@socprime.com
//
Citrix NetScaler ADC and Gateway systems are currently facing a critical security threat, identified as CVE-2025-5777, and widely nicknamed "CitrixBleed 2". This vulnerability, similar to the infamous CitrixBleed from 2023, allows unauthenticated attackers to exploit memory overread issues. This exploitation can lead to the disclosure of sensitive information, including session tokens and user credentials, enabling attackers to bypass multi-factor authentication and hijack active remote sessions. Security researchers have noted that exploitation of this flaw began as early as mid-June, with evidence pointing to its use in active hacking campaigns.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. This designation carries significant weight, and CISA has issued a stern warning, urging federal civilian agencies to apply necessary patches within 24 hours. The urgency stems from the understanding that vulnerabilities like this are frequent vectors for malicious cyber actors, posing a substantial risk to government and corporate networks. While Citrix initially released guidance and patches in June, concerns have been raised about the vendor's response in acknowledging the widespread exploitation of this critical flaw. The exploitation of CitrixBleed 2, alongside other critical vulnerabilities like CVE-2025-5349 and CVE-2025-6543, presents a significant risk to organizations. CVE-2025-5777 specifically allows attackers to steal session tokens, effectively enabling them to impersonate authenticated users and bypass security measures like MFA. This is a direct echo of the impact of the original CitrixBleed vulnerability, which was widely abused by nation-state actors and ransomware groups. The ongoing exploitation means that a considerable portion of the Citrix NetScaler user base may still be vulnerable, underscoring the critical need for immediate patching and diligent security practices. Recommended read:
References :
@cyberalerts.io
//
References:
Cyber Security News
, securityaffairs.com
,
Cybersecurity researchers have uncovered critical vulnerabilities in Kigen's eSIM technology, potentially impacting billions of Internet of Things (IoT) devices and mobile networks worldwide. Security Explorations, a research lab, demonstrated that they could compromise Kigen's eUICC cards, a component essential for eSIM functionality. The attack allowed researchers to extract private encryption keys and download arbitrary eSIM profiles from major mobile network operators. This breach raises significant concerns about identity theft and the potential interception of communications for a vast number of connected devices.
The exploitation of these flaws builds upon prior Java Card research from 2019, which highlighted fundamental weaknesses in virtual machine implementations. Researchers were able to bypass security measures on the eUICC chip, which is designed to securely store and manage mobile carrier profiles. By exploiting type confusion vulnerabilities, they gained unauthorized access to the chip's memory, enabling the extraction of critical cryptographic keys like the private ECC key for GSMA certificates. This effectively undermined the trust model that underpins the entire eSIM ecosystem, as the eSIM profiles themselves and the Java applications stored on the chip were found to lack proper isolation or protection. While Kigen has acknowledged the issue and deployed mitigations, including hardening bytecodes and tightening test profile rules, concerns remain regarding the root cause of the vulnerability. The GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, has been identified as a contributing factor, allowing for the installation of unverified or malicious applets. Although the latest version of the GSMA standard addresses this, the existence of these fundamental flaws in widely deployed eSIM technology highlights the ongoing challenges in securing the rapidly expanding IoT landscape and the potential for widespread compromise if not adequately addressed. Recommended read:
References :
@sec.cloudapps.cisco.com
//
Cisco is urging immediate action following the discovery of a critical vulnerability, CVE-2025-20309, in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw stems from hardcoded SSH root credentials that cannot be modified or removed, potentially allowing remote attackers to gain root-level access to affected systems. This vulnerability has a maximum severity rating with a CVSS score of 10.0, indicating it can be easily exploited with devastating consequences.
