Weekly Threat Landscape Digest – Week 41

This week’s threat landscape (Week 41) reflects a surge in targeted exploitation of critical infrastructure software and cloud-based platforms, underscoring how attackers are refining both speed and precision in their operations. Threat actors are increasingly leveraging chained vulnerabilities, living-off-the-land techniques, and legitimate administrative tools to evade detection and escalate privileges. Several campaigns observed this week demonstrate a growing emphasis on data exfiltration and ransomware deployment following initial access, particularly through compromised VPNs, misconfigured cloud assets, and unpatched middleware. For defenders, the focus should remain on rapid patch management, network segmentation, and continuous anomaly detection across hybrid environments. Reinforcing endpoint telemetry, identity governance, and threat intelligence correlation remains critical to maintaining visibility and preventing lateral movement in an increasingly complex threat ecosystem.

  1. Critical Exploited RCE Vulnerability in Oracle E-Business Suite

Oracle has published an emergency Security Alert for CVE-2025-61882, a Critical (CVSS 9.8) unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite (EBS) — Concurrent Processing / BI Publisher Integration. The flaw is exploitable over HTTP(S) without credentials and is reported to be actively exploited in the wild. Public reporting connects the issue to recent extortion activity claiming exfiltration of EBS data, including claims by ransomware groups. Organizations running affected EBS versions should treat this as an active threat and take immediate remediation and hunting actions.

Vulnerability details
CVE: CVE-2025-61882
Severity: Critical (CVSS 3.1: 9.8)
Affected component: Oracle Concurrent Processing (BI Publisher Integration) in Oracle E-Business Suite
Affected versions: Oracle E-Business Suite 12.2.3 – 12.2.14
Attack vector / exploitability: Remote, unauthenticated HTTP(S) requests — trivial to exploit in many deployments
Impact: Full compromise of the vulnerable EBS component with potential pivot to other EBS modules and internal networks; possible data exfiltration and extortion

Observed activity / indicators
• Reports of extortion emails and alleged proof-of-exfiltration tied to Cl0p-like activity.
• Network indicators observed in some reports: 200[.]107[.]207[.]26, 185[.]181[.]60[.]11 (suspected GET/POST activity).
• Shell/command patterns observed in exploitation attempts (e.g., reverse shell payloads).
• Publicly observed artifact hashes linked to exploit proof-of-concept packages — organizations should compare these hashes against local detections.

Immediate actions / mitigation

  1. Patch now: Apply Oracle’s Security Alert patch for CVE-2025-61882 immediately.
  2. Isolate exposed instances: If you cannot patch immediately, block HTTP(S) access to EBS application endpoints from untrusted networks at firewall, WAF, and load-balancer layers; restrict access to trusted VPN/management IP ranges only.
  3. Hunt for compromise: Search for the noted IPs, suspicious HTTP GET/POST activity, reverse shell commands, and any dropped exploit artifacts or unusual files. Preserve forensic evidence if compromise is suspected.
  4. Assume data exfiltration if compromised: If indicators of compromise are found, isolate hosts, preserve logs and disk images, and proceed under the assumption that sensitive data may have been exfiltrated.
  5. Enhance monitoring: Increase alerting for unexpected outbound connections from EBS servers, unusual process execution, and suspicious web requests to application endpoints.

Reference
https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

  1. Security Updates – Mozilla Firefox

Mozilla has released security updates addressing multiple high-severity vulnerabilities in Firefox that could allow attackers to escape sandbox restrictions or execute arbitrary code on affected systems. These flaws impact core browser components and may be exploited through malicious web content to compromise system security.

Vulnerability Details
CVE-2025-11152 – Integer overflow in the Graphics: Canvas2D component allowing sandbox escape. Successful exploitation could enable attackers to gain access outside the sandbox environment and compromise system integrity.
CVE-2025-11153 – JIT miscompilation in the JavaScript Engine: JIT component. The flaw may allow execution of arbitrary code under certain conditions.

Fixed Version
• Mozilla Firefox 143.0.3

Recommended Actions

  • Apply the latest Firefox update (version 143.0.3 or later) immediately.
  • Restart browsers after patching to ensure all components are updated.
  • Review enterprise browser management policies to enforce automatic updates.
  • Monitor for any unusual web or process behavior indicating potential exploitation attempts.

Reference
https://www.mozilla.org/en-US/security/advisories/mfsa2025-80/

  1. Critical Remote Code Execution Vulnerability in Redis

The Redis security team has issued an urgent patch for CVE-2025-49844, a Critical (CVSS 10.0) remote code execution (RCE) vulnerability affecting all Redis versions. The flaw, dubbed “RediShell” by Wiz researchers, originates from a 13-year-old use-after-free vulnerability in the Redis Lua scripting engine, which is enabled by default. Successful exploitation allows authenticated attackers to escape the Lua sandbox, execute arbitrary code, and gain full control of the host system.

Given Redis’ extensive use in enterprise and cloud environments—alongside over 330,000 internet-exposed instances (including more than 60,000 without authentication)—the likelihood of exploitation is extremely high. Immediate patching and isolation of Redis instances are strongly advised.

