Weekly Threat Landscape Digest – Week 52

1. High-Severity Vulnerability in F5 NGINX Ingress Controller (CVE-2025-14727)

A high-severity vulnerability in F5 NGINX Ingress Controller could allow an authenticated user with ingress creation privileges to inject arbitrary NGINX configuration directives via insufficient validation of the nginx.org/rewrite-target annotation. Successful exploitation may lead to information disclosure, privilege escalation, or service disruption.

Technical Details

• CVE: CVE-2025-14727
• Severity: High (CVSS v4.0: 8.7)
• Root Cause: Improper validation of ingress annotations (nginx.org/rewrite-target)
• Attack Prerequisite: Authenticated access + permission to create/modify ingresses
• Potential Impact:
  • Arbitrary NGINX configuration injection
  • Sensitive information exposure
  • Privilege escalation within the application environment
  • Service disruption / downtime

Affected Versions

• NGINX Ingress Controller 5.x: 5.3.0

Fixed Versions

• NGINX Ingress Controller 5.x: 5.3.1 or later

Recommendations

• Upgrade immediately to 5.3.1+ (or vendor-recommended fixed release).
• Restrict ingress creation privileges (least privilege) to trusted admins only.
• Audit ingress objects for suspicious or unusual annotations (especially rewrite-related).
• Enable monitoring/alerting for unauthorized ingress changes and config reload events.
• If patching is delayed: apply F5 mitigation/workaround and increase monitoring until upgrade is complete.

References

• F5 Advisory: https://my.f5.com/manage/s/article/K000158176

 

2. Critical Remote Code Execution Vulnerability in n8n Workflow Automation Platform (CVE-2025-68613)

A critical Remote Code Execution (RCE) vulnerability has been disclosed in the n8n workflow automation platform. The flaw allows an authenticated user with low privileges (workflow creation or editing rights) to execute arbitrary operating system commands via expression injection in workflow definitions. Successful exploitation may result in full server compromise, exposure of sensitive data, manipulation or destruction of workflows, and lateral movement across connected systems.

Technical Details

• CVE: CVE-2025-68613
• Severity: Critical (CVSS: 9.9 / 10)
• Vulnerability Type: Remote Code Execution (RCE)
• Attack Vector: Authenticated
• Privileges Required: Low (workflow creation/edit permissions)
• User Interaction: Required
• Root Cause: Expression injection in workflow definitions
• Potential Impact:
  • Arbitrary OS command execution
  • Full server compromise
  • Unauthorized access to sensitive data
  • Workflow manipulation or destruction
  • Lateral movement across integrated infrastructure

Affected Versions

• n8n (npm): >= 0.211.0 and < 1.120.4

Fixed Versions

• 1.120.4
• 1.121.1
• 1.122.0

Recommendations

• Upgrade immediately to 1.120.4, 1.121.1, or 1.122.0.
• Restrict workflow creation and editing permissions to trusted users only (least privilege).
• Audit existing workflows for suspicious or malicious expressions.
• Monitor server and application logs for abnormal command execution or unauthorized workflow changes.
• Initiate incident response procedures if any indicators of compromise are detected.

References

• https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp

 

3. Critical Unauthenticated Compression Vulnerability in MongoDB Server (CVE-2025-14847)

A critical unauthenticated information disclosure vulnerability has been identified in MongoDB Server, allowing remote attackers to extract uninitialized heap memory without authentication. The issue resides in MongoDB’s zlib compression handling, potentially exposing sensitive in-memory data such as cached credentials, query contents, or other runtime artifacts. With a CVSS v4 score of 8.7, this vulnerability poses a serious risk to internet-exposed MongoDB deployments.

Technical Details

• CVE: CVE-2025-14847
• Severity: High
• CVSS v4: 8.7
• Attack Vector: Network
• Authentication Required: None
• Impact Type: Information Disclosure / Memory Leak
• Affected Component: MongoDB Server – zlib compression implementation
• Root Cause: Improper handling of compressed data leading to exposure of uninitialized heap memory

Potential Impact

• Leakage of sensitive in-memory data (e.g., credentials, queries, tokens)
• Exposure of internal database state and runtime artifacts
• Increased risk of follow-on attacks using disclosed information
• Elevated risk for publicly accessible MongoDB instances

Affected Versions

• MongoDB 8.2.0 – 8.2.3
• MongoDB 8.0.0 – 8.0.16
• MongoDB 7.0.0 – 7.0.26
• MongoDB 6.0.0 – 6.0.26
• MongoDB 5.0.0 – 5.0.31
• MongoDB 4.4.0 – 4.4.29
• All MongoDB Server v4.2 versions
• All MongoDB Server v4.0 versions
• All MongoDB Server v3.6 versions

Fixed Versions

• MongoDB 8.2.3
• MongoDB 8.0.17
• MongoDB 7.0.28
• MongoDB 6.0.27
• MongoDB 5.0.32
• MongoDB 4.4.30

Recommendations

• Upgrade immediately to the latest patched MongoDB version applicable to your deployment.
• Restrict network exposure of MongoDB servers (avoid direct internet access).
• Enforce authentication and TLS for all database connections.
• Monitor database and network logs for abnormal access patterns or unusual data leakage indicators.
• Review configurations to disable unnecessary compression features if not required and supported by policy.

References

• https://jira.mongodb.org/browse/SERVER-115508

 

4. Vulnerability in Apache Log4j Core Socket Appender (CVE-2025-68161)

A medium-severity vulnerability has been identified in Apache Log4j Core’s Socket Appender that could allow attackers to intercept or redirect sensitive log data due to missing TLS hostname verification. Even when hostname verification is explicitly enabled through configuration settings or system properties, affected versions fail to enforce this validation, potentially allowing connections to unintended or malicious log servers.

Vulnerability Details

• CVE ID: CVE-2025-68161
• Severity: Medium
• CVSS Score: 6.3
• Vulnerability Type: Missing TLS Hostname Verification
• Affected Component: Apache Log4j Core – Socket Appender
• The vulnerability exists in the Socket Appender component responsible for transmitting log data over TLS to remote logging servers. Improper hostname validation enables trusted connections to malicious endpoints.

Impact / Risk

• Man-in-the-Middle (MitM) attacks on log transmission
• Interception or redirection of sensitive log data
• Exposure of credentials, operational details, or user-related information
• Increased risk of follow-on attacks using leaked log intelligence

Affected Versions

• Apache Log4j Core (org.apache.logging.log4j:log4j-core) 2.0-beta9 to before 2.25.3

Fixed Version

• Apache Log4j Core 2.25.3 or later

Recommended Actions

• Upgrade Apache Log4j Core immediately to version 2.25.3 or later
• Review network-based logging configurations and restrict log traffic to trusted destinations
• Ensure secure TLS configurations and avoid transmitting logs over untrusted networks
• Monitor for abnormal log routing or unexpected remote logging endpoints

References
https://nvd.nist.gov/vuln/detail/CVE-2025-68161

 

5. Critical Buffer Overflow Vulnerability in Net-SNMP (CVE-2025-68615)

A critical buffer overflow vulnerability has been identified in Net-SNMP, a widely used open-source network monitoring and management suite. The flaw affects the snmptrapd daemon, which is responsible for receiving and processing SNMP trap messages. Successful exploitation could lead to service crashes and potential remote code execution, posing a serious risk to network monitoring infrastructure.

Vulnerability Details

• CVE ID: CVE-2025-68615
• Severity: Critical
• CVSS Score: 9.8
• Vulnerability Type: Buffer Overflow
• Affected Component: snmptrapd daemon
• Affected Software: Net-SNMP (all versions prior to patch)
• The vulnerability is triggered when snmptrapd processes a malformed SNMP trap packet. Due to improper bounds checking, crafted input can cause a buffer overflow, resulting in daemon crashes and potentially enabling arbitrary code execution.

Impact / Risk

• Remote denial-of-service (snmptrapd crash)
• Potential remote code execution
• Disruption of network monitoring and alerting operations
• Increased exposure of network management infrastructure

Fixed Versions

• Net-SNMP 5.9.5
• Net-SNMP 5.10.pre2

Recommended Actions

• Immediately upgrade Net-SNMP to version 5.9.5, 5.10.pre2, or later
• Restrict network access to SNMP services and limit exposure to trusted management networks
• Monitor logs for malformed SNMP trap activity or repeated snmptrapd crashes
• Apply network-level filtering to block untrusted SNMP traffic where possible

References
https://github.com/net-snmp/net-snmp/security/advisories/GHSA-4389-rwqf-q9gq

 

6. Multiple Vulnerabilities in Rockwell Automation Micro820, Micro850, and Micro870 Controllers

Multiple security vulnerabilities have been identified in Rockwell Automation Micro820, Micro850, and Micro870 programmable controllers that could allow attackers to trigger denial-of-service (DoS) conditions. Successful exploitation may cause controller faults, loss of responsiveness, and temporary operational outages, potentially impacting industrial control system availability.