Cisco's security advisory specifies that all Engineering Special (ES) releases from 15.0.1.13010-1 through 15.0.1.13017-1 are vulnerable, regardless of optional features in use. An unauthenticated remote attacker can exploit this vulnerability by utilizing the static root account credentials to establish SSH connections to vulnerable systems. Once authenticated, the attacker gains complete administrative control over the affected device, enabling the execution of arbitrary commands with root privileges. There are no temporary workarounds to mitigate this risk. To remediate the vulnerability, administrators are advised to upgrade to version 15SU3 or apply the CSCwp27755 patch. Although Cisco discovered the flaw through internal testing and has not found evidence of active exploitation in the wild, the extreme severity necessitates immediate action to safeguard enterprise communications. The company has issued emergency fixes for the critical root credential flaw in Unified CM. Recommended read:
References :
@support.citrix.com
//
Two high-severity vulnerabilities, identified as CVE-2025-5349 and CVE-2025-5777, have been discovered in Citrix NetScaler ADC and NetScaler Gateway products. According to a Citrix advisory released on June 17, 2025, these flaws pose a significant risk to organizations using the affected products. It is strongly recommended that users update their systems as soon as possible to mitigate potential exploits. These vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS before 12.1-55.328-FIPS. Note that versions 12.1 and 13.0 are End Of Life (EOL) and are also vulnerable.
CVE-2025-5777, which has a CVSS score of 9.3, stems from insufficient input validation, leading to a memory overread. This vulnerability is only exploitable when NetScaler is configured as a Gateway, encompassing VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy, or when configured as an AAA virtual server. CVE-2025-5349, with a CVSS score of 8.7, is attributed to improper access control on the NetScaler Management Interface. Exploitation of this vulnerability requires the attacker to have access to the NSIP address, the Cluster Management IP, or the local GSLB Site IP. The National Vulnerability Database provides additional detail on both CVE-2025-5349 and CVE-2025-5777. To address these vulnerabilities, Citrix advises upgrading to the latest versions of NetScaler ADC and NetScaler Gateway. Additionally, after upgrading all NetScaler appliances in a high availability (HA) pair or cluster to the fixed builds, Citrix recommends executing the following commands to terminate all active ICA and PCoIP sessions: `kill icaconnection -all` and `kill pcoipConnection -all`. CERT-In has also issued an advisory regarding these vulnerabilities. Further information regarding the impact on businesses can be found on Cyberexpress. Recommended read:
References :
Veronika Telychko@SOC Prime Blog
//
Two critical local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, have been publicly disclosed, impacting a wide range of Linux distributions. Cybersecurity researchers at Qualys discovered that these vulnerabilities, when chained together, could allow an unprivileged user to gain full root access on vulnerable systems. The flaws reside in the Pluggable Authentication Modules (PAM) configuration (CVE-2025-6018) and the libblockdev library (CVE-2025-6019), with the latter being exploitable through the udisks daemon, which is commonly deployed by default in many Linux distributions.
Researchers have released proof-of-concept (PoC) exploit code demonstrating the effectiveness of the vulnerability chain, raising concerns about potential exploitation in the wild. CVE-2025-6018 allows an unprivileged local user to elevate permissions to "allow_active" status, enabling them to invoke Polkit actions typically reserved for users with physical access to the machine. CVE-2025-6019 then permits an "allow_active" user to gain full root privileges, effectively bypassing security controls and allowing for broader post-compromise actions. The teams responsible for the development of most popular Linux builds have already begun working on fixes for these vulnerabilities. Patches for Ubuntu are reportedly ready, and users of other distributions are advised to closely monitor for updates and promptly install them as they become available. As a temporary workaround, Qualys recommends modifying the Polkit rule for "org.freedesktop.udisks2.modify-device" to require administrator authentication ("auth_admin"). This highlights the critical importance of regular patching and vulnerability management in maintaining the security of Linux systems. Recommended read:
References :
@cert.europa.eu
//
A number of critical security vulnerabilities have been identified and addressed in several software products, highlighting the persistent need for vigilance and timely updates. One of the most severe issues is a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-23121, in Veeam Backup & Replication. This flaw, which received a CVSS score of 9.9, allows an authenticated domain user to execute code remotely on the Backup Server, specifically impacting domain-joined backup servers. Veeam has released security updates to fix this and other vulnerabilities, urging users to upgrade to the latest version, 12.3.2 (build 12.3.2.3617), as soon as possible.
Affected products include Veeam Backup & Replication versions 12, 12.1, 12.2, 12.3, and 12.3.1, along with Veeam Agent for Microsoft Windows versions 6.0, 6.1, 6.2, 6.3, and 6.3.1. In addition to the critical RCE in Veeam, a high severity Arbitrary Code Execution (ACE) vulnerability (CVE-2025-24286) in Veeam Backup & Replication was also addressed, allowing an authenticated user with the Backup Operator role to modify backup jobs, potentially leading to arbitrary code execution. Further more, a medium severity local privilege escalation bug (CVE-2025-24287) was identified affecting the Windows Veeam agent, which allows local system users to execute arbitrary code with elevated permissions by modifying specific directory contents. Users are strongly advised to update their software to the latest versions to mitigate the risks associated with these vulnerabilities. For Veeam users, it is recommended to implement best practices provided by the vendor, such as using a separate management workgroup or domain for Veeam components. The discovery of an undocumented root shell access (CVE-2025-26412) in the SIMCom SIM7600G modem, highlighting the dangers of backdoors and undocumented features in embedded devices. Furthermore, a critical vulnerability (CVE-2025-3464) in Asus Armoury Crate allows attackers to gain SYSTEM privileges via hard link manipulation, advising users to update or disable the software. Recommended read:
References :
@cyberpress.org
//
GitLab has issued critical security updates on June 11, 2025, to address multiple vulnerabilities in both the Community Edition (CE) and Enterprise Edition (EE) of its platform. These patches are crucial for self-managed GitLab installations, with experts urging immediate upgrades to prevent potential exploits. The updates tackle high-severity vulnerabilities that could allow attackers to achieve complete account takeover and compromise enterprise development environments, emphasizing the importance of proactive security measures in DevSecOps environments.
One of the most concerning vulnerabilities, CVE-2025-5121, affects GitLab Ultimate EE customers and carries a CVSS score of 8.5. This missing authorization issue allows attackers with authenticated access to a GitLab instance with a GitLab Ultimate license to inject malicious CI/CD jobs into all future pipelines of any project. This can lead to backdoors being added, validation steps being skipped, and secrets used during the build process being exposed, significantly compromising the software development lifecycle. Other notable vulnerabilities addressed in this patch release include CVE-2025-4278, an HTML injection vulnerability with a CVSS score of 8.7 that could lead to account takeover, and CVE-2025-2254, a cross-site scripting (XSS) vulnerability, also with a CVSS score of 8.7, allowing attackers to act in the context of legitimate users. GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 for both CE and EE to address these issues, and it's strongly recommended that all affected installations be updated as soon as possible. Recommended read:
References :
Anna Ribeiro@Industrial Cyber
//
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding ransomware actors exploiting unpatched instances of SimpleHelp Remote Monitoring and Management (RMM) software. These attacks target customers of utility billing software providers, leveraging a vulnerability to gain unauthorized access. According to a report by The Register, the exploitation involves CVE-2024-57727, a high-severity path traversal vulnerability affecting SimpleHelp versions 5.5.7 and earlier. The attacks, ongoing since January 2025, have led to service disruptions and double extortion incidents, where sensitive data is stolen and systems are encrypted.
CISA's advisory follows reports of the DragonForce ransomware group breaching a managed service provider (MSP) and using its SimpleHelp RMM platform to infiltrate downstream customers. Sophos attributes the breach to a string of known SimpleHelp vulnerabilities, including CVE-2024-57726 through CVE-2024-57728. Once inside, DragonForce actors conducted network reconnaissance, leading to ransomware deployment and data exfiltration. The Register reported that SimpleHelp patched the flaw in January, but many organizations have not applied the update, leaving them vulnerable to exploitation. CISA urges organizations using SimpleHelp RMM to immediately patch their systems, conduct thorough threat hunting, and monitor network traffic for any unusual activity. This is crucial to mitigate the risk of compromise and prevent further disruptions. ConnectWise has also issued warnings, advising users of ScreenConnect and Automate to update to the latest build and validate agent updates to avoid disruptions. The attacks highlight the broader trend of ransomware actors targeting the supply chain, emphasizing the importance of proactive security measures and timely patching. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
US CISA has issued a warning about critical vulnerabilities discovered in SinoTrack GPS devices, which could allow attackers to remotely control vehicles and track their locations. The vulnerabilities affect all versions of the SinoTrack IoT PC Platform. Successful exploitation of these flaws could grant unauthorized access to device profiles through the common web management interface, enabling malicious actors to perform remote functions on connected vehicles.
The two main vulnerabilities are CVE-2025-5484 and CVE-2025-5485. CVE-2025-5484 is a weak authentication flaw stemming from the use of a default password and a username that is the identifier printed on the receiver. CVE-2025-5485 is an observable response discrepancy where the username used to authenticate to the web management interface is a numerical value of no more than 10 digits, making it easy for attackers to guess valid usernames. An attacker could retrieve device identifiers with physical access or by capturing identifiers from pictures of the devices posted on publicly accessible websites such as eBay. CISA recommends that device users take defensive measures to minimize the risk of exploitation of these vulnerabilities. The most crucial step is to change the default password to a unique, complex password as soon as possible. In the absence of a patch, users are advised to also take steps to conceal the identifier. Security researcher Raúl Ignacio Cruz Jiménez stated that due to its lack of security, this device allows remote execution and control of the vehicles to which it is connected and also steals sensitive information about you and your vehicles. As of June 11, 2025, SinoTrack has not responded to CISA’s requests for information or provided fixes for these problems. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding two critical vulnerabilities discovered in SinoTrack GPS devices. These flaws could allow malicious actors to remotely control vehicles and track their locations. The vulnerabilities affect all known SinoTrack devices and the SinoTrack IOT PC Platform. This alert follows the disclosure of these security weaknesses by independent researcher Raúl Ignacio Cruz Jiménez.
The identified vulnerabilities include a weak authentication flaw (CVE-2025-5484) and an observable response discrepancy (CVE-2025-5485). The weak authentication stems from the use of a default password across all devices and the use of the device identifier as the username. The identifier, which is printed on the receiver, is easily accessible, either through physical access to the device or through images posted online. The observable response discrepancy arises from the numerical structure of usernames, which are up to 10 digits long. This enables attackers to guess valid usernames by trying different number sequences. Successful exploitation of these vulnerabilities could grant attackers unauthorized access to device profiles through the web management interface. This access could then be used to perform remote functions on connected vehicles, such as tracking the vehicle's location and, in some cases, disconnecting power to the fuel pump. With a CVSS v4 score of 8.8, CVE-2025-5485 is considered highly severe. While there are currently no official fixes available, CISA advises users to change the default password immediately and to conceal the device identifier, particularly in publicly accessible photographs. SinoTrack has not yet responded to CISA’s request. Recommended read:
References :
@gbhackers.com
//
SAP has released its June 2025 Security Patch Day update, addressing a critical vulnerability in SAP NetWeaver Application Server for ABAP, identified as CVE-2025-42989. The flaw, which carries a CVSS score of 9.6, allows attackers to bypass authorization checks and escalate privileges. This could grant unauthorized access to critical system functions, allowing manipulation of application data or disruption of services. The vulnerability affects NetWeaver kernel versions 7.89, 7.93, 9.14, and 9.15, making patching an urgent priority.
SAP warns that successful exploitation of this vulnerability could critically impact the integrity and availability of affected systems. The flaw stems from a missing authorization check within the Remote Function Call (RFC) framework, which enables authenticated attackers to bypass standard authorization checks on the S_RFC object when leveraging transactional or queued RFCs under specific conditions. SAP advises immediate patching and notes that post-patch, additional S_RFC permissions may need to be assigned to certain users. Detailed guidance on identifying affected users and activating enhanced checks is provided in SAP Note #3601919. Beyond the critical NetWeaver vulnerability, SAP's June Patch Day addresses a total of 14 new vulnerabilities across multiple enterprise products. These include high-severity flaws in SAP GRC, SAP Business Warehouse, and SAP BusinessObjects BI. A serious information disclosure vulnerability in SAP GRC (CVE-2025-42982) could allow non-administrative users to initiate sensitive transactions and manipulate system credentials. A missing authorization check in SAP Business Warehouse and SAP Plug-In Basis (CVE-2025-42983) could allow authenticated users to delete arbitrary database tables, resulting in data loss. Additionally, a cross-site scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace (CVE-2025-23192) could allow attackers to execute code in the browser of unsuspecting users, risking data theft and interface manipulation. Recommended read:
References :
TIGR Threat@Security Risk Advisors
//
Cisco has issued a critical security advisory regarding a vulnerability, CVE-2025-20286, in its Identity Services Engine (ISE) when deployed on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). This static credential flaw enables unauthenticated remote attackers to potentially access sensitive data, perform limited administrative actions, modify system configurations, or disrupt services. The vulnerability stems from improperly generated credentials during cloud deployments, resulting in multiple ISE deployments sharing the same static credentials, provided they are on the same software release and cloud platform.
Exploitation of CVE-2025-20286 could allow attackers to extract user credentials from a compromised Cisco ISE cloud deployment and utilize them to access other ISE instances in different cloud environments via unsecured ports. This could lead to unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. Cisco's Product Security Incident Response Team (PSIRT) has confirmed the existence of a proof-of-concept (PoC) exploit for this vulnerability, though there is no evidence of active exploitation in the wild. The vulnerability impacts specific versions of Cisco ISE, affecting versions 3.1, 3.2, 3.3, and 3.4 on AWS, and versions 3.2, 3.3, and 3.4 on Azure and OCI. Cisco emphasizes that this vulnerability only affects deployments where the Primary Administration node is hosted in the cloud; on-premises deployments are not affected. While there are no official workarounds, Cisco recommends restricting traffic to authorized administrators or using the "application reset-config ise" command to reset user passwords. The company has released security patches to address the flaw and urges users to update their systems promptly. Recommended read:
References :
@nvd.nist.gov
//
HPE has issued critical security patches for its StoreOnce data backup and deduplication platform, addressing eight newly discovered vulnerabilities. The most severe of these is an authentication bypass vulnerability, identified as CVE-2025-37093, which has been assigned a near-maximum CVSS score of 9.8. This indicates a critical risk to affected systems, as it could allow remote attackers to execute arbitrary code on vulnerable installations of Hewlett Packard Enterprise StoreOnce VSA.
The authentication bypass, tracked as ZDI-25-312, exists due to a flaw in the `setLocateBeaconOnHardware` method. The issue stems from the lack of proper validation of a user-supplied string before it's used to execute a system call. Although authentication is typically required to exploit this vulnerability, the existing authentication mechanism can be bypassed, allowing attackers to execute code in the context of root. The ZDI has assigned a CVSS rating of 7.2 to CVE-2025-37089. Users of HPE StoreOnce are strongly advised to upgrade to version 4.3.11 or later to mitigate the risk of exploitation. Hewlett Packard Enterprise has released an update to correct this vulnerability, and more details can be found on their support website. The disclosure timeline indicates that the vulnerability was reported to the vendor on October 31, 2024, followed by a coordinated public release of the advisory on June 2, 2025. Recommended read:
References :
|