CyberSecurity news
FlagThis - #vulnerability
|
@www.qualys.com
//
Two new information disclosure vulnerabilities have been identified in Linux systems, specifically affecting Ubuntu, Red Hat Enterprise Linux, and Fedora distributions. These flaws reside in the core dump handlers 'apport' (CVE-2025-5054) and 'systemd-coredump' (CVE-2025-4598). The vulnerabilities are characterized as race condition bugs, which could be exploited by a local attacker to gain unauthorized access to sensitive information. Successful exploitation could lead to the exposure of critical data, including password hashes, through the manipulation of core dumps generated during system crashes.
Qualys Threat Research Unit (TRU) discovered that Apport incorrectly handled metadata when processing application crashes. This allows an attacker to induce a crash in a privileged process and quickly replace it with another process with the same process ID inside a mount and pid namespace. Apport will then attempt to forward the core dump, potentially containing sensitive information from the original privileged process, into the namespace. Similarly, systemd-coredump has a race condition that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original’s privileged process coredump. Both vulnerabilities have been assigned a CVSS score of 4.7, indicating a medium severity level. Red Hat has rated CVE-2025-4598 as Moderate due to the high complexity involved in successfully exploiting the flaw. To mitigate the risk, users can disable core dump generation for SUID binaries by running the command "echo 0 > /proc/sys/fs/suid_dumpable" as root. Canonical has released updates for the apport package for all affected Ubuntu releases, addressing CVE-2025-5054, and users are advised to update their systems as soon as possible. Recommended read:
References :
@cyberinsider.com
//
References:
cyberinsider.com
, securityonline.info
Mozilla has released Firefox 139 to address a critical security vulnerability within the libvpx video codec encoder. This flaw, identified as a double-free vulnerability, could potentially lead to memory corruption and allow for arbitrary code execution on affected systems. Security experts are urging users to update to the latest version of Firefox immediately to mitigate the risk.
The vulnerability is particularly concerning because it is a zero-interaction exploit, meaning that an attacker could potentially execute malicious code without any user action beyond normal browsing activity. This underscores the importance of applying the patch as soon as possible to prevent potential compromise. The update aims to protect users from remote code execution attacks that could exploit the flaw in the libvpx codec. The Cybersecurity community has highlighted the importance of prioritizing critical patches such as this one to defend against exploitation. This vulnerability demonstrates the persistent threat landscape and the need for constant vigilance in maintaining secure systems. By updating to Firefox 139, users can ensure they are protected against this potentially severe vulnerability. Recommended read:
References :
@cyble.com
//
References:
securityaffairs.com
, ciso2ciso.com
,
A China-linked Advanced Persistent Threat (APT) group, known as UNC5221, has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software. Researchers from EclecticIQ have observed this group chaining two specific flaws, identified as CVE-2025-4427 and CVE-2025-4428, to target organizations across Europe, North America, and the Asia-Pacific region. These vulnerabilities allow for unauthenticated remote code execution, potentially granting the attackers deep access to compromised systems.
The targeted sectors include critical infrastructure such as telecommunications, healthcare, government, defense, finance, and aviation. The exploitation of these flaws began shortly after their disclosure, highlighting the speed at which UNC5221 moved to take advantage of the vulnerabilities. CISA has added the Ivanti EPMM flaw, among others, to its Known Exploited Vulnerabilities catalog, emphasizing the severity of the risk and urging organizations to apply necessary patches. The attacks facilitate further intrusion and data exfiltration, potentially leading to significant breaches and compromise of sensitive information. This campaign underscores the ongoing threat posed by state-sponsored cyberespionage and the importance of proactive security measures to defend against such attacks. Recommended read:
References :
Andres Ramos@Arctic Wolf
//
Versa Concerto, a network security and SD-WAN orchestration platform, is facing scrutiny after the public disclosure of multiple unpatched vulnerabilities. ProjectDiscovery researchers revealed technical details on May 21, 2025, following a 90-day responsible disclosure period that began on February 13, 2025. The disclosed flaws include authentication bypasses, remote code execution (RCE), and container escapes, posing a significant threat to the platform and its underlying host systems. The platform is a Spring Boot-based application deployed via Docker containers and routed through Traefik, making it vulnerable to attacks targeting these components.
These vulnerabilities, when chained together, could allow a complete system compromise. One notable flaw, CVE-2025-34027, carries a maximum severity score of 10.0 and involves a URL decoding inconsistency issue. This could facilitate unauthorized access to file upload endpoints and enable remote code execution. Other critical vulnerabilities include CVE-2025-34026, an authentication bypass allowing access to administrative endpoints, and CVE-2025-34025, a privilege escalation leading to Docker container escape and code execution on the host machine. Despite the disclosure of these vulnerabilities, Versa Networks has stated that patches were implemented in early March and made publicly available in mid-April. According to a Versa Networks spokesperson, all affected customers were notified through established security and support channels with guidance on applying the recommended updates, and there is no indication that these vulnerabilities were exploited in the wild. However, ProjectDiscovery researchers initially noted the lack of patches, prompting the need for public disclosure after the 90-day deadline passed. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Chinese-speaking hackers have exploited a zero-day vulnerability, CVE-2025-0994, in Trimble Cityworks software to breach multiple local governing bodies across the United States. This vulnerability, a remote code execution flaw, has been actively exploited since January 2025 by a threat actor tracked as UAT-6382. The attackers targeted enterprise networks of local governing bodies, conducting reconnaissance and deploying web shells and custom-made malware to maintain long-term access, with a particular interest in systems related to utilities management.
UAT-6382 utilized a variety of tools and techniques in their attacks. They rapidly deployed web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. Additionally, they employed Rust-based loaders, known as TetraLoader, to deliver Cobalt Strike and VShell malware, ensuring persistent access to compromised systems. The TetraLoader was built using MaLoader, a malware building framework written in Simplified Chinese, further indicating the origin of the threat actor. Cisco Talos researchers have assessed with high confidence that UAT-6382 is a Chinese-speaking threat actor, based on tooling, TTPs, hands-on-keyboard activity, and victimology. Indicators of compromise (IOCs) related to these intrusions overlap with those listed in Trimble’s advisory. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0994 to its Known Exploited Vulnerabilities (KEV) catalog in February 2025. The exploitation of this flaw highlights the risk of nation-state actors targeting critical infrastructure software used by U.S. local governments and utilities. Recommended read:
References :
@www.csoonline.com
//
A critical authentication bypass vulnerability, identified as CVE-2025-47949, has been discovered in the widely-used samlify library. This flaw allows attackers to bypass Single Sign-On (SSO) protections and gain unauthorized access to systems that rely on SAML for authentication. The vulnerability poses a significant risk, as attackers can impersonate legitimate users, including those with administrative privileges. The severity of this flaw is reflected in its CVSS v4.0 score of 9.9, indicating a critical risk demanding immediate attention.
The vulnerability is a Signature Wrapping attack, targeting the XML structure of SAML responses. By injecting unsigned malicious assertions into legitimately signed SAML responses, attackers can forge SAML responses, effectively impersonating any user, including administrators, within the system. This allows attackers to gain maximum system privileges. The vulnerability affects samlify versions prior to 2.10.0 and is classified under CWE-347: Improper Verification of Cryptographic Signature. The impact of CVE-2025-47949 is significant, primarily affecting the integrity of systems relying on the vulnerable samlify library. While confidentiality and availability are not directly compromised, the ability to impersonate users and gain unauthorized access poses a substantial threat. The attack vector is network-based with low complexity, requiring minimal effort and no privileges. Organizations using samlify for SAML SSO integration, particularly those in SaaS platforms or implementing SSO for internal tools, are strongly urged to update to version 2.10.0 or later to mitigate this critical security risk. Recommended read:
References :
@github.com
//
A critical security vulnerability has been discovered in OpenPGP.js, a widely used JavaScript library that implements the OpenPGP standard for email and data encryption. Tracked as CVE-2025-47934, the flaw allows attackers to spoof both signed and encrypted messages, effectively undermining the trust inherent in public key cryptography. Security researchers from Codean Labs, Edoardo Geraci and Thomas Rinsma, discovered that the vulnerability stems from the `openpgp.verify` and `openpgp.decrypt` functions, and it essentially undermines the core purpose of using public key cryptography to secure communications.
The vulnerability impacts versions 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0 of the OpenPGP.js library. According to an advisory posted on the library's GitHub repository, a maliciously modified message can be passed to one of these functions, and the function may return a result indicating a valid signature, even if the message has not been legitimately signed. This flaw affects both inline signed messages and signed-and-encrypted messages. The advisory also states that to spoof a message, an attacker needs a single valid message signature along with the plaintext data that was legitimately signed. They can then construct a fake message that appears legitimately signed. Users are strongly advised to upgrade to versions 5.11.3 or 6.1.1 as soon as possible to mitigate the risk. Versions 4.x are not affected by the vulnerability. While a full write-up and proof-of-concept exploit are expected to be released soon, the current advisory offers enough details to highlight the severity of the issue. The underlying problem is that OpenPGP.js trusts the signing process without properly verifying it, leaving users open to having signed and encrypted messages spoofed. This vulnerability allows message signature verification to be spoofed. Recommended read:
References :
@securebulletin.com
//
China-linked APT groups are actively exploiting a critical vulnerability, CVE-2025-31324, in SAP NetWeaver to breach systems globally. This flaw, an unauthenticated file upload vulnerability, allows for remote code execution, granting unauthorized access to sensitive systems. EclecticIQ assesses with high confidence that these attacks, which commenced in April 2025, are being launched by Chinese nation-state APTs targeting critical infrastructure networks. The scope of the campaign is significant, with evidence indicating the compromise of over 580 SAP NetWeaver instances across various sectors.
Researchers at EclecticIQ uncovered evidence revealing the campaign's breadth. A publicly accessible directory on a threat actor-controlled server contained event logs confirming compromises across 581 SAP NetWeaver instances worldwide. These systems span critical sectors like natural gas distribution networks, water, waste management utilities, medical device manufacturing plants, and government ministries. Additionally, a list of 800 domains running SAP NetWeaver was found, indicating a large pool of potential future targets. The exploitation of CVE-2025-31324 is being attributed to multiple distinct China-linked threat clusters, including CL-STA-0048, UNC5221, and UNC5174. These groups employ various tactics, techniques, and procedures (TTPs), including the use of reverse shells, Rust-based malware loaders like KrustyLoader, and remote access trojans like VShell. In addition to CVE-2025-31324, SAP addressed a second zero-day vulnerability, CVE-2025-42999, which has also been actively exploited in attacks targeting SAP NetWeaver servers and is being used in conjunction with CVE-2025-31324 by threat actors. Recommended read:
References :
@msrc.microsoft.com
//
Microsoft has released its May 2025 Patch Tuesday updates, addressing a total of 71 or 72 vulnerabilities, depending on the source, across its software. This includes fixes for five actively exploited zero-day vulnerabilities and two publicly known vulnerabilities. The updates target flaws in various Windows components, including the Windows Common Log File System (CLFS), DWM Core Library, Scripting Engine, and Winsock.
Among the critical issues addressed are elevation of privilege (EoP) and remote code execution (RCE) vulnerabilities. Specifically, two zero-days in the CLFS (CVE-2025-32701 and CVE-2025-32706) allow attackers to gain SYSTEM privileges. Another zero-day (CVE-2025-30400) is a use-after-free vulnerability in the Windows Desktop Window Manager (DWM) Core Library, which can also lead to privilege escalation. A scripting engine memory corruption vulnerability (CVE-2025-30397) could allow for remote code execution if a user visits a malicious web page while using Internet Explorer mode in Edge. The Cybersecurity and Infrastructure Security Agency (CISA) has added all five exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, urging administrators to patch these flaws by June 3, 2025. Security experts emphasize the importance of prioritizing these updates to prevent potential privilege escalation, code execution, and other malicious activities. The identified vulnerabilities highlight the ongoing risk posed by CLFS exploitation and the need for continuous monitoring and patching efforts. Recommended read:
References :
@support.broadcom.com
//
Broadcom has issued an urgent patch to address a moderate-severity vulnerability, CVE-2025-22247, affecting VMware Tools versions 11.x.x and 12.x.x. The flaw, characterized as an insecure file handling vulnerability, could be exploited by attackers with limited access within a guest virtual machine (VM). This could allow them to tamper with local files and trigger insecure file operations, potentially leading to further security breaches within the virtual environment. The vulnerability impacts VMware Tools running on Windows and Linux operating systems, while macOS is reportedly unaffected.
Broadcom's security advisory highlights that VMware Tools contains this insecure file handling vulnerability which can be exploited by an attacker with non-administrative privileges within a guest VM. The successful exploitation of CVE-2025-22247 could allow the attacker to tamper with local files, leading to unauthorized actions. VMware has released VMware Tools version 12.5.2 to remediate this vulnerability. For Windows 32-bit systems, the fix is included in VMware Tools 12.4.7, also part of the 12.5.2 release. For Linux systems, the advisory notes that updates addressing CVE-2025-22247 will be distributed by individual Linux vendors. It is crucial for Linux users to stay informed about updates from their respective distribution vendors. System administrators are urged to take immediate action by updating to the latest versions of VMware Tools to mitigate the risks associated with this vulnerability. Sergey Bliznyuk of Positive Technologies has been credited for reporting the vulnerability. Recommended read:
References :
Field Effect@Blog
//
Russian Ransomware-as-a-Service (RaaS) group Qilin exploited a critical SAP NetWeaver vulnerability, CVE-2025-31324, weeks before its public disclosure. This zero-day flaw, an unauthenticated file upload vulnerability, allowed attackers to gain remote code execution in affected enterprise environments across the globe. The vulnerability affects SAP NetWeaver Visual Composer, a component commonly deployed in large enterprise environments. The flaw lies in the `/developmentserver/metadatauploader` endpoint, which fails to properly enforce authentication and authorization, which allows an unauthenticated attacker to upload arbitrary files, including web shells, to the server with ease.
SAP assigned CVE-2025-31324 a CVSS score of 10.0, reflecting its trivial exploitation path and severe impact, including the potential for remote code execution and full system compromise. The vulnerability's accessibility, requiring no authentication and being exposed via standard HTTP(S), made it especially dangerous. OP Innovate discovered the active exploitation of CVE-2025-31324 during an incident response engagement for a major global enterprise, finding evidence of exploitation nearly three weeks before the vulnerability was publicly disclosed. OP Innovate's investigation revealed two separate exploitations of CVE-2025-31324 within a major enterprise environment. The first occurred nearly three weeks before the vulnerability was publicly disclosed, and the second shortly after. While recent articles pointed to China-Linked APTs, OP Innovate identified communication with known Cobalt Strike C2 infrastructure and IP addresses linked directly to Qilin. Organizations using SAP NetWeaver are urged to apply the necessary patches and monitor for potential exploitation attempts to mitigate risks and prevent further breaches. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
A Türkiye-linked hacking group, tracked by Microsoft as Marbled Dust, has been exploiting a zero-day vulnerability, CVE-2025-27920, in the Output Messenger application since April 2024. This espionage campaign has targeted Kurdish military personnel operating in Iraq, resulting in the collection of related user data. The vulnerability impacts Output Messenger version 2.0.62 and involves a directory traversal flaw that allows remote attackers to access and execute arbitrary files. A fix was released by the developer, Srimax, in late December 2024 with version 2.0.63.
The attack chain commences with the threat actor gaining authenticated access to Output Messenger's Server Manager. It is suspected that Marbled Dust uses techniques like DNS hijacking or typosquatted domains to intercept the credentials required for authentication. This access is then abused to collect user credentials and exploit CVE-2025-27920 to drop malicious payloads. These payloads include scripts like "OM.vbs" and "OMServerService.vbs" into the server's startup folder, and an executable "OMServerService.exe" into the server's "Users/public/videos" directory. The final stage involves the execution of a multi-stage backdoor deployment. The "OMServerService.vbs" script is used to invoke "OM.vbs" and "OMServerService.exe." The latter is a Golang backdoor that connects to a hard-coded domain, "api.wordinfos[.]com," for data exfiltration. On the client side, the installer extracts and executes both the legitimate OutputMessenger.exe file and OMClientService.exe, another Golang backdoor. This client-side backdoor also connects to a Marbled Dust command-and-control (C2) domain, enabling further malicious activities. Recommended read:
References :
Sead Fadilpašić@techradar.com
//
ASUS DriverHub, a driver management utility designed to simplify updates by automatically detecting motherboard models, is facing scrutiny following the discovery of critical security flaws. Cybersecurity researchers identified vulnerabilities, designated as CVE-2025-3462 and CVE-2025-3463, that could allow malicious actors to remotely execute code on systems with the software installed. These flaws stem from insufficient HTTP request validation, potentially enabling unauthorized remote interactions with the software and the ability for malicious sites to execute commands with administrative rights.
Researchers discovered a one-click remote code execution vulnerability in ASUS's pre-installed DriverHub software. The attack vector involves tricking users into visiting a malicious subdomain of driverhub.asus[.]com. By leveraging the DriverHub's UpdateApp endpoint, attackers can execute a legitimate version of "AsusSetup.exe" with modified parameters that enable the execution of arbitrary files hosted on the attacker's domain. This exploit requires the creation of a malicious domain hosting three files: the payload, a modified AsusSetup.ini with a "SilentInstallRun" property pointing to the payload, and the legitimate AsusSetup.exe. ASUS has released an update, version 1.0.6.0 or newer, to address these vulnerabilities and urges users to update immediately. The update includes important security fixes to mitigate the risk of remote code execution. Users are advised to open the ASUS DriverHub utility and click the "Update Now" button to complete the patching process. While there are no confirmed cases of active exploitation in the wild, a proof of concept exploit exists, highlighting the potential danger, especially for sectors relying heavily on ASUS motherboards. Recommended read:
References :
@cyberinsider.com
//
References:
cyberinsider.com
Recent reports highlight a surge in the exploitation of critical software vulnerabilities across various platforms. These vulnerabilities, affecting both widely used software like Microsoft products and open-source tools such as the Linux kernel, pose significant risks to system security. A particularly concerning flaw has been identified in ASUS DriverHub, potentially allowing remote code execution with administrative privileges. This highlights the persistent challenge of maintaining secure software ecosystems and the importance of vigilant monitoring and rapid patching.
The vulnerabilities span a range of severity levels, with some enabling privilege escalation and remote code execution, as demonstrated by the ASUS DriverHub flaw. Cyble has issued weekly vulnerability reports, emphasizing the presence of zero-day vulnerabilities and active exploits targeting popular IT products. Specific details include Commvault updating its advisory for a critical Commvault Command Center Vulnerability (CVE-2025-34028) and Ubuntu releasing a security notice (USN-7506-3) addressing multiple vulnerabilities within the Linux kernel (FIPS). These instances underscore the need for comprehensive vulnerability management strategies for both enterprises and individual users. Security experts emphasize the critical role of timely patching and robust vulnerability management practices in mitigating these risks. For example, Arctic Wolf noted that updating to Commvault versions 11.38.20 or 11.38.25 alone is insufficient to fully address the CVE-2025-34028 vulnerability. Ubuntu users are advised to perform a standard system update followed by a reboot to apply the necessary Linux kernel fixes, while also being aware of the need to recompile and reinstall third-party kernel modules due to an unavoidable ABI change. Organizations are urged to implement proactive security measures, including continuous monitoring, vulnerability scanning, and rapid deployment of security patches to protect their systems from exploitation. Recommended read:
References :
Ddos@securityonline.info
//
A critical vulnerability, CVE-2025-31324, affecting SAP NetWeaver is under active exploitation by China-linked Advanced Persistent Threat (APT) groups. This zero-day flaw, boasting a maximum CVSS score of 10.0, is an unauthenticated file upload vulnerability that grants attackers the ability to execute remote code on compromised systems. The vulnerability allows attackers to upload malicious files and gain unauthorized access, posing a significant threat to organizations relying on SAP systems and has led to breaches of critical systems worldwide.
Multiple Chinese hacking groups, including UNC5221, UNC5174, and CL-STA-0048, are leveraging CVE-2025-31324 to maintain persistent remote access, conduct reconnaissance, and deploy malicious programs. Attackers are exploiting this vulnerability to deploy web shells, maintain persistent access, and execute arbitrary commands on compromised systems. EclecticIQ researchers uncovered an exposed directory on attacker-controlled infrastructure, revealing that 581 SAP NetWeaver instances have already been compromised and backdoored with web shells. The targets of these attacks include critical infrastructure sectors globally, ranging from natural gas distribution networks and water management utilities to medical device manufacturing plants and government ministries. Organizations are urged to immediately apply the emergency patches released by SAP to mitigate the risk of exploitation. CISA has added CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, further emphasizing the urgency for organizations to address this critical flaw to protect their systems and data from potential compromise. Recommended read:
References :
|