Weekly Threat Landscape Digest – Week 47

This week’s cyber landscape brings a mix of new vulnerabilities, evolving malware campaigns, and increasingly sophisticated social-engineering tactics. From zero-day exploits and exploitation of outdated infrastructure to stealthy credential-theft operations and cross-platform malware, attackers continue to refine their methods to bypass traditional security controls. Our Week 47 roundup highlights the most important security developments, helping organizations stay aware of the latest threats and better understand the trends shaping today’s cybersecurity environment.
- Actively Exploited Vulnerability in Fortinet FortiWeb (CVE-2025-64446)
A critical zero-day path traversal vulnerability in Fortinet FortiWeb (CVE-2025-64446, CVSS 9.1) is being actively exploited in the wild. The flaw allows unauthenticated remote attackers to bypass authentication on the FortiWeb management interface and execute administrative actions, including creating new administrator accounts and taking full control of the WAF. A public proof-of-concept (PoC) exploit is already available, significantly increasing exploitation risk.
Vulnerability Details – CVE-2025-64446
- Type: Relative path traversal / path confusion in FortiWeb GUI component
- Attack Vector: Specially crafted HTTP/HTTPS POST requests to manipulated API paths
- Authentication: Not required (unauthenticated attacker)
Affected Versions & Fixed Releases
- FortiWeb 8.0: 8.0.0 – 8.0.1 → Upgrade to 8.0.2 or later
- FortiWeb 7.6: 7.6.0 – 7.6.4 → Upgrade to 7.6.5 or later
- FortiWeb 7.4: 7.4.0 – 7.4.9 → Upgrade to 7.4.10 or later
- FortiWeb 7.2: 7.2.0 – 7.2.11 → Upgrade to 7.2.12 or later
- FortiWeb 7.0: 7.0.0 – 7.0.11 → Upgrade to 7.0.12 or later
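Because the fixed release differs per branch, triage of a FortiWeb fleet against the table above is easy to get wrong with a string comparison (7.4.10 sorts before 7.4.9 as text). The following added example, which is not code from the digest or from Fortinet, encodes the table above and classifies a constructed inventory numerically; the host names and build strings are made up.

```python
import re

# Affected ranges (inclusive) and first fixed release for CVE-2025-64446,
# transcribed from the digest's table: branch -> (first, last affected, fixed).
FORTIWEB_CVE_2025_64446 = {
    "8.0": ("8.0.0", "8.0.1", "8.0.2"),
    "7.6": ("7.6.0", "7.6.4", "7.6.5"),
    "7.4": ("7.4.0", "7.4.9", "7.4.10"),
    "7.2": ("7.2.0", "7.2.11", "7.2.12"),
    "7.0": ("7.0.0", "7.0.11", "7.0.12"),
}


def parse_version(text):
    """Extract the first x.y.z in a string as a tuple of ints so that
    7.4.10 compares greater than 7.4.9 (a plain string compare gets this wrong)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(version_text, table=FORTIWEB_CVE_2025_64446):
    """Classify one build: ('affected', first_fixed), ('fixed', None) or
    ('unlisted', None) for a branch the advisory does not name."""
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in table:
        return ("unlisted", None)  # not in the advisory: check the vendor PSIRT entry
    first, last, fixed = (parse_version(x) for x in table[branch])
    if first <= v <= last:
        return ("affected", ".".join(map(str, fixed)))
    return ("fixed", None)


def triage(inventory):
    """Return [(host, version, status, first_fixed)] with affected hosts first."""
    rows = []
    for host, version in inventory:
        status, fixed = assess(version)
        rows.append((host, version, status, fixed))
    order = {"affected": 0, "unlisted": 1, "fixed": 2}
    return sorted(rows, key=lambda r: order[r[2]])  # stable sort keeps inventory order within a class


# Constructed inventory: host names and builds are invented for the example.
SAMPLE_INVENTORY = [
    ("waf-dmz-01", "FortiWeb v7.4.10 build0345"),
    ("waf-dmz-02", "FortiWeb v7.4.9 build0340"),
    ("waf-lab-01", "FortiWeb v7.6.4"),
    ("waf-legacy", "FortiWeb v6.4.2"),
]

if __name__ == "__main__":
    for host, version, status, fixed in triage(SAMPLE_INVENTORY):
        note = f" -> upgrade to {fixed} or later" if fixed else ""
        print(f"{host:12} {status:9} {version}{note}")
```

A branch the advisory does not list is reported as unlisted rather than fixed, so an end-of-life 6.x appliance is not silently marked safe.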
Impact
Exploitation may result in:
- Complete takeover of the FortiWeb management interface
- Addition of rogue admin users and backdoor access
- Tampering with WAF policies, virtual servers, and security profiles
- Disabling or weakening protections, enabling further attacks on protected web applications
Recommended Actions
- Immediate Patching
  - Upgrade all affected FortiWeb instances to the fixed versions listed above as a priority.
- Lock Down Management Access (If Patching Is Delayed)
  - Disable HTTP/HTTPS access on any Internet-facing FortiWeb management interfaces.
  - Restrict management access to trusted internal networks/VPN only.
- Log & Configuration Review
  - Review FortiWeb system logs for:
    - Unexpected admin logins or new administrator accounts
    - Suspicious configuration changes or policy modifications
  - Validate the current admin account list and remove any unknown accounts.
- Network Hardening
  - Ensure FortiWeb management is segmented from untrusted networks.
  - Enforce MFA and strong authentication controls for administrative access.
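For the log and configuration review step, the following added example (not the digest's or Fortinet's code) runs those checks over a handful of constructed key=value log lines. The field names (action, status, user, newuser, srcip), the approved-admin roster and the management subnet are assumptions, so map them to the actual FortiWeb event fields and your own environment before use.

```python
import ipaddress
import re

# Assumptions for the example: the approved administrator roster and the
# network from which administration is expected.
APPROVED_ADMINS = {"admin", "secops"}
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed key=value log lines. The field names are an assumed schema,
# not FortiWeb's actual log format.
SAMPLE_LOGS = """\
date=2025-11-14 time=09:02:11 action=login status=success user=admin srcip=10.10.0.5
date=2025-11-14 time=09:40:27 action=login status=success user=admin srcip=203.0.113.7
date=2025-11-14 time=09:41:03 action=add_admin user=admin newuser=support_tmp srcip=203.0.113.7
date=2025-11-14 time=09:42:50 action=config_change user=support_tmp object=server-policy srcip=203.0.113.7
date=2025-11-14 time=10:15:00 action=login status=success user=secops srcip=10.10.0.9
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value line into a dict."""
    return dict(KV.findall(line))


def from_mgmt(ip_text, networks=MGMT_NETWORKS):
    """True when the source address is inside an approved management network."""
    return any(ipaddress.ip_address(ip_text) in net for net in networks)


def review_logs(log_text, approved=APPROVED_ADMINS, networks=MGMT_NETWORKS):
    """Apply the digest's review checks; return (timestamp, finding, detail) tuples."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        when = f"{ev.get('date', '?')} {ev.get('time', '?')}"
        action = ev.get("action")
        inside = from_mgmt(ev["srcip"], networks) if "srcip" in ev else True
        if action == "login" and ev.get("status") == "success":
            if ev.get("user") not in approved:
                findings.append((when, "login by admin not on roster", ev.get("user")))
            if not inside:
                findings.append((when, "admin login from outside management network", ev["srcip"]))
        elif action == "add_admin":
            # Every administrator creation is reviewed, whoever performed it.
            findings.append((when, "new administrator account created", ev.get("newuser")))
        elif action == "config_change":
            if ev.get("user") not in approved or not inside:
                findings.append((when, "configuration change by unvetted admin or source",
                                 f"{ev.get('user')} from {ev.get('srcip')}"))
    return findings


def unknown_accounts(current_admins, approved=APPROVED_ADMINS):
    """Accounts present on the appliance but absent from the approved roster."""
    return sorted(set(current_admins) - set(approved))


if __name__ == "__main__":
    for when, finding, detail in review_logs(SAMPLE_LOGS):
        print(f"{when}  {finding}: {detail}")
    print("unknown admin accounts:", unknown_accounts(["admin", "secops", "support_tmp"]))
```

The second and third sample lines illustrate the pattern the advisory warns about: a login from an address outside the management network followed by the creation of an administrator that is not on the roster, which is why account creation is always reported rather than only when the actor is unknown.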
References
- Critical Vulnerability in pgAdmin (CVE-2025-12762 – RCE)
A critical remote code execution (RCE) vulnerability affects all pgAdmin versions up to 9.9. The flaw allows attackers to execute arbitrary system commands during PostgreSQL restore operations when pgAdmin is running in server mode. Additional vulnerabilities include Windows command injection, LDAP injection, and TLS certificate verification bypass issues.
Key Vulnerabilities
- CVE-2025-12762 – RCE in PLAIN-format Restore (CVSS 9.1)
- Triggered by malicious PostgreSQL dump files
- Leads to arbitrary system command execution
- CVE-2025-12763 – Windows Command Injection
- Allows execution of arbitrary Windows commands
- CVE-2025-12764 – LDAP Injection
- Exploitable via manipulated LDAP fields
- CVE-2025-12765 – TLS Certificate Verification Bypass
- Allows attackers to bypass LDAP TLS checks
Affected Versions
- pgAdmin ≤ 9.9
Fixed Version
- pgAdmin 9.10
Recommended Actions
- Upgrade immediately to pgAdmin 9.10 or the latest version
- Validate PostgreSQL dump files before restoring
- Review LDAP authentication settings for misuse
- Audit logs for suspicious restore operations or command execution attempts
Reference
https://www.pgadmin.org/news/
- Critical SQL Injection Vulnerability in Zoho Analytics On-Premise (CVE-2025-8324)
A critical unauthenticated SQL injection vulnerability (CVE-2025-8324, CVSS 9.8) affects Zoho Analytics On-Premise builds below 6170. The flaw allows remote attackers to execute arbitrary SQL queries without authentication, leading to potential account compromise, sensitive data exposure, or full database access.
Key Details
- CVE-2025-8324 – Unauthenticated SQL Injection (CVSS 9.8)
- Attack Vector: Network-based, no authentication required
- Root Cause: Improper filter configuration
- Impact:
- Extraction of sensitive user data
- Unauthorized account access
- Full control over backend database
Affected Versions
- Zoho Analytics On-Premise < Build 6170
Fixed Version
- Build 6171
Recommended Actions
- Immediately upgrade to Zoho Analytics On-Premise Build 6171
- Review authentication logs for unusual access attempts
- Implement strict network segmentation for analytics servers
- Apply least-privilege access controls for database accounts
Reference
https://www.zoho.com/analytics/onpremise/CVE-2025-8324.html
- Critical Authentication Bypass in ASUS DSL Routers (CVE-2025-59367)
A critical authentication bypass vulnerability (CVE-2025-59367, CVSSv4 9.3) affects multiple ASUS DSL router models. The flaw allows remote attackers to access the router’s management interface without valid credentials, leading to full administrative takeover. Devices exposed to the internet are at highest risk.
Key Details
• CVE-2025-59367 – Authentication Bypass (Critical)
• Exploitable remotely over the internet
• Access gained without username/password
• Impact includes:
  • Full router admin control
  • Traffic interception or redirection
  • Configuration tampering
  • Malware installation on the router
  • Compromise of all connected devices
Affected Models
• ASUS DSL-AC51
• ASUS DSL-N16
• ASUS DSL-AC750
Fixed Firmware Version
• 1.1.2.3_1010 or later
Recommended Actions
• Update all affected ASUS DSL routers to firmware 1.1.2.3_1010+ immediately
• Disable external (WAN-side) management access
• Restrict router administration to internal trusted networks
• Monitor for unusual DNS redirects, unknown admin logins, or config changes
Reference
https://www.cve.org/CVERecord?id=CVE-2025-59367
- Security Updates – NVIDIA Isaac-GR00T (CVE-2025-33183 & CVE-2025-33184)
NVIDIA has released security updates addressing multiple high-severity code injection vulnerabilities affecting NVIDIA Isaac-GR00T. These flaws reside in Python components and may allow attackers to execute arbitrary code, escalate privileges, and access or tamper with sensitive data.
Key Vulnerabilities
• CVE-2025-33183 / CVE-2025-33184 – Code Injection (CVSS 7.8, High)
• Improper input handling in Python components
• Exploitation may result in:
  • Arbitrary code execution
  • Privilege escalation
  • Information disclosure
  • Data manipulation or corruption
Affected Products
• NVIDIA Isaac-GR00T N1.5
• All platforms
• Affected Versions: All versions without code commit 7f53666
Fixed Version
• Any Isaac-GR00T code branch including commit 7f53666
Recommended Actions
• Update Isaac-GR00T to the latest version containing commit 7f53666
• Review Python-based automation or integrations for unexpected behavior
• Restrict system permissions for processes using Isaac-GR00T
• Monitor logs for suspicious code execution or privilege elevation attempts
Reference
https://nvidia.custhelp.com/app/answers/detail/a_id/5725
- Security Updates – NetScaler ADC & Gateway (CVE-2025-12101)
A medium-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-12101, CVSS 5.9) affects NetScaler ADC and NetScaler Gateway. When configured in specific Gateway or AAA authentication modes, attackers may inject malicious JavaScript into a user’s browser, leading to session hijacking or credential theft.
Key Details
• CVE-2025-12101 – Cross-Site Scripting (XSS)
• CWE-79: Improper Neutralization of Input
• CVSS v4.0 Score: 5.9 (Medium)
Impact Includes
• Execution of arbitrary JavaScript code
• Session hijacking
• Credential theft
• Redirection to malicious websites
Preconditions for Exploitation
The appliance must be configured as one of the following:
Gateway Mode:
• VPN Virtual Server
• ICA Proxy
• CVPN
• RDP Proxy
Or configured as:
• AAA Virtual Server (Authentication Server)
Affected Versions
• 14.1 before 14.1-56.73
• 13.1 before 13.1-60.32
• 13.1-FIPS / 13.1-NDcPP before 13.1-37.250
• 12.1-FIPS / 12.1-NDcPP before 12.1-55.333
• Versions 12.1 and 13.0 are End-of-Life (EOL)
Fixed Versions
• 14.1-56.73 and later
• 13.1-60.32 and later
• 13.1-37.250 and later (FIPS/NDcPP)
• 12.1-55.333 and later (FIPS/NDcPP)
Recommended Actions
• Upgrade NetScaler ADC & Gateway to the fixed versions immediately
• Disable unnecessary Gateway/AAA modes
• Apply strict input validation or WAF rules
• Monitor for suspicious authentication or browser redirects
Reference
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX695486
- Security Updates – GitLab Community Edition (CE) and Enterprise Edition (EE)
GitLab has released critical and medium-severity security updates for GitLab CE and EE. The patched versions (18.5.2, 18.4.4, 18.3.6) fix multiple vulnerabilities including XSS, authorization bypass, information disclosure, access control issues, prompt injection, and denial of service.
Key Vulnerabilities
- CVE-2025-11224
  Severity: High (CVSS 7.7)
  Description: Stored XSS vulnerability in the Kubernetes proxy component allowing arbitrary JavaScript execution by authenticated users.
- CVE-2025-11865
  Severity: Medium (CVSS 6.5)
  Description: Incorrect authorization in GitLab Duo workflows allowing a user to remove another user’s Duo flows.
- CVE-2025-2615
  Severity: Medium (CVSS 4.3)
  Description: GraphQL subscription flaw allowing blocked users to access sensitive data via WebSocket connections (information disclosure).
- CVE-2025-7000
  Severity: Medium (CVSS 4.3)
  Description: Access control issue allowing unauthorized users to view confidential branch names through linked merge requests.
- CVE-2025-6945
  Severity: Low (CVSS 3.5)
  Description: Prompt injection in GitLab Duo review enabling data leakage from confidential issues via malicious merge request comments.
- CVE-2025-11990
  Severity: Low (CVSS 3.1)
  Description: Client-side path traversal exposing CSRF tokens due to weak redirect handling and improper validation in branch name references.
- CVE-2025-6171
  Severity: Low (CVSS 3.1)
  Description: Information disclosure in the packages API allowing limited-access users to view branch names and pipeline details.
- CVE-2025-7736
  Severity: Low (CVSS 3.1)
  Description: Improper access control in GitLab Pages allowing authenticated users to bypass page restrictions via OAuth.
- CVE-2025-12983
  Severity: Low (CVSS 3.1)
  Description: DoS vulnerability in markdown processing allowing resource exhaustion with crafted nested formatting.
Fixed Versions
• GitLab 18.5.2
• GitLab 18.4.4
• GitLab 18.3.6
Recommended Actions
• Upgrade GitLab CE/EE to the latest fixed version immediately
• Review Kubernetes proxy logs for suspicious XSS attempts
• Audit repository, GraphQL, and Pages access for anomalies
• Enforce strict access controls on merge requests and branch visibility
• Restrict GitLab Duo usage to validated users only
Reference
https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/
- Atlassian November 2025 Security Updates
Atlassian disclosed 39 vulnerabilities across Bitbucket, Confluence, Jira Software, and Jira Service Management, including 5 Critical and 34 High-severity issues. Flaws include RCE, SSRF, DoS, improper authorization, path traversal, and broken authentication.
Affected Products
• Bitbucket DC/Server
• Confluence DC/Server
• Jira Software DC/Server
• Jira Service Management DC/Server
Critical Vulnerabilities (CVSS 9.3–10)
• CVE-2024-38999 – RCE (Critical 10.0)
• CVE-2016-1000027 – Critical 9.8
• CVE-2023-42282 – SSRF (Critical 9.8)
• CVE-2023-45133 – Critical 9.3
High-Severity Vulnerabilities (Examples)
• Improper Authorization
• Multiple DoS flaws
• Path Traversal
• Cryptographic Failures
• Prototype Pollution
• Broken Authentication
Fixed Versions
• Bitbucket: 10.0.2, 8.19.25 (LTS), 9.4.13
• Confluence: 10.1.1, 10.0.2–10.0.3, 9.2.7–9.2.10, 8.5.25–8.5.28
• Jira Software: 11.2.0, 10.7.3–10.7.4, 10.3.10–10.3.13, 9.12.26–9.12.29
• Jira Service Management: 11.2.0, 10.7.3–10.7.4, 10.3.10–10.3.13, 5.12.26–5.12.29
Recommended Actions
• Apply Atlassian patches immediately
• Prioritize upgrades for internet-facing systems
• Monitor for RCE/SSRF exploitation attempts
Reference
https://confluence.atlassian.com/security/security-bulletin-november-18-2025-1671463469.html
- High-Severity Vulnerability in GitHub Enterprise Server (CVE-2025-11892)
A DOM-based Cross-Site Scripting (XSS) vulnerability in GitHub Enterprise Server allows attackers to execute malicious scripts via the Issues search label filter. If a sudo-privileged user clicks a crafted link, attackers may perform actions requiring elevated permissions.
Key Details
• CVE-2025-11892
• CVSS 8.6 (High)
• Type: DOM-based XSS
• Flaw in Issues search label filter allows injection of malicious scripts
• Can lead to:
• Privilege escalation
• Unauthorized workflow triggering
• Modification of repository settings
Affected Versions
• Versions prior to:
• 3.18.1
• 3.17.7
• 3.16.10
• 3.15.14
• 3.14.19
Fixed Versions
• 3.18.1 and later
• 3.17.7 and later
• 3.16.10 and later
• 3.15.14 and later
• 3.14.19 and later
Recommended Actions
• Apply GitHub’s mitigation or upgrade to the fixed versions immediately
• Warn admin/sudo users to avoid clicking untrusted GitHub links
• Review workflow change logs for unauthorized actions
Reference
https://www.cve.org/cverecord?id=CVE-2025-11892
- Actively Exploited Vulnerability in Google Chrome
Google released a security update addressing two high-severity vulnerabilities in the Chrome V8 JavaScript engine. One of these flaws is actively exploited in the wild, making immediate updates critical.
Key Vulnerabilities
• CVE-2025-13223 – Type Confusion (V8)
• Severity: High
• Status: Exploited in the wild
• CVE-2025-13224 – Type Confusion (V8)
• Severity: High
• Status: Patched, no known exploitation
Impact
• Browser compromise via malicious JavaScript
• Possible code execution
• Increased risk due to wide Chrome usage in enterprises
Fixed Versions
• Windows: 142.0.7444.175 / .176
• Mac: 142.0.7444.176
• Linux: 142.0.7444.175
Recommended Actions
• Update Google Chrome immediately to the latest fixed version
• Enable auto-updates across all endpoints
• Monitor for unusual browser crashes or exploit attempts
Reference
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html?m=1
- Security Updates – Fortinet Products
Fortinet released security updates for FortiWeb, FortiVoice, and FortiClient for Windows. One FortiWeb vulnerability (CVE-2025-58034) is actively exploited, requiring urgent patching.
FortiWeb – OS Command Injection (Actively Exploited)
• CVE-2025-58034 – Medium (CVSS 6.7)
• Authenticated attacker can execute unauthorized OS commands
• Actively exploited in the wild
• Affected Versions → Fixed Versions:
• 8.0.0–8.0.1 → 8.0.2+
• 7.6.0–7.6.5 → 7.6.6+
• 7.4.0–7.4.10 → 7.4.11+
• 7.2.0–7.2.11 → 7.2.12+
• 7.0.0–7.0.11 → 7.0.12+
FortiVoice – SQL Injection
• CVE-2025-58692 – High (CVSS 7.7)
• Authenticated attacker can perform SQL injection and run unauthorized queries
• Affected Versions → Fixed Versions:
• 7.2.0–7.2.2 → 7.2.3+
• 7.0.0–7.0.7 → 7.0.8+
FortiClient (Windows) – Heap-Based Buffer Overflow
• CVE-2025-46373 – High (CVSS 7.1)
• Heap overflow in fortips driver; requires authenticated IPSec user
• May lead to arbitrary code execution
• Affected Versions → Fixed Versions:
• 7.4.0–7.4.3 → 7.4.4+
• 7.2.0–7.2.8 → 7.2.9+
FortiClient (Windows) – Arbitrary Memory Write
• CVE-2025-47761 – High
• Exposed IOCTL calls allow authenticated local users to write arbitrary memory
• Requires active IPSec VPN session
• Affected Versions → Fixed Versions:
• 7.4.0–7.4.3 → 7.4.4+
• 7.2.0–7.2.9 → 7.2.10+
Recommended Actions
• Update all affected FortiWeb, FortiVoice, and FortiClient versions
• Prioritize FortiWeb patches due to active exploitation
• Restrict admin access to trusted networks
• Review logs for suspicious CLI or HTTP activity
References
• https://www.fortiguard.com/psirt/FG-IR-25-666
• https://www.fortiguard.com/psirt/FG-IR-25-125
• https://www.fortiguard.com/psirt/FG-IR-25-112
• https://fortiguard.fortinet.com/psirt/FG-IR-25-513
- Critical Vulnerabilities in SolarWinds Serv-U
SolarWinds released Serv-U version 15.5.3 addressing three Critical (CVSS 9.1) vulnerabilities that may allow Remote Code Execution (RCE) when an attacker already has administrative privileges. A compromised admin account can fully control Serv-U environments.
CVE-2025-40547 – Logic Abuse RCE
• Severity: 9.1 (Critical)
• Logic flaw enabling arbitrary code execution
• Requires administrative privileges
CVE-2025-40548 – Broken Access Control RCE
• Severity: 9.1 (Critical)
• Missing validation allows unauthorized code execution
• Requires admin-level access
CVE-2025-40549 – Path Restriction Bypass
• Severity: 9.1 (Critical)
• Allows bypassing directory path restrictions and executing code
• Requires administrative rights
Additional Security Enhancements
• Stronger password protection
• Improved IP filtering
• HSTS enforcement and stronger HTTP headers
• Enhanced SSH key support
Fixed Version
• Serv-U 15.5.3
Recommended Actions
• Upgrade to Serv-U 15.5.3 immediately
• Review admin accounts for compromise indicators
• Enforce MFA and strong access controls
- Critical Access Control Vulnerability in Verve Asset Manager
A critical incorrect-authorization vulnerability (CVE-2025-11862) affects Verve Asset Manager, allowing read-only users to read, modify, or delete user accounts through the platform’s API. This can lead to unauthorized user management and privilege escalation in OT environments.
Key Details
• CVE-2025-11862
• Type: Incorrect Authorization (CWE-863)
• CVSS v3.1 Score: 9.9 (Critical)
• CVSS v4.0 Score: 8.4 (High)
• Impact:
• Read-only users can modify or delete user accounts
• Potential privilege escalation
• Risk to OT asset management and security operations
Affected Versions
• Verve Asset Manager 1.33 to 1.41.3
Fixed Versions
• 1.41.4 and 1.42
Recommended Actions
• Upgrade to patched versions immediately
• Review API access logs for suspicious user-management activity
• Restrict API access to trusted networks
• Enforce strong role-based access controls
Reference
https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1759.html
- Critical Vulnerabilities in GIC Lynx+ Gateway
Multiple critical vulnerabilities affect GIC Lynx+ Gateway devices (R08, V03, V05, V18). These include weak authentication, missing authentication in critical functions, and cleartext transmission of sensitive data. Remote, unauthenticated attackers may gain device access, retrieve configuration data, or reset the device, leading to operational disruption.
CVE-2025-55034 – Weak Password Requirements
• CVSS v3: 8.2 (High), CVSS v4: 8.8
• Weak password complexity allows brute-force attacks
• May lead to unauthorized access to the device interface
CVE-2025-58083 – Missing Authentication for Critical Function
• CVSS v3: 10.0 (Critical), CVSS v4: 9.2
• No authentication required for device-reset functionality
• Remote attacker can reset device and disrupt industrial operations
CVE-2025-59780 – Missing Authentication for Sensitive Information
• CVSS v3: 7.5 (High), CVSS v4: 8.7
• Sensitive GET requests exposed without authentication
• Attackers can retrieve configuration and operational details
CVE-2025-62765 – Cleartext Transmission of Sensitive Data
• CVSS v3: 7.5 (High), CVSS v4: 8.7
• Credentials and configuration sent in cleartext
• Network attacker can intercept usernames, passwords, and settings
Affected Products
• Lynx+ Gateway R08
• Lynx+ Gateway V03
• Lynx+ Gateway V05
• Lynx+ Gateway V18
Recommended Actions
• Contact GIC for official patches and updates
• Segment devices using industrial DMZs
• Restrict access with firewall rules and ACLs
• Disable unnecessary services and ports
• Use VPN-based remote access with MFA
Reference
https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-08
- Critical Vulnerability in W3 Total Cache
A critical unauthenticated command-injection vulnerability (CVE-2025-9501, CVSS 9.0) affects the W3 Total Cache WordPress plugin. Attackers can execute arbitrary PHP code by submitting a malicious comment on websites running vulnerable versions.
Vulnerability Summary
- CVE-2025-9501 — Critical (CVSS 9.0)
- Root cause: improper input handling in the _parse_dynamic_mfunc function
- Attack method: posting a crafted comment triggers execution of injected PHP
- No authentication or privileges required
- Exploitation allows full site compromise, data theft, privilege escalation, malware deployment, or defacement
Affected Versions
- W3 Total Cache versions below 2.8.13
Fixed Version
- Update to W3 Total Cache 2.8.13 or later
Recommended Actions
- Apply the latest plugin update immediately
- Review WordPress logs and comments for suspicious activity
- Ensure file integrity monitoring and WAF rules are active
- Remove or disable unused plugins to reduce attack surface
Reference
https://www.cve.org/CVERecord?id=CVE-2025-9501
- Critical Vulnerabilities in IBM AIX and VIOS
Multiple critical vulnerabilities in IBM AIX and VIOS allow remote command execution, unauthorized access to sensitive information, and file manipulation. Several flaws impact core NIM components, exposing systems to full compromise.
Vulnerability Summary
• CVE-2025-36251 – RCE via nimsh (CVSS 9.6 Critical)
  – Improper SSL/TLS process controls in nimsh allow remote execution of arbitrary commands.
  – Extends attack vectors previously addressed in CVE-2024-56347.
• CVE-2025-36096 – Exposure of NIM Private Keys (CVSS 9.0 Critical)
  – NIM private keys are stored insecurely, enabling attackers to access or intercept them.
  – Could allow impersonation, interception of deployments, or long-term system access.
• CVE-2025-36250 – RCE via nimesis (CVSS 10.0 Critical)
  – Most severe vulnerability. Improper process controls allow full remote command execution.
  – Extends attack vectors from CVE-2024-56346.
• CVE-2025-36236 – Directory Traversal (CVSS 8.2 High)
  – Improper URL handling in NIM allows arbitrary file writes.
  – May result in privilege escalation or root-level system compromise.
Affected Products
• AIX 7.2
• AIX 7.3
• VIOS 3.1
• VIOS 4.1
Fixed Versions
• Refer to IBM advisory for fix packages and remediation steps.
Recommendation
• Apply IBM’s patches or mitigation guidance immediately.
• Restrict remote NIM service exposure and review access controls.
• Monitor for unauthorized NIM activity or unusual deployments.
Reference
https://www.ibm.com/support/pages/node/7251173
- Multiple Vulnerabilities in Elastic Kibana
Elastic has disclosed two vulnerabilities in Kibana that could enable DOM-based Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF). These issues affect both Elastic Cloud and self-hosted deployments.
Vulnerability Summary
• CVE-2025-59840 – DOM-based XSS (CVSS 8.7 High)
– Caused by improper input sanitization in the Vega visualization engine.
– Allows arbitrary JavaScript execution in the user’s browser.
– Risks include session hijacking, data theft, or malicious script execution.
• CVE-2025-37734 – SSRF via Origin Validation Bypass (CVSS 4.3 Medium)
– Origin validation flaw in the Observability AI Assistant.
– Attackers can use forged Origin headers to force Kibana to send internal HTTP requests.
– May expose internal services or sensitive system data.
Affected Versions
• All versions prior to:
– 8.19.7
– 9.1.7
– 9.2.1
Fixed Versions
• Kibana 8.19.7
• Kibana 9.1.7
• Kibana 9.2.1
Recommendation
• Update Kibana to the latest fixed version immediately.
• Restrict access to Kibana dashboards through network segmentation.
• Enable strict authentication controls for internal dashboards.
References
https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-9-2-1-security-update-esa-2025-25/383379
https://discuss.elastic.co/t/kibana-8-19-7-9-1-7-and-9-2-1-security-update-esa-2025-24/383381
- New EVALUSION ClickFix Campaign Delivering Amatera Stealer and NetSupport RAT
A newly observed malware campaign, tracked as EVALUSION, abuses ClickFix social-engineering techniques to deliver Amatera Stealer and NetSupport RAT.
Key Findings
• The campaign uses fake reCAPTCHA/Cloudflare verification pages that instruct victims to run a malicious command via the Windows Run dialog.
• The command triggers mshta.exe, which launches a PowerShell script to download a .NET loader from MediaFire.
• This loader drops the Amatera Stealer DLL, packed with PureCrypter, and injects it into MSBuild.exe.
• Amatera is the successor of ACR Stealer and is now sold as malware-as-a-service (MaaS) for $199–$1,499.
• The stealer targets crypto-wallets, browsers, email clients, FTP clients, and messaging apps.
• It uses WoW64 SysCalls to bypass AV/EDR detection and user-mode hooking.
• After harvesting data, Amatera runs a PowerShell check — NetSupport RAT is only downloaded if the system has a domain or valuable files (e.g., crypto wallets).
Additional Related Campaigns
• Fake invoice emails with VBS attachments delivering XWorm.
• Compromised sites injecting JavaScript redirecting users to ClickFix pages delivering NetSupport RAT (SmartApeSG).
• Fake Booking.com sites showing CAPTCHA checks to run malicious PowerShell droppers.
• Internal email spoofing used for credential theft (invoices, RFQs, delivery notices).
• Phishing kits Cephas and Tycoon 2FA deploying obfuscated malicious login pages.
• Cephas uses invisible-character obfuscation to evade scanners and YARA rules.
Threat Impact
• Credential theft
• Crypto-wallet compromise
• Full system remote access via NetSupport RAT
• Evasion of common AV/EDR
• High-risk phishing distribution infrastructure
Recommendation
• Block mshta.exe and restrict PowerShell execution.
• Monitor for PowerShell commands triggered from Run dialog.
• Enforce browser isolation and strict email filtering.
• Implement phishing-resistant MFA.
• Monitor for MSBuild.exe abuse and PureCrypter indicators.
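Two of the recommendations above, watching for PowerShell launched from the Run dialog and for MSBuild.exe abuse, reduce to checks on the parent chain of process-creation events. The following added example (not code from the digest or from any vendor) implements both over a constructed set of events; the event shape is an assumed minimal one, loosely modelled on the fields a Sysmon process-creation event carries, and the command lines are placeholders.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation event. The fields are an assumed minimal shape
    (loosely like Sysmon event ID 1), not any product's real schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelling the chain the digest describes: the pasted command
# runs from the Run dialog (parent explorer.exe), mshta.exe launches PowerShell,
# and the loader's payload ends up in MSBuild.exe. A legitimate dotnet build that
# also spawns MSBuild.exe is included so the rule can be checked for noise.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 1000, r"C:\Windows\System32\mshta.exe", "mshta.exe https://verify.example.invalid/"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c <loader download placeholder>"),
    ProcEvent(1400, 1300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(2000, 900, r"C:\Program Files\dotnet\dotnet.exe", "dotnet build app.csproj"),
    ProcEvent(2100, 2000, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe app.csproj"),
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path, computed on any host OS."""
    return ntpath.basename(path).lower()


def ancestry(events, pid):
    """[self, parent, grandparent, ...] image names for a pid, stopping at an
    unknown parent or a cycle in the (possibly incomplete) event set."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (pid, rule) alerts for the two chains the digest recommends watching."""
    alerts = []
    for e in events:
        chain = ancestry(events, e.pid)
        if chain[0] == "powershell.exe" and chain[1:3] == ["mshta.exe", "explorer.exe"]:
            alerts.append((e.pid, "clickfix_run_dialog: explorer.exe > mshta.exe > powershell.exe"))
        if chain[0] == "msbuild.exe" and SCRIPT_HOSTS.intersection(chain[1:]):
            alerts.append((e.pid, "msbuild_under_script_host: possible injection target"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The MSBuild rule keys on ancestry rather than on MSBuild.exe alone, so the build launched by dotnet.exe in the sample produces no alert while the one descended from mshta.exe and PowerShell does; blocking mshta.exe outright, as the first recommendation says, remains the preventive control.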
References
https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
- Sneaky 2FA Phishing Kit Adds BitB Pop-ups Mimicking Browser Address Bar
A new evolution of the Sneaky 2FA Phishing-as-a-Service (PhaaS) kit incorporates Browser-in-the-Browser (BitB) pop-ups that imitate real browser login windows, significantly increasing the effectiveness of credential theft attacks.
Key Findings
• Sneaky 2FA now uses BitB fake authentication pop-ups that precisely mimic the Microsoft login window and display a legitimate-looking URL inside the pop-up.
• BitB uses HTML/CSS to simulate a real browser interface, hiding the true phishing URL.
• Victims landing on domains such as previewdoc[.]us see a Cloudflare Turnstile challenge first, then a Microsoft “Sign in” button.
• Clicking the button loads a fake Microsoft login form inside an embedded browser, capturing credentials and session data.
• Attackers deploy conditional loading to hide phishing pages from scanners and redirect non-targets.
• The Sneaky 2FA kit also disables browser developer tools, adds code obfuscation, and rotates domains rapidly to evade detection.
Advanced Bypass Techniques
• Attackers are also exploiting malicious browser extensions to hijack the WebAuthn process, enabling passkey bypass (“Passkey Pwned Attack”).
• The extension intercepts WebAuthn API calls and generates attacker-controlled key pairs.
• Private keys are stored locally and exfiltrated to attackers for later use.
• A downgrade technique is used by kits like Tycoon, forcing victims to choose less-secure authentication options that can be phished.
Threat Impact
• Credential theft (Microsoft Accounts)
• Full session/token hijacking
• 2FA / passkey bypass via WebAuthn manipulation
• Stealth phishing campaigns invisible to scanners
• High likelihood of account takeover (ATO)
Recommendations
• Enforce phishing-resistant MFA without weaker fallback options.
• Block unauthorized browser extensions via group policy.
• Use conditional access (device + location + risk-based login).
• Enable browser isolation and email link inspection.
• Warn users about BitB pop-ups and fake reCAPTCHA/Cloudflare pages.
Reference
https://thehackernews.com/2025/11/sneaky-2fa-phishing-kit-adds-bitb-pop.html
- TamperedChef Malware Spreads via Fake Software Installers (Global Malvertising Campaign)
A global malvertising campaign known as TamperedChef is distributing malware through fake installers spoofing popular software applications. The campaign relies heavily on social engineering, SEO poisoning, and malicious ads to lure users into downloading trojanized installers.
Key Findings
• TamperedChef uses fake software installers (PDF editors, utilities, manuals) to deliver a JavaScript-based backdoor.
• Attackers use malvertising, poisoned search results, and abused code-signing certificates from shell companies in the U.S., Panama, and Malaysia to appear legitimate.
• The campaign is linked to the broader EvilAI ecosystem, which uses AI-related lures for malware distribution.
• Code-signing certificates are rotated frequently, enabling continuous bypass of security checks.
• After installation, the fake installer drops an XML file that creates a scheduled task launching an obfuscated JavaScript backdoor.
• The malware sends machine metadata (session ID, machine ID, system info) via encrypted, Base64-encoded HTTPS to an external C2 server.
Malware Behavior
• Establishes persistence through scheduled tasks.
• Executes an obfuscated JavaScript backdoor.
• Exfiltrates system information to remote servers.
• Can facilitate advertising fraud or be sold as access to other cybercriminals.
• May be used to harvest sensitive data for monetization.
Targeting & Impact
• Most infections: U.S., followed by Israel, Spain, Germany, India, and Ireland.
• Highly affected sectors: healthcare, construction, and manufacturing.
• Users searching online for product manuals or specialized tools are particularly vulnerable.
• High risk of unauthorized remote access, data theft, malware deployment, and fraud.
Recommendations
• Block malvertising domains and enforce safe browsing filters.
• Disable installation of unsigned or newly-signed applications in enterprise environments.
• Implement application allow-listing and restrict PowerShell/JScript execution.
• Educate users on fake installers and SEO-poisoned download sites.
• Monitor scheduled tasks and unusual JavaScript executions.
Reference
https://thehackernews.com/2025/11/tamperedchef-malware-spreads-via-fake.html
- Asus Routers Hacked in ‘WrtHug’ Campaign (Suspected Chinese ORB Operation)
Researchers have uncovered a large-scale router compromise campaign called WrtHug, targeting tens of thousands of Asus routers globally, with a strong focus on Taiwan. The activity is suspected to support Chinese cyberespionage operations by building an Operational Relay Box (ORB) network using unpatched SOHO routers.
Key Findings
• Researchers identified ~50,000 compromised Asus routers sharing a self-signed TLS certificate expiring in the year 2122, used for AiCloud services.
• Attackers likely used CVE-2023-39780, the same vulnerability seen in the earlier AyySSHush router botnet campaign.
• WrtHug infrastructure is consistent with ORB-building, a known technique used by Chinese state-linked threat actors to anonymize cyberespionage traffic.
• No routers inside mainland China (except Hong Kong) were found compromised, while Taiwan accounted for one-third to one-half of infections.
• Attackers ensure router functionality remains normal, making malicious relay traffic difficult to detect.
• Campaign shares similarities with the AyySSHush Asus router backdoor operation (2024), raising the possibility of a related or evolving campaign.
Why This Matters
• ORB networks allow threat actors to hide attacks behind compromised routers, making attribution and detection harder.
• Large-scale compromise of SOHO routers threatens enterprise networks because espionage traffic relayed through them arrives from ordinary residential IP space that reputation-based controls treat as benign.
• Focus on Taiwan and Southeast Asia aligns with Chinese geopolitical and intelligence collection interests.
Impact
• Remote command execution and covert routing of malicious traffic.
• Routers transformed into stealth infrastructure for cyberespionage.
• Potential downstream impact on organizations connected through these routers.
Recommendations
• Update Asus router firmware immediately, prioritising models affected by CVE-2023-39780.
• Disable WAN-facing remote management on SOHO routers (including AiCloud and remote admin access) unless it is strictly required.
• Replace end-of-life hardware; unsupported routers do not receive security patches.
• Enforce network segmentation to isolate SOHO devices.
• Monitor for anomalous outbound traffic patterns from router IPs.
Reference
https://www.bankinfosecurity.com/asus-routers-hacked-in-wrthug-campaign-a-30064
- Cloudflare Outage – Global Service Disruption (18 November 2025)
Cloudflare experienced a major global outage on 18 November 2025, resulting in widespread HTTP 5xx errors and service failures across multiple Cloudflare products. The outage was not caused by a cyberattack, but by an internal configuration error that led to the distribution of a malformed, oversized Bot Management feature file.
What Happened
• At 11:20 UTC, Cloudflare’s core proxy (both the older FL and the newer FL2 engine) began failing after loading an oversized “feature file” generated by the Bot Management system.
• A permissions change on a ClickHouse database cluster made the query that builds the feature file return every column twice (once from the database it was meant to read and once from the underlying storage database), doubling the number of entries in the file.
• The proxy enforces a hard limit on the number of features it will load; exceeding that limit put the loader on an error path with no handler (the error result was simply unwrapped), so the proxy thread panicked and requests failed with 5xx errors.
• Because the file is regenerated every 5 minutes and, at first, only some ClickHouse nodes had received the permission change, good and bad files alternated, producing cycles of recovery and failure that were initially mistaken for a hyper-scale DDoS attack.
• Once every ClickHouse node had the change, every generated file was bad, and the impact became global and persistent.
Global Impact
• Core CDN & Security: HTTP 5xx errors for millions of users globally.
• Turnstile: Failed to load, causing login failures.
• Workers KV: Heavy 5xx errors; dependent services impacted.
• Dashboard: Users unable to log in due to Turnstile failure.
• Access: Authentication failures from 11:30–13:10 and 14:40–15:30.
• Email Security: Temporary loss of reputation source; minor accuracy reduction.
• Increased CDN latency due to debugging and observability systems consuming CPU.
Timeline Summary (UTC)
• 11:05 – Database permission change deployed.
• 11:20 – Outage begins; first network-wide 5xx errors.
• 11:32–13:05 – Initial incorrect assumption: Workers KV degradation / possible DDoS.
• 13:05 – Workers KV & Access bypass proxy → partial recovery.
• 13:37 – Teams focus on restoring last-known-good Bot Management file.
• 14:24 – Bad file propagation stopped.
• 14:30 – Major recovery; services return to near-normal.
• 17:06 – Full recovery; all services stable.
Root Cause
• A ClickHouse permissions update unintentionally gave the feature-file query visibility into the metadata of an additional, underlying database.
• The query that generates the Bot Management feature file did not filter by database name, so every column was returned twice → duplicate rows.
• The file exceeded the proxy’s 200-feature limit → unhandled error → proxy panic → global 5xx errors.
Key Lessons & Remediation Steps
• Treat internally generated configuration files as untrusted input: validate schema and size when the file is generated and again when it is loaded.
• Add global kill switches for high-impact modules such as Bot Management.
• Make proxy modules fail safe: reject an invalid file and keep serving with the last-known-good one rather than crashing on a limit.
• Review observability and debugging tools so they cannot exhaust CPU during an incident.
• Strengthen change control for ClickHouse schema and permission changes.
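The following is an added example written for this digest, not Cloudflare’s FL2 source code (FL2 is written in Rust, which is why Rust is used here). It models the two halves of the failure described above: a feature-file generator that, before and after hardening, reads column metadata rows of the shape a `system.columns` query would return, and a proxy-side loader that either panics on a bad file (the crash-on-limit behaviour) or rejects it and keeps the last-known-good set. The database names (`default`, `r0`), the table name, the row type and all feature counts are constructed for the example; only the 200-feature cap comes from the post-mortem.

```rust
use std::collections::BTreeSet;

// Hard cap the (hypothetical) proxy will load; 200 is the figure in
// Cloudflare's post-mortem. Everything else in this file is a constructed model.
pub const MAX_FEATURES: usize = 200;

/// One row of column metadata, shaped like the output of a query against
/// ClickHouse's `system.columns` (database, table, column name). Constructed.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ColumnRow {
    pub database: String,
    pub table: String,
    pub name: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ConfigError {
    Empty,
    TooManyFeatures { got: usize, max: usize },
}

/// Pre-incident shape of the generator (reconstructed, hypothetical): no filter
/// on `database`, no de-duplication, no size check. Every row the account can
/// now see becomes a feature, so a permission change silently doubles the file.
pub fn build_feature_file_naive(rows: &[ColumnRow]) -> Vec<String> {
    rows.iter().map(|r| format!("{}.{}", r.table, r.name)).collect()
}

/// Hardened generator: restrict to the intended database, de-duplicate, and
/// validate the count before a file is ever written out.
pub fn build_feature_file(rows: &[ColumnRow], wanted_db: &str) -> Result<Vec<String>, ConfigError> {
    let features: BTreeSet<String> = rows
        .iter()
        .filter(|r| r.database == wanted_db)
        .map(|r| format!("{}.{}", r.table, r.name))
        .collect();
    if features.is_empty() {
        return Err(ConfigError::Empty);
    }
    if features.len() > MAX_FEATURES {
        return Err(ConfigError::TooManyFeatures { got: features.len(), max: MAX_FEATURES });
    }
    Ok(features.into_iter().collect())
}

/// Proxy-side loader that remembers the last-known-good feature set.
pub struct FeatureLoader {
    current: Vec<String>,
    rejected: usize,
}

impl FeatureLoader {
    pub fn new(initial: Vec<String>) -> Self {
        FeatureLoader { current: initial, rejected: 0 }
    }

    /// Crash-on-limit behaviour: an error on the request path becomes a panic,
    /// which is exactly what `unwrap()` on an `Err` does. Kept only for contrast.
    pub fn load_or_panic(&mut self, candidate: Result<Vec<String>, ConfigError>) {
        self.current = candidate.unwrap();
    }

    /// Fail-safe behaviour: reject the bad file, count the rejection for
    /// alerting, and keep serving with the previous set so a single bad
    /// config push cannot take traffic down.
    pub fn load_or_keep(&mut self, candidate: Result<Vec<String>, ConfigError>) -> Result<(), ConfigError> {
        match candidate {
            Ok(features) => {
                self.current = features;
                Ok(())
            }
            Err(e) => {
                self.rejected += 1;
                Err(e)
            }
        }
    }

    pub fn current(&self) -> &[String] {
        &self.current
    }

    pub fn rejected(&self) -> usize {
        self.rejected
    }
}

/// Constructed sample input: `n` columns visible through `default` and, when
/// `leak_r0` is set, the same columns visible a second time through the
/// underlying `r0` database, mimicking the effect of the permission change.
pub fn sample_rows(n: usize, leak_r0: bool) -> Vec<ColumnRow> {
    let mut rows = Vec::with_capacity(if leak_r0 { 2 * n } else { n });
    for i in 0..n {
        let name = format!("feature_{i:03}");
        rows.push(ColumnRow { database: "default".into(), table: "http_requests_features".into(), name: name.clone() });
        if leak_r0 {
            rows.push(ColumnRow { database: "r0".into(), table: "http_requests_features".into(), name });
        }
    }
    rows
}

fn main() {
    // 130 real features, seen twice after the permission change: the naive
    // generator emits 260 entries and blows through the cap; the hardened one
    // filters and de-duplicates back down to 130.
    let rows = sample_rows(130, true);
    let naive = build_feature_file_naive(&rows);
    let hardened = build_feature_file(&rows, "default").unwrap();
    println!("naive generator: {} entries (cap is {})", naive.len(), MAX_FEATURES);
    println!("hardened generator: {} entries", hardened.len());

    // A genuinely oversized file is rejected at load time and the proxy keeps
    // serving with the last-known-good set instead of panicking.
    let mut loader = FeatureLoader::new(hardened);
    match loader.load_or_keep(build_feature_file(&sample_rows(250, false), "default")) {
        Ok(()) => println!("loaded new file"),
        Err(e) => println!("rejected new file: {e:?}; still serving {} features", loader.current().len()),
    }
}
```

The design point is that the limit is checked twice, once where the file is produced and once where it is consumed, and that the consumer's error path returns a `Result` the caller can act on rather than terminating the worker thread.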
Final Status
• Outage fully resolved at 17:06 UTC on 18 November 2025.
• Cloudflare confirmed no malicious activity was involved.
• Outage considered Cloudflare’s most severe since 2019.
Reference Links
https://blog.cloudflare.com/18-november-2025-outage/
https://www.khaleejtimes.com/business/tech/cloudflare-outage-internet-disrupted-x-down