CyberSecurity news

FlagThis - #vulnerability

@github.com //
A critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32434, has been discovered in PyTorch, a widely used open-source machine learning framework. This flaw, detected by security researcher Ji’an Zhou, undermines the safety of the `torch.load()` function, even when configured with `weights_only=True`. This parameter was previously trusted to prevent unsafe deserialization, making the vulnerability particularly concerning for developers who relied on it as a security measure. The discovery challenges long-standing security assumptions within machine learning workflows.

This vulnerability affects PyTorch versions 2.5.1 and earlier and has been assigned a CVSS v4 score of 9.3, indicating a critical security risk. Attackers can exploit the flaw by crafting malicious model files that bypass deserialization restrictions, allowing them to execute arbitrary code on the target system during model loading. The impact is particularly severe in cloud-based AI environments, where compromised models could lead to lateral movement, data breaches, or data exfiltration. As Ji'an Zhou noted, the vulnerability is paradoxical because developers often use `weights_only=True` to mitigate security issues, unaware that it can still lead to RCE.

To address this critical issue, the PyTorch team has released version 2.6.0. Users are strongly advised to immediately update their PyTorch installations. For systems that cannot be updated immediately, the only viable workaround is to avoid using `torch.load()` with `weights_only=True` entirely. Alternative model-loading methods, such as using explicit tensor extraction tools, are recommended until the patch is applied. With proof-of-concept exploits likely to emerge soon, delayed updates risk widespread system compromises.

Recommended read:
References :

@hackread.com //
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.

Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink.

Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging.

Recommended read:
References :
  • Cyber Security News: 17,000+ Fortinet Devices Compromised in Massive Hack via Symbolic Link Exploit
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • systemweakness.com: Fortinet Warns of Persistent Access Exploit in FortiGate Devices
  • gbhackers.com: Over 17,000 Fortinet Devices Hacked Using Symbolic Link Exploit
  • dashboard.shadowserver.org: Over 16,000 Fortinet devices compromised symlink backdoor
  • thehackernews.com: Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit
  • www.bleepingcomputer.com: Over 16,000 Fortinet devices compromised with symlink backdoor
  • cyberpress.org: Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts
  • cybersecuritynews.com: Leaked KeyPlug Malware Infrastructure Contains Exploit Scripts to Hack Fortinet Firewall and VPN
  • hunt.io: KeyPlug Server Exposes Fortinet Exploits & Webshell Activity Targeting a Major Japanese Company
  • gbhackers.com: RedGolf Hackers Linked to Fortinet Zero-Day Exploits and Cyber Attack Tools
  • Talkback Resources: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • Cyber Security News: Analysis of the exposed infrastructure linking RedGolf to exploitation tools.
  • gbhackers.com: Security researchers have linked the notorious RedGolf hacking group to a wave of exploits targeting Fortinet firewall zero-days.
  • securityonline.info: APT41/RedGolf Infrastructure Briefly Exposed: Fortinet Zero-Days Targeted Shiseido
  • OpenVPN Blog: SonicWall VPN Exploited, 16,000 Fortinet Devices Compromised | OpenVPN
  • cyberpress.org: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • cyble.com: IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit
  • Cyber Security News: RedGolf Hackers Unmasked: Fortinet Zero-Days and Attack Tools Exposed
  • securityonline.info: In a rare window into the operations of an advanced persistent threat, a KeyPlug-linked infrastructure briefly went live,
  • hackread.com: Fortinet Issues Fixes After Attackers Bypass Patches to Maintain Access
  • fortiguard.fortinet.com: FG-IR-24-435

Iain Thomson@The Register - Security //
The Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts concerning critical vulnerabilities affecting SonicWall SMA 100 series appliances and legacy Oracle Cloud environments. The alerts highlight potential risks to organizations and individuals stemming from exploited vulnerabilities and data theft. CISA is urging affected users to take immediate steps to mitigate potential cyberattacks, including resetting passwords, monitoring authentication logs, and implementing multi-factor authentication. These actions aim to prevent unauthorized access and escalation of privileges within enterprise environments.

The alert regarding Oracle Cloud addresses the compromise of legacy Oracle Cloud servers earlier in the year. CISA warns that the nature of the reported activity presents a potential risk, especially where credential material may be exposed, reused across separate systems, or embedded within scripts and applications. Compromised credentials, including usernames, emails, passwords, authentication tokens, and encryption keys, can significantly impact enterprise security. The agency has specifically emphasized the danger of embedded credentials, which are difficult to detect and remove, potentially enabling long-term unauthorized access.

CISA has also added CVE-2021-20035, a high-severity OS command-injection vulnerability in SonicWall SMA100 remote-access appliances, to its known exploited vulnerabilities catalog. SonicWall initially disclosed and patched the vulnerability in September 2021, later raising its severity score. The vulnerability allows a threat actor to remotely inject arbitrary commands, potentially leading to code execution. Federal civilian executive branch agencies have been directed to patch their SonicWall appliances by May 7 or discontinue use of the product. SonicWall is actively investigating the scope of the exploitation and urges customers to upgrade to the latest firmware.

Recommended read:
References :

Sergiu Gatlan@BleepingComputer //
A critical vulnerability, identified as CVE-2025-20236, has been discovered in the Cisco Webex App, posing a significant security risk to users. The vulnerability allows unauthenticated attackers to gain client-side remote code execution through maliciously crafted meeting invite links. The flaw stems from insufficient input validation within the app's custom URL parser, which processes these meeting invites. An attacker can exploit this weakness by tricking a user into clicking on a malicious link, which can then download arbitrary files and execute commands on the user's system with their privileges.

Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level.

Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236.

Recommended read:
References :
  • securityonline.info: Cisco Patches CVE-2025-20236: Unauthenticated RCE Flaw in Webex App via Malicious Meeting Links
  • The DefendOps Diaries: Understanding the Cisco Webex App Vulnerability: A Call to Action
  • BleepingComputer: Cisco Webex bug lets hackers gain code execution via meeting links
  • bsky.app: Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links.
  • www.bleepingcomputer.com: Cisco Webex bug lets hackers gain code execution via meeting links
  • securityonline.info: Cisco Patches CVE-2025-20236: Unauthenticated RCE Flaw in Webex App via Malicious Meeting Links

info@thehackernews.com (The@The Hacker News //
A critical security vulnerability, CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation, potentially allowing unauthenticated remote code execution (RCE). The flaw, which has been assigned a maximum CVSS score of 10.0, could enable attackers to execute arbitrary code on affected systems without providing any credentials. Researchers at Ruhr University Bochum, including Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk, identified the vulnerability. It stems from improper handling of SSH protocol messages, allowing attackers to send connection protocol messages prior to authentication, leading to a complete system compromise if the SSH daemon is running with root privileges.

The vulnerability affects all users running an SSH server based on the Erlang/OTP SSH library. According to the official Ericsson security advisory, any application providing SSH access using the Erlang/OTP SSH library should be considered affected. This vulnerability poses a significant risk, especially to critical infrastructure and high-availability systems where Erlang/OTP is widely used, such as in telecommunications equipment, industrial control systems, and connected devices. Expert Mayuresh Dani of Qualys emphasizes the critical nature, noting Erlang's frequent installation on high-availability systems. This vulnerability could allow actions such as installing ransomware or siphoning off sensitive data.

Proof-of-concept (PoC) exploits for CVE-2025-32433 have already been released, increasing the urgency for organizations to take immediate action. SecurityOnline reported the release of PoC code, and the Horizon3 Attack Team confirmed they had developed their own exploit, describing it as "surprisingly easy" to reproduce. Mitigation strategies include immediately updating to the patched versions: OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20. As a temporary workaround, it is recommended to disable the SSH server or restrict access via firewall rules until the updates can be applied. Organizations should evaluate their systems for potential compromise.

Recommended read:
References :
  • darkwebinformer.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
  • Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Ubuntu security notices: USN-7443-1: Erlang vulnerability
  • BleepingComputer: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • Open Source Security: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • The Hacker News: TheHackerNews Article about CVSS 10.0 in Erlang/OTP SSH
  • The DefendOps Diaries: Explore the critical CVE-2025-32433 vulnerability in Erlang/OTP SSH, its impact, and mitigation strategies.
  • hackread.com: Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
  • github.com: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH pre-auth RCE is 'Surprisingly Easy' to exploit, patch now
  • securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.openwall.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • securityonline.info: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Resources-2: Picus Security Blog on Erlang/OTP SSH RCE
  • Tenable Blog: Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices. Background On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the vulnerability mailing list.
  • securityonline.info: SecurityOnline article on Erlang/OTP CVE-2025-32433 (CVSS 10): Critical SSH Flaw Allows Unauthenticated RCE
  • Security Risk Advisors: Unauthenticated Remote Code Execution in Erlang/OTP SSH (CVE-2025-32433).
  • securityonline.info: Erlang/OTP SSH Vulnerability (CVE-2025-32433).
  • Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.runzero.com: Discusses an SSHamble with remote code execution in Erlang/OTP SSH.
  • Open Source Security: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • Cyber Security News: Cybersecurity News also reported this vulnerability.
  • securityboulevard.com: Vulnerability in Erlang/OTP SSH allows for unauthenticated remote code execution on vulnerable devices.
  • The DefendOps Diaries: Understanding and Mitigating CVE-2025-32433: A Critical Erlang/OTP Vulnerability
  • www.scworld.com: Maximum severity flaw impacts Erlang/OTP SSH Widely used library Erlang/OTP SSH was discovered to be affected by a maximum severity flaw, tracked as CVE-2025-32433, which could be leveraged to allow code execution without required logins, according to Hackread.
  • Open Source Security: Seclists Details on SSH execution in Erlang
  • Blog: CyberReason article on Erlang/OTP RCE Vulnerability.
  • infosecwriteups.com: InfoSec Writeups: Erlang/OTP SSH CVSS 10 RCE
  • securityboulevard.com: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
  • www.bleepingcomputer.com: Critical Erlang/OTP SSH RCE bug now has public exploits, patch now
  • industrialcyber.co: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • www.cybersecuritydive.com: Researchers warn of critical flaw found in Erlang OTP SSH
  • Arctic Wolf: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • Industrial Cyber: Frenos warns OT sector of critical Erlang vulnerability enabling remote code execution affecting millions of devices
  • www.csoonline.com: Public exploits already available for a severity 10 Erlang SSH vulnerability; patch now
  • arcticwolf.com: CVE-2025-32433: Maximum Severity Unauthenticated RCE Vulnerability in Erlang/OTP SSH
  • Security Risk Advisors: TheHackerNews post on Erlang/OTP SSH vulnerability.

