Weekly Threat Landscape Digest – Week 11

1. Microsoft Security Updates – March 2025

Microsoft has released its March 2025 Patch Tuesday updates, addressing 57 vulnerabilities, including six actively exploited zero-day flaws and one publicly disclosed zero-day vulnerability. These vulnerabilities impact Windows operating systems, Microsoft Office, and system drivers, posing a significant risk of Remote Code Execution (RCE), privilege escalation, and information disclosure.

Notable Zero-Day Vulnerabilities

• Windows Fast FAT File System Driver RCE (CVE-2025-24985)
  • Attackers can execute malicious code by tricking users into opening specially crafted VHD files.
  • Impact: Remote Code Execution (RCE).
• Windows Win32 Kernel Subsystem Privilege Escalation (CVE-2025-24983)
  • Exploits a race condition in the Win32 kernel, allowing local attackers to gain SYSTEM privileges.
  • Impact: Privilege escalation.
• Windows NTFS Information Disclosure (CVE-2025-24984 & CVE-2025-24991)

Attackers can read portions of heap memory by exploiting physical access vulnerabilities using malicious USB devices or VHD file mounts.

• Impact: Information leakage.

• Windows NTFS Remote Code Execution (CVE-2025-24993)
  • Caused by a heap-based buffer overflow in NTFS, enabling attackers to execute arbitrary code.
  • Impact: Remote Code Execution (RCE).
• Microsoft Management Console Security Feature Bypass (CVE-2025-26633)
  • Allows attackers to bypass security features using malicious .msc files.
  • Exploited via phishing or social engineering attacks.
  • Impact: Security bypass.
• Microsoft Access Remote Code Execution (CVE-2025-26630)
  • A use-after-free vulnerability in Microsoft Office Access, exploited by tricking users into opening malicious .accdb files.
  • Impact: Remote Code Execution (RCE).

Mitigation & Recommendations

• Apply the March 2025 Microsoft security patches immediately.
• Block suspicious VHD file executions and restrict USB access to prevent NTFS-based exploits.
• Educate employees about phishing attacks involving .msc and .accdb files.
• Enable security monitoring tools to detect and prevent exploitation attempts.

Reference

https://msrc.microsoft.com/update-guide/releaseNote/2025-Mar

2. Ivanti Security Updates – March 2025

Ivanti has released security updates addressing vulnerabilities in Ivanti Secure Access Client (ISAC) and Ivanti Neurons for MDM (N-MDM). These vulnerabilities allow privilege escalation, unauthorized access, and potential system compromise.

Ivanti Secure Access Client (ISAC) – CVE-2025-22454

• Vulnerability Type: Insufficiently restrictive permissions
• Severity: High (CVSS Score: 7.8)
• Impact: 
  • Enables local authenticated attackers to escalate privileges.
  • Allows execution of code with higher privileges, modification of system settings, or unauthorized access to sensitive data.
• CWE: CWE-732 (Incorrect Permission Assignment for Critical Resource)

Ivanti Neurons for MDM (N-MDM)

• Vulnerability Type: Improper check for dropped privileges
• Severity: Medium (CVSS Score: 6.7)
• Impact: 
  • Remote authenticated attackers with admin privileges may retain their session despite privilege changes.
  • May lead to unauthorized access or manipulation of system settings.
• CWE: CWE-273 (Improper Check for Dropped Privileges)

Affected Systems

Ivanti Secure Access Client (ISAC)

• Impacted Product: Secure Access Client (Windows only)
• Affected Versions: 22.7R3 and prior
• Resolved Versions: 22.7R4, 22.8R1
• Patch Availability: Available via Ivanti Download Portal (Login Required)

Ivanti Neurons for MDM (N-MDM)

• Impacted Product: Ivanti Neurons for MDM
• Affected Versions: R110 and prior
• Resolved Version: R112 (Cloud service automatically updated as of 24-Feb-2025)

Mitigation & Recommendations

• Download and install the fixed versions of Ivanti Secure Access Client and Ivanti Neurons for MDM.
• Restrict local and remote access to affected systems until patches are applied.
• Monitor system logs for unusual activity or unauthorized privilege escalations.

Reference

• https://forums.ivanti.com/s/article/March-Security-Advisory-Ivanti-Secure-Access-Client-ISAC-CVE-2025-22454?language=en_US 
• https://forums.ivanti.com/s/article/Security-Advisory-March-2025-Ivanti-Neurons-for-MDM-NMDM?language=en_US 

3. Cisco Security Updates – March 2025

Cisco has released security updates addressing multiple vulnerabilities in IOS XR Software, which impacts ASR 9000 series routers and other network infrastructure products. These vulnerabilities pose risks such as remote code execution, privilege escalation, denial-of-service (DoS), and access control bypasses.

