Weekly Threat Landscape Digest – Week 17

1. Security Updates – GitLab CE and EE (CVE-2025-1763, CVE-2025-2443, CVE-2025-1908, CVE-2025-0639, CVE-2024-12244)

GitLab has released critical security updates for its Community Edition (CE) and Enterprise Edition (EE) addressing multiple vulnerabilities that could lead to account takeover, information disclosure, and denial-of-service (DoS) conditions. Organizations using vulnerable versions are advised to upgrade immediately to prevent potential exploitation.

Key Details:

• CVE-2025-1763 / CVE-2025-2443 – XSS in Maven Dependency Proxy
  → CVSS Score: 8.7 (High)
  → Malicious scripts can be injected via the Maven Dependency Proxy, bypassing browser content security policies.
  → Impact: Credential theft, session hijacking, and privilege escalation.
• CVE-2025-1908 – Network Error Logging (NEL) Header Injection
  → CVSS Score: 7.7 (High)
  → Attackers can inject custom NEL headers to track user behavior.
  → Impact: User tracking, account compromise through exposure of browsing metadata.
• CVE-2025-0639 – Denial-of-Service via Issue Preview
  → Severity: Medium
  → Exploits GitLab’s issue preview functionality to cause service disruptions.
  → Impact: Platform downtime or degraded performance.
• CVE-2024-12244 – Unauthorized Access to Branch Names
  → Access control issue reveals branch names even when repository assets are restricted.
  → Impact: Information disclosure of internal development branches.

Affected Versions:

• GitLab CE/EE versions prior to:
  • 17.11.1
  • 17.10.5
  • 17.9.7

Recommendations:

• Upgrade immediately to the patched versions (17.11.1, 17.10.5, or 17.9.7).
• Conduct an audit of repository permissions and access controls.
• Monitor application logs for unusual access or script injection attempts.
• Enforce secure development and code review practices to reduce XSS risk.

Reference:

• https://about.gitlab.com/releases/2025/04/23/patch-release-gitlab-17-11-1-released/

2. Denial-of-Service Vulnerability in SonicWall SonicOS SSLVPN (CVE-2025-32818)

A high-severity vulnerability (CVE-2025-32818) has been identified in SonicWall SonicOS SSLVPN Virtual Office interface, impacting multiple Gen7 and TZ80 firewall platforms. The flaw allows a remote, unauthenticated attacker to crash the firewall by triggering a null pointer dereference, resulting in a Denial-of-Service (DoS) condition. There are no available workarounds, and immediate firmware upgrades are strongly recommended.

Key Details:

• Vulnerability ID: CVE-2025-32818
• CVSS v3 Score: 7.5 (High)
• Vector: Remote, unauthenticated
• Vulnerability Type: Null Pointer Dereference (CWE-476)
• Impact: Firewall crash leading to service disruption

Affected Versions:

• Gen7 NSv and Gen7 Firewalls (TZ270, TZ370, TZ470, TZ570, TZ670, NSa series, NSsp series) running SonicOS versions 7.1.1-7040 through 7.1.3-7015
• TZ80 running version 8.0.0-8037 and earlier

Fixed Versions:

• SonicOS version 7.2.0-7015 and later for Gen7 devices
• Version 8.0.1-8017 and later for TZ80

Recommendations:

• Upgrade SonicWall devices to the latest patched firmware versions.
• Continuously monitor systems for signs of service interruption or unexpected behavior.
• Restrict public access to the SSLVPN interface until the upgrade is applied.
• Implement robust firewall rules to limit exposure where possible.

Reference:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0009

3. Chrome OS Security Updates – Critical Vulnerabilities Resolved in Stable and LTS Channels

Google has released critical security updates for ChromeOS, addressing multiple vulnerabilities across both the Stable and Long Term Support (LTS) channels. The most severe of these—CVE-2025-3066—is a use-after-free flaw in Site Isolation, which could lead to arbitrary code execution and compromise of browser security.

Key Details:

• CVE-2025-3066 (High): Use-after-free in Site Isolation; enables arbitrary code execution or browser compromise.
• CVE-2025-3069 (Medium): Inappropriate implementation in Extensions.
• CVE-2025-3070 (Medium): Insufficient validation of untrusted input in Extensions.
• CVE-2025-3071, CVE-2025-3073, CVE-2025-3074 (Low): Flaws in Navigations, Autofill, and Downloads respectively.
• CVE-2024-11477 and CVE-2024-26921: Addressed in LTS Channel; includes high-severity security fixes.

Impact:

• Arbitrary code execution (via use-after-free)
• Browser sandbox compromise
• Potential for privilege escalation or information disclosure through browser components

Fixed Versions:

• Stable Channel: ChromeOS version 16209.50.0 (Browser version 135.0.7049.104)
• LTS Channel: ChromeOS version 126.0.6478.270 (Platform version 15886.95.0)

Recommendations:

• Immediately update all ChromeOS and ChromeOS Flex devices to the patched versions.
• Monitor system logs and audit extension behavior for signs of exploitation.
• Disable or restrict suspicious extensions until the system is fully patched.

References:

• https://chromereleases.googleblog.com/2025/04/stable-channel-update-forchromeos_17.html
• https://chromereleases.googleblog.com/2025/04/long-term-support-channel-updatefor.html

4. Multiple Vulnerabilities in Zyxel USG FLEX H Series Firewalls

Zyxel has released patches for two security vulnerabilities in its USG FLEX H series firewalls that could allow authenticated users to escalate privileges or manipulate system configurations. These flaws—CVE-2025-1731 and CVE-2025-1732—stem from insecure permission settings and privilege management mechanisms.

Key Details:

• CVE-2025-1731 – Incorrect Permission Assignment
  • CVSS Score: 7.8 (High)
  • Description: An authenticated attacker with low privileges can exploit PostgreSQL command permissions to gain shell access.
  • Attack Vector: Exploitable when the session of an admin user is still active and not properly terminated.
• CVE-2025-1732 – Improper Privilege Management
  • CVSS Score: 6.7 (Medium)
  • Description: Privileged users can upload crafted configuration files during recovery to escalate access.
  • Attack Vector: Local, authenticated user—limited to administrator-level accounts.

