CyberSecurity news
FlagThis - #vulnerability
|
Rescana@Rescana
//
Cisco is urging immediate action following the discovery of a critical vulnerability, CVE-2025-20309, in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw stems from hardcoded SSH root credentials that cannot be modified or removed, potentially allowing remote attackers to gain root-level access to affected systems. This vulnerability has a maximum severity rating with a CVSS score of 10.0, indicating it can be easily exploited with devastating consequences.
Cisco's security advisory specifies that all Engineering Special (ES) releases from 15.0.1.13010-1 through 15.0.1.13017-1 are vulnerable, regardless of optional features in use. An unauthenticated remote attacker can exploit this vulnerability by utilizing the static root account credentials to establish SSH connections to vulnerable systems. Once authenticated, the attacker gains complete administrative control over the affected device, enabling the execution of arbitrary commands with root privileges. There are no temporary workarounds to mitigate this risk. To remediate the vulnerability, administrators are advised to upgrade to version 15SU3 or apply the CSCwp27755 patch. Although Cisco discovered the flaw through internal testing and has not found evidence of active exploitation in the wild, the extreme severity necessitates immediate action to safeguard enterprise communications. The company has issued emergency fixes for the critical root credential flaw in Unified CM. Recommended read:
References :
@support.citrix.com
//
Two high-severity vulnerabilities, identified as CVE-2025-5349 and CVE-2025-5777, have been discovered in Citrix NetScaler ADC and NetScaler Gateway products. According to a Citrix advisory released on June 17, 2025, these flaws pose a significant risk to organizations using the affected products. It is strongly recommended that users update their systems as soon as possible to mitigate potential exploits. These vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS before 12.1-55.328-FIPS. Note that versions 12.1 and 13.0 are End Of Life (EOL) and are also vulnerable.
CVE-2025-5777, which has a CVSS score of 9.3, stems from insufficient input validation, leading to a memory overread. This vulnerability is only exploitable when NetScaler is configured as a Gateway, encompassing VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy, or when configured as an AAA virtual server. CVE-2025-5349, with a CVSS score of 8.7, is attributed to improper access control on the NetScaler Management Interface. Exploitation of this vulnerability requires the attacker to have access to the NSIP address, the Cluster Management IP, or the local GSLB Site IP. The National Vulnerability Database provides additional detail on both CVE-2025-5349 and CVE-2025-5777. To address these vulnerabilities, Citrix advises upgrading to the latest versions of NetScaler ADC and NetScaler Gateway. Additionally, after upgrading all NetScaler appliances in a high availability (HA) pair or cluster to the fixed builds, Citrix recommends executing the following commands to terminate all active ICA and PCoIP sessions: `kill icaconnection -all` and `kill pcoipConnection -all`. CERT-In has also issued an advisory regarding these vulnerabilities. Further information regarding the impact on businesses can be found on Cyberexpress. Recommended read:
References :
Veronika Telychko@SOC Prime Blog
//
Two critical local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, have been publicly disclosed, impacting a wide range of Linux distributions. Cybersecurity researchers at Qualys discovered that these vulnerabilities, when chained together, could allow an unprivileged user to gain full root access on vulnerable systems. The flaws reside in the Pluggable Authentication Modules (PAM) configuration (CVE-2025-6018) and the libblockdev library (CVE-2025-6019), with the latter being exploitable through the udisks daemon, which is commonly deployed by default in many Linux distributions.
Researchers have released proof-of-concept (PoC) exploit code demonstrating the effectiveness of the vulnerability chain, raising concerns about potential exploitation in the wild. CVE-2025-6018 allows an unprivileged local user to elevate permissions to "allow_active" status, enabling them to invoke Polkit actions typically reserved for users with physical access to the machine. CVE-2025-6019 then permits an "allow_active" user to gain full root privileges, effectively bypassing security controls and allowing for broader post-compromise actions. The teams responsible for the development of most popular Linux builds have already begun working on fixes for these vulnerabilities. Patches for Ubuntu are reportedly ready, and users of other distributions are advised to closely monitor for updates and promptly install them as they become available. As a temporary workaround, Qualys recommends modifying the Polkit rule for "org.freedesktop.udisks2.modify-device" to require administrator authentication ("auth_admin"). This highlights the critical importance of regular patching and vulnerability management in maintaining the security of Linux systems. Recommended read:
References :
@cert.europa.eu
//
A number of critical security vulnerabilities have been identified and addressed in several software products, highlighting the persistent need for vigilance and timely updates. One of the most severe issues is a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-23121, in Veeam Backup & Replication. This flaw, which received a CVSS score of 9.9, allows an authenticated domain user to execute code remotely on the Backup Server, specifically impacting domain-joined backup servers. Veeam has released security updates to fix this and other vulnerabilities, urging users to upgrade to the latest version, 12.3.2 (build 12.3.2.3617), as soon as possible.
Affected products include Veeam Backup & Replication versions 12, 12.1, 12.2, 12.3, and 12.3.1, along with Veeam Agent for Microsoft Windows versions 6.0, 6.1, 6.2, 6.3, and 6.3.1. In addition to the critical RCE in Veeam, a high severity Arbitrary Code Execution (ACE) vulnerability (CVE-2025-24286) in Veeam Backup & Replication was also addressed, allowing an authenticated user with the Backup Operator role to modify backup jobs, potentially leading to arbitrary code execution. Further more, a medium severity local privilege escalation bug (CVE-2025-24287) was identified affecting the Windows Veeam agent, which allows local system users to execute arbitrary code with elevated permissions by modifying specific directory contents. Users are strongly advised to update their software to the latest versions to mitigate the risks associated with these vulnerabilities. For Veeam users, it is recommended to implement best practices provided by the vendor, such as using a separate management workgroup or domain for Veeam components. The discovery of an undocumented root shell access (CVE-2025-26412) in the SIMCom SIM7600G modem, highlighting the dangers of backdoors and undocumented features in embedded devices. Furthermore, a critical vulnerability (CVE-2025-3464) in Asus Armoury Crate allows attackers to gain SYSTEM privileges via hard link manipulation, advising users to update or disable the software. Recommended read:
References :
@cyberpress.org
//
GitLab has issued critical security updates on June 11, 2025, to address multiple vulnerabilities in both the Community Edition (CE) and Enterprise Edition (EE) of its platform. These patches are crucial for self-managed GitLab installations, with experts urging immediate upgrades to prevent potential exploits. The updates tackle high-severity vulnerabilities that could allow attackers to achieve complete account takeover and compromise enterprise development environments, emphasizing the importance of proactive security measures in DevSecOps environments.
One of the most concerning vulnerabilities, CVE-2025-5121, affects GitLab Ultimate EE customers and carries a CVSS score of 8.5. This missing authorization issue allows attackers with authenticated access to a GitLab instance with a GitLab Ultimate license to inject malicious CI/CD jobs into all future pipelines of any project. This can lead to backdoors being added, validation steps being skipped, and secrets used during the build process being exposed, significantly compromising the software development lifecycle. Other notable vulnerabilities addressed in this patch release include CVE-2025-4278, an HTML injection vulnerability with a CVSS score of 8.7 that could lead to account takeover, and CVE-2025-2254, a cross-site scripting (XSS) vulnerability, also with a CVSS score of 8.7, allowing attackers to act in the context of legitimate users. GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 for both CE and EE to address these issues, and it's strongly recommended that all affected installations be updated as soon as possible. Recommended read:
References :
Anna Ribeiro@Industrial Cyber
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.
CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation. CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
US CISA has issued a warning about critical vulnerabilities discovered in SinoTrack GPS devices, which could allow attackers to remotely control vehicles and track their locations. The vulnerabilities affect all versions of the SinoTrack IoT PC Platform. Successful exploitation of these flaws could grant unauthorized access to device profiles through the common web management interface, enabling malicious actors to perform remote functions on connected vehicles.
The two main vulnerabilities are CVE-2025-5484 and CVE-2025-5485. CVE-2025-5484 is a weak authentication flaw stemming from the use of a default password and a username that is the identifier printed on the receiver. CVE-2025-5485 is an observable response discrepancy where the username used to authenticate to the web management interface is a numerical value of no more than 10 digits, making it easy for attackers to guess valid usernames. An attacker could retrieve device identifiers with physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay. CISA recommends that device users take defensive measures to minimize the risk of exploitation of these vulnerabilities. The most crucial step is to change the default password to a unique, complex password as soon as possible. In the absence of a patch, users are advised to also take steps to conceal the identifier. Security researcher Raúl Ignacio Cruz Jiménez stated that due to its lack of security, this device allows remote execution and control of the vehicles to which it is connected and also steals sensitive information about you and your vehicles. As of June 11, 2025, SinoTrack has not responded to CISA’s requests for information or provided fixes for these problems. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities discovered in SinoTrack GPS devices. These flaws could allow malicious actors to remotely control vehicles and track their locations. The vulnerabilities affect all known SinoTrack devices and the SinoTrack IOT PC Platform. This alert follows the disclosure of these security weaknesses by independent researcher Raúl Ignacio Cruz Jiménez.
The identified vulnerabilities include a weak authentication flaw (CVE-2025-5484) and an observable response discrepancy (CVE-2025-5485). The weak authentication stems from the use of a default password across all devices and the use of the device identifier as the username. The identifier, which is printed on the receiver, is easily accessible, either through physical access to the device or through images posted online. The observable response discrepancy arises from the numerical structure of usernames, which are up to 10 digits long. This enables attackers to guess valid usernames by trying different number sequences. Successful exploitation of these vulnerabilities could grant attackers unauthorized access to device profiles through the web management interface. This access could then be used to perform remote functions on connected vehicles, such as tracking the vehicle's location and, in some cases, disconnecting power to the fuel pump. With a CVSS v4 score of 8.8, CVE-2025-5485 is considered highly severe. While there are currently no official fixes available, CISA advises users to change the default password immediately and to conceal the device identifier, particularly in publicly accessible photographs. SinoTrack has not yet responded to CISA’s request. Recommended read:
References :
@gbhackers.com
//
SAP has released its June 2025 Security Patch Day update, addressing a critical vulnerability in SAP NetWeaver Application Server for ABAP, identified as CVE-2025-42989. The flaw, which carries a CVSS score of 9.6, allows attackers to bypass authorization checks and escalate privileges. This could grant unauthorized access to critical system functions, allowing manipulation of application data or disruption of services. The vulnerability affects NetWeaver kernel versions 7.89, 7.93, 9.14, and 9.15, making patching an urgent priority.
SAP warns that successful exploitation of this vulnerability could critically impact the integrity and availability of affected systems. The flaw stems from a missing authorization check within the Remote Function Call (RFC) framework, which enables authenticated attackers to bypass standard authorization checks on the S_RFC object when leveraging transactional or queued RFCs under specific conditions. SAP advises immediate patching and notes that post-patch, additional S_RFC permissions may need to be assigned to certain users. Detailed guidance on identifying affected users and activating enhanced checks is provided in SAP Note #3601919. Beyond the critical NetWeaver vulnerability, SAP's June Patch Day addresses a total of 14 new vulnerabilities across multiple enterprise products. These include high-severity flaws in SAP GRC, SAP Business Warehouse, and SAP BusinessObjects BI. A serious information disclosure vulnerability in SAP GRC (CVE-2025-42982) could allow non-administrative users to initiate sensitive transactions and manipulate system credentials. A missing authorization check in SAP Business Warehouse and SAP Plug-In Basis (CVE-2025-42983) could allow authenticated users to delete arbitrary database tables, resulting in data loss. Additionally, a cross-site scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace (CVE-2025-23192) could allow attackers to execute code in the browser of unsuspecting users, risking data theft and interface manipulation. Recommended read:
References :
TIGR Threat@Security Risk Advisors
//
Cisco has issued a critical security advisory regarding a vulnerability, CVE-2025-20286, in its Identity Services Engine (ISE) when deployed on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). This static credential flaw enables unauthenticated remote attackers to potentially access sensitive data, perform limited administrative actions, modify system configurations, or disrupt services. The vulnerability stems from improperly generated credentials during cloud deployments, resulting in multiple ISE deployments sharing the same static credentials, provided they are on the same software release and cloud platform.
