
React2Shell Exploited Within Hours as Firms Rush to Patch

 

Two hacking groups linked to China have started exploiting a major security flaw in React Server Components (RSC) only hours after the vulnerability became public. 

The flaw, tracked as CVE-2025-55182 and widely called React2Shell, allows attackers to gain unauthenticated remote code execution, potentially giving them full control over vulnerable servers. 

The security bug has a maximum CVSS score of 10.0, which represents the highest level of severity. It has been fixed in React versions 19.0.1, 19.1.2 and 19.2.1, and developers are being urged to update immediately. According to a report shared by Amazon Web Services, two China-nexus groups named Earth Lamia and Jackpot Panda were seen attempting to exploit the flaw through AWS honeypot systems. 

AWS said the activity was coming from infrastructure previously tied to state-linked cyber actors. Earth Lamia has previously targeted organizations across financial services, logistics, retail, IT, universities and government sectors across Latin America, the Middle East and Southeast Asia. 

Jackpot Panda has mainly focused on sectors connected to online gambling in East and Southeast Asia and has used supply chain attacks to gain access. The group was tied to the 2022 compromise of the Comm100 chat application and has used trojanized installers to spread malware. 

AWS also noted that attackers have been exploiting the React vulnerability alongside older bugs, including flaws in NUUO camera systems. Early attacks have attempted to run discovery commands, create files and read sensitive information from servers. 

Security researchers say the trend shows how fast attackers now operate: they monitor new vulnerability announcements and add exploits to their scanning tools immediately to increase their chances of finding unpatched systems. 

A brief global outage at Cloudflare this week added to industry concern. Cloudflare confirmed that a change to its Web Application Firewall, introduced to help protect customers from the newly disclosed React flaw, caused disruption that led many websites to return “500 Internal Server Error” messages. 

The company stressed that the outage was not the result of a cyberattack. The scale of the React vulnerability is a major concern because millions of websites rely on React and Next.js, including large brands such as Airbnb and Netflix. 

Security researchers estimate that about 39 percent of cloud environments contain vulnerable React components. A working proof-of-concept exploit is already available on GitHub, raising fears of mass exploitation. Experts warn that even projects that do not intentionally use server-side functions may still be exposed because the affected components can remain enabled by default. 

Cybersecurity firms and cloud providers are urging organizations to take action immediately: 


  1. Apply official patches for React, Next.js and related RSC frameworks.
  2. Enable updated Web Application Firewall rules from providers including AWS, Cloudflare, Google Cloud, Akamai and Vercel.
  3. Review logs for signs of compromise, including suspicious file creation, attempts to read sensitive data or reconnaissance behavior.
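Step 1 above comes down to knowing which React release line each project is on. The following Python example is added here and is not from the article, AWS or the React project: it audits an npm package-lock.json (lockfileVersion 2 or 3) against the fixed versions named above, 19.0.1, 19.1.2 and 19.2.1. The set of watched package names and the sample lockfile are assumptions constructed for the example; release lines other than 19.0 to 19.2 are reported as unknown because the article names no fix for them.

```python
"""Audit a package-lock.json for React packages that predate the React2Shell fixes.

Fixed versions come from the article (19.0.1, 19.1.2, 19.2.1); the list of
package names below is an assumption, not an official affected-package list.
"""
import json
import re

# minor line -> first fixed version on that line (from the article)
FIXED = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}

# Assumed: react itself plus the packages that ship the RSC/Flight server code.
WATCHED = {"react", "react-dom", "react-server-dom-webpack",
           "react-server-dom-parcel", "react-server-dom-turbopack"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Split '19.2.0-canary-abc' into (19, 2, 0, 'canary-abc'); pre-release may be None."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def status(version):
    """Return 'patched', 'vulnerable' or 'unknown' (release line not covered by FIXED)."""
    major, minor, patch, pre = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"
    if (major, minor, patch) > fixed:
        return "patched"
    if (major, minor, patch) == fixed:
        # a pre-release of the fix version (19.0.1-rc.1) sorts before the fix itself
        return "vulnerable" if pre else "patched"
    return "vulnerable"


def audit_lockfile(lock):
    """lock: dict parsed from package-lock.json.

    Returns a sorted list of (path, package, version, status) for every watched
    package, including nested copies under other packages' node_modules.
    """
    results = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if name in WATCHED and "version" in meta:
            results.append((path, name, meta["version"], status(meta["version"])))
    return sorted(results)


def vulnerable(lock):
    """Only the entries that still need updating."""
    return [r for r in audit_lockfile(lock) if r[3] == "vulnerable"]


# Constructed lockfile fragment for offline testing; not a real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-dom": {"version": "19.1.2"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0-canary-abc123-20251101"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version, state in audit_lockfile(lock):
        print(f"{state:10} {name}@{version}  ({path})")
```

Run it with the path to a project's package-lock.json; with no argument it audits the constructed sample.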

Although widespread exploitation has not yet been confirmed publicly, experts warn that attackers are already scanning the internet at scale. 

Critical Vulnerabilities Found in React Server Components and Next.js


Open in the wild flaw

The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog after exploitation in the wild.

The flaw, CVE-2025-55182 (CVSS score: 10.0), also known as React2Shell, is a remote code execution (RCE) vulnerability that an unauthenticated remote threat actor can trigger without any prior setup. 

Remote code execution 

According to the CISA advisory, "Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints."

The problem comes from unsafe deserialization in the library's Flight protocol, which React uses to communicate between a client and server. As a result, an unauthenticated remote attacker can run arbitrary commands on the server by sending specially crafted HTTP requests. Unsafe deserialization, the conversion of untrusted text into live objects, is a well-known dangerous class of software vulnerability. 

About the flaw

"The React2Shell vulnerability resides in the react-server package, specifically in how it parses object references during deserialization," said Martin Zugec, technical solutions director at Bitdefender.

The incident surfaced when Amazon said it found attack attempts from infrastructure related to Chinese hacking groups such as Jackpot Panda and Earth Lamia. "Within hours of the public disclosure of CVE-2025-55182 (React2Shell) on December 3, 2025, Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda," AWS said.

Attack tactic 

Some attacks deployed cryptocurrency miners and ran "cheap math" PowerShell commands to verify successful exploitation, then dropped in-memory downloaders capable of retrieving additional payloads from a remote server.

According to data shared by attack surface management platform Censys, about 2.15 million instances of internet-facing services may be affected by this vulnerability. This comprises exposed web services using React Server Components and exposed instances of frameworks such as Next.js, Waku, React Router, and RedwoodSDK.


Microsoft Quietly Changes Windows Shortcut Handling After Dangerous Zero-day Abuse

 



Microsoft has changed how Windows displays information inside shortcut files after researchers confirmed that multiple hacking groups were exploiting a long-standing weakness in Windows Shell Link (.lnk) files to spread malware in real attacks.

The vulnerability, CVE-2025-9491, concerns how Windows reads and displays the "Target" field of a shortcut file. Attackers found that they could fill the Target field with long runs of blank spaces followed by malicious commands. When a user views the file's properties, Windows shows only the first part of that field, so the malicious command stays hidden behind the whitespace and the shortcut appears innocuous.

These types of shortcuts are usually distributed inside ZIP folders or other similar archives, since many email services block .lnk files outright. The attack relies on persuasion: Victims must willingly open the shortcut for the malware to gain an entry point on the system. When opened, the hidden command can install additional tools or create persistence.


Active Exploitation by Multiple Threat Groups

Trend Micro researchers documented in early 2025 that this trick was already being used broadly. Several state-backed groups and financially motivated actors had adopted the method to deliver a range of malware families, from remote access trojans to banking trojans. Later, Arctic Wolf Labs also observed attempts to use the same technique against diplomats in parts of Europe, where attackers used the disguised shortcut files to drop remote access malware.

The campaigns followed a familiar pattern. Victims received a compressed folder containing what looked like a legitimate document or utility. Inside sat a shortcut that looked ordinary but actually executed a concealed command once it was opened.


Microsoft introduces a quiet mitigation

Although Microsoft first said the bug did not meet the criteria for out-of-band servicing because it required user interaction, the company nonetheless issued a silent fix via standard Windows patching. With the patches in place, Windows now displays the full Target field in a shortcut's properties window instead of truncating the display after about 260 characters.

This adjustment does not automatically remove malicious arguments inside a shortcut, nor does it raise a special warning when an unusually long command is present. It merely gives users full visibility, which may help more cautious users spot suspicious content.
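The gap described above, that Windows now shows the full field but does not flag padding, can be closed by scanning shortcut files before they reach users. The following Python example is added here and is not from the article, Microsoft or ACROS: it parses only the Shell Link fields it needs (LinkFlags, RELATIVE_PATH and COMMAND_LINE_ARGUMENTS) and reports targets with long whitespace runs or lengths beyond the roughly 260 characters the old dialog showed. The 32-character run threshold, the choice of fields, and the sample shortcut bytes built by `build_lnk` are assumptions constructed for the example.

```python
"""Flag Windows .lnk files whose Target field is padded with whitespace
(the CVE-2025-9491 technique described above). Only the fields needed for
the check are parsed; ID lists, LinkInfo and extra data blocks are skipped."""
import struct

# LinkFlags bits from the Shell Link binary format
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

VISIBLE_LIMIT = 260  # roughly what the pre-fix properties dialog displayed (from the article)
PAD_RUN_LIMIT = 32   # assumed threshold: longer whitespace runs are treated as padding


def _read_string(data, off, unicode_):
    """StringData item: uint16 character count, then UTF-16LE or ANSI characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode_:
        return data[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return data[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(data):
    """Return the string-data fields of a .lnk as a dict (missing fields are '')."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = 0x4C  # fixed-size header
    if flags & HAS_ID_LIST:
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:
        (size,) = struct.unpack_from("<I", data, off)  # size includes itself
        off += size
    fields = {"flags": flags}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:
            fields[name], off = _read_string(data, off, flags & IS_UNICODE)
        else:
            fields[name] = ""
    return fields


def longest_space_run(text):
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch.isspace() else 0
        best = max(best, cur)
    return best


def inspect_lnk(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    f = parse_lnk(data)
    target = f["relative_path"] + " " + f["arguments"] if f["arguments"] else f["relative_path"]
    findings = []
    run = longest_space_run(f["arguments"])
    if run >= PAD_RUN_LIMIT:
        findings.append(f"arguments contain a {run}-character whitespace run")
    if len(target) > VISIBLE_LIMIT:
        findings.append(f"target is {len(target)} characters; older dialogs showed ~{VISIBLE_LIMIT}")
    hidden = f["arguments"].strip()
    if findings and hidden:
        findings.append(f"command after padding: {hidden[-60:]!r}")
    return findings


def build_lnk(relative_path, arguments):
    """Constructed sample for offline testing: a minimal Unicode .lnk carrying only
    RELATIVE_PATH and COMMAND_LINE_ARGUMENTS (no ID list, LinkInfo or extra data)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def item(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + item(relative_path) + item(arguments)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for line in inspect_lnk(fh.read()) or ["no padding detected"]:
                print(f"{path}: {line}")
```

Point it at .lnk files extracted from incoming archives; the findings list is plain data, so it can feed a mail-gateway or endpoint rule rather than relying on users opening the properties dialog.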

When questioned about the reason for the change, Microsoft repeated its long-held guidance: users shouldn't open files from unknown sources and should pay attention to its built-in security warnings.


Independent patch offers stricter safeguards

Because Microsoft's update is a matter of visibility rather than enforcement, ACROS Security has issued an unofficial micropatch via its 0patch service. The update its team released limits the length of Target fields and shows a warning before allowing a potentially suspicious shortcut to open. This stricter treatment, according to the group, would block the vast majority of malicious shortcuts seen in the wild.

This unofficial patch is now available to 0patch customers using various versions of Windows, including editions that are no longer officially supported.


How users can protect themselves

Users and organizations can minimize the risk by not opening shortcuts that come from unfamiliar sources, especially ones wrapped inside compressed folders. Security teams are encouraged to ensure Windows systems are fully updated, apply endpoint protection tools, and treat unsolicited attachments with care. Training users to inspect file properties and avoid launching unexpected shortcut files is also a top priority.

However, as exploitation of CVE-2025-9491 continues to appear in targeted attacks, the updated Windows behavior, user awareness, and security controls together form the best available layered defense for now. 

65% of Top AI Companies Leak Secrets on GitHub

 

Leading AI companies continue to face significant cybersecurity challenges, particularly in protecting sensitive information, as highlighted in recent research from Wiz. The study focused on the Forbes top 50 AI firms, revealing that 65% of them were found to be leaking verified secrets—such as API keys, tokens, and credentials—on public GitHub repositories. 

These leaks often occurred in places not easily accessible to standard security scanners, including deleted forks, developer repositories, and GitHub gists, indicating a deeper and more persistent problem than surface-level exposure. Wiz's approach to uncovering these leaks involved a framework called "Depth, Perimeter, and Coverage." Depth allowed researchers to look beyond just the main repositories, reaching into less visible parts of the codebase. 

Perimeter expanded the search to contributors and organization members, recognizing that individuals could inadvertently upload company-related secrets to their own public spaces. Coverage ensured that new types of secrets, such as those used by AI-specific platforms like Tavily, Langchain, Cohere, and Pinecone, were included in the scan, which many traditional tools overlook.

The findings show that despite being leaders in cutting-edge technology, these AI companies have not adequately addressed basic security hygiene. The researchers disclosed the discovered leaks to the affected organisations, but nearly half of these notifications either failed to reach the intended recipients, were ignored, or received no actionable response, underscoring the lack of dedicated channels for vulnerability disclosure.

Security Tips 

Wiz recommends several essential security measures for all organisations, regardless of size. First, deploying robust secret scanning should be a mandatory practice to proactively identify and remove sensitive information from codebases. Second, companies should prioritise the detection of their own unique secret formats, especially if they are new or specific to their operations. Engaging vendors and the open source community to support the detection of these formats is also advised.

Finally, establishing a clear and accessible disclosure protocol is crucial. Having a dedicated channel for reporting vulnerabilities and leaks enables faster remediation and better coordination between researchers and organisations, minimising potential damage from exposure. The research serves as a stark reminder that even the most advanced companies must not overlook fundamental cybersecurity practices to safeguard sensitive data and maintain trust in the rapidly evolving AI landscape.

Should You Still Trust Your Router? What Users Need to Know and How to Secure Home Wi-Fi today

 



Public discussion in the United States has intensified around one of the country’s most widely purchased home router brands after reports suggested that federal agencies are considering restrictions on future sales. The conversation stems from concerns about potential national security risks and the possibility of foreign influence in hardware design or data handling. While the company firmly denies these allegations, the ongoing scrutiny has encouraged many users to reassess the safety of their home Wi-Fi setup and understand how to better protect their networks.


Why the issue surfaced

The debate began when officials started examining whether equipment manufactured by the company could expose American networks to security risks. Investigators reportedly focused on the firm’s origins and questioned whether foreign jurisdictions could exert influence over product development or data processes.

The company has rejected these claims, saying its design, security functions, and oversight structures operate independently and that its leadership teams within the United States manage core product decisions. It maintains that no government has the ability to access or manipulate its systems.


Common router vulnerabilities users should understand

Even without the broader policy debate, home routers are frequently targeted by attackers, often through well-known weaknesses:

Hardware-level risks. In rare cases, security issues can originate in the physical components themselves. Malicious implants or flawed chips can give attackers a hidden entry point that is difficult for users to detect without specialized tools.

Unpatched security gaps. Zero-day vulnerabilities are flaws discovered by attackers before the manufacturer has prepared a fix. Some older or discontinued models may never receive patches, leaving users exposed for the long term.

Outdated firmware. Firmware updates serve the same purpose as software updates on phones and computers. Without them, routers miss critical security improvements and remain vulnerable to known exploits.

Botnets. Compromised routers are often absorbed into large collections of infected devices. These groups of hijacked systems are then directed to launch attacks, spread malware, or steal information.

Weak login credentials. Many intrusions occur simply because users keep the default administrator username and password. Attackers run automated tools that test the most common combinations in an attempt to break in.

Exposed remote settings. Some routers allow remote control panels to be accessed from outside the home network. If these remain active or are protected with simple passwords, attackers can quietly enter the system.

Outdated Wi-Fi encryption. Older wireless standards are easy for attackers to crack. Weak encryption allows outsiders to intercept traffic or join the network without permission.


How to strengthen your home network today

Any user can substantially improve their router’s security by following a few essential steps:

1. Change default passwords immediately. Use strong, unique credentials for both the router’s control panel and the Wi-Fi network.

2. Check for firmware updates regularly. Install every available update. If your device no longer receives support, replacement is advisable.

3. Enable the built-in firewall. It acts as the first barrier between your home network and outside threats.

4. Turn off remote management features. Only leave such functions active if you clearly understand them and require them.

5. Use modern Wi-Fi encryption. Choose WPA3 whenever your device supports it. If not, use the most up-to-date option available.

6. Consider a trusted VPN. It adds an extra layer of protection by encrypting your online activity.

7. Upgrade aging hardware. Older models often lack modern protections and may struggle to handle security patches or stable performance.


What users should do now

A potential restriction on any router brand is still under government review. For now, users should focus on ensuring their own devices are secured and updated. Strengthening home Wi-Fi settings, using current security practices, and replacing unsupported hardware will offer the most immediate protection while the situation continues to escalate. 


Software Supply Chain Attacks Surge to Record Highs in October, Driven by Zero-Day Flaws and Ransomware Groups

 

Software supply chain intrusions reached an unprecedented peak in October, surpassing previous monthly records by more than 30%, according to new research.

Cyble revealed in a blog post that threat actors on dark-web leak forums claimed 41 supply chain attacks in October—10 more than the earlier high recorded in April 2025. The report notes that supply chain incidents have more than doubled since April, with an average of 28 attacks per month, compared to the monthly average of 13 from early 2024 through March 2025. Cyble attributed the escalation to multiple factors.

The sharp rise has been fueled primarily by a “combination of critical and zero-day IT vulnerabilities and threat actors actively targeting SaaS and IT service providers,” Cyble wrote, adding that “the sustained increase suggests that the risk of supply chain attacks may remain elevated going forward.”

Additional contributors include cloud-security weaknesses and AI-powered phishing campaigns, with vishing also playing an important role in recent Scattered LAPSUS$ Hunters attacks on Salesforce environments.

All 24 industries monitored by Cyble experienced at least one supply chain breach this year, but IT and IT services firms were hit disproportionately. These organizations remain attractive to attackers due to their broad customer ecosystems and valuable access points. Cyble reported 107 supply chain attacks targeting IT companies so far this year—over three times more than those seen in financial services, transportation, technology, or government sectors.

Ransomware operations remain a major driver of this surge. Groups such as Qilin and Akira, which Cyble identified as the most active this year, have also carried out “an above-average share of supply chain attacks.”

Akira recently targeted a major open-source initiative, stealing 23GB of sensitive data including internal reports, confidential files, and issue-tracking information. Both Akira and Qilin have also compromised multiple IT providers serving high-risk verticals such as government, defense, intelligence, law enforcement, healthcare, energy, and finance. In one case, Qilin claimed to have obtained source code for proprietary tools used across public safety and security organizations.

Another Qilin incident involved breaching customers of a U.S. cybersecurity and cloud provider through “clear-text credentials stored in Word and Excel documents hosted on the company’s systems.”

A newer threat actor, Kyber, leaked more than 141GB of internal builds, databases, project files, and backups allegedly taken from a major U.S. aerospace and defense contractor specializing in communication and electronic warfare technologies.

Other notable October events included the Cl0p ransomware group's exploitation of Oracle E-Business Suite vulnerabilities and a breach involving Red Hat GitLab.

Cyble emphasized that mitigating supply chain threats is difficult because organizations inherently trust their vendors and partners. The firm stressed that security audits and third-party risk evaluations should become routine practice.

The researchers highlighted that the “most effective place to control software supply chain risks is in the continuous integration and development (CI/CD) process,” and advised that organizations thoroughly vet suppliers and enforce strong security requirements within contracts to strengthen third-party protection.

CISA Warns: Linux Kernel Flaw Actively Exploited in Ransomware Attacks

 

A critical Linux kernel vulnerability (CVE-2024-1086) is now actively exploited in ransomware attacks, according to a recent update from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). First publicly disclosed on January 31, 2024, this flaw stems from a decade-old code commit to the netfilter: nf_tables kernel component and was patched early in 2024. 

However, the exploit—which allows attackers with local access to escalate privileges and gain root control over affected systems—remains a severe threat for systems running kernel versions from 3.15 to 6.8-rc1, affecting prominent distributions like Debian, Ubuntu, Fedora, and Red Hat.

CISA’s latest advisory confirms the vulnerability is leveraged in live ransomware campaigns but doesn’t provide detailed incident counts or victim breakdowns. The agency added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, mandating federal agencies patch by June 20, 2024 or implement mitigations. These mitigations include blocklisting ‘nf_tables’ if not in use, restricting user namespace access to shrink the attack surface, and optionally deploying the Linux Kernel Runtime Guard (LKRG)—though the latter may introduce instability.

Security experts and community commentators highlight both the significance and scope of the risk. The flaw enables threat actors to achieve root-level system takeover—compromising defenses, altering files, moving laterally within networks, and exfiltrating sensitive data. 

Its effects are especially critical in server and enterprise contexts (where vulnerable kernel versions are widely deployed) rather than typical desktop Linux environments. For context, a security researcher known as 'Notselwyn' published a proof-of-concept exploit in March 2024 that clearly demonstrates effective privilege escalation on kernel versions 5.14 through 6.6, broadening attack feasibility for cybercriminals.

Immutability in Linux distributions (such as ChromeOS, Fedora Kinoite) is noted as a partial defense, limiting exploit persistence but not fully mitigating in-memory or user-data targeting attacks. CISA stresses following vendor-specific instructions for mitigation and, where remedies are unavailable, discontinuing product use for guaranteed safety. 

Community debate also reflects persistent frustration at slow patch adoption and challenges in keeping kernels up to date across varied deployment environments. The ongoing exploitation—as confirmed by CISA—underscores the critical need for timely patching, rigorous access controls, and awareness of Linux privilege escalation risks in the face of escalating ransomware threats.

Attackers Exploit Critical Windows Server Update Services Flaw After Microsoft’s Patch Fails

 

Cybersecurity researchers have warned that attackers are actively exploiting a severe vulnerability in Windows Server Update Services (WSUS), even after Microsoft’s recent patch failed to fully fix the issue. The flaw, tracked as CVE-2025-59287, impacts WSUS versions dating back to 2012.

Microsoft rolled out an emergency out-of-band security update for the vulnerability on Thursday, following earlier attempts to address it. Despite this, several cybersecurity firms reported active exploitation by Friday. However, Microsoft has not yet officially confirmed these attacks.

This situation highlights how quickly both cyber defenders and adversaries respond to newly disclosed flaws. Within hours of Microsoft’s emergency patch release, researchers observed proof-of-concept exploits and live attacks targeting vulnerable servers.

“This vulnerability shows how simple and trivial exploitation is once an attack script is publicly available,” said John Hammond, principal security researcher at Huntress, in an interview with CyberScoop. “It’s always an attack of opportunity — just kind of spray-and-pray, and see whatever access a criminal can get their hands on.”

The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply the latest patch and adhere to Microsoft’s mitigation steps.

A Microsoft spokesperson confirmed the re-release of the patch, explaining: “We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.” Microsoft did not specify when or how it discovered that the previous patch was insufficient.

According to Shadowserver, over 2,800 instances of WSUS with open ports (8530 and 8531) are exposed to the internet — a necessary condition for exploitation. Approximately 28% of these vulnerable systems are located in the United States.

“Exploitation of this flaw is indiscriminate,” warned Ben Harris, founder and CEO of watchTowr. “If an unpatched Windows Server Update Services instance is online, at this stage it has likely already been compromised. This isn’t limited to low-risk environments — some of the affected entities are exactly the types of targets attackers prioritize.”

Huntress has observed five active attack cases linked to CVE-2025-59287. Hammond explained that these incidents mostly involve reconnaissance activities — such as environment mapping and data exfiltration — with no severe damage observed so far. However, he cautioned that WSUS operates with high-level privileges, meaning successful exploitation could fully compromise the affected server.

The risk, Hammond added, could escalate into supply chain attacks, where adversaries push malicious updates to connected systems. “Some potential supply-chain shenanigans just opening the door with this opportunity,” he said.

Experts from Palo Alto Networks’ Unit 42 echoed the concern. “By compromising this single server, an attacker can take over the entire patch distribution system,” said Justin Moore, senior manager of threat intel research at Unit 42. “With no authentication, they can gain system-level control and execute a devastating internal supply chain attack. They can push malware to every workstation and server in the organization, all disguised as a legitimate Microsoft update. This turns the trusted service into a weapon of mass distribution.”

Security researchers continue to emphasize that WSUS should never be exposed to the public internet, as attackers cannot exploit the flaw in instances that restrict external access.

Microsoft deprecated WSUS in September, stating that while it will still receive security support, it is no longer under active development or set to gain new features.

Critical Oracle Suite Flaw Actively Exploited; CISA Orders Urgent Patch

 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attackers are actively exploiting a critical server-side request forgery (SSRF) vulnerability, CVE-2025-61884, in Oracle E-Business Suite's Configurator runtime component. Federal agencies have been directed to patch this flaw by November 10, 2025, as it is now listed in CISA’s Known Exploited Vulnerabilities catalog.

CVE-2025-61884, which carries a severity rating of 7.5, allows attackers to gain unauthorized access to sensitive data or even full access to all Oracle Configurator data. The vulnerability was first disclosed by Oracle on October 11, 2025, but the company did not initially confirm exploitation, despite evidence that the exploit was leaked by threat actors ShinyHunters and Scattered Lapsus$ in July. The patch fixes the SSRF flaw by validating the "return_url" parameter provided by attackers, blocking malicious requests if validation fails.

In early October, cybersecurity firm Mandiant disclosed that the Clop ransomware group had been extorting organizations using Oracle E-Business Suite zero-day flaws. Oracle responded by stating that Clop had exploited vulnerabilities patched in July. On October 3, ShinyHunters leaked an exploit for Oracle EBS, which was later linked to Clop. Oracle then disclosed CVE-2025-61882, which was unrelated and was patched for August attacks that targeted the /OA_HTML/SyncServlet endpoint.

Investigations by CrowdStrike and Mandiant revealed two distinct campaigns: the July campaign exploited the SSRF flaw in /configurator/UiServlet (CVE-2025-61884), while the August campaign targeted the /OA_HTML/SyncServlet endpoint, now fixed under CVE-2025-61882. The ShinyHunters exploit leaked earlier targets the UiServlet SSRF chain, not the SyncServlet flaw.

There is confusion about why Oracle listed the ShinyHunters exploit as an indicator of compromise for CVE-2025-61882 instead of CVE-2025-61884, despite evidence pointing to the latter. Oracle has not responded to media inquiries regarding this discrepancy or the status of CVE-2025-61882 as exploited. This incident highlights the ongoing risk to organizations using Oracle E-Business Suite and underscores the urgency of timely patching and robust vulnerability management.

Geospatial Tool Turned Into Stealthy Backdoor by Flax Typhoon

 

Chinese state-backed hacking group Flax Typhoon has been exploiting a feature within Esri’s ArcGIS software to maintain covert access to targeted systems for more than a year, according to new findings from ReliaQuest. The group, active since at least 2021 and known for espionage operations against entities in the U.S., Europe, and Taiwan, weaponized ArcGIS’s Server Object Extension (SOE) to transform the software into a webshell—essentially turning legitimate features into tools for persistent compromise.

Researchers found that the attackers targeted a public-facing ArcGIS server linked to a private backend server. By compromising the portal administrator credentials, they deployed a malicious extension that forced the system to create a hidden directory, which became their private command and control workspace. 

This extension included a hardcoded key, shielding their access from others while ensuring persistence. The hackers maintained this access long enough for the malicious file to become embedded in backup systems, effectively guaranteeing reinfection even if administrators restored the system from backups.

ReliaQuest described this as a particularly deceptive attack chain that allowed the group to mimic normal network activity, thereby bypassing typical detection mechanisms. Because the infected component was integrated into backup files, standard recovery protocols became a liability — a compromised backup meant a built-in reinfection vector. The tactic showcases Flax Typhoon’s hallmark strategy of exploiting trusted internal processes and tools rather than relying on advanced malware or sophisticated exploits.

This method is consistent with Flax Typhoon’s history of leveraging legitimate software components for espionage. Microsoft had previously documented the group’s capability to maintain long-term access to dozens of Taiwanese organizations using built-in Windows utilities and benign applications for stealth. The U.S. Treasury Department has sanctioned Integrity Technology Group, a Beijing-based company implicated in supporting Flax Typhoon’s operations, including managing infrastructure for a major botnet dismantled by the FBI.

ReliaQuest warned that the real danger extends beyond ArcGIS or Esri’s ecosystem — it highlights the inherent risks in enterprise software that depends on third-party extensions or backend access. The researchers called the case a “wake-up call,” urging organizations to treat every interface with backend connectivity as a high-risk access point, regardless of how routine or trusted it appears.

Windows 10 Support Termination Leaves Devices Vulnerable

Microsoft has officially ended support for Windows 10, marking a major shift impacting hundreds of millions of users worldwide. Released in 2015, the operating system will no longer receive free security updates, bug fixes, or technical assistance, leaving all devices running it vulnerable to exploitation. This decision mirrors previous end-of-life events such as Windows XP, which saw a surge in cyberattacks after losing support.

Rising security threats

Without updates, Windows 10 systems are expected to become prime targets for hackers. Thousands of vulnerabilities have already been documented in public databases like ExploitDB, and several critical flaws have been actively exploited. 

Among them are CVE-2025-29824, a use-after-free bug in the Common Log File System Driver with a CVSS score of 7.8; CVE-2025-24993, a heap-based buffer overflow in NTFS marked as "known exploited"; and CVE-2025-24984, which leaks NTFS log data and carries the highest EPSS score, 13.87%.

These vulnerabilities enable privilege escalation, code execution, or remote intrusion, and many of them have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog, a signal of how serious the risk is.

Limited upgrade paths

Microsoft recommends that users migrate to Windows 11, which features modernized architecture and ongoing support. However, strict hardware requirements mean that roughly 200 million Windows 10 computers worldwide remain ineligible for the upgrade. 

For those unable to transition, Microsoft provides three main options: purchasing new hardware compatible with Windows 11, enrolling in a paid Extended Security Updates (ESU) program (offering patches for one extra year), or continuing to operate unsupported — a risky path exposing systems to severe cyber threats.

The support cutoff extends beyond the OS. Microsoft Office 2016 and 2019 have simultaneously reached end-of-life, leaving only newer versions like Office 2021 and LTSC operable but unsupported on Windows 10. Users are encouraged to switch to Microsoft 365 or move licenses to Windows 11 devices. Notably, support for Office LTSC 2021 ends in October 2026.

Data protection tips

Microsoft urges users to back up critical data and securely erase drives before recycling or reselling devices. Participating manufacturers and Microsoft itself offer trade-in or recycling programs to ensure data safety. As cyber risks amplify and hackers exploit obsolete systems, users still on Windows 10 face a critical choice — upgrade, pay for ESU, or risk exposure in an increasingly volatile digital landscape.

Clop Ransomware Exploits Oracle Zero-Day in Major Extortion Campaign

The Clop ransomware gang has orchestrated a massive extortion campaign targeting Oracle E-Business Suite customers by exploiting a critical zero-day vulnerability tracked as CVE-2025-61882. The vulnerability, which carries a CVSS score of 9.8, affects Oracle EBS versions 12.2.3 through 12.2.14 and allows unauthenticated remote code execution without requiring credentials.

Beginning September 29, 2025, Clop operatives sent high-volume extortion emails to executives at numerous organizations, claiming to have stolen sensitive data from their Oracle EBS environments. However, investigations by Google Threat Intelligence Group and Mandiant revealed that active exploitation began much earlier—as early as August 9, 2025, with suspicious activity dating back to July 10, 2025. This means attackers exploited the vulnerability weeks before Oracle released a patch on October 4, 2025.

The vulnerability affects the Concurrent Processing component's BI Publisher integration within Oracle EBS, allowing attackers to execute arbitrary code and gain complete control over compromised servers. Researchers identified multiple distinct exploitation chains targeting various EBS components, including UiServlet and SyncServlet modules. The most probable attack vector involved the SyncServlet module, where attackers injected malicious XSL files into databases via the XDO Template Manager to trigger remote code execution.

The campaign involved sophisticated multi-stage malware frameworks, including GOLDVEIN.JAVA downloader and the SAGE malware family. These tools closely resemble malware families deployed during Clop's previous Cleo software compromise in late 2024, strengthening attribution to the notorious cybercrime group. Attackers successfully exfiltrated significant amounts of data from impacted organizations, affecting dozens of victims according to current assessments.

Clop, also known as TA505 or FIN11, has been active since 2019 and maintains a track record of exploiting zero-day vulnerabilities in enterprise platforms. The group previously targeted Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer systems. This latest campaign demonstrates Clop's continued focus on rapid zero-day exploitation of critical enterprise software for large-scale data extortion operations.

Oracle issued an emergency security alert on October 4, 2025, urging customers to apply the patch immediately. The FBI characterized the zero-day as "an emergency putting Oracle E-Business Suite environments at risk of full compromise". CISA added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog and issued urgent alerts regarding active exploitation for ransomware attacks worldwide.

Cisco Firewall Vulnerabilities Leave 50,000 Devices Exposed Worldwide

Nearly 50,000 Cisco firewall devices worldwide are currently exposed to significant security risks following the disclosure of three critical vulnerabilities in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products.

Statistics from the Shadowserver Foundation have highlighted the scale of this problem, revealing that thousands of these devices remain directly accessible via the internet and have yet to receive urgent security patches. 

The vulnerabilities, which were publicly announced on September 25, prompted the Cybersecurity and Infrastructure Security Agency (CISA) to issue a rare emergency patching directive, reflecting the severity and potential impact of these flaws.

The United States leads in terms of exposure, with more than 19,000 vulnerable devices identified, outpacing every other country. The United Kingdom follows with over 2,700 exposed units, while Japan, Germany, and Russia also have substantial numbers. 

Across Europe, other countries report fewer than 1,000 vulnerable devices each, but the cumulative risk remains global in scope. Shadowserver’s ongoing data collection will track mitigation efforts over the coming weeks, providing insights into how organizations respond to these urgent warnings.

Central to the threat are two particular vulnerabilities, CVE-2025-20362 and CVE-2025-20333, which have already been exploited by a highly sophisticated threat actor. This campaign has successfully targeted and breached several federal agencies along with organizations worldwide.

The nature of these vulnerabilities makes them especially dangerous: both relate to improper validation of HTTPS requests by the affected Cisco firewalls. This weakness could allow attackers to submit malicious requests that effectively bypass authentication controls, leaving affected systems open to compromise.

Specifically, CVE-2025-20362 enables attackers to access restricted VPN-related URLs that should otherwise require strong authentication, while CVE-2025-20333 allows malicious actors to execute arbitrary code with root privileges, dramatically increasing the potential for damaging network intrusions. 

In light of these dangers, U.S. federal agencies have been given until the end of Thursday to confirm with CISA that all vulnerable devices have been patched or otherwise mitigated against potential exploitation.

The urgency surrounding these vulnerabilities is underscored by the demonstrated capability of attackers and the ongoing risks to national and organizational cybersecurity worldwide. As real-time data continues to be collected, the response from security teams will be crucial in minimizing exposure and preventing future incidents related to these Cisco firewall flaws.

Critical WhatsApp Zero Click Vulnerability Abused with DNG Payload

Attackers are actively exploiting a recently discovered vulnerability in WhatsApp's iOS application as part of a sophisticated campaign, one that underscores how quickly zero-day vulnerabilities are being weaponised. The zero-click flaw, tracked as CVE-2025-55177 with a CVSS score of 5.4, lets a malicious actor force a victim's device to process content from an arbitrary URL without any user interaction.

The vulnerability gives threat actors a way to manipulate WhatsApp's device-linking synchronisation process so that the application processes attacker-controlled content.

On its own, the flaw could allow crafted content to be injected or services to be disrupted; its real danger emerged when it was chained with Apple's CVE-2025-43300, a flaw in the ImageIO framework that parses image files. Two further vulnerabilities in iOS and macOS allowed out-of-bounds memory writes, resulting in remote code execution on those systems.

Together these weaknesses formed a powerful exploit chain: a malicious image delivered in an incoming WhatsApp message could infect the device without the victim clicking, tapping or interacting with anything at all, a quintessential zero-click scenario. Investigators found the targeting to be deliberate and highly selective.

WhatsApp has confirmed that it notified fewer than 200 people about the threat, a figure in line with earlier mercenary spyware operations against high-value users. Apple has also acknowledged active exploitation in the wild and issued security advisories concurrently.

Researchers from Amnesty International noted that, despite initial signs of limited probing of Android devices, the campaign focused mainly on Apple's iOS and macOS ecosystems. The implications are particularly severe for businesses.

Corporate executives, legal teams, and employees with privileged access to confidential intellectual property risk being spied on, or having data exfiltrated, through WhatsApp on their work devices, which makes the app a direct and potentially invisible entry point into corporate systems.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability stems from an "incomplete authorisation of linked device synchronisation messages" in WhatsApp for iOS before version 2.25.2.173, WhatsApp Business for iOS before 2.25.1.78, and WhatsApp for Mac before 2.25.21.78.

Researchers believe the flaw was exploited as part of a complex chain together with a previously patched iOS vulnerability, CVE-2025-43300, to deliver spyware to targeted devices. A U.S. government advisory urges federal employees to update their Apple devices immediately, since the campaign has reportedly affected approximately 200 people.

The discovery adds to the growing evidence that advanced threat actors increasingly chain multiple zero-day exploits to circumvent hardened defences and compromise devices remotely. In 2024, Google's Threat Analysis Group reported 75 zero-days exploited in the wild, a figure that reflects how the pace of these attacks is accelerating.

This stealthy intrusion method continues to dominate as 2025 unfolds, with nearly one-third of all recorded compromise attempts worldwide occurring this year. Cybersecurity experts note that the WhatsApp incident once again demonstrates the fragility of digital trust, even on encrypted platforms once considered secure.

According to a technical analysis, the attackers exploited a subtle logic flaw in WhatsApp's device-linking system that allowed them to disguise malicious content as originating from the user's own paired device.

Through this flaw, a specially crafted Digital Negative (DNG) file could be delivered which, once the application processed it automatically, triggered a series of memory corruption events culminating in remote code execution. Researchers at DarkNavyOrg demonstrated a full proof-of-concept, showing how an automated script could authenticate, generate the malicious DNG payload, and send it to the intended victim without triggering any security alerts.

The exploit produces no visible warnings, pop-ups, or message notifications on the user's screen, giving attackers unrestricted access to messages, media, the microphone and cameras, and even letting them install spyware undetected. The vulnerability has been reported to WhatsApp and Apple, and both have released patches to mitigate the risk.

Even so, security experts recommend that users install the latest updates immediately and treat unsolicited media files with caution, even those apparently sent by trusted contacts. Organisations should strengthen endpoint monitoring, enforce mobile device management controls, and closely track anomalous messaging behaviour until remediation is complete.

The incident underlines the need for robust input validation, secure file handling, and timely security updates to prevent silent but highly destructive attacks on mainstream communication platforms. Cyber adversaries have long targeted such platforms, and WhatsApp is no exception.

Despite the platform's strong security framework and end-to-end encryption, threat actors continue to hunt for new vulnerabilities. Of the many types of cyberattack, security experts emphasise that zero-click exploits remain the most insidious, since they compromise devices without any action by the user.

Ritesh Bhatia, founder of V4WEB Cybersecurity, explained that V4WEB's recent WhatsApp advisory concerns one of these zero-click exploits, an attack method that does not require the victim to click, download, or tap anything. Unlike phishing, where a user must click a malicious link, zero-click attacks operate silently in the background.

According to Bhatia, the attackers combined a vulnerability in WhatsApp with a vulnerability in Apple's iOS to break into targeted devices, a process he described to Entrepreneur India as chaining vulnerabilities.

Chaining allows one weakness to provide entry while the other provides control of the whole system. Bhatia stressed that spyware deployed this way can perform a wide range of invasive functions, including reading messages, listening through the microphone, tracking location, and accessing the camera in real time.

Warning signs can include excessive battery drain, overheating, unusual data usage, or unexpected crashes. Anirudh Batra, a senior security researcher at CloudSEK, said zero-click vulnerabilities are the "holy grail" for hackers, because they can be exploited seamlessly even on fully updated and ostensibly secure devices, with no action required from the target.

Exploited successfully, the vulnerability gives attackers full control of targeted devices, allowing them to access sensitive data, monitor communications, and deploy additional malware without any visible effect. The incident also shows that the security risks of complex file formats and cross-platform messaging apps persist, since flaws in file parsers remain a common path to remote code execution.

DarkNavyOrg's investigation is continuing and also covers a Samsung vulnerability (CVE-2025-21043). Both WhatsApp and Apple have warned users to update their operating systems and applications immediately, and Meta confirmed that fewer than 200 users were notified of in-app threats.

Journalists, activists, and other public figures are reported to have been targeted. Meta spokesperson Emily Westcott stressed the importance of keeping devices current and enabling WhatsApp's privacy and security features. Amnesty International has also noted possible Android infections and is investigating further.

Similar spyware operations have occurred before, notably the one behind WhatsApp's 2019 lawsuit against Israel's NSO Group, which allegedly targeted 1,400 users with the Pegasus spyware that later became notorious for its role in global cyberespionage. Despite sanctions and international scrutiny, such surveillance operations continue to evolve, reflecting the persistent threat posed by advanced mobile exploits.

The latest revelations highlight the need for individuals and organisations to prioritise proactive over reactive security. As zero-click exploits grow more sophisticated, the traditional boundaries of digital security, which once relied solely on user caution, are eroding rapidly. Constant vigilance, prompt software updates, and layered defences are increasingly important for protecting both personal and business information.

Organisations should invest in threat intelligence, continuous monitoring, and regular mobile security audits to catch threats early. Individual users can reduce their exposure by keeping devices and applications current, enabling built-in privacy protections, and avoiding unnecessary third-party integrations.

The WhatsApp exploit is a reminder that even trusted, encrypted platforms can be compromised. Cyber espionage is becoming a silent, targeted business, and digital trust must be reinforced through transparent processes, rapid patching, and cooperation between technology companies and regulators. Awareness and timely action remain the strongest defence against invisible intrusions.

Project Zero Exposes Apple ASLR Bypass via NSDictionary Serialization Flaw

Google Project Zero has uncovered a sophisticated technique for bypassing Address Space Layout Randomization (ASLR) protections on Apple devices, targeting a fundamental issue in Apple’s serialization framework. Security researcher Jann Horn described how deterministic behaviors in NSKeyedArchiver and NSKeyedUnarchiver could enable attackers to leak memory pointer values without exploiting conventional bugs or timing-based side channels.

The vulnerability centers on the interaction between singleton objects, pointer-based hash values, and serialization routines. Specifically, Horn identified that NSNull—a singleton object within Apple’s Core Foundation (CFNull)—exposes its memory address through its hash value. Because this object resides in a fixed location in the shared cache, it creates a reliable oracle for leaking memory addresses, defeating standard ASLR defenses.

Attackers can exploit this by crafting malicious serialized input which, when de-serialized and then re-serialized by a victim application, can allow inference of key memory locations. By leveraging the predictable hashing of NSNumber keys and understanding how NSDictionary structures its internal hash table based on prime-numbered bucket counts, an attacker controls where keys are placed during serialization. The relative position of the NSNull key reveals the outcome of hash_code % num_buckets, letting attackers deduce the memory address used by NSNull.

Scaling this approach involves using dictionaries with different prime-sized bucket counts, repeatedly measuring key placements, and applying the Extended Euclidean Algorithm. This enables precise reconstruction of the NSNull pointer address. Horn’s proof-of-concept demonstrated the feasibility, though no real-world application was found with this pattern in production services. The attacker’s tooling involved generating specialized serialized input and computing memory addresses after receiving the victim’s output.

Apple addressed the issue in its March 31, 2025 security updates. Horn cautioned against frameworks using raw memory addresses as hash values, especially when those addresses are static, and recommended strict allowlisting during deserialization, not returning re-serialized attacker input, and keeping outputs within trusted boundaries—aligning with broader best practices for deserialization risks.

Horn linked this exploit to earlier research on hash-based attacks, such as hashDoS, but highlighted that this method exploits hash order determinism for information leakage rather than denial-of-service. Ultimately, the finding broadens the understanding of how seemingly safe serialization behavior can be weaponized, and underscores the importance of robust serialization hygiene in software security.
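The mechanism described above, reduced to a runnable model (an added example, not Project Zero's or Apple's code): a dictionary-like table whose re-serialized output lists keys in bucket order, with prime bucket counts and linear probing on collision (both modelling assumptions), integer keys that hash to their own value as NSNumber does, and one singleton key whose hash is a hidden address, as NSNull's was. The observer sees only the key order and rebuilds the address with the Chinese remainder theorem, the Extended Euclidean step the article mentions; the address value and the prime list are constructed.

```python
"""Model of the pointer-as-hash leak: deterministic bucket order plus a key
whose hash is its address turns re-serialization into an ASLR oracle."""

SINGLETON = "NSNull"              # stands in for the CFNull singleton
SECRET_ADDRESS = 0x18A2FC3B0      # constructed stand-in for the hidden pointer
# Bucket counts for the probe dictionaries (assumed prime table). Their
# product (about 1.18e12) exceeds the simulated address range, so the CRT
# solution is unique.
PRIMES = [1031, 1039, 1049, 1051]


class BucketDict:
    """Minimal open-addressing table with deterministic iteration order."""

    def __init__(self, num_buckets, hash_fn):
        self.num_buckets = num_buckets
        self.hash_fn = hash_fn
        self.slots = [None] * num_buckets

    def insert(self, key):
        idx = self.hash_fn(key) % self.num_buckets
        while self.slots[idx] is not None:          # linear probing
            idx = (idx + 1) % self.num_buckets
        self.slots[idx] = key

    def serialized_keys(self):
        """Re-serialization walks the buckets in order: this is the leak."""
        return [k for k in self.slots if k is not None]


def victim_reserialize(keys, num_buckets, singleton_hash):
    """Victim side: deserialize the supplied keys, then re-serialize them."""
    def hash_fn(key):
        return singleton_hash if key == SINGLETON else key
    table = BucketDict(num_buckets, hash_fn)
    for key in keys:
        table.insert(key)
    return table.serialized_keys()


def probe_keys(prime):
    """Singleton first, then the integers 0..prime-2.

    The singleton lands in bucket r = hash % prime. Integers below r take
    their own buckets; integer r collides and every later integer shifts one
    bucket to the right, so exactly r integers precede the singleton.
    """
    return [SINGLETON] + list(range(prime - 1))


def residue_from_order(order):
    """Integer keys emitted before the singleton == hash % prime."""
    return order.index(SINGLETON)


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("moduli must be pairwise coprime")
    return x % m


def crt(residues, moduli):
    """Solve x == r_i (mod m_i) for all i; unique modulo the product."""
    product = 1
    for m in moduli:
        product *= m
    total = 0
    for r, m in zip(residues, moduli):
        partial = product // m
        total += r * partial * modinv(partial, m)
    return total % product


def recover_address(primes, singleton_hash):
    """Observer side: one probe dictionary per prime, then combine residues."""
    residues = [
        residue_from_order(victim_reserialize(probe_keys(p), p, singleton_hash))
        for p in primes
    ]
    return crt(residues, primes)


if __name__ == "__main__":
    leaked = recover_address(PRIMES, SECRET_ADDRESS)
    print(f"recovered 0x{leaked:x}, actual 0x{SECRET_ADDRESS:x}")
```

The procedure recovers whatever value the singleton hashes to, which is why Horn's advice matters: with a hash unrelated to the object's address (a fixed constant, say), the same oracle yields nothing about memory layout.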

Akira Ransomware Breaches Networks in Under Four Hours via SonicWall VPN Exploit

Akira ransomware affiliates need less than four hours to breach organizations and launch attacks, according to researchers at Arctic Wolf. The group is exploiting stolen SonicWall SSL VPN credentials and has reportedly found ways to bypass multi-factor authentication (MFA).

Once inside, attackers quickly begin scanning networks to identify services and weak accounts. They leverage Impacket to establish SMB sessions, use RDP for lateral movement, and eventually target Domain Controllers, virtual machine storage, and backups. Additional accounts, including domain accounts, are created to install remote monitoring and management (RMM) tools and enable data theft. The process also includes establishing command-and-control channels, exfiltrating sensitive data, disabling legitimate RMM and EDR tools, deleting shadow copies and event logs, and using WinRAR with rclone or FileZilla for data transfers. The attack culminates with the deployment of Akira ransomware.

Akira activity has been rising since July 2025. Early reports suggested a SonicWall zero-day exploit, but investigations revealed attackers were abusing CVE-2024-40766, an improper access control flaw in SonicWall SonicOS management access and SSL VPN. Though SonicWall released a patch in August 2024, some organizations failed to reset SSL VPN passwords after upgrading from Gen 6 to Gen 7 firewalls, leaving them exposed.

Experts believe that attackers harvested privileged account credentials months earlier and are now reusing them against organizations that patched but never rotated passwords. Rapid7 also identified other weaknesses being exploited, including misconfigured SSLVPN Default User Group settings and the externally exposed Virtual Office Portal, which attackers use to configure OTP MFA on compromised accounts.

“In our investigation, we observed repeated malicious SSL VPN logins on accounts with OTP MFA enabled, ruling out scratch code usage in those cases. We also found no signs of malicious use of the compromised accounts prior to SSL VPN login (event ID 1080), nor did we observe unauthorized OTP unbinding events or other malicious configuration changes (event ID 1382) in the five days leading up to the intrusions,” Arctic Wolf researchers stated.

“Taken together, the evidence points to the use of valid credentials rather than modification of OTP configuration, though the exact method of authenticating against MFA-enabled accounts remains unclear.”

So far, victim organizations span multiple industries and sizes, indicating opportunistic targeting rather than focused campaigns. Researchers emphasize that the minimal time between breach and ransomware execution makes early detection and rapid response essential.

Defensive Measures

Arctic Wolf recommends organizations take the following steps:
  • Monitor or block logins originating from VPS hosting providers.
  • Watch for abnormal SMB and LDAP activity linked to Impacket and discovery tools.
  • Detect unusual execution of scanning and archival utilities on servers.
  • Leverage App Control for Business to restrict unauthorized remote tools and block execution from untrusted paths.
“If your SonicWall devices have previously run firmware versions vulnerable to CVE-2024-40766, we strongly recommend resetting all credentials stored on the firewall, including SSL VPN passwords and OTP MFA secrets,” Arctic Wolf advised. “This includes both local firewall accounts and LDAP-synchronised Active Directory accounts, especially where accounts have access to SSL VPN. Threat actors are abusing these credentials even when devices are fully patched, suggesting that credential theft may have occurred earlier in the lifecycle.”
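A detection sketch for the indicators listed above, written here as an added example (not Arctic Wolf's or SonicWall's code): it flags SSL VPN logins (event ID 1080) whose source falls in a VPS/hosting range, flags OTP configuration changes (event ID 1382), and correlates both on one account as a candidate for the credential and OTP-secret reset the post recommends. The log lines, message texts and the hosting-range list are constructed; only the two event IDs come from the article.

```python
"""Detection logic for SSL VPN logins from hosting ranges and OTP changes."""
import ipaddress
import re
from collections import defaultdict

SSLVPN_LOGIN = "1080"          # SSL VPN login event ID cited by Arctic Wolf
OTP_CONFIG_CHANGE = "1382"     # OTP unbinding / config change event ID

# Constructed key=value lines loosely modelled on firewall syslog output.
SAMPLE_LOGS = [
    'time="2025-09-10 02:14:03" m=1080 msg="SSL VPN login allowed" '
    'usr="jdoe" src=198.51.100.23:51412',
    'time="2025-09-10 02:15:41" m=1080 msg="SSL VPN login allowed" '
    'usr="svc-backup" src=203.0.113.77:44010',
    'time="2025-09-10 02:16:02" m=1382 msg="OTP binding removed" '
    'usr="svc-backup" src=203.0.113.77:44010',
    'time="2025-09-10 08:30:15" m=1080 msg="SSL VPN login allowed" '
    'usr="asmith" src=192.0.2.10:50011',
]

# Constructed placeholder; in practice this comes from a hosting/ASN feed.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# key=value or key="value with spaces"
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value line into a dict; quoted values may hold spaces."""
    fields = {}
    for key, quoted, bare in _KV.findall(line):
        fields[key] = quoted if quoted else bare
    if "src" in fields:                               # drop the source port
        fields["src_ip"] = fields["src"].rsplit(":", 1)[0]
    return fields


def from_hosting_range(ip_text, ranges=HOSTING_RANGES):
    """True when the address sits inside one of the hosting-provider ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in ranges)


def detect(lines, ranges=HOSTING_RANGES):
    """Return alerts for both rules, plus a per-account correlation of the two."""
    alerts = []
    hosting_logins = defaultdict(list)
    otp_changes = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        user, when, src = ev.get("usr", "?"), ev.get("time", "?"), ev.get("src_ip")
        if ev.get("m") == SSLVPN_LOGIN and src and from_hosting_range(src, ranges):
            alerts.append({"rule": "vpn_login_from_hosting_range",
                           "user": user, "src": src, "time": when})
            hosting_logins[user].append(when)
        elif ev.get("m") == OTP_CONFIG_CHANGE:
            alerts.append({"rule": "otp_config_change",
                           "user": user, "src": src, "time": when})
            otp_changes[user].append(when)
    # An account that both logged in from a hosting range and had its OTP
    # configuration changed matches two listed indicators at once; surface it
    # for the credential and OTP-secret reset the post recommends.
    for user in sorted(hosting_logins.keys() & otp_changes.keys()):
        alerts.append({"rule": "reset_credentials_and_otp_secret",
                       "user": user, "src": None, "time": min(hosting_logins[user])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```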

Cyble Flags 22 Vulnerabilities Under Active Exploitation, Including Ransomware Attacks

Cybersecurity researchers at Cyble have revealed 22 vulnerabilities currently being exploited by threat actors, with nine of them missing from the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

In its latest blog post, Cyble explained that twelve of the vulnerabilities were flagged by its honeypot sensors after detecting real-world attack attempts. Out of these twelve, only four are listed in CISA’s KEV catalog.

The report also highlights 10 vulnerabilities actively abused by ransomware groups. Interestingly, nine of those have already made it into CISA’s KEV catalog, with just one — CVE-2025-7771 in ThrottleStop.sys — standing out as an exception. This flaw has reportedly been exploited by the MedusaLocker ransomware group.

Adding to the urgency, SolarWinds today rolled out a hotfix addressing CVE-2025-26399 in SolarWinds Web Help Desk. The flaw bypasses patches for CVE-2024-28988, which itself was a patch bypass for CVE-2024-28986. Since CVE-2024-28986 is already part of the KEV catalog, experts warn the new 9.8 CVSS-rated vulnerability could quickly attract attention from attackers.

Cyble researchers documented 12 vulnerabilities under active attack, including:

  • CVE-2025-49493 – Akamai CloudTest (before version 60, 2025.06.02)

  • CVE-2025-5086 – DELMIA Apriso (Release 2020–2025), recently added as a rare ICS/OT flaw in the KEV catalog

  • CVE-2025-48827 – vBulletin 5.0.0–5.7.5 and 6.0.0–6.0.3 on PHP 8.1+

  • CVE-2025-45985 – Multiple Blink router models

  • CVE-2025-4427 – Ivanti Endpoint Manager Mobile up to 12.5.0.0 (in KEV catalog)

  • CVE-2025-4009 – Evertz SDVN 3080ipx-10G management interface

  • CVE-2025-32432 – Craft CMS 3.0.0-RC1 to <3.9.15, 4.0.0-RC1 to <4.14.15, 5.0.0-RC1 to <5.6.17

  • CVE-2025-31161 – CrushFTP 10 (before 10.8.4) and 11 (before 11.3.1), listed in KEV

  • CVE-2025-29306 – FoxCMS v1.2.5

  • CVE-2025-20188 – Cisco IOS XE Software for Wireless LAN Controllers

  • CVE-2025-47812 – Wing FTP Server (before 7.4.4), also in KEV

  • CVE-2025-54782 – NestJS versions 0.2.0 and below in @nestjs/devtools-integration

Cyble’s threat intelligence division also identified 10 vulnerabilities exploited by ransomware groups, tracked via open-source intelligence and internal monitoring. Notable cases include:

  • CVE-2025-53770 – Microsoft SharePoint Server, exploited by Storm-2603

  • CVE-2024-40766 – SonicWall SonicOS, targeted by Akira

  • CVE-2024-23692 – Rejetto HTTP File Server, targeted by an unknown group

  • CVE-2025-8088 – WinRAR for Windows, exploited by RomCom (Storm-0978 / Tropical Scorpius / UNC2596)

  • CVE-2025-29824 – Windows Common Log File System, abused by RansomExx (Storm-2460)

  • CVE-2025-31324 and CVE-2025-42999 – SAP NetWeaver Visual Composer Metadata Uploader, exploited in tandem by Scattered Spider

  • CVE-2023-46604 – Java OpenWire protocol marshaller, linked to Linux malware Drip Dropper

  • CVE-2025-24472 – FortiOS 7.0.0–7.0.16, FortiProxy 7.2.0–7.2.12 / 7.0.0–7.0.19, exploited by INC Ransom

According to Cyble, these vulnerabilities “should be high-priority fixes by security teams if they haven't been patched or mitigated already, and a risk-based vulnerability management program should be at the heart of every organization's cyber defenses.”

Misconfigurations Still Fuel Most Cloud Breaches in 2025

Cloud misconfigurations persist as the foremost driver of cloud breaches in 2025, revealing deep-seated challenges in both technological and operational practices across organizations. 

While cloud services promise remarkable agility and scale, the complexity of modern infrastructure and oversight failures continue to expose companies to widespread risks, often overshadowing technical advancements in security.

Roots of misconfigurations

At their core, cloud misconfigurations typically arise from the interplay of speed-driven development practices, insufficient cloud expertise, and gaps in secure deployment workflows. 

Developers and DevOps teams, pressured by tight release timelines, often prioritize functionality and rapid deployment over robust security—leading to frequent mistakes such as leaving storage buckets public, excessive user privileges, and open network ports. 

These errors are amplified by the sprawling nature of cloud environments, where hundreds of microservices and resources each require detailed security settings. The mere failure to reset default configurations provided by cloud vendors, designed for ease of use rather than security, opens the door to potential attacks if not properly hardened from the outset.

Security alert fatigue also impedes effective responses: cloud monitoring tools tend to flood teams with poorly categorized alerts lacking real-world context, causing crucial warnings to be overlooked amidst false positives. 

Compounding these issues is the persistent skill gap, as the rapid evolution of cloud technologies outpaces many professionals' ability to keep up—especially in areas requiring hybrid knowledge of architecture and security. Hardcoded secrets within application code further undermine defenses, making it easier for attackers to exfiltrate sensitive data.

Pathways to improvement

True progress lies in shifting from a reactive stance—where breaches are detected after the fact—to a proactive security-first approach integrated throughout development cycles. 

This means embedding security protocols at every step, continuously training staff on new cloud attack techniques, and leveraging advanced tools that understand context to reduce unnecessary alert volume. Organizations should also regularly audit permissions, segment networks, and rigorously manage all access credentials to mitigate both insider and external threats.

Ultimately, misconfigurations endure because cloud security is too often sidelined for speed, and technology alone cannot solve human and procedural failings. To tame this leading breach vector, organizations must treat security as inseparable from innovation—building robust, resilient frameworks that safeguard data as effectively as they enable growth.