Vulnerability Details
CVE ID: CVE-2025-49844
Severity: Critical (CVSS 10.0)
Component: Lua scripting engine in Redis
Impact: Authenticated attackers can execute arbitrary code by manipulating the garbage collector to trigger a use-after-free vulnerability.
Affected Versions: All Redis releases prior to the fixed versions below.
Fixed Releases:

  • Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
  • Redis OSS/CE/Stack: OSS/CE 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+, Stack 7.4.0-v7+, 7.2.0-v19+

Mitigation Guidance

  1. Apply Security Patches Immediately
    • Upgrade Redis to the latest fixed version corresponding to your deployment type.
    • Prioritize patching of all internet-facing or public Redis instances.
  2. Restrict Access
    • Enable authentication for all Redis instances.
    • Restrict Redis network access to trusted IPs or internal networks only.
    • Enforce firewall or VPC rules to prevent unauthorized external connections.
  3. Monitor and Harden
    • Continuously monitor Redis logs for abnormal Lua script executions.
    • Disable the Lua engine if not required.
    • Employ intrusion detection systems (IDS) to flag suspicious memory operations or remote commands.

Reference
https://redis.io/blog/security-advisory-cve-2025-49844/

  1. Security Updates – Google Chrome

Google has released multiple security updates for Google Chrome across Windows, macOS, Linux, Android, and iOS platforms. The most severe vulnerabilities could enable remote code execution (RCE), data corruption, or sensitive information disclosure, making it critical for all users and organizations to apply the latest updates immediately.

Vulnerability Details
CVE-2025-11458 – Heap buffer overflow in the Sync component, which could lead to remote code execution or memory corruption.
CVE-2025-11460 – Use-after-free in Storage, allowing exploitation of freed memory for arbitrary code execution or privilege escalation.
CVE-2025-11211 – Out-of-bounds read in WebCodecs, potentially exposing sensitive data or causing denial of service (DoS).

Fixed Versions
Stable Channel Update for Desktop:

  • Chrome 141.0.7390.65/.66 for Windows and Mac
  • Chrome 141.0.7390.65 for Linux
    Chrome 141.0.7390.70 for Android
    Extended Stable Updates for Desktop:
  • Chrome 140.0.7339.240 for Windows and Mac
    Chrome 141.0.7390.69 for iOS

Recommended Actions

  1. Update Immediately – Upgrade Google Chrome to the latest version available for your operating system.
  2. Enable Automatic Updates – Ensure Chrome’s automatic update mechanism is enabled to prevent delayed patching.
  3. Restart After Update – Relaunch Chrome after updating to complete the patch process.
  4. Monitor for Exploitation – SOC teams should monitor for suspicious browser behavior or unauthorized sync operations.

Reference
https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/

  1. Critical Vulnerability in AWS ClientVPN macOS Client

Amazon Web Services (AWS) has released an urgent fix addressing CVE-2025-11462, a Critical (CVSS 9.3) local privilege escalation (LPE) vulnerability affecting the AWS Client VPN macOS client. The flaw allows a non-admin user to gain root-level execution privileges through log file manipulation, posing a severe risk to affected systems.

Vulnerability Details
CVE ID: CVE-2025-11462
Severity: Critical (CVSS 9.3)
Affected Software: AWS Client VPN macOS Client versions 1.3.2 – 5.2.0
Unaffected Platforms: Windows and Linux clients are not impacted.
Root Cause: Improper validation of log file destinations during log rotation. Attackers could exploit this by creating a symlink from a client log file to a privileged location (e.g., /etc/crontab), leading to arbitrary file writes and root-level code execution.
Fixed Version: AWS Client VPN Client 5.2.1

Recommended Actions

  1. Immediate Patch Deployment – Upgrade all macOS systems running the AWS Client VPN Client to version 5.2.1 or later.
  2. Restrict Permissions – Limit write permissions to sensitive directories and review log rotation configurations.
  3. Monitor Activity – Inspect macOS systems for unauthorized modifications to privileged files (e.g., crontab, /etc/sudoers).
  4. User Awareness – Inform end users and administrators to apply updates from official AWS sources only.

Reference
https://aws.amazon.com/security/security-bulletins/AWS-2025-020/

  1. Remote Code Execution (RCE) Vulnerability in OpenSSH

A remote code execution (RCE) vulnerability has been identified in OpenSSH’s ProxyCommand feature, tracked as CVE-2025-61984. The flaw arises from improper handling of control characters (such as $, [, or newline) within SSH usernames, which can be exploited to execute unintended commands under certain shell configurations.

While the vulnerability is rated Low (CVSS 3.6), the presence of a public proof-of-concept (PoC) and its potential to execute arbitrary code through shell command injection makes it a concern for environments using custom ProxyCommand configurations or permissive shells like Bash, csh, and fish.

Vulnerability Details
CVE ID: CVE-2025-61984
Severity: Low (CVSS 3.6)
Component: ProxyCommand feature in OpenSSH
Impact: Remote Code Execution (RCE) under specific configurations
Attack Vector: Crafted SSH usernames containing control characters may trigger malformed exec directives, allowing injection of additional commands during session initiation.
Affected Versions: OpenSSH versions prior to 10.1
Fixed Version: OpenSSH 10.1 and later

Recommended Actions

  1. Upgrade Immediately – Update OpenSSH to version 10.1 or later to eliminate this vulnerability.
  2. Harden Configurations – Avoid using %r in ProxyCommand directives or sanitize all input variables referencing usernames.
  3. Restrict User Input – Enforce strict validation on SSH usernames and disable custom ProxyCommand settings if unnecessary.
  4. Monitor for Exploitation – Watch for unusual SSH connection attempts or malformed usernames in system logs.

Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-61984

  1. Critical Authentication Bypass in WordPress Spirit Framework Plugin

A critical authentication bypass vulnerability has been identified in the Spirit Framework plugin for WordPress, tracked as CVE-2025-6388 with a CVSS score of 9.8 (Critical). This flaw allows attackers to bypass login authentication using only a valid username, leading to full account compromise and privilege escalation to administrator level.

The vulnerability affects websites running Spirit Framework version 1.2.14 and earlier. Security researchers have confirmed active exploitation, with multiple attack attempts observed targeting vulnerable WordPress sites.

Vulnerability Details
CVE ID: CVE-2025-6388
Severity: Critical (CVSS 9.8)
Vulnerability Type: Authentication Bypass due to improper identity validation in the custom_actions() function.
Affected Versions: Spirit Framework ≤ 1.2.14
Fixed Version: 1.2.15 or later
Impact:

  • Unauthorized login using only a valid username
  • Full account takeover, including administrator accounts
  • Privilege escalation enabling complete control of the WordPress site

Exploitation Status
Active Exploitation Confirmed: Wordfence has detected and blocked over 20 attacks within 24 hours of disclosure.
• Attackers are using automated scripts to hijack accounts and maintain persistence through backdoor plugins and admin user creation.

Recommended Actions

  1. Immediate Update: Upgrade the Spirit Framework plugin to version 1.2.15 or later.
  2. Account Review: Check for unauthorized administrative users and reset passwords for all WordPress accounts.
  3. Log Monitoring: Inspect access logs for suspicious login attempts or plugin modification activity.
  4. Apply Web Application Firewall (WAF): Use WAF protection (e.g., Wordfence, Cloudflare) to block exploitation attempts.

Reference
https://themespirit.com/talemy-changelog/

  1. Critical Vulnerability in Broadcom AION Business Rules Expert

A critical remote code execution (RCE) vulnerability has been identified in Broadcom AION Business Rules Expert r11.0 for Linux (build 202). The flaw originates from the use of an outdated and vulnerable Apache Struts 1.0.2 library bundled within the product. Successful exploitation could allow remote attackers to execute arbitrary code, bypass authentication, or cause denial of service (DoS) on affected systems.

This vulnerability, tracked as CVE-2012-0391, carries a CVSS v3.1 score of 9.8 (Critical) and poses a severe threat to confidentiality, integrity, and availability.

Vulnerability Details
Vulnerability Type: Remote Code Execution in Apache Struts
CVE ID: CVE-2012-0391
Severity: Critical (CVSS 9.8)
Component: Apache Struts 1.0.2 (embedded in AION Business Rules Expert r11.0 build 202)
Attack Vector: Network (Remotely exploitable)
Impact:

  • Complete system compromise
  • Authentication bypass
  • Denial of service (DoS) conditions

Affected Versions
• AION Business Rules Expert r11.0 for Linux — Build 202 and earlier

Fixed Version
AION Business Rules Expert r11.0 Build 203 (LU18356)

Recommended Actions

  1. Immediate Upgrade: Update to Build 203 (LU18356) or later to remediate the vulnerability.
  2. Network Restriction: Limit external access to affected AION instances until the patch is applied.
  3. Monitor for Exploitation: Inspect network traffic for suspicious HTTP requests targeting Struts components.
  4. Apply Compensating Controls: Use a web application firewall (WAF) to detect and block known Struts exploit patterns.

Reference
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36192 

  1. Privilege Escalation Vulnerability in Zabbix Agent for Windows

A high-severity local privilege escalation vulnerability has been identified in Zabbix Agent and Agent2 for Windows, tracked as CVE-2025-27237. The flaw allows a local attacker with limited user rights to escalate privileges to SYSTEM level, potentially gaining full control over the affected host system.

The issue arises from improper loading of the OpenSSL configuration file, which is located in a directory writable by non-administrative users. By modifying or replacing this configuration file, an attacker can force the service to load a malicious DLL, which is then executed with elevated permissions upon service restart.

Vulnerability Details
CVE ID: CVE-2025-27237
Severity: High (CVSS v4.0 Score: 7.3)
Vulnerability Type: Local Privilege Escalation (Improper file handling and DLL loading)
Impact:

  • Execution of arbitrary code with SYSTEM privileges
  • Full control of the Windows operating system
  • Potential for persistence, data theft, or further lateral movement

Affected Versions
• Zabbix Agent/Agent2 6.0.0 – 6.0.40
• Zabbix Agent/Agent2 7.0.0 – 7.0.17
• Zabbix Agent/Agent2 7.2.0 – 7.2.11
• Zabbix Agent/Agent2 7.4.0 – 7.4.1

Fixed Versions
• 6.0.41
• 7.0.18
• 7.2.12
• 7.4.2

Recommended Actions

  1. Upgrade Immediately: Update Zabbix Agent and Agent2 to the latest fixed versions listed above.
  2. Restrict File Permissions: Limit write access to configuration directories and ensure only administrative users can modify OpenSSL-related files.
  3. Monitor for Abuse: Review system logs and service restart events for suspicious activity or unauthorized modifications.
  4. Apply Endpoint Protection: Deploy EDR/AV rules to detect unexpected DLL execution from non-standard directories.

Reference
https://support.zabbix.com/browse/ZBX-27061

  1. Security Updates – Samsung Mobile (October 2025 SMR)

Samsung has released its October 2025 Security Maintenance Release (SMR-OCT-2025) to address multiple vulnerabilities impacting its flagship mobile devices. The update includes patches from the Google Android Security Bulletin – October 2025 and additional Samsung Vulnerabilities and Exposures (SVE) fixes that target both system-level and application-specific flaws.

The vulnerabilities addressed could allow privilege escalation, arbitrary code execution, and sensitive data exposure, affecting a wide range of Samsung devices running Android 13 through 16, as well as Galaxy Watch (Android 14) models.

Vulnerability Highlights
Google Security Fixes
High-severity vulnerabilities resolved include:
CVE-2025-22420, CVE-2025-32328, CVE-2025-32329, CVE-2025-48570, CVE-2025-48572, CVE-2025-48573, CVE-2025-48580, CVE-2025-48591, CVE-2025-48584, CVE-2025-48536, CVE-2025-48555, CVE-2025-48607, CVE-2025-47354, and CVE-2025-47351.

Samsung Vulnerabilities and Exposures (SVE)
In addition to Google’s patches, Samsung addressed over 20 device-specific vulnerabilities, including:
SVE-2024-1838 (CVE-2025-21044)Fingerprint Trustlet: High – Out-of-bounds write enabling privileged memory access.
SVE-2025-0021 (CVE-2025-21045)Galaxy Watch: Moderate – Insecure storage of sensitive data.
SVE-2025-0465 (CVE-2025-21046)Samsung DeX: Moderate – Improper access control exposing recent app list.
SVE-2025-0903 (CVE-2025-21050)Contacts: High – Input validation flaw enabling cross-user data access.
SVE-2025-1526 (CVE-2025-21048)Knox Enterprise: High – Path traversal vulnerability leading to arbitrary code execution.
SVE-2025-1845 (CVE-2025-21055)libimagecodec.quram.so: High – Out-of-bounds read/write allowing potential remote memory access.

Potential Impact
Exploitation of these vulnerabilities could lead to:
Privilege Escalation – Attacker gains SYSTEM-level access.
Arbitrary Code Execution – Exploitation via path traversal or image decoding flaws.
Sensitive Data Exposure – Leakage across user profiles or apps.
Information Disclosure – Due to insecure data storage or improper access control.

Affected Products
• Samsung flagship smartphones and tablets (Android 13–16)
• Galaxy Watch devices running Android 14

Recommended Actions

  1. Apply Updates Immediately: Install the October 2025 SMR via device settings (Settings → Software Update → Download and Install).
  2. Enable Automatic Updates: Ensure future SMRs are installed promptly to maintain device protection.
  3. Monitor for Exploitation Indicators: Review device behavior and logs for unauthorized access or system anomalies.

Reference
https://security.samsungmobile.com/securityUpdate.smsb

  1. Security Updates – Elastic Kibana and Elasticsearch

Elastic has released multiple security updates to address five vulnerabilities impacting Kibana and Elasticsearch components. The vulnerabilities include three high-severity Cross-Site Scripting (XSS) flaws and two medium-severity information disclosure issues.

The most severe vulnerability, CVE-2025-25009 (CVSS 8.7 – High), allows attackers to execute arbitrary JavaScript code within Kibana by uploading crafted files. Exploitation could result in persistent XSS, session hijacking, or data theft.

Unpatched environments, especially those with Kibana exposed to untrusted users, face an elevated risk of compromise. Elastic urges administrators to upgrade all affected instances immediately.

Vulnerability Details
CVE-2025-25009 – Kibana (Case File Upload)

  • Type: Stored XSS
  • Severity: High (CVSS 8.7)
  • Impact: Remote code execution, session hijacking
  • Fixed Versions: 8.18.8, 8.19.5, 9.0.8, 9.1.5
  • CVE-2025-25017 – Kibana (Vega Visualization)
  • Type: Stored XSS
  • Severity: High (CVSS 8.2)
  • Impact: Arbitrary JavaScript injection via visualization input
  • Fixed Versions: 8.18.8, 8.19.5, 9.0.8, 9.1.5
  • CVE-2025-25018 – Kibana (Fleet & Integrations)
  • Type: Stored XSS
  • Severity: High (CVSS 8.7)
  • Impact: Privilege escalation and dashboard compromise
  • Fixed Versions: 8.18.8, 8.19.5, 9.0.8, 9.1.5
  • CVE-2025-37727 – Elasticsearch (Audit Logging)
  • Type: Information Disclosure
  • Severity: Medium (CVSS 5.3)
  • Impact: Potential exposure of sensitive data in logs
  • Fixed Versions: 8.18.8, 8.19.5, 9.0.8, 9.1.5
  • CVE-2025-37728 – Kibana (CrowdStrike Connector)
  • Type: Credential Leakage
  • Severity: Medium (CVSS 5.4)
  • Impact: Credential cross-access between workspaces
  • Fixed Versions: 8.18.8, 8.19.5, 9.0.8, 9.1.5

Recommended Actions

  1. Immediate Patching: Upgrade Kibana and Elasticsearch to the latest fixed versions (8.18.8, 8.19.5, 9.0.8, or 9.1.5).
  2. Restrict Access: Limit Kibana dashboard exposure to internal or authenticated users only.
  3. Audit Logs: Review for suspicious uploads or unauthorized visualizations indicating XSS attempts.
  4. Harden Configurations: Enable input sanitization and apply security headers to reduce XSS exposure.

Reference
https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa2025-20/382449

  1. Denial-of-Service Vulnerability in HAProxy

A high-severity Denial-of-Service (DoS) vulnerability has been disclosed and remediated by HAProxy Technologies, impacting multiple product lines including HAProxy Community Edition, Enterprise Edition, ALOHA appliances, and Kubernetes Ingress Controllers.

The vulnerability, tracked as CVE-2025-11230 (CVSS 7.5), arises from Inefficient Algorithm Complexity (CWE-407) within the mjson library used by HAProxy for JSON parsing. When HAProxy processes specially crafted JSON requests containing extremely large numerical values, it triggers excessive computation cycles, causing the watchdog process to terminate the service—resulting in DoS conditions.