info@thehackernews.com (The@The Hacker News //
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.

This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes.

CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks.

Recommended read:
References :
  • chemical-facility-security-news.blogspot.com: CISA Adds SonicWall Vulnerability to KEV Catalog – 4-16-25
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: Details on the exploitation of the vulnerability
  • Cyber Security News: CISA Alerts on Exploited SonicWall Command Injection Vulnerabilityâ€
  • gbhackers.com: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • BleepingComputer: On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...]
  • gbhackers.com: GBHackers: CISA Issues Alert on SonicWall Flaw Being Actively Exploited
  • securityonline.info: CISA Alert: Actively Exploited SonicWall SMA100 Vulnerability
  • The DefendOps Diaries: CISA flags critical SonicWall vulnerabilities: Urgent mitigation required to prevent cyber attacks
  • www.cybersecuritydive.com: Older SonicWall SMA100 vulnerability exploited in the wild
  • Arctic Wolf: Credential Access Campaign Targeting SonicWall SMA Devices Potentially Linked to Exploitation of CVE-2021-20035
  • Help Net Security: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • Arctic Wolf: On April 15, 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • arcticwolf.com: On 15 April 2025, SonicWall published a product notice regarding CVE-2021-20035, a vulnerability impacting SonicWall SMA 100 series appliances.
  • The DefendOps Diaries: Understanding and Mitigating the SonicWall SMA Vulnerability
  • BleepingComputer: SonicWall SMA VPN devices targeted in attacks since January
  • bsky.app: A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf.
  • www.scworld.com: Cybersecurity Dive reports that active exploitation of the nearly half a decade-old high-severity SonicWall SMA100 remote-access appliance operating system command injection flaw
  • www.helpnetsecurity.com: Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
  • securityaffairs.com: CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog.
  • Help Net Security: CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers.
  • arcticwolf.com: Details the credential access campaign targeting SonicWall SMA devices and its potential link to CVE-2021-20035 exploitation.
  • securityaffairs.com: Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025.
  • securityaffairs.com: Security Affairs newsletter reports attackers exploited SonicWall SMA appliances since January 2025
  • www.bleepingcomputer.com: SonicWall SMA VPN devices targeted in attacks since January

info@thehackernews.com (The@The Hacker News //
A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform. The flaw, which carries a CVSS score of 10.0, affects all versions from 1.0.0 up to and including 6.1.4. This vulnerability allows malicious actors to retain unauthorized access to blog sites even after a password change.

The core of the issue lies in insufficient session expiration. When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions. Consequently, any session tokens or cookies issued before the password change remain valid, creating a significant security risk. An attacker who has compromised a user’s credentials can maintain access to the application through the old session, effectively bypassing the intended protection of a password change.

Administrators and users of Apache Roller are strongly advised to upgrade to version 6.1.5 or later. This update implements centralized session management, ensuring that all active sessions are terminated immediately upon password changes or user deactivation. In related news, a critical vulnerability in Gladinet CentreStack also affects its Triofox remote access solution, leading to multiple organizations being compromised.

Recommended read:
References :
  • Cyber Security News: A critical security vulnerability, CVE-2025-24859, has been discovered in Apache Roller, a widely used Java-based blogging platform.
  • Anonymous ???????? :af:: A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date.
  • securityaffairs.com: A critical vulnerability, tracked as CVE-2025-24859 (CVSS score of 10.0), affects the Apache Roller open-source, Java-based blogging server software.
  • securityonline.info: A security vulnerability has been identified in Apache Roller, a Java-based blog server, that could allow unauthorized access
  • The Hacker News: A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.