High Severity Vulnerabilities

• CVE-2025-20209: IKEv2 DoS Vulnerability 
  • Exploiting this vulnerability in Cisco IOS XR Software can lead to service disruption.
• CVE-2025-20141: DoS Vulnerability in Cisco IOS XR Release 7.9.2 
  • Impacts system stability and availability.
• CVE-2025-20143: Secure Boot Bypass 
  • Allows attackers to load untrusted firmware.
• CVE-2025-20146: Layer 3 Multicast DoS in ASR 9000 Series Routers 
  • Can cause network instability.
• CVE-2025-20142: IPv4 Unicast Packets DoS in ASR 9000 Series Routers 
  • Impacts network availability.
• CVE-2025-20138: CLI Privilege Escalation 
  • Potentially allows attackers to gain administrative access.
• CVE-2025-20177: Image Verification Bypass 
  • Enables unauthorized modifications to system images.
• CVE-2025-20169 & CVE-2025-20170: SNMP DoS Vulnerabilities 
  • Affect Cisco IOS, IOS XE, and IOS XR Software, compromising network monitoring capabilities.

Medium Severity Vulnerabilities

• CVE-2025-20144: Hybrid Access Control List Bypass in Cisco IOS XR Software 
  • May allow unauthorized traffic flow.
• CVE-2025-20145: Access Control List (ACL) Bypass 
  • Weakens network security policies.
• CVE-2025-20115: BGP Confederation DoS 
  • Disrupts routing operations.

Mitigation & Recommendations

• Apply Cisco security patches for affected devices immediately.
• Monitor network logs and system behavior for any anomalies related to these vulnerabilities.
• Regularly update software and firmware to prevent exploitation of known vulnerabilities.

Reference

• https://sec.cloudapps.cisco.com/security/center/publicationListing.x

4. Fortinet Security Updates – March 2025

Multiple high-severity vulnerabilities in Fortinet products, potentially allowing unauthorized access, code execution, information disclosure, and privilege escalation.

High-Severity Vulnerabilities

1. CVE-2023-48790 – FortiNDR Cross-Site Request Forgery (CSRF)
   • Impact: Allows a remote unauthenticated attacker to perform unauthorized actions via crafted HTTP GET requests.
2. CVE-2023-40723 – FortiSIEM Sensitive Information Disclosure
   • Impact: An attacker with access to the agent’s authorization header can extract database credentials via crafted API requests.
3. CVE-2024-45328 – FortiSandbox Incorrect Authorization
   • Impact: A low-privileged administrator can execute elevated CLI commands via the GUI console menu, leading to privilege escalation.
4. CVE-2024-55590 – FortiIsolator OS Command Injection
   • Impact: Allows an authenticated attacker with read-only admin permissions to execute unauthorized OS commands via CLI.
5. CVE-2024-45324 – FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiWeb Format String Vulnerability
   • Impact: A privileged attacker can execute remote code via specially crafted HTTP or HTTPS commands.
6. CVE-2024-52961 – FortiSandbox OS Command Injection
   • Impact: An authenticated attacker with read-only access can execute unauthorized commands via crafted requests.
7. CVE-2024-54027 – FortiSandbox Hard-Coded Cryptographic Key
   • Impact: Allows super-admin users with CLI access to extract sensitive data using a hard-coded cryptographic key.
8. CVE-2023-37933 – FortiADC Cross-Site Scripting (XSS)
   • Impact: An authenticated attacker can perform XSS attacks via crafted HTTP/HTTPS requests, potentially leading to session hijacking or data theft.

Mitigation & Recommendations

• Apply Fortinet security updates immediately to patch the affected products.
• Monitor system activity logs for suspicious behavior or unauthorized access attempts.
• Restrict privileged access to prevent exploitation of high-severity vulnerabilities.

Reference

• https://fortiguard.fortinet.com/psirt/FG-IR-23-353
• https://fortiguard.fortinet.com/psirt/FG-IR-23-117
• https://fortiguard.fortinet.com/psirt/FG-IR-24-261
• https://fortiguard.fortinet.com/psirt/FG-IR-24-178
• https://fortiguard.fortinet.com/psirt/FG-IR-24-325
• https://fortiguard.fortinet.com/psirt/FG-IR-24-306
• https://fortiguard.fortinet.com/psirt/FG-IR-24-327
• https://fortiguard.fortinet.com/psirt/FG-IR-23-216

5. GitLab Security Updates – March 2025

GitLab has issued a critical security patch for Community Edition (CE) and Enterprise Edition (EE), addressing multiple vulnerabilities. These include critical authentication bypasses and remote code execution (RCE) risks related to ruby-saml and graphql third-party libraries.

Key Vulnerabilities Addressed

1. Critical Vulnerabilities

• CVE-2025-25291 & CVE-2025-25292 – ruby-saml Authentication Bypass 
  • Impact: Allows an attacker with a valid signed SAML document to impersonate another user.
• CVE-2025-27407 – GraphQL Remote Code Execution (RCE) 
  • Impact: Exploitation could lead to RCE through malicious project transfers.

2. Other Vulnerabilities

• Denial of Service (DoS) due to inefficient processing of untrusted input.
• Credentials Disclosure during repository mirroring failures.
• Approval Rules DoS Vulnerability caused by unbounded fields.
• Low-severity vulnerabilities, such as shell code injection in Google integrations and improper permissions for guest users.