Vulnerability Details
CVE ID: CVE-2025-11230
Severity: High (CVSS 7.5)
Vulnerability Type: Inefficient Algorithm Complexity (CWE-407)
Impact: Attackers can repeatedly send crafted JSON payloads to cause service unavailability by exhausting HAProxy’s processing resources.
Root Cause: Unoptimized handling of large numerical values during JSON parsing in functions like json_query(), jwt_header_query(), and jwt_payload_query().

Affected Products and Fixed Versions
HAProxy Community Edition:

  • Affected Branches: 2.4, 2.6, 2.8, 3.0, 3.1, 3.2
  • Fixed Versions: 2.4.30, 2.6.23, 2.8.16, 3.0.12, 3.1.9, 3.2.6
  • HAProxy Enterprise:
  • Affected: hapee-2.4r1 → hapee-3.1r1
  • Fixed Versions: hapee-2.4r1-lb-1.0.0-294.1446, hapee-2.6r1-lb-1.0.0-301.1704, hapee-2.8r1-lb-1.0.0-327.1146, hapee-3.0r1-lb-1.0.0-346.795, hapee-3.1r1-lb-1.0.0-349.585
  • HAProxy ALOHA Appliance:
  • Affected Versions: 14.5, 15.5, 16.5, 17.0
  • Fixed Versions: 14.5.33, 15.5.28, 16.5.19, 17.0.7
  • HAProxy Kubernetes Ingress Controller:
  • Affected: All versions
  • Fixed Version: v3.1.12
  • HAProxy Enterprise Kubernetes Ingress Controller:
  • Affected: All versions
  • Fixed Versions: v1.9.14-ee7, v1.11.12-ee10, v3.0.15-ee4

Recommended Actions

  1. Upgrade Immediately: Apply the fixed versions listed above for your HAProxy deployment.
  2. Restrict Access: Limit exposure of HAProxy interfaces to trusted networks only.
  3. Monitor for Abnormal Requests: Review logs for unusually large numeric inputs in JSON requests.
  4. Implement Rate Limiting: Apply rate limiting and request validation at the proxy layer to prevent repeated exploit attempts.

Reference
https://www.haproxy.com/blog/october-2025-cve-2025-11230-haproxy-mjson-library-denial-of-service-vulnerability 

  1. Security Updates – QNAP Products

QNAP Systems, Inc. has released critical security updates addressing multiple vulnerabilities impacting two of its widely used utilities — NetBak Replicator and Qsync Central.
The most severe flaws, rated up to CVSS 8.6 (High), could allow attackers to execute arbitrary code, disrupt NAS functionality, or exfiltrate sensitive data from affected systems.

These vulnerabilities affect both local and remote attack vectors, making immediate patching essential for maintaining the integrity and availability of QNAP NAS environments.

Vulnerability Details
CVE-2025-57714 – Code Execution in NetBak Replicator

  • Type: Unquoted Search Path or Element
  • Severity: High (CVSS 8.6)
  • Impact: Local attackers could inject and execute malicious code by placing rogue executables in search paths referenced by the software.
  • CVE-2025-44012 – Resource Allocation Without Limits or Throttling
  • Severity: High
  • Impact: Authenticated attackers could monopolize resources, preventing access by other processes or applications, leading to performance degradation.
  • CVE-2025-47210 – NULL Pointer Dereference
  • Severity: Medium
  • Impact: Enables attackers with account access to trigger a Denial-of-Service (DoS) attack, crashing targeted processes.
  • CVE-2025-52867 – Uncontrolled Resource Consumption
  • Severity: Medium
  • Impact: Exploitation may result in excessive CPU or memory usage, leading to service unavailability.
  • CVE-2025-53595 & CVE-2025-54153 – SQL Injection
  • Severity: High
  • Impact: Attackers with valid user accounts can inject malicious SQL queries, enabling unauthorized command execution or database compromise.

Affected Products and Fixed Versions
NetBak Replicator 4.5.x → Fixed in 4.5.15.0807 and later
Qsync Central 5.0.0 → Fixed in 5.0.0.2 (2025/07/31) and later

Recommended Actions

  1. Upgrade Immediately:
    • Update NetBak Replicator and Qsync Central to their latest fixed versions or newer.
  2. Restrict Access:
    • Limit NAS access to trusted networks and enforce strong account authentication.
  3. Monitor Logs:
    • Check for abnormal activity such as failed logins, SQL errors, or unexpected process restarts.
  4. Backup Regularly:
    • Maintain secure, offline backups to ensure rapid recovery from potential exploitation.

Reference
https://www.qnap.com/en/security-advisory/qsa-25-39
https://www.qnap.com/en/security-advisory/qsa-25-35

  1. Critical Vulnerabilities in Nagios Log Server

Two severe vulnerabilities have been discovered in Nagios Log Server, both of which can be exploited by any authenticated user, including those with low privileges. These flaws — CVE-2025-44823 and CVE-2025-44824 — enable attackers to disclose administrative API keys and disrupt core log processing services, respectively. Working proof-of-concept (PoC) exploits are publicly available, making this a critical threat for production environments.

Nagios has released version 2024R1.3.2, which resolves both vulnerabilities. All users are urged to apply updates immediately.

Vulnerability Details

  1. CVE-2025-44823 – API Key Disclosure & User Enumeration
    • Severity: Critical (CVSS 9.9)
    • Impact: Remote attackers with any valid API token can enumerate all users and retrieve plaintext administrative API keys.
    • Description: A flawed API endpoint (get_users) exposes full user inventories, including plaintext admin credentials.
    • Risk: Enables privilege escalation and complete system compromise through token reuse.
    • Exploit Status: Public PoC available; exploitation requires only a valid API token.
  2. CVE-2025-44824 – Elasticsearch Subsystem Shutdown
    • Severity: High (CVSS 8.5)
    • Impact: Allows authenticated users to issue API commands that shut down the internal Elasticsearch service, halting log ingestion, alerting, and searches.
    • Description: Improper authorization checks permit low-privilege users to disable Elasticsearch, causing a denial-of-service (DoS).
    • Risk: Immediate and total loss of log visibility and monitoring capability.

Affected Versions
• All Nagios Log Server versions prior to 2024R1.3.2

Fixed Version
2024R1.3.2 and later

Recommended Actions

  1. Apply Patches Immediately: Upgrade all Nagios Log Server deployments to version 2024R1.3.2 or newer.
  2. Revoke and Rotate API Keys: Replace all API keys post-update to invalidate potentially compromised tokens.
  3. Restrict Access: Limit API access to trusted internal networks and disable unused tokens.
  4. Monitor for Exploitation: Review audit logs for unusual API activity, particularly get_users or Elasticsearch stop requests.
  5. Network Segmentation: Isolate Nagios Log Server from external-facing systems to minimize exposure.

Reference
https://www.nagios.com/changelog/#log-server

  1. Security Updates – NVIDIA

NVIDIA has released security updates to remediate multiple vulnerabilities in the Dynamic Licensing Service (DLS) component of the NVIDIA License System, affecting all appliance platforms.
These flaws range from information disclosure to denial-of-service (DoS) and unauthorized action execution, potentially impacting system stability and confidentiality.

Vulnerability Details
CVE-2025-23293 – Unauthenticated Access Leading to Command Execution

  • Severity: High (CVSS 8.7)
  • Impact: Denial of Service
  • Description: An unauthenticated user may access sensitive information within the DLS component. Successful exploitation can lead to command execution and potential service disruption.
  • CVE-2025-23292 – SQL Injection in DLS
  • Severity: Medium (CVSS 4.6)
  • Impact: Partial Denial of Service
  • Description: A SQL injection flaw allows attackers to perform unauthorized actions through maliciously crafted database queries, potentially affecting DLS operations.
  • CVE-2025-23291 – Unauthorized Action & Information Disclosure
  • Severity: Low (CVSS 2.4)
  • Impact: Information Disclosure
  • Description: This vulnerability could enable attackers to trigger unauthorized actions and leak sensitive data from affected NVIDIA License System instances.

Affected Versions
• All versions prior to DLS v3.5.1
• All versions prior to DLS v3.1.7

Fixed Versions
DLS v3.5.1 and DLS v3.1.7, or later

Recommended Actions

  1. Update Immediately: Apply the latest NVIDIA DLS updates to version 3.5.1 or 3.1.7, depending on your deployment.
  2. Restrict Access: Limit external access to the NVIDIA License System to trusted networks only.
  3. Monitor Logs: Regularly review logs for signs of abnormal access or database interaction attempts.
  4. Harden Configurations: Enforce secure database connections and disable unnecessary administrative interfaces.
  5. Validate Inputs: Implement strict input validation to minimize risk from injection attacks.

Reference
https://nvidia.custhelp.com/app/answers/detail/a_id/5705

  1. High Severity Security Vulnerability in HP Sure Start IFD Protection

A high-severity vulnerability has been identified in the Intel Flash Descriptor (IFD) protection mechanism implemented by HP Sure Start across several HP business products.
This flaw, tracked as CVE-2023-6215, may enable attackers to bypass BIOS security controls, execute arbitrary code, or gain persistent control of affected systems, compromising the device at the firmware level.

HP has released BIOS firmware updates (SoftPaqs) to address this vulnerability. Immediate patching is strongly advised for business notebooks, desktops, and retail point-of-sale (POS) systems.

Vulnerability Details
CVE-2023-6215 – IFD Protection Bypass in HP Sure Start

  • Severity: High (CVSS v4.0 Score: 7.2)
  • Component: HP Sure Start firmware (Intel Flash Descriptor protection module)
  • Affected Systems: Business Notebook PCs, Business Desktop PCs, and Retail Point-of-Sale Systems
  • Description: A flaw in the Intel Flash Descriptor protection implementation allows attackers to modify firmware regions normally restricted by Sure Start protections.
  • Impact:
    • Bypass of BIOS-level security controls
    • Firmware tampering and persistent compromise before OS boot
    • Loss of system integrity and hardware trust chain
    • Possible privilege escalation and sensitive data disclosure

Mitigation and Recommendations

  1. Apply BIOS Firmware Updates:
    • Install the latest SoftPaq BIOS updates provided by HP for your specific platform.
    • Updates are available through HP Customer Support and the HP Security Bulletin (HPSBHF04061).
  2. Verify Firmware Integrity:
    • Use HP’s validation tools or built-in Sure Start capabilities to confirm the authenticity of BIOS firmware.
  3. Restrict Physical Access:
    • Limit system access to authorized personnel to prevent local firmware modification.
  4. Enable Secure Boot and TPM:
    • Maintain Secure Boot and Trusted Platform Module (TPM) configurations to ensure device trustworthiness.
  5. Continuous Monitoring:
    • Include firmware-level integrity checks in enterprise endpoint monitoring strategies.

Reference
https://support.hp.com/us-en/document/ish_13064666-13064688-16/hpsbhf04061

  1. Actively Exploited Vulnerability in Zimbra Collaboration Suite (ZCS)

A zero-day vulnerability in the Zimbra Collaboration Suite (ZCS) Classic Web Client—tracked as CVE-2025-27915—is being actively exploited in the wild. This flaw allows attackers to execute arbitrary JavaScript in user sessions through malicious ICS (calendar invitation) files, enabling session hijacking, data theft, and potential lateral movement within organizations.

Vulnerability Overview
CVE ID: CVE-2025-27915
Type: Cross-Site Scripting (XSS)
Severity: Critical (Active Exploitation)
Affected Component: ZCS Classic Web Client
Affected Versions:

  • Zimbra Collaboration Suite (ZCS) 9.0, 10.0, and 10.1
    Fixed Versions:
  • ZCS 9.0.0 Patch 46 or later
  • ZCS 10.0.15 or later
  • ZCS 10.1.9 or later

Technical Details
The vulnerability arises from insufficient sanitization of HTML content embedded in ICS calendar files. Attackers can craft malicious ICS entries with embedded JavaScript in the ontoggle attribute, which executes automatically when the user opens or previews the calendar invitation in the Classic Web Client.
Once triggered, the script executes within the victim’s session, allowing attackers to:

  • Steal credentials and session cookies
  • Access emails, shared folders, and distribution lists
  • Perform unauthorized actions on behalf of the victim
  • Establish persistence for long-term espionage or organizational compromise

Impact

  • Credential Theft: Attackers gain direct access to email and authentication data.
  • Data Exfiltration: Sensitive business communications can be exfiltrated silently.
  • Lateral Movement: Compromised accounts may be leveraged to pivot internally.
  • Persistence: Malicious filters and forwarding rules can enable prolonged access.

Recommended Actions

  1. Apply Security Patches Immediately:
    • Upgrade Zimbra servers to the fixed versions (9.0.0 Patch 46, 10.0.15, or 10.1.9).
  2. Monitor for Exploitation Indicators:
    • Review mail logs for suspicious ICS file attachments and unauthorized rule creation.
  3. Enhance Email Filtering:
    • Block or quarantine calendar invitations (.ics) from untrusted or external senders.
  4. User Awareness:
    • Educate users to avoid opening unexpected ICS files or calendar invites.
  5. Threat Hunting:
    • Look for abnormal authentication events or access from unusual IPs post-exploitation.
  6. Restrict Webmail Access:
    • Limit Classic Web Client exposure to internal networks when possible.

Reference
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://nvd.nist.gov/vuln/detail/CVE-2025-27915

  1. Security Updates – CrowdStrike Falcon Sensor for Windows

CrowdStrike has released security updates addressing two medium-severity vulnerabilities in the Falcon Sensor for Windows, which could allow attackers with existing local code execution privileges to delete arbitrary files on the affected host. Although exploitation requires prior system access, successful abuse of these flaws may cause system instability or sensor malfunction.

No active exploitation has been observed in the wild. Fixes are now available in Falcon Sensor version 7.29 and in hotfix updates for earlier releases (7.16, 7.24–7.28).

Vulnerability Details
CVE-2025-42701 – Race Condition (TOCTOU)

  • Type: Time-of-check Time-of-use (TOCTOU)
  • CWE: 367 – Race Condition
  • CAPEC: 27 – Symbolic Link Exploitation
  • CVSS v3.1 Score: 5.6 (Medium)
  • Impact: Enables attackers with local execution privileges to exploit a race condition, deleting arbitrary files via a symbolic link attack during file operations.
  • CVE-2025-42706 – Logic Error in Origin Validation
  • Type: Logic Error
  • CWE: 346 – Origin Validation Error
  • CAPEC: 473 – Signature Spoof
  • CVSS v3.1 Score: 6.5 (Medium)
  • Impact: A logic flaw in validation checks allows attackers with local privileges to delete arbitrary files, impacting operating system or Falcon sensor stability.

Affected Versions
• 7.28.20006 and earlier
• 7.27.19907
• 7.26.19811 / 7.26.19809
• 7.25.19706
• 7.24.19607 and earlier
• 7.16.18635 and earlier (Windows 7 / 2008 R2)

Fixed Versions
• 7.28.20008 and later
• 7.27.19909
• 7.26.19813
• 7.25.19707
• 7.24.19608
• 7.16.18637 (Windows 7 / 2008 R2 only)

Unaffected Products
• Falcon Sensor for macOS
• Falcon Sensor for Linux
• Falcon Sensor for Legacy Windows

Recommended Actions

  1. Update Immediately: Upgrade all Falcon Sensor for Windows installations to the latest version (7.29 or applicable hotfix).
  2. Restrict Local Privileges: Limit local administrative access to reduce the potential for exploitation.
  3. Monitor for Unusual File Deletion Activity: Review endpoint and Falcon console logs for signs of file tampering or deletion.
  4. Apply Hotfixes: For environments unable to upgrade immediately, apply the provided hotfix versions corresponding to your release.
  5. Validate Sensor Health: After update, confirm Falcon Sensor functionality and connectivity.

Reference
https://www.crowdstrike.com/en-us/security-advisories/issues-affecting-crowdstrikefalcon-sensor-for-windows/

 

  1. Security Incident – Red Hat Consulting GitLab Instance

Red Hat has disclosed a security incident involving unauthorized access to a GitLab instance used internally by the Red Hat Consulting team. The affected system was utilized for collaboration on specific client engagements and has since been isolated and secured.

Incident Overview
Red Hat detected unauthorized access to a private GitLab environment used by its consulting division. The threat actor accessed and copied data from the instance before being removed. Upon discovery, Red Hat initiated a comprehensive investigation, revoked all unauthorized access, and notified relevant authorities.

Current Status

  • The compromised environment has been isolated.
  • Access controls and hardening measures have been strengthened to prevent recurrence.
  • The investigation is ongoing to determine the full extent of the exposure.

Scope and Impact
Red Hat Products and Services:

  • No indication of impact on Red Hat’s core products, software supply chain, or official distribution channels.
  • Software downloads and updates from redhat.com remain secure.
  • Red Hat Consulting Customers:
  • The affected GitLab instance stored consulting engagement data, including project details, internal communications, and limited business contact information.
  • Impacted customers will be notified directly.
  • Other Red Hat Customers:
  • There is no evidence of impact on customers not engaged with Red Hat Consulting.
  • Unrelated Incident Clarification:
  • This event is not connected to the Red Hat OpenShift AI vulnerability (CVE-2025-10725) disclosed on October 1, 2025.

Next Steps and Recommendations

  1. Customer Notification: Red Hat is directly contacting affected consulting clients.
  2. Monitoring and Containment: Enhanced monitoring of internal collaboration environments is in place.
  3. Security Review: All GitLab environments are undergoing configuration and access audits.
  4. Customer Vigilance: Consulting customers are encouraged to review shared artifacts and report any anomalies to Red Hat Security Response.

Impact Summary
While there is no evidence of compromise to Red Hat’s core infrastructure, consulting clients may face potential exposure of non-production project data. Red Hat continues to coordinate with authorities and security partners.

Reference
Red Hat Official Blog: Security update – Incident related to Red Hat Consulting GitLab instance

  1. Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware
    Microsoft has attributed the exploitation of a critical zero-day vulnerability (CVE-2025-10035) in Fortra GoAnywhere MFT software to the threat actor Storm-1175, known for deploying Medusa ransomware. The exploited flaw — a critical deserialization vulnerability (CVSS 10.0) — enables unauthenticated command injection and remote code execution (RCE), allowing attackers to gain full control of the affected system.

Vulnerability Details
CVE ID: CVE-2025-10035
Severity: Critical (CVSS 10.0)
Type: Deserialization flaw enabling command injection
Affected Product: Fortra GoAnywhere MFT
Fixed Versions: 7.8.4 (Sustain Release 7.6.3 and later)
Impact: Remote code execution, lateral movement, and ransomware deployment

The flaw allows attackers to forge a valid license response signature, which triggers the deserialization of malicious objects. Once exploited, attackers can inject arbitrary commands and take control of vulnerable servers remotely.

Threat Actor Attribution

  • Actor: Storm-1175 (financially motivated group)
  • Affiliation: Linked to Medusa ransomware operations
  • Primary Tactics: Exploiting public-facing applications for initial access, deploying RMM tools (SimpleHelp, MeshAgent), and conducting C2 via Cloudflare tunnels.
  • Observed Exploitation: Microsoft detected exploitation in multiple organizations beginning September 11, 2025, with earlier activity confirmed by WatchTowr on September 10, 2025.

Attack Chain Summary

  1. Initial Access: Exploitation of CVE-2025-10035 via GoAnywhere MFT deserialization flaw.
  2. Persistence: Deployment of remote monitoring tools (SimpleHelp, MeshAgent) within MFT directories.
  3. Discovery: Execution of user, network, and system discovery commands.
  4. Lateral Movement: Use of mstsc.exe (Windows Remote Desktop Connection) for spreading across systems.
  5. Exfiltration: Use of Rclone for data exfiltration via Cloudflare-based C2 channels.
  6. Impact: Deployment of Medusa ransomware, encrypting systems and demanding ransom.

Risk and Impact
The vulnerability’s ease of exploitation and widespread GoAnywhere deployments have placed numerous enterprises at high risk. Attackers can achieve persistence, data theft, and network-wide ransomware propagation with minimal user interaction.

Microsoft’s Findings
Microsoft Threat Intelligence confirmed that Storm-1175 leveraged the vulnerability in targeted campaigns across sectors. The attacker’s tactics, techniques, and procedures (TTPs) align with previous Medusa ransomware activity, including C2 communication through legitimate infrastructure to evade detection.

WatchTowr Commentary
WatchTowr Labs criticized the delayed response from Fortra, highlighting that organizations were likely under attack for weeks before public disclosure:

“Organizations running GoAnywhere MFT have effectively been under silent assault since at least September 11,” said Benjamin Harris, CEO of WatchTowr. “Transparency and prompt communication from Fortra are critical for effective mitigation.”

Recommended Actions

  1. Patch Immediately: Upgrade GoAnywhere MFT to version 7.8.4 or Sustain 7.6.3 and above.
  2. Check for Compromise Indicators: Review logs for unauthorized file uploads, suspicious JSP files, or the presence of RMM tools (SimpleHelp, MeshAgent).
  3. Block Known C2 Channels: Restrict outbound Cloudflare tunnel traffic and monitor for Rclone usage.
  4. Harden Access Controls: Limit external exposure of GoAnywhere MFT to trusted networks only.
  5. Incident Response: If compromise is suspected, isolate affected systems, review persistence mechanisms, and follow ransomware containment protocols.
  6. Continuous Monitoring: Enable behavioral detection rules to identify post-exploitation activity and ransomware deployment attempts.

Reference
The Hacker News – Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware

  •  

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment