Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label CVEs. Show all posts
Data Theft
CISA CISA advisory CVE CVE exploits CVEs Cyber Attacks Cyber Exploits Cyber flaws Cyber Vulnerabilities Data protection data security Data Theft

CISA Urges Immediate Patching of Critical SysAid Vulnerabilities Amid Active Exploits

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about two high-risk vulnerabilities in SysAid’s IT service management (ITSM) platform that are being actively exploited by attackers. These security flaws, identified as CVE-2025-2775 and CVE-2025-2776, can enable unauthorized actors to hijack administrator accounts without requiring credentials. 

Discovered in December 2024 by researchers at watchTowr Labs, the two vulnerabilities stem from XML External Entity (XXE) injection issues. SysAid addressed these weaknesses in March 2025 through version 24.4.60 of its On-Premises software. However, the urgency escalated when proof-of-concept code demonstrating how to exploit the flaws was published just a month later, highlighting how easily bad actors could access sensitive files on affected systems. 

Although CISA has not provided technical specifics about the ongoing attacks, it added the vulnerabilities to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12. CISA also strongly recommends that organizations in the private sector act swiftly to apply the necessary updates, regardless of the directive’s federal scope. 

“These vulnerabilities are commonly exploited by malicious cyber actors and present serious threats to government systems,” CISA stated in its warning. SysAid’s On-Prem solution is deployed on an organization’s internal infrastructure, allowing IT departments to manage help desk tickets, assets, and other services. According to monitoring from Shadowserver, several dozen SysAid installations remain accessible online, particularly in North America and Europe, potentially increasing exposure to these attacks. 

Although CISA has not linked these specific flaws to ransomware campaigns, the SysAid platform was previously exploited in 2023 by the FIN11 cybercrime group, which used another vulnerability (CVE-2023-47246) to distribute Clop ransomware in zero-day attacks. Responding to the alert, SysAid reaffirmed its commitment to cybersecurity. “We’ve taken swift action to resolve these vulnerabilities through security patches and shared the relevant information with CISA,” a company spokesperson said. “We urge all customers to ensure their systems are fully up to date.” 

SysAid serves a global clientele of over 5,000 organizations and 10 million users across 140 countries. Its user base spans from startups to major enterprises, including recognized brands like Coca-Cola, IKEA, Honda, Xerox, Michelin, and Motorola.
Read more »
Malwares
CVE CVE exploits CVE vulnerability CVEs Cyber Attacks Cyber Threat Intelligence Google GSMA GTIG Hacker attack Malware Attack Malwares

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day

 

Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote access in enterprise environments. 

These appliances, although no longer supported with updates, remain in operation at many organizations, making them attractive to cybercriminals. The hacking group behind these intrusions has been named UNC6148 by Google. Despite being end-of-life, the devices still sit on the edge of sensitive networks, and their continued use has led to increased risk exposure. 

GTIG is urging all organizations that rely on these SMA appliances to examine them for signs of compromise. They recommend that firms collect complete disk images for forensic analysis, as the attackers are believed to be using rootkit-level tools to hide their tracks, potentially tampering with system logs. Assistance from SonicWall may be necessary for acquiring these disk images from physical devices. There is currently limited clarity around the technical specifics of these breaches. 

The attackers are leveraging leaked administrator credentials to gain access, though it remains unknown how those credentials were originally obtained. It’s also unclear what software vulnerabilities are being exploited to establish deeper control. One major obstacle to understanding the attacks is a custom backdoor malware called Overstep, which is capable of selectively deleting system logs to obscure its presence and activity. 

Security researchers believe the attackers might be using a zero-day vulnerability, or possibly exploiting known flaws like CVE-2021-20038 (a memory corruption bug enabling remote code execution), CVE-2024-38475 (a path traversal issue in Apache that exposes sensitive database files), or CVE-2021-20035 and CVE-2021-20039 (authenticated RCE vulnerabilities previously seen in the wild). There’s also mention of CVE-2025-32819, which could allow credential reset attacks through file deletion. 

GTIG, along with Mandiant and SonicWall’s internal response team, has not confirmed exactly how the attackers managed to deploy a reverse shell—something that should not be technically possible under normal device configurations. This shell provides a web-based interface that facilitates the installation of Overstep and potentially gives attackers full control over the compromised appliance. 

The motivations behind these breaches are still unclear. Since Overstep deletes key logs, detecting an infection is particularly difficult. However, Google has shared indicators of compromise to help organizations determine if they have been affected. Security teams are strongly advised to investigate the presence of these indicators and consider retiring unsupported hardware from critical infrastructure as part of a proactive defense strategy.
Read more »
Remote Code Execution
Authentication Bypass CVE CVE exploits CVE vulnerability CVEs Cyber Security cybersecurity vulnerabilities Endpoint patch fixes Remote Code Execution

Trend Micro Patches Critical Remote Code Execution and Authentication Bypass Flaws in Apex Central and PolicyServer

Trend Micro has rolled out essential security updates to address a series of high-impact vulnerabilities discovered in two of its enterprise security solutions: Apex Central and the Endpoint Encryption (TMEE) PolicyServer. These newly disclosed issues, which include critical remote code execution (RCE) and authentication bypass bugs, could allow attackers to compromise systems without needing login credentials. 

Although there have been no confirmed cases of exploitation so far, Trend Micro strongly recommends immediate patching to mitigate any potential threats. The vulnerabilities are especially concerning for organizations operating in sensitive sectors, where data privacy and regulatory compliance are paramount. 

The Endpoint Encryption PolicyServer is a key management solution used to centrally control full disk and media encryption across Windows-based systems. Following the recent update, four critical issues in this product were fixed. Among them is CVE-2025-49212, a remote code execution bug that stems from insecure deserialization within PolicyValue Table Serialization Binder class. This flaw enables threat actors to run code with SYSTEM-level privileges without any authentication. 

Another serious issue, CVE-2025-49213, was found in the PolicyServerWindowsService class, also involving unsafe deserialization. This vulnerability similarly allows arbitrary code execution without requiring user credentials. An additional bug, CVE-2025-49216, enables attackers to bypass authentication entirely due to faulty logic in the DbAppDomain service. Lastly, CVE-2025-49217 presents another RCE risk, though slightly more complex to exploit, allowing code execution via the ValidateToken method. 

While Trend Micro categorized all four as critical, third-party advisory firm ZDI classified CVE-2025-49217 as high-severity. Besides these, the latest PolicyServer release also fixes multiple other high-severity vulnerabilities, such as SQL injection and privilege escalation flaws. The update applies to version 6.0.0.4013 (Patch 1 Update 6), and all earlier versions are affected. Notably, there are no workarounds available, making the patch essential for risk mitigation. 

Trend Micro also addressed separate issues in Apex Central, the company’s centralized console for managing its security tools. Two pre-authentication RCE vulnerabilities—CVE-2025-49219 and CVE-2025-49220—were identified and patched. Both flaws are caused by insecure deserialization and could allow attackers to execute code remotely as NETWORK SERVICE without authentication. 

These Apex Central vulnerabilities were resolved in Patch B7007 for the 2019 on-premise version. Customers using Apex Central as a Service will receive fixes automatically on the backend. 

Given the severity of these cybersecurity vulnerabilities, organizations using these Trend Micro products should prioritize updating their systems to maintain security and operational integrity.
Read more »
Ransomwares
CVE CVEs Cyber Attacks Malware Attack Malwares Microsoft ransomware attacks Ransomware group Ransomwares

Windows CLFS Zero-Day CVE-2025-29824 Exploited by Ransomware Group Storm-2460

 

A newly disclosed Windows zero-day vulnerability, tracked as CVE-2025-29824, is being actively exploited in cyberattacks to deliver ransomware, Microsoft has warned. This flaw affects the Windows Common Log File System (CLFS) driver and enables local privilege escalation—a method often used by attackers after gaining initial access. 

Microsoft’s Threat Intelligence and Security Response teams revealed that the bug is classified as a “use-after-free” vulnerability with a severity score of 7.8. While attackers need to compromise a system before they can exploit this flaw, it remains highly valuable in ransomware operations. Cybercriminals often rely on these types of vulnerabilities to turn a limited foothold into full administrative control across networks. 

The cybercrime group currently leveraging this zero-day is known as Storm-2460. Microsoft reports that the group is using the exploit to deploy a custom backdoor named PipeMagic, which in turn facilitates the installation of RansomEXX ransomware—a variant not commonly observed but still capable of serious disruption. So far, Storm-2460 has targeted organizations in industries such as IT, finance, and retail, with victims located in countries including the United States, Spain, Saudi Arabia, and Venezuela. 

Microsoft emphasized that the number of known cases remains small, but the sophistication of the exploit is concerning. This attack is notable for being part of a “post-compromise” campaign, meaning the attacker already has a presence within the system before using the flaw. These types of exploits are frequently used to escalate privileges and move laterally within a network, eventually leading to broader ransomware deployment. Microsoft issued a security advisory for CVE-2025-29824 on April 8 and urged organizations to install updates immediately. Failure to do so could leave critical systems vulnerable to privilege escalation and full network compromise. 

To mitigate risk, Microsoft advises businesses to prioritize patch management, restrict unnecessary administrative privileges, and closely monitor for unusual behavior across endpoints. Cybersecurity teams are also encouraged to review logs for any indicators of compromise related to PipeMagic or RansomEXX. As ransomware tactics continue to evolve, the exploitation of vulnerabilities like CVE-2025-29824 reinforces the need for proactive defense strategies and rapid incident response protocols.
Read more »
MIME
CVE CVE exploits CVEs Cyber Security Hacking WhatsApp Malwares Meta Meta Platforms MIME

WhatsApp Windows Vulnerability CVE-2025-30401 Could Let Hackers Deliver Malware via Fake Images

 

Meta has issued a high-priority warning about a critical vulnerability in the Windows version of WhatsApp, tracked as CVE-2025-30401, which could be exploited to deliver malware under the guise of image files. This flaw affects WhatsApp versions prior to 2.2450.6 and could expose users to phishing, ransomware, or remote code execution attacks. The issue lies in how WhatsApp handles file attachments on Windows. 

The platform displays files based on their MIME type but opens them according to the true file extension. This inconsistency creates a dangerous opportunity for hackers: they can disguise executable files as harmless-looking images like .jpeg files. When a user manually opens the file within WhatsApp, they could unknowingly launch a .exe file containing malicious code. Meta’s disclosure arrives just as new data from online bank Revolut reveals that WhatsApp was the source of one in five online scams in the UK during 2024, with scam attempts growing by 67% between June and December. 

Cybersecurity experts warn that WhatsApp’s broad reach and user familiarity make it a prime target for exploitation. Adam Pilton, senior cybersecurity consultant at CyberSmart, cautioned that this vulnerability is especially dangerous in group chats. “If a cybercriminal shares the malicious file in a trusted group or through a mutual contact, anyone in that group might unknowingly execute malware just by opening what looks like a regular image,” he explained. 

Martin Kraemer, a security awareness advocate at KnowBe4, highlighted the platform’s deep integration into daily routines—from casual chats to job applications. “WhatsApp’s widespread use means users have developed a level of trust and automation that attackers exploit. This vulnerability must not be underestimated,” Kraemer said. Until users update to the latest version, experts urge WhatsApp users to treat the app like email—avoid opening unexpected attachments, especially from unknown senders or new contacts. 

The good news is that Meta has already issued a fix, and updating the app resolves the vulnerability. Pilton emphasized the importance of patch management, noting, “Cybercriminals will always seek to exploit software flaws, and providers will keep issuing patches. Keeping your software updated is the simplest and most effective protection.” For now, users should update WhatsApp for Windows immediately to mitigate the risk posed by CVE-2025-30401 and remain cautious with all incoming files.
Read more »
Hackers
CVE CVEs Cybersecurity Dark Web Data Breach Data Leak data security FortiGate devices Hackers

Hackers Leak 15,000 FortiGate Device Configs, IPs, and VPN Credentials

 

A newly identified hacking group, the Belsen Group, has leaked critical data from over 15,000 FortiGate devices on the dark web, making sensitive technical details freely available to cybercriminals. The leak includes configuration files, IP addresses, and VPN credentials, significantly increasing security risks for affected organizations. 

Emerging on cybercrime forums and social media just this month, the Belsen Group has been actively promoting itself. As part of its efforts, the group launched a Tor website where it released the stolen FortiGate data, seemingly as a way to establish its presence in the hacking community. In a post on an underground forum, the group claimed responsibility for breaching both government and private-sector systems, highlighting this operation as its first major attack. 

The exposed data is structured within a 1.6 GB archive, organized by country. Each country’s folder contains multiple subfolders corresponding to specific FortiGate device IP addresses. Inside, configuration files such as configuration.conf store FortiGate system settings, while vpn-passwords.txt holds various credentials, some of which remain in plaintext. 

Cybersecurity researcher Kevin Beaumont examined the leak and confirmed that these files include firewall rules, private keys, and other highly sensitive details that could be exploited by attackers. Further analysis suggests that the breach is linked to a known vulnerability from 2022—CVE-2022-40684—which was actively exploited before Fortinet released a security patch. 

According to Beaumont, evidence from a forensic investigation into a compromised device revealed that this zero-day vulnerability provided attackers with initial access. The stolen data appears to have been gathered in October 2022, around the same time this exploit was widely used. Fortinet had previously warned that CVE-2022-40684 was being leveraged by attackers to extract system configurations and create unauthorized super-admin accounts under the name fortigate-tech-support. 

Reports from the German news site Heise further confirm that the leaked data originates from devices running FortiOS firmware versions 7.0.0-7.0.6 or 7.2.0-7.2.2. The fact that FortiOS 7.2.2 was specifically released to address this vulnerability raises questions about whether some systems remained compromised even after the fix was made available. 

Although the leaked files were collected over two years ago, they still pose a significant threat. Configuration details, firewall rules, and login credentials could still be exploited if they were not updated after the original breach. Given the scale of the leak, cybersecurity experts strongly recommend that administrators review their FortiGate device settings, update passwords, and ensure that no outdated configurations remain in use.
Read more »
Spam
critical vulnerabilities CVE CVE vulnerability CVEs Cyber Security Plugin Flaws plugin security Plugins RCE Spam

Critical Vulnerabilities in CleanTalk WordPress Plugin Put 200,000 Websites at Risk

 

Defiant has raised alarms about two significant vulnerabilities affecting CleanTalk’s anti-spam WordPress plugin, which could enable attackers to execute arbitrary code remotely without requiring authentication. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, are classified with a high severity score of 9.8 on the CVSS scale. They impact the “Spam protection, Anti-Spam, FireWall by CleanTalk” plugin, which boasts over 200,000 active installations on WordPress sites globally. 

The flaws pose a significant risk by allowing remote attackers to install and activate arbitrary plugins, including potentially vulnerable ones that can then be exploited for remote code execution (RCE). According to Defiant, the first vulnerability, CVE-2024-10542, involves an authorization bypass issue. This weakness exists in a function responsible for handling remote calls and plugin installations, where token-based authorization is used to secure these actions. 

However, two related functions intended to verify the originating IP address and domain name are vulnerable to exploitation. Attackers can manipulate these checks through IP and DNS spoofing, enabling them to specify an IP address or subdomain under their control. This bypasses the plugin’s authorization process, allowing the attacker to carry out actions such as installing, activating, deactivating, or uninstalling plugins without proper permissions. The vulnerability was discovered in late October and was addressed with the release of version 6.44 of the plugin on November 1. 

However, this update inadvertently introduced another vulnerability, CVE-2024-10781, which provided attackers with an alternative method of bypassing token authorization. CVE-2024-10781 arises from a flaw in how the plugin processes tokens for authorization. Specifically, if a website has not configured an API key in the plugin, attackers can use a token that matches an empty hash value to authenticate themselves. This effectively nullifies the intended security measures and allows attackers to install and activate arbitrary plugins, which can then be exploited for malicious purposes, such as executing remote code. 

The CleanTalk development team addressed this second vulnerability with the release of version 6.45 on November 14, which contains fixes for both CVE-2024-10542 and CVE-2024-10781. Despite the availability of this updated version, data from WordPress indicates that as of November 26, approximately half of the plugin’s active installations are still running outdated and vulnerable versions. This exposes a significant number of websites to potential exploitation. The risks associated with these vulnerabilities are considerable, as attackers could gain complete control over affected websites by leveraging these flaws. This includes the ability to install additional plugins, some of which may themselves contain vulnerabilities that could be exploited for further malicious activities. 

Website administrators using the CleanTalk anti-spam plugin are strongly urged to update to version 6.45 or later as soon as possible. Keeping plugins up to date is a critical step in maintaining the security of WordPress websites. By applying the latest updates, administrators can protect their sites against known vulnerabilities and reduce the risk of being targeted by cyberattacks. In addition to updating plugins, security experts recommend implementing additional security measures, such as monitoring for unauthorized changes, using a robust firewall, and conducting regular security audits. 

These practices can help ensure that websites remain secure against evolving threats. By addressing these vulnerabilities and staying proactive about updates, WordPress site owners can safeguard their online presence and protect the sensitive data entrusted to their platforms.
Read more »
Routers
CVE CVEs Cyber Security Cyber Vulnerabilities D-Link EOL firmware NAS Router vulnerability Routers

D-Link Urges Replacement of End-of-Life VPN Routers Amid Critical Security Vulnerability

 

D-Link has issued a strong warning to its customers, advising them to replace certain end-of-life (EoL) VPN router models immediately. This follows the discovery of a critical unauthenticated remote code execution (RCE) vulnerability that will not be addressed with security patches for the affected devices. The vulnerability was reported to D-Link by security researcher “delsploit,” although technical details have been withheld to prevent widespread exploitation. The flaw impacts all hardware and firmware versions of the DSR-150, DSR-150N, DSR-250, and DSR-250N models, particularly firmware versions 3.13 to 3.17B901C. 

These routers, which have been popular among home offices and small businesses worldwide, officially reached their end-of-service (EoS) status on May 1, 2024. D-Link’s advisory makes it clear that no further security updates will be issued for these devices. Customers are strongly encouraged to replace the affected models to avoid potential risks. For users who continue using these devices despite the warnings, D-Link suggests downloading the latest available firmware from their legacy website. 

However, it is important to note that even the most up-to-date firmware will not protect the routers from the RCE vulnerability. The company also cautions against using third-party open-firmware solutions, as these are unsupported and will void any product warranties. D-Link’s policy not to provide security fixes for EoL devices reflects a broader strategy within the networking hardware industry. The company cites factors such as evolving technologies, market demands, and product lifecycle maturity as reasons for discontinuing support for older models. The issue with D-Link routers is not an isolated case. 

Earlier this month, researcher “Netsecfish” revealed CVE-2024-10914, a command injection flaw affecting thousands of EoL D-Link NAS devices. Similarly, three critical vulnerabilities were recently disclosed in the D-Link DSL6740C modem. In both instances, the company chose not to release updates despite evidence of active exploitation attempts. The growing trend of security risks in EoL networking hardware highlights the importance of timely device replacement. 

As D-Link warns, continued use of unsupported routers not only puts connected devices at risk but may also leave sensitive data vulnerable to exploitation. By replacing outdated equipment with modern, supported alternatives, users can ensure stronger protection against emerging cybersecurity threats.
Read more »
Subscribe to: Posts (Atom)