a CVSS score of 4.7, indicating a medium severity level. Red Hat has rated CVE-2025-4598 as Moderate due to the high complexity involved in successfully exploiting the flaw. To mitigate the risk, users can disable core dump generation for SUID binaries by running the command "echo 0 > /proc/sys/fs/suid_dumpable" as root. Canonical has released updates for the apport package for all affected Ubuntu releases, addressing CVE-2025-5054, and users are advised to update their systems as soon as possible.
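The suid_dumpable mitigation quoted above, as an added example rather than anything from Qualys or the distributions: it applies the setting live and persists it through a `sysctl.d` drop-in (the drop-in name is this example's choice), with the kernel and sysctl.d paths parameterised so the functions can be checked against scratch files.

```shell
#!/bin/sh
# Added example (not from Qualys, Canonical or Red Hat): check and apply the
# fs.suid_dumpable = 0 interim mitigation for CVE-2025-4598 / CVE-2025-5054.
# Paths are parameters so the functions can be tried on scratch copies; the
# defaults are the real kernel and sysctl.d locations. The drop-in file name
# is this example's own choice.

PROC_FILE="${PROC_FILE:-/proc/sys/fs/suid_dumpable}"
SYSCTL_DIR="${SYSCTL_DIR:-/etc/sysctl.d}"
DROPIN="60-suid-dumpable.conf"

# Print the current value from $1 (default: the live kernel setting).
#   0 = processes that changed credentials (SUID/SGID) produce no core dump
#   1 = "debug": such processes dump like any other (the risky setting)
#   2 = "suidsafe": dump, but only readable by root
suid_dumpable_value() {
    tr -d '[:space:]' < "${1:-$PROC_FILE}"
}

# Returns 0 when the value is 0 (mitigation in place), 1 otherwise.
suid_dumpable_ok() {
    [ "$(suid_dumpable_value "$1")" = "0" ]
}

# Apply the mitigation live ($1 = proc file) and persist it across reboots
# through a sysctl.d drop-in in $2. Returns 0 on success. Needs root on a
# real system. This only suppresses dumps of SUID processes; the apport and
# systemd-coredump package updates are still required.
harden_suid_dumpable() {
    proc="${1:-$PROC_FILE}"; dir="${2:-$SYSCTL_DIR}"
    echo 0 > "$proc" || return 1
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    printf '%s\n%s\n' \
        '# Interim mitigation for CVE-2025-4598 / CVE-2025-5054: no core dumps from SUID processes' \
        'fs.suid_dumpable = 0' > "$dir/$DROPIN"
}

# Usage as root on a live system:
#   suid_dumpable_ok || harden_suid_dumpable
```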

Recommended read:
References :
  • securityaffairs.com: Two Linux flaws can lead to the disclosure of sensitive data
  • The Hacker News: New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora
  • Ubuntu security notices: USN-7545-1: Apport vulnerability Qualys discovered that Apport incorrectly handled metadata when processing application crashes.
  • Open Source Security: Local information disclosure in apport and systemd-coredump
  • Planet Ubuntu: Ubuntu Blog: Apport local information disclosure vulnerability fixes available
  • ciso2ciso.com: Two Linux flaws can lead to the disclosure of sensitive data – Source: securityaffairs.com
  • ciso2ciso.com: Two Linux flaws can lead to the disclosure of sensitive data – Source: securityaffairs.com Source: securityaffairs.com – Author: Pierluigi Paganini
  • www.qualys.com: Qualys discovers local information disclosure vulnerabilities in apport and systemd-coredump
  • hackread.com: Linux Crash Reporting Flaws (CVE-2025-5054, 4598) Expose Password Hashes
  • Davey Winder: Linux Passwords Warning — 2 Critical Vulnerabilities, Millions At Risk
  • Schneier on Security: They’re : Tracked as , both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.
  • Full Disclosure: Qualys Security Advisory Local information disclosure in apport and systemd-coredump (CVE-2025-5054 and CVE-2025-4598)
  • blog.qualys.com: New #Linux race condition flaws let attackers steal password hashes from core dumps. Set suid_dumpable=0, patch apport/systemd-coredump, monitor crashes. Affects #Ubuntu #RHEL and #Fedora
  • Open Source Security: Re: Local information disclosure in apport and systemd-coredump
  • Security Risk Advisors: Linux Core Dump Handlers in Ubuntu, RHEL, Fedora Leak Password Hashes via Race Condition