Impact:

• Unauthorized shell access to the underlying OS
• Escalation from admin interface to full system control
• Configuration tampering and potential security policy evasion

Affected Versions:

• USG FLEX H Series running uOS V1.20 to V1.31

Fixed Version:

• uOS V1.32 (resolves both CVEs)

Recommendations:

• Upgrade all USG FLEX H firewalls to uOS V1.32 or later immediately.
• Terminate all idle or stale admin sessions after use.
• Monitor admin login behavior and audit configuration changes.

Reference:

• https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisoryfor-incorrect-permission-assignment-and-improper-privilege-managementvulnerabilities-in-usg-flex-h-series-firewalls-04-22-2025

5. Critical RCE in Cisco Products via Erlang/OTP SSH (CVE-2025-32433)

A critical unauthenticated remote code execution (RCE) vulnerability in the Erlang/OTP SSH implementation—CVE-2025-32433—affects multiple Cisco products including orchestration tools, routers, and video conferencing solutions. This vulnerability enables attackers to execute arbitrary code without authentication, posing a severe risk to infrastructure using Erlang/OTP-based SSH services.

Key Details:

• CVE ID: CVE-2025-32433
• CVSS Score: 10.0 (Critical)
• Vulnerability Type: Unauthenticated Remote Code Execution
• Attack Vector: Exploitable via SSH during message authentication
• Impact: Full device compromise, arbitrary code execution, infrastructure takeover
• Exploit: Public proof-of-concept (PoC) code is available

Confirmed Affected Cisco Products:

• ConfD / ConfD Basic
  • Cisco Bug ID: CSCwo83759
  • Fixed Release: Expected May 2025
• Network Services Orchestrator (NSO)
  • Cisco Bug ID: CSCwo83796
  • Fixed Release: Expected May 2025

Cisco Products Under Investigation:

• Network Management: Cyber Vision, Smart PHY, VTS, NSO
• Routing/Switching: ASR 5000, Catalyst Center (DNA Center), RV Series Routers
• TelePresence/Video: Expressway, VCS
• Virtual Infrastructure: VIM, Ultra Cloud Core components

Recommendations:

• Patch Immediately: Apply Cisco patches once available via official channels
• Asset Discovery: Identify systems using Erlang/OTP with exposed SSH
• Limit Exposure: Use ACLs and network segmentation to restrict SSH access
• Monitor for Exploits: Deploy IDS/IPS to watch for abnormal SSH behavior
• Stay Informed: Monitor Cisco advisories for updated product impact lists

Reference:

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy 

6. Critical Vulnerabilities in IBM Power HMC (CVE-2025-1950 & CVE-2025-1951)

IBM has disclosed two critical vulnerabilities in its Power Hardware Management Console (HMC) that could allow local attackers to escalate privileges and gain unauthorized access. These vulnerabilities affect both x86 and PowerPC (ppc) HMC systems running specific versions.

Key Details:

• CVE-2025-1950
  • Severity: Critical
  • CVSS Score: 9.3
  • Impact: Incorrect permission settings for environment variables enable privilege escalation. Local users can exploit untrusted library loading to execute commands with elevated privileges.
• CVE-2025-1951
  • Severity: High
  • CVSS Score: 8.4
  • Impact: Execution of commands with unnecessary privileges allows further escalation by local users.

Affected Versions:

• HMC V10.2.1030.0
• HMC V10.3.1050.0

Fixed Versions:

• Power HMC x86:
  • V10.2.1040.0 SP3 → APAR: MB04482 → Fix: MF71717
  • V10.3.1060.0 SP1 → APAR: MB04484 → Fix: MF71719
• Power HMC ppc:
  • V10.2.1040.0 SP3 → APAR: MB04483 → Fix: MF71718
  • V10.3.1060.0 SP1 → APAR: MB04485 → Fix: MF71720

Recommendations:

• Update all IBM Power HMC systems to the latest patched version.
• Validate that the correct APARs and fix levels are applied according to the system architecture (x86 or ppc).
• Conduct local user access audits to ensure no unauthorized access has occurred.
• Monitor logs for abnormal privileged activity.

References:

• https://www.ibm.com/support/pages/node/7231507
• https://www.ibm.com/support/pages/node/7231389

7. High-Severity Vulnerabilities in NVIDIA NeMo Framework (CVE-2025-23249, CVE-2025-23250, CVE-2025-23251)

NVIDIA has released a security update to patch three high-severity vulnerabilities in its NeMo Framework. If exploited, these flaws could lead to remote code execution, arbitrary file manipulation, and compromise of data integrity across multiple platforms.

Key Details:

• CVE-2025-23249
  • Issue: Deserialization of untrusted data
  • Impact: May allow remote code execution and unauthorized data manipulation
  • CVSS Score: 7.6 (High)
• CVE-2025-23250
  • Issue: Improper restriction of pathnames to a directory
  • Impact: Enables arbitrary file writing, which can lead to unauthorized code execution
  • CVSS Score: 7.6 (High)
• CVE-2025-23251
  • Issue: Improper control over dynamic code generation
  • Impact: May allow execution of malicious code and data tampering
  • CVSS Score: 7.6 (High)

Affected Platforms:

• Windows
• Linux
• macOS

Affected Versions:

• NVIDIA NeMo Framework versions prior to 25.02

Fixed Version:

• 25.02 or later

Recommendations:

• Upgrade to NVIDIA NeMo Framework version 25.02 or newer immediately
• Review access logs and system behavior for signs of unauthorized access or file changes
• Apply application-level input validation to prevent deserialization attacks
• Restrict directory access and file write permissions wherever possible

Reference:

• https://nvidia.custhelp.com/app/answers/detail/a_id/5641

8. Critical Vulnerabilities in HPE Telco Unified OSS Console (CVE-2025-24813, CVE-2025-29774, CVE-2025-29775, CVE-2024-38827, CVE-2025-27152)

Hewlett Packard Enterprise (HPE) has released a security bulletin addressing several critical vulnerabilities in its Telco Unified OSS Console (UOCAM) software, affecting versions prior to v3.1.15. These flaws can be exploited through local and remote vectors and may result in remote code execution, confidentiality breaches, SSRF, and DoS attacks.

Key Vulnerabilities:

• CVE-2025-24813
  • Severity: Critical (CVSS 9.8)
  • Impact: Remote Code Execution (RCE)
• CVE-2025-29774
  • Severity: Critical (CVSS 9.1)
  • Impact: Confidentiality and Integrity Compromise
• CVE-2025-29775
  • Severity: Critical (CVSS 9.1)
  • Impact: Confidentiality and Integrity Compromise
• CVE-2024-38827
  • Severity: Medium (CVSS 4.8)
  • Impact: Server-Side Request Forgery (SSRF), limited data exposure
• CVE-2025-27152
  • Severity: Medium (CVSS 5.3)
  • Impact: Information Disclosure

Affected Product:

• HPE Telco Unified OSS Console (UOCAM) – versions prior to 3.1.15

Fixed Version:

• v3.1.15 and later

Recommendations:

• Upgrade to HPE Telco UOCAM v3.1.15 or later immediately
• Review current deployment logs for unusual access patterns or potential compromise
• Restrict network access to the management console wherever possible
• Implement web application firewalls (WAF) and validate inputs to reduce RCE/SSRF attack vectors

Reference:

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04850en_us&docLocale=en_US 

9. High-Severity Vulnerability in Greenshift WordPress Plugin (CVE-2025-3616)

A high-severity vulnerability has been identified in the Greenshift – Animation and Page Builder Blocks WordPress plugin that allows authenticated users—even those with low privileges—to upload arbitrary files, including malicious PHP scripts. This flaw can lead to remote code execution (RCE) and full website compromise.

Vulnerability Details:

• CVE ID: CVE-2025-3616
• CVSS Score: 8.8 (High)
• Function Affected: gspb_make_proxy_api_request() introduced in version 11.4
• Attack Mechanism:
  Attackers can bypass MIME type checks and upload webshells to a publicly accessible directory (/wp-content/uploads/api_upload/). Once uploaded, these scripts can be executed remotely to gain unauthorized control.

Potential Impact:

• Complete website takeover and admin access
• Unauthorized file upload and remote code execution
• Data theft, site defacement, malware injection
• Persistent backdoors and privilege escalation

Affected Versions:

• Greenshift versions 11.4 to 11.4.5

Fixed Version:

• Greenshift version 11.4.6 or later

Recommendations:

• Update the plugin to version 11.4.6 or higher immediately
• Audit WordPress installation for unauthorized file uploads or modified content
• Apply a Web Application Firewall (WAF) to block malicious file uploads
• Monitor server logs for unusual file access under the api_upload directory

Reference:

• https://nvd.nist.gov/vuln/detail/CVE-2025-3616

10. High-Severity Vulnerability in WinZip (CVE-2025-33028)

A high-severity vulnerability has been discovered in WinZip that allows attackers to silently execute malicious code when users extract files from internet-downloaded archives. The flaw results from WinZip failing to propagate the Mark-of-the-Web (MotW) tag, enabling attackers to bypass Windows security prompts.

Vulnerability Details:

• CVE ID: CVE-2025-33028
• CVSS v3.0 Score: 7.8 (High)
• Attack Vector: Files extracted using WinZip from downloaded archives do not retain the MotW tag, allowing them to execute without any warning.

Potential Impact:

• Arbitrary Code Execution: Malicious executables can run without user consent
• Privilege Escalation: Code executes with user-level privileges
• Information Disclosure: Risk of sensitive data exposure or theft
• Bypass of Windows Protections: Security warnings and SmartScreen are skipped

Affected Versions:

• WinZip (Windows 64-bit) versions up to 76.9

Mitigation and Recommendations:

• Avoid extracting untrusted archives using WinZip
• Use alternative archive tools like Windows’ built-in extractor which correctly enforces MotW
• Deploy endpoint protection capable of detecting malicious scripts or macros
• User Awareness: Educate users on the risks of opening files from unknown or untrusted sources
• Patch Monitoring: Track official updates from WinZip and apply any forthcoming fixes promptly

Reference:

• https://nvd.nist.gov/vuln/detail/CVE-2025-33028

11. Stored Cross-Site Scripting (XSS) Vulnerability in TP-Link Routers (CVE-2025-25427)

A high-severity stored Cross-Site Scripting (XSS) vulnerability has been discovered in the web interface of TP-Link WR841N routers. This flaw allows remote attackers on the same network to inject JavaScript payloads via the UPnP port mapping description, which can execute in the browser of an admin accessing the affected page.

Vulnerability Details:

• CVE ID: CVE-2025-25427
• CVSS v4.0 Score: 8.6 (High)
• Affected Devices:
  • TP-Link WR841N versions v14, v14.6, v14.8 (Firmware Build ≤ 241230 Rel. 50788n)
• Attack Vector:
  • Remote attacker on the same network injects JavaScript through the upnp.htm interface
  • Executes when admin loads the page, leading to XSS exploitation

Potential Impact:

• Credential Theft: Admin session hijack or password theft
• Router Misconfiguration: DNS hijacking or unauthorized rule changes
• Persistent Access: Attacker may gain control over router settings or compromise user devices behind the router

Mitigation and Recommendations:

• Update Firmware: Upgrade to Build 250328 Rel.49245n or newer
• Download Official Patch: Available on TP-Link’s support portal
• Change Admin Password: Post-upgrade, immediately rotate admin credentials
• Limit Access: Restrict local access to the router management interface via strong passwords or MAC filtering

Reference:

• https://www.tp-link.com/us/support/faq/4415/

12. Security Updates for GitHub Enterprise Server (CVE-2025-3509, CVE-2025-3124, CVE-2025-3246)

GitHub has released security updates to address multiple high-severity vulnerabilities in GitHub Enterprise Server (GHES), including Remote Code Execution (RCE), information disclosure, and Cross-Site Scripting (XSS) issues. These flaws affect various versions from 3.13.x through 3.16.1, and organizations are urged to patch immediately.

