Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label CVE vulnerability. Show all posts
Malwares
CVE CVE exploits CVE vulnerability CVEs Cyber Attacks Cyber Threat Intelligence Google GSMA GTIG Hacker attack Malware Attack Malwares

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day

 

Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote access in enterprise environments. 

These appliances, although no longer supported with updates, remain in operation at many organizations, making them attractive to cybercriminals. The hacking group behind these intrusions has been named UNC6148 by Google. Despite being end-of-life, the devices still sit on the edge of sensitive networks, and their continued use has led to increased risk exposure. 

GTIG is urging all organizations that rely on these SMA appliances to examine them for signs of compromise. They recommend that firms collect complete disk images for forensic analysis, as the attackers are believed to be using rootkit-level tools to hide their tracks, potentially tampering with system logs. Assistance from SonicWall may be necessary for acquiring these disk images from physical devices. There is currently limited clarity around the technical specifics of these breaches. 

The attackers are leveraging leaked administrator credentials to gain access, though it remains unknown how those credentials were originally obtained. It’s also unclear what software vulnerabilities are being exploited to establish deeper control. One major obstacle to understanding the attacks is a custom backdoor malware called Overstep, which is capable of selectively deleting system logs to obscure its presence and activity. 

Security researchers believe the attackers might be using a zero-day vulnerability, or possibly exploiting known flaws like CVE-2021-20038 (a memory corruption bug enabling remote code execution), CVE-2024-38475 (a path traversal issue in Apache that exposes sensitive database files), or CVE-2021-20035 and CVE-2021-20039 (authenticated RCE vulnerabilities previously seen in the wild). There’s also mention of CVE-2025-32819, which could allow credential reset attacks through file deletion. 

GTIG, along with Mandiant and SonicWall’s internal response team, has not confirmed exactly how the attackers managed to deploy a reverse shell—something that should not be technically possible under normal device configurations. This shell provides a web-based interface that facilitates the installation of Overstep and potentially gives attackers full control over the compromised appliance. 

The motivations behind these breaches are still unclear. Since Overstep deletes key logs, detecting an infection is particularly difficult. However, Google has shared indicators of compromise to help organizations determine if they have been affected. Security teams are strongly advised to investigate the presence of these indicators and consider retiring unsupported hardware from critical infrastructure as part of a proactive defense strategy.
Read more »
Remote Code Execution
Authentication Bypass CVE CVE exploits CVE vulnerability CVEs Cyber Security cybersecurity vulnerabilities Endpoint patch fixes Remote Code Execution

Trend Micro Patches Critical Remote Code Execution and Authentication Bypass Flaws in Apex Central and PolicyServer

Trend Micro has rolled out essential security updates to address a series of high-impact vulnerabilities discovered in two of its enterprise security solutions: Apex Central and the Endpoint Encryption (TMEE) PolicyServer. These newly disclosed issues, which include critical remote code execution (RCE) and authentication bypass bugs, could allow attackers to compromise systems without needing login credentials. 

Although there have been no confirmed cases of exploitation so far, Trend Micro strongly recommends immediate patching to mitigate any potential threats. The vulnerabilities are especially concerning for organizations operating in sensitive sectors, where data privacy and regulatory compliance are paramount. 

The Endpoint Encryption PolicyServer is a key management solution used to centrally control full disk and media encryption across Windows-based systems. Following the recent update, four critical issues in this product were fixed. Among them is CVE-2025-49212, a remote code execution bug that stems from insecure deserialization within PolicyValue Table Serialization Binder class. This flaw enables threat actors to run code with SYSTEM-level privileges without any authentication. 

Another serious issue, CVE-2025-49213, was found in the PolicyServerWindowsService class, also involving unsafe deserialization. This vulnerability similarly allows arbitrary code execution without requiring user credentials. An additional bug, CVE-2025-49216, enables attackers to bypass authentication entirely due to faulty logic in the DbAppDomain service. Lastly, CVE-2025-49217 presents another RCE risk, though slightly more complex to exploit, allowing code execution via the ValidateToken method. 

While Trend Micro categorized all four as critical, third-party advisory firm ZDI classified CVE-2025-49217 as high-severity. Besides these, the latest PolicyServer release also fixes multiple other high-severity vulnerabilities, such as SQL injection and privilege escalation flaws. The update applies to version 6.0.0.4013 (Patch 1 Update 6), and all earlier versions are affected. Notably, there are no workarounds available, making the patch essential for risk mitigation. 

Trend Micro also addressed separate issues in Apex Central, the company’s centralized console for managing its security tools. Two pre-authentication RCE vulnerabilities—CVE-2025-49219 and CVE-2025-49220—were identified and patched. Both flaws are caused by insecure deserialization and could allow attackers to execute code remotely as NETWORK SERVICE without authentication. 