Fixed Versions

• GitLab CE/EE: Versions 17.9.2, 17.8.5, and 17.7.7

Recommendations

• Upgrade GitLab CE/EE to the latest patched versions immediately.
• Apply the mitigation steps if an immediate upgrade is not possible.
• Monitor authentication logs for unusual activity related to SAML or GraphQL transactions.

Reference

• https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/

6. NVIDIA Riva Security Update – March 2025

NVIDIA has released a security update for NVIDIA Riva, addressing multiple vulnerabilities that could lead to improper access control, privilege escalation, data tampering, denial of service (DoS), and information disclosure.

Key Vulnerabilities

1. CVE-2025-23242 – Improper Access Control

• Severity: High (CVSS Score: 7.3)
• Impact: 
  • Privilege escalation
  • Data tampering
  • Denial of service (DoS)
  • Information disclosure
• CWE: CWE-284 (Improper Access Control)

2. CVE-2025-23243 – Improper Access Control

• Severity: High (CVSS Score: 6.5)
• Impact: 
  • Data tampering
  • Denial of service (DoS)
• CWE: CWE-284 (Improper Access Control)

Affected Products

• Product: NVIDIA Riva
• Platform: Linux
• Affected Versions: All versions up to and including 2.18.0
• Fixed Version: 2.19.0

Recommendations

• Upgrade NVIDIA Riva to version 2.19.0, which contains the security patches for both vulnerabilities.
• Monitor system logs for signs of unauthorized access or unexpected data modifications.
• Restrict access to NVIDIA Riva services where possible to reduce the risk of exploitation.

Reference

• https://nvidia.custhelp.com/app/answers/detail/a_id/5625

7. Adobe Security Updates – March 2025

Adobe has released critical security updates addressing multiple vulnerabilities in Acrobat Reader, Substance 3D Suite, Illustrator, and InDesign. These flaws could allow attackers to execute arbitrary code, leading to potential system compromise.

Key Vulnerabilities

1. Adobe Acrobat and Reader

• Use After Free (CVE-2025-27174, CVE-2025-27159, CVE-2025-27160)
• Access of Uninitialized Pointer (CVE-2025-27158, CVE-2025-27162)
• Out-of-bounds Read (CVE-2025-27161, CVE-2025-24431, CVE-2025-27163, CVE-2025-27164)
• Impact: Arbitrary code execution, memory leaks

2. Adobe Substance 3D Suite

• Heap-based Buffer Overflow (CVE-2025-24439, CVE-2025-24443)
• Out-of-bounds Write (CVE-2025-24440, CVE-2025-24441, CVE-2025-24442, CVE-2025-24444, CVE-2025-24445)
• Impact: Arbitrary code execution

3. Adobe Illustrator

• Untrusted Search Path (CVE-2025-27167)
• Stack-based Buffer Overflow (CVE-2025-27168)
• Out-of-bounds Write (CVE-2025-27169)
• NULL Pointer Dereference (CVE-2025-27170)
• Impact: Code execution, information disclosure, denial of service

4. Adobe InDesign

• Out-of-bounds Write (CVE-2025-24452, CVE-2025-27166, CVE-2025-27175, CVE-2025-27178)
• Heap-based Buffer Overflow (CVE-2025-24453, CVE-2025-27171, CVE-2025-27177)
• NULL Pointer Dereference (CVE-2025-27176, CVE-2025-27179)
• Impact: Arbitrary code execution, memory leaks, application denial-of-service

Affected Versions

• Acrobat DC and Reader DC (25.001.20428 and earlier)
• Acrobat 2024 (24.001.30225 and earlier)
• Acrobat 2020 (20.005.30748 and earlier)
• Adobe Illustrator 2025 (29.2.1 and earlier)
• Adobe Substance 3D Sampler (4.5.2 and earlier)
• Adobe Substance 3D Painter (10.1.2 and earlier)
• Adobe Substance 3D Modeler (1.15 and earlier)
• Adobe Substance 3D Designer (14.1 and earlier)
• Adobe InDesign (ID20.1 and earlier, ID19.5.2 and earlier)

Recommendations

• Apply security patches immediately to mitigate the risk of exploitation.
• Restrict execution of untrusted files from unknown sources.
• Enable security features in Adobe applications to prevent exploitation.
• Monitor security logs for any suspicious activity.

Reference

• https://helpx.adobe.com/security/Home.html

8. Apple Critical Security Updates – March 2025

Apple has released a critical security update for a zero-day vulnerability (CVE-2025-24201) in WebKit, actively exploited in targeted attacks.

Vulnerability Details

• CVE ID: CVE-2025-24201
• Component: WebKit browser engine
• Type: Out-of-bounds write
• Impact: Sandbox escape, allowing unauthorized actions
• Exploitation: Actively exploited in the wild

Affected Devices

• iPhones: iPhone XS and later
• iPads: iPad Pro (13-inch, 12.9-inch 3rd gen+), iPad Pro (11-inch 1st gen+), iPad Air (3rd gen+), iPad (7th gen+), iPad mini (5th gen+)
• Macs: macOS Sequoia, Ventura, Sonoma
• Apple Vision Pro

Updated Versions

• iOS & iPadOS: 18.3.2
• macOS: Sequoia 15.3.2
• Safari: 18.3.1
• visionOS: 2.3.2

Recommendations

• Update immediately to the latest version.
• Enable automatic updates for timely security patches.
• Restrict access to unpatched devices in corporate environments.

Reference

https://support.apple.com/en-us/100100

9. Credential Leakage Vulnerability in Axios HTTP Client

A newly identified vulnerability (CVE-2025-27152) in the widely used JavaScript HTTP client library, Axios, poses significant security risks. This flaw can lead to credential leakage and Server-Side Request Forgery (SSRF) attacks.

Vulnerability Details

• CVE ID: CVE-2025-27152
• Severity: High (CVSSv4 Score: 7.7)
• Impact: Credential leakage, SSRF attacks, unauthorized access
• Exploitability: Attackers can exploit Axios’s handling of absolute URLs to bypass security controls and redirect requests.

Affected Versions

• Vulnerable: All Axios versions up to and including 1.7.9
• Fixed Version: Axios 1.8.2

Impact

1. Credential Leakage: Hardcoded authentication headers or tokens may be sent to unintended endpoints, leading to unauthorized access.
2. SSRF Attacks: Attackers can craft requests that access internal resources, exposing sensitive data.
3. Wide Attack Surface: With over 251 million monthly downloads, the risk is substantial.

Recommendations

• Upgrade Axios to version 1.8.2 or later immediately.
• Review applications using Axios to ensure proper URL validation.
• Monitor network logs for signs of unauthorized requests.

Reference

https://github.com/axios/axios/releases/tag/v1.8.2

10. Security Updates – SAP (March 2025)

SAP has released its monthly Security Patch Day updates, addressing 21 new security vulnerabilities and updates to 3 previously released security notes. These vulnerabilities impact multiple SAP products and could lead to unauthorized access, authentication bypass, and information disclosure.

High-Severity Vulnerabilities

• CVE-2025-27434: Cross-Site Scripting (XSS) in SAP Commerce (Swagger UI) – CVSS 8.8
• CVE-2025-26661: Missing Authorization Check in SAP NetWeaver (ABAP Class Builder) – CVSS 8.8
• CVE-2024-38286: Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud – CVSS 8.6

Updates to Previously Released Notes

• CVE-2025-24876: Authentication bypass in SAP Approuter (Updated from February 2025) – CVSS 8.1
• CVE-2024-39592: Missing Authorization Check in SAP PDCE (Updated from July 2024) – CVSS 7.7

Recommendations

• Apply the latest SAP security patches immediately to prevent exploitation.
• Restrict unauthorized access by reviewing user privileges.
• Monitor system logs for any unauthorized activities.

Reference

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/march2025.html

11. Google Chrome Security Updates – March 2025

Google has released a security update for Chrome Stable and Extended Stable channels, addressing multiple high and medium-severity vulnerabilities. These flaws could allow attackers to execute arbitrary code, escalate privileges, or cause denial of service (DoS).

High-Severity Vulnerabilities

• CVE-2025-1920 & CVE-2025-2135: Type confusion in V8
• CVE-TBD: Out-of-bounds write in GPU

Medium-Severity Vulnerabilities

• CVE-2025-2136: Use-after-free in Inspector
• CVE-2025-2137: Out-of-bounds read in V8

Fixed Versions

• Stable Channel Update: 
  • Chrome 134.0.6998.88/.89 for Windows, Mac
  • Chrome 134.0.6998.88 for Linux
• Extended Stable Channel Update: 
  • Chrome 134.0.6998.89 for Windows, Mac

Recommendations

• Update Google Chrome to the latest version immediately.
• Enable automatic updates to ensure continuous protection.
• Monitor for exploitation using security tools.

References

https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html
https://chromereleases.googleblog.com/

12. Critical Remote Code Execution Vulnerability in Veritas InfoScale – March 2025

A critical vulnerability (CVE-2025-27816) has been identified in Veritas Arctera InfoScale, allowing remote code execution (RCE) due to insecure deserialization in the Windows Plugin_Host service. This flaw could enable attackers to gain full control of affected systems.

Vulnerability Details

• CVE ID: CVE-2025-27816
• CVSS Score: 9.8 (Critical)
• Affected Component: Plugin_Host service
• Affected Versions: 
  • Arctera InfoScale Enterprise for Windows: Versions 7.0 to 8.0.2
  • Earlier unsupported versions may also be vulnerable.

Impact

• Remote attackers can execute arbitrary code by sending specially crafted messages to the vulnerable service.
• Potential consequences: 
  • Full system compromise
  • Malware installation
  • Data theft
  • Disruption of operations

Mitigation & Recommendations

• Disable the Plugin_Host Service: 
  • Stop the Veritas Plug-in Host Service (Plugin_Host) and set its startup type to Disabled.
• Use Manual DR Configuration: 
  • Follow Veritas’ manual DR setup guide to avoid the vulnerable component.
• Monitor Veritas Security Advisories for patches and apply updates as soon as they become available.

Reference

https://www.veritas.com/content/support/en_US/security/ARC25-002

13. Remote Code Execution (RCE) Vulnerability in python-json-logger – March 2025

A critical vulnerability (CVE-2025-27607) has been identified in python-json-logger, a widely used Python logging library. The vulnerability allows Remote Code Execution (RCE) via dependency hijacking, affecting organizations using the library in Python 3.13.x environments.

Vulnerability Details

• CVE ID: CVE-2025-27607
• Vulnerability Type: RCE via Dependency Hijacking
• Affected Versions: python-json-logger 3.2.0 to 3.2.1
• Affected Environments: Python 3.13.x with [dev] optional dependencies installed
• CVSS Score: 8.8 (High)
• Attack Vector: Network
• Exploit Availability: Proof of Concept (PoC) available
• Vulnerability Period: December 30, 2024 – March 4, 2025
• Fixed Versions: python-json-logger 3.3.0 and later

Potential Impact

• Remote Code Execution (RCE): Could allow full system compromise.
• Mass Exploitation Risk: Over 46 million downloads per month, making widespread attacks possible.
• Supply Chain Attack Vector: Affects developers and enterprises relying on python-json-logger.
• Data Breach & Malware Injection: Attackers could exfiltrate sensitive data and inject malicious code.

Mitigation & Recommendations

• Update immediately to python-json-logger 3.3.0 or later.
• Rebuild and redeploy affected environments to eliminate any injected malicious code.
• Audit third-party dependencies regularly and apply security patches.

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-27607

14. Exploited Vulnerability in Edimax IC-7100 IP Camera – March 2025

A critical command injection vulnerability (CVE-2025-1316) has been identified in the Edimax IC-7100 IP camera. This vulnerability is currently being exploited by botnet malware, allowing remote attackers to take full control of affected devices.

Vulnerability Details

• CVE ID: CVE-2025-1316
• CVSS Score: 9.3 (Critical)
• Vulnerability Type: OS Command Injection
• Impact: Remote Code Execution (RCE)
• Exploitability: Actively exploited in the wild

The vulnerability exists due to improper neutralization of incoming requests, allowing remote attackers to inject and execute arbitrary system commands.
Compromised devices are being leveraged by botnets for:

• Distributed Denial of Service (DDoS) attacks
• Proxying malicious traffic
• Pivoting to other network devices

Affected Product

• Edimax IC-7100 IP Camera
• End-of-life product – No further updates or patches available

Mitigation & Recommendations

• Take devices offline immediately and replace them with supported models.
• Isolate vulnerable devices behind firewalls and separate them from business networks.
• Use secure remote access methods such as VPNs for accessing devices.
• Monitor for compromise indicators, including performance degradation, overheating, unusual network activity, or unexpected configuration changes.

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-1316

15. Multiple Vulnerabilities in Apache Traffic Server – March 2025

Apache Traffic Server has released security updates to address multiple vulnerabilities affecting various versions of its web proxy cache. These vulnerabilities pose significant risks, including request smuggling, improper access control, and potential denial-of-service (DoS) conditions.

Vulnerability Details

1. CVE-2024-38311: Request Smuggling via Pipelining after Chunked Message Body
   • Cause: Improper input validation.
   • Impact: Attackers can manipulate network traffic and gain unauthorized access to sensitive information.
2. CVE-2024-56195: Improper Access Control in Intercept Plugins
   • Cause: Lack of proper access controls.
   • Impact: Attackers can intercept and modify network traffic, leading to data breaches.
3. CVE-2024-56196: Improper Access Control in ACLs (Access Control Lists)
   • Cause: Weak ACL implementation.
   • Impact: Attackers could bypass access control restrictions.
4. CVE-2024-56202: Expect Header Field Exploit
   • Cause: Misuse of the Expect header field.
   • Impact: Could lead to Denial-of-Service (DoS) attacks.

Affected Versions

• Apache Traffic Server 9.0.0 – 9.2.8 (CVE-2024-38311, CVE-2024-56195, CVE-2024-56202)
• Apache Traffic Server 10.0.0 – 10.0.3 (CVE-2024-38311, CVE-2024-56195, CVE-2024-56196, CVE-2024-56202)

Fixed Versions

• Apache Traffic Server 9.2.9
• Apache Traffic Server 10.0.4

Mitigation & Recommendations

• Update affected Apache Traffic Server versions to the latest fixed releases.
• Monitor network traffic for signs of request smuggling or unusual packet flows.
• Restrict access to critical services using properly configured ACLs.
• Implement strict input validation to prevent exploitation of request smuggling vulnerabilities.

Reference

https://lists.apache.org/thread/btofzws2yqskk2n7f01r3l1819x01023

16. High-Severity Vulnerability in QNAP Helpdesk – March 2025

A security vulnerability (CVE-2024-50394) has been identified in QNAP’s Helpdesk application. Improper certificate validation in Helpdesk version 3.3.x allows remote attackers to compromise system security. This flaw could be exploited for man-in-the-middle (MITM) attacks, data interception, and manipulation of system communications.

Vulnerability Details

• CVE ID: CVE-2024-50394
• Severity: High (CVSS Score: 7.7)
• Vulnerability Type: Improper certificate validation
• Impact: 
  • Attackers can intercept sensitive data.
  • Possible execution of MITM attacks to manipulate system communications.
  • Unauthorized access to affected devices.

Affected Versions

• QNAP Helpdesk version 3.3.x

Fixed Version

• Helpdesk 3.3.3 and later

Mitigation & Recommendations

• Upgrade Helpdesk to version 3.3.3 or later to mitigate risks.
• Restrict external access to the Helpdesk application if updates cannot be applied immediately.
• Monitor network traffic for suspicious connections and signs of MITM attacks.
• Implement strong authentication and encryption for sensitive communications.

Reference

https://www.qnap.com/en/security-advisory/qsa-25-05

17. Critical Vulnerability in Drupal AI Module – March 2025

A critical vulnerability has been identified in the Drupal AI Automators module, a submodule of the AI (Artificial Intelligence) project. The flaw allows attackers to execute remote code on affected systems by injecting arbitrary commands into shell execution processes.

Vulnerability Details

• CVE ID: SA-CONTRIB-2025-021
• Severity: Critical (Remote Code Execution – RCE)
• Vulnerability Type: Improper input sanitization leading to arbitrary command injection
• Impact: 
  • Remote Code Execution (RCE) on the host system.
  • Unauthorized access, data modification, and potential server takeover.
  • Full compromise of affected Drupal sites.

Affected Configurations

• Sites using AI Automators submodule with optional Automator Types enabled.
• Drupal AI module versions prior to 1.0.5.

Fixed Version

• AI module version 1.0.5 or later

Mitigation & Recommendations

• Upgrade the AI module to version 1.0.5 or later immediately.
• Disable the AI Automators submodule if an upgrade is not immediately possible.
• Restrict user input validation for automator fields to prevent injection attacks.
• Monitor web server logs for unusual command execution patterns.

Reference

https://www.drupal.org/sa-contrib-2025-021

18. Critical Vulnerabilities in DrayTek Vigor Routers – March 2025

Security researchers have identified multiple critical vulnerabilities in DrayTek Vigor routers, commonly used in SOHO (Small Office/Home Office) environments. These flaws could enable arbitrary code execution, denial-of-service (DoS) attacks, and unauthorized access, potentially leading to network compromise and data breaches. Some vulnerabilities have a CVSS score of 9.8, indicating extreme severity.

Key Vulnerabilities

1. CVE-2024-41335 (CVSS 7.5) – Timing Attack via Non-Constant Time Password Comparison
   • Attackers can deduce passwords by analyzing response times.
2. CVE-2024-41336 (CVSS 7.5) – Insecure Password Storage
   • Passwords stored in plaintext, making them easily accessible to attackers.
3. Predictable 2FA Code Generation
   • 2FA codes for WAN login are based on boot time, making them predictable and bypassable.
4. CVE-2024-41338 (CVSS 7.5) – DHCP Server NULL Pointer Dereference
   • Crafted DHCP requests can crash the DHCP server, causing network outages.
5. CVE-2024-41339 (CVSS 9.8) – Undocumented Kernel Module Installation via CGI Endpoint
   • Attackers can upload malicious kernel modules via an exposed CGI endpoint.
6. CVE-2024-41340 (CVSS 8.4) – APP Enforcement Signature Update Vulnerability
   • Attackers can install malicious kernel modules via signature updates.
7. CVE-2024-41334 (CVSS 9.8) – Missing SSL Certificate Validation in APP Enforcement
   • Attackers can use non-official servers to install malicious updates.
8. CVE-2024-51138 (CVSS 9.8) – TR069 STUN Server Buffer Overflow
   • Remote attackers can execute arbitrary code via a stack-based buffer overflow.
9. CVE-2024-51139 (CVSS 9.8) – CGI POST Integer Overflow
   • Heap overflows can be exploited for system takeover.

Affected Products

• Vigor165/166: 4.2.7+
• Vigor2860/2862/2925/2926: 3.9.8+ or 3.9.9.5+
• Vigor2865/2866/2927 (LTE/5G): 4.4.5.3+
• Vigor2962/3910: 4.3.2.8+ or 4.4.3.1+
• Vigor3912: 4.3.6.1+

References

https://www.draytek.com/about/security-advisory/denial-of-service,-information-disclosure,-and-code-execution-vulnerabilities

https://www.draytek.com/about/security-advisory/buffer-overflow-vulnerabilities-(cve-2024-51138-cve-2024-51139

19. Silk Typhoon – Targeting the IT Supply Chain

Silk Typhoon, a Chinese espionage group, has recently shifted tactics, focusing on IT supply chain attacks by compromising remote management tools and cloud applications. Although Microsoft cloud services have not been directly targeted, the group exploits unpatched applications to gain initial access, steal credentials, and escalate privileges in victim organizations.