Exploitation of CVE-2025-20286 could allow attackers to extract user credentials from a compromised Cisco ISE cloud deployment and utilize them to access other ISE instances in different cloud environments via unsecured ports. This could lead to unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. Cisco's Product Security Incident Response Team (PSIRT) has confirmed the existence of a proof-of-concept (PoC) exploit for this vulnerability, though there is no evidence of active exploitation in the wild. The vulnerability impacts specific versions of Cisco ISE, affecting versions 3.1, 3.2, 3.3, and 3.4 on AWS, and versions 3.2, 3.3, and 3.4 on Azure and OCI. Cisco emphasizes that this vulnerability only affects deployments where the Primary Administration node is hosted in the cloud; on-premises deployments are not affected. While there are no official workarounds, Cisco recommends restricting traffic to authorized administrators or using the "application reset-config ise" command to reset user passwords. The company has released security patches to address the flaw and urges users to update their systems promptly. Recommended read:
References :
@nvd.nist.gov
//
HPE has issued critical security patches for its StoreOnce data backup and deduplication platform, addressing eight newly discovered vulnerabilities. The most severe of these is an authentication bypass vulnerability, identified as CVE-2025-37093, which has been assigned a near-maximum CVSS score of 9.8. This indicates a critical risk to affected systems, as it could allow remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise StoreOnce VSA.
The authentication bypass, tracked as ZDI-25-312, exists due to a flaw in the `setLocateBeaconOnHardware` method. The issue stems from the lack of proper validation of a user-supplied string before it's used to execute a system call. Although authentication is typically required to exploit this vulnerability, the existing authentication mechanism can be bypassed, allowing attackers to execute code in the context of root. The ZDI has assigned a CVSS rating of 7.2 to CVE-2025-37089. Users of HPE StoreOnce are strongly advised to upgrade to version 4.3.11 or later to mitigate the risk of exploitation. Hewlett Packard Enterprise has released an update to correct this vulnerability, and more details can be found on their support website. The disclosure timeline indicates that the vulnerability was reported to the vendor on October 31, 2024, followed by a coordinated public release of the advisory on June 2, 2025. Recommended read:
References :
@www.openwall.com
//
Two new information disclosure vulnerabilities have been identified in Linux systems, specifically affecting Ubuntu, Red Hat Enterprise Linux, and Fedora distributions. These flaws reside in the core dump handlers 'apport' (CVE-2025-5054) and 'systemd-coredump' (CVE-2025-4598). The vulnerabilities are characterized as race condition bugs, which could be exploited by a local attacker to gain unauthorized access to sensitive information. Successful exploitation could lead to the exposure of critical data, including password hashes, through the manipulation of core dumps generated during system crashes.
Qualys Threat Research Unit (TRU) discovered that Apport incorrectly handled metadata when processing application crashes. This allows an attacker to induce a crash in a privileged process and quickly replace it with another process with the same process ID inside a mount and pid namespace. Apport will then attempt to forward the core dump, potentially containing sensitive information from the original privileged process, into the namespace. Similarly, systemd-coredump has a race condition that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump. Both vulnerabilities have been assigned a CVSS score of 4.7, indicating a medium severity level. Red Hat has rated CVE-2025-4598 as Moderate due to the high complexity involved in successfully exploiting the flaw. To mitigate the risk, users can disable core dump generation for SUID binaries by running the command "echo 0 > /proc/sys/fs/suid_dumpable" as root. Canonical has released updates for the apport package for all affected Ubuntu releases, addressing CVE-2025-5054, and users are advised to update their systems as soon as possible. Recommended read:
References :
|