CyberSecurity news

FlagThis - #zeroday

@securityonline.info //
The Play ransomware gang has been exploiting CVE-2025-29824, a zero-day elevation-of-privilege flaw in the Windows Common Log File System (CLFS) driver. This high-severity bug lets an attacker who already has code execution on a host escalate to SYSTEM, after which they can deploy malware and carry out follow-on activity. Microsoft patched it in the April 2025 Patch Tuesday release, but it had been exploited in targeted attacks across several sectors before the fix shipped.

The gang's attack methodology is mature, combining custom tooling with double extortion (data theft followed by encryption). One key tool is the Grixba infostealer, which scans the network and collects information. In the CVE-2025-29824 intrusion the exploit injected a payload into winlogon.exe; that payload in turn injected the Sysinternals procdump.exe utility into other processes and used it to dump LSASS memory for credential theft.

Symantec's Threat Hunter Team identified the in-the-wild exploitation, including an attack on an unnamed US organization in which a public-facing Cisco Adaptive Security Appliance (ASA) was the likely entry point. During exploitation, batch files were created to escalate privileges, dump the SAM, SYSTEM and SECURITY registry hives (for offline credential extraction), create a new user and clean up traces of the exploit. The case illustrates ransomware actors adopting zero-days for privilege escalation, and it underlines the need for prompt patching alongside monitoring for the post-exploitation behaviour described.
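The post-exploitation sequence described above (a shell spawned from winlogon.exe, reg save of the SAM, SYSTEM and SECURITY hives, a new local user, then cleanup of the batch file) is easy to hunt for in process-creation telemetry. The following Python is an added example, not Symantec's or Microsoft's code: it runs a few rules over constructed Sysmon-style events (the field names, paths, account name and timestamps are invented for illustration) and reports whether the full chain is present.

```python
import re

# Constructed sample process-creation events in Sysmon Event ID 1 style.
# Hosts, paths, account name and timestamps are invented for illustration;
# this is not telemetry from the Symantec investigation.
SAMPLE_EVENTS = [
    {"ts": "2025-04-02T10:14:03Z", "parent": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\servtask.bat"},
    {"ts": "2025-04-02T10:14:04Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\ProgramData\s1.tmp"},
    {"ts": "2025-04-02T10:14:04Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\ProgramData\s2.tmp"},
    {"ts": "2025-04-02T10:14:05Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SECURITY C:\ProgramData\s3.tmp"},
    {"ts": "2025-04-02T10:14:06Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net user LocalSvc P@ss1234 /add"},
    {"ts": "2025-04-02T10:14:07Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net localgroup Administrators LocalSvc /add"},
    {"ts": "2025-04-02T10:14:08Z", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del /f /q C:\ProgramData\servtask.bat"},
    # Benign noise: an administrator querying the registry from an interactive shell.
    {"ts": "2025-04-02T11:02:11Z", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]

# winlogon.exe legitimately starts userinit.exe/LogonUI.exe, never a command shell.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)
USER_ADD = re.compile(r"\bnet(?:1|\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)
GROUP_ADD = re.compile(r"\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)
CLEANUP = re.compile(r"\bdel\s+(?:/\w\s+)*\S+\.bat\b", re.I)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def tag_event(ev: dict) -> set:
    """Return the set of behaviour tags that one process-creation event triggers."""
    tags = set()
    if _basename(ev["parent"]) == "winlogon.exe" and _basename(ev["image"]) in SHELLS:
        tags.add("winlogon_spawned_shell")
    m = HIVE_DUMP.search(ev["cmdline"])
    if m:
        tags.add("hive_dump:" + m.group(1).upper())
    if USER_ADD.search(ev["cmdline"]):
        tags.add("local_user_added")
    if GROUP_ADD.search(ev["cmdline"]):
        tags.add("added_to_administrators")
    if CLEANUP.search(ev["cmdline"]):
        tags.add("batch_cleanup")
    return tags


def hunt(events) -> dict:
    """Aggregate tags over a host's events and decide whether the full chain is present."""
    seen = set()
    for ev in events:
        seen |= tag_event(ev)
    hives = {t.split(":", 1)[1] for t in seen if t.startswith("hive_dump:")}
    chain_complete = (
        "winlogon_spawned_shell" in seen
        and hives == {"SAM", "SYSTEM", "SECURITY"}
        and "local_user_added" in seen
    )
    return {"tags": seen, "hives": hives, "chain_complete": chain_complete}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    print("chain complete:", result["chain_complete"])
    for tag in sorted(result["tags"]):
        print(" -", tag)
```

Each individual rule fires on legitimate administration now and then (backup jobs save hives, help desks add local users), so the value is in the combination within a short window on one host; in production, group events by host and timestamp before calling hunt().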

Recommended read:
References :
  • securityaffairs.com: Security Affairs reports Play ransomware affiliate leveraged zero-day to deploy malware
  • The DefendOps Diaries: The Defend Ops Diaries discusses Understanding the Play Ransomware Threat: Exploiting Zero-Day Vulnerabilities.
  • The Hacker News: The Hacker News reports Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization
  • BleepingComputer: BleepingComputer reports Play ransomware exploited Windows logging flaw in zero-day attacks.
  • www.csoonline.com: Windows flaw exploited as zero-day by more groups than previously thought
  • securityonline.info: Zero-Day CLFS Vulnerability (CVE-2025-29824) Exploited in Ransomware Attacks
  • bsky.app: The Play ransomware group has exploited a Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems.
  • Davey Winder: Play Ransomware Zero-Day Attacks — US, Saudi Arabia Have Been Targeted
  • www.techradar.com: Ransomware hackers target a new Windows security flaw to hit businesses
  • www.scworld.com: Windows CLFS zero-day leveraged in Play ransomware attacks

@source.android.com //
Google has released its May 2025 Android security update, addressing 46 security flaws by Google's count (BleepingComputer, cited below, counts 45). The update includes a fix for CVE-2025-27363, a high-severity vulnerability in the Android System component that has been exploited in the wild. The bug lives in FreeType 2.13.0 and earlier (fixed upstream in 2.13.1) and allows local code execution with no additional privileges and no user interaction. Google said there are indications that it may be under limited, targeted exploitation.

CVE-2025-27363 is an out-of-bounds write in the FreeType font rendering library, an open-source component shipped in well over a billion devices. It was disclosed by Facebook (Meta) security researchers in March 2025 and carries a CVSS base score of 8.1. The defect is triggered when parsing subglyph structures in TrueType GX and variable font files: a signed short is stored into an unsigned long and a constant is added, the value wraps, an undersized heap buffer is allocated, and up to six signed longs are then written past its end. Because fonts arrive embedded in documents, messages and web pages, the result is arbitrary code execution with no interaction beyond rendering the font.
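A responder who finds font files in a mail attachment or a browser cache first wants to know whether they even reach the variable-font parsing path where this bug lives. The Python below is an added example (not FreeType's or Google's code) that parses the sfnt table directory of a TrueType/OpenType file and reports whether it carries variation tables such as fvar and gvar; the two fixtures are constructed minimal files, not real fonts, and the check says nothing about whether a font is malicious.

```python
import struct

# Tables that only variable (GX) fonts carry; their presence means the variation
# parsing code in FreeType is exercised when the font is rendered.
VARIATION_TABLES = {b"fvar", b"gvar", b"avar", b"cvar", b"HVAR", b"MVAR", b"VVAR"}
# Accepted sfnt version tags: TrueType 1.0, CFF-based OpenType ('OTTO'), Apple 'true'.
SFNT_VERSIONS = {0x00010000, 0x4F54544F, 0x74727565}


def sfnt_tables(data: bytes) -> dict:
    """Parse the sfnt header and table directory; return {tag: (offset, length)}."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError(f"not an sfnt font (version 0x{version:08x})")
    tables = {}
    for i in range(num_tables):
        record = data[12 + 16 * i: 28 + 16 * i]
        if len(record) < 16:
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", record)
        if offset + length > len(data):
            raise ValueError(f"table {tag!r} points outside the file")
        tables[tag] = (offset, length)
    return tables


def is_variable_font(data: bytes) -> bool:
    """True when the font carries any variation table."""
    return bool(VARIATION_TABLES & set(sfnt_tables(data)))


def build_font(tags) -> bytes:
    """Construct a minimal sfnt with empty 4-byte tables (test fixture, not a usable font)."""
    n = len(tags)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    directory, body = b"", b""
    base = 12 + 16 * n
    for tag in tags:
        payload = b"\0" * 4
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(payload))
        body += payload
    return header + directory + body


STATIC_FONT = build_font([b"head", b"glyf", b"loca"])
VARIABLE_FONT = build_font([b"head", b"glyf", b"loca", b"fvar", b"gvar"])

if __name__ == "__main__":
    for name, blob in (("static", STATIC_FONT), ("variable", VARIABLE_FONT)):
        print(name, sorted(sfnt_tables(blob)), "variable:", is_variable_font(blob))
```

Run the check over every font pulled from a suspect message or cache directory; files that are variable fonts deserve a closer look (and a look at what rendered them), while truncated or out-of-range table directories are themselves a sign of a crafted file.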

The May 2025 bulletin defines two patch levels, 2025-05-01 and 2025-05-05, so that Android partners can ship a subset of fixes quickly and the full set later. Besides the FreeType flaw, the update resolves eight other flaws in the Android System component and 15 in the Framework module, which could be abused for privilege escalation, information disclosure and denial of service. Google Pixel devices receive the update automatically; other manufacturers release the patches after adapting them to their hardware. Source code patches for all addressed vulnerabilities are released to the Android Open Source Project (AOSP) repository.

Recommended read:
References :
  • CyberScoop: Google addresses 1 actively exploited vulnerability in May’s Android security update
  • securityaffairs.com: Google fixed actively exploited Android flaw CVE-2025-27363
  • The Hacker News: Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
  • Talkback Resources: Google Fixes Actively Exploited Android System Flaw in May 2025 Security Update [app] [exp] [sys]
  • www.bleepingcomputer.com: Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability.
  • BleepingComputer: Google fixes actively exploited FreeType flaw on Android
  • CyberInsider: CyberInsider reports Android May 2025 Security Update Fixes Actively Exploited FreeType Zero-Day
  • thecyberexpress.com: The Cyber Express article discussing Google's May 2025 Android Security Bulletin.
  • www.helpnetsecurity.com: Actively exploited FreeType flaw fixed in Android (CVE-2025-27363)
  • Help Net Security: Security news article on Actively exploited FreeType flaw fixed in Android (CVE-2025-27363)
  • socradar.io: Android’s May 2025 Update Tackles CVE-2025-27363 & More – Langflow & MagicINFO Exploited, Kibana at Risk

Rescana@Rescana //
A critical zero-day vulnerability, CVE-2025-31324, in SAP NetWeaver Visual Composer is under active exploitation and poses a significant threat to organizations running the platform, with manufacturing among the sectors hit. The flaw is an unauthenticated file upload that leads to remote code execution, allowing an attacker to compromise the entire SAP system, with data breaches and operational disruption as the likely consequences.

Forescout Vedere Labs attributes the attacks to a China-linked threat actor it tracks as Chaya_004, with activity ongoing since early 2025. The attackers upload malicious JSP web shells to publicly reachable directories on the SAP NetWeaver server without authenticating, giving them persistent access and control. During post-exploitation they have used the Brute Ratel C4 red-team framework and the Heaven's Gate technique (switching a 32-bit process into 64-bit code to slip past user-mode hooks) to evade security controls and stay stealthy, which complicates detection.

The vulnerable endpoint is /developmentserver/metadatauploader, the Visual Composer Metadata Uploader, which lacks an authorization check and therefore accepts executable files from anyone who can reach it. The deployed JSP web shells provide command execution and file management from a browser, opening the way to further exploitation. Organizations running SAP NetWeaver are urged to apply SAP's emergency patch (SAP Security Note 3594142) immediately, to restrict access to the endpoint or disable the Visual Composer development server where it is not needed, and to hunt for suspicious activity, because patching does not remove web shells that were dropped before the fix.

Recommended read:
References :
  • SOC Prime Blog: Zero-day vulnerabilities are no longer rare anomalies—they’re now a core weapon in the modern attacker’s arsenal, with exploitation activity escalating year over year.
  • Rescana: The recent discovery of a zero-day vulnerability in SAP NetWeaver Visual Composer has raised alarm bells across the...
  • onapsis.com: Onapsis | Deloitte: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • securityaffairs.com: Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324
  • www.cysecurity.news: Over 1,200 SAP Instances Exposed to Critical Vulnerability Exploited in the Wild
  • Onapsis: Learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
  • onapsis.com: Onapsis and Mandiant: Latest Intelligence on Critical SAP Zero-Day Vulnerability (CVE-2025-31324)
  • MSSP feed for Latest: Second Wave of Attacks Targets SAP NetWeaver
  • The Hacker News: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell
  • onapsis.com: Onapsis in collaboration with Mandiant invites you to a webinar to discuss the current state of the attack campaign for CVE-2025-31324
  • bsky.app: A Chinese threat actor that Forescout tracks as Chaya_004 is behind a recent SAP NetWeaver zero-day (CVE-2025-31324)
  • Talkback Resources: Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell [app] [exp] [net]
  • BleepingComputer: Forescout Vedere Labs security researchers have linked ongoing attacks targeting a maximum severity vulnerability impacting SAP NetWeaver instances to a Chinese threat actor.
  • Talkback Resources: A threat actor linked to China is exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) for remote code execution, targeting multiple industries globally, prompting the need for prompt patching and enhanced security measures.
  • www.scworld.com: Remote code execution possible of SAP NetWeaver Visual Composer flaw rated 10.0.
  • The DefendOps Diaries: Understanding the CVE-2025-31324 Vulnerability in SAP NetWeaver Servers
  • www.cybersecuritydive.com: SAP NetWeaver exploitation enters second wave of threat activity
  • Unit 42: CVE-2025-31324 impacts SAP NetWeaver's Visual Composer Framework. We share our observations on this vulnerability using incident response cases and telemetry.

@cloud.google.com //
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploitation, revealing a shift towards enterprise-targeted attacks in 2024. GTIG counted 75 vulnerabilities exploited in the wild. That is down from the 98 observed in 2023 but above the 63 recorded in 2022, consistent with a gradual but persistent rise over the past four years. The analysis divides the vulnerabilities into two categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.

Of the 75 zero-days tracked in 2024, 33 (44%) targeted enterprise products, a sign that attackers increasingly see value in compromising the systems that hold sensitive data. Exploitation of browsers and mobile devices fell by about a third and by half, respectively. Security and networking appliances are attractive because they sit at the network edge with high privileges and are rarely covered by endpoint monitoring, so a single exploit yields broad access. The report also notes that exploit chains built from multiple zero-days are still used almost exclusively against mobile devices.

Government-backed hackers and commercial surveillance vendors (CSVs) are behind many of these exploits. Governments such as China and North Korea, together with spyware makers, accounted for the most attributed zero-days in 2024: at least 23 exploits were linked to government-backed actors, 10 of them attributed directly to governments, including five to China and five to North Korea. Spyware makers and surveillance enablers were responsible for eight, and GTIG expects that industry to keep growing as long as government customers keep requesting and paying for its services.

Recommended read:
References :
  • Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
  • securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
  • techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
  • The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
  • The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
  • cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
  • securityonline.info: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
  • BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
  • www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
  • thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
  • cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products
  • socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
  • Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products

@The DefendOps Diaries //
Millions of Apple AirPlay-enabled devices are at risk due to the discovery of 23 critical vulnerabilities, collectively named "AirBorne." These vulnerabilities, found in Apple's AirPlay protocol and Software Development Kit (SDK), could allow attackers on the same Wi-Fi network to remotely execute code on vulnerable devices. This poses a significant threat, particularly to third-party devices that incorporate AirPlay, such as smart TVs, speakers, and CarPlay systems.

The vulnerabilities stem from flaws in Apple's implementation of the AirPlay protocol and the SDK used for streaming media between devices. Successful exploitation can yield zero-click or one-click remote code execution, access-control (ACL) bypass, local file reads and man-in-the-middle attacks, allowing an attacker to take over devices, reach sensitive files and steal data.

Apple has patched the AirBorne vulnerabilities in its own products, including iPhones, iPads, Macs, Apple TVs and the Vision Pro headset. Third-party devices built on the AirPlay SDK, however, depend on each vendor shipping a firmware update, and many such devices are rarely or never updated, so they may stay vulnerable for years. Researchers estimate that tens of millions of devices could be affected, which shows the reach of these flaws.

Recommended read:
References :
  • CyberInsider: ‘AirBorne’ Flaws Expose Apple Devices to Zero-Click RCE Attacks
  • WIRED: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
  • BleepingComputer: Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks
  • bsky.app: Oligo security researchers have disclosed over two dozen vulnerabilities in the Apple AirPlay protocol and SDK. Collectively named AirBorne, the vulnerabilities can allow attackers on the same network to run malicious code on any Apple device that supports AirPlay.
  • BleepingComputer: A set of security vulnerabilities in Apple's AirPlay Protocol and AirPlay Software Development Kit (SDK) exposed unpatched third-party and Apple devices to various attacks, including remote code execution.
  • securityonline.info: AirBorne Exploits: Zero-Click Wormable RCE Hits Apple & IoT Devices
  • The DefendOps Diaries: Explore AirBorne vulnerabilities in Apple's AirPlay, posing zero-click RCE threats to devices, and learn about mitigation measures.
  • securityaffairs.com: AirBorne flaws can lead to fully hijack Apple devices
  • www.oligo.security: Oligo Security blog post on AirBorne vulnerability.
  • www.techradar.com: Millions of Apple AirPlay devices susceptible to 'AirBorne' zero-click RCE attacks, so patch now
  • PCMag UK security: 'AirBorne' Flaw Exposes AirPlay Devices to Hacking: How to Protect Yourself
  • Help Net Security: Vulnerabilities in Apple’s AirPlay Protocol, AirPlay Software Development Kits (SDKs), and the CarPlay Communication Plug-in could allow attackers to compromise AirPlay-enabled devices developed and sold by Apple and by other companies.
  • Blog: New Apple zero-days go ‘AirBorne’
  • bsky.app: Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks
  • www.helpnetsecurity.com: Airplay-enabled devices open to attack via "AirBorne" vulnerabilities
  • Blog: How to find Apple AirPlay devices on your network
  • Risky.Biz: In other news: Marks & Spencer sends staff home after ransomware attack; China accuses US of hacking cryptography provider; AirBorne vulnerabilities impact Apple's AirPlay.
  • Risky Business Media: The French government calls out Russian hacks for the first time, Marks & Spencer sends staff home after a ransomware attack, China accuses America of hacking a major cryptography provider, and AirBorne vulnerabilities impact Apple’s AirPlay.
  • Risky Business Media: Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful
  • The Record: Millions of Apple Airplay-enabled devices can be hacked via Wi-Fi
  • securityaffairs.com: Vulnerabilities in Apple’s AirPlay protocol and SDK exposed Apple and third-party devices to attacks, including remote code execution. Oligo Security found serious flaws, collectively tracked as AirBorne, in Apple’s AirPlay protocol and SDK, affecting Apple and third-party devices. Attackers can exploit the vulnerabilities to perform zero-/one-click RCE, bypass ACLs, read local files, steal data, and […]
  • arstechnica.com: Millions of Apple AirPlay-Enabled Devices Can Be Hacked via Wi-Fi
  • www.scworld.com: Researchers reveal a collection of bugs known as AirBorne that would allow any hacker on the same Wi-Fi network as a third-party AirPlay-enabled device to surreptitiously run their own code on it.
  • www.pcmag.com: Apple rolled out a fix with iOS 18.4, but third-party AirPlay-compatible devices remain exposed. Researchers at cybersecurity firm Oligo have found major vulnerabilities in Apple's AirPlay protocol that allow hackers to breach compatible devices on the same Wi-Fi network.
  • Malwarebytes: Apple AirPlay SDK devices at risk of takeover—make sure you update
  • hackread.com: Billions of Apple Devices at Risk from "AirBorne" AirPlay Vulnerabilities
  • PhoneArena - Articles: Millions of AirPlay-enabled devices are at risk of being attacked by "AirBorne" security threat
  • The Hacker News: Wormable AirPlay Flaws Enable Zero-Click RCE on Apple Devices via Public Wi-Fi

@reliaquest.com //
A critical zero-day vulnerability, CVE-2025-31324, has been found in the SAP NetWeaver Visual Composer Metadata Uploader. The flaw is a missing authorization check on the `/developmentserver/metadatauploader` endpoint, which lets unauthenticated attackers upload arbitrary files to the server. This unrestricted file upload carries a CVSS score of 10.0, and exploitation in the wild has already been observed: threat actors are using it to drop web shell backdoors on exposed systems.

Exploitation gives attackers unauthorized access to and control over the SAP system. The uploaded web shells provide remote code execution, allowing commands to be run and files to be managed from a web browser. According to SAP security vendor Onapsis, the vulnerability lets attackers take full control of SAP business data and processes, which can lead to ransomware deployment and lateral movement within the network.

SAP has released an out-of-band emergency patch for CVE-2025-31324, and organizations are strongly encouraged to apply it as soon as possible. ReliaQuest researchers reported investigating multiple customer incidents involving JSP web shells uploaded through this flaw, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog. Internet scans counted more than 1,200 exposed SAP NetWeaver instances still vulnerable, so organizations should prioritize patching and then assess each system for signs of compromise, since a web shell dropped before the patch survives it.
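Two things a defender wants immediately for CVE-2025-31324, both in the Rescana write-up above and in this ReliaQuest section: a safe way to tell whether the Metadata Uploader answers unauthenticated requests, and a hunt for the upload-then-web-shell pattern in web server access logs. The Python below is an added example, not SAP's, Onapsis's or ReliaQuest's code. The status-code interpretation is an assumption spelled out in the comments (a 200 shows the servlet is reachable without credentials, not by itself that the note is missing), the /irj/root/ and /irj/work/ paths are taken from public incident reporting rather than from this page, and the log lines are constructed.

```python
import re
from collections import defaultdict

UPLOADER = "/developmentserver/metadatauploader"
# Directories under which dropped JSP files are served. Assumed from public
# incident reports; adjust to the portal layout of your own deployment.
JSP_ROOTS = ("/irj/root/", "/irj/work/")

# Constructed access-log lines in combined format; addresses and file names are invented.
SAMPLE_LOG = [
    '198.51.100.23 - - [28/Apr/2025:09:12:01 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.23 - - [28/Apr/2025:09:12:02 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [28/Apr/2025:09:12:05 +0000] "GET /irj/root/util.jsp?cmd=whoami HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '203.0.113.7 - - [28/Apr/2025:09:20:44 +0000] "GET /irj/portal HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [28/Apr/2025:09:25:10 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 401 0 "-" "curl/8.5"',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method.upper(),
            "path": path.split("?", 1)[0], "status": int(status)}


def hunt_access_log(lines) -> list:
    """Correlate accepted uploads to the uploader with later requests for JSPs under JSP_ROOTS."""
    per_ip = defaultdict(lambda: {"upload": False, "jsp": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].lower()
        if path == UPLOADER and ev["method"] == "POST" and 200 <= ev["status"] < 300:
            per_ip[ev["ip"]]["upload"] = True
        if path.endswith(".jsp") and path.startswith(JSP_ROOTS):
            per_ip[ev["ip"]]["jsp"].append(ev["path"])
    findings = []
    for ip, state in per_ip.items():
        if state["upload"] and state["jsp"]:
            findings.append({"ip": ip, "verdict": "upload_then_webshell", "paths": state["jsp"]})
        elif state["upload"]:
            findings.append({"ip": ip, "verdict": "unauthenticated_upload_accepted", "paths": []})
        elif state["jsp"]:
            findings.append({"ip": ip, "verdict": "unexpected_jsp_request", "paths": state["jsp"]})
    return findings


def classify_probe(status: int) -> str:
    """Interpret the status of an unauthenticated GET to UPLOADER.
    Assumption, not SAP guidance: 200 means the servlet answers without credentials
    (the exposed condition); it does not prove the security note is missing."""
    if status == 200:
        return "exposed: endpoint answers unauthenticated; verify note level and hunt for JSPs"
    if status in (401, 403):
        return "access restricted"
    if status == 404:
        return "not deployed"
    return "inconclusive"


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Live check (needs network): issue the GET and classify. Read-only, uploads nothing."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(base_url.rstrip("/") + UPLOADER, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status)
    except urllib.error.HTTPError as exc:
        return classify_probe(exc.code)


if __name__ == "__main__":
    for finding in hunt_access_log(SAMPLE_LOG):
        print(finding)
```

Run hunt_access_log() over the Java web dispatcher or reverse proxy logs covering the period before the patch was applied; any source that both posted to the uploader and then fetched a JSP from the portal roots has almost certainly left a web shell that must be removed by hand.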

Recommended read:
References :
  • Threats | CyberScoop: CyberScoop article about SAP zero-day vulnerability under widespread active exploitation
  • securityaffairs.com: SecurityAffairs article about SAP NetWeaver zero-day allegedly exploited by an initial access broker.
  • The DefendOps Diaries: thedefendopsdiaries.com article on Addressing CVE-2025-31324: A Critical SAP NetWeaver Vulnerability
  • Tenable Blog: Tenable Blog post on CVE-2025-31324 zero day vulnerability in SAP NetWeaver being exploited in the wild.
  • BleepingComputer: SAP fixes suspected Netweaver zero-day exploited in attacks
  • reliaquest.com: ReliaQuest uncovers vulnerability behind SAP NetWeaver compromise
  • MSSP feed for Latest: SAP Patches Critical Zero-Day Vulnerability in NetWeaver Visual Composer
  • Blog: Max severity zero-day in SAP NetWeaver actively exploited
  • thehackernews.com: Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution.
  • cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
  • www.cybersecuritydive.com: SAP NetWeaver zero-day vulnerability under widespread active exploitation.
  • www.scworld.com: SAP patches zero day rated 10.0 in NetWeaver
  • The Register - Security: Emergency patch for potential SAP zero-day that could grant full system control
  • Resources-2: Picus Security explains SAP NetWeaver Remote Code Execution Vulnerability
  • socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
  • Strobes Security: When a vulnerability is rated 9.9 out of 10 on the CVSS scale, it deserves immediate attention. CVE-2025-31324 affects SAP NetWeaver AS Java, a platform many businesses rely on every...
  • The DefendOps Diaries: The DefendOps Diaries: Understanding and Mitigating the CVE-2025-31324 Vulnerability in SAP NetWeaver
  • Vulnerable U: SAP CVE-2025-31324 Targeted by Attackers
  • www.bleepingcomputer.com: Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw
  • BleepingComputer: Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers.
  • Onapsis: Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)
  • research.kudelskisecurity.com: Critical Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-31324)
  • securityaffairs.com: U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog
  • onapsis.com: In our SAP CVE-2025-31324 webinar learn how to assess exposure, patch critical vulnerabilities, and defend against active zero-day attacks on SAP systems.
  • research.kudelskisecurity.com: Research Kudelski Security Article on SAP NetWeaver Exploitation
  • Cyber Security News: SAP NetWeaver 0-Day Vulnerability Actively Exploited to Deploy Webshells
  • Caitlin Condon: Rapid7 MDR has observed in-the-wild exploitation of SAP NetWeaver Visual Composer CVE-2025-31324 in customer environments.
  • www.cybersecuritydive.com: Thousands are exposed and potentially vulnerable as researchers warn of widespread exploitation.
  • www.it-daily.net: Security experts have identified a serious security vulnerability in SAP NetWeaver that allows unauthorized access to company systems.
  • securityonline.info: CISA Adds SAP NetWeaver Zero-Day CVE-2025-31324 to KEV Database
  • redcanary.com: Critical vulnerability in SAP NetWeaver enables malicious file uploads
  • www.stormshield.com: Security alert SAP CVE-2025-31324: Stormshield Products Response
  • Rescana: Critical Zero-Day Vulnerability in SAP NetWeaver Visual Composer: CVE-2025-31324 Exploited in Manufacturing Attacks
  • SOC Prime Blog: CVE-2025-31324 Detection: SAP NetWeaver Zero-Day Under Active Exploitation Exposes Critical Systems to Remote Code Execution

@securityonline.info //
A new wave of cyberattacks has been detected targeting Ivanti Connect Secure VPN devices, exploiting the zero-day vulnerability CVE-2025-0282. This vulnerability is being leveraged to deploy a previously unseen malware called DslogdRAT, along with a Perl-based web shell. The attacks, which initially targeted organizations in Japan around December 2024, involve the web shell being used for remote command execution, ultimately leading to the installation of DslogdRAT for persistence and command-and-control (C2) communication. Researchers at JPCERT/CC have been closely analyzing this malware and the methods used in these attacks.

The chain starts with exploitation of CVE-2025-0282. A Perl web shell is then dropped and used to run commands, among them the ones that install DslogdRAT. On start-up DslogdRAT opens a socket to its C2 server, sends basic host information and then waits for tasking: run shell commands, upload and download files, or act as a proxy through the compromised appliance. It is configured to be active mainly during business hours, likely so that its traffic blends in and avoids detection, and it protects its C2 traffic only with a simple XOR-based encoding, which is not encryption and can be reversed by anyone who recovers the key.
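The weakness of that XOR encoding is worth seeing concretely: a responder with a packet capture can recover the key from a single beacon, either from a known leading field or by brute force over the 256 possible byte values. The Python below is an added example and not JPCERT/CC's analysis code or the malware's own; the key, the beacon layout and the field names are all invented for the demonstration (the page does not give the real sample's key).

```python
import string
from typing import Optional

# Assumed single-byte key for this demonstration; placeholder, not the real sample's key.
ASSUMED_KEY = 0x63

# Constructed beacon in the spirit of "basic system information"; field names are invented.
SAMPLE_BEACON = b"hostname=ivanti-vpn01;user=root;pid=1337"

# Bytes we expect in a decoded beacon: lowercase letters, digits and a few delimiters.
EXPECTED = set(string.ascii_lowercase.encode() + string.digits.encode() + b"=;-_.: ")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in data)


def text_score(buf: bytes) -> int:
    """Count bytes that look like beacon text. A real tool would use byte-frequency statistics."""
    return sum(b in EXPECTED for b in buf)


def recover_key_bruteforce(ciphertext: bytes) -> int:
    """Try all 256 keys and keep the one whose output scores highest."""
    return max(range(256), key=lambda k: text_score(xor_bytes(ciphertext, k)))


def recover_key_from_crib(ciphertext: bytes, crib: bytes) -> Optional[int]:
    """If the beacon is known to start with a fixed field, each byte yields the key directly;
    every position must agree, otherwise the encoding is not a single repeated byte."""
    candidates = {c ^ p for c, p in zip(ciphertext, crib)}
    return candidates.pop() if len(candidates) == 1 else None


def parse_beacon(plaintext: bytes) -> dict:
    """Split 'k=v;k=v' fields into a dict."""
    fields = {}
    for item in plaintext.decode("ascii", errors="replace").split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key] = value
    return fields


def decode_captured(ciphertext: bytes, crib: Optional[bytes] = None) -> dict:
    """Recover the key (crib first, brute force as fallback) and return it with the parsed beacon."""
    key = recover_key_from_crib(ciphertext, crib) if crib else None
    if key is None:
        key = recover_key_bruteforce(ciphertext)
    return {"key": key, "fields": parse_beacon(xor_bytes(ciphertext, key))}


if __name__ == "__main__":
    wire = xor_bytes(SAMPLE_BEACON, ASSUMED_KEY)   # what a network sensor would capture
    print(decode_captured(wire, crib=b"hostname="))
```

Because XOR with a repeated byte preserves the byte-level structure of the message, the same approach works on the tasking replies; once the key is known, every command and file transfer in the capture can be read.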

JPCERT/CC also found the SPAWNSNARE backdoor on systems compromised in these attacks. Whether the DslogdRAT campaign is connected to earlier intrusions using the SPAWN malware family, attributed to the China-nexus group UNC5221, is unclear, but CVE-2025-0282 as the initial access vector is the common thread. Threat intelligence firms have also noted a marked rise in scanning of Ivanti Connect Secure and Pulse Secure appliances, which suggests coordinated reconnaissance ahead of further exploitation. Administrators should apply Ivanti's patches, run Ivanti's Integrity Checker Tool, and review their appliances for web shells and unexpected outbound connections.

Recommended read:
References :
  • blogs.jpcert.or.jp: JPCERT/CC: DslogdRAT malware targeting Ivanti Connect Secure
  • thecyberexpress.com: The Cyber Express on DslogdRAT Malware
  • The Hacker News: The Hacker News on DslogdRAT Malware
  • bsky.app: Japan's CERT looks at DslogdRAT, a web shell deployed on hacked Ivanti Connect Secure devices
  • securityaffairs.com: SecurityAffairs: JPCERT warns of DslogdRAT malware deployed in Ivanti Connect Secure
  • cyberpress.org: CyberPress on Ivanti Connect Secure 0-Day Exploited by Hackers to Install DslogdRAT and Web Shell
  • securityonline.info: SecurityOnline: DslogdRAT Malware Targets Ivanti Connect Secure via CVE-2025-0282 Zero-Day Exploit
  • BleepingComputer: BleepingComputer reports about DslogdRAT Malware being deployed via IVANTI zero day
  • gbhackers.com: Hackers Exploited Ivanti Connect Secure 0-Day to Deploy DslogdRAT and Web Shell

@securityonline.info //
A critical vulnerability has been discovered in Active! mail, a web-based email client popular with large Japanese organizations. CVE-2025-42599 is a stack-based buffer overflow that allows remote, unauthenticated attackers to execute arbitrary code on affected servers; no login credentials are needed to trigger it. Rated CVSS 9.8, it threatens the more than 2,250 organizations in Japan that run the product and the more than 11 million accounts they host.

This zero-day remote code execution vulnerability is actively being exploited in attacks targeting large organizations in Japan. Successful exploitation of CVE-2025-42599 can lead to full server compromise, data theft, service disruption, or the installation of malware. Because Active! Mail is a vital component in many Japanese-language business environments, including corporations, universities, government agencies, and banks, the potential impact is substantial: the product is used by over 2,250 organizations with more than 11,000,000 accounts, making it a significant player in the country's business webmail market.

In response to the active exploitation of this vulnerability, Qualitia, the developer of Active! Mail, released a security bulletin and a corrective patch on April 18, 2025. Users are strongly urged to update to Active! Mail 6 BuildInfo: 6.60.06008562 as soon as possible to mitigate the risk. The Japan Computer Emergency Response Team (JPCERT) has also issued an advisory emphasizing the urgency of applying the patch. For organizations unable to update immediately, JPCERT recommends configuring Web Application Firewalls (WAF) to inspect HTTP request bodies and block excessively large multipart/form-data headers as a temporary mitigation strategy.

Recommended read:
References :
  • bsky.app: An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.
  • securityonline.info: CVE-2025-42599: Critical Buffer Overflow in Active! mail Exploited in the Wild
  • The DefendOps Diaries: Explore the critical Active! Mail vulnerability impacting over 11 million accounts, highlighting the need for robust cybersecurity measures.
  • BleepingComputer: An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan.

@The Hacker News //
Microsoft has issued a critical security update as part of its April 2025 Patch Tuesday to address a zero-day vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS). The vulnerability, classified as an elevation of privilege flaw, is being actively exploited by the RansomEXX ransomware gang to gain SYSTEM privileges on compromised systems. According to Microsoft, the attacks have targeted a limited number of organizations across various sectors and countries, including the IT and real estate sectors in the United States, the financial sector in Venezuela, a software company in Spain, and the retail sector in Saudi Arabia.

Microsoft Threat Intelligence Center (MSTIC) has attributed the exploitation activity to a group tracked as Storm-2460, which deployed the PipeMagic malware to facilitate the attacks. Successful exploitation of CVE-2025-29824 allows an attacker with a standard user account to escalate privileges, enabling them to install malware, modify system files, disable security features, access sensitive data, and maintain persistent access. This can result in full system compromise and lateral movement across networks, leading to the widespread deployment and detonation of ransomware within the affected environment.

The zero-day vulnerability is located in the CLFS kernel driver and is due to a use-after-free weakness. Microsoft recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks. While Microsoft has issued security updates for impacted Windows versions, patches for Windows 10 x64 and 32-bit systems are pending release. In addition to fixing the zero-day flaw, Microsoft's April 2025 Patch Tuesday includes fixes for 134 other vulnerabilities, with 11 of them classified as critical remote code execution vulnerabilities.

Recommended read:
References :
  • isc.sans.edu: This month, Microsoft has released patches addressing a total of 125 vulnerabilities.
  • The DefendOps Diaries: Microsoft's April 2025 Patch Tuesday addresses 134 vulnerabilities, including a critical zero-day, highlighting the need for robust security.
  • Cyber Security News: Microsoft’s April 2025 Patch Tuesday update has arrived, delivering critical fixes for 121 security vulnerabilities across its broad suite of software products.
  • BleepingComputer: Today is Microsoft's April 2025 Patch Tuesday, which includes security updates for 134 flaws, including one actively exploited zero-day vulnerability.
  • Tenable Blog: Microsoft’s April 2025 Patch Tuesday Addresses 121 CVEs (CVE-2025-29824)
  • Cisco Talos Blog: Microsoft Patch Tuesday for April 2025 — Snort rules and prominent vulnerabilities
  • CyberInsider: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
  • bsky.app: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
  • The DefendOps Diaries: Understanding the Impact of CVE-2025-29824: A Critical Windows Vulnerability
  • Threats | CyberScoop: Microsoft patches zero-day actively exploited in string of ransomware attacks
  • thecyberexpress.com: TheCyberExpress article on Microsoft Patch Tuesday April 2025.
  • cyberinsider.com: Microsoft Fixes Actively Exploited CLFS Zero-Day Used in Ransomware Attacks
  • www.microsoft.com: Microsoft Security Blog on CLFS zero-day exploitation.
  • BleepingComputer: Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw (CVE-2025-29824) in the Windows Common Log File System to gain SYSTEM privileges on victims' systems.
  • bsky.app: Sky News post on Microsoft April 2025 Patch Tuesday.
  • Cyber Security News: CybersecurityNews article on Windows CLFS Zero-Day Vulnerability Actively Exploited by Ransomware Group
  • Microsoft Security Blog: Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows Common Log File System (CLFS) against a small number of targets.
  • Malwarebytes: Microsoft releases April 2025 Patch Tuesday updates, including fixes for 121 vulnerabilities, one of which is an actively exploited zero-day in the Windows Common Log File System (CLFS) driver.
  • isc.sans.edu: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
  • Blog RSS Feed: Report on the April 2025 Patch Tuesday analysis, including CVE-2025-29824.
  • krebsonsecurity.com: Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.
  • securityonline.info: SecurityOnline discusses Windows CLFS Zero-Day Exploited to Deploy Ransomware
  • securityonline.info: Windows CLFS Zero-Day Exploited to Deploy Ransomware
  • securityaffairs.com: U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog
  • www.cybersecuritydive.com: Windows CLFS zero-day exploited in ransomware attacks
  • Security | TechRepublic: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
  • The Register - Software: Bad luck, Windows 10 users. No fix yet for ransomware-exploited bug
  • The Hacker News: Microsoft released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild.
  • www.microsoft.com: Read how cyberattackers exploit domain controllers to gain privileged system access where they deploy ransomware that causes widespread damage and operational disruption.
  • The Hacker News: PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware
  • securityonline.info: Recently, the Cybersecurity and Infrastructure Security Agency (CISA) added two significant vulnerabilities to its Known Exploited Vulnerabilities Catalog, highlighting the urgency for users to apply necessary patches.
  • Arctic Wolf: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities.
  • arcticwolf.com: On April 8, 2025, Microsoft released its April 2025 security update, addressing 126 newly disclosed vulnerabilities. Arctic Wolf has highlighted five vulnerabilities affecting Microsoft Windows in this security bulletin, including one exploited vulnerability and four vulnerabilities that Microsoft has labeled as Critical.
  • Know Your Adversary: Hello everyone! I think you already heard about a zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about CVE-2025-29824.
  • Sophos News: One actively exploited issue patched; five Critical-severity Office vulns exploitable via Preview Pane
  • Security | TechRepublic: One CVE was used against “a small number of targets.” Windows 10 users needed to wait a little bit for their patches.
  • www.threatdown.com: April’s Patch Tuesday fixes a whopping 126 Microsoft vulnerabilities.
  • Logpoint: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
  • Arctic Wolf: Microsoft Patch Tuesday: April 2025
  • www.logpoint.com: The Microsoft Security blog highlights the active exploitation of CVE-2025-24983, a zero-day vulnerability in the Windows Common Log File System (CLFS) that allows local privilege escalation to SYSTEM-level access.
  • arcticwolf.com: Microsoft Patch Tuesday: April 2025
  • ciso2ciso.com: Microsoft: Windows CLFS Vulnerability Could Lead to ‘Widespread Deployment and Detonation of Ransomware’
  • Security Risk Advisors: New CLFS Zero-Day (CVE-2025-29824) Enables Rapid Privilege Escalation, Leading to Ransomware Deployment
  • cyberscoop.com: Microsoft patches zero-day actively exploited in string of ransomware attacks
  • www.tenable.com: Tenable's analysis of the CLFS vulnerability and its exploitation by Storm-2460.
  • Help Net Security: Article on Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed