Weekly Threat Landscape Digest – Week 14

1. Critical Zero-Day in Ivanti Products (CVE-2025-22457)

A critical stack-based buffer overflow vulnerability (CVE-2025-22457) has been disclosed in multiple Ivanti products, including Ivanti Connect Secure (ICS), Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways. The vulnerability allows unauthenticated remote attackers to execute arbitrary code. Active exploitation has been confirmed in the wild.

Key Details:

• CVE ID: CVE-2025-22457
• Severity: CVSS 9.0 (Critical)
• Vulnerability Type: Stack-based Buffer Overflow
• Exploitation in the Wild: Confirmed
• Impact: Remote Code Execution, Malware Deployment, Log Manipulation

Attack Chain:

1. Exploitation of buffer overflow in /home/bin/web
2. Deployment of TRAILBLAZE (a Base64-encoded dropper)
3. Loading of BRUSHFIRE (passive backdoor) into memory
4. Encrypted shellcode execution using SSL hooks
5. Log tampering and file hiding via SPAWNSLOTH, SPAWNSNARE, and SPAWNWAVE

Affected Versions:

• Ivanti Connect Secure: ≤ 22.7R2.5
• Pulse Connect Secure (EoS): ≤ 9.1R18.9
• Ivanti Policy Secure: ≤ 22.7R1.3
• ZTA Gateways: ≤ 22.8R2

Fixed Versions:

• Ivanti Connect Secure: 22.7R2.6
• Ivanti Policy Secure: 22.7R1.4 (April 21, 2025)
• ZTA Gateways: 22.8R2.2 (April 19, 2025)

Recommendations:

• Apply the latest security patches without delay
• If indicators of compromise are detected, perform a full factory reset before updating
• Conduct in-depth log analysis for signs of SPAWN-related activity
• Deploy EDR solutions to monitor suspicious processes
• Subscribe to Ivanti’s advisory portal for ongoing updates

References:
https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-PolicySecure-ZTA-Gateways-CVE-2025-22457?language=en_US
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability 

2. Vulnerability in WinRAR (CVE-2025-31334)

A medium-severity vulnerability has been identified in WinRAR, allowing attackers to bypass the Windows Mark-of-the-Web (MotW) security mechanism and execute arbitrary code without user warnings. The flaw is actively being analyzed due to its exploitation potential through symbolic links in .rar archives.

Key Details:

• CVE ID: CVE-2025-31334
• Severity: CVSS 6.8 (Medium)
• Vulnerability Type: Symlink handling bypass
• Impact: Arbitrary Code Execution, Malware Installation, Data Theft, System Damage
• Attack Vector: Malicious .rar files distributed via email, websites, or file-sharing platforms

Attack Method:
Crafted .rar files include symbolic links pointing to executables. When extracted and opened using a vulnerable version of WinRAR, these executables are run without triggering the Windows security prompt, bypassing MotW protections.

Affected Versions:

• WinRAR versions prior to 7.11

Fixed Version:

• WinRAR 7.11 and later

Recommendations:

• Immediately update WinRAR to version 7.11 or higher
• Avoid opening .rar files from unknown or untrusted sources
• Monitor for suspicious file extraction and execution behavior in endpoint systems

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-31334

3. Critical Vulnerability in Moxa Routers and Appliances (CVE-2025-0415)

A critical vulnerability (CVE-2025-0415) affecting multiple Moxa secure routers and network appliances has been identified. The flaw resides in the web interface’s NTP settings and allows authenticated attackers with admin privileges to execute arbitrary system commands. Exploitation could lead to full device compromise.

Key Details:

• CVE ID: CVE-2025-0415
• Severity: CVSSv4 9.2 (Critical)
• Vulnerability Type: Command Injection via Web Interface (NTP settings)
• Impact: Full system control, data theft, network pivoting, DoS
• Access Requirement: Authenticated admin access

Affected Products (Firmware ≤ vulnerable version):

• EDF-G1002-BP (3.14)
• EDR-810 (5.12.39)
• EDR-8010 (3.14)
• EDR-G9004 (3.14)
• EDR-G9010 (3.14)
• NAT-102 (3.15)
• OnCell G4302-LTE4 (3.14)
• TN-4900 (3.14)

Mitigation:

• Upgrade firmware to the latest versions provided by Moxa.
• For certain models (e.g., EDR-G9004, G9010, TN-4900), contact Moxa Technical Support for patched firmware.
• Apply strict access controls and monitor admin login attempts.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-0415

4. Security Updates – Jenkins Core and Plugins (Multiple CVEs)

Jenkins has released a security advisory addressing multiple vulnerabilities affecting its core and various plugins. These include missing permission checks, sandbox bypasses, CSRF issues, and the insecure handling of secrets and API keys. The most critical issue involves arbitrary code execution via the Templating Engine Plugin.

Key Details:

• CVE IDs: CVE-2025-31720 to CVE-2025-31728
• Severity: Ranges from Medium (CVSS 5.5) to High (CVSS 8.8)
• Impact: Arbitrary Code Execution, Data Exposure, CSRF Exploitation, Unauthorized Access

Highlighted Vulnerabilities:
– CVE-2025-31720 / CVE-2025-31721: Improper permission checks in agent configuration (Jenkins ≤ 2.503 / LTS ≤ 2.492.2).
– CVE-2025-31722: Sandbox bypass in Templating Engine Plugin (≤ 2.5.3) allowing arbitrary code execution.
– CVE-2025-31723: CSRF vulnerability in Simple Queue Plugin (≤ 1.4.6).
– CVE-2025-31724 to CVE-2025-31728: API keys and credentials stored in plaintext across multiple plugins, some without available fixes.

Recommendations:

• Update Jenkins core to 2.504 or LTS 2.492.3
• Update the following plugins:
  • Templating Engine Plugin to 2.5.4
  • Simple Queue Plugin to 1.4.7
  • Cadence vManager Plugin to 4.0.1-286.v9e25a_740b_a_48
• Rotate any stored API keys or passwords
• Disable or remove plugins with no available security fixes

Reference:
https://www.jenkins.io/security/advisory/2025-04-02/

5. Security Updates – Google Chrome (CVE-2025-3066 to CVE-2025-3074)

Google has released security updates for Chrome across all platforms (Windows, macOS, Linux, iOS, Android) to address multiple vulnerabilities. These issues may lead to arbitrary code execution, information disclosure, security bypass, or denial-of-service if exploited.

Key Details:

• CVE IDs: CVE-2025-3066 to CVE-2025-3074
• Severity: High (CVE-2025-3066), others Medium and Low
• Impact: Code Execution, Security Bypass, DoS, Info Disclosure
• High-Risk Flaw: CVE-2025-3066 – Use-after-free in Navigations

Affected Features:
– Custom Tabs
– Intents
– Extensions
– Autofill
– Downloads

Fixed Versions:
– Chrome 135.0.7049.52 (Linux)
– Chrome 135.0.7049.41/42 (Windows/Mac)
– Chrome 135.0.7049.53 (iOS)
– Chrome 135.0.7049.38 (Android)

Recommendations:

• Update Chrome to the latest available version immediately
• Enable automatic updates across user systems
• Monitor systems for outdated browser versions

References:
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/

6. Critical Apache Parquet RCE Vulnerability (CVE-2025-30065)

A critical remote code execution (RCE) vulnerability (CVE-2025-30065) has been discovered in the Apache Parquet Java library. The flaw, rated CVSS 10.0, allows attackers to execute arbitrary code via unsafe deserialization in the parquet-avro module. It affects all versions through 1.15.0 and requires no user interaction or authentication.

Key Details:

• CVE ID: CVE-2025-30065
• Severity: CVSS 10.0 (Critical)
• Vulnerability Type: Deserialization of Untrusted Data (CWE-502)
• Impact: Remote Code Execution, System Takeover, Data Tampering
• Exploit Requirements: Malicious Parquet file; no user interaction needed
• Affected: Apache Parquet Java ≤ 1.15.0 (including parquet-avro module)

Attack Vector:
Exploitation occurs when a specially crafted Parquet file is processed, triggering insecure class loading during Avro schema parsing.

Risk to Ecosystem:
Widespread across big data systems like Hadoop, Spark, Flink, and cloud platforms such as AWS, Azure, and GCP. Used by companies like Netflix, Uber, Airbnb, and LinkedIn.

Potential Impact:
– Full system compromise
– Data exfiltration or tampering
– Ransomware deployment
– Operational disruption

Remediation:

• Upgrade Apache Parquet Java library to version 1.15.1
• Validate Parquet files from external sources
• Enhance monitoring for file parsing systems
• Review data workflows for exposure points

References:
https://www.openwall.com/lists/oss-security/2025/04/01/1
https://cybersecuritynews.com/critical-apache-parquet-rce-vulnerability/

7. Security Updates – MongoDB (CVE-2025-3083, CVE-2025-3084, CVE-2025-3085)

MongoDB has disclosed three security vulnerabilities affecting multiple server versions, exposing deployments to unauthenticated denial-of-service attacks, query crashes, and TLS authentication bypass.

Key Details:

• CVE-2025-3083 (CVSS 7.5) – Unauthenticated DoS via malformed wire protocol messages
  – Impact: Crashes the mongos router, disrupting cluster operations
  – No authentication required
• CVE-2025-3084 (CVSS 6.5) – Crashes via invalid explain query parameters
  – Impact: Router crash through malicious queries or misconfigured applications
  – Affects versions including MongoDB 8.0.x < 8.0.4
• CVE-2025-3085 (CVSS 8.1) – TLS certificate revocation bypass
  – Impact: Accepts revoked intermediate certificates in MONGODB-X509 configurations
  – Risk: Unauthorized access in secured environments

Affected Versions:

• MongoDB 5.0.x < 5.0.31
• MongoDB 6.0.x < 6.0.20
• MongoDB 7.0.x < 7.0.16
• MongoDB 8.0.x < 8.0.4

Recommendations:

• Apply the latest MongoDB patches for all affected branches
• Validate TLS configurations and certificate revocation lists
• Monitor logs for signs of malformed queries or certificate misuse

References:
https://jira.mongodb.org/browse/SERVER-103152
https://jira.mongodb.org/browse/SERVER-103153
https://jira.mongodb.org/browse/SERVER-95445

8. VMware Aria Operations Local Privilege Escalation (CVE-2025-22231)

VMware has disclosed a high-severity local privilege escalation vulnerability (CVE-2025-22231) in its Aria Operations platform, affecting VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure. Exploitation allows attackers with admin access to execute commands as root.

Key Details:

• CVE ID: CVE-2025-22231
• Severity: CVSS 7.8 (High)
• Vulnerability Type: Improper Privilege Containment
• Impact: Root-level access and full system compromise
• Exploit Prerequisite: Requires local administrative access (e.g., via phishing or credential theft)

Affected Products:
– VMware Aria Operations (8.x)
– VMware Cloud Foundation (5.x, 4.x)
– VMware Telco Cloud Platform (5.x, 4.x, 3.x)
– VMware Telco Cloud Infrastructure (3.x, 2.x)

Fixed Versions:
– Aria Operations: 8.18 HF 5
– Telco Cloud Platform & Infrastructure: 8.18 HF 5
– Cloud Foundation: Patch guidance provided in VMware KB

Recommendations:

• Apply the latest security patches as per VMware’s response matrix
• Review admin account access for unusual activity
• Strengthen privilege management and monitor for local privilege escalations

Reference:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25541 

9. Security Updates – Apple Zero-Day Vulnerabilities (CVE-2025-24085, CVE-2025-24200, CVE-2025-24201)

Apple has released urgent security updates addressing three zero-day vulnerabilities actively exploited in the wild. The flaws affect multiple components including Core Media, Accessibility, and WebKit, and impact older and newer iOS, iPadOS, and macOS devices.

Key Details:

• CVE-2025-24085 (CVSS 7.3) – Use-after-free in Core Media enabling privilege escalation
• CVE-2025-24200 (CVSS 4.6) – Authorization bypass in Accessibility, allowing USB Restricted Mode to be disabled on locked devices
• CVE-2025-24201 (CVSS 8.8) – Out-of-bounds write in WebKit leading to sandbox escape via malicious web content

Impact:
– Arbitrary Code Execution
– Privilege Escalation
– Unauthorized Device Access

Fixed Versions:
– iOS/iPadOS: 15.8.4, 16.7.11, 17.7.6, 18.4
– macOS: Ventura 13.7.5, Sonoma 14.7.5, Sequoia 15.4
– Safari: 18.4
– tvOS: 18.4
– watchOS: 11.4
– visionOS: 2.4
– Xcode: 16.3

Affected Devices Include:
– iPhone 6s to iPhone X, iPad Air 2 through iPad Pro 13-inch, iPod touch (7th gen), Apple Watch Series 6+, Apple TV HD/4K, Apple Vision Pro

Recommendations:

• Apply all available Apple security updates immediately
• Review mobile device policies for legacy device usage
• Monitor endpoints for signs of exploitation targeting vulnerable components

Reference:
https://support.apple.com/en-ae/100100

10. Exploited Critical Vulnerabilities in Cisco Smart Licensing Utility (CVE-2024-20439 & CVE-2024-20440)

Cisco has disclosed multiple critical vulnerabilities in its Smart Licensing Utility (CSLU) that allow an unauthenticated, remote attacker to gain administrative access or obtain sensitive information. These vulnerabilities are actively exploited as of March 2025, with threat actors using botnets to scan for exposed instances.

Key Details:

• CVE-2024-20439: Static administrative credential vulnerability allowing remote login with default credentials
• CVE-2024-20440: Excessive verbosity in debug logs enables retrieval of API credentials via crafted HTTP requests
• CVSS Score: 9.8 (Critical)
• Exploitation Scope: Requires CSLU to be actively running
• Affected Versions: CSLU 2.0.0, 2.1.0, and 2.2.0 (patched in September 2024); CSLU 2.3.0 is not vulnerable

Recommendations:

• Upgrade Cisco Smart Licensing Utility to the fixed software release (migrate CSLU 2.0.0, 2.1.0, or 2.2.0 to the fixed release; use version 2.3.0)
• If CSLU is not required, disable the service to prevent exploitation

Reference:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sacslu-7gHMzWmw

11. SMS Phishing Campaign – Fake Unpaid Toll Message Attack

A large-scale phishing campaign is targeting mobile users with fake unpaid toll notifications, using advanced social engineering and infrastructure to steal login credentials. The operation is powered by the “Lucid” Phishing-as-a-Service (PhaaS) platform and has been linked to tens of thousands of malicious domains.

Key Details:

• Attack Vector: SMS messages claiming unpaid toll violations
• Initial Method: No links included; users are instructed to reply to the message
• Follow-Up: Attackers send phishing links mimicking local toll agency websites
• Target: Victims across various countries; infrastructure primarily hosted in China
• Impact: Stolen credentials sold on dark markets; bypasses traditional detection
• Success Rate: ~5%—higher than typical email-based phishing campaigns

Threat Infrastructure:
– Supported by “Lucid” PhaaS platform
– Dynamic phishing pages based on user IP and device (iOS/Android)
– Blocks security researchers via geofencing and URL filtering
– Resilient to takedown attempts, with new domains provisioned rapidly

Related Services in Use:
– Lighthouse, Darcula, EvilProxy, W3II

Recommendations:

• Users should avoid responding to unsolicited toll messages
• Confirm violation claims directly via official toll websites or apps
• Organizations should educate users on advanced phishing tactics

Reference:
https://cybersecuritynews.com/beware-of-fake-unpaid-toll-message-attack/

12. Tax-Themed Phishing Campaigns Steal Credentials and Deploy Malware

Microsoft has reported multiple phishing campaigns leveraging tax-related lures to steal credentials and deliver malware. These attacks target U.S. and European organizations and utilize PhaaS platforms, remote access trojans, and QR code-based delivery methods to evade detection.

Key Details:

• Attack Theme: Tax-related phishing emails, PDFs, and QR codes
• Delivery Methods: URL shorteners, malicious attachments, open redirects, and QR codes
• PhaaS Platforms: RaccoonO365, used to host phishing infrastructure
• Malware Delivered: Remcos RAT, Latrodectus, AHKBot, GuLoader, BRc4

Attack Techniques:
– Emails with fake DocuSign-themed PDF links redirecting to malware
– Conditional payloads based on victim IP or device fingerprint
– QR codes leading to fake Microsoft 365 login pages
– Excel macro-based downloads executing AutoHotKey scripts (AHKBot)
– GuLoader dropping .bat files and installing Remcos

Targeted Sectors:
– Over 2,300 U.S. organizations, especially in IT, engineering, and consulting

Recommendations:

• Use phishing-resistant MFA (e.g., FIDO2 security keys)
• Block known malicious domains and URL shorteners
• Educate users to avoid scanning QR codes from untrusted emails
• Monitor for suspicious PDF/Excel attachments with embedded links or macros

References:
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
https://cybermaterial.com/tax-phishing-campaigns-steal-credentials/

13. Oracle Reports Data Breach Involving Legacy Gen 1 Servers

Oracle has confirmed a data breach affecting its older Gen 1 servers, exposing approximately 6 million records including usernames, hashed passwords, SSO/LDAP credentials, and Java Key Store (JKS) files. The attacker, “rose87168,” exploited a 2020 Java vulnerability to deploy malware and access Oracle’s Identity Manager (IDM) database.

Key Details:

• Initial Access: January 2025 (undetected until late February)
• Disclosed: March 20, 2025, via Breachforums
• Data Exfiltrated: Hashed passwords, SSO/LDAP credentials, JKS and JPS keys
• Exploit: Legacy Java vulnerability
• Ransom Demand: $20 million; attacker also sought zero-day exploit exchanges
• Validation: Researchers confirmed portions of leaked data as authentic
• System Impacted: Oracle Gen 1 legacy servers only

Company Response:

• Affected clients notified
• Gen 2 Oracle Cloud and primary infrastructure confirmed safe
• Advised credential resets, activity monitoring, and enhanced security measures
• Ongoing internal investigation with reinforced controls for legacy systems

Context:
This breach follows a recent, separate breach involving Oracle’s Cerner servers in its Health division. The incidents have raised questions about the security of Oracle’s legacy infrastructure.

Recommendations:

• Enterprises using legacy systems should assess exposure and migrate to secure platforms
• Review Identity Manager logs for unauthorized access
• Apply threat detection for JKS/LDAP usage anomalies

Reference:
https://gbhackers.com/oracle-reports-data-breach/

14. New Android Spyware Demands Password for Uninstallation

A newly identified Android spyware app is using advanced evasion tactics to avoid removal by requiring a password—set by the installer—to uninstall the app. This spyware abuses Android’s “overlay” and “device admin” permissions to hijack system functions and remain hidden from users.

Key Details:

• Persistence Technique: Prompts for a password during uninstallation attempts
• Camouflage: Disguised as “System Settings” with a default Android icon
• Stealth Features: Hides from the home screen and sends data (messages, photos, location) to a remote dashboard
• Installation Method: Typically installed via direct access to the phone; not available on official app stores

Technical Abuse:
– Uses overlay permission to block uninstallation with fake screens
– Gains device admin privileges to prevent removal
– Behaves like consumer-grade “stalkerware,” often misused for spying on partners or individuals

Removal Instructions:

1. Reboot to Safe Mode (hold power > long-press Power Off > confirm reboot)
2. Disable suspicious Device Admin apps in settings
3. Uninstall the spyware via app settings
4. Restart the device to exit safe mode and update passcodes

Recommendations:

• Avoid downloading apps from unofficial sources
• Regularly review app permissions and installed apps
• Report malicious spyware to local authorities if intent is criminal
• Educate users about risks associated with stalkerware

Reference:
https://gbhackers.com/new-android-spyware-tricks-users

15. Malicious PyPI Package “disgrasya” Targets WooCommerce with Carding Script

A malicious Python package named “disgrasya” was discovered on the PyPI repository, containing a fully automated carding script designed to validate stolen credit card data against real WooCommerce stores using CyberSource as the payment gateway. The package emulates customer behavior to bypass fraud detection.

Key Details:

• Package Name: disgrasya
• Target: WooCommerce sites using CyberSource
• Download Count: Over 34,860 before removal
• Malicious Since: Version 7.36.9 and onward
• Behavior: Mimics full checkout flow to validate stolen credit card data
• Exfiltration Endpoint: railgunmisaka.com

Attack Flow:

1. Extracts a product ID from the target store
2. Adds the product to cart using WooCommerce’s AJAX APIs
3. Captures CSRF and CyberSource tokens from checkout page
4. Submits stolen card data to attacker’s server for validation
5. Sends tokenized data to CyberSource endpoint to simulate payment

Risk Factors:
– Bypasses traditional fraud detection via realistic shopping simulation
– Randomized customer data used to avoid pattern detection
– Operates without disguise, focusing on mass deployment and effectiveness
– Highlights ongoing supply chain risks from public code repositories

Recommendations:

• E-commerce merchants should monitor checkout activity for unusual behavior patterns
• Audit PyPI dependencies in CI/CD pipelines
• Implement fraud detection tuned for behavioral analysis and token anomalies
• Block or monitor traffic to suspicious domains like railgunmisaka.com

Reference:
https://cybersecuritynews.com/malicious-pypi-package-with-fully-automated-carding-script/

16. RolandSkimmer: Malicious Browser Extensions Steal Credit Card Data via Chrome, Edge, and Firefox

A sophisticated new credit card skimming campaign dubbed RolandSkimmer is targeting users through malicious browser extensions on Chrome, Edge, and Firefox. The campaign primarily affects users in Bulgaria and leverages deceptive ZIP archives, advanced obfuscation, and persistent browser access to steal sensitive financial data.

Key Details:

• Attack Vector: ZIP archive (faktura_3716804.zip) containing malicious LNK shortcut
• Browsers Targeted: Chrome, Edge, Firefox
• Skimming Method: Malicious extensions with elevated permissions monitor form fields across websites
• Marker: Stolen data tagged with “Rol@and4You” for identification
• Persistence: Hidden folders, shortcut modifications, in-memory VBScript execution
• Control Servers: invsetmx[.]com, exmkleo[.]com, bg3dsec[.]com

Notable Techniques:
– Obfuscated VBScript embedded in disguised files (e.g., n.jpg)
– Dynamic payloads downloaded via MSXML HTTP requests
– Browser extensions impersonating legitimate tools (e.g., “Disable Content Security Policy”)
– Permissions include declarativeNetRequest, browsingData, tabs, storage

Impact:

• Full visibility into users’ online activity
• Stealthy theft of payment card data during checkout
• Cross-browser persistence without elevated privileges
• Potential for long-term financial fraud and account compromise

Recommendations:

• Block listed malicious C2 domains and monitor for indicators
• Restrict browser extension installations through enterprise policies
• Educate users on the risks of opening unsolicited ZIP/LNK files
• Audit browser extension permissions and remove suspicious entries

Reference:
https://cybersecuritynews.com/new-credit-card-skimming-attack/

17. Lucid PhaaS Campaign Targets 169 Global Entities via iMessage and RCS

A sophisticated phishing-as-a-service (PhaaS) platform named Lucid, operated by the XinXin group (aka Black Technology), has been used to target 169 organizations across 88 countries through smishing attacks delivered via iMessage and RCS. UAE-based services like UAE Pass, ICP, DU, Emirates NBD, and Aramex are among the targeted brands.

Key Details:

• Attack Vector: iMessage (using temporary Apple IDs) and Google RCS (with rotating domains)
• Targets: Government, banking, logistics, and telecom entities globally, including UAE organizations
• Payload: Customized phishing pages mimicking real services, equipped with IP filtering and time-limited URLs
• Goal: Theft of credit card data and PII through real-time phishing panels

Advanced Tactics:
– Domain and number rotation to evade filtering
– Two-way interaction via “Reply with Y” smishing bait
– Use of iPhone device farms and emulators for mass-scale message delivery
– Real-time victim monitoring via phishing dashboards

Overlapping Infrastructure:
Lucid is linked to other PhaaS kits like Darcula and Lighthouse, sharing templates, tactics, and infrastructure—highlighting an organized underground ecosystem. These platforms support rapid phishing site cloning, targeting multiple brands with minimal setup time.

Recommendations:

• Enforce filtering for iMessage and RCS via behavior-based threat detection
• Disable iMessage/RCS where unused in enterprise environments
• Educate users on recognizing smishing attempts and suspicious URLs
• Monitor and block domains using threat intel feeds and DNS filtering
• Apply MFA across financial and sensitive accounts, avoid OTP sharing

Reference:
https://catalyst.prodaft.com/public/report/lucid/overview

18. OpenVPN Flaw Allows Attackers to Crash Servers and Trigger DoS (CVE-2025-2704)

A newly patched vulnerability in OpenVPN (CVE-2025-2704) could allow attackers to crash VPN servers configured with –tls-crypt-v2, resulting in a denial-of-service (DoS) condition. The issue affects OpenVPN Server versions 2.6.1 to 2.6.13 and has been resolved in version 2.6.14.

Key Details:

• CVE ID: CVE-2025-2704
• Severity: Moderate (DoS)
• Vulnerable Versions: OpenVPN Server 2.6.1 to 2.6.13 (only with –tls-crypt-v2)
• Attack Vector: Valid client with tls-crypt-v2 key sends a mix of malformed and authenticated packets
• Impact: Server crash via ASSERT() failure; no data leakage or code execution
• OpenVPN Clients: Not affected

Root Cause:
Malformed packet injection during the TLS handshake causes the server to abort unexpectedly without compromising cryptographic integrity.

Fix and Response:

• Fixed Version: OpenVPN 2.6.14
• Additional Fixes: Linux DCO enhancements, MSI installer updates, and OpenSSL 3.4.1 integration
• Mitigation: Upgrade to 2.6.14 or temporarily disable –tls-crypt-v2 if update cannot be applied immediately

Recommendations:

• Upgrade OpenVPN servers to version 2.6.14
• Audit configurations using –tls-crypt-v2 for secure deployment
• Monitor for abrupt server terminations or authentication errors

Reference:
https://gbhackers.com/openvpn-flaw/