Vulnerability Details:

1. CVE-2025-3509 – Pre-Receive Hook RCE
   • Severity: High
   • Impact: Admins or users with repository modification rights can execute arbitrary code through pre-receive hooks, especially during hot patching operations.
2. CVE-2025-3124 – Unauthorized Repository Name Disclosure
   • Severity: Medium
   • Impact: Unauthorized users may view private repository names via the GitHub Advanced Security Overview filter due to insufficient authorization enforcement.
3. CVE-2025-3246 – Markdown XSS via Math Blocks
   • Severity: High
   • Impact: Attackers can inject HTML/CSS into LaTeX-style math blocks, resulting in stored XSS triggered when privileged users access or render the content.

Affected Versions:

• 3.13.0 – 3.13.13 → Fixed in 3.13.14
• 3.14.0 – 3.14.10 → Fixed in 3.14.11
• 3.15.0 – 3.15.5 → Fixed in 3.15.6
• 3.16.0 – 3.16.1 → Fixed in 3.16.2

Recommendations:

• Upgrade GHES to the latest patched versions (3.13.14+, 3.14.11+, 3.15.6+, 3.16.2+)
• Disable unused pre-receive hooks and monitor access logs for suspicious activity
• Implement strict markdown sanitization policies in rendered documentation

Reference:

• https://docs.github.com/en/[email protected]/admin/release-notes#3.16.2

13. Critical Vulnerability in InstaWP Connect WordPress Plugin (CVE-2025-2636)

A critical unauthenticated Local File Inclusion (LFI) vulnerability has been discovered in the InstaWP Connect WordPress plugin, which is widely used for staging and migrating WordPress websites. The flaw allows attackers to execute arbitrary PHP files on the server, potentially leading to full website compromise.

Vulnerability Details:

• CVE ID: CVE-2025-2636
• CVSS Score: 9.8 (Critical)
• Type: Local PHP File Inclusion (Unauthenticated)
• Affected Parameter: instawp-databasemanager
• Impact:
  • Arbitrary file inclusion and execution on the server
  • Remote code execution and site takeover
  • Access control bypass
  • Theft of sensitive data and user credentials
  • Upload and execution of malicious payloads disguised as media files (e.g., image files)

Affected Versions:

• All versions up to 0.1.0.85

Fixed Version:

• InstaWP Connect v0.1.0.86 or later

Recommendations:

• Update immediately to version 0.1.0.86 or newer
• Perform a full audit of the affected WordPress site for unauthorized files or suspicious activity
• Enable Web Application Firewall (WAF) to prevent file inclusion attacks
• Monitor access logs for signs of exploitation attempts using the affected parameter

Reference:

• https://nvd.nist.gov/vuln/detail/CVE-2025-2636

14. Critical Remote Code Execution Vulnerability in PyTorch (CVE-2025-32434)

A critical Remote Code Execution (RCE) vulnerability has been discovered in PyTorch, a widely adopted open-source deep learning framework. The flaw resides in the torch.load() function—even when the weights_only=True flag is used—which was previously considered safe against deserialization attacks.

Vulnerability Details:

• CVE ID: CVE-2025-32434
• CVSS Score: 9.3 (Critical)
• Impact:
  • Arbitrary command execution on the host system
  • Potential data exfiltration and AI model compromise
  • Lateral movement within enterprise or cloud-based ML environments

Affected Versions:

• PyTorch versions ≤ 2.5.1

Fixed Version:

• PyTorch 2.6.0 or later

Recommendations:

• Upgrade immediately to PyTorch 2.6.0 or later
• Avoid using torch.load() on untrusted models or weights—even with weights_only=True
• Audit your ML environments and logs for unusual behavior or commands executed by PyTorch services
• Isolate ML training/inference pipelines to limit exposure

Reference:

• https://nvd.nist.gov/vuln/detail/CVE-2025-32434

15. Critical Vulnerability in ASUS Routers (CVE-2025-2492)

A critical remote code execution vulnerability has been identified in ASUS router firmware versions that support the AiCloud feature. Tracked as CVE-2025-2492, the vulnerability allows remote, unauthenticated attackers to execute unauthorized functions on affected routers through specially crafted requests due to improper authentication validation.

Vulnerability Details:

• CVE ID: CVE-2025-2492
• CVSS v4 Score: 9.2 (Critical)
• Affected Component: AiCloud (ASUS cloud-based remote access)
• Impact:
  • Remote execution of router functions
  • Network compromise
  • Device exposure
  • Risk of recruitment into DDoS botnets

Affected Firmware Versions:

• ASUS firmware series:
  • 3.0.0.4_382
  • 3.0.0.4_386
  • 3.0.0.4_388
  • 3.0.0.6_102

Recommendations:

• Upgrade Firmware:
  • Immediately apply the latest security firmware available on the official ASUS support page.
• Disable High-Risk Services (if update is not possible):
  • AiCloud
  • Remote WAN access
  • Port forwarding, DDNS, VPN, DMZ, FTP
• Enhance Router Security:
  • Use complex router admin passwords
  • Routinely review router security configurations

Reference:

• https://www.asus.com/content/asus-product-security-advisory/

16. Security Updates – Atlassian (Multiple CVEs)

Atlassian has released security updates addressing multiple high-severity vulnerabilities across its suite of enterprise tools including Bamboo, Confluence, Jira, and Jira Service Management. These issues stem from outdated dependencies and affect both Long-Term Support (LTS) and current versions, posing risks such as Denial-of-Service (DoS) and XML External Entity (XXE) Injection attacks.

Key Vulnerabilities and Affected Products:

1. Bamboo Data Center and Server
   • CVE-2024-57699 – Denial of Service via json-smart dependency
   • Severity: 7.5 (High)
   • Affected Versions: 10.2.0–10.2.2, 10.1.0–10.1.1, 10.0.0–10.0.3, 9.6.0–9.6.10
   • Fixed Versions: 10.2.3 (LTS), 9.6.11+
2. Confluence Data Center and Server
   • CVE-2025-24970 – DoS via netty-handler
   • CVE-2019-10172 – XXE via jackson-mapper-asl
   • Severity: 7.5 (High)
   • Affected Versions: Various 9.3.1–8.2.3 (incl. LTS)
   • Fixed Versions: 9.4.0, 9.2.3 (LTS), 8.5.21 (LTS)
3. Jira Data Center and Server
   • CVE-2021-33813 – XXE Injection
   • CVE-2024-57699 – DoS via json-smart
   • Severity: 7.7 and 7.5 (High)
   • Affected Versions: 10.5.0, 10.4.0–9.12.19
   • Fixed Versions: 10.5.1, 10.3.5 (LTS), 9.12.22 (LTS)
4. Jira Service Management Data Center and Server
   • CVE-2021-33813 – XXE Injection
   • CVE-2024-57699 – DoS via json-smart
   • Severity: 7.7 and 7.5 (High)
   • Affected Versions: 10.5.0, 10.4.0–5.12.19
   • Fixed Versions: 10.5.1, 10.3.5 (LTS), 5.12.22 (LTS)

Recommendations:

• Patch Immediately: Upgrade all affected Atlassian products to the recommended fixed versions.
• Review Dependencies: Ensure third-party libraries such as json-smart and netty-handler are updated.
• Audit and Harden: Validate application configurations to mitigate risks from XML and JSON parsing issues.

Reference:
https://confluence.atlassian.com/security/security-bulletin-april-15-2025-1540723536.html 

17. Critical Vulnerability in Erlang/OTP SSH Server (CVE-2025-32433)

A critical remote code execution (RCE) vulnerability has been identified in the SSH server component of Erlang/OTP, which is widely used in telecommunications, real-time systems, and distributed platforms. This flaw allows unauthenticated attackers to execute arbitrary commands and gain full control of affected systems, posing a major risk to infrastructure that depends on Erlang for high availability.

Key Details:

• CVE ID: CVE-2025-32433
• CVSS Score: 10.0 (Critical)
• Vulnerability Type: Unauthenticated Remote Code Execution
• Root Cause: Improper handling of SSH messages during authentication
• Impact:
  • Full system compromise without valid credentials
  • Arbitrary command execution
  • Unauthorized access and lateral movement
  • High risk for telecom and distributed environments

Affected Versions:

• Erlang/OTP 27: All versions prior to 27.3.3
• Erlang/OTP 26: All versions prior to 26.2.5.11
• Erlang/OTP 25: All versions prior to 25.3.2.20

Fixed Versions:

• Erlang/OTP 27: 27.3.3
• Erlang/OTP 26: 26.2.5.11
• Erlang/OTP 25: 25.3.2.20

Recommendations:

• Patch immediately to the fixed versions
• Restrict external SSH access using firewalls or ACLs
• Enable logging and monitor SSH session activity
• Conduct a review of systems using Erlang for unauthorized access indicators

Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32433

18. Active Exploitation of SonicWall SMA 100 Series Vulnerability (CVE-2021-20035)

A command injection vulnerability in SonicWall Secure Mobile Access (SMA) 100 Series, tracked as CVE-2021-20035, is now under active exploitation. Although previously rated medium severity, recent exploitation has prompted a revision to high severity due to its real-world impact and inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Key Details:

• CVE ID: CVE-2021-20035
• CVSS Score: 7.2 (Revised from 5.5)
• Vulnerability Type: Authenticated Command Injection
• Impact:
  • Remote execution of arbitrary commands as the ‘nobody’ user
  • Potential lateral movement post-initial access
  • May be used in targeted intrusion campaigns
• Exploitation: Confirmed in the wild; no public IOCs disclosed yet

Affected Products:

• SonicWall SMA 200, 210, 400, 410, 500v (ESX, KVM, AWS, Azure)
• Firmware versions below:
  • 10.2.1.1-19sv
  • 10.2.0.8-37sv
  • 9.0.0.11-31sv

Fixed Versions:

• 10.2.1.1-19sv or later
• 10.2.0.8-37sv or later
• 9.0.0.11-31sv or later

Recommendations:

• Upgrade immediately to the latest available fixed firmware version
• Review audit logs for unusual activity via the management interface
• Restrict management access using ACLs or VPN-based access controls
• Monitor threat intelligence feeds for emerging IOCs related to this CVE

Reference: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0022

19. Active Exploitation of NTLM Hash Disclosure Vulnerability (CVE-2025-24054)

A high-severity spoofing vulnerability in Windows, CVE-2025-24054, is actively being exploited in the wild to harvest NTLMv2-SSP hashes through crafted .library-ms files. Despite a patch being released by Microsoft in March 2025, attackers quickly weaponized the vulnerability to launch malspam campaigns against organizations globally.

Key Details:

• CVE ID: CVE-2025-24054
• CVSS Score: Not officially published, but considered high-severity
• Vulnerability Type: NTLM Hash Disclosure via Spoofing
• Vector: Crafted .library-ms files triggering outbound SMB authentication
• Impact:
  • NTLMv2 hash leakage
  • Potential credential compromise
  • Further exploitation via brute-force or relay attacks
• User Interaction: Minimal (e.g., right-clicking or browsing a folder)

Observed Campaigns:

• NTLM Exploits Bomb Campaign (March 20-21, 2025):
  Distributed archive (xd.zip) via Dropbox containing:
  • xd.library-ms: Triggers CVE-2025-24054
  • xd.url, xd.website, xd.lnk: Used to provoke SMB authentication
• Unzipped .library-ms Email Campaign (March 25, 2025):
  Direct .library-ms files sent via email, no zip required for exploitation

Indicators of Compromise (IOCs):

• xd.library-ms: 7dd0131dd4660be562bc869675772e58a1e3ac8e
• xd.url: 76e93c97ffdb5adb509c966bca22e12c4508dcaa
• xd.website: 84132ae00239e15b50c1a20126000eed29388100
• xd.lnk: 5e42c6d12f6b51364b6bfb170f4306c5ce608b4f
• Archive Hash: 9ca72d969d7c5494a30e996324c6c0fcb72ae1ae
• Campaign Endpoints:
  • 159.196.128[.]120
  • 194.127.179[.]157

Recommendations:

• Apply the Microsoft patch for CVE-2025-24054 released on March 11, 2025
• Disable NTLM where possible and transition to Kerberos authentication
• Monitor network traffic for unusual SMB connections and authentication attempts
• Enforce SMB signing and use Extended Protection for Authentication (EPA)
• Block outbound SMB connections to prevent hash leakage over the network

Reference:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild

20. ConnectWise RAT Malware Campaign

A sophisticated malware campaign leveraging the ConnectWise remote access platform has been identified by ThreatMon researchers. This active campaign, ongoing as of April 2025, uses phishing emails and impersonation tactics—particularly impersonating the U.S. Social Security Administration (SSA)—to distribute a malicious executable disguised as a PDF document.

Key Threat Details:

• Campaign Vector:
  • Phishing emails and fake SSA-themed websites
  • Payload file: tax_details202504-pdf.Client.exe
• Execution Technique:
  • Uses Microsoft’s ClickOnce deployment technology
  • Employs process hollowing via dfsvc.exe
• Persistence Mechanism:
  • Registers as a Windows service
  • Modifies the registry for Safe Mode persistence
• Command & Control (C2):
  • Domain: admin.ratoscreenconne[.]com
  • IP: 45.81.23[.]35
• Capabilities:
  • Remote desktop access
  • Screen and video capture
  • Credential harvesting
  • Command execution
• Targeted Sectors:
  • Government agencies
  • Healthcare providers
  • Legal and insurance firms
  • Educational institutions

Indicators of Compromise (IOCs):

• IOC Repository:
  https://github.com/ThreatMon/ThreatMon-Reports-IOC/tree/main/ConnectWise

Recommendations:

• Deploy advanced email filtering and secure email gateways
• Conduct regular phishing awareness and simulation training
• Install and maintain Endpoint Detection and Response (EDR/XDR) tools
• Keep all systems, browsers, and applications up to date
• Enforce the principle of least privilege and implement MFA for remote and admin access
• Block known malicious IPs and domains using threat intel feeds

21. Malware Delivery via SourceForge Exploitation

Researchers have uncovered a sophisticated malware campaign in which threat actors are abusing SourceForge, a trusted software hosting platform, to distribute malicious files masquerading as legitimate Microsoft Office utilities. The campaign primarily targets Russian-speaking users by creating convincing project pages and download interfaces.

Key Threat Details:

• Exploited Platform: SourceForge (via sourceforge.io domain assignments)
• Malicious Project: officepackage
• Delivery Vector:
  • Fake project interface on officepackage.sourceforge.io
  • Redirects to legitimate-looking SourceForge download links
  • Delivers archive vinstaller.zip (~7MB)

Deception Techniques:

• Use of password-protected archives to bypass security scans
• Use of null-byte padding to inflate .msi installer file to 700MB for legitimacy
• Batch file (confvk) downloaded from GitHub retrieves archive password and performs:
  • Anti-analysis techniques
  • Checks for virtual environments and security tools

Persistence and Payload:

• Persistence Mechanisms:
  • Creation of Windows services
  • Registry changes
  • Scheduled tasks
• Final Payloads:
  • Cryptocurrency Miner
  • ClipBanker Trojan – Monitors clipboard to replace crypto wallet addresses with attacker-controlled ones

Indicators of Malicious Behavior:

• Unexpected downloads from *.sourceforge.io domains mimicking office utilities
• Presence of .msi installers with excessive file size despite minimal functionality
• Obfuscated Visual Basic scripts and batch files communicating with GitHub

Recommendations:

• Block suspicious SourceForge subdomains at the proxy/firewall level
• Alert users against downloading office utilities from unofficial sources
• Monitor for large .msi files and use of UnRAR.exe and .rar files in enterprise environments
• Detect use of clipboard manipulation and outbound connections to cryptocurrency services
• Scan endpoints for persistence via registry, services, and task scheduler

Source:
https://cybersecuritynews.com/attackers-exploits-sourceforge-software

22. “RustoBot” Botnet Exploiting TOTOLINK and DrayTek Router Vulnerabilities

A newly discovered botnet dubbed “RustoBot” is actively targeting known vulnerabilities in TOTOLINK and DrayTek networking devices. This malware stands out due to its implementation in the Rust programming language, offering cross-platform compatibility and obfuscation resilience. Upon successful exploitation, the infected routers are co-opted into a botnet capable of executing high-throughput DDoS attacks using multiple protocols.

Key Threat Details:

• Targeted Devices:
  • TOTOLINK Routers: N600R, A830R, A3100R, A950RG, A800R, A3000RU, A810R
  • DrayTek Routers: Vigor2960, Vigor300B (Firmware v1.5.1.4)
• Exploited CVEs (TOTOLINK):
  • CVE-2022-26186 to CVE-2022-26189
  • CVE-2022-26210
• Exploited CVE (DrayTek):
  • CVE-2024-12987

RustoBot Malware Characteristics:

• Language: Rust (multi-architecture support: arm5/6/7, mips, mpsl, x86)
• Distribution Methods: Malicious downloader scripts via wget and tftp
• Obfuscation: Uses XOR encryption and algorithmic confusion
• C2 Communication: DNS-over-HTTPS (DoH) for domain resolution, blending traffic with legitimate HTTPS
• Attack Capabilities: Launches DDoS attacks using Raw IP, TCP, and UDP based on C2 commands

Recommendations:

1. Patch Immediately: Update all affected TOTOLINK and DrayTek devices to the latest firmware versions.
2. Segment IoT Networks: Isolate routers and IoT equipment from sensitive internal infrastructure.
3. Block Malicious Traffic: Implement firewall rules to restrict access to known malicious IPs/domains linked with RustoBot.
4. Monitor for DoH Anomalies: Look for unexpected DNS-over-HTTPS traffic patterns that may indicate C2 activity.

Source:
https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routedvia-routers

23. Renewed APT29 Phishing Campaign Targets European Diplomats via GRAPELOADER

APT29 (aka Midnight Blizzard / Cozy Bear), a Russia-linked APT group, has launched a new wave of phishing attacks targeting European Ministries of Foreign Affairs and diplomatic missions, continuing its use of the WINELOADER backdoor and now introducing a new initial-stage loader called GRAPELOADER.

The phishing campaign impersonates official government entities, sending emails themed around wine-tasting events with malicious links that deliver a ZIP archive. The embedded malware chain enables fingerprinting, persistence, and remote access.

Key Threat Components:

• Initial Access: Phishing emails from domains bakenhof[.]com and silry[.]com, containing links to wine.zip disguised as a wine-tasting invite.
• GRAPELOADER: Side-loaded via a trojanized PowerPoint executable (wine.exe), it ensures persistence and communicates with the C2 server via HTTPS POST.
• WINELOADER (New Variant): Delivered in later stages, features evolved anti-analysis and obfuscation techniques, DLL side-loading, and memory-only execution.
• Targets: Government entities across Europe and Middle Eastern embassies, with infection initiated via ophibre[.]com and bravecup[.]com C2 servers.
• Campaign Indicators:
  • Initial ZIP SHA256: 653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358
  • GRAPELOADER DLL SHA256: d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164
  • C2 Domains: ophibre[.]com, bravecup[.]com

Observed Techniques:

• Persistence: Via Windows registry Run keys.
• Anti-analysis: Custom string obfuscation, API unhooking, evasion via PAGE_NOACCESS, and junk code insertion.
• C2 Communication: Environment details sent with hardcoded campaign ID, awaiting second-stage payload via HTTPS.

Recommendations:

1. Block IOCs: Update firewalls and IDS/IPS with known malicious domains and hashes.
2. Harden Email Gateways: Implement advanced phishing protection and sandboxing for attachments.
3. Monitor for DLL Side-loading: Track abnormal PowerPoint executions and unknown DLL loads.
4. Review Diplomatic Targets: Conduct threat hunting within environments tied to government and foreign affairs agencies.

Source:
https://research.checkpoint.com/2025/apt29-phishing-campaign

24. Double-Edged Email Attack Steals Office365 Credentials and Delivers ConnectWise RAT

Security researchers at Cofense have identified a hybrid phishing campaign that simultaneously harvests Microsoft Office365 credentials and deploys malware via fake PDF downloads. This campaign uniquely blends credential phishing with malware distribution, increasing the likelihood of successful compromise.

Campaign Summary:

• Initial Lure: Victims receive emails disguised as urgent file deletion warnings from files.fm, a legitimate file-sharing platform.
• Two-Pronged Attack:
  • Option 1 – “Preview”: Redirects to a fraudulent Microsoft login page to steal Office365 credentials.
  • Option 2 – “Download”: Triggers the download of a malicious executable named SecuredOneDrive.ClientSetup.exe, deploying ConnectWise RAT.
• PDF Payload: The malicious PDF contains UI elements resembling legitimate preview/download buttons, each leading to different attack vectors.

Malware Analysis:

• Executable Payload: A trojanized version of ConnectWise Control, a legitimate remote access tool.
• Persistence Mechanism:
  • Creates Windows services with auto-start registry values.
  • Modifies HKEY_LOCAL_MACHINE registry path with Start = 0x2 to persist on reboot.
• C2 Communication: The malware communicates with the attacker via:
  • instance-i4zsy0relay.screenconnect.com:443
• Capabilities: Remote command execution, credential theft, lateral movement, and full system compromise.

Recommendations:

1. Block C2 Endpoint: instance-i4zsy0relay.screenconnect.com:443
2. Educate Users: Warn against previewing or downloading files from unsolicited file-sharing links.
3. Email Security Enhancements: Enable advanced phishing filters and attachment sandboxing.
4. Endpoint Monitoring: Detect unusual service creation and registry modifications tied to persistence mechanisms.
5. Credential Reset: Immediately reset Office365 passwords if phishing is suspected.

Source:
https://cybersecuritynews.com/new-double-edged-email-attack

25. AkiraBot Campaign Spams 80,000 Websites Using AI-Generated Messages & CAPTCHA Evasion

SentinelOne researchers have discovered a Python-based spam framework called AkiraBot, which has targeted over 400,000 websites, successfully spamming at least 80,000 since September 2024. The tool employs AI-generated content, CAPTCHA bypass, and network evasion techniques to promote fake SEO services under brands like “Akira” and “ServiceWrap.”

Campaign Highlights:

• Target: SMB websites (Shopify, Squarespace, etc.) using contact forms and chat widgets.
• Customization: Uses OpenAI API to analyze target site content (via BeautifulSoup) and generate spam messages tailored to site content, bypassing traditional spam filters.
• Infrastructure:
  • Built-in GUI for live operation monitoring.
  • Utilizes SmartProxy (residential, datacenter, mobile) with automatic proxy rotation.
  • Telegram bot support for remote operation control.

CAPTCHA Bypass Techniques:

• Employs external services such as Capsolver.
• Uses a “fingerprint server” to simulate human browser behavior.

Tactics & Techniques:

• Evasion: Distributes traffic using rotating IPs and proxy networks to avoid detection.
• Persistence: Custom threading and logging for bulk spam delivery.
• Real-time Command & Control: Telegram integration for control and metric viewing.

Response & Mitigation:

• OpenAI has disabled compromised API keys and is investigating associated activities.
• Recommendations:
  • Harden forms with advanced CAPTCHA systems and rate-limiting.
  • Block traffic from known spam proxies and residential proxy services.
  • Use behavioral analysis on form submissions to detect automation.
  • Disable contact forms or restrict them with client validation logic when unnecessary.

