CyberSecurity news

FlagThis - #vulnerability

@itpro.com //
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.

This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.

Recommended read:
References:
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • Dan Goodin: Is anyone following this breach involving the tj-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
  • www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
  • Tj-actions Supply Chain Attack Exposes 23,000 Organizations
  • Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack
  • The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
  • BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
  • www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
  • Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
  • gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
  • hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
  • www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
  • bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
  • Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
  • unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
  • Legit Security Blog: Github Actions tj-actions/changed-files Attack
  • Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-files” Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
  • securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
  • bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
  • blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
  • Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
  • Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
  • thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
  • The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
  • Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
  • Schneier on Security: Critical GitHub Attack
  • Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
  • www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
  • tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram

@The Hacker News //
Multiple critical security vulnerabilities, collectively named IngressNightmare, have been discovered in the Ingress NGINX Controller for Kubernetes. The flaws allow unauthenticated remote code execution (RCE), and more than 6,500 clusters expose the vulnerable component to the public internet. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, carry a CVSS score of 9.8. Cloud security firm Wiz discovered the flaws and reported that approximately 43% of cloud environments are susceptible to them.

Specifically, IngressNightmare affects the admission controller component of the Ingress NGINX Controller, which utilizes NGINX as a reverse proxy and load balancer. Attackers can exploit the unrestricted network accessibility of admission controllers by injecting malicious NGINX configurations, gaining unauthorized access to cluster secrets and potentially leading to a complete cluster takeover. Kubernetes users are urged to update to versions v1.11.5, v1.12.1, or later to mitigate these risks.

Recommended read:
References:
  • Open Source Security: Multiple vulnerabilities in ingress-nginx
  • The Hacker News: Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
  • Wiz Blog | RSS feed: IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
  • The Register - Software: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw
  • Open Source Security: [kubernetes] Multiple vulnerabilities in ingress-nginx
  • ciso2ciso.com: Public-facing Kubernetes clusters at risk of takeover thanks to Ingress-Nginx flaw – Source: go.theregister.com
  • securityonline.info: CVE-2025-1974 (CVSS 9.8): Ingress NGINX Flaws Threaten Mass Kubernetes Compromise
  • dragosr: "CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required." ingress-nginx is deployed in 40% of k8s clusters.
  • research.kudelskisecurity.com: Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX
  • securityboulevard.com: Security Boulevard answers FAQs about IngressNightmare.
  • Wiz Security finds four critical RCE vulnerabilities in the Ingress NGINX Controller for Kubernetes
  • Resources-2: IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
  • www.csoonline.com: Critical RCE flaws put Kubernetes clusters at risk of takeover
  • www.cybersecuritydive.com: Critical vulnerabilities put Kubernetes environments in jeopardy
  • Arctic Wolf: CVE-2025-1974: Critical Unauthenticated RCE Vulnerability in Ingress NGINX for Kubernetes
  • Tenable Blog: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare
  • open-appsec: On March 24, 2025, WIZ Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller that allow unsanitized user...
  • Threats | CyberScoop: String of defects in popular Kubernetes component puts 40% of cloud environments at risk
  • Blog: Ingress NGINX Kubernetes Controller vulnerabilities a ‘nightmare’ for impacted users
  • circl: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. CVE-2025-1974 but also CVE-2025-1097 CVE-2025-1098 CVE-2025-24513 CVE-2025-24514 🔗 For more details about Ingress NGINX Controller for Kubernetes release
  • Sysdig: Detecting and Mitigating IngressNightmare – CVE-2025-1974
  • thecyberexpress.com: Multiple CVEs Found in Ingress-NGINX—Patch Now to Prevent Cluster Compromise
  • Datadog Security Labs: The "IngressNightmare" vulnerabilities in the Kubernetes Ingress NGINX Controller: Overview, detection, and remediation
  • Information Security Buzz: Five critical security vulnerabilities have been found in the Ingress NGINX Controller for Kubernetes, potentially enabling unauthenticated remote code execution. This exposure puts over 6,500 clusters at immediate risk by making the component accessible via the public internet.
  • MSSP feed for Latest: Researchers aren’t aware of active exploitation in the wild, but they warn the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.
  • Latest Bulletins: Addresses issues with Kubernetes ingress-nginx controller
  • nsfocusglobal.com: Kubernetes Ingress-nginx Remote Code Execution Vulnerability (CVE-2025-1974)
  • Dynatrace news: NGINX vulnerability: Quickly detect and mitigate IngressNightmare vulnerabilities with Dynatrace
  • securityonline.info: ingress-nginx maintainers released fixes for multiple vulnerabilities that could allow threat actors to take over Kubernetes clusters.
  • Delinea Blog: Discusses vulnerabilities enabling access to Kubernetes clusters’ secrets.

@cyberalerts.io //
A critical vulnerability has been discovered in the widely-used Next.js framework, identified as CVE-2025-29927. This flaw allows attackers to bypass authorization checks within the framework's middleware system. Middleware is commonly used to enforce authentication, authorization, path rewriting, and security-related headers, making this vulnerability particularly severe. Vercel, the company behind Next.js, disclosed the issue on March 21st, 2025, highlighting its potential impact on services relying on vulnerable versions of the framework.

To mitigate the risk, developers using Next.js version 11 or higher are urged to update to the patched versions: 15.2.3, 14.2.25, 13.5.9, or 12.3.5. For those unable to immediately update, a temporary workaround involves blocking user requests with the 'x-middleware-subrequest' header. Some hosting platforms, like Vercel and Netlify, have already implemented this measure to protect their users. The vulnerability allows login screens to be bypassed without proper credentials, potentially compromising user data and sensitive information.

Recommended read:
References:
  • securityonline.info: Urgent: Patch Your Next.js for Authorization Bypass (CVE-2025-29927)
  • Open Source Security: Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware
  • isc.sans.edu: ISC SANS posting on the Next.js vulnerability
  • bsky.app: It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
  • Lobsters: How to find Next.js on your network
  • Strobes Security: When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered Next.js vulnerability, one of the most widely used...
  • securityaffairs.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
  • Open Source Security: CVE-2025-29927: Authorization Bypass in Next.js Middleware
  • socradar.io: Next.js Middleware Vulnerability (CVE-2025-29927): What You Need to Know and How to Respond
  • thehackernews.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
  • securityboulevard.com: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability
  • BleepingComputer: Critical flaw in Next.js lets hackers bypass authorization
  • Help Net Security: Help Net Security reports on the critical Next.js authentication bypass vulnerability.
  • cyberscoop.com: Researchers raise alarm about critical Next.js vulnerability
  • Legit Security Blog: Next.js Vulnerability: What You Need to Know
  • Resources-2: Discovered a critical vulnerability affecting Next.js middleware, tracked as CVE-2025-29927.
  • The DefendOps Diaries: Understanding and mitigating CVE-2025-29927: a critical Next.js vulnerability
  • Developer Tech News: Critical security flaw uncovered in Next.js framework
  • nsfocusglobal.com: Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)
  • www.techradar.com: Critical security flaw in Next.js could spell big trouble for JavaScript users
  • infosec.exchange: Critical in NextJS (CVE-2025-29927) impacts all NextJS versions before 15.2.3, 14.2.25, 13.5.9, 12.3.5 allowing attackers to bypass authorisation checks. Great explanation and a Proof-of-Concept demonstration by @_JohnHammond
  • SOC Prime Blog: CVE-2025-29927 Next.js Middleware Authorization Bypass Vulnerability
  • Kali Linux Tutorials: CVE-2025-29927 : Next.js Middleware Authorization Bypass – Technical Analysis
  • DEVCLASS: Next.js team fixes vuln that allows authorization bypass when middleware is used, revises documentation recommending this method
  • Rescana: Executive Summary The discovery of CVE-2025-29927 , a critical vulnerability in Next.js , has raised significant cybersecurity concerns...
  • Stormshield: A critical authentication bypass vulnerability impacting the Next.js middleware has been reported. It has been assigned the reference CVE-2025-29927 and a CVSS 3.1 score of 9.1. It should be noted that proofs of concept are publicly available for this CVE-2025-29927 vulnerability.
  • Fastly Security Blog: CVE-2025-29927: Authorization Bypass in Next.js
  • hackread.com: Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.
  • NCSC News Feed: The NCSC is encouraging UK organisations to take immediate action to mitigate a vulnerability (CVE-2025-29927) affecting the Next.js framework used to build web applications.

Bill Toulas@BleepingComputer //
A new ransomware campaign is underway, leveraging critical vulnerabilities in Fortinet's FortiOS and FortiProxy systems. The SuperBlack ransomware, deployed by the cybercriminal group Mora_001, targets Fortinet firewalls by exploiting authentication bypass flaws, specifically CVE-2024-55591 and CVE-2025-24472. Once inside, attackers escalate privileges to super-admin and create new administrator accounts, modifying automation tasks to ensure persistent access, even if initially removed.

The vulnerabilities, disclosed in January and February of 2025, allow attackers to gain unauthorized access and ultimately encrypt devices. After the initial compromise, the attackers map the network and attempt lateral movement using stolen VPN credentials and newly added VPN accounts. They rely on the Windows Management Instrumentation command-line tool (WMIC), SSH, and TACACS+/RADIUS authentication, protocols used for managing and authenticating network access. Organizations are urged to patch their Fortinet systems to mitigate the risk of SuperBlack ransomware attacks.

Recommended read:
References:
  • The DefendOps Diaries: SuperBlack Ransomware: Exploiting Fortinet Vulnerabilities
  • BleepingComputer: New SuperBlack ransomware exploits Fortinet auth bypass flaws
  • Industrial Cyber: Researchers from Forescout Technologies' Forescout Research – Vedere Labs identified a series of intrusions exploiting two Fortinet vulnerabilities
  • The Register - Security: New kids on the ransomware block channel Lockbit to raid Fortinet firewalls
  • www.cybersecuritydive.com: SuperBlack ransomware strain used in attacks targeting Fortinet vulnerabilities
  • Blog: Fortinet flaws targeted by new LockBit-like SuperBlack ransomware
  • securityaffairs.com: SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks
  • www.csoonline.com: Researchers tracked the exploits back to late November/early December last year.
  • techcrunch.com: Hackers are exploiting Fortinet firewall bugs to plant ransomware
  • Security Risk Advisors: New SuperBlack ransomware exploits Fortinet vulnerabilities for network breaches
  • Cyber Security News: CISA Warns: Fortinet FortiOS Vulnerability Actively Exploited
  • gbhackers.com: CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit
  • securityonline.info: Cybersecurity Alert: CISA Adds Fortinet and GitHub Action Vulnerabilities to Exploited List
  • cyble.com: CISA Alerts Users of CVE-2025-24472
  • securityaffairs.com: U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog
  • www.it-daily.net: SuperBlack ransomware exploits Fortinet vulnerability
  • Fortinet Vulnerability Exploited in Ransomware Attack, CISA Warns: The US Cybersecurity and Infrastructure Security Agency added flaws in Fortinet and a popular GitHub Action to its Known Exploited Vulnerabilities catalog
  • chemical-facility-security-news.blogspot.com: CISA Adds FortiGuard Vulnerability to KEV Catalog – 3-18-25

@The DefendOps Diaries //
Mozilla has issued an urgent security update for its Firefox browser on Windows to address a critical sandbox escape vulnerability, identified as CVE-2025-2857. This flaw allows attackers to bypass the browser's security sandbox, posing significant risks to Windows users. Mozilla is releasing security updates for Firefox versions 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1 to patch this vulnerability.

The vulnerability, reported by Mozilla developer Andrew McCreight, involves an incorrect handle that could lead to sandbox escapes, potentially enabling attackers to execute arbitrary code on affected systems. This comes after a similar exploit, CVE-2025-2783, was identified in Google Chrome. Windows users are advised to update their browsers to the latest version as soon as possible to mitigate this risk.

Recommended read:
References:
  • securityonline.info: Mozilla releases urgent security patch for Windows users as researchers uncover another IPC vulnerability echoing a recently exploited
  • The DefendOps Diaries: Mozilla warns of a critical Firefox vulnerability allowing sandbox escapes, posing significant security risks to Windows users.
  • The Hacker News: Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day.
  • BleepingComputer: Mozilla has released Firefox 136.0.4 to patch a critical security vulnerability that can let attackers escape the web browser's sandbox on Windows systems.
  • CyberInsider: Firefox Says It’s Vulnerable to Chrome’s Zero-Day Used in Espionage Attacks
  • The Register - Security: After Chrome patches zero-day used to target Russians, Firefox splats similar bug
  • Security Affairs: Mozilla fixed critical Firefox vulnerability CVE-2025-2857
  • PCMag UK security: Chrome Zero-Day Flaw Also Affects Firefox
  • gbhackers.com: Mozilla is working to patch the vulnerability, tracked as CVE-2025-2857, with security updates for Firefox 136.0.4 and Firefox ESR versions 128.8.1 and 115.21.1.
  • MSPoweruser: Google patches a Chrome zero-day vulnerability used in espionage
  • thecyberexpress.com: Mozilla has issued an urgent update for Firefox on Windows to patch a critical security vulnerability.
  • Blog: Critical sandbox escape flaws in Firefox and Chrome patched
  • techcrunch.com: Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
  • www.scworld.com: Firefox patches flaw similar to exploited Chrome zero-day

Pierluigi Paganini@Security Affairs //
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.

Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.

Recommended read:
References:
  • securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
  • www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
  • The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
  • www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
  • www.scworld.com: Edimax IP camera zero-day
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
  • bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months.

Pierluigi Paganini@Security Affairs //
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.

Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, highlighting its severity. It exclusively affects VMware Tools running on Windows operating systems, emphasizing the importance of immediate action for affected users.

Recommended read:
References:
  • Security Affairs: Broadcom released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
  • securityonline.info: VMware Tools for Windows Hit by CVE-2025-22230 Auth Bypass Flaw
  • The DefendOps Diaries: Understanding the VMware Tools Authentication Bypass Vulnerability
  • thehackernews.com: New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround
  • www.csoonline.com: VMware plugs a high-risk vulnerability affecting its Windows-based virtualization
  • BleepingComputer: Broadcom Warns of Authentication Bypass in VMware Windows Tools
  • www.techradar.com: Broadcom warns of worrying security flaws affecting VMware tools
  • Security Risk Advisors: New VMware Tools vulnerability (CVE-2025-22230) allows non-admin Windows guest users to perform privileged operations.
  • Security | TechRepublic: Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication
  • securityaffairs.com: Broadcom addressed a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.

Nathaniel Morales@feeds.trendmicro.com //
The Albabat ransomware has evolved, now targeting Windows, Linux, and macOS systems, according to recent research. This marks a significant expansion in the group's capabilities, showcasing increased sophistication in exploiting multiple operating systems. Trend Micro researchers uncovered this evolution, noting the ransomware group leverages GitHub to streamline their operations, enhancing the efficiency and reach of their attacks.

Albabat ransomware version 2.0 gathers system and hardware information on Linux and macOS systems and uses a GitHub account to store and deliver configuration files. This allows attackers to manage operations centrally and update tools efficiently. The GitHub repository, though private, is accessible through an authentication token, demonstrating active development through its commit history.

Recent versions of Albabat ransomware retrieve configuration data through the GitHub REST API, using a User-Agent string labeled "Awesome App." The ransomware encrypts files with extensions including .exe, .dll, .mp3, and .pdf, while skipping folders such as Searches and AppData. It also terminates processes such as taskmgr.exe and regedit.exe to evade detection. Infections and payments are tracked in a PostgreSQL database, and the stolen data may be sold.

Recommended read:
References:
  • Cyber Security News: The Albabat ransomware has expanded its operation by utilizing GitHub to streamline its operation.
  • gbhackers.com: The Albabat ransomware group has been observed expanding its operations to target not only Windows but also Linux and macOS systems, marking a significant evolution in its capabilities. They are leveraging GitHub to streamline their ransomware operations.
  • Trend Micro observed a continuous development of Albabat ransomware, designed to expand attacks and streamline operations. The authors seem to be targeting Linux and macOS systems now.
  • www.trendmicro.com: New versions of Albabat ransomware have been detected that target Windows, Linux, and macOS devices. The group is utilizing GitHub to streamline their operations.
  • hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
  • Carly Page: Mastodon: Hackers are ramping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances
  • techcrunch.com: TechCrunch: Hackers are ramping up attacks using year-old ServiceNow security bugs to break into unpatched systems
  • www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
  • bsky.app: Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations https://buff.ly/IWRowB3
  • Talkback Resources: New Attacks Exploit Year-Old ServiceNow Flaws - Israel Hit Hardest [app] [exp]
  • www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
  • Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
  • Cyber Security News: Albabat Ransomware Adds Linux and macOS to its Expanding List of Targets
  • gbhackers.com: Albabat Ransomware Expands Reach to Target Linux and macOS Platforms
  • www.cysecurity.news: Albabat Ransomware Evolves with Cross-Platform Capabilities and Enhanced Attack Efficiency
  • ciso2ciso.com: New versions of the Albabat ransomware target Windows, Linux, and macOS, and retrieve configuration files from GitHub. The post appeared first on SecurityWeek.

Bill Toulas@BleepingComputer //
GitLab has released critical security updates to address multiple vulnerabilities in its Community Edition (CE) and Enterprise Edition (EE) platforms. The updates, included in versions 17.9.2, 17.8.5, and 17.7.7, fix nine vulnerabilities. Two of these are critical authentication bypass flaws (CVE-2025-25291 and CVE-2025-25292) within the ruby-saml library, used when SAML SSO authentication is enabled at the instance or group level. GitLab has already patched GitLab.com and will update GitLab Dedicated customers, but self-managed installations require immediate manual updates.

Exploitation of these flaws could allow attackers with access to a legitimate signed SAML document from an identity provider to impersonate any valid user, potentially leading to unauthorized access to sensitive repositories and data breaches. The issue stems from differences in XML parsing between REXML and Nokogiri. GitLab strongly advises all affected installations to upgrade to the latest versions as soon as possible to mitigate potential risks. The releases also address CVE-2025-27407, a high-severity vulnerability in the Ruby graphql library.

Recommended read:
References:
  • Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
  • securityaffairs.com: SecurityAffairs article on GitLab addressed critical flaws in CE and EE
  • socradar.io: SocRadar article on GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
  • The DefendOps Diaries: GitLab's Critical Vulnerability Fixes: What You Need to Know
  • BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
  • Rescana: Rescana Cybersecurity Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
  • securityonline.info: GitLab urgently patches critical authentication bypass flaws – CVE-2025-25291 & CVE-2025-25292
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication

@itpro.com //
Qualys security researchers have uncovered three bypasses of Ubuntu Linux's unprivileged user namespace restrictions, a security feature intended to reduce the attack surface. The bypasses, present in Ubuntu versions 23.10 and 24.04, could enable a local attacker to gain full administrative capabilities. The unprivileged user namespace restrictions were designed to provide security isolation for applications; the newly discovered flaws create a weak spot that attackers can exploit.

The bypasses allow a local attacker to create user namespaces with full administrator capabilities. One method involves exploiting the aa-exec tool, while another utilizes Busybox. A third involves LD_PRELOADing a shell into programs with AppArmor profiles. Successful exploitation could allow attackers to bypass security measures, exploit vulnerabilities in kernel components, and potentially gain full system access. Ubuntu was notified of the vulnerabilities on January 15, 2025.

Recommended read:
References:
  • Full Disclosure: Qualys Security Advisory Three bypasses of Ubuntu's unprivileged user namespace restrictions.
  • The DefendOps Diaries: Understanding Security Bypasses in Ubuntu's Unprivileged User Namespaces
  • www.itpro.com: Qualys discovers three bypasses of Ubuntu's unprivileged user namespace restrictions
  • www.networkworld.com: Ubuntu namespace vulnerability should be addressed quickly: Expert
  • BleepingComputer: New Ubuntu Linux security bypasses require manual mitigations

MSSP Alert@MSSP feed for Latest //
References: bsky.app , gbhackers.com , www.scworld.com ...
Multiple Mirai-based botnets have been exploiting a zero-day vulnerability, tracked as CVE-2025-1316, in Edimax IP cameras for close to a year. Researchers first observed intrusions around May 2024; activity then paused before resurging in September and again from January to February 2025.

The attackers log in with the cameras' default credentials and then exploit the flaw to deploy Mirai. A proof-of-concept exploit has been public since June 2023, so earlier, unobserved attempts are plausible. Edimax has stated that no patch is possible: the affected cameras reached end-of-life more than 10 years ago, and neither the source code nor the development environment still exists. Since no fix will ever ship, the practical defence for these cameras is to replace them, or at minimum change the default credentials and keep them off the internet; for the rest of the estate, organizations are urged to keep software and firmware up to date so that devices cannot be enrolled into botnets.

Recommended read:
References :
  • bsky.app: Two botnets have exploited a zero-day vulnerability in Edimax security cameras for months. The earliest evidence of exploitation was traced back to October of last year, although public proof-of-concept had been available for over a year before that
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year

Pierluigi Paganini@Security Affairs //
A critical OS command injection vulnerability, CVE-2025-1316, in Edimax IC-7100 IP cameras is being exploited to spread Mirai malware. Multiple botnets are targeting the cameras, exploiting the flaw to compromise devices and enlist them into their networks. The attacks rely on the cameras' default credentials to reach the vulnerable functionality and then deploy Mirai, which is known for orchestrating distributed denial-of-service (DDoS) attacks.

Initial exploitation attempts were observed as early as May 2024, with increased activity in September and again from January to February 2025. A proof-of-concept exploit has been available since June 2023, and the intrusions show the lasting risk posed by unpatched IoT devices. Edimax has stated that the affected cameras have been end-of-life for more than 10 years and that it cannot provide patches, so replacing them is the only complete fix; organizations are otherwise urged to keep software and firmware current.

Recommended read:
References :
  • gbhackers.com: Edimax Camera RCE Vulnerability Exploited to Spread Mirai Malware
  • MSSP feed for Latest: Botnet Attacks Exploiting Edimax IP Camera Zero-Day Ongoing For Nearly One Year
  • www.scworld.com: Attacks exploiting Edimax IP camera zero-day ongoing for nearly a year
  • cyble.com: One of the most concerning vulnerabilities in the new CISA catalog is , which affects the Edimax IC-7100 IP Camera. This vulnerability, identified on March 4, 2025, is an OS Command Injection Vulnerability that allows attackers to execute arbitrary commands on the device remotely.
  • chemical-facility-security-news.blogspot.com: CISA Adds Edimax Vulnerability to KEV Catalog
  • securityaffairs.com: U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog

Rescana@Rescana //
References: www.itpro.com , Rescana , hackread.com ...
Critical vulnerabilities in ServiceNow, a widely used cloud-based platform, are being actively exploited, and the attacks are escalating. Security researchers at GreyNoise have observed a resurgence of malicious activity targeting three flaws that are about a year old and were patched when disclosed: CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. On an unpatched instance they can lead to unauthorized access and potentially full database compromise.

Organizations that failed to apply ServiceNow's patches last year are now falling victim to these exploits. Israel has been hit hardest, with over 70% of recent malicious activity directed at systems within the country, but attacks have also been detected in Lithuania, Japan, and Germany. Security experts urge organizations to apply the patches and to monitor for unusual authentication attempts, unauthorized data access in audit logs, and unexpected server behavior.

Recommended read:
References :
  • www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
  • Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
  • www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
  • hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest

Rescana@Rescana //
Critical vulnerabilities in ServiceNow are being actively exploited, posing a significant threat, especially to systems in Israel. Three key flaws, CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, are under active attack. They are now about a year old: they were disclosed in mid-2024 and ServiceNow provided patches at the time. Despite the patches, exploitation has surged, particularly against Israeli systems.

These vulnerabilities allow threat actors to gain unauthorized access, potentially leading to data breaches and operational disruptions. CVE-2024-4879 is a template injection vulnerability that allows remote code execution. CVE-2024-5217 and CVE-2024-5178 are input validation errors that can be exploited to manipulate data and bypass security controls, potentially granting full database access. Organizations that failed to apply ServiceNow's patches last year continue to fall victim.

Recommended read:
References :
  • hackread.com: Report of attacks exploiting year-old ServiceNow flaws, with Israel being the hardest hit.
  • www.itpro.com: ServiceNow vulnerabilities and the impact on unpatched systems.
  • Rescana: Details on the critical vulnerabilities in ServiceNow being exploited, particularly in Israel.
  • www.scworld.com: The threat actors are exploiting three year-old vulnerabilities in ServiceNow.

SC Staff@scmagazine.com //
Attackers are intensifying their efforts to exploit old ServiceNow vulnerabilities, specifically CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, which were patched last year. GreyNoise, a threat intelligence firm, has observed a resurgence of in-the-wild activity targeting these flaws, putting unpatched company instances at risk. These vulnerabilities can potentially lead to unauthorized access to sensitive data, remote code execution, and full database compromise, even by unauthenticated actors.

The attacks have predominantly targeted systems in Israel, accounting for over 70% of recent malicious activity. However, organizations in Lithuania, Japan, and Germany have also been affected. Security experts urge organizations to apply the necessary patches to protect their ServiceNow platforms and mitigate the risk of exploitation. These vulnerabilities were initially discovered by Assetnote in May 2024, and ServiceNow promptly released patches, but a failure to apply these updates has left some systems vulnerable.

Recommended read:
References :
  • hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
  • Carly Page: Hackers are ramping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances
  • www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
  • www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
  • Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems

@itpro.com //
A critical security incident has been detected involving the widely used GitHub Action "tj-actions/changed-files", resulting in CVE-2025-30066. The attackers modified the action's code and retroactively moved the existing version tags to point at the malicious commit, so every workflow that referenced the action by tag (for example `@v45`) began running the attacker's code without any change on the consumer's side; only workflows pinned to a full commit SHA were unaffected. The malicious code printed CI/CD secrets into GitHub Actions build logs, exposing them publicly wherever the repository itself is public. The action is used in over 23,000 repositories, which makes the scale of the compromise significant. GitHub has since removed the "tj-actions/changed-files" Action, preventing it from being used in GitHub Actions workflows.

The malicious commit, 0e58ed8 ("chore(deps): lock file maintenance (#2460)"), was dressed up as routine Renovate-bot maintenance, and all 361 tagged versions of the action were repointed at it. The commit fetched a script that dumped the runner process's memory and wrote any secrets it found to the build log. StepSecurity's Harden-Runner detected the anomaly as suspicious outbound network requests to gist.githubusercontent.com, which hosted the script. Immediate action is needed to mitigate credential theft and CI pipeline compromise: Step Security has urged maintainers of public repositories that used the action to follow the recovery steps now, as multiple public repositories have already been found with secrets leaked in build logs. Any secret that was available to a workflow run during the compromise window should be treated as exposed and rotated.
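The lesson of the retargeted tags is that `uses: owner/repo@v45` is a mutable reference and only a full 40-character commit SHA is immutable. The scanner below is an added example, not StepSecurity's or tj-actions' code: it walks workflow files, flags any third-party action referenced by tag or branch, and calls out tj-actions/changed-files specifically, including any SHA pin that begins with the 0e58ed8 prefix of the malicious commit named above. The sample workflow embedded in it is constructed for the example, and the 40-character SHA starting with 0e58ed8 in it is a made-up placeholder, not the real commit hash.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not the code of any project named above.  Assumes workflows live under
.github/workflows/ and that the malicious tj-actions/changed-files commit is the one
whose short SHA 0e58ed8 is given in the write-up above.
"""
import re
from pathlib import Path

COMPROMISED_ACTION = "tj-actions/changed-files"
COMPROMISED_SHA_PREFIX = "0e58ed8"
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# "uses: owner/repo[/path]@ref", with or without a leading "- ", ignoring trailing comments.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def classify_uses(value):
    """Describe one `uses:` value.  Local (./path) and docker:// references are passed
    through; for owner/repo@ref the ref is checked for an immutable 40-hex SHA pin."""
    if value.startswith("./") or value.startswith("docker://"):
        return {"action": value, "ref": None, "pinned": None, "issue": None}
    action, _, ref = value.partition("@")
    repo = "/".join(action.split("/")[:2])      # owner/repo/sub/path -> owner/repo
    pinned = bool(FULL_SHA.match(ref))
    issue = None
    if repo == COMPROMISED_ACTION:
        if not pinned or ref.startswith(COMPROMISED_SHA_PREFIX):
            issue = "compromised action (CVE-2025-30066): mutable ref or malicious commit"
        else:
            issue = "compromised action: confirm this SHA predates the incident"
    elif not pinned:
        issue = "mutable ref; a retargeted tag would silently run different code"
    return {"action": repo, "ref": ref or None, "pinned": pinned, "issue": issue}


def scan_workflow_text(text):
    """Return (line number, action, ref, issue) for every problematic `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        info = classify_uses(m.group(1))
        if info["issue"]:
            findings.append((lineno, info["action"], info["ref"], info["issue"]))
    return findings


def scan_repo(root="."):
    """Scan every workflow file under <root>/.github/workflows."""
    wf_dir = Path(root, ".github", "workflows")
    out = []
    for wf in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        for f in scan_workflow_text(wf.read_text()):
            out.append((str(wf),) + f)
    return out


# Constructed sample covering the cases a scanner must tell apart.  The SHA on the
# third step is a placeholder that merely starts with the malicious commit's prefix.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0e58ed8000000000000000000000000000000000
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for finding in scan_workflow_text(SAMPLE_WORKFLOW):
        print(finding)
```

Run against a real checkout with `scan_repo(".")`. A SHA pin of a trusted commit is the fix for the mutable-tag problem, but it does not by itself protect against a pin taken after the tags were moved, which is why the scanner treats the 0e58ed8 prefix as a finding rather than as a clean pin.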

Recommended read:
References :
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • securityonline.info: Popular GitHub Action "tj-actions/changed-files" Compromised (CVE-2025-30066)
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know

Divya@gbhackers.com //
References: www.scworld.com , gbhackers.com ,
Critical vulnerabilities in the ruby-saml library, tracked as CVE-2025-25291 and CVE-2025-25292, allow attackers to bypass authentication in applications that use it for SAML single sign-on (SSO). Both stem from the library using two XML parsers, REXML and Nokogiri, that can disagree on the structure of the same document: the signature is validated against the document as one parser sees it, while the identity being asserted is read from the other parser's view. An attacker who holds any validly signed SAML document from the targeted organization's identity provider (for example their own legitimate login response) can craft an assertion that passes signature validation yet logs them in as any user, which amounts to account takeover.

The vulnerabilities were found during a security review by GitHub's Security Lab. GitLab, which depends on ruby-saml, released patches in versions 17.9.2, 17.8.5, and 17.7.7 for Community Edition and Enterprise Edition; any other application or product that uses the library needs the fixed ruby-saml release (1.18.0 or later) or a vendor patch. Organizations are urged to upgrade to close off the authentication bypass and account hijacking.

Recommended read:
References :
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.

Sam Bent@Sam Bent //
CISA has issued a warning to U.S. federal agencies regarding a critical vulnerability, CVE-2024-48248, in NAKIVO's Backup & Replication software. The flaw is an absolute path traversal bug that lets attackers read sensitive files, including configuration files, backups, and stored credentials. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation, and agencies are required to apply mitigations by April 9, 2025.

The vulnerability, which affects versions prior to 10.11.3.86570, was discovered by watchTowr Labs, who also published a proof-of-concept exploit. Successful exploitation lets an unauthenticated attacker read arbitrary files on the target host via the "/c/router" endpoint. NAKIVO addressed the issue in November 2024 with version v11.0.0.88174. CISA's directive underscores the need for federal agencies to patch promptly to prevent data exposure.

Recommended read:
References :
  • Sam Bent: CISA Urges Federal Agencies to Patch NAKIVO Backup & Replication Flaw, Raising Security Concerns
  • www.bleepingcomputer.com: CISA tags NAKIVO backup flaw as actively exploited in attacks

Rescana@Rescana //
A critical security flaw, tracked as CVE-2025-21590, has been identified in Juniper Networks' Junos OS and is being exploited in the wild. The vulnerability, an Improper Isolation or Compartmentalization issue in the kernel, could allow a local attacker with shell access to execute arbitrary code and compromise affected devices. Juniper has released an urgent fix and is urging users to upgrade to a patched release as soon as possible.

Juniper's Security Incident Response Team (SIRT) has received reports of malicious exploitation of this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities catalog and advises immediate patching. The vulnerability affects a wide range of Junos OS versions, including all versions before 21.2R3-S9, 21.4 versions before 21.4R3-S10, and 22.2 versions before 22.2R3-S6, among others. Juniper Networks strongly advises customers to upgrade to a fixed release, or, where one is not yet published for their release train, as soon as it becomes available.

Recommended read:
References :
  • securityonline.info: Juniper Issues Urgent Fix for Actively Exploited Junos OS Flaw
  • Rescana: Rescana Cybersecurity Report: Exploitation in the Wild of CVE-2025-21590

Rescana@Rescana //
A critical vulnerability, tracked as CVE-2025-26909, has been identified in WP Ghost, a popular WordPress security plugin used on over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially giving an unauthenticated attacker complete control of the affected web server. The vulnerability stems from insufficient validation of user-supplied input taken from the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.

The flaw allows unauthenticated users to manipulate the URL so that the plugin includes a file of their choosing, which can lead to arbitrary code execution; it is most readily exploited when the "Change Paths" feature is set to Lite or Ghost mode. The standard LFI-to-RCE techniques, such as `php://filter` chains and session-file poisoning via `PHP_SESSION_UPLOAD_PROGRESS`, apply. Website administrators are strongly advised to update WP Ghost to version 5.4.02 or later immediately and to review their other security controls.

In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. The campaign uses injected redirect scripts and a distributed network of traffic distribution system (TDS) nodes hosted on compromised websites to send users to malicious sites. Together with the WP Ghost flaw, it highlights the broader problem of WordPress plugin vulnerabilities and the importance of regular updates and ongoing vigilance.
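The NAKIVO bug described above (absolute path traversal via "/c/router") and the WP Ghost bug (a URL path fed to a file-inclusion function, with `php://filter` as one escalation route) are two instances of the same class: a user-controlled path reaching a file API without being anchored to a base directory. The code below is an added example written in Python to demonstrate that class with a vulnerable resolver beside a hardened one; it is not NAKIVO's (Java) or WP Ghost's (PHP) code, and the base directory and file names are constructed for the example. It generalizes beyond the two reports by also rejecting percent-encoded traversal, NUL bytes and prefix-confusion paths.

```python
"""Absolute/relative path traversal and wrapper-based inclusion, with the vulnerable
resolver beside the hardened one.

Added example illustrating the bug class behind CVE-2024-48248 and CVE-2025-26909; it is
not either vendor's code.  BASE and the sample inputs are constructed for the example.
"""
import posixpath
import re
from urllib.parse import unquote

BASE = "/srv/app/files"                          # constructed document root
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")  # php://, file:, data:, zip:, ...


def vulnerable_resolve(base, user_path):
    """The pattern behind 'absolute path traversal': posixpath.join discards `base`
    entirely when `user_path` is absolute, and nothing checks for '..'.  (In PHP an
    include() of a string beginning with php:// additionally invokes that wrapper.)"""
    return posixpath.join(base, user_path)


def safe_resolve(base, user_path):
    """Resolve `user_path` inside `base`, or raise ValueError.

    Order matters: decode once, then refuse wrappers/schemes, NUL bytes and absolute
    paths, then normalise and prove the result is still under `base`."""
    base = posixpath.normpath(base)
    if "%" in user_path:
        user_path = unquote(user_path)       # a single decode, so %2e%2e cannot hide '..'
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if SCHEME.match(user_path):
        raise ValueError("stream wrapper / URL scheme not allowed")
    if user_path.startswith(("/", "\\")):
        raise ValueError("absolute path not allowed")
    resolved = posixpath.normpath(posixpath.join(base, user_path.replace("\\", "/")))
    # commonpath, not startswith: "/srv/app/files2/x" must not pass for base "/srv/app/files"
    if posixpath.commonpath([base, resolved]) != base:
        raise ValueError("path escapes base directory")
    return resolved


def probe(user_path):
    """Show what each resolver does with one attacker-controlled input."""
    try:
        safe = safe_resolve(BASE, user_path)
    except ValueError as e:
        safe = f"REJECTED: {e}"
    return {"input": user_path, "vulnerable": vulnerable_resolve(BASE, user_path), "safe": safe}


if __name__ == "__main__":
    for p in ["docs/readme.txt",
              "/etc/passwd",                                   # absolute: join() drops BASE
              "../../etc/passwd",                              # classic relative traversal
              "..%2f..%2fetc%2fpasswd",                        # encoded traversal
              "php://filter/convert.base64-encode/resource=index.php",
              "docs/../../../tmp/sess_abcd",                   # session-file poisoning target
              "../files2/secret"]:                             # prefix confusion
        print(probe(p))
```

The single most important line is the `commonpath` check: normalising alone is not enough, because a normalised path can still lie outside the base directory, and a plain `startswith(base)` test is fooled by sibling directories that share the base's name as a prefix.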

Recommended read:
References :
  • Sam Bent: Critical Vulnerability Discovered in WP Ghost Plugin: Unauthenticated Remote Code Execution Possible
  • Virus Bulletin: GoDaddy Security researchers have uncovered long-running malware operation DollyWay, which primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of TDS nodes hosted on compromised websites.
  • Rescana: Critical CVE-2025-26909 Vulnerability in WP Ghost Plugin: Immediate Update Required for Over 200,000 Websites
  • The DefendOps Diaries: Explore the critical CVE-2025-26909 vulnerability in WP Ghost plugin and learn how to mitigate its risks.