
December Patch Tuesday Brings Critical Microsoft, Notepad++, Fortinet, and Ivanti Security Fixes

 


While December's Patch Tuesday was a lighter release than normal, it still arrived with several vulnerabilities that need attention immediately. In all, Microsoft released patches for 57 CVEs to finish out 2025, including one flaw already under active exploitation and two others that were publicly disclosed before patching. Critical security updates also came from Notepad++, Ivanti, and Fortinet this cycle, making it a particularly important month for system administrators and enterprise security teams alike. 

The most critical of Microsoft's disclosures this month is CVE-2025-62221, a Windows Cloud Files Mini Filter Driver bug rated 7.8 on the CVSS scale. It is a privilege escalation flaw: an attacker who can already run code on the machine can use it to gain full SYSTEM-level access. Researchers say this kind of bug is exploited on a regular basis in real-world intrusions, and "patching ASAP" is critical. Microsoft has not yet said which threat actors are exploiting the flaw; however, experts note that bugs like these "tend to pop up in almost every big compromise and are often used as stepping stones to further breach". 

Two other Microsoft disclosures were CVE-2025-54100 in PowerShell and CVE-2025-64671, which affects GitHub Copilot for JetBrains. Neither is confirmed to be exploited, but both were publicly disclosed ahead of patching. Rated 8.4, the Copilot vulnerability allows remote code execution through cross-prompt injection, provided a user is tricked into opening untrusted files or connecting to a compromised server. Security researchers expect more vulnerabilities of this type to emerge as AI-integrated development tools spread. 

One of the more ominous developments outside Microsoft concerns Notepad++. The popular open-source editor pushed out version 8.8.9 to fix a weakness in how updates were checked for authenticity. Attackers able to intercept the WinGUp update client's network traffic redirected it to rogue servers, which served malicious files in place of legitimate updates. There are reports that threat groups in China were actively testing and exploiting this weakness. In the maintainer's words, "Due to the improper update integrity validation, an adversary was able to manipulate the download"; users should upgrade as soon as possible. 

Fortinet also patched two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, in FortiOS and several related products. The bugs let an attacker bypass FortiCloud SSO authentication with crafted SAML messages, and are only reachable when SSO is enabled. Administrators who cannot upgrade immediately are advised to disable the feature until patched builds are in place. Rounding out the disclosures, Ivanti released a fix for CVE-2025-10573, a severe cross-site scripting vulnerability in its Endpoint Manager. The bug allows an attacker to register fake endpoints and inject malicious JavaScript into the administrator dashboard; when an administrator views the injected content, the attacker can take over that session without credentials. No exploitation has been observed so far, but researchers warn that attackers are likely to reverse engineer the fix soon, so the patch should be deployed quickly.

Critical CVE-2025-66516 Exposes Apache Tika to XXE Attacks Across Core and Parser Modules

 

A newly disclosed vulnerability in Apache Tika has the cybersecurity community seriously concerned: it carries the maximum CVSS severity score of 10.0. Tracked as CVE-2025-66516, the vulnerability enables XML External Entity (XXE) attacks and may let attackers reach internal systems and sensitive data by abusing how Tika processes certain PDF files. 

Apache Tika is an open-source, highly-used framework for extracting text, metadata, and structured content from a wide array of file formats. It is commonly used within enterprise workflows including compliance systems, document ingestion pipelines, Elasticsearch and Apache Solr indexing, search engines, and automated content scanning processes. Because of its broad use, any severe issue within the platform has wide-ranging consequences.  

According to the project's advisory, the vulnerability exists in several modules, including tika-core, tika-parsers, and the PDF parser module, across versions from 1.13 to 3.2.1. The issue allows an attacker to embed malicious XFA (XML Forms Architecture) content inside a PDF file. When Tika processes the file, its XML parser may resolve external entities referenced from that XFA content, which gives the attacker a way to read restricted files or reach internal resources.  

The advisory notes that CVE-2025-66516 covers an issue previously disclosed as CVE-2025-54988, but with a considerably broader scope. Whereas the initial advisory indicated the bug was limited to the PDF parser, subsequent analysis showed that the root cause, and therefore the fix, lay in tika-core, not solely in the parser component. Consequently, any organization that patched only the parser without updating tika-core to version 3.2.2 or newer remains vulnerable. 

Researchers also clarified that the earlier 1.x releases shipped the vulnerable PDF parser inside the tika-parsers module, so the population of affected systems is larger than initial reporting indicated. 

XXE vulnerabilities arise when software processes XML input without required restrictions, permitting an attacker to use external entities (these are references that can point to either remote URLs or local files). Successfully exploited, this can lead to unauthorized access, SSRF, disclosure of confidential files, or even an escalation of this attack chain into broader compromise. 
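As an added illustration (not code from the Tika project or its advisory), the Python script below reproduces the XXE mechanism with the standard library's SAX parser: the same XFA-style XML document is parsed once with external general entities enabled, which is how a parser splices a local file into the extracted text, and once with them disabled, which is the hardened setting. The form document, the file name and the secret value are constructed for the demonstration; the only real API used is xml.sax's feature_external_ges switch. The same class of bug is behind the SysAid XXE flaws discussed further down this page.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects character data, the way a text-extraction pipeline would."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


def extract_text(xml_bytes, resolve_external_entities):
    """Parse XML and return its text content.

    resolve_external_entities=True reproduces the vulnerable behaviour: the
    parser fetches SYSTEM entities from disk (or the network) and splices the
    result into the document text. False (the parser's default) leaves the
    entity unexpanded, which is the fix a hardened pipeline relies on.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text().strip()


def has_doctype(xml_bytes):
    """Pre-parse gate: a document carrying a DOCTYPE can declare entities,
    so reject it before the parser ever sees it."""
    return b"<!DOCTYPE" in xml_bytes[:4096]


def build_xxe_document(target_path):
    """Constructed attacker input: an XFA-style form whose field value is an
    external entity pointing at a local file."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE form [<!ENTITY xxe SYSTEM "' + target_path.encode() + b'">]>\n'
        b'<form><field name="comment">&xxe;</field></form>'
    )


def demo():
    """Return (text seen by the vulnerable parser, text seen by the hardened one)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as f:
        f.write("db_password=constructed-secret-value\n")  # constructed secret
        secret_path = f.name
    try:
        doc = build_xxe_document(secret_path)
        leaked = extract_text(doc, resolve_external_entities=True)
        blocked = extract_text(doc, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser extracted:", repr(leaked))
    print("hardened parser extracted:  ", repr(blocked))
```

The vulnerable run returns the secret line verbatim; the hardened run returns nothing, because the entity reference is simply skipped. Rejecting any document that carries a DOCTYPE, as has_doctype does, is the cheaper defence when the format never legitimately needs one.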

Project maintainers strongly recommend immediate updates for all deployments. As no temporary configuration workaround has been confirmed, one can only install patched versions.

Samsung Zero-Day Exploit “Landfall” Targeted Galaxy Devices Before April Patch

 

A recently disclosed zero-day vulnerability affecting several of Samsung’s flagship smartphones has raised renewed concerns around mobile device security. Researchers from Palo Alto Networks’ Unit 42 revealed that attackers had been exploiting a flaw in Samsung’s image processing library, tracked as CVE-2025-21042, for months before a security fix was released. The vulnerability, which the researchers named “Landfall,” allowed threat actors to compromise devices using weaponized image files without requiring any interaction from the victim. 

The flaw impacted premium Samsung models across the Galaxy S22, S23, and S24 generations as well as the Galaxy Z Fold 4 and Galaxy Z Flip 4. Unit 42 found that attackers could embed malicious data into DNG image files, disguising them with .jpeg extensions to appear legitimate and avoid suspicion. These files could be delivered through everyday communication channels such as WhatsApp, where users are accustomed to receiving shared photos. Because the exploit required no clicks and relied solely on the image being processed, even careful users were at risk. 
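The delivery trick described above, a DNG file renamed to .jpeg, can be caught at a mail or chat gateway by sniffing the file's leading bytes instead of trusting the extension: DNG is a TIFF container, so it begins with a TIFF byte-order mark and magic number rather than the JPEG start-of-image marker. The Python below is an added example, not Unit 42's or Samsung's code; the sample attachments are constructed byte strings and the file names are invented.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"                 # JPEG start-of-image marker
TIFF_LE, TIFF_BE = b"II*\x00", b"MM\x00*"  # TIFF/DNG header, little/big endian


def sniff_image(data):
    """Classify an image by its header bytes: 'jpeg', 'tiff' (which covers DNG),
    'tiff-malformed' for a TIFF header whose first IFD offset is out of range,
    or 'unknown'. The file name is never consulted."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if len(data) >= 8 and data[:4] in (TIFF_LE, TIFF_BE):
        order = "<" if data[:2] == b"II" else ">"
        first_ifd = struct.unpack(order + "I", data[4:8])[0]
        # A valid TIFF points its first IFD past the 8-byte header and inside the file
        if 8 <= first_ifd <= len(data) - 2:
            return "tiff"
        return "tiff-malformed"
    return "unknown"


EXPECTED_BY_EXTENSION = {
    "jpg": "jpeg", "jpeg": "jpeg",
    "tif": "tiff", "tiff": "tiff", "dng": "tiff",
}


def extension_mismatch(filename, data):
    """True when the extension claims one container but the bytes are another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXPECTED_BY_EXTENSION.get(ext)
    actual = sniff_image(data)
    if claimed is None or actual == "unknown":
        return False                      # nothing to compare against
    return not actual.startswith(claimed)


def scan_attachments(attachments):
    """Return the names of attachments whose content disagrees with their extension."""
    return [name for name, data in attachments if extension_mismatch(name, data)]


# Constructed samples: a minimal TIFF/DNG (an IFD with zero entries at offset 8)
# renamed to .jpeg, a genuine JPEG header, and the same DNG with an honest extension.
FAKE_DNG = TIFF_LE + struct.pack("<I", 8) + struct.pack("<H", 0) + b"\x00" * 4
REAL_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01"
SAMPLE_ATTACHMENTS = [
    ("IMG_2231.jpeg", FAKE_DNG),   # DNG disguised as a JPEG
    ("holiday.jpg", REAL_JPEG),
    ("raw_shot.dng", FAKE_DNG),
]

if __name__ == "__main__":
    print(scan_attachments(SAMPLE_ATTACHMENTS))
```

Only the disguised file is reported. The check does not make the image library any safer, so it complements rather than replaces the patch; its value is that it turns an invisible zero-click delivery into a quarantinable event.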

Once installed, spyware leveraging Landfall could obtain access to sensitive data stored on the device, including photos, contacts, and location information. It was also capable of recording audio and collecting call logs, giving attackers broad surveillance capabilities. The targeting appeared focused primarily on users in the Middle East, with infections detected in countries such as Iraq, Iran, Turkey, and Morocco. Samsung was first alerted to the exploit in September 2024 and issued a patch in April, closing the zero-day vulnerability across affected devices.  

The seriousness of the flaw prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to place CVE-2025-21042 in its Known Exploited Vulnerabilities catalog, a list reserved for security issues actively abused in attacks. Federal agencies have been instructed to ensure that any vulnerable Samsung devices under their management are updated no later than December 1st, reflecting the urgency of mitigation efforts.  

For consumers, the incident underscores the importance of maintaining strong cybersecurity habits on mobile devices. Regularly updating the operating system is one of the most effective defenses against emerging exploits, as patches often include protections for newly discovered vulnerabilities. Users are also encouraged to be cautious regarding unsolicited content, including media files sent from unknown contacts, and to avoid clicking links or downloading attachments they cannot verify. 

Security experts additionally recommend using reputable mobile security tools alongside Google Play Protect to strengthen device defenses. Many modern Android antivirus apps offer supplementary safeguards such as phishing alerts, VPN access, and warnings about malicious websites. 

Zero-day attacks remain an unavoidable challenge in the smartphone landscape, as cybercriminals continually look for undiscovered flaws to exploit. But with proactive device updates and careful online behavior, users can significantly reduce their exposure to threats like Landfall and help ensure their personal data remains secure.

New runC Vulnerabilities Expose Docker and Kubernetes Environments to Potential Host Breakouts

 

Three newly uncovered vulnerabilities in the runC container runtime have raised significant concerns for organizations relying on Docker, Kubernetes, and other container-based systems. The flaws, identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were disclosed by SUSE engineer and Open Container Initiative board member Aleksa Sarai. Because runC serves as the core OCI reference implementation responsible for creating container processes, configuring namespaces, managing mounts, and orchestrating cgroups, weaknesses at this level have broad consequences for modern cloud and DevOps infrastructure. 

The issues stem from the way runC handles several low-level operations, which attackers could manipulate to escape the container boundary and obtain root-level write access on the underlying host system. All three vulnerabilities allow adversaries to redirect or tamper with mount operations or trigger writes to sensitive files, ultimately undoing the isolation that containers are designed to enforce. CVE-2025-31133 involves a flaw where runC attempts to “mask” system files by bind-mounting /dev/null. If an attacker replaces /dev/null with a symlink during initialization, runC can end up mounting an attacker-chosen location read-write inside the container, enabling potential writes to the /proc filesystem and allowing escape. 

CVE-2025-52565 presents a related problem involving races and symlink redirection. The bind mount intended for /dev/console can be manipulated so that runC unknowingly mounts an unintended target before full protections are in place. This again opens a window for writes to critical procfs entries, providing an attacker with a pathway out of the container. The third flaw, CVE-2025-52881, highlights how runC may be tricked into performing writes to /proc that get redirected to files controlled by the attacker. This behavior could bypass certain Linux Security Module relabel protections and turn routine runC operations into dangerous arbitrary writes, including to sensitive files such as /proc/sysrq-trigger. 

Two of the vulnerabilities—CVE-2025-31133 and CVE-2025-52881—affect all versions of runC, while CVE-2025-52565 impacts versions from 1.0.0-rc3 onward. Patches have been issued in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later. Security researchers at Sysdig noted that exploiting these flaws requires attackers to start containers with custom mount configurations, a condition that could be met via malicious Dockerfiles or harmful pre-built images. So far, there is no evidence of active exploitation, but the potential severity has prompted urgent guidance. Detection efforts should focus on monitoring suspicious symlink activity, according to Sysdig’s advisory. 

The runC team has also emphasized enabling user namespaces for all containers while avoiding mappings that equate the host's root user with the container's root. With root inside the container mapped to an unprivileged host uid, host files that are writable only by the real root stay out of reach, which limits what a redirected mount or procfs write can actually damage. Security teams are further encouraged to adopt rootless containers where possible to minimize the blast radius of any successful attack. Even though traditional container isolation provides significant security benefits, these findings underscore the importance of layered defenses and continuous monitoring in containerized environments, especially as threat actors increasingly look for weaknesses at the infrastructure level.
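Two checks an operator will want after reading this: whether an installed runc carries the fix, and whether a container's OCI runtime configuration follows the user-namespace guidance above. The Python below is an added example, not runc's or Sysdig's code. The version comparison encodes only the fixed releases named above (1.2.8, 1.3.3, 1.4.0-rc.3 and later, with no fix on older branches); the configuration audit reads the standard OCI config.json fields linux.namespaces and linux.uidMappings, and the sample configurations are constructed.

```python
import re

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def parse_runc_version(text):
    """Extract (major, minor, patch, rc) from e.g. 'runc version 1.4.0-rc.3';
    rc is None for a final release."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no runc version in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    rc = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, rc


def _rank(patch, rc):
    # A final release sorts after every release candidate of the same patch level
    return (patch, 1, 0) if rc is None else (patch, 0, rc)


def runc_is_patched(version_text):
    """True if the version is at or beyond the first fixed release of its branch."""
    major, minor, patch, rc = parse_runc_version(version_text)
    fixed = {(1, 2): (8, None), (1, 3): (3, None), (1, 4): (0, 3)}
    if (major, minor) < (1, 2):
        return False                      # 1.1.x and earlier: no fixed release
    if (major, minor) > (1, 4):
        return True
    fixed_patch, fixed_rc = fixed[(major, minor)]
    return _rank(patch, rc) >= _rank(fixed_patch, fixed_rc)


def audit_oci_config(config):
    """Return a list of findings for an OCI runtime config.json dict."""
    findings = []
    linux = config.get("linux", {})
    ns_types = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "user" not in ns_types:
        findings.append("no user namespace: container root is host root")
        return findings
    mappings = linux.get("uidMappings", [])
    if not mappings:
        findings.append("user namespace without uidMappings")
    for m in mappings:
        lo, size, host = m["containerID"], m["size"], m["hostID"]
        # Container uid u maps to host uid host + (u - lo); flag if uid 0 lands on host 0
        if lo <= 0 < lo + size and host - lo == 0:
            findings.append("uidMappings map container uid 0 onto host uid 0")
    return findings


# Constructed configurations in the shape of an OCI config.json
NO_USERNS = {"linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}]}}
ROOT_MAPPED = {"linux": {"namespaces": [{"type": "user"}, {"type": "mount"}],
                         "uidMappings": [{"containerID": 0, "hostID": 0, "size": 65536}]}}
REMAPPED = {"linux": {"namespaces": [{"type": "user"}, {"type": "mount"}],
                      "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}]}}

if __name__ == "__main__":
    for v in ("runc version 1.2.7", "runc version 1.3.3", "runc version 1.4.0-rc.2"):
        print(v, "->", "patched" if runc_is_patched(v) else "VULNERABLE")
    for name, cfg in (("no-userns", NO_USERNS), ("root-mapped", ROOT_MAPPED), ("remapped", REMAPPED)):
        print(name, audit_oci_config(cfg))
```

Feed runc_is_patched the output of `runc --version` from each node, and audit_oci_config the config.json that the runtime writes into the container's bundle directory; any finding from the latter means a successful exploit of these bugs runs as real root on the host.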

Akira Ransomware Bypasses MFA in Ongoing Attacks on SonicWall SSL VPN Devices

 

The Akira ransomware group continues to evolve its attacks on SonicWall SSL VPN devices, with researchers warning that the threat actors are managing to log into accounts even when one-time password (OTP) multi-factor authentication (MFA) is enabled. Cybersecurity firm Arctic Wolf reported that attackers appear to be exploiting previously stolen OTP seeds or a similar method to bypass MFA, though the exact technique remains unclear. 

Earlier this year, Akira was observed exploiting SonicWall SSL VPN devices to breach corporate networks. Initially, researchers suspected a zero-day vulnerability was involved. However, SonicWall later attributed the incidents to an improper access control flaw identified as CVE-2024-40766, disclosed in September 2024. The flaw had been patched in August 2024, but attackers continued to exploit stolen credentials from compromised devices even after updates were applied. SonicWall advised administrators to reset all VPN credentials and update to the latest SonicOS firmware.  

The latest Arctic Wolf findings reveal a persistent campaign in which multiple OTP challenges were triggered before successful logins, implying that attackers may be generating valid OTP tokens using previously harvested OTP seeds. The company confirmed that these logins were linked to devices affected by CVE-2024-40766, suggesting that stolen credentials remain a key entry point.
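Two things a responder will want to see concretely after this paragraph: why a stolen OTP seed is as good as the authenticator itself, and how to pick the described pattern (several OTP challenges, then a success) out of authentication logs. The Python below is an added example, not Arctic Wolf's or SonicWall's code. The TOTP routine follows RFC 4226/6238 (HMAC-SHA1, 30-second step); the log format, user names and addresses are constructed for the example and are not SonicWall's log schema.

```python
import hashlib
import hmac
import re
import struct
from collections import defaultdict
from datetime import datetime, timezone


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from wall-clock time. Anyone
    holding `secret` computes the same code as the user's authenticator,
    which is why a harvested seed defeats OTP-based MFA outright."""
    return hotp(secret, unix_time // step, digits)


# Constructed authentication log in a made-up key=value format (not SonicWall's schema)
SAMPLE_LOG = """\
2025-10-02T03:11:02Z user=jsmith event=otp_challenge src=198.51.100.23
2025-10-02T03:11:09Z user=jsmith event=otp_challenge src=198.51.100.23
2025-10-02T03:11:15Z user=jsmith event=otp_challenge src=198.51.100.23
2025-10-02T03:11:20Z user=jsmith event=login_success src=198.51.100.23
2025-10-02T08:45:10Z user=amartin event=otp_challenge src=203.0.113.9
2025-10-02T08:45:31Z user=amartin event=login_success src=203.0.113.9
"""

_LINE_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)")


def parse_line(line):
    m = _LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["event"], m["src"]


def find_suspicious_logins(log_text, window_s=300, min_challenges=3):
    """Flag successful logins preceded by min_challenges or more OTP challenges
    for the same user inside window_s seconds: several OTP prompts followed
    by a success is the pattern Arctic Wolf described."""
    challenges = defaultdict(list)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, event, src = rec
        if event == "otp_challenge":
            challenges[user].append(ts)
        elif event == "login_success":
            recent = [t for t in challenges[user] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= min_challenges:
                hits.append((user, src, len(recent), ts.isoformat()))
            challenges[user].clear()
    return hits


if __name__ == "__main__":
    seed = b"12345678901234567890"                      # RFC 6238 test seed
    print("TOTP at T=59:", totp(seed, 59, digits=8))   # RFC vector: 94287082
    print(find_suspicious_logins(SAMPLE_LOG))
```

The totp function is deliberately the same arithmetic the appliance performs: possession of the seed, not the phone, is what the check verifies, so rotating seeds (re-enrolling MFA) is as necessary as resetting passwords after a device was compromised. The detection only yields one hit on the constructed log, the jsmith login preceded by three challenges in 18 seconds; a single challenge before a success, as for amartin, is normal.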

In a related investigation, Google’s Threat Intelligence Group (GTIG) observed a similar campaign in July, where a financially motivated group known as UNC6148 deployed the OVERSTEP rootkit on SonicWall SMA 100 series appliances. GTIG assessed that the attackers were using stolen one-time password seeds from earlier zero-day intrusions, allowing continued access even after organizations patched their systems. 

Once Akira gained access to networks, the attackers moved rapidly, often initiating internal scans within minutes. According to Arctic Wolf, they used Impacket SMB session requests, Remote Desktop Protocol (RDP) logins, and Active Directory enumeration tools like dsquery, SharpShares, and BloodHound to expand their reach. A major focus was on Veeam Backup & Replication servers, where a custom PowerShell script extracted and decrypted stored MSSQL and PostgreSQL credentials. 

To disable endpoint protection, Akira affiliates executed a Bring-Your-Own-Vulnerable-Driver (BYOVD) attack, using Microsoft’s legitimate consent.exe executable to sideload malicious DLLs that deployed vulnerable drivers such as rwdrv.sys and churchill_driver.sys. These drivers were then used to terminate security processes, enabling the ransomware to encrypt systems undetected. 

The report notes that some compromised systems were running SonicOS 7.3.0, the very version recommended by SonicWall to mitigate such attacks. Security experts urge all administrators to reset VPN credentials and review access logs on any devices that previously used vulnerable firmware, as threat actors may still exploit stolen data to infiltrate networks.

Researcher Finds Entra ID Weakness That Could Have Granted Global Admin Access




Two critical weaknesses that recently came to light in Microsoft's Entra ID platform could have given attackers unprecedented control over nearly every Azure cloud customer. The flaws were discovered and reported responsibly, allowing Microsoft to release fixes before attackers were able to exploit them.

Entra ID, previously known as Azure Active Directory, is the identity management system that controls how users log in, what resources they can reach, and who has administrator rights. It is a core service for businesses worldwide, which means any failure in its security could ripple across countless organizations at once.

Dutch security researcher Dirk-jan Mollema, who specializes in cloud identity security, identified the flaws while preparing material for a cybersecurity conference. What he found was alarming: the two vulnerabilities, when combined, created a path for attackers to impersonate users and escalate privileges to the highest level, effectively granting full control of customer environments.

The first weakness involved so-called "Actor Tokens," a type of authentication token issued by an old Microsoft system known as Access Control Service. These tokens carried unusual privileges that, on their own, posed little risk but became dangerous when chained with a second issue. That second vulnerability was buried in Azure Active Directory Graph, a legacy interface used to access Microsoft 365 data. Unlike its modern replacement, Microsoft Graph, the older system did not properly check which tenant (a customer's isolated cloud environment) was sending a request. By combining the two flaws, attackers could trick the system into accepting tokens from outside tenants, opening the door to total compromise.

With administrator-level access, attackers would have been able to add new privileged accounts, alter security settings, and access sensitive information. Experts warned that such attacks could bypass common safeguards like multifactor authentication and leave minimal traces in activity logs, making them particularly dangerous.

Mollema disclosed his findings to Microsoft on July 14. The company began work the same day, deployed a fix globally within days, and later introduced additional protections. A vulnerability identifier (CVE) was issued in September, and Microsoft confirmed that no evidence of exploitation was found during its investigation.

Security researchers have compared the potential fallout to past incidents where authentication weaknesses enabled large-scale breaches. While the flaws in Entra ID never reached that point, the discovery illustrates how overlooked legacy systems can undermine modern security frameworks.

Microsoft has since retired the affected components and emphasized its commitment to phasing out outdated protocols. For organizations using Entra ID, the incident highlights the need to remain alert to vendor advisories, apply updates quickly, and watch for unusual activity in administrative accounts.

The vulnerabilities may now be closed, but they reveal how hidden dependencies in cloud infrastructure can become high-risk targets. As cloud identity systems continue to expand, the security community will likely scrutinize them even more closely for weaknesses of this scale.


Veeam Fixes Critical Remote Code Execution Bug in Backup & Replication Software

 

Veeam has issued new security patches to address multiple vulnerabilities in its Backup & Replication (VBR) software, including a severe remote code execution (RCE) flaw. Identified as CVE-2025-23121, this particular vulnerability was uncovered by researchers from watchTowr and CodeWhite and impacts only installations that are connected to a domain. 

According to Veeam’s advisory released on Tuesday, the vulnerability can be exploited by any authenticated domain user to execute code remotely on the backup server. The flaw requires minimal attack complexity and affects versions of Veeam Backup & Replication 12 and later. The issue has been resolved in version 12.3.2.3617, made available earlier today. 

Although the vulnerability is confined to domain-joined setups, it poses a significant risk due to the ease with which domain users can leverage it. Alarmingly, many organizations have connected their backup servers to Windows domains, going against Veeam’s own security recommendations. These guidelines suggest using a separate Active Directory Forest for backups and enforcing two-factor authentication on administrative accounts to reduce exposure. 

This is not the first time a serious RCE flaw has been found in Veeam’s software. In March 2025, another vulnerability (CVE-2025-23120) was patched that similarly affected domain-joined installations. Earlier, in September 2024, another VBR vulnerability (CVE-2024-40711) was exploited in the wild, eventually being used to deliver the Frag ransomware. That same flaw was later linked to Akira and Fog ransomware attacks starting in October. Cybercriminals have increasingly targeted Veeam Backup & Replication servers as part of their ransomware campaigns. 

These systems often store critical backups, making them ideal targets for attackers looking to maximize damage. Ransomware operators frequently aim to disable these systems before launching full-scale attacks, making recovery more difficult for the victim. Historically, ransomware groups such as Cuba, as well as financially motivated actors like FIN7—known for collaborating with major ransomware operations like REvil, Maze, Conti, and BlackBasta—have been seen exploiting VBR vulnerabilities. 

With over 550,000 organizations relying on Veeam’s solutions globally, including the majority of Fortune 500 companies and most of the Global 2000, the potential impact of such flaws is significant. These repeated discoveries of critical vulnerabilities highlight the urgent need for enterprises to follow recommended configurations and keep their backup software up to date.

CISA Urges Immediate Patching of Critical SysAid Vulnerabilities Amid Active Exploits

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about two high-risk vulnerabilities in SysAid’s IT service management (ITSM) platform that are being actively exploited by attackers. These security flaws, identified as CVE-2025-2775 and CVE-2025-2776, can enable unauthorized actors to hijack administrator accounts without requiring credentials. 

Discovered in December 2024 by researchers at watchTowr Labs, the two vulnerabilities stem from XML External Entity (XXE) injection issues. SysAid addressed these weaknesses in March 2025 through version 24.4.60 of its On-Premises software. However, the urgency escalated when proof-of-concept code demonstrating how to exploit the flaws was published just a month later, highlighting how easily bad actors could access sensitive files on affected systems. 

Although CISA has not provided technical specifics about the ongoing attacks, it added the vulnerabilities to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12. CISA also strongly recommends that organizations in the private sector act swiftly to apply the necessary updates, regardless of the directive’s federal scope. 

“These vulnerabilities are commonly exploited by malicious cyber actors and present serious threats to government systems,” CISA stated in its warning. SysAid’s On-Prem solution is deployed on an organization’s internal infrastructure, allowing IT departments to manage help desk tickets, assets, and other services. According to monitoring from Shadowserver, several dozen SysAid installations remain accessible online, particularly in North America and Europe, potentially increasing exposure to these attacks. 

Although CISA has not linked these specific flaws to ransomware campaigns, the SysAid platform was previously exploited in 2023 by the FIN11 cybercrime group, which used another vulnerability (CVE-2023-47246) to distribute Clop ransomware in zero-day attacks. Responding to the alert, SysAid reaffirmed its commitment to cybersecurity. “We’ve taken swift action to resolve these vulnerabilities through security patches and shared the relevant information with CISA,” a company spokesperson said. “We urge all customers to ensure their systems are fully up to date.” 

SysAid serves a global clientele of over 5,000 organizations and 10 million users across 140 countries. Its user base spans from startups to major enterprises, including recognized brands like Coca-Cola, IKEA, Honda, Xerox, Michelin, and Motorola.

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day

 

Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote access in enterprise environments. 

These appliances, although no longer supported with updates, remain in operation at many organizations, making them attractive to cybercriminals. The hacking group behind these intrusions has been named UNC6148 by Google. Despite being end-of-life, the devices still sit on the edge of sensitive networks, and their continued use has led to increased risk exposure. 

GTIG is urging all organizations that rely on these SMA appliances to examine them for signs of compromise. They recommend that firms collect complete disk images for forensic analysis, as the attackers are believed to be using rootkit-level tools to hide their tracks, potentially tampering with system logs. Assistance from SonicWall may be necessary for acquiring these disk images from physical devices. There is currently limited clarity around the technical specifics of these breaches. 

The attackers are leveraging leaked administrator credentials to gain access, though it remains unknown how those credentials were originally obtained. It’s also unclear what software vulnerabilities are being exploited to establish deeper control. One major obstacle to understanding the attacks is a custom backdoor malware called Overstep, which is capable of selectively deleting system logs to obscure its presence and activity. 

Security researchers believe the attackers might be using a zero-day vulnerability, or possibly exploiting known flaws like CVE-2021-20038 (a memory corruption bug enabling remote code execution), CVE-2024-38475 (a path traversal issue in Apache that exposes sensitive database files), or CVE-2021-20035 and CVE-2021-20039 (authenticated RCE vulnerabilities previously seen in the wild). There’s also mention of CVE-2025-32819, which could allow credential reset attacks through file deletion. 

GTIG, along with Mandiant and SonicWall’s internal response team, has not confirmed exactly how the attackers managed to deploy a reverse shell—something that should not be technically possible under normal device configurations. This shell provides a web-based interface that facilitates the installation of Overstep and potentially gives attackers full control over the compromised appliance. 

The motivations behind these breaches are still unclear. Since Overstep deletes key logs, detecting an infection is particularly difficult. However, Google has shared indicators of compromise to help organizations determine if they have been affected. Security teams are strongly advised to investigate the presence of these indicators and consider retiring unsupported hardware from critical infrastructure as part of a proactive defense strategy.

Trend Micro Patches Critical Remote Code Execution and Authentication Bypass Flaws in Apex Central and PolicyServer

Trend Micro has rolled out essential security updates to address a series of high-impact vulnerabilities discovered in two of its enterprise security solutions: Apex Central and the Endpoint Encryption (TMEE) PolicyServer. These newly disclosed issues, which include critical remote code execution (RCE) and authentication bypass bugs, could allow attackers to compromise systems without needing login credentials. 

Although there have been no confirmed cases of exploitation so far, Trend Micro strongly recommends immediate patching to mitigate any potential threats. The vulnerabilities are especially concerning for organizations operating in sensitive sectors, where data privacy and regulatory compliance are paramount. 

The Endpoint Encryption PolicyServer is a key management solution used to centrally control full disk and media encryption across Windows-based systems. Following the recent update, four critical issues in this product were fixed. Among them is CVE-2025-49212, a remote code execution bug that stems from insecure deserialization in the PolicyValueTableSerializationBinder class. This flaw enables threat actors to run code with SYSTEM-level privileges without any authentication. 

Another serious issue, CVE-2025-49213, was found in the PolicyServerWindowsService class, also involving unsafe deserialization. This vulnerability similarly allows arbitrary code execution without requiring user credentials. An additional bug, CVE-2025-49216, enables attackers to bypass authentication entirely due to faulty logic in the DbAppDomain service. Lastly, CVE-2025-49217 presents another RCE risk, though slightly more complex to exploit, allowing code execution via the ValidateToken method. 
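The root cause shared by these PolicyServer bugs, trusting a serialized object supplied by an unauthenticated client, is language-independent. The Python below is an added example (not Trend Micro's code, which is .NET) that shows the pattern with pickle: a constructed attacker object whose deserialization invokes an arbitrary callable, the naive loader that executes it, and a restricted unpickler that resolves only a single allow-listed type, which is the shape of fix a serialization binder is supposed to provide. The class and value names are invented.

```python
import io
import pickle

EXECUTED = []   # records what the attacker's payload managed to run


def record(tag):
    """Stand-in for os.system or subprocess: a real payload would run a command."""
    EXECUTED.append(tag)
    return tag


class MaliciousPolicy:
    """Constructed attacker object: pickle stores __reduce__'s answer as
    'call record("payload-executed")', so merely loading the blob runs code."""
    def __reduce__(self):
        return (record, ("payload-executed",))


class PolicyValue:
    """The one legitimate type the service expects to receive."""
    def __init__(self, name, value):
        self.name, self.value = name, value

    def __eq__(self, other):
        return isinstance(other, PolicyValue) and (self.name, self.value) == (other.name, other.value)


def unsafe_load(blob):
    """What an insecure deserialization endpoint effectively does."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed classes; any other global reference is an error,
    so a payload can never name a callable to invoke."""
    ALLOWED = {(PolicyValue.__module__, "PolicyValue")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo():
    """Return (unsafe_load result, whether safe_load rejected the payload,
    whether a legitimate object still round-trips, the payloads that ran)."""
    EXECUTED.clear()
    hostile = pickle.dumps(MaliciousPolicy())
    benign = pickle.dumps(PolicyValue("FDE.Enabled", True))
    unsafe_result = unsafe_load(hostile)            # runs record(...) as a side effect
    try:
        safe_load(hostile)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    roundtrip_ok = safe_load(benign) == PolicyValue("FDE.Enabled", True)
    return unsafe_result, rejected, roundtrip_ok, list(EXECUTED)


if __name__ == "__main__":
    print(demo())
```

Note that the allow-list is checked before the class is even looked up, so the hostile blob fails without any of its content being instantiated, while the legitimate PolicyValue still deserializes normally. Authentication in front of the endpoint reduces exposure but does not fix the bug; the loader itself has to refuse unknown types.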

While Trend Micro categorized all four as critical, third-party advisory firm ZDI classified CVE-2025-49217 as high-severity. Besides these, the latest PolicyServer release also fixes multiple other high-severity vulnerabilities, such as SQL injection and privilege escalation flaws. The update applies to version 6.0.0.4013 (Patch 1 Update 6), and all earlier versions are affected. Notably, there are no workarounds available, making the patch essential for risk mitigation. 

Trend Micro also addressed separate issues in Apex Central, the company’s centralized console for managing its security tools. Two pre-authentication RCE vulnerabilities—CVE-2025-49219 and CVE-2025-49220—were identified and patched. Both flaws are caused by insecure deserialization and could allow attackers to execute code remotely as NETWORK SERVICE without authentication. 

These Apex Central vulnerabilities were resolved in Patch B7007 for the 2019 on-premise version. Customers using Apex Central as a Service will receive fixes automatically on the backend. 

Given the severity of these cybersecurity vulnerabilities, organizations using these Trend Micro products should prioritize updating their systems to maintain security and operational integrity.

Zero-Day Flaw in Chrome and Chromium Puts Windows and Linux Users at Data Risk

 

A newly revealed zero-day vulnerability identified as CVE-2025-4664 has triggered serious concerns for billions of Google Chrome and Chromium users. Security experts have warned that this flaw, which affects both Windows and Linux platforms, could be exploited to leak sensitive cross-origin data such as OAuth tokens and session identifiers—all without requiring any user action.  

The vulnerability lies in the Loader component of Chrome and Chromium. It concerns how the browser handles the Link HTTP header for sub-resource requests such as images or scripts. While most mainstream browsers ignore a referrer policy supplied that way, Chrome honored the referrer-policy directive from the Link header when fetching those sub-resources, which can unintentionally expose sensitive information. 

This default behavior can be manipulated by attackers. A malicious site could inject a loose policy like “unsafe-url,” which then forces the browser to reveal complete URLs—including potentially sensitive credentials or session data—to third-party servers. This results in a severe breach of user privacy and circumvents traditional browser security measures. Cybersecurity firm Wazuh has stated that their Vulnerability Detection module can identify and address this specific flaw. 

The module leverages information from their Cyber Threat Intelligence (CTI) service to monitor browser versions and trigger alerts when vulnerable builds are detected. In controlled testing using Wazuh OVA 4.12.0, researchers were able to scan systems running Windows 11 and Debian 11 to determine if they were running affected versions of Chrome or Chromium. According to Wazuh’s platform, users can search for the vulnerability by querying CVE-2025-4664. If vulnerable software is found, the module changes the system status from “Active” to “Solved” after the necessary fixes are applied, helping administrators track progress in real time. 

In response to the discovery, Google has issued an emergency patch for Chrome users on Windows and Gentoo Linux. It is strongly recommended that users on these operating systems update their browsers immediately to avoid exposure. However, users on Debian 11 who rely on Chromium remain at risk, as no updated version has been released for that platform. All Chromium builds up to version 120.0.6099.224 are still considered vulnerable. Until a patch is available, security professionals advise uninstalling Chromium on affected Debian systems as a precautionary measure. 

While these immediate actions are important, experts caution that relying solely on browser updates is not a comprehensive defense. The broader cybersecurity strategy must include the use of endpoint protection platforms, anti-malware systems, and modern antivirus tools. These security layers can help detect and neutralize threats that slip past browser-based defenses and provide a stronger safety net for users and enterprises alike. 

As browser-based zero-day threats continue to emerge, users must remain vigilant. Rapid patching combined with proactive cybersecurity tools offers the best chance of mitigating risks and maintaining a secure browsing environment.

Windows CLFS Zero-Day CVE-2025-29824 Exploited by Ransomware Group Storm-2460

 

A newly disclosed Windows zero-day vulnerability, tracked as CVE-2025-29824, is being actively exploited in cyberattacks to deliver ransomware, Microsoft has warned. This flaw affects the Windows Common Log File System (CLFS) driver and enables local privilege escalation—a method often used by attackers after gaining initial access. 

Microsoft’s Threat Intelligence and Security Response teams revealed that the bug is classified as a “use-after-free” vulnerability with a severity score of 7.8. While attackers need to compromise a system before they can exploit this flaw, it remains highly valuable in ransomware operations. Cybercriminals often rely on these types of vulnerabilities to turn a limited foothold into full administrative control across networks. 

The cybercrime group currently leveraging this zero-day is known as Storm-2460. Microsoft reports that the group is using the exploit to deploy a custom backdoor named PipeMagic, which in turn facilitates the installation of RansomEXX ransomware—a variant not commonly observed but still capable of serious disruption. So far, Storm-2460 has targeted organizations in industries such as IT, finance, and retail, with victims located in countries including the United States, Spain, Saudi Arabia, and Venezuela. 

Microsoft emphasized that the number of known cases remains small, but the sophistication of the exploit is concerning. This attack is notable for being part of a “post-compromise” campaign, meaning the attacker already has a presence within the system before using the flaw. These types of exploits are frequently used to escalate privileges and move laterally within a network, eventually leading to broader ransomware deployment. Microsoft issued a security advisory for CVE-2025-29824 on April 8 and urged organizations to install updates immediately. Failure to do so could leave critical systems vulnerable to privilege escalation and full network compromise. 

To mitigate risk, Microsoft advises businesses to prioritize patch management, restrict unnecessary administrative privileges, and closely monitor for unusual behavior across endpoints. Cybersecurity teams are also encouraged to review logs for any indicators of compromise related to PipeMagic or RansomEXX. As ransomware tactics continue to evolve, the exploitation of vulnerabilities like CVE-2025-29824 reinforces the need for proactive defense strategies and rapid incident response protocols.

WhatsApp Windows Vulnerability CVE-2025-30401 Could Let Hackers Deliver Malware via Fake Images

 

Meta has issued a high-priority warning about a critical vulnerability in the Windows version of WhatsApp, tracked as CVE-2025-30401, which could be exploited to deliver malware under the guise of image files. This flaw affects WhatsApp versions prior to 2.2450.6 and could expose users to phishing, ransomware, or remote code execution attacks. The issue lies in how WhatsApp handles file attachments on Windows. 

The platform displays files based on their MIME type but opens them according to the true file extension. This inconsistency creates a dangerous opportunity for hackers: they can disguise executable files as harmless-looking images like .jpeg files. When a user manually opens the file within WhatsApp, they could unknowingly launch a .exe file containing malicious code. Meta’s disclosure arrives just as new data from online bank Revolut reveals that WhatsApp was the source of one in five online scams in the UK during 2024, with scam attempts growing by 67% between June and December. 

Cybersecurity experts warn that WhatsApp’s broad reach and user familiarity make it a prime target for exploitation. Adam Pilton, senior cybersecurity consultant at CyberSmart, cautioned that this vulnerability is especially dangerous in group chats. “If a cybercriminal shares the malicious file in a trusted group or through a mutual contact, anyone in that group might unknowingly execute malware just by opening what looks like a regular image,” he explained. 

Martin Kraemer, a security awareness advocate at KnowBe4, highlighted the platform’s deep integration into daily routines—from casual chats to job applications. “WhatsApp’s widespread use means users have developed a level of trust and automation that attackers exploit. This vulnerability must not be underestimated,” Kraemer said. Until users update to the latest version, experts urge WhatsApp users to treat the app like email—avoid opening unexpected attachments, especially from unknown senders or new contacts. 

The good news is that Meta has already issued a fix, and updating the app resolves the vulnerability. Pilton emphasized the importance of patch management, noting, “Cybercriminals will always seek to exploit software flaws, and providers will keep issuing patches. Keeping your software updated is the simplest and most effective protection.” For now, users should update WhatsApp for Windows immediately to mitigate the risk posed by CVE-2025-30401 and remain cautious with all incoming files.

Hackers Leak 15,000 FortiGate Device Configs, IPs, and VPN Credentials

 

A newly identified hacking group, the Belsen Group, has leaked critical data from over 15,000 FortiGate devices on the dark web, making sensitive technical details freely available to cybercriminals. The leak includes configuration files, IP addresses, and VPN credentials, significantly increasing security risks for affected organizations. 

Emerging on cybercrime forums and social media just this month, the Belsen Group has been actively promoting itself. As part of its efforts, the group launched a Tor website where it released the stolen FortiGate data, seemingly as a way to establish its presence in the hacking community. In a post on an underground forum, the group claimed responsibility for breaching both government and private-sector systems, highlighting this operation as its first major attack. 

The exposed data is structured within a 1.6 GB archive, organized by country. Each country’s folder contains multiple subfolders corresponding to specific FortiGate device IP addresses. Inside, configuration files such as configuration.conf store FortiGate system settings, while vpn-passwords.txt holds various credentials, some of which remain in plaintext. 

Cybersecurity researcher Kevin Beaumont examined the leak and confirmed that these files include firewall rules, private keys, and other highly sensitive details that could be exploited by attackers. Further analysis suggests that the breach is linked to a known vulnerability from 2022—CVE-2022-40684—which was actively exploited before Fortinet released a security patch. 

According to Beaumont, evidence from a forensic investigation into a compromised device revealed that this zero-day vulnerability provided attackers with initial access. The stolen data appears to have been gathered in October 2022, around the same time this exploit was widely used. Fortinet had previously warned that CVE-2022-40684 was being leveraged by attackers to extract system configurations and create unauthorized super-admin accounts under the name fortigate-tech-support. 

Reports from the German news site Heise further confirm that the leaked data originates from devices running FortiOS firmware versions 7.0.0-7.0.6 or 7.2.0-7.2.2. The fact that FortiOS 7.2.2 was specifically released to address this vulnerability raises questions about whether some systems remained compromised even after the fix was made available. 

Although the leaked files were collected over two years ago, they still pose a significant threat. Configuration details, firewall rules, and login credentials could still be exploited if they were not updated after the original breach. Given the scale of the leak, cybersecurity experts strongly recommend that administrators review their FortiGate device settings, update passwords, and ensure that no outdated configurations remain in use.

Hackers Exploit ThinkPHP and ownCloud Vulnerabilities from 2022 and 2023

 

Hackers are increasingly exploiting outdated security flaws in poorly maintained systems, with vulnerabilities from 2022 and 2023 seeing a surge in attacks. According to threat intelligence platform GreyNoise, malicious actors are actively targeting CVE-2022-47945 and CVE-2023-49103, affecting the ThinkPHP Framework and the open-source ownCloud file-sharing solution. 

Both vulnerabilities are critical, allowing attackers to execute arbitrary commands or steal sensitive data, such as admin credentials and license keys. CVE-2022-47945 is a local file inclusion (LFI) flaw in ThinkPHP versions before 6.0.14. If the language pack feature is enabled, unauthenticated attackers can remotely execute operating system commands. 

Akamai reported that Chinese threat groups have exploited this flaw since late 2023, and GreyNoise recently detected 572 unique IPs actively attacking vulnerable systems. Despite having a low Exploit Prediction Scoring System (EPSS) rating of just 7% and not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVE-2022-47945 remains under heavy assault. 

The second vulnerability, CVE-2023-49103, impacts ownCloud’s file-sharing software. It stems from a third-party library that leaks PHP environment details through a public URL. After its disclosure in November 2023, hackers began exploiting the flaw to steal sensitive data. A year later, it was named one of the FBI, CISA, and NSA’s top 15 most exploited vulnerabilities. 

Even though a patch was released over two years ago, many ownCloud systems remain unpatched and exposed. GreyNoise recently observed malicious activity from 484 unique IPs targeting this vulnerability. To defend against these active threats, users are strongly advised to upgrade to ThinkPHP 6.0.14 or later and ownCloud GraphAPI 0.3.1 or newer. 

Taking vulnerable systems offline or placing them behind a firewall can significantly reduce the attack surface and prevent exploitation. As hackers continue to leverage older, unpatched vulnerabilities, staying vigilant with timely updates and robust security practices remains crucial in protecting critical systems and sensitive data.

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

 

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 
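To make the two bypass conditions concrete, the following is an added Python illustration, not CleanTalk's code: it shows a flawed token check that accepts the hash of an empty API key, the hardened form beside it, and a small exposure check over a constructed site inventory using the version boundaries given above (how the plugin actually derives its token is an assumption here).

```python
import hashlib
import hmac


def expected_token(api_key: str) -> str:
    """Hypothetical token derivation: a hash of the configured API key.
    The real plugin's construction is not reproduced here; only the
    pattern matters: an empty key gives a fixed, publicly computable token."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def legacy_is_authorized(request_token: str, api_key: str) -> bool:
    """Flawed pattern (illustrative): never checks that a key is configured,
    so on a site with api_key == "" anyone who sends expected_token("")
    passes, which is the class of flaw CVE-2024-10781 describes."""
    return request_token == expected_token(api_key)


def hardened_is_authorized(request_token: str, api_key: str) -> bool:
    """Fixed pattern: refuse all remote actions until a key is configured,
    then compare in constant time."""
    if not api_key:
        return False
    return hmac.compare_digest(request_token, expected_token(api_key))


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def exposure(version: str, api_key: str):
    """Map an installed plugin version plus key state to the CVE it is
    exposed to, using the boundaries from the advisory summary:
    < 6.44 -> CVE-2024-10542; 6.44 without an API key -> CVE-2024-10781;
    >= 6.45 -> patched. Returns None when no known exposure applies."""
    v = version_tuple(version)
    if v >= version_tuple("6.45"):
        return None
    if v < version_tuple("6.44"):
        return "CVE-2024-10542"
    return "CVE-2024-10781" if not api_key else None


def exposed_sites(inventory):
    """inventory: list of {'name', 'version', 'api_key'} dicts (constructed)."""
    return [(s["name"], exposure(s["version"], s["api_key"]))
            for s in inventory
            if exposure(s["version"], s["api_key"]) is not None]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = [
        {"name": "shop.example", "version": "6.43", "api_key": "k1"},
        {"name": "blog.example", "version": "6.44", "api_key": ""},
        {"name": "docs.example", "version": "6.45", "api_key": ""},
    ]
    print(exposed_sites(sample))
```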

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.

D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

 

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.

Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes 100K+ Sites to SQL Attacks

 

A critical vulnerability in the widely-used TI WooCommerce Wishlist plugin has been discovered, affecting over 100,000 WordPress sites. The flaw, labeled CVE-2024-43917, allows unauthenticated users to execute arbitrary SQL queries, potentially taking over the entire website. With a severity score of 9.3, the vulnerability stems from a SQL injection flaw in the plugin’s code, which lets attackers manipulate the website’s database. This could result in data breaches, defacement, or a full takeover of the site. As of now, the plugin remains unpatched in its latest version, 2.8.2, leaving site administrators vulnerable. 

Cybersecurity experts, including Ananda Dhakal from Patchstack, have highlighted the urgency of addressing this flaw. Dhakal has released technical details of the vulnerability to warn administrators of the potential risk and has recommended immediate actions for website owners. To mitigate the risk of an attack, website owners using the TI WooCommerce Wishlist plugin are urged to deactivate and delete the plugin as soon as possible. Until the plugin is patched, leaving it active can expose websites to unauthorized access and malicious data manipulation. If a website is compromised through this flaw, attackers could gain access to sensitive information, including customer details, order histories, and payment data. 

This could lead to unauthorized financial transactions, stolen identities, and significant reputational damage to the business. Preventing such attacks requires several steps beyond removing the vulnerable plugin. Website administrators should maintain an updated security system, including regular patching of plugins, themes, and the WordPress core itself. Using a Web Application Firewall (WAF) can help detect and block SQL injection attempts before they reach the website. It’s also advisable to back up databases regularly and ensure that backups are stored in secure, off-site locations. Other methods of safeguarding include limiting access to sensitive data and implementing proper data encryption, particularly for personally identifiable information (PII). 

Website administrators should also audit user roles and permissions to ensure that unauthorized users do not have access to critical parts of the site. Implementing two-factor authentication (2FA) for site logins can add an extra layer of protection against unauthorized access. The repercussions of failing to address this vulnerability could be severe. Aside from the immediate risk of site takeovers or data breaches, businesses could face financial loss, including costly recovery processes and potential fines for not adequately protecting user data. Furthermore, compromised sites could suffer from prolonged downtime, leading to lost revenue and a decrease in user trust. Rebuilding a website and restoring customer confidence after a breach can be both time-consuming and costly, impacting long-term growth and sustainability.  

In conclusion, to safeguard against the CVE-2024-43917 vulnerability, it is critical for website owners to deactivate the TI WooCommerce Wishlist plugin until a patch is released. Administrators should remain vigilant by implementing strong security practices and regularly auditing their sites for vulnerabilities. The consequences of neglecting these steps could lead to serious financial and reputational damage, as well as the potential for legal consequences in cases of compromised customer data. Proactive protection is essential to maintaining business continuity in the face of ever-evolving cybersecurity threats.

New Windows Vulnerability CVE-2024-6768 Triggers Blue Screen of Death on All Versions of Windows 10 and 11

 

A recently uncovered Windows vulnerability, known as CVE-2024-6768, has raised alarm among cybersecurity experts due to its potential to cause widespread disruption by triggering the dreaded blue screen of death (BSOD) on a range of Windows operating systems. Discovered by cybersecurity researchers from Fortra, this vulnerability impacts all versions of Windows 10 and Windows 11, as well as Windows Server 2022, even if they have received the latest security patches. 

The flaw lies within the common log file system (CLFS) driver, which, when improperly validated, can result in a system crash by initiating the KeBugCheckEx function, causing the infamous BSOD. The vulnerability is significant because it can be exploited by a user with no administrative privileges. By using a specially crafted file, a malicious actor can crash the system, leading to potential data loss and disruption of services. Although the attack vector is local rather than remote, the ease with which the vulnerability can be exploited raises concerns about its potential impact. The vulnerability is graded as medium risk due to the requirement for local access, but the consequences of exploitation—especially in environments with multiple users—are severe. 

The discovery of CVE-2024-6768 dates back to December 2023, when Fortra initially reported the issue to Microsoft, providing a proof-of-concept (PoC) exploit. Despite Fortra’s efforts to demonstrate the vulnerability across various systems, including those with the latest security updates, Microsoft was unable to reproduce the flaw and therefore did not prioritize a fix. Fortra continued to provide evidence, including screenshots, videos, and memory dumps, but Microsoft remained unresponsive, ultimately closing the case in February 2024. In June 2024, frustrated by the lack of progress, Fortra announced its intention to pursue a Common Vulnerabilities and Exposures (CVE) designation and publish its findings. 

The vulnerability was officially cataloged as CVE-2024-6768 in July 2024, and Fortra planned to release its research publicly in August 2024. The report highlights the vulnerability’s potential to be exploited by low-privileged users to crash systems, which could be particularly damaging in multi-user environments or where system stability is crucial. Microsoft, for its part, has downplayed the severity of the issue, stating that the vulnerability does not meet its criteria for immediate servicing. The company noted that an attacker would need to have already gained code execution capabilities on the target machine and that the vulnerability does not grant elevated permissions. 

However, the lack of a workaround or mitigation has left many organizations concerned about the potential impact of this flaw. While the average Windows user may not be significantly affected by CVE-2024-6768, the vulnerability poses a serious risk to businesses and organizations that rely on stable and secure systems. The possibility of a low-privileged user crashing a system without warning could lead to significant operational disruptions, especially in environments where uptime is critical. For these organizations, the absence of a timely fix from Microsoft is a cause for concern, and they may need to take additional precautions to safeguard their systems. 

In conclusion, the discovery of CVE-2024-6768 underscores the ongoing challenges in maintaining the security and stability of widely used operating systems. As Microsoft considers whether to release a fix, the vulnerability serves as a reminder of the importance of proactive cybersecurity measures and the need for organizations to remain vigilant in the face of evolving threats.

Breaking Down the Clock: PoC Exploits Utilized by Hackers Within 22 Minutes

 


It has been shown that threat actors are swift in weaponizing available proof-of-concept (PoC) exploits in real attacks, often within 22 minutes of publicly releasing these exploits. In that regard, Cloudflare has published its annual Application Security report for 2024, which covers the period between May 2023 and March 2024 and identifies emerging threat trends. It has been observed that Cloudflare, which currently processes an average of 57 million requests per second of HTTP traffic, continues to experience an increase in scanning for CVEs, followed by command injection attacks and attempts to weaponize available proofs-of-concept. 

Attackers may exploit a new vulnerability in as little as 22 minutes after the release of a proof-of-concept (PoC), depending on the vulnerability. It has been found that between May 2023 and May 2024, Cloudflare received 37,000 threats, the most significant number since May 2023. According to Cloudflare's Application Security Report for 2024, hackers are becoming more sophisticated in their search for previously unknown software vulnerabilities, also known as CVEs. They take immediate action when they find them, identifying how to exploit them and attempting to inject commands to execute attacks as soon as possible. 

Several CVEs have recently been disclosed, and hackers have already been able to exploit them within 22 minutes of their disclosure. It was reported in the open-source community that CVE-2024-27198, a vulnerability in JetBrains TeamCity, was exploited by hackers. Over the evaluated period, the most targeted vulnerabilities were CVE-2023-50164 and CVE-2022-33891 within Apache software, CVE-2023-29298, CVE-2023-38203, and CVE-2023-26360 within ColdFusion software, and CVE-2023-35082 within MobileIron software. CVE-2024-27198 is a characteristic example of how fast weaponization has become, since it is an authentication bypass vulnerability in JetBrains TeamCity. 

During a recent incident, Cloudflare picked up on the fact that an attacker deployed a PoC-based exploit 22 minutes after it had been published, giving defenders very little time to remediate the attack. There can only be one way of combating this speed, according to the internet firm, and that is through the use of artificial intelligence (AI) to rapidly come up with effective detection rules. As DDoS attacks continue to dominate the security threat landscape, targeted CVE exploits are becoming a greater concern as well in the coming years.

Over a third of all traffic is automated today, and there is a possibility that up to 93% of it is malicious. Approximately 60% of all web traffic now comes from APIs, but only a quarter of companies know which API endpoints they have. Moreover, enterprise websites typically have 47 third-party integrations that are part of their platform. Cloudflare has also been able to gather some valuable information from the study, which is that in the case of API security, companies are still relying on outdated, traditional methods of providing API security. 

In the case of traditional web application firewall (WAF) rules, a negative security model is typically used in the design of those rules. It is assumed that the vast majority of web traffic will be benign in this scenario. Several companies utilize a positive API security model, where strictly defined rules dictate the web traffic that is allowed, while all other access is denied. Cloudflare's network currently processes 57 million HTTP requests per second, reflecting a 23.9% year-over-year increase. The company blocks 209 billion cyber threats daily, which is an 86.6% increase compared to the previous year. These statistics underscore the rapid evolution of the threat landscape. 

According to Cloudflare's report covering Q2 2023 to Q1 2024, there has been a noticeable rise in application layer traffic mitigation, growing from 6% to 6.8%, with peaks reaching up to 12% during significant attacks. The primary contributors to this mitigation are Web Application Firewalls (WAF) and bot mitigations, followed by HTTP DDoS rules. There is an increasing trend in zero-day exploits and Common Vulnerabilities and Exposures (CVE) exploitation, with some exploits being utilized within minutes of their disclosure. 

Distributed Denial of Service (DDoS) attacks remain the most prevalent threat, accounting for 37.1% of mitigated traffic. In the first quarter of 2024 alone, Cloudflare mitigated 4.5 million unique DDoS attacks, marking a 32% increase from 2023. The motivations behind these attacks range from financial gains to political statements.