Source:
https://cybersecuritynews.com/akirabot-spammed-80000-websites

26. Waiting Thread Hijacking: A New Stealthy Code Injection Technique

Check Point Research has unveiled a stealthier variant of classic Thread Execution Hijacking, dubbed Waiting Thread Hijacking (WTH). This advanced process injection technique manipulates waiting threads (specifically those in a ThreadPool with the wait reason WrQueue) to execute malicious payloads without triggering common EDR detections associated with thread suspension, remote thread creation, or context switching.

Key Highlights:

• Execution Without Suspend/Resume: WTH avoids SuspendThread / SetThreadContext, reducing detection risk.
• Hijacks Existing Waiting Threads: By replacing the return address on the stack of a thread in WrQueue state, WTH redirects execution to attacker-controlled shellcode.
• Persistence-Friendly: Once the thread resumes naturally, it runs the shellcode and can return to normal operation using a carefully crafted shellcode stub that preserves register and flag state.

How It Works:

1. Thread Selection: Enumerates process threads, identifying one waiting in WrQueue state.
2. Return Address Manipulation: Uses GetThreadContext to locate the return address and overwrites it with the address of the shellcode (injected via VirtualAllocEx + WriteProcessMemory).
3. Execution: When the thread naturally resumes, it jumps to the shellcode.
4. Return Stub: A custom stub saves all registers/flags, executes the implant, and jumps back to the original return address.

APIs & Access Used:

• NtQuerySystemInformation (SystemProcessInformation)
• GetThreadContext, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx
• Access rights: PROCESS_VM_READ, PROCESS_VM_WRITE, THREAD_GET_CONTEXT

Obfuscation Enhancements:

• Split Execution: Each step (allocation, write, protection, pointer overwrite) can be performed in a separate process to avoid behavior-based detection.
• ETW & Kernel Callback Avoidance: No THREAD_SET_CONTEXT or new thread creation—common detection triggers are sidestepped.

Threat Landscape Impact:

• Bypasses Most EDRs Monitoring Context Manipulation
• Stealthy Execution: No uncommon API use; behaves like benign processes
• Applicable in Red Teaming for executing shellcode in high-integrity processes

Recommendations:

• Block remote memory writes where possible, especially when followed by VirtualProtectEx.
• Monitor memory regions being made executable post-write.
• Watch for stack manipulation patterns in processes with unexpected behavior.

Source:
https://research.checkpoint.com/2025/waiting-thread-hijacking

27. Malicious Python Packages Target BitcoinLib to Steal Wallet Data
    Cybersecurity researchers from ReversingLabs have identified two malicious Python packages on PyPI—bitcoinlibdbfix and bitcoinlib-dev—designed to compromise systems using the bitcoinlib cryptocurrency library. These packages pose as legitimate fixes but serve as part of a targeted supply chain attack, aiming to steal sensitive wallet data.

Key Highlights:

• Target: Developers and users of the bitcoinlib library, widely used for creating and managing crypto wallets and blockchain interaction.
• Attack Type: Supply chain attack via PyPI packages.
• Malicious Packages:
  • bitcoinlibdbfix
  • bitcoinlib-dev
• Attack Vector:
  Once installed, the packages remove the original clw CLI tool used by bitcoinlib and replace it with a symlink to a malicious executable, effectively hijacking wallet management operations.
• Impact:
  The fake clw tool enables persistent access and exfiltration of database files containing wallet private keys to attacker-controlled servers.

Risks:

• Theft of private keys and seed phrases.
• Persistent system compromise through CLI hijacking.
• Broader trust issues within the Python developer ecosystem, especially for crypto projects.

Recommendations:

• Audit Python packages for legitimacy before installation, especially for high-value applications like cryptocurrency.
• Monitor developer environments for unexpected changes in symbolic links or CLI tools.
• Remove and replace compromised packages, and rotate any exposed wallet credentials.
• Consider isolating development environments that interact with crypto wallet libraries.

Source:
https://cybersecuritynews.com/malicious-python-packages-attacking-popular-cryptocurrency-library

28. North Korean Hackers Use Python Scripts and Social Engineering in Targeted Campaign
    Elastic Security Labs has identified a sophisticated threat campaign operated by North Korean state-sponsored hackers, employing Python-based malware embedded in socially engineered lures. These campaigns are tailored to technical professionals—particularly developers—under the guise of job interview “coding challenges” or disguised legitimate tools, such as a PasswordManager app.

Key Highlights:

• Tactics: Social engineering through fake job interviews and Python apps.
• Payload: Custom Python malware hidden within seemingly harmless applications.
• Technique:
  • The malware is embedded in Python files such as __init__.py within popular modules (e.g., Pyperclip).
  • Contains ROT13-encoded and base64-obfuscated code to hide the payload.
  • Establishes Command & Control (C2) communication with the domain:
    https://akamaitechnologies[.]online (disguised to resemble Akamai services).
  • Uses OS fingerprinting, temporary file execution, and independent subprocess execution to maintain stealth.
• Execution Flow:
  • Decodes and executes embedded payload in memory.
  • Maintains persistence via retry loops and decodes/executed commands sent from the C2.
  • Commands delivered over HTTPS are base64-encoded and executed dynamically.

Malware Content:

• Application: “PasswordManager”
• Modules:
  • Pyperclip (backdoored)
  • Pyrebase
• Malicious Script: Hidden in __init__.py
• Payload Characteristics:
  • Encoded blob decoded into a full second-stage Python script.
  • Obfuscation: ROT13, base64, environment-specific logic.

Observed Tools in Related Campaigns:

• CovertCatch
• KandyKorn
  (Targeting crypto engineers and developers in earlier 2024–2025 waves.)

Risks:

• Remote Command Execution (RCE) on developer machines.
• Credential theft and long-term remote access.
• High success rate due to professional targeting and believable pretext.

Recommendations:

• Avoid running unknown Python scripts, even during job interviews or assessments.
• Use sandbox environments when evaluating untrusted code or applications.
• Monitor for suspicious subprocess executions or unusual outbound HTTPS connections.
• Conduct internal awareness training for developers and technical staff.
• Block access to known IOCs such as akamaitechnologies[.]online.

Source:
https://cybersecuritynews.com/north-korean-hackers-employs-social-engineering-tactics