@itpro.com
//
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.
This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. These flaws could lead to unauthenticated remote code execution (RCE), potentially exposing over 6,500 clusters to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, have a CVSS score of 9.8. Cloud security firm Wiz discovered these flaws and reported that approximately 43% of cloud environments are susceptible to these vulnerabilities.
Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which utilizes NGINX as a reverse proxy and load balancer. Attackers can exploit the unrestricted network accessibility of admission controllers by injecting malicious NGINX configurations, gaining unauthorized access to cluster secrets and potentially leading to a complete cluster takeover. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks. Recommended read:
References :
@cyberalerts.io
//
A critical vulnerability has been discovered in the widely-used Next.js framework, identified as CVE-2025-29927. This flaw allows attackers to bypass authorization checks within the framework's middleware system. Middleware is commonly used to enforce authentication, authorization, path rewriting, and security-related headers, making this vulnerability particularly severe. Vercel, the company behind Next.js, disclosed the issue on March 21st, 2025, highlighting its potential impact on services relying on vulnerable versions of the framework.
To mitigate the risk, developers using Next.js version 11 or higher are urged to update to the patched versions: 15.2.3, 14.2.25, 13.5.9, or 12.3.5. For those unable to immediately update, a temporary workaround involves blocking user requests with the 'x-middleware-subrequest' header. Some hosting platforms, like Vercel and Netlify, have already implemented this measure to protect their users. The vulnerability allows login screens to be bypassed without proper credentials, potentially compromising user data and sensitive information. Recommended read:
References :
Bill Toulas@BleepingComputer
//
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access, even if initially removed.
The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and encrypt devices after the initial compromise, attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They utilize Windows Management Instrumentation (WMIC), SSH, and TACACS+/RADIUS authentication, which are protocols for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks. Recommended read:
References :
@The DefendOps Diaries
//
Mozilla has issued an urgent security update for its Firefox browser on Windows to address a critical sandbox escape vulnerability, identified as CVE-2025-2857. This flaw allows attackers to bypass the browser's security sandbox, posing significant risks to Windows users. Mozilla is releasing security updates for Firefox versions 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1 to patch this vulnerability.
The vulnerability, reported by Mozilla developer Andrew McCreight, involves an incorrect handle that could lead to sandbox escapes, potentially enabling attackers to execute arbitrary code on affected systems. This comes after a similar exploit, CVE-2025-2783, was identified in Google Chrome. Windows users are advised to update their browsers to the latest version as soon as possible to mitigate this risk. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.
Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity & Infrastructure Agency (CISA), who attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.
Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, highlighting its severity. It exclusively affects VMware Tools running on Windows operating systems, emphasizing the importance of immediate action for affected users. Recommended read:
References :
Nathaniel Morales@feeds.trendmicro.com
//
The Albabat ransomware has evolved, now targeting Windows, Linux, and macOS systems, according to recent research. This marks a significant expansion in the group's capabilities, showcasing increased sophistication in exploiting multiple operating systems. Trend Micro researchers uncovered this evolution, noting the ransomware group leverages GitHub to streamline their operations, enhancing the efficiency and reach of their attacks.
Albabat ransomware version 2.0 gathers system and hardware information on Linux and macOS systems and uses a GitHub account to store and deliver configuration files. This allows attackers to manage operations centrally and update tools efficiently. The GitHub repository, though private, is accessible through an authentication token, demonstrating active development through its commit history. Recent versions of Albabat ransomware retrieve configuration data through the GitHub REST API, utilizing a User-Agent string labeled "Awesome App." It encrypts file extensions, including .exe, .dll, .mp3, and .pdf, while ignoring folders like Searches and AppData. The ransomware also terminates processes like taskmgr.exe and regedit.exe to evade detection. It tracks infections and payments through a PostgreSQL database, potentially selling stolen data. Recommended read:
References :
Bill Toulas@BleepingComputer
//
GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.
Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. Other vulnerabilities that were addressed are CVE-2025-27407, a high severity Ruby graphql vulnerability. Recommended read:
References :
@itpro.com
//
Qualys security researchers have uncovered three bypasses in Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. These bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications, however, the newly discovered flaws create a weak spot that attackers can exploit.
The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025. Recommended read:
References :
MSSP Alert@MSSP feed for Latest
//
Multiple Mirai-based botnets have been actively exploiting a zero-day vulnerability, tracked as CVE-2025-1316, in Edimax IP cameras for nearly a year. The attacks targeting these vulnerable cameras began around May of last year, with intrusions observed by security researchers. While initial exploitation occurred in May, there was a pause before a resurgence in activity in September and again from January to February.
The attackers are leveraging default credentials on the Edimax devices to deploy the Mirai malware. A proof-of-concept exploit has been available since June 2023, suggesting possible earlier attack attempts. Edimax disclosed that a patch for the zero-day is not possible, because the affected IP cameras have reached end-of-life over 10 years ago and the source code and development environment are no longer available. Therefore, organizations are urged to ensure they are using up-to-date software and firmware on their devices to prevent botnet compromise. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, CVE-2025-1316, affecting Edimax Internet of Things (IoT) devices is being exploited to spread Mirai malware. According to reports, multiple botnets are actively targeting Edimax IP cameras, exploiting the flaw to compromise devices and incorporate them into their networks. The attacks involve leveraging default credentials to facilitate the deployment of Mirai, known for orchestrating distributed denial-of-service (DDoS) attacks.
Initial exploitation attempts were observed as early as May 2024, with increased activity in September and again from January to February 2025. Although a proof-of-concept exploit has been available since June 2023, the intrusions highlight the ongoing risk posed by unpatched vulnerabilities in IoT devices. Edimax has stated that the affected IP cameras are end-of-life for over 10 years and they are unable to provide patches. Organizations are urged to update software and firmware. Recommended read:
References :
Rescana@Rescana
//
Critical vulnerabilities in ServiceNow, a widely used cloud-based platform, are being actively exploited by hackers, resulting in escalated attacks. Security researchers at GreyNoise have observed a resurgence of malicious activity targeting three year-old, but previously patched, flaws: CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. These vulnerabilities can lead to unauthorized access and potentially full database compromise if left unpatched.
Organizations that failed to apply ServiceNow patches last year are now falling victim to these exploits. Israel has been significantly impacted, with over 70% of recent malicious activity directed at systems within the country. However, attacks have also been detected in Lithuania, Japan, and Germany. Security experts urge organizations to apply the necessary patches and monitor for unusual authentication attempts, unauthorized data access logs, and unexpected server behavior. Recommended read:
References :
Rescana@Rescana
//
Critical vulnerabilities in ServiceNow are being actively exploited, posing a significant threat, especially to systems in Israel. Three key flaws, CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, have been identified and are under active attack. These vulnerabilities, some over a year old, were initially disclosed in early 2023 and patches were provided by ServiceNow. Despite the patches, exploitation activities have surged, particularly targeting Israeli systems.
These vulnerabilities allow threat actors to gain unauthorized access, potentially leading to data breaches and operational disruptions. CVE-2024-4879 is a template injection vulnerability allowing remote code execution. CVE-2024-5217 and CVE-2024-5178 involve input validation errors that can be exploited to manipulate data and bypass security controls, potentially granting full database access. Organizations that failed to apply ServiceNow patches last year are continuing to fall victim. Recommended read:
References :
SC Staff@scmagazine.com
//
Attackers are intensifying their efforts to exploit old ServiceNow vulnerabilities, specifically CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, which were patched last year. GreyNoise, a threat intelligence firm, has observed a resurgence of in-the-wild activity targeting these flaws, putting unpatched company instances at risk. These vulnerabilities can potentially lead to unauthorized access to sensitive data, remote code execution, and full database compromise, even by unauthenticated actors.
The attacks have predominantly targeted systems in Israel, accounting for over 70% of recent malicious activity. However, organizations in Lithuania, Japan, and Germany have also been affected. Security experts urge organizations to apply the necessary patches to protect their ServiceNow platforms and mitigate the risk of exploitation. These vulnerabilities were initially discovered by Assetnote in May 2024, and ServiceNow promptly released patches, but a failure to apply these updates has left some systems vulnerable. Recommended read:
References :
@itpro.com
//
A critical security incident has been detected involving the widely-used GitHub Action "tj-actions/changed-files," resulting in CVE-2025-30066. The compromise involved attackers modifying the action's code and retroactively updating multiple version tags to point to the malicious commit. This allowed the malicious code to print CI/CD secrets in GitHub Actions build logs, potentially exposing them in public repositories. The "tj-actions/changed-files" GitHub Action is used in over 23,000 repositories, making the scale of this compromise significant. GitHub has removed the "tj-actions/changed-files" Action, preventing it from being used in GitHub Actions workflows.
The malicious commit, identified as 0e58ed8 ("chore(deps): lock file maintenance (#2460)"), was added to all 361 tagged versions of the GitHub action. This commit resulted in a script that can leak CI/CD secrets from runner memory. The anomaly was detected by StepSecurity's Harden-Runner, which identified suspicious outbound network requests directed at gist.githubusercontent.com. Immediate actions are necessary to mitigate the risk of credential theft and CI pipeline compromise. Step Security has urged maintainers of public repositories using the compromised Action to review recovery steps immediately, as multiple public repositories have been found to have leaked secrets in build logs. Recommended read:
References :
Divya@gbhackers.com
//
References:
www.scworld.com
, gbhackers.com
,
Critical vulnerabilities in the ruby-saml library, tracked as CVE-2025-25291 and CVE-2025-25292, allow attackers to bypass authentication in applications using the library for Single Sign-On (SSO). These flaws stem from discrepancies in XML parsing between REXML and Nokogiri, potentially leading to account takeovers. An attacker possessing a valid signature from the targeted organization can craft SAML assertions to log in as any user.
The vulnerabilities were discovered during a security review by GitHub's Security Lab, prompting GitLab to release critical patches in versions 17.9.2, 17.8.5, and 17.7.7 for Community Edition and Enterprise Edition. Organizations are urged to upgrade to the latest ruby-saml version to mitigate the risk of authentication bypass and account hijacking. The ruby-saml library is used in various applications and products, including GitLab. Recommended read:
References :
Sam Bent@Sam Bent
//
References:
Sam Bent
, www.bleepingcomputer.com
CISA has issued a warning to U.S. federal agencies regarding a critical vulnerability, CVE-2024-48248, in NAKIVO's Backup & Replication software. This flaw, an absolute path traversal bug, could allow attackers to access sensitive files, potentially compromising configuration files, backups, and credentials. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Agencies are urged to apply necessary mitigations by April 9, 2025.
The vulnerability, affecting versions prior to 10.11.3.86570, was discovered by watchTowr Labs, who also published a proof-of-concept exploit. Successful exploitation could allow an unauthenticated attacker to read arbitrary files on the target host via the "/c/router" endpoint. NAKIVO addressed the issue in November 2024 with version v11.0.0.88174. CISA's directive underscores the need for federal agencies to promptly patch the flaw to secure their networks against potential data exposure. Recommended read:
References :
Rescana@Rescana
//
References:
securityonline.info
, Rescana
A critical security flaw, tracked as CVE-2025-21590, has been identified in Juniper Networks' Junos OS and is currently being exploited in the wild. This vulnerability, characterized by an Improper Isolation or Compartmentalization issue in the kernel, could allow a local attacker with shell access to execute arbitrary code and compromise affected devices. Juniper has released an urgent fix to address this actively exploited flaw, urging users to upgrade to a patched release as soon as possible.
Juniper's Security Incident Response Team (SIRT) has received reports of malicious exploitation of this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog, advising immediate patching. The vulnerability impacts a wide range of Junos OS versions, specifically all versions before 21.2R3-S9, 21.4 versions before 21.4R3-S10, and 22.2 versions before 22.2R3-S6, among others, Juniper Networks strongly advises customers to upgrade to a fixed release as soon as it becomes available. Recommended read:
References :
Rescana@Rescana
//
A critical vulnerability, tracked as CVE-2025-26909, has been identified in the WP Ghost plugin, a popular WordPress security plugin used by over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially allowing attackers to gain complete control over affected web servers without authentication. The vulnerability stems from insufficient validation of user-supplied input through the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.
This flaw allows unauthenticated users to manipulate the URL to trigger file inclusion, potentially leading to arbitrary code execution, especially when the "Change Paths" feature is set to Lite or Ghost mode. Exploit techniques such as `php://filter` chains and leveraging `PHP_SESSION_UPLOAD_PROGRESS` can be used. Website administrators are strongly advised to immediately update their WP Ghost plugin to the latest version 5.4.02 to mitigate this severe security risk and implement additional security measures. In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. This campaign utilizes injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites to redirect users to malicious sites. This highlights the broader issue of WordPress plugin vulnerabilities and the importance of maintaining strong security practices, including regular updates and vigilance. Recommended read:
References :
|