Key Observations

1. Supply Chain Attacks
   • Silk Typhoon has been observed abusing stolen API keys and privileged access management (PAM) credentials.
   • Attackers compromised cloud app providers and data management companies, infiltrating downstream customer environments.
   • Primary victims: State and local governments, IT service providers, and MSPs.
2. Password Spray & Credential Abuse
   • Conducts password spray attacks and uses leaked credentials from public repositories (e.g., GitHub).
   • Exploits poor password hygiene to gain initial access.
   • Demonstrates extensive reconnaissance efforts before launching attacks.

Tactics, Techniques, and Procedures (TTPs)

1. Initial Access

• Exploiting Zero-Day Vulnerabilities: 
  • Recently exploited Ivanti Pulse Connect VPN (CVE-2025-0282).
  • Targets remote monitoring & identity management solutions.
• Compromised Credentials: 
  • Focuses on privileged access management (PAM) and cloud admin accounts.

2. Lateral Movement

• Targeting Entra Connect (formerly AADConnect) to escalate privileges and access both on-premises and cloud environments.
• Dumping Active Directory to harvest credentials.
• Manipulating OAuth applications & service principals to exfiltrate Microsoft 365 data (email, OneDrive, SharePoint).

3. Covert Infrastructure

• Uses compromised Zyxel routers, Cyberoam appliances, and QNAP devices to obfuscate malicious activities.
• Leverages short-term VPS servers for operations.

Historical Zero-Day Exploits Used by Silk Typhoon

1. GlobalProtect Gateway (Palo Alto Networks) – CVE-2024-3400
2. Citrix NetScaler ADC & Gateway – CVE-2023-3519
3. Microsoft Exchange (ProxyLogon) – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

Mitigation Measures

1. Patch Public-Facing Services: 
2. Secure Identities & Credentials: 
3. Harden Cloud Security Controls: 

References

• Microsoft Blog: https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/

20. Cybercriminals Exploit DeepSeek AI Hype to Spread Malware via X
    Cybercriminals are leveraging the popularity of DeepSeek AI to distribute malware through fraudulent websites and social media campaigns. The operation uses geofencing, compromised business accounts, and bot networks to amplify reach and evade detection, accumulating over 1.2 million views on X.

Key Tactics Used

• Fraudulent Websites – Attackers created deceptive domains like deepseek-pc-ai[.]com to mimic the official DeepSeek AI website.
• Geofencing – Tailors content based on visitors’ locations to refine tactics and reduce detection.
• Compromised Social Media Accounts – Attackers hijacked an Australian company’s X account to spread malicious links.
• Bot Network Amplification – Fake accounts boosted malicious posts, creating artificial engagement.

Malware Delivery & Impact

• Users downloading the fake DeepSeek client receive a trojanized installer.
• Malware uses Inno Setup to deliver Base64-encoded PowerShell scripts.
• Activates Windows SSH service, allowing remote unauthorized access.

Mitigation Recommendations

• Verify URLs before downloading AI software – Ensure domain names are legitimate.
• Use comprehensive security solutions like Kaspersky Premium to detect malicious sites.
• Keep software updated to patch vulnerabilities exploited by attackers.

Reference:
https://fintechnews.africa/44863/fintech-south-africa/cybercriminals-exploit-deepseek-ai-malware/

21. Strela Stealer Targeting European Countries

Strela Stealer is an advanced infostealer that exfiltrates email credentials from Mozilla Thunderbird and Microsoft Outlook. Active since 2022, it primarily targets Germany, Italy, Spain, and Ukraine through large-scale phishing campaigns.

Key Findings

• Delivery Method: Delivered via phishing emails disguised as invoices, containing a ZIP archive with a JScript loader.
• Geofencing Tactics: Malware verifies system locale before execution, ensuring only targeted European countries are infected.
• Evasion Techniques: 
  • Uses obfuscated scripts and multi-layered encryption to evade detection.
  • Employs control-flow flattening and redundant arithmetic operations to hinder analysis.
  • Utilizes fibers and FLS manipulation to mislead security tools.

Attack Execution

1. Initial Execution: 
   • The JScript loader downloads and executes a DLL from a C2 server without writing it to disk.
   • Displays a decoy PDF to reduce suspicion.
2. Second Stage: 
   • The obfuscated DLL allocates memory, decrypts the final payload, and executes it.
3. Final Stage – Credential Theft: 
   • Extracts Thunderbird credentials from key4.db and logins.json.
   • Steals Outlook credentials from Windows registry keys.
   • Gathers system information and exfiltrates it to the C2 server.

Mitigation Recommendations

• Block C2 domains and monitor network traffic for suspicious connections.
• Implement email filtering to detect phishing attempts.
• Use endpoint protection with advanced behavioral analysis.
• Ensure software is up to date to reduce vulnerability exploitation risks.

Reference:

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive-into-strela-stealer-and-how-it-targets-european-countries/

22. AI-Assisted Fake GitHub Repositories Distributing SmartLoader & LummaStealer

Cybercriminals are using fake GitHub repositories to distribute SmartLoader, which then delivers LummaStealer and other malware. These repositories mimic legitimate tools (e.g., game cheats, cracked software, cryptocurrency utilities) and leverage AI-generated content to appear trustworthy.

• Malware Delivery Tactics
  • Fake GitHub repositories contain AI-generated README files with structured content and links to malicious ZIP files.
  • Victims are tricked into downloading ZIP files containing SmartLoader, which deploys LummaStealer.
• SmartLoader to LummaStealer Execution
  • ZIP file contains an obfuscated Lua script executed by luajit.exe.
  • SmartLoader downloads and runs LummaStealer, which steals credentials, cryptocurrency wallets, and 2FA data.
  • Uses misnamed AutoIT interpreters and browser debugging techniques to evade detection.
• Evasion & Obfuscation Techniques
  • Uses obfuscated scripts and structured AI-generated content to evade security detection.
  • Stores malicious files in the Releases section of GitHub instead of standard file attachments.
  • Deploys encrypted payloads and sandbox evasion techniques.

Indicators of Compromise (IoCs)

• C2 Server: pasteflawwed[.]world
• Malicious ZIP Files: 
  • l.txt → search.exe
  • lmd.txt → debug.lua

Reference:

https://www.trendmicro.com/en_us/research/25/c/ai-assisted-fake-github-repositories.html 

23. Chinese Cyberespionage Group Deploys Custom Backdoors on Juniper Routers

The UNC3886 threat actor, a Chinese cyberespionage group, has been targeting end-of-life Juniper MX Series routers used by enterprises and ISPs. They bypass Junos OS file integrity protections to deploy custom TINYSHELL-based backdoors, gaining long-term access to compromised networks.

Key Findings

• Targeted Devices & Initial Access
  • Attackers exploited outdated Juniper routers running end-of-life hardware/software.
  • Used stolen credentials and targeted network authentication services like TACACS+ to gain privileged access.
• File Integrity Bypass & Malware Deployment
  • Used process injection techniques to bypass Junos OS veriexec protections.
  • Injected malicious shellcode into trusted processes (e.g., cat utility).
  • Deployed custom variants of TINYSHELL disguised as legitimate Junos OS processes (lmpad, appid, jdosd).
• Custom Backdoors & C2 Communications
  • Logging evasion: Malware disables router logs before establishing a remote session.
  • Persistent network access: Attackers used Operational Relay Box (ORB) networks to route traffic via compromised devices.
  • Network packet sniffing: Some variants monitor traffic, waiting for a “magic packet” to activate.
• Highly Customized Variants of TINYSHELL
  • Lmpad – Disables logging, encrypts shell traffic, and allows router config backup.
  • Appid – Connects to hardcoded C2 servers in an active backdoor mode.
  • Irad – Packet sniffer that activates upon receiving a specific ICMP packet.
  • Jdosd – Binds to UDP port 33512, encrypting traffic using RC4 encryption.
  • Oemd – Uses AES-encrypted TCP communication with a hardcoded C2 server.

Reference:

https://www.csoonline.com/article/3844122/chinese-cyberespionage-group-deploys-custom-backdoors-on-juniper-routers.html 

24. Desert Dexter Malware Campaign Targeting MENA Region

The Desert Dexter threat actor has been conducting a malicious campaign since September 2024, targeting individuals and organizations across the Middle East and North Africa (MENA). The campaign leverages social media (Facebook, Telegram) to distribute AsyncRAT, a malware variant used for stealing sensitive data, including cryptocurrency wallet information.

Attack Methodology

Initial Infection

• Fake news ads and geopolitical reports lure users on Facebook and Telegram.
• Malicious files are hosted on file-sharing services or Telegram channels disguised as legitimate media outlets.

Malware Delivery

• Victims download RAR archives containing BAT/JS files that trigger PowerShell scripts to execute AsyncRAT.
• PowerShell scripts terminate security processes, modify registry keys, and establish persistence.

Malware Capabilities

• Steals system data (hardware IDs, IPs, AV software) and sends it to an attacker-controlled Telegram bot.
• Extracts credentials from cryptocurrency wallets like MetaMask, Binance Wallet, and Ledger Live.
• Keylogging to capture keystrokes and active processes.

Persistence & Evasion

• Modifies registry keys to execute at startup.
• Injects code into .NET processes using a custom reflective loader to evade detection.

Network Infrastructure

• Uses Dynamic DNS (DDNS) with VPN IPs for obfuscation.
• Semantically similar domains used for malware delivery and command & control (C2).

Mitigation & Recommendations

Enhance Social Media Vigilance

• Educate users on risks associated with clicking on links from fake geopolitical news sources.
• Implement strict policies for social media access on corporate devices.

Strengthen Endpoint Security

• Deploy EDR solutions to detect/block malicious scripts (PowerShell, Batch files).
• Update AV software to detect AsyncRAT variants.

Reference:

https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/desert-dexter-attacks-on-middle-eastern-countries