These Apex Central vulnerabilities were resolved in Patch B7007 for the 2019 on-premise version. Customers using Apex Central as a Service will receive fixes automatically on the backend. 

Given the severity of these cybersecurity vulnerabilities, organizations using these Trend Micro products should prioritize updating their systems to maintain security and operational integrity.
Read more »
Google Chrome security
Chromium Browser CVE CVE vulnerability Data Breach Data Leak Data Safety User Data data security Google Chrome Google Chrome security

Zero-Day Flaw in Chrome and Chromium Puts Windows and Linux Users at Data Risk

 

A newly revealed zero-day vulnerability identified as CVE-2025-4664 has triggered serious concerns for billions of Google Chrome and Chromium users. Security experts have warned that this flaw, which affects both Windows and Linux platforms, could be exploited to leak sensitive cross-origin data such as OAuth tokens and session identifiers—all without requiring any user action.  

The vulnerability has been discovered within the Loader component of Chrome and Chromium browsers. It is linked to how these browsers interpret the Link HTTP header for sub-resource requests such as images or scripts. While most mainstream browsers follow strict guidelines for handling such requests, Chrome’s unique behavior stands out. It continues to respect the referrer-policy directive even when loading sub-resources, which can unintentionally expose sensitive information. 

This default behavior can be manipulated by attackers. A malicious site could inject a loose policy like “unsafe-url,” which then forces the browser to reveal complete URLs—including potentially sensitive credentials or session data—to third-party servers. This results in a severe breach of user privacy and circumvents traditional browser security measures. Cybersecurity firm Wazuh has stated that their Vulnerability Detection module can identify and address this specific flaw. 

The module leverages information from their Cyber Threat Intelligence (CTI) service to monitor browser versions and trigger alerts when vulnerable builds are detected. In controlled testing using Wazuh OVA 4.12.0, researchers were able to scan systems running Windows 11 and Debian 11 to determine if they were running affected versions of Chrome or Chromium. According to Wazuh’s platform, users can search for the vulnerability by querying CVE-2025-4664. If vulnerable software is found, the module changes the system status from “Active” to “Solved” after the necessary fixes are applied, helping administrators track progress in real time. 

In response to the discovery, Google has issued an emergency patch for Chrome users on Windows and Gentoo Linux. It is strongly recommended that users on these operating systems update their browsers immediately to avoid exposure. However, users on Debian 11 who rely on Chromium remain at risk, as no updated version has been released for that platform. All Chromium builds up to version 120.0.6099.224 are still considered vulnerable. Until a patch is available, security professionals advise uninstalling Chromium on affected Debian systems as a precautionary measure. 

While these immediate actions are important, experts caution that relying solely on browser updates is not a comprehensive defense. The broader cybersecurity strategy must include the use of endpoint protection platforms, anti-malware systems, and modern antivirus tools. These security layers can help detect and neutralize threats that slip past browser-based defenses and provide a stronger safety net for users and enterprises alike. 

As browser-based zero-day threats continue to emerge, users must remain vigilant. Rapid patching combined with proactive cybersecurity tools offers the best chance of mitigating risks and maintaining a secure browsing environment.
Read more »
Exploitation
backdoor vulnerability Cisco Cisco Security CVE exploits CVE vulnerability Cyber Security Exploitation

Cisco CVE-2024-20439: Exploitation Attempts Target Smart Licensing Utility Backdoor

 

A critical vulnerability tracked as CVE-2024-20439 has placed Cisco’s Smart Licensing Utility (CSLU) in the spotlight after cybersecurity researchers observed active exploitation attempts. The flaw, which involves an undocumented static administrative credential, could allow unauthenticated attackers to remotely access affected systems. While it’s still unclear whether the vulnerability has been weaponized in ransomware attacks, security experts have noted suspicious botnet activity linked to it since early January, with a significant surge in mid-March. 

The vulnerability, according to Cisco, cannot be exploited unless the CSLU is actively running—a saving grace for systems not using the utility frequently. However, many organizations rely on the CSLU to manage licenses for Cisco products without requiring constant connectivity to Cisco’s cloud-based Smart Software Manager. This increases the risk of exposure for unpatched systems. Johannes Ullrich, Dean of Research at the SANS Technology Institute, highlighted that the vulnerability effectively acts as a backdoor. 

In fact, he noted that Cisco has a history of embedding static credentials in several of its products. Ullrich’s observation aligns with earlier research by Nicholas Starke, who published a detailed technical analysis of the flaw, including the decoded hardcoded password, just weeks after Cisco issued its patch. This disclosure made it easier for potential attackers to identify and exploit vulnerable systems. In addition to CVE-2024-20439, Cisco addressed another critical flaw, CVE-2024-20440, which allows unauthenticated attackers to extract sensitive data from exposed devices, including API credentials. 

This vulnerability also affects the CSLU and can be exploited by sending specially crafted HTTP requests to a target system. Like the first flaw, it is only active when the CSLU application is running. Researchers have now detected attackers chaining both vulnerabilities to maximize impact. According to Ullrich, scans and probes originating from a small botnet are testing for exposure to these flaws. Although Cisco’s Product Security Incident Response Team (PSIRT) maintains that there’s no confirmed evidence of these flaws being exploited in the wild, the published credentials and recent scan activity suggest otherwise. 

These types of vulnerabilities raise larger concerns about the use of hardcoded credentials in critical infrastructure. Cisco has faced similar issues in the past with other software products, including IOS XE, DNA Center, and Emergency Responder. 

As always, the best defense is prompt patching. Cisco released security updates in September to address both flaws, and organizations running CSLU should immediately apply them. Additionally, any instance of the CSLU running unnecessarily should be disabled to reduce the attack surface. With exploit attempts on the rise and technical details now public, delaying mitigation could have serious consequences.
Read more »
Hackers
CVE CVE exploits CVE vulnerability Cyber Security data security Data Theft Hacker attack Hackers

Hackers Exploit ThinkPHP and ownCloud Vulnerabilities from 2022 and 2023

 

Hackers are increasingly exploiting outdated security flaws in poorly maintained systems, with vulnerabilities from 2022 and 2023 seeing a surge in attacks. According to threat intelligence platform GreyNoise, malicious actors are actively targeting CVE-2022-47945 and CVE-2023-49103, affecting the ThinkPHP Framework and the open-source ownCloud file-sharing solution. 

Both vulnerabilities are critical, allowing attackers to execute arbitrary commands or steal sensitive data, such as admin credentials and license keys. CVE-2022-47945 is a local file inclusion (LFI) flaw in ThinkPHP versions before 6.0.14. If the language pack feature is enabled, unauthenticated attackers can remotely execute operating system commands. 

Akamai reported that Chinese threat groups have exploited this flaw since late 2023, and GreyNoise recently detected 572 unique IPs actively attacking vulnerable systems. Despite having a low Exploit Prediction Scoring System (EPSS) rating of just 7% and not being listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, CVE-2022-47945 remains under heavy assault. 

The second vulnerability, CVE-2023-49103, impacts ownCloud’s file-sharing software. It stems from a third-party library that leaks PHP environment details through a public URL. After its disclosure in November 2023, hackers began exploiting the flaw to steal sensitive data. A year later, it was named one of the FBI, CISA, and NSA’s top 15 most exploited vulnerabilities. 

Even though a patch was released over two years ago, many ownCloud systems remain unpatched and exposed. GreyNoise recently observed malicious activity from 484 unique IPs targeting this vulnerability. To defend against these active threats, users are strongly advised to upgrade to ThinkPHP 6.0.14 or later and ownCloud GraphAPI 0.3.1 or newer. 

Taking vulnerable systems offline or placing them behind a firewall can significantly reduce the attack surface and prevent exploitation. As hackers continue to leverage older, unpatched vulnerabilities, staying vigilant with timely updates and robust security practices remains crucial in protecting critical systems and sensitive data.
Read more »
RCE
Aviatrix critical vulnerabilities CVE exploits CVE vulnerability Cyber Security Data Exfiltration data security RCE

Critical Command Injection Vulnerability Found in Aviatrix Network Controller (CVE-2024-50603)

 


Jakub Korepta, Principal Security Consultant at Securing, has discovered a critical command injection vulnerability in the Aviatrix Network Controller, identified as CVE-2024-50603. This flaw, impacting versions 7.x through 7.2.4820, has been assigned the highest possible CVSS severity score of 10.0. It allows unauthenticated attackers to remotely execute arbitrary code, posing a severe threat to enterprises utilizing Aviatrix’s cloud networking solutions.

The root of this vulnerability lies in improper input handling within the Aviatrix Controller's API. While certain input parameters are sanitized using functions like escapeshellarg, others—most notably the cloud_type parameter in the list_flightpath_destination_instances action—remain unprotected. This oversight permits attackers to inject malicious commands into API requests, leading to remote code execution (RCE).

Jakub Korepta demonstrated this flaw by crafting a malicious HTTP request that redirected sensitive system files to an attacker-controlled server. By appending harmful commands to the vulnerable parameter, attackers can gain unauthorized access and execute arbitrary code on the targeted system.


In a proof-of-concept attack, Korepta successfully extracted the contents of the /etc/passwd file, highlighting the potential for data theft. However, the threat extends beyond data exfiltration. Exploiting this vulnerability could allow attackers to:
  • Execute Remote Code: Attackers can run commands with full system privileges, gaining complete control over the Aviatrix Controller.
  • Steal or Manipulate Data: Sensitive data stored on the system can be accessed, stolen, or altered.
  • Compromise Entire Networks: Successful exploitation could lead to lateral movement within enterprise networks, escalating the attack's impact.

Research uncovered 681 publicly exposed Aviatrix Controllers accessible via the Shodan search engine. These exposed systems significantly increase the risk, providing attackers with easily identifiable targets for exploitation.

Aviatrix has responded promptly by releasing version 7.2.4996, which addresses this vulnerability through enhanced input sanitization. This update effectively neutralizes the identified risk. All users are strongly urged to upgrade to this patched version immediately to secure their systems and prevent exploitation. Failure to apply this update leaves systems vulnerable to severe attacks.

Recommended actions for organizations include:
  • Immediate Patch Deployment: Upgrade to version 7.2.4996 or later to eliminate the vulnerability.
  • Network Access Controls: Restrict public access to Aviatrix Controllers and enforce strict network segmentation.
  • Continuous Monitoring: Implement robust monitoring systems to detect unauthorized activity or anomalies.

Lessons in Proactive Security

This incident underscores the critical need for proactive cybersecurity measures and routine software updates. Even advanced networking solutions can be compromised if proper input validation and security controls are neglected. Organizations must remain vigilant, ensuring that both internal systems and third-party solutions adhere to stringent security standards.

The discovery of CVE-2024-50603 serves as a stark reminder of how overlooked vulnerabilities can escalate into significant threats. Timely updates and consistent security practices are vital to protecting enterprise networks from evolving cyber risks.
Read more »
Spam
critical vulnerabilities CVE CVE vulnerability CVEs Cyber Security Plugin Flaws plugin security Plugins RCE Spam

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

 

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.
Read more »
Security Issues
CISO CVE vulnerability CVEs Cyber Security Hacking News Information Security IT Security Security Issues

Cisco Fixes Critical CVE-2024-20418 Vulnerability in Industrial Wireless Access Points

 

Cisco recently disclosed a critical security vulnerability, tracked as CVE-2024-20418, that affects specific Ultra-Reliable Wireless Backhaul (URWB) access points used in industrial settings. These URWB access points are essential for maintaining robust wireless networks in environments like manufacturing plants, transportation systems, and other infrastructure-intensive industries. The vulnerability allows remote, unauthenticated attackers to perform command injection attacks with root privileges by exploiting the device’s web-based management interface. 

This vulnerability results from inadequate validation of input data within Cisco’s Unified Industrial Wireless Software, specifically affecting the web management interface of URWB access points. By sending specially crafted HTTP requests, attackers could exploit this flaw to execute arbitrary commands with root-level access, potentially leading to unauthorized control over the device. This level of access could compromise critical network infrastructure, posing serious risks to businesses relying on URWB technology for uninterrupted connectivity. The vulnerability specifically impacts Cisco Catalyst models IW9165D, IW9165E, and IW9167E when URWB mode is enabled. 

For users concerned about their device’s security, Cisco advises checking vulnerability status by using the “show mpls-config” command in the command-line interface (CLI). If the command confirms URWB mode is active, the device may be vulnerable to potential attacks. Cisco’s Product Security Incident Response Team (PSIRT) has stated that it is not aware of any instances of this vulnerability being actively exploited in real-world scenarios. However, given the nature of this vulnerability, Cisco urges users to update their devices promptly to mitigate the risk. Currently, Cisco has not issued workarounds for this issue. 

As a result, companies relying on these models are advised to stay alert for firmware updates or patches that Cisco may release to resolve the vulnerability. The lack of a temporary fix underlines the importance of applying any future updates immediately, especially as remote exploitation could have significant consequences for the affected systems. For organizations using these Cisco models, securing network access and strengthening device-level defenses can be critical in mitigating potential risks. Limiting access to the web-based management interface, monitoring device activity, and conducting frequent security audits are some proactive steps administrators can take. These actions may help limit exposure while waiting for Cisco’s permanent fix. This incident serves as a reminder of the evolving threat landscape in industrial and operational technology environments. 

As organizations adopt more wireless technologies to improve operational efficiencies, the need for robust cybersecurity practices is crucial. Regularly updating network devices and addressing vulnerabilities promptly are fundamental to protecting systems from cyber threats. Cisco’s disclosure of CVE-2024-20418 underscores the vulnerabilities that even the most reliable industrial-grade devices can exhibit. It also highlights the critical importance of proactive device management and security measures in preventing unauthorized access. Industrial environments should consider this a timely reminder to prioritize cybersecurity protocols across all network-connected devices.
Read more »
Subscribe to: Posts (Atom)