CyberSecurity news

FlagThis - #vulnerability

@securityonline.info //
Microsoft has recently addressed several critical security vulnerabilities affecting its Azure cloud services and Microsoft Power Apps. The flaws, identified in Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, highlighted the importance of proactive security measures within cloud-native development environments. One vulnerability, CVE-2025-29813, received the maximum Common Vulnerability Scoring System (CVSS) score of 10, indicating its severity.

The most critical vulnerability, found in Azure DevOps, allowed attackers with project-level access to escalate their privileges by exchanging short-term pipeline job tokens for long-term ones, potentially gaining extensive access within a project environment. Additional vulnerabilities included CVE-2025-29827 in Azure Automation, where improper authorization could enable a user to elevate privileges, CVE-2025-29972, an SSRF vulnerability in Azure Storage Resource Provider, and CVE-2025-47733 in Microsoft Power Apps, which allowed unauthorized information disclosure over a network through a Server-Side Request Forgery (SSRF).

Despite the severity of these vulnerabilities, Microsoft has assured users that no action is required on their part. The company has already mitigated the flaws at the platform level, preventing potential exploitation. These patches underscore Microsoft's commitment to maintaining a secure cloud environment and highlight the ongoing need for robust security practices within cloud-native development.

Recommended read:
References :
  • securityonline.info: Microsoft Patches Four Critical Azure and Power Apps Vulnerabilities, Including CVSS 10 Privilege Escalation
  • Talkback Resources: Microsoft addressed critical vulnerabilities in various Azure services, including Azure Automation, Azure Storage, Azure DevOps, and Microsoft Power Apps, emphasizing the need for proactive security measures in cloud-native development environments.
  • Davey Winder: Microsoft has confirmed several cloud security vulnerabilities, including one with a maximum critical rating of 10.
  • Davey Winder: Critical 10/10 Microsoft Cloud Security Vulnerability Confirmed

@www.helpnetsecurity.com //
SonicWall has released critical security patches to address three vulnerabilities affecting its SMA 100 series of Secure Mobile Access (SMA) appliances. These flaws, which could lead to remote code execution with root privileges, pose a significant threat to organizations using the affected devices. One of the vulnerabilities, CVE-2025-32819, is already being actively exploited in the wild, underscoring the urgency of applying the patches. The vulnerabilities impact SMA 200, 210, 400, 410, and 500v appliances running versions 10.2.1.14-75sv and earlier.

CVE-2025-32819 allows a remote, authenticated attacker with SSL-VPN user privileges to bypass path traversal checks and delete arbitrary files, potentially resetting the device to factory default settings. CVE-2025-32820 enables an attacker with similar privileges to inject a path traversal sequence, making any directory on the SMA appliance writable. CVE-2025-32821 permits an attacker with SSL-VPN admin privileges to inject shell command arguments to upload a file on the appliance. Security researchers have demonstrated that chaining these vulnerabilities together allows attackers to gain root-level remote code execution.

To mitigate these risks, SonicWall strongly advises users of the affected SMA 100 series products to upgrade to version 10.2.1.15-81sv or higher. As a further safeguard, SonicWall recommends enabling multifactor authentication (MFA) and Web Application Firewall (WAF) on SMA100 devices. The company also suggests resetting passwords for users who may have logged into the device via the web interface. These measures, along with the security update, will help protect systems from potential exploitation.

Recommended read:
References :
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
  • circl: Security Advisory - SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities
  • BleepingComputer: BleepingComputer reports about SonicWall urging admins to patch VPN flaw exploited in attacks
  • Help Net Security: HelpNetSecurity details SonicWall SMA100 vulnerability exploited in the wild
  • Rapid7 Cybersecurity Blog: Multiple vulnerabilities in SonicWall SMA 100 series (FIXED)
  • MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release
  • bsky.app: SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/
  • Caitlin Condon: Today, disclosed 3 new vulnerabilities in SonicWall SMA-100 series appliances, one of which we believe may have been used in the wild.
  • vulnerability.circl.lu: Security Advisory - SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities and following the following technical disclosure: 🔗 It's exploited. 🔗 Bundle with all the vulnerabilities and the sighting
  • securityaffairs.com: SonicWall fixed SMA 100 flaws that could be chained to execute arbitrary code
  • MSSP feed for Latest: SonicWall Patches Critical Vulnerabilities in SMA 100 Series Appliances
  • www.scworld.com: SonicWall addresses trio of SMA 100 flaws
  • socradar.io: Severe Vulnerabilities in Cisco & SonicWall Expose Systems to RCE, DoS, and More: Patch Now
  • Threats | CyberScoop: SonicWall customers confront resurgence of actively exploited vulnerabilities
  • cyberscoop.com: The network security device vendor is making a regular appearance on CISA’s known exploited vulnerabilities catalog. Unlike its competitors, SonicWall hasn’t signed the secure-by-design pledge.
  • bsky.app: New SonicWall SMA zero-day. Looks like a post-compromise exploit for EoP

@sec.cloudapps.cisco.com //
Cisco has issued a critical security advisory to address CVE-2025-20188, a severe vulnerability affecting its IOS XE Wireless LAN Controllers (WLCs). This flaw, which has been assigned a CVSS score of 10.0, allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT) present within the affected system, enabling attackers to potentially gain root privileges. The vulnerability impacts several products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs.

The exploitation requires the Out-of-Band AP Image Download feature to be enabled, which is not enabled by default. An attacker can exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could enable the attacker to perform path traversal and execute arbitrary commands with root privileges, leading to a complete compromise of the affected system. Cisco advises administrators to check if the Out-of-Band AP Image Download feature is enabled by using the `show running-config | include ap upgrade` command. If the command returns `ap upgrade method https`, the feature is enabled, and the device is vulnerable.

Currently, there are no direct workarounds available to address this vulnerability. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed. Cisco has released free software updates to address this vulnerability, advising customers with service contracts to obtain these security fixes through their usual update channels, urging them to upgrade to the fixed release as soon as possible. As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability.

Recommended read:
References :
  • securityonline.info: Critical CVE-2025-20188 (CVSS 10) Flaw in Cisco IOS XE WLCs Allows Remote Root Access
  • The Hacker News: Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT
  • Rescana: Detailed Analysis Report on Cisco Security Advisory: cisco-sa-wlc-file-uplpd-rHZG9UfC Overview The Cisco Security Advisory ID...
  • Anonymous: New Cisco flaw scores a perfect 10.0 CVSS. A hardcoded token. Root access. No login needed. If you run Catalyst 9800 wireless controllers, you’ll want to check this fast.
  • securityaffairs.com: Cisco fixed a critical flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files.
  • thecyberexpress.com: News about Cisco fixing a 10.0-rated wireless controller flaw (CVE-2025-20188).
  • securityonline.info: SecurityOnline reports on critical CVE-2025-20188 flaw in Cisco IOS XE WLCs allowing remote root access.
  • sec.cloudapps.cisco.com: Security Advisory - Security updates available for Cisco IOS and IOS XE Software
  • BleepingComputer: Cisco fixed a maximum severity IOS XE flaw letting attackers hijack devices
  • Security Risk Advisors: Critical Vulnerability in Cisco IOS XE Wireless Controllers Allows Unauthenticated Remote Code Execution
  • BleepingComputer: Cisco fixed a maximum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices. The flaw, tracked as CVE-2025-20188, is caused by a hardcoded JWT token that lets you bypass authentication and ultimately execute commands as root.
  • www.scworld.com: Cisco patches maximum severity vulnerability in IOS XE Software
  • www.bleepingcomputer.com: Critical vulnerability in Cisco IOS XE Wireless Controllers allows unauthenticated remote code execution
  • darkwebinformer.com: Cisco IOS XE Wireless Controllers Vulnerable to Unauthenticated Root Exploits via JWT (CVE-2025-20188)
  • BleepingComputer: Cisco fixed a maximum severity (10.0) flaw in IOS XE for WLCs that allows attackers to hijack devices.
  • www.csoonline.com: Cisco patches max-severity flaw allowing arbitrary command execution

@Talkback Resources //
A critical security vulnerability in Langflow, an open-source platform used for building agentic AI workflows, is under active exploitation, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-3248, carries a critical CVSS score of 9.8 out of 10, indicating its high severity. Organizations are being urged to immediately apply security updates and mitigation measures to prevent potential attacks.

The flaw is a missing-authentication weakness in the `/api/v1/validate/code` endpoint of Langflow, which lets unauthenticated remote attackers execute arbitrary code through crafted HTTP requests. Specifically, the endpoint invokes Python's built-in `exec()` on user-supplied code without adequate authentication or sandboxing, so an attacker can run arbitrary commands on the server and potentially achieve full system compromise. The vulnerability affects most versions of Langflow and has been addressed in version 1.3.0, released on March 31, 2025.

According to security researchers, the vulnerability is easily exploitable and allows unauthenticated remote attackers to take control of Langflow servers. There are currently 466 internet-exposed Langflow instances, with a majority of them located in the United States, Germany, Singapore, India, and China. While the specifics of real-world exploitation are not fully known, exploit attempts have been recorded against honeypots. Federal Civilian Executive Branch (FCEB) agencies have been given until May 26, 2025, to apply the necessary fixes.
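The endpoint described above runs submitted code to "validate" it. As an added illustration (not Langflow's code or its actual fix), the block below contrasts that pattern with a handler that first checks a caller token and then validates the code statically with `ast.parse`, so syntax is checked and imports and function names are reported without ever executing the input. The token and result shape are assumptions for the example.

```python
import ast
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed secret for the example; a deployment would load it from
# configuration and never hard-code it.
API_TOKEN = "constructed-example-token"


@dataclass
class ValidationResult:
    ok: bool
    errors: List[str] = field(default_factory=list)
    imports: List[str] = field(default_factory=list)
    functions: List[str] = field(default_factory=list)


def vulnerable_validate(source: str) -> ValidationResult:
    """The 'before' shape the advisory describes: no caller check, and the
    code is executed to see whether it works. Shown only for contrast."""
    try:
        exec(source, {})  # intentionally unsafe illustration
        return ValidationResult(ok=True)
    except Exception as exc:
        return ValidationResult(ok=False, errors=[str(exc)])


def authorized(token: Optional[str]) -> bool:
    """Constant-time token comparison; stands in for the app's real auth."""
    return token is not None and hmac.compare_digest(token, API_TOKEN)


def validate_code(source: str, token: Optional[str]) -> ValidationResult:
    """Hardened shape: reject unauthenticated callers, then parse only.
    ast.parse builds a syntax tree and never runs the code."""
    if not authorized(token):
        return ValidationResult(ok=False, errors=["unauthorized"])
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return ValidationResult(ok=False, errors=[f"line {exc.lineno}: {exc.msg}"])
    result = ValidationResult(ok=True)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            result.imports.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            result.imports.append(node.module or "")
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            result.functions.append(node.name)
    return result


if __name__ == "__main__":
    sample = "import os\n\ndef run():\n    return os.getcwd()\n"
    print(validate_code(sample, API_TOKEN))
    print(validate_code(sample, None))
```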

Recommended read:
References :
  • Talkback Resources: Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence [app] [exp] [net]
  • The Hacker News: Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence
  • BleepingComputer: The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible.
  • securityaffairs.com: U.S. CISA adds Langflow flaw to its Known Exploited Vulnerabilities catalog
  • www.scworld.com: Critical 9.8 Langflow RCE bug added to CISA vulnerability list
  • www.csoonline.com: Critical flaw in AI agent dev tool Langflow under active exploitation
  • www.bleepingcomputer.com: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible.
  • www.helpnetsecurity.com: A missing authentication vulnerability (CVE-2025-3248) in Langflow, a web application for building AI-driven agents, is being exploited by attackers in the wild, CISA has confirmed by adding it to its Known Exploited Vulnerabilities (KEV) catalog.
  • www.bleepingcomputer.com: Critical Langflow RCE flaw exploited to hack AI app servers

@cyberalerts.io //
Cybersecurity researchers have confirmed that the Samsung MagicINFO 9 Server is under active exploitation, with hackers leveraging a remote code execution (RCE) vulnerability, CVE-2024-7399, to deploy the Mirai botnet. This vulnerability, a path traversal flaw, allows attackers to write arbitrary files as system authority, ultimately leading to remote code execution. The unauthenticated nature of the flaw exacerbates the risk, allowing threat actors to exploit systems without any user credentials. The attacks target the file upload functionality in the MagicINFO 9 Server, which is intended for updating display content but is being abused to upload malicious code and execute a shell script that downloads the botnet.

The exploitation of CVE-2024-7399 began shortly after a proof-of-concept (PoC) exploit was made public. Arctic Wolf researchers have observed this exploitation in the wild, noting that the vulnerability allows arbitrary file writes by unauthenticated users. Improper sanitization of filename input, with no validation of the file extension and no authentication check, allows threat actors to upload JSP files and execute arbitrary code with system authority on vulnerable servers. Although Samsung released a patch for this vulnerability in August 2024, many systems remain unpatched and exposed to these attacks.

The exploitation of the Samsung MagicINFO flaw is not an isolated incident; threat actors are also targeting GeoVision end-of-life (EoL) Internet of Things (IoT) devices to incorporate them into the Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. Given the low barrier to exploitation, the availability of a public PoC, and the potential for widespread impact, organizations are strongly advised to update their Samsung MagicINFO Server instances to version 21.1050 or later, applying the patch for CVE-2024-7399 immediately to limit potential operational impact.

Recommended read:
References :
  • Arctic Wolf: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
  • arcticwolf.com: Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)
  • cyberinsider.com: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
  • thehackernews.com: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
  • www.bleepingcomputer.com: Samsung MagicINFO 9 Server RCE flaw now exploited in attacks
  • securityaffairs.com: Samsung MagicINFO flaw exploited days after PoC exploit publication
  • The Hacker News: Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet
  • www.helpnetsecurity.com: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
  • BleepingComputer: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware.
  • CyberInsider: Samsung MagicINFO Flaw Now Actively Exploited by Mirai Botnet
  • Help Net Security: Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)
  • bsky.app: A Mirai botnet is exploiting a 2024 bug in MagicINFO, a Samsung digital signage system
  • The DefendOps Diaries: Understanding and Mitigating the CVE-2024-7399 Vulnerability in Samsung MagicINFO 9 Server
  • www.techradar.com: Top Samsung software hit by attackers to spread malware and hijack devices

@source.android.com //
Google has released its May 2025 Android security bulletin, addressing a total of 46 vulnerabilities. The update includes a fix for CVE-2025-27363, a critical Remote Code Execution (RCE) flaw that is already being actively exploited in the wild. The RCE flaw exists within the Android System component, enabling local code execution without requiring user interaction or elevated privileges.

This vulnerability stems from FreeType, an open-source font rendering library widely embedded in Android. Google's advisory underscores the severity of this actively exploited bug, prompting the U.S. CISA to add it to its Known Exploited Vulnerabilities Catalog. U.S. federal agencies are now under directive to apply the patch by May 27, 2025.

The May 2025 Android security bulletin resolves several other high-impact issues across Android versions 13 through 15. These include multiple Elevation of Privilege (EoP) flaws affecting both the framework and system components. Among them are CVE-2025-0087 and CVE-2025-26426. Users are encouraged to check for updates to ensure their devices are protected from these vulnerabilities. The update is available for Android 13, 14, and 15, with Android vendors notified of the issues at least a month before publication.

Recommended read:
References :
  • CyberScoop: Google addresses 1 actively exploited vulnerability in May’s Android security update
  • Malwarebytes: Android fixes 47 vulnerabilities, including one zero-day.
  • securityaffairs.com: Google fixed actively exploited Android flaw CVE-2025-27363
  • The Hacker News: Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
  • socradar.io: SocRadar: Android’s May 2025 Update Tackles CVE-2025-27363 & More
  • www.bleepingcomputer.com: bleepingcomputer: Google fixes actively exploited FreeType flaw on Android
  • thecyberexpress.com: Google Rolls Out May 2025 Android Security Bulletin, Fixes 46 Vulnerabilities Including CVE-2025-27363

@source.android.com //
Google has released its May 2025 Android security update, addressing a total of 46 or 47 security flaws affecting Android devices. The update includes a fix for CVE-2025-27363, a high-severity vulnerability in the Android System component that has been actively exploited in the wild. The vulnerability, which is present in versions of FreeType up to 2.13, could allow for local code execution without requiring any additional execution privileges or user interaction. Google noted that there are indications that this flaw may be under limited, targeted exploitation.

The actively exploited vulnerability, CVE-2025-27363, is an out-of-bounds write defect in the FreeType font rendering library. FreeType is a widely used open-source library that allows developers to render fonts and is found in over a billion devices. The vulnerability, discovered by Facebook security researchers in March 2025, has a base score of 8.1 on the CVSS scale. Exploitation of this flaw could lead to arbitrary code execution when parsing TrueType GX and variable font files.

The May 2025 security update contains two patch levels, 2025-05-01 and 2025-05-05, allowing Android partners to address a range of vulnerabilities on different devices. In addition to the FreeType flaw, the update also resolves eight other flaws in the Android System and 15 flaws in the Framework module, which could be abused to facilitate privilege escalation, information disclosure, and denial-of-service attacks. Google Pixel users will automatically receive the update, while other Android device manufacturers will release the patches after customizing the operating system for their specific hardware. Source code patches for all addressed vulnerabilities will be released to the Android Open Source Project repository.

Recommended read:
References :
  • CyberScoop: Google addresses 1 actively exploited vulnerability in May’s Android security update
  • securityaffairs.com: Google fixed actively exploited Android flaw CVE-2025-27363
  • The Hacker News: Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
  • Talkback Resources: Google Fixes Actively Exploited Android System Flaw in May 2025 Security Update [app] [exp] [sys]
  • www.bleepingcomputer.com: Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability.
  • BleepingComputer: Google fixes actively exploited FreeType flaw on Android
  • CyberInsider: CyberInsider reports Android May 2025 Security Update Fixes Actively Exploited FreeType Zero-Day
  • thecyberexpress.com: The Cyber Express article discussing Google's May 2025 Android Security Bulletin.
  • BleepingComputer: Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability.
  • www.helpnetsecurity.com: Actively exploited FreeType flaw fixed in Android (CVE-2025-27363)
  • Help Net Security: Security news article on Actively exploited FreeType flaw fixed in Android (CVE-2025-27363)
  • socradar.io: Android’s May 2025 Update Tackles CVE-2025-27363 & More – Langflow & MagicINFO Exploited, Kibana at Risk

CISA@All CISA Advisories //
CISA has added two new vulnerabilities, CVE-2024-38475 and CVE-2023-44221, to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities affect Apache HTTP Server and SonicWall SMA100 series appliances, posing significant risks to organizations that utilize these technologies. The agency is urging organizations to take immediate action to mitigate potential exploits. The addition to the KEV catalog highlights the active exploitation of these flaws in the wild, increasing the urgency for patching and remediation.

The vulnerabilities impacting SonicWall SMA 100 devices are particularly concerning because of the potential for complete system takeover and session hijacking. Cybersecurity researchers at watchTowr have discovered that malicious actors are actively combining these vulnerabilities. CVE-2024-38475, an Apache HTTP Server pre-authentication arbitrary file read vulnerability discovered by Orange Tsai, allows unauthorized file reading. CVE-2023-44221, a post-authentication command injection flaw discovered by Wenjie Zhong (H4lo) of DBappSecurity Co., Ltd, enables attackers to execute arbitrary commands on affected systems.

The combination of these two vulnerabilities allows attackers to extract sensitive information, such as administrator session tokens, effectively bypassing login credentials. Once this initial foothold is established, the command injection vulnerability can be exploited to execute arbitrary commands, potentially leading to session hijacking and full system compromise. The vulnerabilities affect SMA 100 series appliances, including models SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. watchTowr has warned of active exploitation of these vulnerabilities, urging organizations to apply available patches to secure their systems.

Recommended read:
References :
  • watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
  • thecyberexpress.com: CISA Adds Two New Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog

Rescana@Rescana //
A critical zero-day vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer is under active exploitation, posing a significant threat to organizations, particularly those in the manufacturing sector. This flaw is a critical unauthenticated file upload vulnerability that allows for remote code execution, enabling attackers to compromise entire systems. The vulnerability has been exploited in the wild, raising alarm bells across the cybersecurity sector due to the potential for data breaches and operational disruptions.

Attributed to a China-linked threat actor dubbed Chaya_004, the attacks have been ongoing since early 2025. Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor. Attackers are exploiting the vulnerability by uploading malicious JSP webshells to public directories on compromised SAP NetWeaver servers without authentication, granting them persistent access and control. During post-exploitation, tools like the Brute Ratel red team tool and techniques like Heaven's Gate are employed to bypass security checks and maintain stealth operations, complicating detection efforts.

The vulnerability impacts SAP NetWeaver Visual Composer and allows attackers to upload malicious executable files without authentication, leading to remote code execution and potential full system compromise. The endpoint responsible is '/developmentserver/metadatauploader', which has been leveraged by attackers to deploy JSP webshells. These webshells enable unauthorized command execution and file management actions, making the system vulnerable to further exploitation. Organizations using SAP NetWeaver are urged to apply the emergency patch released by SAP immediately and to monitor their systems for suspicious activity to mitigate the risk of compromise.

Recommended read:
References :
  • SOC Prime Blog: Zero-day vulnerabilities are no longer rare anomalies—they’re now a core weapon in the modern attacker’s arsenal, with exploitation activity escalating year over year.
  • Rescana: The recent discovery of a zero-day vulnerability in SAP NetWeaver Visual Composer has raised alarm bells across the...
  • onapsis.com: Onapsis | Deloitte: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • securityaffairs.com: Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324
  • www.cysecurity.news: Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild
  • Onapsis: Learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
  • onapsis.com: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
  • MSSP feed for Latest: Second Wave of Attacks Targets SAP NetWeaver
  • The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • onapsis.com: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324
  • bsky.app: A Chinese threat actor that Forescout tracks as Chaya_004 is behind a recent SAP NetWeaver zero-day (CVE-2025-31324)
  • Talkback Resources: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell [app] [exp] [net]
  • BleepingComputer: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • bsky.app: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • Onapsis: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324
  • Talkback Resources: A threat actor linked to China is exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) for remote code execution, targeting multiple industries globally, prompting the need for prompt patching and enhanced security measures.
  • www.bleepingcomputer.com: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • www.scworld.com: Remote code execution possible via SAP NetWeaver Visual Composer flaw rated 10.0.
  • Anonymous: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers
  • www.cybersecuritydive.com: SAP NetWeaver exploitation enters second wave of threat activity
  • Unit 42: CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry.

@cyberpress.org //
NVIDIA has issued a critical security update for its TensorRT-LLM framework to address a high-severity vulnerability, identified as CVE-2025-23254. This flaw poses significant risks, potentially leading to remote code execution, data tampering, and information disclosure. All platforms and versions of TensorRT-LLM prior to 0.18.2 are affected, making this update essential for users to safeguard their systems against potential attacks. The vulnerability resides in the Python executor component of TensorRT-LLM and stems from insecure handling of Inter-Process Communication (IPC).

The specific weakness lies in the use of Python's pickle module for serialization and deserialization within the socket-based IPC system. An attacker with local access to the TRTLLM server could exploit this by injecting malicious code, gaining unauthorized access to sensitive data, or manipulating existing data. NVIDIA has assigned a CVSS base score of 8.8 to this vulnerability, classifying it as high severity, with the underlying technical risk categorized as "Deserialization of Untrusted Data" (CWE-502). Avi Lumelsky of Oligo Security is credited with responsibly reporting the vulnerability.

To mitigate this threat, NVIDIA has enabled HMAC (Hash-Based Message Authentication Code) verification by default for all socket-based IPC operations in both the main and release branches of TensorRT-LLM. This security enhancement ensures the integrity and authenticity of serialized data exchanged between processes, so a payload that was not produced by a key-holding process is rejected before it is deserialized. NVIDIA strongly advises users not to disable this feature, as doing so would reintroduce the vulnerability. Users are urged to immediately update to TensorRT-LLM version 0.18.2 or later to fully address the identified risks.
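The mitigation pattern described above, as an added example that is not TensorRT-LLM's own code: each pickled IPC message is prefixed with an HMAC-SHA256 tag, and the receiver checks the tag in constant time before `pickle` ever sees the bytes, then unpickles through an allowlist so that even an authenticated payload can only rebuild a few builtin types. The key, message framing and allowlist are assumptions for the example.

```python
import hashlib
import hmac
import io
import pickle
import secrets
from typing import Any

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag

# Constructed key for the example; real processes would load a shared key
# from configuration and hand it only to the peers that must talk.
IPC_KEY = secrets.token_bytes(32)


def seal(obj: Any, key: bytes) -> bytes:
    """Serialize obj and prefix the payload with an HMAC-SHA256 tag."""
    payload = pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


class AllowlistUnpickler(pickle.Unpickler):
    """Defence in depth: only a small set of builtin types may be referenced,
    so no arbitrary callable can be reconstructed during load()."""

    SAFE = {("builtins", name) for name in
            ("dict", "list", "tuple", "set", "str", "int", "float", "bool", "bytes")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def open_sealed(blob: bytes, key: bytes) -> Any:
    """Verify the tag first; untrusted bytes never reach the unpickler."""
    if len(blob) < TAG_LEN:
        raise ValueError("message too short")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad authentication tag: payload rejected")
    try:
        return AllowlistUnpickler(io.BytesIO(payload)).load()
    except pickle.UnpicklingError as exc:
        raise ValueError(f"payload rejected by allowlist: {exc}") from exc


def tamper(blob: bytes) -> bytes:
    """Flip one bit in the last payload byte to simulate a modified message."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


class NotAllowed:
    """Plain class used to show that instances are refused by the allowlist."""


if __name__ == "__main__":
    msg = {"request_id": 7, "prompt_tokens": [1, 2, 3]}
    blob = seal(msg, IPC_KEY)
    print(open_sealed(blob, IPC_KEY))
    for bad in (tamper(blob), seal(msg, secrets.token_bytes(32))):
        try:
            open_sealed(bad, IPC_KEY)
        except ValueError as err:
            print("rejected:", err)
```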

Recommended read:
References :
  • Cyber Security News: NVIDIA has released a crucial security update for its TensorRT-LLM Framework, addressing a high-severity vulnerability that could expose users to significant risks, including remote code execution, data tampering, and information disclosure. The vulnerability, tracked as CVE-2025-23254, affects all platforms and all versions of TensorRT-LLM before 0.18.2.
  • securityonline.info: NVIDIA has released a security update for its TensorRT-LLM Framework, addressing a high-severity vulnerability.
  • gbhackers.com: NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in its popular TensorRT-LLM framework, urging all users to update to the latest version (0.18.2) to safeguard their systems against potential attacks.

Ddos@securityonline.info //
SonicWall has warned customers that several vulnerabilities affecting its Secure Mobile Access (SMA) 100 series appliances are being actively exploited. The flaws, CVE-2024-38475, CVE-2023-44221 and CVE-2021-20035, can lead to unauthorized file access and full system compromise. Organizations running SMA 100 series appliances are urged to apply the available firmware updates immediately. That flaws disclosed as long ago as 2021 are still being exploited underscores the need to track vendor advisories and patch promptly.

Specifically, CVE-2024-38475 is a critical-severity flaw in the mod_rewrite module of Apache HTTP Server, which the SMA firmware embeds. It lets an unauthenticated remote attacker map a URL to a file that the server is permitted to serve but that was never meant to be reachable, which on the SMA amounts to a pre-authentication arbitrary file read and, per the Apache advisory, can also lead to code execution. SonicWall fixed it in firmware version 10.2.1.14-75sv. CVE-2023-44221 is a high-severity post-authentication OS command injection flaw: an attacker with administrative privileges can inject arbitrary commands; SonicWall fixed it in 10.2.1.10-62sv. watchTowr Labs showed the two being chained, using the file read to steal session tokens and the command injection to obtain a remote shell. CVE-2021-20035 is another OS command injection vulnerability, and it has been actively exploited in the wild since January 2025.

The exploitation has prompted advisories and updates, including CISA adding CVE-2021-20035 and, subsequently, CVE-2024-38475 and CVE-2023-44221 to its Known Exploited Vulnerabilities catalog. Security researchers have also observed active scanning for a further SMA flaw, CVE-2021-20016. Organizations should confirm the firmware build on every SMA appliance against the fixed versions above, and because exploitation is confirmed rather than theoretical, an appliance that was exposed while running a vulnerable build warrants investigation, not just patching.
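A triage check a practitioner would run after this advisory, as an added example (my code, not SonicWall's tooling): parse SMA 100 firmware build strings numerically and report which of the two fixed builds named above each appliance is missing. The fixed builds are the ones on this page; CVE-2021-20035 is left out because the page does not name its fixed build. The hostnames and the sample inventory are constructed, and a build from a firmware line other than 10.2.1.x is flagged rather than assessed, because the page gives no fixed build for other lines.

```python
"""Check SMA 100 firmware builds against the fixed builds named above.

Added example, not SonicWall tooling. The two fixed builds come from the
advisories summarised on this page; hostnames and the other builds in the
sample inventory are constructed for the demo.
"""
import re

# Fixed builds reported above for the SMA 100 series 10.2.1.x firmware line.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",  # post-auth OS command injection
    "CVE-2024-38475": "10.2.1.14-75sv",  # Apache mod_rewrite, pre-auth file read
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """'10.2.1.14-75sv' -> (10, 2, 1, 14, 75). Tuples compare numerically;
    a plain string comparison would rank '10.2.1.9' above '10.2.1.14'."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware build: {text!r}")
    return tuple(int(g) for g in m.groups())


def same_line(a, b):
    """True when both builds belong to the same maintenance line (e.g. 10.2.1.x)."""
    return a[:3] == b[:3]


def unpatched(build):
    """CVEs from FIXED_IN whose fix the given build does not contain.
    A build from another line is flagged 'unknown-line' rather than passed."""
    v = parse_version(build)
    open_cves = []
    for cve, fixed in sorted(FIXED_IN.items()):
        f = parse_version(fixed)
        if not same_line(v, f):
            open_cves.append(f"{cve}:unknown-line")
        elif v < f:
            open_cves.append(cve)
    return open_cves


def triage(inventory):
    """inventory: {hostname: firmware build} -> {hostname: [open CVEs]}."""
    return {host: unpatched(build) for host, build in inventory.items()}


# Constructed sample inventory; hostnames are made up.
SAMPLE = {
    "vpn-edge-1": "10.2.1.9-57sv",
    "vpn-edge-2": "10.2.1.10-62sv",
    "vpn-edge-3": "10.2.1.14-75sv",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE).items():
        print(host, "OK" if not cves else ", ".join(cves))
```

The numeric tuple comparison is the point: a fleet report that sorts builds as strings will rank 10.2.1.9-57sv above 10.2.1.14-75sv and mark the vulnerable appliance as patched. Builds from a different firmware line are surfaced as unknown so they are checked against that line's own advisory instead of being silently cleared.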

Recommended read:
References :
  • The DefendOps Diaries: Understanding SonicWall SMA100 Vulnerabilities: Risks and Mitigation
  • BleepingComputer: SonicWall: SMA100 VPN vulnerabilities now exploited in attacks
  • Arctic Wolf: SonicWall Updates Advisories for Actively Exploited Vulnerabilities
  • isc.sans.edu: Web Scanning Sonicwall for CVE-2021-20016, (Tue, Apr 29th)
  • thehackernews.com: SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models
  • securityonline.info: SonicWall confirms active exploitation of SMA 100 vulnerabilities – urges immediate patching
  • Talkback Resources: SonicWall disclosed exploited security flaws in SMA100 Secure Mobile Access appliances, including OS Command Injection and Apache HTTP Server mod_rewrite issues, with patches released in versions 10.2.1.10-62sv and 10.2.1.14-75sv.
  • bsky.app: Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks.
  • securityaffairs.com: SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances.
  • securityaffairs.com: U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog
  • MSSP feed for Latest: SonicWall Flags New Wave of VPN Exploits Targeting SMA Devices
  • Help Net Security: Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)
  • www.scworld.com: SonicWall confirms exploitation of two SMA 100 bugs, one critical
  • securityonline.info: SonicWall Issues Patch for SSRF Vulnerability
  • Talkback Resources: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware [ics] [net] [mal]
  • The Hacker News: Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware
  • hackread.com: watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
  • cyberpress.org: CISA Alerts on Active Exploitation of SonicWall SMA100 Command Injection Flaw
  • watchTowr Labs: SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
  • Talkback Resources: Iranian state-sponsored threat group conducted a long-term cyber intrusion targeting critical national infrastructure in the Middle East, exhibiting tradecraft overlaps with Lemon Sandstorm, using custom malware families and sophisticated tactics to maintain persistence and bypass network segmentation.
  • securityonline.info: Iranian APT Group Breaches Middle Eastern Critical Infrastructure in Stealth Campaign
  • RedPacket Security: SonicWall Products Multiple Vulnerabilities
  • thecyberexpress.com: CISA Adds Two Known Exploited Vulnerabilities to Its Catalog: CVE-2024-38475 and CVE-2023-44221
  • Cyber Security News: SonicWall Secure Mobile Access (SMA) appliances are under active attack due to two critical vulnerabilities- CVE-2023-44221 (post-authentication command injection) and CVE-2024-38475(pre-authentication arbitrary file read)-being chained to bypass security controls.
  • securityonline.info: Multi Vulnerabilities Found in SonicWall SMA 100 Series Prompt Urgent Security Update
  • The Hacker News: SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root
  • BleepingComputer: SonicWall urges admins to patch VPN flaw exploited in attacks
  • securityonline.info: SonicWall has released a security advisory detailing multiple vulnerabilities affecting its Secure Mobile Access (SMA) 100 series products.
  • MSSP feed for Latest: Exploited SonicWall Flaws Added to KEV List Amid PoC Code Release

Pierluigi Paganini@Security Affairs //
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a code injection flaw in Broadcom Brocade Fabric OS (CVE-2025-1976), an unspecified vulnerability in Commvault Web Server (CVE-2025-3928), and a vulnerability in Qualitia Active! Mail. Inclusion in the KEV catalog means CISA has evidence that the flaws are being exploited in the wild, which makes them a significant risk to federal agencies and to any other organization running the affected products.

CISA urges all organizations to prioritize remediation of KEV entries as part of their vulnerability management practice. The Brocade Fabric OS flaw (CVE-2025-1976) lets a local user who already holds administrative privileges execute arbitrary code with full root privileges. The Commvault Web Server flaw (CVE-2025-3928) lets a remote, authenticated attacker create and execute web shells. Neither is reachable without credentials, but both turn a compromised account into full control of the host, with system compromise and data breach as the likely outcome.

Federal Civilian Executive Branch (FCEB) agencies are mandated to patch Commvault Web Server by May 17, 2025 and Broadcom Brocade Fabric OS by May 19, 2025. No public details are available on how the vulnerabilities have been exploited, at what scale, or by whom, so organizations outside the federal government should follow CISA's guidance and apply the updates on the same timeline. Tenable's Vulnerability Watch classification can help organizations prioritize the exposures that represent the greatest risk to their operations.

Recommended read:
References :
  • securityaffairs.com: U.S. CISA adds Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities catalog
  • The Hacker News: TheHackerNews article on CISA Adding Actively Exploited Broadcom and Commvault Flaws to KEV Database
  • The DefendOps Diaries: Understanding the Broadcom Brocade Fabric OS Vulnerability: A Critical Security Threat
  • BleepingComputer: CISA tags Broadcom Fabric OS, CommVault flaws as exploited in attacks
  • Help Net Security: CISA warns about actively exploited Broadcom, Commvault vulnerabilities
  • Anonymous: Two critical flaws, in Broadcom Fabric OS (CVE-2025-1976) and Commvault Web Server (CVE-2025-3928), are now on the Known Exploited Vulnerabilities (KEV) list. Both bugs are actively exploited; admin access can lead to full system compromise; patching deadlines are May 17–19, 2025.
  • www.scworld.com: Ongoing intrusions leveraging a critical Qualitia flaw in Active! mail 6 and a pair of high-severity bugs in the Commvault webserver and Broadcom Brocade Fabric OS have been reported by the Cybersecurity and Infrastructure Security Agency, which urged the remediation of the issues by May 17 following their inclusion in its Known Exploited Vulnerabilities catalog, according to SecurityWeek.
  • securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog