Cybersecurity Alerts

Overview:

Apple has released emergency updates to patch a zero-day vulnerability (CVE-2025-43300) in its Image I/O framework that was exploited in a highly sophisticated attack targeting specific individuals. The flaw allows attackers to craft malicious image files that can corrupt memory and potentially execute arbitrary code.

This vulnerability affects a wide range of Apple devices—including both newer and older models—and has been actively exploited in the wild.

What You Need to Know:

• Vulnerability ID: CVE-2025-43300
• Affected Systems:
  • iPhone XS and later
  • iPads including:
    • iPad Pro 13-inch
    • iPad Pro 12.9-inch (2nd gen and later)
    • iPad Pro 11-inch (1st gen and later)
    • iPad Air (3rd gen and later)
    • iPad 6th gen and later
    • iPad mini (5th gen and later)
    • macOS Sequoia, Sonoma, and Ventura
• Risk: High – Exploited in targeted attacks
• Impact: Remote code execution through image processing
• Detection Difficulty: Very high – Targets may be unaware of compromise
• Exploitation Status: Confirmed in the wild by Apple

Recommended Actions:

• Update Immediately
• Apply the latest patches available in:
  • iOS 18.6.2 / iPadOS 18.6.2
  • iPadOS 17.7.10
  • macOS Sequoia 15.6.1
  • macOS Sonoma 14.7.8
  • macOS Ventura 13.7.8
• Monitor for Suspicious Activity
  • Especially if your organization handles sensitive data or operates in a high-risk sector.
• Limit Image Processing from Unknown Sources
  • Exercise caution when opening image files from untrusted or unknown origins.

Additional Resources:

Apple Security Updates Page

Overview:

Cisco has disclosed a maximum severity vulnerability (CVSS 10.0) in its Secure Firewall Management Center (FMC) software, tracked as CVE-2025-20265. This flaw affects the RADIUS subsystem and could allow unauthenticated remote attackers to execute arbitrary shell commands with elevated privileges on affected systems.

The vulnerability stems from improper handling of user input during the authentication phase and impacts FMC versions 7.0.7 and 7.7.0, specifically when RADIUS authentication is enabled for either the web interface, SSH, or both.

Although no active exploitation has been detected in the wild, Cisco strongly recommends applying the patch immediately.

What You Need to Know:

• Vulnerability ID: CVE-2025-20265
• Severity: Critical (CVSS 10.0)
• Affected Software: Cisco Secure Firewall Management Center (FMC) 7.0.7 and 7.7.0
• Attack Vector: Remote, unauthenticated
• Exploitation Status: Not currently exploited
• Authentication Required: No
• Privilege Required: None
• Impact: Remote code execution with root-level privileges

Recommended Actions:

• Apply Cisco’s Security Update Immediately
  Cisco has released updates for impacted versions through standard channels to all customers with a valid service contract.
• If Patch Deployment Is Not Possible:
  Disable RADIUS authentication and use another method such as:
  • Local user accounts
  • LDAP
  • SAML SSO
  • Note: Cisco has tested this workaround, but its effectiveness should be confirmed in your specific environment.
• Verify Authentication Configuration
  Ensure RADIUS is not inadvertently enabled where not required.
• Monitor for Unusual Administrative Activity
  Enable detailed logging to detect any unauthorized access attempts, especially via web or SSH interfaces.

Additional Cisco Advisories:

Cisco also released fixes for 13 high-severity vulnerabilities in other products including ASA, Firepower Threat Defense, IOS XE, and Secure FTD. While none are known to be actively exploited, administrators should review and apply updates where applicable.

Further Information:

Cisco Event Response Page

Overview:

Two newly discovered critical vulnerabilities in N-able N-central—widely used by MSPs and IT departments to monitor and manage client systems—are now under active exploitation in the wild. These flaws, tracked as CVE-2025-8875 and CVE-2025-8876, affect on-premises N-central servers and allow authenticated attackers to execute arbitrary commands.

N-able released patches in version 2025.3.1 and urges immediate updates. Exploitation has been observed in limited on-prem environments, but not in hosted cloud instances. CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and directed U.S. federal agencies to patch by August 20.

What You Need to Know:

• Vulnerability IDs: CVE-2025-8875, CVE-2025-8876
• Affected Systems: On-prem N-able N-central servers prior to 2025.3.1
• Risk: Critical – actively exploited
• Impact: Remote command execution
• Authentication: Required
• Detection Difficulty: May be difficult to detect in unmonitored systems
• Exploitation Status: Confirmed exploitation in the wild (limited scope reported by N-able)

Recommended Actions:

• Upgrade to N-central 2025.3.1 Immediately
  This version includes patches for both vulnerabilities. Do not delay deployment.

• Audit Server Exposure
  Identify any publicly accessible N-central servers. If possible, restrict access to trusted IP ranges.

• Enable Enhanced Logging
  Ensure detailed logging is enabled for N-central administrative activity to detect post-exploitation behavior.

• Follow CISA BOD 22-01 Guidance (if applicable)
  While BOD 22-01 is mandatory for U.S. federal agencies, CISA strongly recommends all organizations follow the same mitigation steps.

• Watch for Additional Patch Details
  As per N-able’s policy, full CVE details will be released three weeks after the patch date. Monitor for updates.

Additional Resources:

NVD CVE-2025-8875

NVD CVE-2025-8876

Overview:

Fortinet has issued an urgent advisory for a critical remote command injection vulnerability in FortiSIEM, tracked as CVE-2025-25256, with a CVSS score of 9.8. This flaw affects multiple supported and unsupported versions and is already being actively exploited in the wild.

FortiSIEM is widely deployed in enterprise, government, healthcare, finance, and MSSP environments for centralized security monitoring, logging, and analytics. Exploitation allows unauthenticated attackers to remotely execute arbitrary commands on affected systems via specially crafted CLI requests.

What You Need to Know:

• Vulnerability ID: CVE-2025-25256
• Severity: Critical (CVSS 9.8)
• Impact: Remote unauthenticated command injection
• Affected Versions: FortiSIEM versions 5.4 to 7.3 (see fix list below)
• Exploit Status: In-the-wild exploit code confirmed
• Detection: Fortinet states no distinctive IOCs are generated during exploitation

Recommended Actions:

• Apply Fortinet's Security Updates Immediately
  Fortinet has issued patches for the following versions:
  • FortiSIEM 7.3.2
  • FortiSIEM 7.2.6
  • FortiSIEM 7.1.8
  • FortiSIEM 7.0.4
  • FortiSIEM 6.7.10
    • Note: Versions 5.4 to 6.6 will not be patched and must be upgraded to a supported release.
• If You Cannot Patch Immediately:
  • Limit access to phMonitor on port 7900 as a temporary workaround to reduce exposure
  • Note that this does not remediate the underlying vulnerability
• Audit and Monitor FortiSIEM Instances
  Due to the lack of clear IOCs, consider reimaging systems if compromise is suspected
  Review firewall logs and access records for unusual CLI activity over port 7900

Further Information:

WatchTowr Labs Report

Overview:

Six major password managers—including 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce—are vulnerable to clickjacking attacks that could trick users into unknowingly autofilling login credentials, 2FA codes, and payment data on malicious or compromised websites.

The flaw, disclosed at DEF CON 33 by security researcher Marek Tóth and validated by Socket, affects the browser extensions of these password managers. Attackers can manipulate browser rendering to overlay invisible password manager controls with decoy UI elements, capturing sensitive data during autofill.

What You Need to Know:

• Vulnerability Type: Clickjacking via invisible overlays and UI manipulation
• Affected Products:
  • 1Password 8.11.4.27
  • Bitwarden 2025.7.0
  • Enpass 6.11.6 (partial fix in 6.11.4.2)
  • iCloud Passwords 3.1.25
  • LastPass 4.146.3
  • LogMeOnce 7.12.4
• Risk: High – Sensitive data exposure including credentials and credit card information
• Impact: Stealthy credential theft via invisible browser extension UI controls
• Exploitation Status: Proof-of-concept presented; no widespread exploitation reported yet
• Fixes Available For: Dashlane, NordPass, ProtonPass, RoboForm, Keeper

Recommended Actions:

• Disable Autofill Function
  Until fixes are released, disable autofill features in your password manager browser extensions.
• Use Copy and Paste
  Manually copy credentials from your password manager instead of using autofill.
• Watch for UI Manipulation
  Be alert for unusual popups, cookie banners, or CAPTCHA overlays—these may be decoys masking password manager UI elements.
• Update Extensions Regularly
  Ensure your browser extension is always up to date. Bitwarden has issued a fix in version 2025.8.0.
• Limit Use of Browser-Based Extensions
  Where feasible, use standalone password manager apps instead of browser-integrated tools.

Vendor Responses:

• 1Password: Acknowledged the issue but framed it as a general browser limitation. Plans to expand autofill confirmation alerts in future versions.
• Bitwarden: Confirmed the vulnerability and released a fix in version 2025.8.0.
• LastPass: Acknowledged the risk and emphasized existing safeguards; further protections under review.
• LogMeOnce: No official response yet.
• Other vendors (Dashlane, Keeper, etc.): Released fixes ahead of public disclosure.

Additional Resources:

DEF CON 33 Presentation (Marek Tóth)

Bleeping Computer Coverage

Trend Micro has confirmed active exploitation of a critical vulnerability in its Apex One endpoint security platform. The flaw affects the on-premises Apex One Management Console and allows unauthenticated attackers to execute commands remotely, potentially leading to a full system compromise. No patch is currently available, but a mitigation tool has been released.

What You Need to Know:

• Product Affected: Trend Micro Apex One (on-prem)
• Vulnerabilities:
  • CVE-2025-54948 (x64 systems)
  • CVE-2025-54987 (x86 systems)
• Flaw Type: Command Injection
• Attack Vector: Remote, pre-authenticated access to the Management Console
• Impact: Remote Code Execution (RCE), complete system compromise
• Exploitation Status: Actively exploited in the wild
• Mitigation: Temporary mitigation tool available; patch expected mid-August 2025
• Tradeoff: Mitigation disables Remote Install Agent functionality until patched

Recommended Actions:

1. Apply Mitigation Tool Immediately
   • Download and apply Trend Micro’s mitigation tool to block known exploitation attempts.
2. Restrict Console Access
   • Ensure the Apex One Management Console is not exposed to the public internet.
   • Implement IP source restrictions if external access is required.
3. Prepare for Mid-August Patch
   • Trend Micro will release a security update mid-August to fully resolve the issue and restore Remote Install Agent capabilities. Monitor for availability.
4. Audit for Signs of Compromise
   • Review access logs and system behavior for suspicious activity.

Microsoft has disclosed a serious vulnerability affecting organizations with hybrid Exchange deployments (on-premises Exchange servers connected to Microsoft 365 Exchange Online). The flaw—tracked as CVE-2025-53786—could allow attackers to escalate privileges in the cloud environment undetected if they first gain access to the on-premises server. This abuse stems from the shared service principal identity used for authentication between environments.

Microsoft and CISA both warn that successful exploitation could result in full domain compromise across both cloud and on-prem systems.

New Update – August 2025:

Security scans reveal over 29,000 Exchange servers remain exposed online without the April 2025 patch. CISA issued Emergency Directive 25-02, mandating that all U.S. federal agencies were to mitigate this vulnerability by Monday, August 11 at 9:00 AM ET.

While this mandate does not apply to private organizations, CISA strongly urges every Exchange hybrid user to take the same precautions immediately.

What You Need to Know:

• Vulnerability ID: CVE-2025-53786
• Affected Systems: Exchange Server 2016, 2019, and Subscription Edition
• Risk: High – Exploitation marked as “More Likely” by Microsoft
• Impact: Cloud privilege escalation, undetected lateral movement, potential total domain compromise
• Detection Difficulty: Activities originating from on-prem Exchange may not appear in M365 audit logs
• Exploitation Status: Not currently exploited, but Microsoft believes consistent exploit code is achievable

Recommended Actions:

• Apply April 2025 Hotfixes
  Install Microsoft’s hotfix updates for on-prem Exchange servers immediately.
• Deploy a Dedicated Hybrid Application
  Replace the default shared service principal with a dedicated app identity to reduce the blast radius.
• Use the Exchange Health Checker
  Run this tool after applying patches to ensure your environment is properly configured.
• Clean Up Legacy Hybrid Configurations
  If you previously used Exchange Hybrid but no longer do, follow Microsoft’s Service Principal Clean-Up Mode guidance to reset credentials and remove unnecessary trust.
• Limit Internet Exposure
  Disconnect any public-facing Exchange servers that are out-of-date or no longer in use.

Additional Resources:

CISA Security Alert

Exchange Team Blog

SonicWall has issued an urgent advisory after multiple ransomware attacks were linked to a potential zero-day vulnerability in its Gen 7 firewall series, specifically targeting SSL VPN services. Security researchers have observed threat actors bypassing multi-factor authentication (MFA) and quickly moving to take over networks—often within hours of breaching the firewall.

The attacks, attributed to the Akira ransomware gang, have prompted cybersecurity firms Arctic Wolf and Huntress to recommend disabling SonicWall SSL VPNs immediately until further investigation and patches are available.

What You Need to Know:

• Product Affected: SonicWall Gen 7 Firewalls (SSL VPN enabled)
• Vulnerability Status: Likely zero-day (unpatched, actively exploited)
• Attack Vector: Remote access via SonicWall SSL VPN
• Impact: Full network compromise, ransomware deployment
• Exploitation Confirmed: Yes – observed in the wild since mid-July
• Mitigations Available: Yes – see below

Recommended Actions:

1. Disable SSL VPN Services Immediately
   • If your organization doesn’t require VPN access, disable it altogether as a precaution.
2. Restrict VPN Access by IP
   • Allow access only from trusted IP addresses to limit exposure.
3. Enforce MFA and Remove Unused Accounts
   • Strengthen your access policies by enforcing multi-factor authentication and eliminating unused or outdated user accounts.
4. Enable SonicWall Security Features
   • Turn on Botnet Protection and Geo-IP Filtering to help block malicious connections.
5. Monitor for Indicators of Compromise (IOCs)
   • Review Huntress report and threat indicators

Additional Resources:

SonicWall Security Advisory

Lenovo has released firmware updates for select all-in-one desktop models to patch six high-severity vulnerabilities in UEFI firmware that could allow attackers to bypass Secure Boot protections and execute persistent malware. The flaws reside in System Management Mode (SMM), a highly privileged CPU mode that runs beneath the operating system, making it a prime target for stealthy attacks. These issues stem from OEM-specific customizations made by Insyde for Lenovo devices.

What You Need to Know:

• Vulnerabilities: CVE-2025-4421 through CVE-2025-4426
• Severity: High (CVSS up to 8.2)
• Impact: Secure Boot bypass, firmware-level privilege escalation, memory corruption, and persistent implants
• Affected Models:
  • IdeaCentre AIO 3: 24ARR9 and 27ARR9
  • Yoga AIO: 27IAH10, 32ILL10, and 32IRH8
• Firmware Source: InsydeH2O UEFI, customized for Lenovo
• Root Cause: Vulnerabilities in SMI handlers enabling attackers to manipulate SMRAM memory and system settings

Recommended Actions:

1. Update Firmware Immediately:
   • IdeaCentre AIO 3 users should upgrade to firmware version O6BKT1AA available on Lenovo’s support site.
   • Yoga AIO models will receive updates between September 30 and November 30, 2025 — monitor Lenovo’s Product Security Advisory Portal for release.
2. Limit Local Access:
   • These vulnerabilities require local access for exploitation, so limit physical and administrative access to trusted personnel.
3. Enable Secure Boot & UEFI Protections:
   • Ensure Secure Boot is enabled and BIOS protections (such as firmware write protection) are configured appropriately.
4. Monitor for Suspicious Behavior:
   • Persistent threats can survive OS reinstallations. Monitor for signs of low-level compromise such as unexpected firmware behavior, reoccurring malware, or issues with Secure Boot integrity.

Additional Resources:

Lenovo Security Advisories

Mitel has disclosed a critical authentication bypass vulnerability affecting its MiVoice MX-ONE enterprise communications platform, impacting versions 7.3 through 7.8 SP1. The flaw exists in the Provisioning Manager component and allows unauthenticated attackers to gain administrator access through low-complexity attacks without user interaction. Though it has not yet been assigned a CVE ID, Mitel has released patches in versions 7.8 and 7.8 SP1. All customers are urged to request and apply the update through their authorized service provider. Mitel strongly advises against exposing MX-ONE services to the public internet and recommends isolating the system within a trusted network. While not known to be exploited in the wild, the flaw joins a growing list of severe vulnerabilities affecting Mitel’s product suite, including MiCollab. Given Mitel's extensive footprint across healthcare, education, and government, immediate action is advised.

What You Need to Know:

• Affected Versions: MiVoice MX-ONE 7.3 (7.3.0.0.50) through 7.8 SP1 (7.8.1.0.14)
• Patched Versions: 7.8 (MXO-15711_78SP0) and 7.8 SP1 (MXO-15711_78SP1)
• Attack Requirements: No authentication or user interaction needed
• Potential Impact: Full administrative access to the platform
• Exploit Status: Not currently known to be exploited in the wild

Recommended Actions:

1. Apply the Patch Immediately
   • Customers on affected versions should contact their authorized Mitel service provider to request and apply the patch.
2. Restrict Access
   • Ensure MiVoice MX-ONE services are not exposed to the public internet.
   • Limit access to the Provisioning Manager to trusted, internal networks.
3. Audit Network Exposure
   • Review firewall rules and network segmentation to confirm MX-ONE systems are not accessible externally.
4. Monitor for Signs of Unauthorized Access
   • Check system logs for suspicious access attempts or unexpected administrative activity.

Additional Resources:

Mitel Security Advisory

Mitel Advisory List

A serious vulnerability in the widely used Post SMTP plugin for WordPress could allow attackers to hijack administrator accounts and take full control of affected websites. The flaw impacts all versions up to 3.2.0 and is currently unpatched on over 200,000 websites. This plugin is commonly used to improve email delivery on WordPress sites, replacing the built-in wp_mail() function.

What You Need to Know:

• Vulnerability ID: CVE-2025-24000
• Severity: High (CVSS 8.8)
• Impact: Unauthorized access to admin accounts via email log exposure
• Affected Plugin: Post SMTP (≤ v3.2.0)
• Active Installs at Risk: ~200,000 sites
• Exploit Method:
  • Low-privileged users (e.g., Subscribers) could exploit a broken access control flaw in the plugin’s REST API.
  • These users could view sensitive email logs, intercept admin password reset links, and take over accounts.
• Status: Fix released in version 3.3.0 on June 11, 2025

Recommended Actions:

1. Update Immediately:
   • Upgrade Post SMTP to version 3.3.0 or newer via your WordPress admin panel or from the official plugin page.
2. Audit User Roles:
   • Review all user accounts on your WordPress site. Remove or downgrade suspicious accounts, especially those with elevated privileges.
3. Monitor Logs and Admin Activity:
   • Check for signs of compromise such as unknown admin logins, unauthorized plugin installs, or unusual email activity.
4. Reset Credentials if Compromised:
   • If you suspect exploitation, reset all administrator passwords and review email server logs for unusual access.

Additional Resources:

Patchstack Analysis

SonicWall has released a critical security update for its SMA 100 series appliances (SMA 210, 410, and 500v) to address a remote code execution (RCE) vulnerability. Tracked as CVE-2025-40599, this flaw allows authenticated users with administrative privileges to upload arbitrary files and execute code remotely via the device’s web management interface.

What You Need to Know:

• CVE-2025-40599: Critical authenticated file upload vulnerability that can lead to remote code execution
• Affected Products: SMA 100 series (SMA 210, 410, 500v)
• Not Affected: SMA 1000 series or SSL-VPN running on SonicWall firewalls
• Exploit Conditions: Requires admin-level credentials, but no active exploitation confirmed at this time
• Severity: Critical – due to potential for full system compromise

Recommended Action:

• Patch Immediately: Upgrade SMA 100 series appliances to the latest fixed firmware release
• Limit Remote Access: Disable remote management on external interfaces
• Reset Passwords: All admin and user credentials should be reset
• Reinitialize OTP: Rebind one-time password configurations
• Enforce MFA: Enable multi-factor authentication for all users
• Enable WAF: Turn on Web Application Firewall for additional protection

Additional Context:

While no active exploitation of CVE-2025-40599 has been confirmed, SMA 100 series devices are already known targets. Google’s Threat Intelligence Group (GTIG) recently reported that threat actor UNC6148 is exploiting SonicWall appliances using previously disclosed vulnerabilities and stolen credentials to deploy malware and potentially ransomware.

If Compromised:

• Review logs for unauthorized access
• Check connection history for anomalies
• Contact SonicWall Support if compromise is suspected

Related Incidents:

• Earlier this year, multiple SMA 100 vulnerabilities (CVE-2025-32819, CVE-2025-32820, CVE-2025-32821) were actively exploited
• A rootkit dubbed OVERSTEP was recently discovered targeting fully patched SMA 100 devices
• Previous RCE flaws dating back to 2021 continue to be used in credential-theft campaigns

Resources:

SonicWall Security Advisory

A critical vulnerability in Microsoft SharePoint Server is being actively exploited by attackers to achieve remote code execution and take full control of vulnerable servers. Tracked as CVE-2025-53770 and nicknamed "ToolShell," this flaw poses a severe risk, especially for internet-facing SharePoint deployments. Government agencies and organizations across multiple sectors have already been breached, including the U.S. Department of Energy.

What You Need to Know:

• CVE-2025-53770 (CVSS 9.8) is a critical RCE vulnerability affecting SharePoint Server Subscription Edition, 2019, and 2016
• Attackers can bypass authentication, upload malicious .aspx files, steal cryptographic machine keys, and escalate privileges
• Live exploitation began around July 18, 2025, and continues globally
• Confirmed breaches include U.S. government agencies, European and Middle Eastern institutions, and over 148 organizations

Recommended Action:

1. Patch Immediately
   • Subscription Edition - KB5002768
   • SharePoint 2019 - KB5002754
   • SharePoint 2016 - KB5002760
2. Enable AMSI Integration
   • Activating AMSI (Antimalware Scan Interface) helps detect and block malicious code in SharePoint
   • Configure AMSI in SharePoint
3. Rotate Machine Keys
   • Immediately rotate ASP.NET machine keys after patching to prevent impersonation attacks
4. Harden Server Exposure
   • Restrict internet access to unpatched servers
   • Monitor or block unusual POST requests to /_layouts/15/ToolPane.aspx and .aspx file uploads
5. Audit and Validate
   • Check IIS logs, verify critical file integrity, and confirm backups haven’t been altered

Why It Matters:

SharePoint servers often hold sensitive business data and are highly privileged within a network. A successful compromise can allow attackers to implant backdoors, steal credentials, move laterally across the network, and deploy ransomware such as Warlock and Lockbit.

Nation-state groups including Storm-2603, Linen Typhoon, and Violet Typhoon have already exploited this flaw. In some cases, malware was deployed weeks before detection. Threat actors used tools like Mimikatz, PsExec, and WMI to spread across systems.

Recent Incidents:

• U.S. National Nuclear Security Administration (NNSA)
• Department of Education and NIH
• Florida Department of Revenue
• Rhode Island General Assembly
• Multiple European and Middle Eastern governments

Additional Resources:

Microsoft Security Update

UPDATE - July 22, 2025

Cisco has confirmed that the three maximum-severity vulnerabilities in Identity Services Engine (ISE)—CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337—are now being actively exploited in the wild. These flaws allow unauthenticated attackers to gain full root access to affected systems via crafted API requests or malicious file uploads. Cisco has not disclosed the nature or success of these exploitation attempts but strongly urges all customers to immediately upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2 to mitigate the risk. With no available workarounds and real-world attacks underway, this update is critical for organizations relying on ISE to enforce network security policies.

Cisco has disclosed a new critical vulnerability (CVE-2025-20337) in Identity Services Engine (ISE) that allows unauthenticated remote attackers to execute arbitrary code with root privileges. This flaw, rated 10.0 (maximum severity), joins two previously disclosed vulnerabilities (CVE-2025-20281 and CVE-2025-20282), which also affect ISE and Passive Identity Connector (ISE-PIC) versions 3.3 and 3.4.

What You Need to Know:

• CVE-2025-20337: Enables unauthenticated remote attackers to store malicious files, run code, or gain root access via crafted API requests.
• Severity: Critical (CVSS 10.0)
• Affected Versions: Cisco ISE and ISE-PIC 3.3 and 3.4
• Unaffected Versions: 3.2 and earlier
• No Workaround Available: Patching is the only mitigation
• Important Note: Fixes for CVE-2025-20281 and CVE-2025-20282 do not cover CVE-2025-20337

Required Action:

• Upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2 to address all three critical vulnerabilities
• Older versions (3.2 and earlier) are not affected, but ensure no outdated systems remain in production
• Review Cisco’s advisory to verify system compatibility and available memory before upgrading

Additional Cisco Vulnerabilities Disclosed:

• CVE-2025-20274: Arbitrary file upload in Cisco Unified Intelligence Center (fixed in 12.5(1) SU ES05 and 12.6(2) ES05)
• CVE-2025-20272: SQL injection in Cisco Prime Infrastructure and EPNM (fixed in 3.10.6 SU2 and EPNM 8.0.1/8.1.1)
• CVE-2025-20283 to 20285: Authenticated RCE and IP bypass in Cisco ISE (fixed in 3.3 Patch 7 / 3.4 Patch 2)
• CVE-2025-20288: SSRF in Cisco Unified Intelligence Center (fixed in 12.5(1) SU ES05 and 12.6(2) ES05)

Key Takeaway:

If you're running Cisco ISE or ISE-PIC in versions 3.3 or 3.4, apply the latest patches immediately. These flaws can be exploited without authentication and leave systems vulnerable to complete remote compromise.

Additional Resources:

Zero Day Initiative Advisory

Cisco Advisory

VMware has released security updates addressing four critical vulnerabilities discovered during the Pwn2Own Berlin 2025 hacking competition. Three of the vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238) are rated 9.3 in severity and allow code execution from within a guest virtual machine on the host. A fourth vulnerability (CVE-2025-41239), rated 7.1, allows information disclosure and was used in conjunction with one of the code execution bugs during the event.

What You Need to Know:

• CVE-2025-41236: Integer overflow in VMXNET3 virtual network adapter (used by STARLabs SG)
• CVE-2025-41237: Integer underflow in VMCI interface leading to out-of-bounds write (used by REverse Tactics)
• CVE-2025-41238: Heap overflow in PVSCSI controller leading to code execution (used by Synacktiv)
• CVE-2025-41239: Info disclosure in VMware Tools for Windows (chained with CVE-2025-41237)
• Affected Products: VMware ESXi, Workstation, Fusion, and VMware Tools for Windows
• Attack Vector: Exploitable by a user or process with local admin access inside a guest VM
• Severity Ratings: Three critical (9.3), one high (7.1)
• Exploitation Status: Demonstrated live as zero-days during the Pwn2Own contest

Recommended Actions:

• Update Immediately: VMware has released patches for all affected products. No workarounds are available.
• Patch VMware Tools for Windows separately, as it follows a different update process.
• Audit VM access control policies: These vulnerabilities require local access inside VMs. Restrict administrative privileges where possible.
• Monitor for suspicious guest-to-host behavior post-update to ensure no prior exploitation occurred.

 

A critical vulnerability (CVE-2025-5394) in the popular WordPress Alone theme is being actively exploited by threat actors to take full control of affected websites. The flaw, which allows unauthenticated remote code execution through arbitrary file uploads, has already been used in over 120,000 attack attempts, according to Wordfence. The theme is commonly used by charities, NGOs, and other non-profit organizations, making it a high-value target for attackers.

What You Need to Know:

• Vulnerability: CVE-2025-5394
• Affected Versions: All versions of the Alone theme up to 7.8.3
• Patched Version: 7.8.5, released June 16, 2025
• Exploit Method: Attackers use the theme’s AJAX function alone_import_pack_install_plugin()—which lacks proper nonce validation—to upload malicious ZIP files containing webshells or file managers. This allows full site compromise and persistent access.
• Indicators of Compromise:
  • New unauthorized admin users
  • Suspicious ZIP/plugin folders
  • Requests to: admin-ajax.php?action=alone_import_pack_install_plugin
  • Traffic from known malicious IPs:
    • 193.84.71.244
    • 87.120.92.24
    • 146.19.213.18
    • 2a0b:4141:820:752::2

Recommended Actions:

• Update Immediately: Upgrade the Alone theme to version 7.8.5 or later.
• Audit Your Site:
  • Check for unfamiliar admin accounts.
  • Review plugin folders for suspicious ZIP or PHP files.
  • Inspect server and firewall logs for unusual POST requests or the listed IP addresses.
• Block Malicious IPs: Add the IP addresses listed above to your deny list.
• Enable 2FA: Require two-factor authentication for admin accounts to reduce future risk.
• Scan for Backdoors: Use a trusted malware scanner to check for webshells or hidden file managers.

Additional Resources:

Wordfence Vulnerability Database

Envato Alone Theme Page

Google has released a critical Chrome update to address six vulnerabilities, including one zero-day (CVE-2025-6558) that has been actively exploited in the wild. This flaw allows attackers to escape Chrome’s sandbox and potentially execute code beyond the browser, posing significant risk to users.

What You Need to Know:

• CVE-2025-6558: A high-severity vulnerability (CVSS 8.8) in ANGLE/GPU due to insufficient input validation.
• Impact: Remote attackers can use malicious web pages to escape the browser’s sandbox and execute code.
• Actively Exploited: Yes – attackers are already using this in real-world attacks.
• Affected Versions: Chrome versions prior to 138.0.7204.157 (Windows/Mac) and 138.0.7204.158 (Linux).
• Component Involved: ANGLE – Chrome's graphics engine that handles GPU commands from web content.
• Discovery: Found by Google’s Threat Analysis Group (TAG) on June 23, 2025.

Recommended Action:

• Update Immediately:
  Navigate to chrome://settings/help in your browser and allow it to check for updates. Restart the browser to apply the patch.
• Auto-Updates: Chrome typically updates automatically, but manual checks ensure timely protection.
• Security Reminder: Regular browser updates are essential to defend against zero-day exploits that target high-risk individuals and organizations.

Additional Security Fixes in This Release:

• CVE-2025-7656: High-severity flaw in the V8 JavaScript engine
• CVE-2025-7657: Use-after-free vulnerability in WebRTC
• These additional bugs are not known to be actively exploited but are still important to patch.

Context:

This is the fifth actively exploited Chrome zero-day vulnerability Google has patched in 2025 alone. Similar flaws earlier this year were used in espionage campaigns and account hijacking attacks. Chrome’s sandbox is a critical security feature, and flaws that bypass it represent serious threats.

Apple has released security updates to address a high-severity zero-day vulnerability (CVE-2025-6558) in WebKit that was actively exploited in attacks targeting Chrome users. The flaw originates from improper validation of untrusted input in ANGLE—a graphics layer used across multiple platforms—and may allow attackers to execute arbitrary code and escape browser sandbox protections. This vulnerability has been linked to targeted campaigns, likely involving spyware and state-sponsored threat actors.

What You Need to Know:

• Vulnerability: CVE-2025-6558
• Severity: High (CVSS 8.8)
• Impact: Remote code execution and potential sandbox escape via crafted HTML pages
• Actively Exploited: Yes – discovered and disclosed by Google’s Threat Analysis Group (TAG)
• Affected Platforms:
  • iOS / iPadOS: iOS 18.6, iPadOS 18.6, and iPadOS 17.7.9
  • macOS: macOS Sequoia 15.6
  • tvOS: tvOS 18.6
  • visionOS: visionOS 2.6
  • watchOS: watchOS 11.6

The issue affects WebKit, Apple’s browser engine used in Safari and other system applications. If exploited, it could lead to device compromise through malicious web content.

Recommended Actions:

1. Update Devices Immediately:
   • Install the latest security updates on all Apple devices running iOS, iPadOS, macOS, watchOS, tvOS, and visionOS.
   • Affected users include iPhone XS and newer, Apple Watch Series 6 and newer, all Apple TV models, iPad 6th gen and later, and others listed in Apple’s release notes.
2. Review Web Browsing Activity:
   • If your organization permits sensitive work on Apple devices, review access to suspicious websites and consider temporary restrictions if patching is delayed.
3. Notify High-Risk Users:
   • Users working in politics, media, or activism should be especially vigilant, as past exploitation of this flaw class has been linked to spyware campaigns.

Additional Resources:

Apple Security Updates

Cisco has disclosed a critical security flaw in its Unified Communications Manager (CUCM) and Session Management Edition (SME) that could allow unauthenticated, remote attackers to log in using a built-in root account with static credentials. This backdoor was intended for development use and affects several engineering special releases. The vulnerability is rated with the highest severity and can only be mitigated through patching.

What You Need to Know:

• Vulnerability ID: CVE-2025-20309
• Severity: Critical (CVSS 10.0)
• Affected Products: Cisco Unified CM and Unified CM SME versions 15.0.1.13010-1 through 15.0.1.13017-1
• Exploitation does not require authentication
• Successful exploitation grants full root access
• No workarounds are available
• Cisco is not aware of active exploitation at this time, but administrators should act immediately

Recommended Actions:

• Upgrade to Cisco Unified CM or Unified CM SME version 15SU3 (July 2025)
• Alternatively, apply the Cisco patch identified as CSCwp27755
• Review system logs for unusual root login activity
• Ensure remote access to administrative systems is restricted to trusted sources

Additional Resources:

Cisco Security Advisory

A high-severity vulnerability has been discovered in the Forminator WordPress plugin, which is currently active on over 600,000 websites. The flaw allows unauthenticated attackers to delete arbitrary files on a server — including WordPress core files like wp-config.php — potentially leading to full site compromise. The vulnerability affects all versions up to 1.44.2 and has been patched in version 1.44.3.

What You Need to Know:

• Vulnerability ID: CVE-2025-6463
• Affected Plugin: Forminator (by WPMU DEV)
• Affected Versions: Up to and including 1.44.2
• Severity: High (CVSS score 8.8)
• Exploitation allows attackers to delete critical WordPress files
• A compromised site may be forced into a setup mode, making it vulnerable to takeover
• No current reports of exploitation in the wild, but public proof-of-concept details increase risk

Recommended Actions:

• Immediately update the Forminator plugin to version 1.44.3 or later
• If you are unable to update immediately, disable the plugin until it can be safely updated
• Monitor your site for any unusual behavior, especially missing configuration files or unexpected redirects to WordPress setup pages
• Limit access to file deletion features in the WordPress dashboard to trusted administrators only

Additional Resources:

Product Details

Google has released an emergency update to address a high-severity zero-day vulnerability in Chrome that is already being exploited in the wild. Tracked as CVE-2025-6554, this marks the fourth actively exploited Chrome zero-day fixed so far in 2025. The flaw is a type confusion issue in Chrome’s V8 JavaScript engine, which could allow attackers to execute arbitrary code on unpatched systems.

What You Need to Know:

• Vulnerability ID: CVE-2025-6554
• Affected Product: Google Chrome (all platforms)
• Severity: High
• Exploited in the wild prior to patch release
• Root Cause: Type confusion in V8 JavaScript engine
• Patch Release Date: June 26, 2025
• Affected Versions: Chrome versions prior to 138.0.7204.96 (Windows/Linux) and 138.0.7204.92 (Mac)
• Discovered by: Clément Lecigne, Google Threat Analysis Group (TAG)
• Attack Use: Believed to be targeted attacks, often associated with state-sponsored threat actors

Recommended Actions:

• Immediately update Google Chrome to the latest version:
  • Windows: 138.0.7204.96 or later
  • Mac: 138.0.7204.92 or later
  • Linux: 138.0.7204.96 or later
• Restart your browser after updating to ensure the patch is applied
• Enable auto-updates if not already active
• Monitor high-risk users in your organization, such as executives or those with access to sensitive data

Additional Resources:

Release Notes

A new phishing campaign is actively exploiting a Microsoft 365 feature called Direct Send to deliver internal-looking emails that bypass standard email security protections, including SPF, DKIM, and DMARC. This allows attackers to impersonate employees and send phishing emails from seemingly legitimate company addresses—without authentication.

The campaign has already targeted over 70 organizations, with a strong focus on Financial Services, Manufacturing, Construction, Engineering, Healthcare, and Insurance sectors.

What You Need to Know

• Direct Send is designed to allow devices like scanners or on-premises apps to send mail through Microsoft 365 without authentication.
• In this attack, PowerShell commands are used to send messages through a company’s Microsoft 365 smart host (e.g., company-com.mail.protection.outlook.com), appearing to come from internal users.
• The phishing emails impersonate voicemail or fax notifications and use PDF attachments containing QR codes instead of clickable links.
• Victims are tricked into scanning the QR code on their phones, leading to a fake Microsoft login page that steals credentials.
• Because messages are routed through the smart host, they appear to come from inside the organization, even though they fail standard authentication checks.

Recommended Actions

1. Enable “Reject Direct Send” (introduced April 2025) in Exchange Admin Center to block unauthenticated mail sent through Direct Send.
2. Enforce stricter DMARC policies (p=reject) to prevent spoofed emails from being delivered.
3. Enable SPF hard fail and configure anti-spoofing policies in Microsoft 365.
4. Flag or quarantine unauthenticated internal messages in Exchange Online Protection.
5. Disable Direct Send entirely unless it is absolutely required—and ensure it is correctly locked down.
6. Train users to recognize phishing attacks involving QR codes in PDFs, and encourage reporting of suspicious messages.

Additional Resources

Microsoft Learn

Varonis Report

Cisco has disclosed two maximum-severity vulnerabilities (CVSS 10.0) in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These flaws allow unauthenticated remote attackers to achieve full root-level remote code execution, completely compromising affected systems without user interaction.

Given the central role ISE plays in network access control (NAC), identity policy enforcement, and secure access, these vulnerabilities represent a major risk to enterprise networks.

What You Need to Know

• CVE-2025-20281 – Affected Versions: ISE/ISE-PIC 3.3 and 3.4
  • Cause: Improper input validation in an exposed API
  • Impact: Allows attackers to execute OS commands as root via crafted API requests
• CVE-2025-20282 – Affected Version: ISE 3.4
  • Cause: Inadequate file validation in an internal API
  • Impact: Allows unauthenticated file uploads to privileged directories and execution with root privileges
• CVE-2025-20264 – Affected: All ISE versions up to 3.4
  • Type: Medium-severity authentication bypass via SAML SSO misconfiguration
  • Impact: Valid SSO-authenticated users can modify system settings or force restarts

Why It Matters

Cisco ISE is a critical component in the IT infrastructure of enterprises, universities, service providers, and governments. These flaws:

• Require no credentials to exploit
• Offer full control over the target system
• Bypass all access controls and can be exploited over the network

Recommended Actions

1. Update Immediately:
   • ISE 3.3: Upgrade to Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4)
   • ISE 3.4: Upgrade to Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1)
   • ISE 3.2: Fix pending in Patch 8 (expected November 2025)
   • Older versions (3.1 and earlier) are unsupported—migrate to a supported release.
2. Check Access Controls:
   • Review public exposure of ISE management and API interfaces.
   • Apply firewall rules and network segmentation to limit access.
3. Audit for Unauthorized Access:
   • Review logs and monitor for suspicious API or file upload activity.
   • Ensure alerts are configured for unexpected changes or reboots.
4. Fix SSO Integration (CVE-2025-20264):
   • Validate SAML SSO configurations.
   • Upgrade to ISE 3.3 Patch 5 or ISE 3.4 Patch 2.

References

Cisco CVE-2025-20264 Advisory

Researchers have discovered a critical flaw (CVE-2024-51978) in the default password system of 689 Brother printer models, along with select models from Fujifilm, Toshiba, Ricoh, and Konica Minolta. This vulnerability allows an unauthenticated attacker to generate the printer’s default administrator password using a predictable algorithm—no hacking tools or credentials required.

Unfortunately, the issue is rooted in the way these printers are manufactured and cannot be fixed by firmware alone. Any device made before the manufacturing change will remain vulnerable unless users manually change the admin password.

What You Need to Know

• Who is affected? Owners of 689+ Brother printers and 53 others from Fujifilm, Toshiba, Ricoh, and Konica Minolta.
• What’s the risk? Remote attackers can generate the admin password and access the printer. This can lead to:
  • Reconfiguration of device settings

  • Access to stored scans or address books

  • Remote code execution (RCE) if chained with other flaws

  • Use of the printer to move deeper into your network

• Why it’s urgent: The flaw (CVSS 9.8 Critical) is already public. Attackers only need the printer’s serial number—which is often accessible via the network or physical label.

Recommended Actions

1. Immediately change the default admin password on any affected Brother printer (or any business-class model that hasn’t been reviewed recently).

2. Apply firmware updates released by the manufacturer. While not enough to fix this specific issue, they address related vulnerabilities that attackers can chain with this flaw.

3. Restrict network access to printer administration pages. Only allow internal IT access, and disable unnecessary services like FTP, LDAP, and PJL if not used.

4. Review device logs and settings for signs of unauthorized access.

5. If in doubt, replace high-risk models—especially those exposed to public networks or holding sensitive data.

---

Additional Resources

Brother Support FAQ

Konica Minolta Advisory

Fujifilm Notice

Ricoh Security Advisory

Toshiba Notice

Citrix has disclosed three new vulnerabilities impacting NetScaler ADC and Gateway appliances, two of which are critical remote code execution or session hijacking flaws (CVE-2025-5777, CVE-2025-5349) and one that is actively exploited in the wild to cause denial of service (CVE-2025-6543).

These vulnerabilities impact NetScaler appliances configured as VPNs, ICA Proxies, Clientless VPNs, RDP Proxies, and AAA virtual servers.

Key Vulnerabilities

1. CVE-2025-5777 — “CitrixBleed 2”
   • Type: Out-of-bounds memory read.
   • Impact: Allows unauthenticated attackers to access sensitive session memory (e.g., session tokens, credentials).
   • Risk: Stolen session tokens can bypass MFA and hijack user sessions.
   • Action: Patch immediately and terminate all active ICA and PCoIP sessions after patching.
2. CVE-2025-5349
   • Type: Improper access control in NetScaler Management Interface.
   • Impact: Allows unauthorized access if the attacker can reach the NSIP, Cluster Management IP, or GSLB Site IP.
   • Action: Apply updates and restrict management interface exposure.
3. CVE-2025-6543 — Active DoS Exploit
   • Type: Remote unauthenticated denial-of-service.
   • Impact: Remote attackers can crash vulnerable appliances by sending crafted requests.
   • Status: Actively exploited in the wild (as confirmed by Citrix).
   • Action: Patch immediately to version 14.1-47.46, 13.1-59.19, or 13.1-37.236-FIPS/NDcPP.

Affected Versions

• NetScaler ADC and Gateway before 14.1-43.56, 13.1-58.32, and 13.1-37.235-FIPS/NDcPP are vulnerable to CitrixBleed 2 and CVE-2025-5349.
• Versions before 14.1-47.46, 13.1-59.19, and 13.1-37.236-FIPS/NDcPP are vulnerable to the DoS flaw (CVE-2025-6543).
• Versions 12.1 and 13.0 are end-of-life and will not receive patches. Upgrade is mandatory.

Recommended Actions

• Update immediately to patched versions provided by Citrix.
• After patching for CitrixBleed 2, review and terminate active sessions:
• Use show icaconnection and related commands to review.
• Use kill icaconnection -all and kill pcoipconnection -all to terminate.
• Audit logs for suspicious access or token replay attempts.
• Restrict access to management interfaces (NSIP, GSLB) using firewall rules or IP whitelisting.
• Monitor for DoS symptoms and apply mitigations to maintain service availability.

Additional Information

Citrix Security Bulletins

Over 56,500 NetScaler devices are publicly accessible, posing a serious risk for unpatched environments.

CISA has added CVE-2023-0386 to its Known Exploited Vulnerabilities list after confirming in-the-wild attacks. The flaw is an ownership-handling bug in the Linux kernel’s OverlayFS subsystem that lets any local user escalate to root. Proof-of-concept code has been public on GitHub since May 2023, and exploitation is considered trivial on kernels older than 6.2 across many major distributions.

What You Need to Know

• OverlayFS incorrectly preserves capabilities when a file is copied from a nosuid mount to another mount.
• Exploitable on Debian, Ubuntu, Red Hat, Amazon Linux, and others shipping kernels prior to 6.2 (patched in January 2023).
• CISA has ordered U.S. federal civilian agencies to patch by 8 July 2025 under BOD 22-01, signalling confirmed abuse in real attacks.
• Qualys and Datadog labs both report that reliable one-line exploits exist; an attacker with shell access can gain root in seconds.

Recommended Actions

1. Patch immediately – upgrade to a distribution kernel that includes the January 2023 OverlayFS fix (≥ 6.2 or vendor-backported patch).
2. Reboot after updating so the new kernel takes effect.
3. Audit user namespaces – consider disabling unprivileged user namespaces or restricting OverlayFS usage if your workload allows.
4. Monitor logs for unusual use of OverlayFS mounts or sudden privilege changes on user accounts.
5. Apply the patch by 8 July if you operate within U.S. federal networks; other organizations should treat this with equal urgency.

Additional Resources

Red Hat

NetApp Advisory

Veeam has issued version 12.3.2.3617 of Backup & Replication (VBR) to close a critical flaw that lets any authenticated domain user run code on the backup server. Even low-privilege accounts can exploit it, which means a single compromised workstation could give attackers direct control over your backups.

What You Need to Know

• Who is exposed? VBR 12.x installations that are joined to a Windows domain. Stand-alone servers are not vulnerable.
• Attack impact: A domain user can send a simple request and gain full code execution on the Veeam backup server—often the crown-jewel target for ransomware gangs.
• Why it matters: Attackers routinely wipe or encrypt backups first, ensuring victims must pay. This flaw gives them a built-in back door.
• Previous pattern: Veeam fixed a similar RCE (CVE-2025-23120) in March. Older bugs (e.g., CVE-2024-40711) are already being weaponised by Frag, Akira, Fog, and other ransomware crews.

Recommended Actions

1. Upgrade immediately to VBR 12.3.2.3617 on every backup server.
2. Segment your backups – keep VBR servers in a separate AD forest or, at minimum, an isolated VLAN; restrict interactive logins to backup admins only.
3. Harden credentials – enforce MFA on all Veeam service accounts and backup operators; rotate passwords after patching.
4. Monitor for abuse – review Veeam event logs for unusual job edits or unexpected PowerShell commands; investigate any domain user access to backup consoles.
5. Plan an offline copy – maintain immutable or air-gapped backup sets so an attacker who reaches VBR cannot delete every copy.

 

Multiple high-severity vulnerabilities in Dell’s ControlVault3 firmware—dubbed “ReVault”—could allow attackers with physical access to bypass Windows login protections, escalate privileges, and install malware that survives OS reinstalls. The flaws impact over 100 Dell Latitude and Precision laptop models commonly used in enterprise, government, and industrial environments where strong authentication is critical.

Discovered by Cisco Talos, the vulnerabilities affect both the firmware and Windows APIs associated with ControlVault, Dell's hardware-based security module responsible for biometric and smartcard authentication.

What You Need to Know:

• Vulnerabilities: 5 flaws, including out-of-bounds reads/writes, arbitrary memory operations, stack overflow, and unsafe deserialization
  • CVE-2025-24311
  • CVE-2025-25050
  • CVE-2025-25215
  • CVE-2025-24922
  • CVE-2025-24919
• Affected Models: Over 100 Dell Latitude and Precision laptops (see Dell’s advisory for full list)
• Attack Vector: Requires physical access to the device
• Impact:
  • Bypass Windows login
  • Force biometric acceptance (any fingerprint will work)
  • Install persistent firmware-level malware
  • Escalate privileges without credentials
• Persistence: Exploits can survive Windows reinstalls
• Exploit Method: Custom USB connection to the Unified Security Hub (USH) board enables direct communication with vulnerable firmware

Recommended Actions:

• Apply Firmware and Driver Updates
  • Visit Dell’s ReVault Security Advisory and install the latest firmware and ControlVault3 driver updates.
• Disable Unused Security Features
  • If not in use, turn off fingerprint scanners, smart card readers, and NFC modules in the BIOS or OS.
• Enable BIOS Security Protections
  • Turn on Chassis Intrusion Detection to log or alert on physical tampering.
  • Enable Enhanced Sign-In Security (ESS) in Windows to validate CV firmware integrity.
• Restrict Physical Access
  • Consider physical locks, tamper-evident seals, and restricted environments for high-value assets using affected devices.

Additional Resources:

Cisco/Talos Vulnerability Spotlight

A newly disclosed flaw in ASUS Armoury Crate—software pre-installed or commonly added to ASUS gaming laptops, desktops, and motherboards—lets an attacker already on a Windows machine jump from a normal user account to full SYSTEM control. The bug (CVE-2025-3464, CVSS 8.8) lives in the AsIO3.sys kernel driver and affects Armoury Crate versions 5.9.9.0 through 6.1.18.0. ASUS has released an update and urges all users to install it immediately.

What You Need to Know

• Who is at risk? Anyone running Armoury Crate on Windows—this includes most recent ASUS ROG and TUF systems, plus many DIY builds that use Aura Sync for RGB lighting.
• How the attack works: A local attacker (or malware) can trick the driver into thinking an untrusted program is one of ASUS’s own signed services, then use that trust to run code with kernel-level privileges.
• Why it matters: Once an attacker has SYSTEM, they can disable security tools, dump credentials, install rootkits, or run ransomware with complete control of the OS.
• No public exploitation yet, but kernel LPE bugs are a favorite among ransomware groups—patch before that changes.

Recommended Actions

1. Update Armoury Crate now.

   • Open Armoury Crate → Settings → Update Center → Check for Updates → Update to the latest release (6.1.19.0 or newer).

2. Reboot after updating to load the new driver.
3. Remove Armoury Crate on systems that don’t need RGB/fan control—fewer drivers mean less attack surface.
4. Harden local accounts (MFA, least-privilege, software-restrict policies) to make initial footholds harder for attackers.

 

BeyondTrust has patched a Server-Side Template Injection defect that lets an unauthenticated attacker run code on Remote Support (RS) or Privileged Remote Access (PRA) servers. Cloud tenants were fixed on 16 June 2025, but on-prem installations must be updated manually.

What You Need to Know

• Vulnerability – CVE-2025-5309; unescaped input in the chat feature is fed to the template engine.
• Impact – Remote code execution in the server context; for Remote Support, no login is required.
• Affected on-prem builds
  • RS 24.2.2 – 24.2.4 • RS 24.3.1 – 24.3.3
  • PRA 24.2.2 – 24.2.4 • PRA 24.3.1 – 24.3.3 • PRA 25.1.1
• Fixed versions
  • RS patched by installing the HELP-10826-2 patch (or by upgrading to RS 24.3.4 or later).
  • PRA patched by HELP-10826-2 (24.x branch) or HELP-10826-1 (25.1.1) or by upgrading to PRA 25.1.2+.
• No exploitation has been reported, but earlier BeyondTrust zero-days were weaponised against U.S. federal agencies, so the risk is real.

Recommended Actions

1. Apply the patch or upgrade to a fixed build at once.
2. Enable SAML on the Public Portal if you cannot patch today; disable the Representative List and Issue Submission Survey and require session keys.
3. Restrict access to the RS/PRA web interface to trusted IPs/VPN until fully patched.
4. Review logs after updating for any suspicious chat activity or template errors dating back to early June.
5. Rotate API keys used by RS/PRA integrations if you suspect any compromise.

 

GitLab has released versions 18.0.2, 17.11.4, and 17.10.8 to fix several high-severity vulnerabilities, including an HTML-injection bug that can hijack user accounts and a missing-authorization flaw that lets attackers plant malicious CI/CD jobs in future pipelines. GitLab.com is already patched, but all self-managed instances must upgrade immediately.

What You Need to Know

• CVE-2025-4278 – HTML injection leads to account takeover. A remote attacker can inject malicious code into the search page, hijacking the victim’s session.
• CVE-2025-5121 – Missing authorization (GitLab Ultimate EE only). An authenticated user can create malicious CI/CD jobs that will run in any project’s future pipeline. Requires the target instance to be licensed for GitLab Ultimate.
• CVE-2025-2254 – Stored XSS. Lets an attacker execute JavaScript in the context of another user.
• CVE-2025-0673 – Denial of service. Malicious requests trigger infinite redirect loops, exhausting memory and blocking legitimate users.

No exploits are publicly confirmed yet, but GitLab repositories often hold sensitive data and have been targeted in recent breaches.

Recommended Actions

1. Upgrade immediately to 18.0.2, 17.11.4, or 17.10.8 depending on your track.
2. Restart GitLab after upgrading to ensure all services use the patched code.
3. Restrict user input where possible and review recently created CI/CD jobs for suspicious commands, especially on Ultimate-licensed instances.
4. Monitor logs for unusual search-page requests, rogue pipeline triggers, or repeated redirects that could indicate attempted exploitation.

Additional Resources

GitLab Releases

GitLab Update Page

Trend Micro has released patches that close multiple critical vulnerabilities in two flagship management platforms: Endpoint Encryption PolicyServer (TMEE) and Apex Central. Left unpatched, these bugs let unauthenticated attackers run code as SYSTEM or bypass login entirely. Trend Micro says no in-the-wild exploitation is known, but recommends immediate updates.

What You Need to Know

• Endpoint Encryption PolicyServer (TMEE)
  • Four critical issues (CVE-2025-49212, 49213, 49216, 49217) stem from unsafe deserialization or broken authentication. Any one of them lets a remote, unauthenticated attacker gain SYSTEM-level control.

• • Additional high-severity flaws (SQL injection, privilege escalation) are also fixed.

  • All versions up to 6.0.0.4012 are vulnerable; patched in 6.0.0.4013 (Patch 1 Update 6).

• Apex Central 2019 (on-premises)

  • Two critical pre-auth RCE bugs (CVE-2025-49219, CVE-2025-49220) in report-handling routines. Attackers can execute code as NETWORK SERVICE without logging in.

  • Fixed in Patch B7007. Apex Central “as-a-Service” received the fix automatically.

• No work-arounds are provided. Updating is the only way to close the holes.

Recommended Actions

1. Patch immediately.

   • For PolicyServer: download and apply version 6.0.0.4013 (Patch 1 Update 6).
     • For Apex Central 2019: install Patch B7007.

2. Restrict management access until patched—allow only trusted admin subnets or VPN.

3. Review logs for unexplained logins, policy changes, or service restarts dating back to the previous patch level.

4. Rotate privileged credentials after updating, and verify that backups have not been tampered with.

Additional Resources

Trend Micro Published Advisories

Cisco has released emergency patches for three security flaws that already have publicly available proof-of-concept exploit code. The most serious, CVE-2025-20286, affects cloud-hosted Identity Services Engine (ISE) deployments and can grant an unauthenticated attacker full administrative access across multiple environments that share a hard-coded password.

What You Need to Know

• CVE-2025-20286 is critical and impacts ISE nodes deployed in AWS, Azure, and OCI when the Primary Administration Node is in the cloud. The flaw arises from a static credential that is reused across tenants.
• On-prem ISE appliances and hybrids where all admin personas stay on-prem are not vulnerable to this static-credential issue.
• CVE-2025-20130 allows authenticated users to upload arbitrary files to ISE, potentially leading to code execution.
• CVE-2025-20129 lets attackers extract sensitive information from Cisco Customer Collaboration Platform (formerly SocialMiner).
• Cisco confirms public exploit code exists for all three vulnerabilities, raising the risk of real-world attacks.

Recommended Actions

1. Patch immediately. Install Cisco’s hotfixes for ISE and CCP that address CVE-2025-20286, 20130, and 20129.
2. Reset cloud ISE credentials if you must delay. On vulnerable cloud ISE nodes, run application reset-config ise to generate new passwords—but only after understanding this command wipes the configuration. Restore backups only after upgrading, or you will reintroduce the flaw.
3. Restrict access to ISE and CCP web interfaces. Limit login IP ranges or require VPN/MFA until all systems are patched.
4. Rotate all administrator passwords on ISE and CCP once updates are in place.
5. Audit logs for unexplained admin logins, file uploads, or configuration changes dating back to the earliest unpatched date.

Additional Resources

Cisco Software Checker Tool

Cisco Security Advisories Page

Hewlett Packard Enterprise has released StoreOnce Software 4.3.11 to fix eight newly disclosed vulnerabilities, the most serious being CVE-2025-37093—an authentication-bypass bug that scores 9.8 (CVSS v3.1). When combined with the accompanying remote-code-execution (RCE) flaws, an attacker could gain full control of a StoreOnce backup appliance, delete data, or siphon backups without a valid login.

What You Need to Know

• All StoreOnce versions prior to 4.3.11 are vulnerable.
• CVE-2025-37093 stems from a logic error in the machineAccountCheck method; it lets a remote attacker skip the login process entirely.
• Once the bypass succeeds, additional bugs—three RCEs, two directory-traversal issues, and an SSRF flaw—become trivial to exploit.
• Affected deployments include both physical StoreOnce appliances and virtual StoreOnce VSA nodes typically integrated with Veeam, Commvault, Veritas, HPE Data Protector, and similar enterprise backup stacks.
• Zero Day Initiative reported these flaws to HPE in October 2024; fixes are finally available, and no active exploitation has been reported yet.

Recommended Actions

1. Upgrade all StoreOnce installations to version 4.3.11 without delay; HPE offers no mitigations or work-arounds.
2. If immediate patching is impossible, isolate the management interfaces: restrict access to trusted admin subnets or a jump host until you can upgrade.
3. Review backup logs and system events for unexplained deletions, configuration changes, or failed logins dating back to October 2024.
4. After patching, rotate any administrative credentials and re-evaluate firewall rules to ensure StoreOnce management is not exposed to untrusted networks.

Additional Resources

Trend Micro Zero Day Initiative Advisory

Google has shipped an emergency Chrome update to fix CVE-2025-5419, a high-severity zero-day flaw in the browser’s V8 JavaScript engine. Google confirms the bug is already being exploited in the wild, though details are withheld until most users patch. Fixed builds are rolling out now: Chrome 137.0.7151.68/.69 for Windows and macOS, and 137.0.7151.68 for Linux.

What You Need to Know

• The vulnerability is an out-of-bounds read/write in V8, discovered by Google TAG researchers Clément Lecigne and Benoît Sevens.
• Google mitigated the issue in the Stable channel with a server-side configuration change on May 27 and followed up with a full code patch on June 3.
• Exploitation has been observed—attackers can use the bug to execute code in the browser context, potentially chaining with other flaws to escape the sandbox.
• This is Chrome’s third zero-day of 2025; two others were patched in March (CVE-2025-2783) and May.

Recommended Actions

1. Update Chrome immediately.
   • Menu → Help → About Google Chrome → allow download → Relaunch.
   • Verify you’re on 137.0.7151.68 or newer (Linux) or 137.0.7151.69 (Windows/macOS).
2. Restart the browser after updating to ensure the patch is active.
3. Monitor Chromium-based browsers such as Edge, Brave, and Vivaldi; they typically issue their own updates within days.
4. Stay alert for follow-up guidance from Google once more technical details are released.

Additional Resources

Google Stable Channel Update advisory (June 3 2025)

Researchers have uncovered a stealth campaign nicknamed AyySSHush that has already taken control of more than 9,000 ASUS home-office routers. Attackers break in, turn off logging, and quietly add their own SSH backdoor that survives reboots and even routine firmware upgrades. The activity began in March 2025 and abuses an older command-injection flaw, CVE-2023-39780.

What You Need to Know

• Targeted models – confirmed on RT-AC3100, RT-AC3200, RT-AX55, and likely others running factory firmware
• How the backdoor works
  1. Attackers brute-force or bypass the router’s admin login.
  2. They exploit CVE-2023-39780 to run commands that:
     • Enable SSH on TCP 53282.
     • Insert the attacker’s public SSH key into the router’s settings.
  3. Because the change is stored in non-volatile memory, the rogue access persists after firmware updates.
• Indicators of compromise
  • SSH service listening on port 53282.
  • Unknown key in the router’s authorized_keys file.
  • Router logs disabled or Trend Micro AiProtection turned off.
• Attacker IPs to block – 101.99.91.151, 101.99.94.173, 79.141.163.179, 111.90.146.237. 

Recommended Actions

1. Update firmware – ASUS has patched CVE-2023-39780; install the latest release for your router model.
2. Check for a backdoor
   • See if SSH is enabled on 53282 and review the authorized_keys list.
   • If either is unfamiliar, your router is likely compromised.
3. Factory-reset if infected – Perform a full reset, then reconfigure from scratch using a strong admin password. Firmware upgrades alone won’t remove the backdoor.
4. Harden remote access – Disable WAN-side administration, keep AiProtection on, and apply future firmware updates promptly.

Additional Resources

Greynoise

Bleeping Computer

A critical vulnerability (CVE-2025-3935) in ScreenConnect up to 25.2.3 lets attackers with stolen machine keys craft a malicious ViewState, send it to the web service, and execute code on the server. ConnectWise released ScreenConnect 25.2.4 on 24 April 2025 to disable ViewState entirely. Cloud-hosted servers were patched automatically, but on-premises instances require admin action. The flaw is rated CVSS 8.1 / Priority 1-High and was likely used in a nation-state breach disclosed 28 May 2025.

 

What You Need to Know

 

• Affected versions – ScreenConnect 25.2.3 and earlier (on-prem) and archival builds back to 23.9.
• Attack pre-conditions – An attacker must first gain privileged system-level access to steal the server’s machine keys; with those keys, they can inject a rogue ViewState payload and run arbitrary code.
• Exposure path – Cloud instances at screenconnect.com / hostedrmm.com were patched by ConnectWise before the public advisory; on-prem servers remain vulnerable until upgraded.
• Severity – CVSS 8.1 (Remote Code Execution). ConnectWise tags this as Priority 1 (High) because exploits “are either being targeted or have higher risk of being targeted.”
• Related breach – ConnectWise says a state-sponsored actor used a small subset of cloud ScreenConnect instances in an August 2024–May 2025 campaign; exact details remain under investigation.

 

Recommended Actions

 

Deployment	Action	Notes
Cloud-hosted (screenconnect.com, hostedrmm.com)	No customer action—servers already patched	Still audit logs for unusual admin sessions
On-prem (active maintenance)	Upgrade to 25.2.4 immediately	Admin → License → Version Check → download/update
On-prem (out-of-maintenance)	Renew maintenance and install 25.2.4, or apply free security patch for your legacy branch (23.9+ builds dated 22 Apr 2025 or later)	Legacy downloads at https://screenconnect.com/download/archive
All on-prem	After upgrade, hunt for compromise: review audit logs, rotate passwords, force tech re-logins, rebuild any server that shows suspicious activity	Follow ConnectWise IR checklist

 

Additional Resources

 

ConnectWise ScreenConnect 25.2.4 security bulletin & download links

CRN News Coverage

Bleeping Computer Coverage

Google has issued an emergency Chrome update to close a high-severity vulnerability that attackers can use to harvest sensitive information—like OAuth tokens—from other websites you’re logged into. Google says a working exploit is already public, so updating promptly is essential.

What You Need to Know

• Bug name & CVE: CVE-2025-4664, rated High.
• Component affected: Chrome’s Loader.
• How it works: A malicious webpage can manipulate the HTTP Link header on sub-resource requests to weaken Chrome’s referrer policy, leaking full URLs (including query strings) from other sites. Those strings may contain OAuth tokens or other secrets, enabling account takeover on services you’re signed into.
• Patched versions: Chrome 136.0.7103.113 (Windows/macOS/Linux) and 136.0.7103.114 (Windows/macOS).
• Other browsers: Chromium-based browsers (Edge, Brave, Opera, Vivaldi, etc.) will need their own updates—check with each vendor.

Recommended Actions

1. Update Chrome right away
   • Menu → Help → About Google Chrome → it should auto-download the fix; restart to apply.
2. Verify the version
   • After relaunching, revisit About Chrome and confirm you’re on 136.0.7103.113/114 or later.
3. Refresh passwords or tokens if exposed
   • If you suspect a malicious site accessed your account URLs, change affected passwords and revoke active OAuth sessions.
4. Keep auto-updates enabled
   • Let Chrome update itself in the background to receive future fixes quickly.

Additional Resources

Google Chrome Release Notes

Bleeping Computer Coverage

Ivanti has released patches for its on-premises Neurons for ITSM service-desk platform to close a critical bug that lets an outsider sign in as an administrator—no password required. The issue, CVE-2025-22462, affects versions 2023.4, 2024.2, and 2024.3. While Ivanti says it has no evidence of active attacks, a public patch is now available, so organisations should update quickly.

What You Need to Know

• Who is at risk? On-prem Neurons for ITSM servers running 2023.4, 2024.2, or 2024.3. Cloud-hosted instances are not affected.
• Impact: An unauthenticated visitor can gain full admin rights in a low-complexity attack, depending on how you’ve exposed the site.
• Reduced exposure: Customers who already restricted IIS access to a small set of IPs or placed the service behind a DMZ face lower risk—but still need to patch.
• Other fix today: Ivanti also corrected a default-credentials weakness (CVE-2025-22460) in its Cloud Services Appliance. If you run CSA 5.0.5, follow Ivanti’s extra steps or reinstall to be certain the fix applies.

Recommended Actions

1. Apply the May 2025 security patch for your ITSM version (2023.4, 2024.2, or 2024.3). Packages are on the Ivanti download portal.
2. Restrict external access to the ITSM IIS site—allow only trusted IPs or place the service behind a VPN/DMZ if users must connect from outside the corporate network.
3. Review admin accounts & logs after patching for any unexpected sign-ins.
4. Address CSA default credentials
   • If you upgraded to CSA 5.0.5, follow Ivanti’s instructions to ensure the fix for CVE-2025-22460 is active, or perform a clean install.

Additional Resources

Ivanti security advisory

Government of Canada Advisory

Fortinet has pushed emergency patches for a stack-based overflow (CVE-2025-32756) actively exploited against FortiVoice enterprise phone systems. The same bug also affects FortiMail, FortiNDR, FortiRecorder, and FortiCamera. Attackers on the internet can run arbitrary code or commands simply by sending crafted HTTP requests to the device. Fortinet spotted real-world attacks that turn on hidden debugging, wipe crash logs, harvest credentials, and deploy malware.

What You Need to Know

• Impacted products & fixed builds
  • FortiVoice: upgrade to the hotfix listed in Fortinet’s May 13 advisory.
  • FortiMail, FortiNDR, FortiRecorder, FortiCamera: see same advisory for patched firmware.
• Attack indicators
  • fcgi debugging unexpectedly set to “general to-file ENABLED” (check via diag debug application fcgi).
  • Unexplained system-crash log deletions.
  • Connections from known attacker IPs: 198.105.127[.]124, 43.228.217[.]173/82, 156.236.76[.]90, 218.187.69[.]244/59. 
• Risk – Unauthenticated RCE lets intruders implant malware, pivot inside the network, or steal voice-mail and email content.
• Temporary mitigation – Disable HTTP/HTTPS admin access on vulnerable devices until patched.

Recommended Actions

1. Install the patched firmware for every affected Fortinet product as soon as possible.
2. Disable web admin on FortiVoice/FortiMail etc. if you cannot patch today.
3. Hunt for compromise
   • Check for the fcgi debugging flag.
   • Review logs or backups for unexpected cron jobs, new binaries, or network scans.
4. Segment VoIP and security appliances from core networks to limit lateral movement.

Additional Resources

Fortinet PSIRT advisory

BleepingComputer coverage

ASUS’s DriverHub utility—automatically installed on many recent ASUS motherboards—contained two bugs that let any website run commands on your PC with administrator rights. By tricking you into visiting a malicious page, an attacker could download and silently launch malware through DriverHub’s background service. ASUS released a fix on 18 April 2025 and urges all users to update.

What You Need to Know

• Affected software – ASUS DriverHub service (enabled by default on boards that support “DriverHub OS Auto-Install”).
• Vulnerabilities –
  • CVE-2025-3462: Origin-check bypass—DriverHub accepts any request whose Origin header merely contains driverhub.asus.com.
  • CVE-2025-3463: UpdateApp endpoint lets DriverHub fetch and run any .exe from a *.asus.com URL without asking the user.
• Attack chain – A malicious site sends crafted requests to http://127.0.0.1:53000, spoofs the origin, then instructs DriverHub to download an ASUS-signed installer plus a rogue .ini and payload. The signed installer runs as admin and executes the attacker’s payload. 
• Who is at risk? – Desktop PCs and laptops that have ever installed DriverHub. ASUS initially said only motherboards are affected, but systems with the utility present are vulnerable regardless of form factor. 
• No exploitation observed – Researcher “MrBruh” found no certificates mimicking driverhub.asus.com, suggesting the bug wasn’t abused before disclosure. 

Recommended Actions

1. Update DriverHub
   • Open ASUS DriverHub → Update Now or download the latest version from ASUS Support (published 9 May 2025). 
2. Disable DriverHub if unused
   • In BIOS/UEFI, set DriverHub (or “OS Auto-Install”) to Disabled to stop the background service entirely.
3. Restrict browser exposure
   • Use a modern browser with first-party isolation features and consider a script-blocking extension to reduce risk from drive-by sites.
4. Audit for remnants
   • Check %ProgramData%\ASUS\DriverHub\Downloads for unexpected .ini or .exe files and delete them.

Additional Resources

ASUS Product Security Bulletin

Three newly disclosed flaws in SonicWall’s SMA 100‑series VPN appliances let an attacker who already has any user‑level VPN account jump to full root control of the device. Evidence from incident‑response cases shows the bugs have been weaponised since January 2025. SonicWall has released firmware 10.2.1.15‑81sv (and later) to remove the risk. 

What You Need to Know

• Affected models – SMA 200/210, 400/410 hardware and SMA 500v virtual appliances.
• How the attack works –
  1. CVE‑2025‑32819 lets a low‑level VPN user wipe the device’s main database and reset the default admin password.
  2. CVE‑2025‑32820 opens a system folder for writing.
  3. CVE‑2025‑32821 uploads and runs code as root.
• Using the three together gives the intruder total control.
• Exploitation confirmed – Rapid7 and Arctic Wolf have found real‑world break‑ins; CISA added the bugs to its Known Exploited Vulnerabilities list. 
• Fixed firmware – 10.2.1.15‑81sv (or any later build for your branch). Older versions remain vulnerable.

Recommended Actions

1. Patch now
   • Upgrade every SMA 100 appliance to 10.2.1.15‑81sv (or newer).
2. Tighten account security
   • Remove unused VPN accounts; change any default passwords.
   • Turn on multi‑factor authentication for all users.
3. Limit access
   • If possible, restrict the SSL VPN portal to trusted IP ranges only.
4. Check for compromise
   • Review logs for unexplained admin log‑ins or configuration resets dating back to January 2025.
   • Look for new or altered files in system directories.

Additional Resources

• SonicWall PSIRT advisory and firmware downloads

Apply the update and audit your VPN accounts today to close the door on the CVE‑2025‑32819‑‑32821 attack chain.

Cisco has patched a maximum‑severity bug (CVSS 10.0) in IOS XE Wireless LAN Controllers that could let anyone on the internet seize full control of the device. The problem is a hard‑coded authentication token used by the “Out‑of‑Band AP Image Download” feature. If that feature is enabled, an attacker can impersonate an authorized user and push files or run commands as root. Although the feature is off by default, large or automated deployments sometimes enable it for faster access‑point imaging.

What You Need to Know

• Affected products – Catalyst 9800‑CL (cloud), Catalyst 9800 Series hardware, Catalyst 9300/9400/9500 embedded wireless controllers, and the Embedded Wireless Controller on Catalyst APs running IOS XE with Out‑of‑Band AP Image Download switched on.
• Risk – A crafted HTTPS request to the image‑download interface lets the attacker upload files, traverse directories, and execute commands with root privileges, leading to total device takeover.
• Unaffected – Cisco IOS (non‑XE), IOS XR, Meraki gear, NX‑OS, and AireOS‑based controllers.
• No active exploits yet – Cisco PSIRT says it has seen no in‑the‑wild attacks, but scanning is expected to start quickly.

Recommended Action

1. Patch now
   • Use the Cisco Software Checker (or your controller’s update page) to install the fixed IOS XE release for your model.
2. Disable the vulnerable feature (strongly advised if you can’t patch immediately)
   • Turn off Out‑of‑Band AP Image Download in the controller GUI or CLI; access‑points will fall back to the safer CAPWAP method. 
3. Restrict management access
   • Limit HTTPS management to trusted IP ranges and require multi‑factor authentication where possible.
4. Monitor logs
   • Watch for unexpected file uploads or command‑execution events on wireless controllers.

Additional Resources

Cisco advisory for CVE‑2025‑20188

BleepingComputer coverage

Update or disable the feature today to protect your wireless infrastructure from CVE‑2025‑20188.

A newly disclosed bug in the OttoKit (formerly SureTriggers) WordPress plugin lets anyone on the internet turn themselves into a site administrator in seconds. The flaw (CVE‑2025‑27007) is already being weaponised—attackers began creating rogue admin accounts within 90 minutes of public disclosure. OttoKit powers more than 100,000 sites, so patching is urgent.

What You Need to Know

• Affected versions – OttoKit/SureTriggers 1.0.82 and earlier.
• Fixed version – 1.0.83 (released 21 April 2025).
• How the attack works – A logic error in the plugin’s create_wp_connection API endpoint lets an unauthenticated visitor skip authentication if the site owner never set an “application password.” The attacker then fires a second API call that silently creates a new administrator account.
• Active exploitation – Patchstack monitoring shows automated attacks started ~90 minutes after the bug was announced. 

Recommended Actions

1. Update the plugin
   • In WordPress → Plugins, upgrade OttoKit/SureTriggers to v 1.0.83 or newer.
2. Audit user accounts
   • Check Users → All Users for unfamiliar administrators created recently and delete any you didn’t authorise.
3. Review logs
   • Look for hits to /wp-json/sure-triggers/v1/connection/create-wp-connection or /automation/action endpoints and payloads containing "type_event":"create_user_if_not_exists".
4. Set or rotate an application password
   • Generate a strong application password in OttoKit settings; this blocks the bypass vector and adds an extra layer of protection.
5. Apply general hardening
   • Enable a Web Application Firewall and disable user self‑registration unless required.

Additional Resources

Patchstack advisory & exploit timeline

Update OttoKit and audit your admin list today to shut down exploitation of CVE‑2025‑27007.

Researchers have disclosed 23 flaws in Apple’s AirPlay protocol and SDK, collectively dubbed “AirBorne.” An attacker on the same Wi‑Fi network can chain these bugs to take over iPhones, Macs, Apple TVs, Vision Pro headsets, and millions of third‑party speakers, TVs, and CarPlay systems—sometimes with zero clicks from the victim. Apple issued patches on March 31 2025 (iOS/iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, plus updated AirPlay and CarPlay SDKs). 

What You Need to Know

• Attack scope – Works only if the attacker is on the same network (or using peer‑to‑peer AirPlay), but once one device is compromised it can spread “worm‑style” to others. 
  BleepingComputer
• Key CVEs –
  • CVE‑2025‑24252 & CVE‑2025‑24132: enable zero‑click remote code execution.
  • CVE‑2025‑24206: bypasses the “Accept” prompt, turning one‑click attacks into zero‑click.
• Affected products – All modern Apple devices plus any third‑party hardware built with vulnerable AirPlay audio/video SDKs or the CarPlay Communication plug‑in.
• Patches shipped – iOS/iPadOS 18.4, macOS Ventura 13.7.5, Sonoma 14.7.5, Sequoia 15.4, tvOS 18.4, visionOS 2.4, updated AirPlay SDKs and CarPlay plug‑in. 
  Oligo Security
• Risk – A compromised device can be used to steal data, move laterally on corporate Wi‑Fi, or deploy ransomware.

Recommended Actions

1. Update immediately
   • Install the latest OS version on all iPhones, iPads, Macs, Apple TVs, Vision Pro, and any other Apple gear.
   • For third‑party gear (speakers, TVs, car infotainment), check the vendor for firmware that includes the new AirPlay SDK version.
2. Harden AirPlay settings
   • Disable AirPlay Receiver if you don’t use it.
   • Set AirPlay access to “Current User only” or require a PIN.
3. Reduce exposure on corporate networks
   • Segregate guest Wi‑Fi from corporate devices; restrict mDNS/Bonjour if feasible.
   • Use firewall rules to allow AirPlay traffic only between trusted IP ranges.
4. Watch for unusual activity
   • Monitor logs for unexpected AirPlay pairing attempts or sudden traffic between peer devices.

Additional Resources

Oligo Security Research

Bleeping Computer

 

ASUS has disclosed a critical flaw in the AiCloud remote-access feature found on many of its home and small-office routers. A remote attacker can send a single crafted request to the router and run functions without logging in, potentially altering settings, exposing files, or adding the device to botnets. The vulnerability, CVE-2025-2492, carries a CVSS v4 score of 9.2 (Critical). Patches are available for all supported firmware branches.

What You Need to Know

• Affected devices – Multiple ASUS router models running firmware in the 3.0.0.4_382, 386, 388, and 3.0.0.6_102 series with AiCloud enabled. See ASUS’s advisory for the model list.
• Attack scenario – No password needed; a specially crafted web request slips past authentication and triggers privileged functions.
• Exposure – Routers that have AiCloud or remote management open to the internet are at highest risk; threat actors often exploit similar flaws to install malware or build DDoS botnets.
• Fixed firmware – Updates are now published for every affected branch; users should install the latest build for their model. 

Recommended Actions

1. Update Firmware
   • Log in to the router’s admin page or visit ASUS Support to install the latest firmware for your model.
2. Use Strong, Unique Passwords
   • Change the router admin password to at least 10 characters with a mix of letters, numbers, and symbols. 
3. Disable AiCloud or Internet-Facing Services (If You Can’t Patch Immediately)
   • Turn off AiCloud, WAN access, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP until you can upgrade. 
4. Limit Remote Management
   • If remote access is required, restrict it to trusted IP addresses only.
5. Monitor for Unusual Activity
   • Check logs for unexpected log-ins or configuration changes after updating.

Additional Resources

Bleeping Computer

Asus Security Advisory

Apply the firmware update—or disable AiCloud services—today to prevent unauthorized access via CVE-2025-2492.

Cisco has patched a Webex bug that lets attackers hide malicious file downloads inside a meeting-invite link. If a user on an unpatched Webex app clicks the link, the attacker can run code on that person’s computer with their own permissions. The flaw is high severity and affects Webex on all operating systems.

What You Need to Know

• Problem – Webex’s custom URL parser didn’t fully check meeting-invite links, making it possible to slip in a download and run it.
• Who is affected? – Webex desktop and mobile apps in the 44.6 and 44.7 release lines. Versions before 44.5 and after 44.8 are not vulnerable.
• Attack method – The attacker emails or chats a crafted meeting link; the victim clicks, Webex downloads a rogue file, and the attacker’s code runs with the victim’s user rights.
• No work-around – The only protection is to install the fixed version. 

Recommended Actions

1. Update Webex now
   • Upgrade to 44.6.2.30589 (if you are on the 44.6 branch) or move to the latest 44.8 release.
2. Be cautious with links
   • Until everyone is patched, treat unexpected meeting invites like any other unknown link—verify the sender before you click.
3. Review software-update policies
   • Make sure automatic updates are enabled, or schedule regular checks, so future Webex security fixes are applied promptly.

Additional Resources

Cisco security advisory

BleepingComputer

Updating Webex is the quickest way to block attacks that abuse meeting links via CVE-2025-20236.

Researchers have uncovered a flaw in the Erlang/Open Telecom Platform (OTP) SSH server that lets an attacker break in and run code without even logging in first. Because Erlang underpins many telecom, IoT, and high‑availability systems, the risk is broad. The bug has been rated the maximum CVSS 10.0 (Critical), and real‑world attacks would give intruders full control of any device running a vulnerable SSH service.

What You Need to Know

• Who is affected? Any product or service that uses the Erlang/OTP SSH library (common in telecom gear, edge devices, and some Cisco/Ericsson systems).
• What can happen? An attacker on the network can send a single, specially crafted SSH message and immediately run their own code on the server—no password or key required. If the SSH process runs as root, they gain complete device control.
• Vulnerable versions: OTP 25.x, 26.x, 27.x up to—but not including—25.3.2.20, 26.2.5.11, 27.3.3.
• Fix available: Erlang/OTP 27.3.3, 26.2.5.11, 25.3.2.20 (released 17 April 2025).

Recommended Actions

1. Update Erlang/OTP to the fixed release your vendor provides (or 27.3.3 / 26.2.5.11 / 25.3.2.20 if you manage Erlang directly).
2. Restrict SSH access until you can patch—use firewall rules so only trusted IPs can reach the service.
3. Review device inventories for routers, IoT gateways, or applications that bundle Erlang/OTP and check with vendors for patches.
4. Monitor logs on critical systems for unusual SSH connections or processes spawned by the SSH daemon.

Additional Resources

https://nvd.nist.gov/vuln/detail/CVE-2025-32433

https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html

https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

 

Apple has issued emergency patches to stop an “extremely sophisticated” campaign that used two previously unknown flaws to compromise iPhones. The bugs—found in CoreAudio and RPAC—affect iOS, iPadOS, macOS, tvOS, and visionOS. Updates released as iOS 18.4.1, macOS Sequoia 15.4.1, and related versions block the attacks. Although only a small, targeted group was hit, Apple recommends that all users update immediately.

What You Need to Know

• CVE-2025-31200 (CoreAudio) – Playing a booby-trapped audio stream could let attackers run code on the device. Discovered by Apple & Google’s Threat Analysis Group.
• CVE-2025-31201 (RPAC) – Lets attackers who already have read/write access bypass Pointer Authentication (PAC), a key iOS memory-protection feature.
• Affected devices – iPhone XS and newer, modern iPads, Apple TV HD / 4K, Macs running macOS Sequoia, and Apple Vision Pro.
• Active exploitation – Apple says the zero-days were used in a highly targeted attack against specific individuals. No wider campaign is known at this time, but the flaws are now public.
• Patched versions – iOS/iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1.

Recommended Actions

1. Update all Apple devices
   • Go to Settings → General → Software Update (iPhone/iPad), System Settings → General → Software Update (Mac), or the equivalent menu on Apple TV and Vision Pro.
2. Enable automatic security updates so future fixes arrive quickly.
3. Be cautious with unknown media files and links until your devices are patched.
4. Watch for security advisories from Apple or trusted news outlets; additional exploit details often emerge after patches roll out.

Additional Resources

Apple security bulletin

BleepingComputer coverage of the zero-day campaign

Install the updates as soon as possible to protect against the CoreAudio and RPAC zero-day exploits.

A high‑severity flaw in the OttoKit (formerly SureTriggers) WordPress plugin lets unauthenticated attackers create new administrator accounts and seize full control of a site. The bug affects all versions ≤ 1.0.78 and is already being exploited in the wild only hours after public disclosure. A fixed release, v 1.0.79, is available and should be applied immediately.

What You Need to Know

• Who is affected? All sites running OttoKit/SureTriggers version 1.0.78 or earlier.
• What can happen? An outsider can slip past login checks and set up their own admin account, giving them full control of the site. 
  
  
• Why now? Security firms recorded the first break‑in attempts about four hours after the flaw was announced.
• Fix available: Update to version 1.0.79 (released 3 April 2025), which closes the gap. 

Recommended Actions

1. Update the plugin to v 1.0.79 or newer via WordPress → Plugins.

2. Review your user list for unfamiliar administrator accounts and delete any you didn’t create.

3. Add (or rotate) an API key in the OttoKit settings; an empty key is what allows the bypass.

4. Check recent logs for odd activity—new plugins, theme changes, or settings edits you didn’t make.

5. Consider extra protection such as a Web Application Firewall and disabling account self‑registration if you don’t need it.

Additional Resources

• Wordfence technical advisory on CVE‑2025‑3102
• Patchstack incident timeline (first attacks within four hours)

Fortinet has fixed a critical flaw that lets anyone on the network—or on an internet‑facing FortiSwitch—change the administrator password without logging in. The bug affects FortiSwitch firmware 6.4.0 through 7.6.0 and is rated 9.8/10 (Critical). Patches are now available.

What You Need to Know

• Who is at risk? All FortiSwitch models running firmware 6.4.x, 7.0.x, 7.2.x, 7.4.x, or 7.6.0.
• What can happen? A remote attacker can send one crafted web‑request to the switch’s GUI and reset the admin password, taking full control—no login or user interaction required. 
  fortiguard.fortinet
• How widespread? Internet scans show ≈ 860 FortiSwitch units openly reachable online; many more are likely exposed on internal networks.
• Fixed versions: 6.4.15, 7.0.11, 7.2.9, 7.4.5, 7.6.1.

Recommended Actions

1. Patch immediately

• Upgrade FortiSwitch to the firmware version that matches your branch (6.4.15, 7.0.11, 7.2.9, 7.4.5, or 7.6.1).

2. Restrict management access (if you cannot patch right away)

• Disable HTTP/HTTPS Access on the switch’s admin interface.
• Limit management traffic to a trusted IP range or out‑of‑band network. 

3. Audit your devices

• Confirm that admin credentials have not been altered.
• Review logs for unexpected password‑change events or new admin accounts.

4. Monitor for future advisories

• Fortinet appliances are frequent targets; keep firmware up to date and subscribe to Fortinet PSIRT notices.

Additional Resources

Fortinet PSIRT advisory FG‑IR‑24‑435 (official patch notice)

Apply the patch as soon as possible and lock down management interfaces to prevent unauthorized password changes via CVE‑2024‑48887.

A flaw in Gladinet CentreStack—software that lets companies give cloud‑style, remote access to on‑prem Windows file servers—has been exploited since March 2025 to break into storage servers. The bug (CVE‑2025‑30406) lets attackers run their own code on an unpatched server simply by sending it a booby‑trapped CentreStack file request. Patches are now available.

What You Need to Know

• Who is affected? All CentreStack versions up to 16.1.10296.56315 on Windows and macOS.
• Why does it matter? The product is used by thousands of businesses in 49 countries—including MSPs that host file services for many clients—so a single vulnerable server can expose large amounts of data. 
• How the attack works: CentreStack stores a hard‑coded cryptographic key (“machineKey”) in its configuration. Knowing that key lets an attacker craft a malicious file request that the server trusts, leading to remote code execution.
• Active exploitation: Security teams and CISA confirm the bug has been used in the wild as a zero‑day since March.

Recommended Actions

1. Update immediately

• Install one of the patched builds released 3 April 2025:
• 16.4.10315.56368 (latest)
• 16.3.4763.56357 (Windows)
• 15.12.434 (macOS) 

2. If you can’t patch right now

• Rotate the machineKey in both root\web.config and portal\web.config, then restart IIS. Keep the same key on every node in a multi‑server cluster. 

3. Harden and monitor

• Limit CentreStack portal access to trusted networks/IPs.
• Enable logging and watch for unusual file‑access patterns or new administrator accounts.

4. Follow CISA deadlines

• U.S. federal and state agencies must patch or disable vulnerable servers by 29 April 2025.

 Additional Resources

Gladinet security advisory

CISA News Alert entry for CVE‑2025‑30406

Apply the patch—or rotate the key as a stop‑gap—today to block ongoing exploits of CVE‑2025‑30406.

Ivanti has released emergency patches for a critical vulnerability in Ivanti Connect Secure (ICS), previously known as Pulse Connect Secure. The flaw, tracked as CVE-2025-22457, enables remote code execution (RCE) on vulnerable appliances. Security researchers from Mandiant and Google Threat Intelligence Group (GTIG) report the vulnerability has been exploited since at least mid-March 2025 by a China-linked espionage actor known as UNC5221.

• Vulnerability: CVE-2025-22457 (Stack-based buffer overflow)
• Affected Products:
  • Ivanti Connect Secure 22.7R2.5 and earlier (22.7R2.6 fixes this issue)
  • Pulse Connect Secure 9.1R18.9 and earlier (End-of-support since December; migration to Ivanti Connect Secure recommended)
  • Ivanti Policy Secure (22.7R1.3 and earlier) – Patch due April 21
  • Ivanti Neurons for ZTA Gateways (22.8R2 and earlier) – Patch due April 19
• Impact: Remote code execution in high-complexity attacks that do not require authentication or user interaction.

Recommended Actions

1. Update to ICS 22.7R2.6 or Later

• This release resolves CVE-2025-22457.
• For Pulse Connect Secure (9.x), Ivanti recommends migrating to a supported ICS version.

2. Monitor for Indicators of Compromise

• Run the Integrity Checker Tool (ICT) and watch for:
  • Web server crashes
  • Signs of unauthorized modifications or suspicious files
• If you detect compromise, factory reset the appliance and restore using a clean software version.

3. Plan for Upcoming Patches

• ZTA Gateways: Version 22.8R2.2 available on April 19
• Ivanti Policy Secure: Version 22.7R1.4 available on April 21

4. Restrict Access & Harden Edge Devices

• Limit administrative ports to trusted IP ranges only.
• Audit and rotate credentials, especially if suspicious activity is found.

Why It Matters

• Repeated Exploits: Ivanti (formerly Pulse Secure) has faced multiple zero-day attacks in the past two years, indicating persistent threat interest.
• Edge Appliance Vulnerabilities: Once compromised, attackers gain privileged access to internal networks, often bypassing other security controls.
• Nation-State Involvement: The Chinese-linked UNC5221 is sophisticated, frequently targeting unpatched or end-of-support appliances for espionage campaigns.

References & Further Reading

Mandiant Blog Coverage

Ivanti Security Advisory

A remote code execution (RCE) vulnerability has been discovered in Apache Parquet, a popular columnar data storage format widely used for data analytics and “big data” processing. Tracked under CVE-2025-30065, this flaw can allow attackers to execute arbitrary code if they can convince a target to import a malicious Parquet file.

Key Details

1. Affected Versions

• All Apache Parquet releases up to 1.15.0 (inclusive).
• Fixed in 1.15.1, released on April 1, 2025.

2. Attack Vector

• Requires a user or automated system to import a specially crafted Parquet file, leading to deserialization of untrusted data.
• Exploitable in low-complexity, high-impact scenarios where the attacker can control or provide Parquet files.

3. Why It Matters

• Parquet is ubiquitous in modern data engineering and analytics environments, including on platforms like Hadoop, AWS, GCP, Azure, and various ETL tools.
• Large organizations (Netflix, Uber, Airbnb, LinkedIn) heavily rely on Parquet, meaning a successful exploit could disrupt critical analytics pipelines and potentially impact thousands of downstream services.

Possible Impact

• Remote Code Execution: Attackers could run arbitrary code on vulnerable systems.
• Data Exfiltration & Tampering: Access to or modification of sensitive data stored and processed in Parquet files.
• Service Disruption: Potential for planting malware, including ransomware, or causing denial of service.

Recommended Actions

1. Upgrade to Parquet 1.15.1

• Visit Apache’s official website to obtain the patched release.
• Ensure all relevant data pipelines and applications utilize the updated library version.

2. Validate & Restrict Untrusted Inputs

• Avoid processing Parquet files from unknown or untrusted sources.
• Perform rigorous file validation and scanning before ingestion into critical systems.

3. Monitor & Log Processing Systems

• Increase logging and monitoring on systems that handle Parquet data to quickly detect malicious payloads or unusual behavior.
• Maintain updated intrusion detection/prevention systems (IDS/IPS).

4. Coordinate with Vendors & Dev Teams

• Check the software bills of materials (SBOMs) or dependency lists of platforms that rely on Parquet to ensure they are no longer using vulnerable versions.
• Engage in patch management processes that include thorough testing before deployment.

Additional Resources

Apache Parquet Official Site – Obtain the latest version and release notes.

Conclusion

Given Parquet’s widespread use in data analytics and big data operations, this vulnerability demands prompt attention. Upgrading to Apache Parquet 1.15.1 and practicing strict file validation are the best immediate safeguards against potential remote code execution. While there are no known active exploits yet, the risk remains high due to the high-impact nature of the flaw.

Mozilla has released Firefox 136.0.4 to address a critical vulnerability that allows attackers on Windows systems to escape the browser sandbox and potentially execute malicious code. If you use Firefox on Windows—particularly for enterprise or mass deployments—it’s crucial to update immediately.

What You Need to Know

1. Vulnerability Overview

• CVE: CVE-2025-2857
• Severity: Critical (Sandbox escape)
• Affected Versions:
  • Firefox 136.0.3 and earlier
  • Firefox ESR 115.21.0 and earlier
  • Firefox ESR 128.8.0 and earlier
• Patched Releases:
  • Firefox 136.0.4
  • Firefox ESR 115.21.1
  • Firefox ESR 128.8.1

2. Attack Method

• An attacker could craft content or leverage inter-process communication (IPC) to confuse the parent process into leaking Windows handles.
• This flaw is Windows-specific; macOS, Linux, and other operating systems are not affected.

3. Connection to Chrome Zero-Day

• The vulnerability closely resembles CVE-2025-2783 in Google Chrome, which was exploited in the wild to bypass Chrome’s sandbox and target Russian media and government organizations (“Operation ForumTroll”).
• While Mozilla has not confirmed active in-the-wild exploitation of CVE-2025-2857, the similarity to Chrome’s zero-day underscores the urgent need for patching.

Recommended Actions

1. Update Firefox Immediately

• Windows Users should upgrade to Firefox 136.0.4 or the corresponding ESR releases (115.21.1 or 128.8.1).
• Automatic updates are on by default; you can also go to “Help” → “About Firefox” to trigger a manual update check.

2. Monitor for Suspicious Activity

• Especially in enterprise environments, keep an eye on browsing logs and endpoint security alerts for signs of exploitation attempts.

3. Stay Informed

• Follow the Mozilla Security Advisories for detailed information and any future patches or workarounds.

By updating Firefox and remaining watchful for suspicious activity, Windows users can significantly reduce the risk posed by CVE-2025-2857 and other emerging threats.

Broadcom has released security updates to address a high-severity vulnerability in VMware Tools for Windows. If left unpatched, this flaw could allow local attackers with non-administrative privileges to carry out privileged operations on the affected virtual machine (VM).

What You Need to Know

• Vulnerability Overview
  • CVE-2025-22230
  • Severity: High (Improper access control leading to authentication bypass)
  • Impact: Potential privilege escalation on Windows guest VMs within VMware environments
• Attack Prerequisites
  • The attacker must have local, low-level privileges on a Windows guest.
  • No user interaction or complex configuration is required.
• Exploit Outcome
  • Successful exploitation lets malicious actors perform certain high-privilege operations that normally require administrative access.

Affected Products & Versions

• VMware Tools for Windows – Specific versions haven’t been publicly identified in the announcement, so users should apply the latest available patch from the official VMware downloads or through Broadcom’s security advisories.

Why It Matters

• Common Enterprise Deployment: VMware Tools is widely used to enhance the performance and integration of Windows VMs in corporate data centers.
• Escalation Vector: Local privilege escalation can be exploited for further network compromise, data theft, or ransomware attacks if an attacker gains initial foothold on a VM.
• Recent Exploits: Earlier this month, Broadcom patched three critical VMware zero days that state-backed hackers exploited for VM sandbox escapes.

Recommended Actions

1. Apply Patches Immediately
   • Visit the VMware Tools Downloads or Broadcom’s advisories for the latest patches.
   • Keep VMware hypervisors and guest tools updated as a best practice.
2. Restrict VM Access
   • Limit low-privilege user accounts where possible.
   • Use role-based access control (RBAC) to minimize lateral movement opportunities.
3. Monitor for Suspicious Activity
   • Check logs for unusual guest VM processes or access attempts.
   • Deploy endpoint protection or intrusion detection tools within VMs.
4. Stay Informed
   • Follow official VMware security advisories from Broadcom.
   • Track reputable sources like BleepingComputer and threat intelligence feeds for indicators of exploit campaigns.

Additional Information

• Broadcom Security Advisory: Refer to Broadcom’s official website for detailed release notes and mitigation steps.

Given that ransomware gangs and state-sponsored attackers frequently target VMware products for their high-value data and critical infrastructure role, patching CVE-2025-22230 is essential to protect your virtual environments from privilege escalation and potential system takeover.

 

CrushFTP has released a security fix for a critical vulnerability that could allow unauthenticated attackers to gain unauthorized access to servers. If your CrushFTP instance is accessible over HTTP or HTTPS, you should apply the patch immediately.

What Happened

• Vulnerability: CVE-2025-2825 is an authentication bypass flaw that affects CrushFTP v10 and v11, per an official CrushFTP advisory. Attackers can exploit this bug to access an internet-exposed CrushFTP server without valid credentials.
• Official Warning: CrushFTP sent an urgent email on March 21, 2025, urging users to update as soon as possible.

Who’s Affected

• CrushFTP v10 and v11: The company previously indicated that only v11 was affected, but subsequent communications show v10 is also impacted.
• Servers Exposed over HTTP(S): If you’re running older, unpatched versions on a publicly available port, you could be at significant risk.
• DMZ Mitigation: If you have DMZ mode configured, it can help reduce exposure, though updating is still strongly recommended.

Patch & Workarounds

• Update to Fixed Versions
  • CrushFTP v10.8.4+ or CrushFTP v11.3.1+.
  • Download the latest release from CrushFTP’s website.
• Use DMZ Mode (Temporary Workaround)
  • If you can’t patch right away, enable the DMZ feature for your CrushFTP environment. This helps segment potentially malicious traffic until you can apply updates.

Why It Matters

• High Exposure: Search engine Shodan shows 3,400+ CrushFTP instances with a web interface open to the internet, and over 36,000 total results for publicly reachable CrushFTP servers. Many may still be vulnerable.
• History of Exploits:
  • In April 2024, CVE-2024-4040 was exploited to escape the virtual file system (VFS) and download system files in targeted attacks against U.S. entities.
  • In November 2023, CVE-2023-43177 (remote code execution) required urgent patching after proof-of-concept exploits emerged.
• File Transfer Services Under Siege: Ransomware groups—particularly Clop—often target managed file transfer (MFT) products (e.g., MOVEit Transfer, GoAnywhere MFT) to exfiltrate data and disrupt operations.

Recommended Actions

1. Patch Immediately: Upgrade to v10.8.4+ or v11.3.1+.

2. Restrict Public Access: Where possible, limit or disable public HTTP(S) access.

3. Monitor for Unusual Activity: Check logs for failed login attempts or suspicious file transfers.

4. Plan for Incident Response: If you suspect any breach, contact your cybersecurity team or relevant authorities.

Additional Information

CrushFTP Official Site – Download fixes and read official advisories.

BleepingComputer Report – Coverage of CrushFTP’s vulnerability announcements and broader security news.

By updating promptly and employing best practices, organizations can reduce the risk of unauthorized access and protect their sensitive data stored on CrushFTP servers.

A critical vulnerability has been discovered in the WP Ghost WordPress security plugin, used by over 200,000 websites. The flaw (CVSS score: 9.6) allows unauthenticated attackers to include arbitrary files via manipulated URL paths, potentially enabling remote code execution (RCE) and leading to full site takeover in certain configurations.

What You Need to Know

• Affected Versions: All versions of WP Ghost up to v5.4.01.
• Patched Versions: v5.4.02 and v5.4.03 (both contain the necessary security fix).
• Vulnerability Details:
  • Insufficient input validation in the showFile() function can lead to Local File Inclusion (LFI).
  • WP Ghost’s “Change Paths” feature must be in Lite or Ghost mode (not enabled by default) for RCE to occur, though LFI is possible in nearly all setups.
  • Local File Inclusion can still pose serious risks, such as revealing sensitive information, enabling session hijacking, or causing denial-of-service (DoS) attacks.
• Discovery & Disclosure:
  • Researchers at Patchstack identified the bug after Dimas Maulana reported it on February 25, 2025.
  • WP Ghost developers released a patch on March 4, adding additional input validation.

Recommended Actions

1. Upgrade Immediately

• Update WP Ghost to v5.4.02, v5.4.03, or any subsequent release.

2. Confirm Plugin Settings

• Review whether WP Ghost’s “Change Paths” feature is enabled in Lite or Ghost mode; if it’s not essential, disable it to reduce potential exposure.

3. Monitor Your Site

• Check logs for suspicious file access or unexpected activity.
• Use a Web Application Firewall (WAF) or equivalent security solution to monitor and block malicious URL requests.

4. Stay Informed

• Keep track of official notices from Patchstack for any further details.

By ensuring your WP Ghost plugin is updated to the latest version and carefully reviewing site configurations, you can significantly reduce the risk of compromise stemming from CVE-2025-26909.

Veeam has released a patch for a critical remote code execution (RCE) vulnerability—tracked as CVE-2025-23120—in its Backup & Replication software. This flaw affects version 12.3.0.310 and all earlier V12 builds. It has been addressed in version 12.3.1 (build 12.3.1.1139), made available yesterday.

What You Need to Know

• Vulnerability Type: Deserialization flaw in .NET classes, allowing attackers to craft malicious objects that can execute code remotely.
• Affected Systems: Only domain-joined Veeam Backup & Replication servers.
• Risk: Any domain user can potentially exploit the flaw, giving easy access to backups and restoration files—a prime target for ransomware gangs.
• Patch Availability: Fixed in Veeam Backup & Replication 12.3.1 (build 12.3.1.1139).

Technical Details:

Researchers at watchTowr Labs discovered that, while Veeam previously added a blacklist to block certain deserialization gadgets, a new “gadget chain” was found that was not included on that list. If exploited, attackers gain the ability to run arbitrary code on the Veeam server.

Ransomware actors already favor Veeam installations as high-value targets, since compromising backup solutions can disrupt restoration efforts and enable data theft. Although there are no confirmed in-the-wild exploits at this time, public proof-of-concept (PoC) code could appear soon.

Recommended Actions:

• Upgrade Immediately: Install Veeam Backup & Replication 12.3.1 (build 12.3.1.1139) to patch this vulnerability.
• Review Best Practices: Follow Veeam’s longstanding guidance to avoid domain-joining your Veeam server. If it is domain-joined, strongly consider removing it from the domain.
• Monitor for Exploits: Stay vigilant for any new PoC releases or active exploitation reports.
• Harden Your Environment: Implement strong segmentation, restrict access to backup servers, and regularly review domain privileges.

For more details on the vulnerability and patch guidance, refer to:

• https://www.veeam.com/kb4724

Stay safe, and ensure your backup environment remains secure by updating immediately and following Veeam’s official best practices.

Juniper Networks has released emergency updates to fix a vulnerability (CVE-2025-21590) in Junos OS, which attackers have already abused to backdoor routers and gain stealthy access to compromised networks.

What You Need to Know

• Vulnerability: A Junos OS improper isolation or compartmentalization weakness that lets local, high-privilege attackers run arbitrary code on the device.
• Impact: Threat actors can take over vulnerable routers entirely, compromising their integrity and using them for further attacks on the network.
• Real-World Exploitation: Juniper has confirmed at least one case (non-Amazon) where attackers leveraged this security flaw in the wild.

Affected Products

• NFX-Series
• Virtual SRX
• SRX-Series (Branch & HE)
• EX-Series
• QFX-Series
• ACX
• MX-Series

For exact device models and OS versions, see Juniper’s official advisory. The issue has been fixed in Junos releases:

• 21.4R3-S10
• 22.2R3-S6
• 22.4R3-S6
• 23.2R2-S3
• 24.2R1-S2
• 24.2R2
• 24.4R1
• All subsequent releases

How It’s Exploited

According to Mandiant, Chinese nation-state hackers (group UNC3886) have exploited this flaw since 2024 to plant custom backdoors on Juniper routers—particularly on older, end-of-life hardware. This stealthy approach allows them long-term access to targeted networks without raising alarms.

Additional research from Black Lotus Labs and other security teams suggests multiple, ongoing campaigns to covertly compromise Juniper routers acting as VPN gateways, indicating sustained interest from various threat actors.

What You Need to Do

1. Update Immediately

• Install the latest fixed Junos OS release mentioned above. Delaying could leave your network devices open to stealthy, long-term compromise.

2. Restrict High-Privilege Access

• Limit who can obtain shell or administrator privileges on these devices to minimize the risk of local exploitation.

3. Enable Monitoring & Alerts

• Watch router logs and network traffic for unusual behavior (e.g., unknown connections or abnormal CPU usage).
• Use intrusion detection/prevention systems (IDS/IPS) to identify suspicious activity.

4. Follow Official Juniper Guidance

• Review Juniper’s out-of-cycle security bulletin.

Why It Matters

• High-Privilege Threat: Once attackers gain code execution on a router, they can quietly pivot into broader network compromise.
• Nation-State Interest: Multiple Chinese-linked groups have been observed using these flaws to facilitate cyber espionage.
• Long-Term Access: Backdoors and stealthy tooling allow adversaries to stay hidden, gathering sensitive info or attacking internal resources at will.

Protecting core network infrastructure is critical—update your Juniper devices now and monitor access carefully to reduce the risk of state-sponsored or criminal exploitation.

Cisco has fixed a high-risk flaw (CVE-2025-20115) in some of its carrier-grade routers that could allow attackers to knock devices offline with a single rogue message. The vulnerability exists in how these routers handle certain Border Gateway Protocol (BGP) settings, potentially letting criminals force a reboot or denial of service (DoS) without needing any login credentials.

What You Need to Know

• Which Devices? The flaw affects Cisco IOS XR routers, including models like the ASR 9000, NCS 5500, and 8000 series, but only if they are configured to use “BGP confederation.”
• How It Works: A specially crafted BGP update message can cause memory corruption, making the router crash and restart the BGP process.
• Potential Impact: Attackers can disrupt network operations, leading to downtime for internet service providers, large enterprise networks, or any organization relying on these routers.

What You Need to Do

1. Update Your Router Software: Cisco has released patches that fix this vulnerability. If you run an older version of IOS XR, upgrading to the latest recommended software is the safest option.
2. Use the Workaround (If You Can’t Patch Yet): Limit the number of “autonomous systems” in certain BGP settings to fewer than 255. This helps prevent the malicious message from causing a crash.
3. Check Cisco’s Official Guidance: Detailed instructions and version-specific fixes are in Cisco’s security advisory. If you’re unsure how to proceed, contact your IT department or a Cisco support representative.

Why It Matters

• Easily Exploitable: Attackers don’t need a password—just the ability to send a carefully designed network message.
• Serious Consequences: A single successful attack can interrupt internet connectivity or business operations.
• No Current Exploits: Cisco hasn’t seen this flaw used in real-world hacks yet, but they strongly recommend applying updates as soon as possible.

By updating your Cisco routers and reviewing your BGP settings, you can help safeguard against disruptions caused by this vulnerability. If in doubt, reach out to a trusted IT security professional to ensure your network is protected.

Apple has released urgent security patches to address a zero-day flaw (CVE-2025-24201) actively exploited in highly targeted attacks. This vulnerability resides in WebKit, the browser engine behind Safari and many other macOS, iOS, and third-party browsers.

What You Need to Know

1. Zero-Day Vulnerability: CVE-2025-24201 allows attackers to escape the Web Content sandbox using maliciously crafted web content. Apple warns it has been weaponized in an “extremely sophisticated” campaign.

2. Wide Range of Affected Devices:

• iPhone XS and later
• iPad Pro 13-inch, iPad Pro 12.9-inch (3rd gen+), iPad Pro 11-inch (1st gen+), iPad Air (3rd gen+), iPad (7th gen+), iPad mini (5th gen+)
• Macs running macOS Sequoia
• Apple Vision Pro

3. Fixed in Multiple Updates:

• iOS 18.3.2
• iPadOS 18.3.2
• macOS Sequoia 15.3.2
• visionOS 2.3.2
• Safari 18.3.1

4. “Extremely Sophisticated” Attacks

• Apple has not yet disclosed details on how these exploits are carried out.
• The attacks appear to be highly targeted rather than widespread.

Recommended Actions

• Update Immediately
  • Install the latest software versions for iOS, iPadOS, macOS, visionOS, or Safari.
  • Even though the bug seems to be used in targeted attacks, promptly updating shields your device from potential threats.
• Stay Informed
  • Keep an eye on Apple Security Updates for more details or future announcements.
  • Follow reputable security news outlets for information on any emerging proof-of-concept code or active exploit campaigns.
• Review Security Settings
  • Enable automatic updates where possible.
  • Avoid clicking on unfamiliar links or visiting untrusted websites while the vulnerability remains under investigation.

Why It Matters

Zero-day exploits can grant attackers far-reaching access—even on the latest devices. Although primarily seen in high-profile cyber-espionage or targeted operations, timely updates are crucial to ensure your device stays protected from potentially ongoing threats.

For more information on CVE-2025-24201, refer to:

• National Vulnerability Database (NVD)
• Apple’s Official Security Updates Page

Users should install Apple’s newest patches without delay to keep their devices secure.

A recently discovered security issue in Apache Tomcat—one of the most widely used web servers—has become a top concern as attackers are actively exploiting it in the wild. Known as CVE-2025-24813, this flaw could allow criminals to remotely break into servers running certain Tomcat versions.

What You Need to Know

• Active Exploitation: Cybercriminals are taking advantage of this vulnerability by sending specially crafted requests that appear normal but can trick Tomcat into running malicious code.
• Easy to Execute: The attack method doesn’t require a login and uses base64 encoding to sneak past many traditional security tools.
• Serious Consequences: If successful, attackers can take complete control of the server, potentially stealing data, planting malware, or disrupting services.

Who’s Affected

• Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98 are all vulnerable.
• Many organizations use Apache Tomcat to power websites and web apps. If these versions aren’t updated or properly configured, they remain at high risk.

What You Can Do

1. Update Immediately

• Upgrade to Tomcat 11.0.3+, 10.1.35+, or 9.0.99+. This is the surest way to fix the vulnerability.
• Instructions are available on Apache’s official website.

2. Review Your Settings

• Make sure Tomcat’s “default servlet” is not allowing file writes (readonly="false") unless absolutely necessary.
• Disable or restrict “partial PUT” if you don’t need it.
• Check if your apps store user sessions in files; consider switching to a different session storage method or restricting permissions.

3. Monitor for Strange Activity

• Look for unexpected file uploads or base64-encoded content in your server logs.
• Consider employing a security tool or Web Application Firewall (WAF) that can spot suspicious traffic.

4. Report Any Suspicious Incidents

• If you determine malicious activity has occurred, contact your national cybersecurity center or local authorities. In Canada, you can report incidents at [email protected].

5. Why It Matters

Apache Tomcat is a backbone for many websites and online services. A vulnerability that grants complete remote control to attackers has massive implications for data privacy, site reliability, and overall trust in the affected platforms.

Additional Resources:

• Government of Canada Alert
• NIST CVE Record
• Apache Vendor Advisory

By promptly updating Apache Tomcat and following security best practices, you can reduce the chance of cybercriminals exploiting CVE-2025-24813 to hijack your systems.

CISA and watchTowr have warned organizations about a high-severity path traversal vulnerability—CVE-2024-48248—affecting NAKIVO Backup & Replication. This flaw allows unauthenticated attackers to read arbitrary files on vulnerable systems, potentially exposing sensitive data (e.g., configuration files, backups, credentials) and leading to data breaches or further compromises.

What You Need to Know

• Affected Versions: NAKIVO Backup & Replication v10.11.3.86570 and earlier.
• Patched Version: v11.0.0.88174, released in November.
• Exploitation in the Wild: CISA has added this bug to its Known Exploited Vulnerabilities catalog, indicating active targeting.
• Risk Factors: Access to system files can undermine data integrity, compromise disaster recovery efforts, and expose critical organizational data.

Recommended Actions

• Upgrade Immediately
  • Install v11.0.0.88174 or later to mitigate CVE-2024-48248.
• Review Access Logs
  • Investigate any unusual or unauthorized access attempts.
  • Pay close attention to unexpected file access activities.
• Harden Network & Authentication
  • Segment your network to isolate backup systems from untrusted networks.
  • Configure firewall rules to allow only trusted connections.
  • Use strong authentication mechanisms and adhere to security best practices.

Additional Resources

• NAKIVO Security Advisory
• BleepingComputer’s coverage of CVE-2024-48248

On March 4, 2025, Broadcom (VMware) published a critical VMware Security Advisory (VMSA-2025-0004) addressing multiple vulnerabilities in VMware ESX. These flaws could potentially allow threat actors to gain unauthorized access to the hypervisor via a running virtual machine, posing significant risk to virtualized environments.

---

Affected Products

• VMware ESX
• VMware vSphere
• VMware Cloud Foundation
• VMware Telco Cloud Platform

All versions prior to the “fixed” releases specified in VMSA-2025-0004 are affected. If you are uncertain whether your system is vulnerable, assume it is and take immediate action.

---

Vulnerabilities & Severity

• CVE-2025-22224 – CVSS v3.1 Score: 9.3 (Critical)
• CVE-2025-22225 – CVSS v3.1 Score: 8.2 (High)
• CVE-2025-22226 – CVSS v3.1 Score: 7.1 (High)

Source:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

---

Recommended Actions

1. Review VMSA-2025-0004

   • Check the VMware Security Advisory for the official list of affected products and fixed versions.

2. Apply Patches Immediately

   • These vulnerabilities qualify as an emergency change (per ITIL).
   • Update to the patched versions specified in VMSA-2025-0004.

3. Consult InfoSec Teams

   • Work with your organization’s information security staff to determine the urgency of patch deployment.
   • Develop a plan to safely patch and validate that no exploitation has occurred.

4. Verify Update Access

   • If experiencing issues accessing patched versions on the Broadcom Support Portal, check the advisory section titled:
     “I currently have an active entitlement however I cannot see all the fixed versions relating to the VMSA”
   • Ensure your entitlement is active and has visibility of the newly released patches.

---

Importance of Prompt Action

• Attackers frequently target critical flaws in hypervisors due to their potential for complete environment compromise.
• Delay in applying patches can lead to privilege escalation, data exfiltration, or malicious takeover of virtual infrastructure.

For additional details on these vulnerabilities and patch instructions, refer directly to VMSA-2025-0004 on the official VMware/Broadcom site.

Microsoft has patched a high-severity elevation of privilege vulnerability in Power Pages, which attackers exploited as a zero-day to bypass user registration controls and gain unauthorized access. The flaw, tracked as CVE-2025-24989, has been mitigated at the service level, and Microsoft has notified affected customers with instructions for detecting and remediating any potential compromise.

Summary of the Vulnerability

• What’s Affected: Microsoft Power Pages (part of the Microsoft Power Platform)
• Severity: High
• Type: Improper access control leading to elevation of privilege
• Tracking: CVE-2025-24989
• Exploit Status: Exploited in the wild as a zero-day

Microsoft Action:

• The flaw has been fixed at the service level, preventing further exploitation.
• Impacted customers received direct notifications containing guidance to review site logs and remediate compromised accounts.

Recommended Actions

1. Check if You Were Notified

   • If you did not receive a notification from Microsoft, your Power Pages environment was likely not affected.

2. Review Activity Logs

   • Look for unusual user registrations, privilege escalations, or suspicious administrative actions.
   • Investigate any unexpected configuration changes or unauthorized access attempts.

3. Inspect User Lists and Privileges

   • Carefully verify administrators and high-privileged user accounts.
   • Pay close attention to recent privilege changes, security roles, and permissions for anomalies.

4. Remove Rogue Accounts & Reset Credentials

   • Immediately revoke or remove any unauthorized accounts.
   • Reset passwords for compromised or suspicious users.
   • Enable Multi-Factor Authentication (MFA) for enhanced security on all user accounts.

5. Keep Software & Security Controls Up to Date

   • Apply the latest Power Pages and Power Platform updates.
   • Maintain robust logging and monitoring policies for early threat detection.

If you suspect your Power Pages site has been compromised or need assistance reviewing your environment, please contact our support team.

Juniper Networks has released critical security updates for Session Smart Router (SSR) devices after discovering a vulnerability (CVE-2025-21589) that allows attackers to bypass authentication and gain administrative control. This flaw also impacts Session Smart Conductor and WAN Assurance Managed Routers.

Juniper discovered this vulnerability during internal testing and states it has no evidence of active exploitation at this time. However, given how frequently Juniper devices are targeted in the wild, immediate patching is strongly recommended.

Affected Products & Versions

• Session Smart Router (SSR)
• Session Smart Conductor
• WAN Assurance Managed Routers

Fixed Versions

Juniper has released patched software in the following versions (and subsequent releases):

• SSR-5.6.17
• SSR-6.1.12-lts
• SSR-6.2.8-lts
• SSR-6.3.3-r2

If your devices are connected to the Mist Cloud, Juniper may have automatically applied some updates. Even so, administrators should verify that all affected systems have been upgraded to these versions—or newer—to ensure complete remediation.

How to Patch

1. Upgrade to Fixed SSR Versions

   • Download and install one of the fixed versions (SSR-5.6.17, SSR-6.1.12-lts, SSR-6.2.8-lts, SSR-6.3.3-r2, or later) from Juniper’s Support Portal.

2. Conductor-Managed Environments

   • Upgrading only the Conductor nodes applies the fix automatically to all connected routers.
   • Recommendation: Still plan to upgrade routers directly to a fixed version for full assurance.

3. Validate Post-Upgrade

   • Verify the upgrade via router and Conductor status interfaces.
   • Check logs to confirm no unauthorized access attempts remain.

4. Review Security Controls

   • Change default credentials immediately if any remain in use.
   • Limit administrative access to trusted IPs/networks.
   • Monitor logs for abnormal login attempts or changes in configuration.

Why This Matters

• Frequent Target: Juniper gear is often used in critical infrastructures and experiences prompt exploitation when vulnerabilities are disclosed.
• Past Exploit Patterns: Attackers quickly leveraged a similar SSR authentication bypass (CVE-2024-2973) in June last year. Large-scale scanning and attempts to compromise unpatched Juniper devices are common in the wild.

Recommended Next Steps

1. Upgrade Immediately to mitigate CVE-2025-21589.
2. Secure Configurations—disable default credentials, restrict privileged access, and monitor traffic for anomalies.
3. Implement Network Segmentation where possible to limit the blast radius of any intrusion.
4. Review Logs & Alerts frequently to catch suspicious activity early.

For additional help applying patches or securing your Juniper environment, please contact our support team.

Netgear has disclosed two critical security flaws—unauthenticated remote code execution (RCE, PSV-2023-0039) and an authentication bypass (PSV-2021-0117)—affecting multiple WiFi 6 access points and Nighthawk Pro Gaming router models. These low-complexity vulnerabilities can be exploited without user interaction, making it essential to apply the latest firmware updates immediately.

---

Affected Devices & Fixed Firmware Versions

Vulnerable Router Model	Patched Firmware Version
XR1000	1.0.0.74
XR1000v2	1.1.0.22
XR500	2.3.2.134
WAX206	1.0.5.3
WAX220	1.0.5.3
WAX214v2	1.0.2.5

---

Why This Matters

• Unauthenticated RCE: Attackers can gain control of vulnerable routers without valid credentials.
• Authentication Bypass: Allows threat actors to access router management interfaces without logging in, potentially changing critical settings or installing malicious firmware.

---

What You Should Do

1. Identify Your Model

   • Locate your router’s model number on the device label or via your router’s admin interface.

2. Download and Install the Latest Firmware

   • Go to NETGEAR Support and enter your model number.
   • Under Downloads, select the latest Firmware Version for your specific model.
   • Follow the Release Notes carefully to install the update.
   • Important: Failure to complete the recommended steps may leave your device partially vulnerable.

3. Restart & Verify

   • Restart your router post-update and confirm the firmware version matches the patched release above.

4. Implement Best Practices

   • Disable remote management if not needed.
   • Use strong, unique admin credentials.
   • Regularly check for new firmware updates.

---

Further Information & References

• Netgear Security Advisory:
  https://kb.netgear.com/000066557/Security-Advisory-for-Authentication-Bypass-on-Some-Wireless-Access-Points-PSV-2024-0117
• BleepingComputer Report:
  https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-critical-wifi-router-vulnerabilities/

For assistance applying these updates or assessing your network security posture, please contact us directly.

Over 12,000 GFI KerioControl firewall instances remain exposed to a critical remote code execution (RCE) vulnerability tracked as CVE-2024-52875, potentially allowing attackers to steal admin CSRF tokens and carry out further network compromises.

Who Is Affected?

• GFI KerioControl versions prior to 9.4.5 Patch 2 (released January 31, 2025)
• Especially those that have not installed Patch 1 (released December 19, 2024)

Threat Details

• Proof-of-concept (PoC) available: Security researcher Egidio Romano (EgiX) released a PoC in mid-December 2024, demonstrating a “1-click” RCE attack.
• Active Exploitation: Greynoise reported active scans trying to exploit this flaw, while The Shadowserver Foundation detects over 12,000 exposed KerioControl instances (mainly in Iran, the U.S., Italy, Germany, Russia, Kazakhstan, Uzbekistan, France, Brazil, and India).

Required Actions

1. Upgrade Immediately:

   • If you are using KerioControl firewall on any version before 9.4.5 Patch 2, update now to 9.4.5 Patch 2 or newer.
   • This update includes the fixes introduced in Patch 1 (December 19, 2024) and additional security enhancements released on January 31, 2025.

2. Monitor Traffic and Logs:

   • Check system event logs for suspicious activities, unauthorized access attempts, or anomalies in traffic.
   • Implement intrusion detection/prevention measures where possible.

3. Restrict Administrative Access:

   • Limit KerioControl management interfaces (e.g., via VPN or trusted IPs only).
   • Disable or limit any unnecessary external access points.

References & Further Reading

• GFI KerioControl Official Download/Support:
  https://www.gfi.com/products-and-solutions/security-and-compliance/gfi-keriocontrol

For assistance with patching or further guidance on securing your GFI KerioControl firewall, please contact our support team immediately. Keeping your perimeter defenses current and monitored is critical to safeguarding your network from RCE attacks.

There are two critical security vulnerabilities recently identified in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. These vulnerabilities allow remote, unauthenticated attackers to gain access to affected devices and escalate their privileges. This can ultimately lead to remote code execution, unauthorized data access, and complete network compromise. 

Ivanti has admitted and warned that there have been a “limited number of customers” using Ivanti Connect Secure appliances that have been affected by the remote code execution vulnerability, adding more urgency to the necessity of updating affected devices immediately. 

QUICK POINTS: 

• Vulnerability IDs:
  • CVE-2025-0282 (CVSS score: 9.0) – Remote Code Execution
  • CVE-2025-0283 (CVSS score: 7.0) – Privilege Escalation
• Severity: Critical
• Affected Devices: Ivanti Connect Secure, Policy Secure, and Neurons for ZTA 

IMMEDIATE ACTIONS: 

• Patch Immediately: Ivanti has released a patch for Connect Secure (version 22.7R2.5). Patches for Policy Secure and ZTA Gateways are expected by January 21, 2025.
• Run ICT Scans: Perform Integrity Checker Tool (ICT) scans on all affected devices to detect potential compromise.
• Factory Reset if Compromised: If ICT reveals signs of compromise, perform a factory reset before applying patches.
• Monitor for Suspicious Activity: Watch for unusual behavior in DNS queries, LDAP responses, and privilege escalations. 

SonicWall has released critical patches for multiple firewall products to address an authentication bypass vulnerability (CVE-2024-53704) in SSL VPN and SSH management that is actively being exploited. Additional high and medium-severity issues (CVE-2024-40762, CVE-2024-53705, CVE-2024-53706) are also resolved in these updates.

Who is Affected?

• Generation 6 / 6.5 hardware firewalls running SonicOS 6.5.4.15-117n and older
• Generation 7 firewalls running SonicOS 7.0.1-5161 and older
• Generation 6 / 6.5 NSv firewalls on SonicOS 6.5.4.v-21s-RC2457 and older
• TZ80 on SonicOS 8.0.0-8037 and older

Required Actions

• Update SonicOS immediately to the following or newer versions:
  • Gen 6 / 6.5 hardware firewalls: SonicOS 6.5.5.1-6n
  • Gen 6 / 6.5 NSv firewalls: SonicOS 6.5.4.v-21s-RC2457
  • Gen 7 firewalls: SonicOS 7.0.1-5165, 7.1.3-7015
  • TZ80: SonicOS 8.0.0-8037
• Limit SSLVPN and SSH access to trusted sources only, or disable internet-facing access if not required.

Vulnerabilities at a Glance

• CVE-2024-53704 (Authentication Bypass) – Rated high severity (8.2 CVSS v3.0). Could allow attackers to bypass access controls via SSL VPN or SSH management.
• CVE-2024-40762 (Weak PRNG in Authentication Token Generator) – May enable attackers to predict tokens and bypass authentication in certain scenarios.
• CVE-2024-53705 (SSRF) – Allows remote, authenticated attackers to open TCP connections to arbitrary IP addresses/ports via the SSH management interface.
• CVE-2024-53706 (Privilege Escalation on Cloud NSv) – Enables low-privileged attackers to escalate to root and potentially execute code on AWS/Azure cloud editions.
• For more detailed information, please review the official SonicWall Security Bulletin at:
  https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-53704

Immediate Steps to Protect Your Environment

• Check your current SonicOS version and verify if it is one of the recommended patched releases.
• Schedule an update at your earliest convenience (preferably off-hours).
• Implement temporary mitigations by restricting SSLVPN and SSH access to trusted IP ranges if an immediate update is not possible.

If you need assistance in upgrading or securing your SonicWall firewall, please reach out to our support team.

There is a critical security vulnerability discovered in Apache Traffic Control, a content delivery network tool. This vulnerability allows hackers unauthorized access to your database, potentially leading to data manipulation, sensitive data theft, and, ultimately, complete compromise of your network.  

The critical vulnerability stems from a SQL injection vulnerability in Traffic Ops within Apache Traffic Control. This allows users with the role “admin”, “federation”, “operations”, “portal”, or “steering” to send specially crafted PUT requests against the database to execute arbitrary SQL commands.  

This comes off the heels of another critical vulnerability found in Apache Tomcat servers, tracked as CVE-2024-56337, which allows a hacker to perform remote code execution. These vulnerabilities stress the importance of keeping Apache products up to date with the latest updates and patches.  

QUICK POINTS  

• Vulnerability ID: CVE-2024-45387 (CVSS score 9.9)
• Severity: Critical
• Affected Devices: Apache Traffic Control (see Immediate Action section for specific versions) 

IMMEDIATE ACTION  

• Patch Immediately: Apache Software Foundation (ASF) has released a patch to address this vulnerability in Apache Traffic Control
  • Upgrade to version 8.0.2 or later
  • Note: Traffic Control versions 7.0.0 (before 8.0.0) are not affected by this vulnerability
• Temporary Workarounds: For those unable to update immediately, it is advised to restrict access to the Traffic Ops for users with affected roles (admin, federation, operations, portal, steering) 

 There is an escalating cyber threat targeting macOS devices that impacts 100 million users worldwide. The malicious actor in question? Banshee Stealer.  

This credential-stealing malware is wreaking havoc, with capabilities to exfiltrate browser credentials, sensitive files, and even cryptocurrency wallets. Banshee is spread through phishing attacks and fake GitHub repositories, masquerading as legitimate software downloads. Its latest evolution includes hijacked encryption algorithms from macOS's XProtect antivirus, making detection more challenging than ever.  

Adding to the urgency, Microsoft researchers have recently identified a macOS vulnerability (CVE-2024-44243) that allows attackers to bypass System Integrity Protection (SIP). This critical defense typically blocks unauthorized system changes. Left unchecked, attackers can exploit this flaw to install rootkits and infiltrate the OS kernel.  

Key Facts at a Glance:  

• Target: Credentials, sensitive files, and crypto wallets on macOS devices.  
• Affected Population: 100 million macOS users globally.  
• Critical Vulnerability: SIP bypass, resolved in macOS Sequoia 15.2 (December update).  
   

What You Need to Do Now  

• Have Us Analyze Mac Devices: Prioritize removing stored browser credentials and purging unencrypted files of Personally Identifiable Information (PII) to enhance security and reduce vulnerabilities.  
• Educate Your End Users: Enroll your users in Self-Defense Training to ensure you're building a strong foundation of evidence every step of the way.  
• Update Immediately: Ensure all devices are running macOS Sequoia 15.2 or higher.  

There are two critical vulnerabilities found on Windows servers, including Domain Controllers (DCs). These vulnerabilities could allow a remote hacker to crash and/or execute arbitrary code on any unpatched servers without any user interaction, and, therefore, potentially steal sensitive information and take complete control of a network. 

These vulnerabilities stem from an integer overflow in LDAP-related code and are exploitable if the DNS server of the victim DC is connected to the Internet. A hacker could send specially crafted RPC calls to trigger malicious LDAP queries which could crash the server or allow for remote code execution.  

These vulnerabilities are very dangerous since exploitation requires no user interaction and could enable hackers to take complete control over an entire domain. This makes any unpatched Windows server a prime target for ransomware groups and threat actors. On top of that, a proof of concept (PoC) has been released by SafeBreach that illustrates both vulnerabilities.  

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-49112 (CVSS score: 9.8) - Remote Code Execution
  • CVE-2024-49113 (CVSS score: 7.5) - Denial of Service
• Severity: Critical
• Affected Devices: Any Windows Server and Domain Controller running prior to Microsoft’s December 2024 Patch 

IMMEDIATE ACTION 

• Patch Immediately: Apply the Microsoft December 2024 Patch update from Microsoft to any Windows Server in your environment
• Temporary Workarounds: Configure domain controllers to block inbound Remote Procedure Calls (RPC) from untrusted networks
• Monitor for Suspicious Activity: Monitor DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls 

There are two critical vulnerabilities with Veeam’s Service Provider Console. These two exploits allow attackers to take over the VSPC server, giving hackers possible access to your network and possibly your data backups.  

The first flaw, CVE-2024-42448, carries a 9.9 severity score out of 10 and allows attackers to execute code remotely (RCE) on unpatched servers. This flaw combines with CVE-2024-42449, an exploit allowing NTLM hash stealing, which then provides access to servers where the Veeam management agent is authorized.

Veeam has released patches for these vulnerabilities and is advising an immediate update for organizations. While this flaw is not yet being seen actively exploited in the wild, due to Veeam being a recent target of Akira and Fog ransomware attacks, it makes this patching even more crucial and timely.

QUICK POINTS  

• Vulnerability IDs:
  • CVE-2024-42448 (CVSS score 9.9)
  • CVE-2024-42449 (CVSS score 7.1)
• Severity: Critical
• Affected Devices: Please see the “Immediate Action” section for list of specific devices  

IMMEDIATE ACTION  

• Patch Affected Devices: As VSPC versions 8.1.0.21377 and earlier are impacted (including unsupported versions) please update to version 8.1.0.21999 to address these vulnerabilities. 

 There are several critical vulnerabilities affecting QNAP Network Attached Storage (NAS) and router software. These dangerous flaws could allow remote attackers to gain unauthorized access, execute commands and take over your critical systems.  

Two of these critical vulnerabilities affect the NAS systems from QNAP and involve a lack of proper authentication mechanisms. This would allow attackers, who obviously lack proper credentials, to gain unauthorized access and execute system functions. The other vulnerability in the NAS systems is a server-side request forgery (SSRF) vulnerability that allows remote attackers to send crafted requests to the server-side, leading to exposure of sensitive data.  

The third critical vulnerability affects QNAP router system, QuRouter. This vulnerability is a command injection flaw that allows remote attackers to execute commands on the host system.  

QNAP has released patches to address these exploits, as well as a multitude of others in various other products. Due to the critical nature of these vulnerabilities and the major impact they could have, it is advised to apply these updates immediately.

QUICK POINTS  

• Vulnerability IDs
  • CVE-2024-38643 (CVSS score: 9.3) - NAS authentication vulnerability
  • CVE-2024-38645  (CVSS score: 9.4) - NAS server-side request forgery (SSRF) vulnerability
  • CVE-2024-48860 (CVSS score: 9.5) - QuRouter OS command injection
• Severity: Critical
• Affected Products:  QNAP Notes Station 3 and QuRouter 2.4.x products 

IMMEDIATE ACTION 

• Patch Systems Immediately
  • QNAP Notes Station 3 – update to version 3.9.7 and later
  • QuRouter 2.4.x - update to version 2.4.3.106 and later
  • Please note that QNAP has released updates for other products as well that address other vulnerabilities, those should be updated as well  .

Reporting on two actively exploited zero-day vulnerabilities affecting Apple devices. These vulnerabilities pose significant risks and have been confirmed by Apple as being used in targeted campaigns, particularly on Intel-based Macs and devices running macOS, iOS, and other Apple platforms. These exploits allow attackers to take control of devices, steal sensitive data, or even set up dangerous ransomware.

The first vulnerability is an arbitrary code execution flaw in the JavaScriptCore engine. By exploiting this, attackers can execute malicious code through specially crafted web content, compromising device integrity and potentially giving unauthorized access to sensitive systems. The second vulnerability lies in WebKit's cookie management and enables cross-site scripting (XSS) attacks, allowing attackers to steal session tokens or manipulate web applications.

Apple has released patches to address these vulnerabilities, which are available for IOS, iPadOS, macOS, visionOS, and Safari. These updates are critical, and Apple is advising they be applied as soon as possible. 

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-44308: JavaScriptCore flaw enabling remote code execution.
  • CVE-2024-44309: WebKit flaw enabling cross-site scripting (XSS).
• Severity: Critical.
• Affected Products:
  • iOS, iPadOS, macOS, Safari, and visionOS across multiple versions. 

IMMEDIATE ACTION 

• Patch Systems Immediately:
  • Apply Apple’s latest updates for iOS, macOS, Safari, and visionOS. 
• Strengthen Monitoring:
  • Monitor for unusual web activity, unauthorized access attempts, or signs of exploitation. 

There are multiple critical vulnerabilities recently disclosed in Ivanti products including:

• Connect Secure
• Policy Secure
• Endpoint Manager.

The first set of vulnerabilities that you want to address are remote code execution (RCE) flaws. These specific vulnerabilities allow unauthenticated attackers to execute arbitrary code remotely, which could lead to sensitive data theft and even deployment of ransomware.  

Other vulnerabilities that Ivanti has addressed include privilege escalation flaws, DoS conditions, arbitrary folder creation, and path traversal flaws. Due to the volume of vulnerabilities being disclosed, we expect many to be used for attacks in the future, which adds to the urgency of patching your Ivanti software as soon as possible to mitigate your risk of being exposed.  

QUICK POINTS 

• Vulnerability IDs: RCE vulnerabilities
  • CVE-2024-50330 (CVSS score: 9.8)
  • CVE-2024-38655/38656 (CVSS score: 9.1)
  • CVE-2024-39710, CVE-2024-39711, CVE-2024-39712 (CVSS score: 9.1)
  • CVE-2024-11005, CVE-2024-11006, CVE-2024-11007 (CVSS score: 9.1)
• Severity: Critical 
• Affected Products: 
  • Connect Secure, Policy Secure, Avalanche, and Endpoint Manager
  • Please see the “Immediate Action” section for specific updates for each 

IMMEDIATE ACTION

• Patch All Systems: Apply necessary patches and updates to software to mitigate risk of exposure. 
  • Connect Secure
    • Update to version 22.7R2.3 or above
  • Policy Secure
    • Update to version 22.7R1.2 or above
  • Avalanche
    • Update to version 6.4.6 or above
  • Endpoint Manager
    • Update to the release of the 2024 November Security Update and 2022 SU6 November Security Update (instructions for update can be found on Ivanti’s advisory page) 

There is a critical vulnerability in the WordPress plugin “Really Simple Security”. This flaw enables attackers to escalate their privileges to administrator level, allowing them to take over affected websites entirely.

This vulnerability is the result of a flaw within the two-factor authentication function in the “Really Simple Security” plugin in both the free and Pro versions. It is caused by improper handling of user authentication in the REST API actions. This flaw is especially dangerous as it can be exploited even when two-factor authentication is enabled. This then allows a remote attacker to gain access to any account on the site, including administrators.  

Researchers have warned that this vulnerability can be scripted, which allows attackers to automate their attacks on a larger scale. Paired with the widespread use of this plugin across over 4 million WordPress sites, this vulnerability presents a significant risk to websites managed by you or your clients. Immediate updating is necessary to prevent exploitation.

QUICK POINTS: 

• Vulnerability ID: CVE-2024-10924 (CVSS score: 9.8)
• Severity: Critical
• Affected Systems: WordPress plugin “Really Simple Security”, please see “Immediate Action” section to see specific versions and updates 
  
  

IMMEDIATE ACTION:

• Update affected plugins immediately: Check all WordPress sites for the vulnerable plugin and apply the latest patches released.
  • For both free and Pro/Pro Multisite versions – update to version 9.1.2 or above 

Over 60,000 D-Link NAS devices are vulnerable to a critical command injection flaw (CVE-2024-10914) with a severity score of 9.2, affecting models commonly used by small businesses. The vulnerability is located in the cgi_user_add command, where insufficient sanitization of the name parameter allows unauthenticated attackers to inject shell commands via crafted HTTP GET requests.

Impacted Models:

• DNS-320 (v1.00)
• DNS-320LW (v1.01.0914.2012)
• DNS-325 (v1.01, v1.02)
• DNS-340L (v1.08)

Vendor Advisory:

D-Link has confirmed no future fix for these devices and recommends retiring them. If immediate retirement is not feasible, users should at least isolate affected devices from the public internet or impose stricter access controls.

Additional Note:

A similar command injection vulnerability (CVE-2024-3273) was discovered in April, impacting the same models. D-Link has reiterated that these NAS devices are end-of-life and will not receive further security updates.

There are critical vulnerabilities within Hewlett Packard Enterprise’s (HPE) Aruba Networking Access Points. These vulnerabilities could allow remote, unauthenticated attackers to gain high-privilege access to your network and execute malicious code on your systems.

Stemming from an issue within the command line interface (CLI) service within these products, which is typically accessed via the PAPI protocol, the vulnerabilities allow a remote attacker to perform an unauthenticated command injection by sending specially crafted packets to Aruba’s Access Point Management protocol over UDP port 8211.   

Please address these vulnerabilities immediately because exploitation of one access point could allow for lateral movement to other areas of the network.   

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-42509 (CVSS score: 9.8)
  • CVE-2024-47460 (CVSS score: 9.0)
• Severity: Critical
• Affected Devices: Please see the “Immediate Action” section for list of specific devices 

IMMEDIATE ACTION 

• Patch Affected Devices: Update devices to the following software versions or newer to mitigate the risks associated with these vulnerabilities. 
  • AOS-10.7.x.x: Update to version 10.7.0.0 or later
  • AOS-10.4.x.x: Update to version 10.4.1.5 or later
  • Instant AOS-8.12.x.x: Update to version 8.12.0.3 or above
  • Instant AOS-8.10.x.x: Update to version 8.10.0.14 or above
• Implement Temporary Workarounds: Workarounds for these flaws in cases where software updates cannot be immediately installed are listed below.
  • Restrict/block access to UDP 8211 from all untrusted networks
  • Restrict access to the CLI and web-based management interfaces by placing them on a dedicated layer 2 segment or VLAN; also control access with firewall policies at layer 3 or above 

There is a recently discovered, severe vulnerability that is affecting a group of Cisco Ultra-Reliable Backhaul (URWB) access points and clients. This exploit allows attackers to execute commands with admin privileges which could lead to full network compromise, data theft, and even ransomware.  

This vulnerability is due to a lack of input validation in the web-based management interface of the affected devices. Unauthenticated attackers could exploit this vulnerability by performing a command injection that does not require any user interaction. This involves sending malicious HTTP requests to the interface. Such an attack vector puts an entire network and its data at serious risk. 

At this time, Cisco’s Incident Response Team is not aware of any attacks that have successfully exploited this vulnerability. However, we highly recommend taking the immediate action steps that are listed below so you can be proactive in safeguarding you and your clients’ organizations.

QUICK POINTS  

• Vulnerability ID: CVE-2024-20418 (CVSS score: 10.0)
• Severity: Critical
• Affected Devices:
  • Catalyst IW9165D Heavy Duty Access Points
  • Catalyst IW9165E Rugged Access Points and Wireless Clients
  • Catalyst IW9167E Heavy Duty Access Points
  • Note: The above devices are only vulnerable if they have the URWB operating mode enabled (please see “Immediate Action” section for steps to determine the mode running) 

IMMEDIATE ACTION  

• Audit Devices: To determine if the URWB operating mode is enabled, check to see if the “show mpls-config" CLI command is available. If command is not available, URWB operating mode is disabled.
• Patch Affected Devices: Upgrade the affected access points and clients to version 17.15.1 or later  
• Note: No workarounds or secondary mitigations are officially endorsed by Cisco at this time. It is crucial that devices are updated to patch this vulnerability. 

A critical vulnerability was recently identified in Synology NAS devices. This vulnerability was discovered at Pwn2Own Ireland 2024 and allows zero-click exploitation, meaning attackers can gain remote code execution (RCE) as root without any user interaction.  

Attackers can exploit this zero-click flaw to gain complete control over affected devices, manipulate or steal data, and use these devices as launch points to access other parts of the network. This vulnerability has a very high potential of being abused by attackers since there is no need for user interaction for exploitation, stressing the urgency of immediate updates to these devices.

There has yet to be a proof-of-concept (PoC) released for this vulnerability, but due to this being demonstrated at the Pwn2Own event, we expect one to be released soon. Once released, this again adds to the high potential of this being exploited in the wild by attackers.  

QUICK POINTS 

• Vulnerability: CVE-2024-10443 (no CVSS score has been assigned to this vulnerability at the time of this email)
• Severity: Critical
• Affected Systems: Please see “Immediate Action” section for specifics
  
  

IMMEDIATE ACTION 

• Patch Updates: Ensure immediate application of Synology’s patches for affected software. Please note that these updates are not automatically applied:
  • BeePhotos for BeeStation
    • OS 1.1 - upgrade to 1.1.0-10053 or above
    • OS 1.2 - upgrade to 1.0.2-10026 or above
  • DSM 7.2
    • Synology Photos 1.7 - upgrade to 1.7.0-0795 or above
    • Synology Photos 1.6 - upgrade to 1.6.2-0720 or above 

There are two recently uncovered security vulnerabilities found in Google Chrome. Left unchecked, these vulnerabilities could lead to data breaches, account theft, and even system compromise.  

The first vulnerability, tracked as CVE-2024-10487, has been identified as an out-of-bounds write issue in the Dawn implementation within Chrome, which is a cross-platform implementation of the WebGPU standard. This vulnerability can lead to attackers being able to execute arbitrary code on machines. The second vulnerability, tracked as CVE-2024-10488, involves a high critical use-after-free bug which could lead to privilege escalation and remote code execution.  

 Although it is still unclear as to whether the recent Chrome vulnerabilities have been exploited in the wild or not, it is best to update chrome immediately. 

QUICK POINTS  

• Vulnerability IDs:
  • CVE-2024-10487 (CVSS score: 8.8) - Out of Bounds Access
  • CVE-2024-10488 (CVSS score: 8.8) - Use After Free Vulnerability
• Severity: High
• Affected Versions: Google Chrome versions in Windows, macOS, and Linux (see version numbers below) 

IMMEDIATE ACTION  

• Patch Affected Devices: Update Chrome immediately to versions:
  • Windows and macOS: 130.0.6723.91/.92
  • Linux: 130.0.6723.91 

There is a critical zero-day vulnerability recently identified in QNAP NAS devices, specifically within the Hybrid Backup Sync (HBS 3) application. Threat actors can abuse this exploit to gain access to sensitive data and take control of data backups, putting your company in danger of ransomware attacks. 

The vulnerability enables attackers to execute arbitrary commands remotely, potentially leading to unauthorized access and control over sensitive data stored on NAS devices. The exploit leverages a command injection with only a single directive to gain administrative level access.  

This flaw was demonstrated at the Pwn2Own Ireland 2024 event but has not been disclosed publicly. QNAP has issued a patch to their HBS 3 devices to address the flaw. Due to the simplicity of the exploit, as well as the potential danger of the attack, we are advising administrators to update any affected environments immediately.

QUICK POINTS 

• Vulnerability ID: CVE-2024-50388 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: QNAP NAS devices running HBS 3 Hybrid Backup Sync version 25.1.x 

IMMEDIATE ACTION 

• Update HBS 3: QNAP has released a patch (HBS 3 version 25.1.1.673) to address this vulnerability. We recommend updating all affected devices immediately.
• Enhanced Monitoring: Implement monitoring for unusual command executions or unauthorized access attempts on all QNAP NAS devices. 

There is a newly discovered critical vulnerability in Fortinet’s FortiManager, which is currently being exploited in active zero-day attacks. This flaw allows attackers to gain unauthorized access to vulnerable on-prem and cloud-based Fortinet systems, putting your clients' networks at serious risk of compromise. 

This vulnerability, CVE-2024-47575, allows attackers to exploit Fortinet devices remotely via an authentication bypass in the FortiManager FGFM API. Once this API is bypassed, attackers can view firewall config files, steal passwords, and alter device configurations and eventually take full control of the device. They can then gain further access to all other networks also managed by an organization’s FortiManager.  

This vulnerability poses an extremely high risk for organizations using FortiManager to manage their FortiGate deployments. This flaw is extremely easy to exploit and is already being utilized in the wild, allowing for threat actors to traverse to networks “downstream” that are managed by the device. We are recommending teams address this immediately to protect their networks and their clients’ networks.  

QUICK POINTS: 

• Vulnerability ID: CVE-2024-47575 (CVSS score: 9.8) 
• Severity: Critical 
• Affected Devices: Please see “Immediate Action Section” for update versions for all product versions

IMMEDIATE ACTION: 

• Apply the latest patches: Ensure that all FortiManager devices are updated immediately with their latest versions listed below: 
  • FortiManager 6.2 ---> upgrade to 6.2.13 or above
  • FortiManager 6.4 ---> upgrade to 6.4.15 or above
  • FortiManager 7.0 ---> upgrade to 7.0.13 or above
  • FortiManager 7.2 ---> upgrade to 7.2.8 or above
  • FortiManager 7.4 ---> upgrade to 7.4.5 or above 
  • FortiManager 7.6 ---> upgrade to 7.6.1 or above
  • FortiManager Cloud 6.4 ---> migrate to Fixed Release
  • FortiManager Cloud 7.0 ---> upgrade to 7.0.13 or above
  • FortiManager Cloud 7.2 ---> upgrade to 7.2.8 or above
  • FortiManager Cloud 7.4 ---> upgrade to 7.4.5 or above
  • FortiManager Cloud 7.6 ---> not affected
• Use temporary workarounds: If you are unable to install the latest updates, Fortinet has advised using these workarounds in which you can get a guide on how to implement them on their advisory page:
  • Utilize the set fgfm-deny-unknown enable command to prevent devices with unknown serial numbers from registering to the FortiManager
  • When creating the SSL tunnel and authenticating FortiGate devices with FortiManager, create a custom certificate 
  • Create an allowlist of IP addresses for FortiGate devices that are allowed to connect to FortiManager
• Check for Indicators of Compromise (IOC): Even if the FortiManager is NOT connected to the internet, check for these specific IOCs found on Fortinet’s advisory page
  • If IOCs are found on devices, start the Incident Response Plan and Procedures 

There is a recently uncovered set of Palo Alto Networks vulnerabilities affecting PAN-OS Firewall Expedition. The exploits are currently being chained together to allow hackers to hijack networks and steal private data.  

This dangerous attack chain, with the most critical of the vulnerabilities being CVE-2024-9463, allows an attacker to read Expedition database contents via an unauthenticated command injection.  This is leveraged with CVE-2024-9466, gives the threat actor the ability to see usernames, passwords, and even API keys in clear text.

Palo Alto Networks is reporting that proof of concepts exists for this attack making it even more dangerous and likely to be utilized to take control of networks. Palo Alto has released a patch to address this issue, and we are advising organizations to update immediately.

QUICK POINTS 

• Vulnerability IDs:
  • CVE-2024-9463 (CVSS score: 9.9) - Command Injection
  • CVE-2024-9464 (CVSS score: 9.3) - Command Injection
  • CVE-2024-9465 (CVSS score: 9.2) - SQL Injection
  • CVE-2024-9466 (CVSS score: 8.2) - Cleartext Storage
  • CVE-2024-9467 (CVSS score: 7.0) - XSS Vulnerability
• Severity: Critical
• Affected Devices: Palo Alto PAN-OS Firewalls 

IMMEDIATE ACTION 

• Patch affected devices: Upgrade Palo Alto Networks Expedition to version 1.2.96 or later 
• Implement workarounds: Mitigations in case you cannot upgrade right away:
  • Restrict access to expedition to only authorized users
  • Shut down Expedition until upgraded 

There is a newly released and dangerous exploit targeting a vulnerability in Windows servers and systems. This exploit, known as the “WinReg” NTLM relay attack, allows attackers to bypass normal authentication and take full control of a Windows domain and its critical data.

This vulnerability stems from a fallback mechanism in the Windows Registry (WinReg) implementation. Specifically, how Microsoft’s Remote Registry client handles the RPC (Remote Procedure Call) authentication when fallback mechanisms are put into action which makes SMB transport unavailable. When this happens, an attacker could relay the NTLM authentication to Active Directory Certificate Services (ADCS) and obtain a user certificate and from there, gain authentication and takeover the domain.  

Akamai researchers originally reported this issue in April and June of this year, but Microsoft disregarded this as a “documentation issue”.  During a recent security conference, these researchers released a proof-of-concept (PoC) leading to Microsoft releasing a patch as part of October’s patch Tuesday to address the exploit.  Due to this PoC and the ease of attack, we are recommending teams update immediately.

QUICK POINTS: 

• Vulnerability ID: CVE-2024-43532 (CVSS score: 8.8)
• Severity: Critical
• Affected Devices: All Windows server versions 2008 through 2022, also Windows 10 and Windows 11 

IMMEDIATE ACTION: 

• Immediately update all Windows systems: Microsoft has addressed this issue in their October Patch Tuesday update, so ensure all systems are updated with this monthly rollout
• Monitor systems for suspicious activity: It is recommended to use Event Tracing for Windows (ETW) to monitor for RPC calls, including ones related to the WinReg RPC interface 

There have been critical vulnerabilities recently discovered in the Optigo Networks ONS-S8 Switches, and widely deployed in industrial control systems and critical infrastructure.  This dangerous exploit gives attackers a direct path into the network, putting your sensitive data at risk of theft.

These vulnerabilities allow remote attackers to bypass authentication and execute code on the affected devices. Given the low complexity of these exploits, the risks are severe and could result in unauthorized access and complete device control.

While we have not seen these flaws being actively exploited, CISA is recommending configuration changes such as setting up VLAN and allow-listing specific devices for organizations to protect themselves.  Due to the severity of this vulnerability and how easy it is to perform, we recommend administrators take immediate action.

Key Points: 

• CVE-2024-41925 Remote Code Execution (CVSS score: 9.8)
• CVE-2024-45367 Authentication Bypass (CVSS score: 9.1)
• Severity: Critical
• Affected Devices: ONS-S8 Spectra Aggregation Switch with firmware versions 1.3.7 and earlier
• Patch Status: No patches currently available 

Immediate Actions: 

• Isolate ONS-S8 management traffic in a dedicated VLAN
• Implement router firewalls with device allow-listing for OneView
• Use a dedicated NIC for OT management and ensure connections are secured via VPN 

 Critical security vulnerabilities were recently discovered in HPE Aruba Networking’s access points. These flaws allow unauthenticated, remote attackers to gain total control of network devices which could lead to sensitive data loss or even ransomware. 

These vulnerabilities exist in HPE’s Command Line Interface service of its Aruba Access Points. Each vulnerability involves a remote attacker sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port 8211. This gives the attacker unauthenticated access and allows them to execute arbitrary code and take full control of vulnerable devices. 

HPE has provided necessary patches, as well as temporary workarounds for the affected devices that you can reference below. Due to the popularity of HPE products, we expect these vulnerabilities to be leveraged by attackers soon, making these updates a main priority for affected systems. 

QUICK POINTS:

• Vulnerability IDs:
  • CVE-2024-42505 (CVSS score: 9.8)
  • CVE-2024-42506 (CVSS score: 9.8)
  • CVE-2024-42507 (CVSS score: 9.8)
• Severity: Critical 
• Affected Devices: 
  • Instant AOS-8.12.0.1 and below
  • Instant AOS-8.10.0.13 and below
  • AOS-10.6.0.2 and below
  • AOS-10.4.1.3 and below 

IMMEDIATE ACTION: 

• Patch affected devices: Ensure that all HPE Aruba access points are updated with the latest security patches immediately.
  • HPE have made the latest security updates available here: HPE Networking Support Portal
• Implement workarounds: Administrators are also urged to implement these workarounds for more protection.
  • Instant AOS-8.x devices: enable “cluster-security” to block exploitation
  • AOS-10.x devices: block access to port UDP/8211 from all untrusted networks 

There are three zero-day vulnerabilities identified in Ivanti's Connect Secure Appliance (CSA) that are being used in a dangerous attack chain. Hackers are actively abusing these exploits in combination to take over networks and steal data.

Ivanti has advised of multiple CVEs, with the most dangerous being CVE-2024-8963, a path traversal bug with a severity score of 9.1.  Threat actors are combining these CVEs to abuse a path traversal weakness, only to follow this up with the ability to inject commands and then execute remote code.  This attack chain gives the attacker full access to the network with administrator level privileges.

Ivanti has acknowledged these zero-days and is offering updates to their Connect Secure Appliance to resolve this issue. The active abuse of these vulnerabilities emphasizes the importance for organizations to apply these patches immediately as we expect to see this attack chain to be abused for data theft or even ransomware.

QUICK POINTS: 

• Vulnerability IDs:  
  • CVE-2024-9379 (CVSS score: 6.5) - SQL Injection
  • CVE-2024-9380 (CVSS score: 7.2) - Remote Code Execution
  • CVE-2024-9381 (CVSS score: 7.2) - Path Traversal
  • CVE-2024-8963 (CVSS score: 9.1) - Path Traversal
• Severity: Critical
• Affected Product: Ivanti Connect Secure Appliance (CSA) 5.0.1 and earlier 
• Follow this link for Ivanti's security report for CVE-2024-9379/9380/9381
• Follow this link for Ivanti's security report for CVE-2024-8963

IMMEDIATE ACTION: 

• Update devices accordingly: Ensure any devices that run the Connect Secure Appliance software are up to date with the latest version
• Upgrade End-of-Life (EOL) devices: With the main devices being exploited being EOL, CSA 4.6 patch 518, admins are strongly advised to upgrade to the latest version, 5.0.2
• Review and monitor: Review appliances and devices for any indicators of compromise, specifically for any modified or newly added admin users 

There have been dangerous critical security flaws discovered in D-Link WiFi 6 routers. These five vulnerabilities include a hardcoded password flaw that could give hackers direct access to a network, leaving it vulnerable to data loss or even ransomware. 

D-Link has released news of five major exploits that are all considered critical.  Two of the more dangerous of these flaws are the remote code execution flaw, CVE-2024-45694, which allows attackers to execute code to take over the device remotely, and the hardcoded password issue, CVE-2024-45697, which provides unauthorized access by threat actors directly into the device. 

D-Link has provided patches to all impacted equipment and is recommending organizations patch immediately.  Due to the popularity of D-Link devices as well as the ease of execution of these threats, we expect to see this leveraged by hackers soon, making updating imperative.  

QUICK POINTS 

• Vulnerability IDs:  
  • RCE flaws
    • CVE-2024-45694 (CVSS score: 9.8)
    • CVE-2024-45695 (CVSS score: 9.8) 
  • Hardcoded Password issues 
    • CVE-2024-45696 (CVSS score: 8.8)
    • CVE-2024-45697 (CVSS score: 9.8)
    • CVE-2024-45698 (CVSS score: 8.8)
• Severity: Critical 
• Affected Devices: 
  • COVR-X1870 (non-US) firmware versions v1.02 and below
  • DIR-X4860 (worldwide) on v1.04B04_Hot-Fix and older
  • DIR-X5460 (worldwide) running firmware v1.11B01_Hot-Fix or older 

IMMEDIATE ACTION 

• Patch all affected D-Link WiFi 6 routers to the following recommended versions: 
  • v1.03B01 for COVR-X1870
  • v1.04B05 for DIR-X4860
  • DIR-X5460A1_V1.11B04 for DIR-X5460
• Audit and review network for potential exposure to this vulnerability

We are alerting you to two critical vulnerabilities found in SolarWinds' Access Rights Manager (ARM) software, a software used for Active Directory and Azure AD user provisioning. These vulnerabilities, when combined, could form an attack chain that would allow an attacker to go from no network access to gaining total control of a network. 

The first vulnerability used in this attack chain, CVE-2024-28990, is a hard-coded credential bypass issue. If exploited, this gives an attacker unauthorized access to SolarWinds devices. The second vulnerability in the chain, CVE-2024-28991, is a result of user-supplied data not being properly validated. Combined with the first vulnerability, an attacker can remotely execute malicious code, which could lead to data breaches and even ransomware attacks.  

Attack chains are dangerous because they demonstrate how a combination of smaller vulnerabilities can be exploited in sequence, leading to more critical breaches and attacks.  SolarWinds has released a patch to their Access Rights Manager to address issues and has advised users to update immediately. 

QUICK POINTS 

• Vulnerability IDs
  • CVE-2024-28990 (CVSS score: 9.8)
  • CVE-2024-28991 (CVSS score: 8.8)
• Severity: Critical
• Affected Devices: SolarWinds Access Rights Manager (ARM) 2024.3 and all previous versions 

IMMEDIATE ACTION 

• Ensure all instances of SolarWinds Access Rights Manager are updated to the latest version
  • Update to SolarWinds ARM 2024.3.1
• Review system access logs for any signs of suspicious activity 

 There is a critical vulnerability in Veeam Backup & Replication that is being actively used to take over networks and deliver dangerous malware.  Due to the severity of the attack and the importance of data backups, it is even more urgent for teams to update their Veeam Backup & Replication to the newest version immediately.

The exploit in Veeam Backup & Replication is a remote code execution (RCE) that bypasses authentication and gives attackers full access. Once authentication has been bypassed, hackers gain full access to all versions of the existing data backups, setting up ransomware scenarios. Organizations are already reporting incidents involving Akira and Fog ransomware being utilized to steal sensitive data and extort its owners.

While this CVE was first recognized by Veaam in late September, we are now seeing threat actors using the known proof of concept to attack organizations via ransomware at an escalated rate.

QUICK POINTS 

• Vulnerability ID: CVE-2024-40711(CVSS Score: 9.8)
• Severity: Critical
• Affected Versions: Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds 

IMMEDIATE ACTION 

• Patch any Veeam Backup & Replication to version 12.2.0.334
• Check for any suspicious access or abnormal behavior in Veeam environments
• No other workarounds suggested, and immediate updates are necessary 
• See Veeam Security Bulletin for further details.

There is a recent critical vulnerability found in Progress Software’s products. This vulnerability could allow remote, unauthenticated attackers to access your network and your company’s sensitive information.  

This vulnerability affects multiple Progress devices including its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor, both of which are used as load balancing solutions. This issue stems from improper input validation which may allow attackers to access the LoadMaster’s management interface and from there, execute arbitrary system commands on victims’ machines. 

Progress Software has released an add-on patch to address the issue for most affected versions. The only caveat is this add-on patch will not work on free versions of Load Master, so this vulnerability currently remains an issue on those machines. 

QUICK POINTS: 

• Vulnerability ID: CVE-2024-7591 (CVSS score: 10.0)
• Severity: Critical
• Affected Versions: LoadMaster versions 7.2.60.0 and all previous versions; MT Hypervisor versions 7.1.35.11 and all previous versions; branches such as Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) are all impacted 

IMMEDIATE ACTION: 

• Apply the add-on patch available from Progress Software’s support portal
• Checkout Progress’ post on basic security hardening techniques you should implement: LoadMaster Security Measures
• Monitor network activity for signs of exploitation using IDS/IPS systems 

Recent reports indicate threat actors are actively exploiting CVE-2024-20439, a critical vulnerability in the Cisco Smart Licensing Utility (CSLU). This flaw stems from an undocumented static user credential for an administrative account, allowing unauthenticated attackers to log in with admin privileges over the CSLU app’s API on unpatched systems.

What You Need to Know

• Affected Software: Vulnerable versions of the Windows-based Cisco Smart Licensing Utility, which helps admins manage licenses locally (rather than through Cisco’s cloud-based solution).
• Key Vulnerabilities:
  • CVE-2024-20439: Undocumented backdoor admin account that grants remote admin privileges.
  • CVE-2024-20440: Information disclosure bug enabling attackers to read log files containing sensitive data (e.g., API credentials).
• Exploitation Conditions: The CSLU app must be running; it doesn’t typically run in the background by default.
• Active Attacks: SANS Technology Institute researchers observe hackers chaining these two vulnerabilities in ongoing exploitation attempts. In addition, the same threat actor is probing other known security flaws, such as CVE-2024-0305 (affecting certain DVRs).

Recommended Actions

1. Apply Cisco Security Patches

• Install the September patch or later releases for CSLU to address CVE-2024-20439 and CVE-2024-20440.
• Check Cisco’s official advisory for detailed patch instructions.

2. Verify Configuration & Access

• Ensure the CSLU app does not inadvertently run in the background or remain exposed to the Internet.
• Limit API access to trusted networks and deploy robust authentication controls if remote management is necessary.

3. Monitor Logs & System Behavior

• Investigate logs for suspicious or unexpected admin login attempts.
• Watch for anomalies or repeated access failures that could indicate ongoing brute-force or backdoor exploitation attempts.

4. Stay Informed

• Follow updates from the Cisco Product Security Incident Response Team (PSIRT) and consider subscribing to relevant advisories.
• Track SANS Internet Storm Center or similar threat intelligence feeds for real-time reports of active exploit campaigns.

Additional Resources

• Cisco’s Security Advisory for CVE-2024-20439 & CVE-2024-20440

Cisco has historically removed other backdoor accounts from products such as DNA Center, IOS XE, WAAS, and Emergency Responder software—making it imperative to patch promptly and verify your network is adequately secured against known backdoor credentials.

Veeam has released security updates addressing 18 high and critical vulnerabilities in their products, including Veeam Backup & Replication (VBR), Service Provider Console, and Veeam One. Among the most severe is CVE-2024-40711, a critical remote code execution (RCE) flaw affecting VBR, with a CVSS score of 9.8. This vulnerability can be exploited without authentication and allows attackers to take over vulnerable systems.

VBR is essential for managing enterprise backup infrastructures, making it a high-value target for ransomware operators. Past attacks by groups such as the Cuba ransomware gang and FIN7—known for collaborating with ransomware groups like Conti, REvil, and Maze—have leveraged VBR vulnerabilities to steal backups for double extortion and delete or encrypt backup sets, leaving victims without recovery options.

The flaw affects Veeam Backup & Replication version 12.1.2.172 and all earlier versions in the 12.x branch. To mitigate this risk, users should update to VBR version 12.2.0.334 immediately.

We strongly urge all Veeam users to apply these critical patches as soon as possible to protect their backup infrastructure from potential exploitation.

For more information, visit the official Veeam security advisory.

There are two highly critical vulnerabilities found in Cisco’s Smart Licensing Utility software that is utilized in a variety of Cisco products. These vulnerabilities could allow unauthenticated, remote attackers to gain complete access to a network leading to possible theft of sensitive data. 

Cisco has disclosed that these vulnerabilities, CVE-2024-20439 and CVE-2024-20440 allow attackers to exploit a default, undocumented administrative account to gain unauthorized access to the system. This could pose a significant security risk to organizations using Cisco's Smart Licensing Utility, as it provides an attacker with the ability to execute arbitrary commands and elevate privileges.  

There is an increased danger with this threat as the Smart Licensing Utility is included as a feature of a large range of Cisco products including Cisco routers, switches, Next-Gen Firewall (NGFW) solutions, wireless controllers and the Cisco DNA Center.  Cisco has released fixes to address these vulnerabilities and is urging teams to update to the newest version of the software immediately.  

QUICK POINTS 

• Vulnerability IDs: CVE-2024-20439 (CVSS score: 9.8) and CVE-2024-20440 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: Cisco Smart License Utility versions 2.0.0, 2.1.0, and 2.2.0 and any Cisco product that utilizes this software
• Patch Status: All devices have the necessary patches to fix these vulnerabilities. They are listed below.  

IMMEDIATE ACTION 

• Update affected systems to the latest version as per Cisco’s advisory
  • Cisco Smart License Utility version 2.3.0
• Audit and update any Cisco devices/products as Smart Licensing Utility is used with many other Cisco products
• Review any potential exposure to this vulnerability 

There is a recent exploit affecting widely used Zyxel networking devices. This new attack requires no authentication and gives hackers complete access to a network and its data.  

This vulnerability affects various Zyxel business devices including routers and access points, which are commonly used in organizations. By abusing an input validation fault and sending a specially crafted cookie to the device, this exploit allows attackers the ability to run commands without any authentication.    

Zyxel has released security updates to address this exploit as well as a number of other vulnerabilities and are advising organizations to update immediately.  Due to the severity of the exploit and Zyxel’s widespread use, we expect to see this threat leveraged soon, so immediate updates are vital.

QUICK POINTS: 

• Vulnerability ID: CVE-2024-7261 (CVSS score: 9.8)
• Severity: Critical
• Affected Devices: NWA Series, NWA1123-AC PRO, NWA1123ACv3, WAC500, WAC500H, WAC Series, WAX Series, and WBE Series access point (AP) devices are all impacted
• Patch Status: All devices have the necessary patch to fix this vulnerability. They are listed below. 

IMMEDIATE ACTION: 

• Verify the version of firmware running on all Zyxel devices.
• Apply the latest Zyxel patches immediately:
• NWA Series – upgrade to 7.00 (ABYW.2) or later
• NWA1123-AC PRO – upgrade to 6.28 (ABHD.3) or later
• NWA1123ACv3, WAC500, WAC500H – upgrade to 6.70 (ABVT.5) or later
• WAC Series – upgrade to 6.28 (AAXH.3) or later
• WAX Series – upgrade to 7.00 (ACHF.2) or later
• WBE Series – upgrade to 7.00 (ACLE.2) or later 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability in the SolarWinds Web Help Desk product.   

Threat actors are leveraging the critical RCE (remote code execution) vulnerability in SolarWinds Web Help Desk, tracked as CVE-2024-28986.  This flaw involves Java deserialization, allowing attackers to execute commands on the host machine.  The vulnerability has a CVSS score of 9.8, indicating the significance of patching this vulnerability as soon as possible.  

What this means for you:

Attackers can use this vulnerability to execute arbitrary commands on the affected system, potentially gaining full control over it. With control over the system, attackers can access sensitive data leading to data breaches. But it doesn’t stop there.  Attackers with the system compromised can then expand to the network causing service disruptions.  

If you are using SolarWinds Web Help Desk it is absolutely critical that all installations are updated as described below. 

QUICK POINTS  

• Affected Product: SolarWinds Web Help Desk  
• Severity: Critical (CVSS v3 score 9.8)
• Exploitation: Although SolarWinds denies they have been able to confirm the unauthenticated instances of this exploit, they urge all affected users to patch out of an “abundance of caution”
• Patch Availability: Immediately upgrade your SolarWinds Web Help Desk installations to version 12.8.3, apply the provided hotfix – Web Help Desk 12.8.3 Hotfix 1 – and install it. 
   

IMMEDIATE ACTION  

• Patch Application: Apply the hotfix provided by SolarWinds to mitigate this vulnerability.  
• Monitor for IOCs: Continuously monitor for indicators of compromise related to this vulnerability (unauthorized access, unusual sign-on attempts, privilege account irregularities, unexpected software installations or updates).  
• Network Segmentation: Implement network segmentation to limit the potential impact of exploitation.
• Enhanced Monitoring: Monitor network traffic and system logs for unusual activity.