CyberSecurity news
FlagThis - #vulnerability
|
@github.com
//
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32434, has been discovered in PyTorch, a widely used open-source machine learning framework. This flaw, detected by security researcher Ji’an Zhou, undermines the safety of the `torch.load()` function, even when configured with `weights_only=True`. This parameter was previously trusted to prevent unsafe deserialization, making the vulnerability particularly concerning for developers who relied on it as a security measure. The discovery challenges long-standing security assumptions within machine learning workflows.
This vulnerability affects PyTorch versions 2.5.1 and earlier and has been assigned a CVSS v4 score of 9.3, indicating a critical security risk. Attackers can exploit the flaw by crafting malicious model files that bypass deserialization restrictions, allowing them to execute arbitrary code on the target system during model loading. The impact is particularly severe in cloud-based AI environments, where compromised models could lead to lateral movement, data breaches, or data exfiltration. As Ji'an Zhou noted, the vulnerability is paradoxical because developers often use `weights_only=True` to mitigate security issues, unaware that it can still lead to RCE. To address this critical issue, the PyTorch team has released version 2.6.0. Users are strongly advised to immediately update their PyTorch installations. For systems that cannot be updated immediately, the only viable workaround is to avoid using `torch.load()` with `weights_only=True` entirely. Alternative model-loading methods, such as using explicit tensor extraction tools, are recommended until the patch is applied. With proof-of-concept exploits likely to emerge soon, delayed updates risk widespread system compromises. Recommended read:
References :
@hackread.com
//
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.
Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink. Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging. Recommended read:
References :
Iain Thomson@The Register - Security
//
References:
DataBreaches.Net
, The Register - Security
,
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning critical vulnerabilities affecting SonicWall SMA 100 series appliances and legacy Oracle Cloud environments. The alerts highlight potential risks to organizations and individuals stemming from exploited vulnerabilities and data theft. CISA is urging affected users to take immediate steps to mitigate potential cyberattacks, including resetting passwords, monitoring authentication logs, and implementing multi-factor authentication. These actions aim to prevent unauthorized access and escalation of privileges within enterprise environments.
The alert regarding Oracle Cloud addresses the compromise of legacy Oracle Cloud servers earlier in the year. CISA warns that the nature of the reported activity presents a potential risk, especially where credential material may be exposed, reused across separate systems, or embedded within scripts and applications. Compromised credentials, including usernames, emails, passwords, authentication tokens, and encryption keys, can significantly impact enterprise security. The agency has specifically emphasized the danger of embedded credentials, which are difficult to detect and remove, potentially enabling long-term unauthorized access. CISA has also added CVE-2021-20035, a high-severity OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, to its known exploited vulnerabilities catalog. SonicWall initially disclosed and patched the vulnerability in September 2021, later raising its severity score. The vulnerability allows a threat actor to remotely inject arbitrary commands, potentially leading to code execution. Federal civilian executive branch agencies have been directed to patch their SonicWall appliances by May 7 or discontinue use of the product. SonicWall is actively investigating the scope of the exploitation and urges customers to upgrade to the latest firmware. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
A critical vulnerability, identified as CVE-2025-20236, has been discovered in the Cisco Webex App, posing a significant security risk to users. The vulnerability allows unauthenticated attackers to gain client-side remote code execution through maliciously crafted meeting invite links. The flaw stems from insufficient input validation within the app's custom URL parser, which processes these meeting invites. An attacker can exploit this weakness by tricking a user into clicking on a malicious link, which can then download arbitrary files and execute commands on the user's system with their privileges.
Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level. Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.
The vulnerability affects all users running an SSH server based on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application providing SSH access using the Erlang/OTP SSH library should be considered affected. This vulnerability poses a significant risk, especially to critical infrastructure and high-availability systems where Erlang/OTP is widely used, such as in telecommunications equipment, industrial control systems, and connected devices. Expert Mayuresh Dani of Qualys emphasizes the critical nature, noting Erlang's frequent installation on high-availability systems. This vulnerability could allow actions such as installing ransomware or siphoning off sensitive data. Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, increasing the urgency for organizations to take immediate action. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed they had developed their own exploit, describing it as "surprisingly easy" to reproduce. Mitigation strategies include immediately updating to the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround, it is recommended to disable the SSH server or restrict access via firewall rules until the updates can be applied. Organizations should evaluate their systems for potential compromise. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.
This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes. CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform. The flaw, which carries a CVSS score of 10.0, affects all versions from 1.0.0 up to and including 6.1.4. This vulnerability allows malicious actors to retain unauthorized access to blog sites even after a password change.
The core of the issue lies in insufficient session expiration. When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions. Consequently, any session tokens or cookies issued before the password change remain valid, creating a significant security risk. An attacker who has compromised a user’s credentials can maintain access to the application through the old session, effectively bypassing the intended protection of a password change. Administrators and users of Apache Roller are strongly advised to upgrade to version 6.1.5 or later. This update implements centralized session management, ensuring that all active sessions are terminated immediately upon password changes or user deactivation. In related news, a critical vulnerability in Gladinet CentreStack also affects its Triofox remote access solution, leading to multiple organizations being compromised. Recommended read:
References :
|