Vulnerability Details

• CVE-2025-13823
  • CVSS v3.1: 6.5 (Medium)
  • CWE: CWE-1395 – Dependency on Vulnerable Third-Party Component
  • A flaw in the IPv6 stack may be triggered by malformed packets, causing the controller to enter a recoverable fault state.
• CVE-2025-13824
  • CVSS v3.1: 7.5 (High)
  • CWE: CWE-763 – Release of Invalid Pointer or Reference
  • Improper handling of malformed CIP packets can force the controller into a hard fault state, requiring a manual power cycle to restore functionality.

Impact / Risk

• Denial-of-service (DoS) conditions
• Controller fault or hard fault states
• Temporary loss of availability
• Operational disruption in industrial environments

Affected Products and Mitigations

• Micro850 / Micro870 (L50E / L70E):
  • Affected: V23.011 → Fixed in V23.012
• Micro850 / Micro870 (LC50 / LC70):
  • Affected: V12.013 and earlier
  • Mitigation: Migrate to L50E / L70E controllers running V23.012
• Micro820 (LC20):
  • Affected: V14.011 and earlier
  • Mitigation: Migrate to L20E controllers running V23.011

Recommended Actions

• Upgrade affected controllers to the latest supported firmware versions
• Disable unused network features such as IPv6 where operationally feasible
• Restrict controller exposure to trusted networks only
• Implement network segmentation and strict access controls
• Monitor for abnormal network traffic and unexpected controller fault states

References
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-07

7. Actively Exploited Critical Vulnerability in WatchGuard Firebox

A critical out-of-bounds write vulnerability has been identified in the iked process of WatchGuard Fireware OS, affecting WatchGuard Firebox appliances. The flaw can be exploited by a remote, unauthenticated attacker during IKEv2 negotiations, allowing arbitrary code execution on vulnerable devices. WatchGuard has confirmed that this vulnerability is actively exploited in the wild, significantly increasing the risk to exposed environments.

The vulnerability primarily impacts Firebox devices configured for Mobile User VPN with IKEv2 or Branch Office VPNs using IKEv2, particularly when dynamic gateway peers are enabled.

Vulnerability Details

• CVE ID: CVE-2025-14733
• Severity: Critical
• CVSS v4.0 Score: 9.3
• Vulnerability Type: Out-of-Bounds Write
• Attack Vector: Remote
• Authentication Required: None
• Affected Component: Fireware OS – iked process
• Improper handling of certificate payloads during IKEv2 negotiations allows remote code execution.

Impact / Risk

• Remote unauthenticated code execution
• Full compromise of firewall appliances
• Exposure of VPN infrastructure
• Potential lateral movement within enterprise networks

Indicators of Attack (IoAs)
Known malicious IP addresses associated with exploitation attempts:

• 45.95.19[.]50
• 51.15.17[.]89
• 172.93.107[.]67
• 199.247.7[.]82

Affected and Fixed Versions

• Fireware OS 2025.1 → Fixed in 2025.1.4
• Fireware OS 12.x → Fixed in 12.11.6
• Fireware OS 12.5.x (T15 & T35 models) → Fixed in 12.5.15
• Fireware OS 12.3.1 (FIPS-certified) → Fixed in 12.3.1_Update4 (B728352)
• Fireware OS 11.x → End of Life (upgrade required)

Recommended Actions

• Upgrade immediately to the appropriate patched Fireware OS version
• If exploitation is suspected or confirmed:
  • Rotate all VPN pre-shared keys
  • Regenerate certificates
  • Reset locally stored credentials
• Restrict VPN exposure to trusted networks
• Monitor firewall and VPN logs for abnormal IKEv2 activity

References
https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2025-00027

 

8. Cross-Site Scripting (XSS) Vulnerability in Elastic Kibana

Elastic has disclosed a high-severity cross-site scripting (XSS) vulnerability affecting multiple versions of Kibana across the 7.x, 8.x, and 9.x release branches. The flaw exists within Kibana’s Vega visualization framework, where improper neutralization of user-supplied input during web page generation allows malicious scripts to be injected and executed in users’ browsers.

Successful exploitation requires authenticated access and could enable attackers to execute arbitrary JavaScript in the context of a victim’s session, potentially leading to credential theft, session hijacking, or unauthorized actions within Kibana.

Vulnerability Details

• CVE ID: CVE-2025-68385
• Elastic Advisory: ESA-2025-34
• Severity: High
• CVSS v3.1 Score: 7.2
• Vulnerability Type: Cross-Site Scripting (XSS)
• CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation
• Improper handling of user input in Vega visualizations allows authenticated users to embed malicious scripts, bypassing previous Vega XSS mitigations.

Affected Versions

• 7.x: All versions
• 8.x: 8.0.0 through 8.19.8
• 9.x:
  • 9.0.0 through 9.1.8
  • 9.2.0 through 9.2.2

Fixed Versions

• 8.19.9
• 9.1.9
• 9.2.3

Mitigations (If Immediate Upgrade Is Not Possible)

• Self-hosted deployments:
  • Set vis_type_vega.enabled: false in kibana.yml
• Elastic Cloud deployments:
  • Disable Vega by setting vis_type_vega.enabled: false in Kibana user settings
• Note: Disabling Vega will remove all Vega-based visualizations.

Recommended Actions

• Upgrade Kibana to the latest patched version immediately
• Apply Vega disablement mitigation where upgrades cannot be performed
• Monitor Kibana activity for suspicious visualization creation or modification
• Restrict access to visualization editing to trusted users only

References
https://discuss.elastic.co/t/kibana-8-19-9-9-1-9-and-9-2-3-security-update-esa-2025-34/384182

 

9. Critical Vulnerabilities in NVIDIA Isaac Launchable

NVIDIA has released a critical security update for NVIDIA Isaac Launchable, addressing multiple high-impact vulnerabilities that could be exploited by remote, unauthenticated attackers. Successful exploitation may result in arbitrary code execution, privilege escalation, denial-of-service conditions, information disclosure, and data tampering, posing significant risk to affected environments.

Vulnerability Details

• CVE-2025-33222
  • Severity: Critical
  • CVSS Score: 9.8
  • Issue: Hard-coded credential vulnerability
  • Impact: Code execution, privilege escalation, denial of service, data tampering
• CVE-2025-33223
  • Severity: Critical
  • CVSS Score: 9.8
  • Issue: Execution with unnecessary privileges
  • Impact: Code execution, privilege escalation, denial of service, information disclosure, data tampering
• CVE-2025-33224
  • Severity: Critical
  • CVSS Score: 9.8
  • Issue: Execution with unnecessary privileges
  • Impact: Code execution, privilege escalation, denial of service, information disclosure, data tampering

Affected Products

• NVIDIA Isaac Launchable
  • All platforms
  • All versions prior to 1.1

Fixed Version

• Isaac Launchable 1.1

Recommended Actions

• Upgrade NVIDIA Isaac Launchable to version 1.1 immediately
• Restrict access to affected systems until patching is completed
• Monitor for anomalous activity indicating privilege misuse or unauthorized code execution

References
https://nvidia.custhelp.com/app/answers/detail/a_id/5749

 

10. Multiple Vulnerabilities in HPE Unified OSS Console Assurance Monitoring

Hewlett Packard Enterprise (HPE) has released a security bulletin addressing multiple vulnerabilities in HPE Unified OSS Console Assurance Monitoring (UOCAM). The identified issues could allow remote attackers to perform URL redirection, arbitrary file creation or deletion, and trigger availability-impacting conditions, posing risk to affected monitoring environments.

Vulnerability Details

• CVE-2025-55752
  • Severity: High
  • CVSS v3.1 Score: 7.5
  • Attack Vector: Network
  • Privileges Required: Low
  • Issue: Remote URL injection and arbitrary file creation/deletion
  • Impact: Confidentiality, integrity, and availability compromise
• CVE-2025-61795
  • Severity: Medium
  • CVSS v3.1 Score: 5.3
  • Attack Vector: Network
  • Privileges Required: Low
  • Issue: Service instability / denial-of-service condition
  • Impact: Availability disruption

Affected Versions

• HPE Unified OSS Console (UOCAM): All versions prior to 3.1.19

Fixed Version

• HPE Unified OSS Console Assurance Monitoring (UOCAM) 3.1.19

Recommended Actions

• Upgrade HPE UOCAM to version 3.1.19 immediately
• Restrict access to the application to trusted administrative users
• Monitor for abnormal file operations or unexpected redirections

References
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04989en_us&docLocale=en_US

 

11. High-Severity OS Command Injection Vulnerability in systeminformation Node.js Library

A high-severity security vulnerability has been identified in the widely used systeminformation Node.js library, tracked as CVE-2025-68154. The flaw affects Windows-based environments and exposes applications to OS Command Injection, potentially leading to Remote Code Execution (RCE).

Due to the library’s widespread adoption—reportedly exceeding 16 million downloads per month—the potential impact is significant. Affected applications include monitoring dashboards, command-line utilities, APIs, and web applications that rely on systeminformation to retrieve filesystem and operating system metrics.

If successfully exploited, an attacker could execute arbitrary PowerShell commands with the privileges of the running Node.js process, resulting in full system compromise.

Vulnerability Details

• CVE ID: CVE-2025-68154
• Severity: High
• Vulnerability Type: OS Command Injection
• Affected Component: fsSize() function
• Affected Versions: systeminformation v5.27.13 and earlier
• Affected Platforms: Windows only
• Fixed Version: 5.27.14

Impacted Systems

• Applications running systeminformation on Windows that pass user-controlled input to fsSize(drive)
• Web applications, APIs, or CLI tools that accept drive letters from users
• Monitoring dashboards allowing users to specify drives for querying

Potential Attack Scenarios

• Remote Code Execution (RCE) with Node.js process privileges
• Data exfiltration through unauthorized file access
• Privilege escalation if Node.js runs with elevated permissions
• Lateral movement within internal networks
• Deployment of ransomware or additional malware

Recommended Actions

• Upgrade systeminformation to version 5.27.14 or later immediately
• Avoid passing user-controlled input directly into filesystem-related functions
• Review Node.js applications for improper input handling and privilege exposure

References
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-wphjfx3q-84ch

 

12. Critical Vulnerability in Schneider Electric EcoStruxure Foxboro DCS Advisor

A critical security vulnerability has been identified affecting Schneider Electric EcoStruxure™ Foxboro DCS Advisor services due to an underlying flaw in Microsoft Windows Server Update Services (WSUS). The vulnerability could allow remote, unauthenticated attackers to execute arbitrary code with SYSTEM-level privileges, posing a serious risk to industrial control system (ICS) environments.

The issue originates from insecure deserialization within WSUS and directly impacts servers hosting Foxboro DCS Advisor services. Successful exploitation could lead to full system compromise, disruption of industrial operations, and loss of control system integrity.

Vulnerability Details

• CVE ID: CVE-2025-59287
• Severity: Critical
• CVSS v3.1 Score: 9.8
• CWE: CWE-502 – Deserialization of Untrusted Data
• Impact: Remote Code Execution, Privilege Escalation
• Attack Vector: Network
• Authentication Required: None

Affected Products

• Schneider Electric EcoStruxure™ Foxboro DCS Advisor

Potential Impact
Exploitation of this vulnerability may result in:

• Execution of arbitrary code with SYSTEM-level privileges
• Full compromise of monitoring, diagnostics, and advisory services
• Disruption or manipulation of industrial operations
• Increased risk to the confidentiality, integrity, and availability of control systems

Remediation and Mitigation

• Apply Microsoft Patch KB5070882
• Apply Microsoft Patch KB5070884
• Ensure all vendor-recommended security updates are deployed promptly
• Verify successful patch application across all affected systems
• Minimize network exposure of industrial control system assets
• Isolate control system networks from enterprise and external networks
• Restrict and secure remote access to control environments
• Enforce least-privilege access controls
• Monitor system logs for suspicious or unauthorized activity
• Conduct risk and impact assessments before deploying changes

References
https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-02

 

13. Critical Vulnerability in Apache Commons Text

A critical remote code execution vulnerability has been identified in Apache Commons Text, a widely used Java library for string manipulation and text interpolation. The vulnerability could be exploited when untrusted input is passed into the library’s text interpolation API, potentially allowing attackers to execute arbitrary code or access external resources.

The flaw affects Apache Commons Text versions prior to 1.10.0 and can lead to full system compromise if exploited in applications that process user-controlled input through the vulnerable interpolation functions.

Vulnerability Details

• CVE ID: CVE-2025-46295
• Severity: Critical
• CVSS Score: 9.8
• Vulnerability Type: Remote Code Execution
• Attack Vector: Network
• Authentication Required: None
• Affected Component: Apache Commons Text string interpolation API

Impact
Successful exploitation may allow an attacker to:

• Execute arbitrary commands on the affected system
• Access external or internal resources
• Compromise sensitive data processed by the application
• Gain full control of vulnerable servers running affected applications

Affected Versions

• Apache Commons Text versions prior to 1.10.0

Fixed Versions

• Apache Commons Text 1.10.0 or later
• FileMaker Server 22.0.4 (includes Apache Commons Text 1.14.0)

Recommendations

• Upgrade Apache Commons Text to version 1.10.0 or later immediately
• Update dependent applications and bundled products using vulnerable versions
• Review application code paths where user-controlled input is passed to text interpolation APIs
• Monitor systems for unusual command execution or outbound connections

References
https://www.tenable.com/cve/CVE-2025-46295

14. Privilege Escalation Vulnerability in Nagios XI

A high-severity local privilege escalation vulnerability has been identified in Nagios XI, which could allow attackers to execute arbitrary code with root privileges on affected systems. The issue stems from improper permission handling within Nagios XI maintenance scripts executed via sudo.

Nagios has released Nagios XI version 2026R1.1 to address this vulnerability. Systems running earlier versions are at risk of full system compromise if the flaw is successfully exploited.

Vulnerability Details

• CVE ID: CVE-2025-34288
• Severity: High
• CVSS Score: 8.6
• CWE: CWE-732 – Incorrect Permission Assignment for Critical Resource
• Vulnerability Type: Local Privilege Escalation

The vulnerability arises due to an unsafe interaction between sudo permissions and file permissions. A maintenance script that can be executed as root via sudo references an application file that is writable by lower-privileged users. This misconfiguration allows an attacker to modify the file and inject malicious code.

Impact
Successful exploitation may allow an attacker to:

• Execute arbitrary code with root-level privileges
• Bypass standard privilege boundaries
• Gain complete control of the affected system
• Compromise monitoring infrastructure and sensitive operational data

Affected Systems

• Nagios XI versions prior to 2026R1.1

Fixed Version

• Nagios XI 2026R1.1 or later

Recommendations

• Upgrade Nagios XI immediately to version 2026R1.1 or later
• Review sudo configurations and file permissions associated with Nagios scripts
• Restrict write permissions on application files to trusted users only
• Monitor systems for signs of privilege escalation or unauthorized file modifications

References
https://github.com/advisories/GHSA-2488-c4gj-6g77

 

15. Multiple Vulnerabilities in Foxit PDF Reader and Foxit PDF Editor

Multiple security vulnerabilities have been identified in Foxit PDF Reader and Foxit PDF Editor, which could allow attackers to perform privilege escalation, arbitrary code execution, memory corruption, or application crashes. The issues can be triggered locally through crafted PDF files, malicious installers, or insecure plugin installation mechanisms. Foxit has released security updates to address these risks, and immediate patching is strongly recommended.

Vulnerability Details

Uncontrolled Search Path Privilege Escalation

• CVE ID: CVE-2025-57779
• Severity: Important
• CVSS v3.1 Score: 8.8
• CWE: CWE-427 – Uncontrolled Search Path Element

This vulnerability occurs when Foxit applications are installed via the Microsoft Store. The installer incorrectly searches for msiexec.exe in the current working directory instead of the trusted system path. An attacker could place a malicious executable in the search path, leading to privilege escalation.

Multiple Use-After-Free Vulnerabilities

• CVE IDs: CVE-2025-58085, CVE-2025-59488, CVE-2025-66493, CVE-2025-66494, CVE-2025-66495
• Severity: Important
• CVSS v3.1 Score: 7.8
• CWE: CWE-416 – Use After Free

These flaws affect PDF parsing and handling of Barcode fields, Text Widget fields, AcroForms, and Annotation objects. Opening specially crafted PDF files may lead to arbitrary code execution.

Incorrect Permission Assignment – Local Privilege Escalation

• CVE ID: CVE-2025-13941
• Severity: Important
• CVSS v3.1 Score: 8.8
• CWE: CWE-732 – Incorrect Permission Assignment for Critical Resource

Weak file-system permissions during plugin installation could allow local attackers to tamper with plugin resources used by the update service, potentially leading to SYSTEM-level privilege escalation.

Out-of-Bounds Read Vulnerabilities

• CVE IDs: CVE-2025-66496, CVE-2025-66497, CVE-2025-66498
• Severity: Moderate
• CVSS v3.1 Score: 5.3
• CWE: CWE-125 – Out-of-Bounds Read

These issues arise when parsing malformed 3D PRC or U3D data embedded in PDFs, leading to memory corruption or application crashes.

Heap-Based Buffer Overflow (JBIG2 Parsing)

• CVE ID: CVE-2025-66499
• Severity: Important
• CVSS v3.1 Score: 7.8
• CWE: CWE-190 – Integer Overflow or Wraparound

A heap-based buffer overflow in JBIG2 parsing may allow arbitrary code execution when a malicious PDF is opened.

Affected Versions

• Foxit PDF Reader: 2025.2.1.33197 and earlier (Windows)
• Foxit PDF Editor:
  • 2025.2.1.33197 and earlier (all 2025.x)
  • 2024.4.1.27687 and earlier (all 2024.x)
  • 2023.3.0.23028 and earlier (all 2023.x)
  • 14.0.1.33197 and earlier
  • 13.2.1.23955 and earlier

Fixed Versions

• Foxit PDF Reader 2025.3
• Foxit PDF Editor 2025.3 / 14.0.2 / 13.2.2

Recommendations

• Update Foxit PDF Reader and Foxit PDF Editor to the latest fixed versions immediately
• Avoid opening PDF files from untrusted sources
• Restrict plugin installation permissions to trusted users
• Monitor endpoints for abnormal Foxit process behavior

References
https://www.foxit.com/support/security-bulletins.html

 

16. Active Exploitation of FortiOS SSL VPN 2FA Bypass Vulnerability

Fortinet has warned of active exploitation in the wild of a long-standing authentication bypass vulnerability affecting FortiOS SSL VPN, which allows users to authenticate without completing two-factor authentication (2FA) under specific configurations. Although originally disclosed in 2020, the vulnerability has resurfaced and is being actively abused by multiple threat actors.

Vulnerability Details

• CVE ID: CVE-2020-12812
• Severity: Medium
• CVSS Score: 5.2
• Vulnerability Type: Improper Authentication / 2FA Bypass
• Affected Component: FortiOS SSL VPN
• Attack Vector: Authenticated
• Privileges Required: Valid credentials
• User Interaction: None

The vulnerability arises from inconsistent case sensitivity handling of usernames between FortiGate local users and LDAP authentication. FortiGate treats usernames as case-sensitive, while LDAP directories do not. By changing the case of the username during login, attackers can bypass local user authentication checks and fall back to LDAP authentication—skipping enforced 2FA controls.

Conditions Required for Exploitation

The vulnerability can be triggered when all of the following conditions are present:

• Local user accounts on FortiGate are configured with 2FA
• Authentication type is set to remote (e.g., LDAP)
• The same users exist in LDAP and are members of at least one LDAP group
• The LDAP group is referenced in an authentication policy (Admin, SSL VPN, or IPsec VPN)

If these conditions are met, logging in with a differently cased username (e.g., JSmith instead of jsmith) may allow authentication without 2FA, even for administrative users.

Impact / Risk

• Bypass of two-factor authentication controls
• Unauthorized administrative or VPN access
• Compromise of perimeter security devices
• Increased risk of lateral movement into internal networks
• Potential full device and network compromise

Affected Versions

• FortiOS versions prior to:
  • 6.0.10
  • 6.2.4
  • 6.4.1

Mitigations / Remediation

• Upgrade to patched FortiOS versions immediately
• Enforce case-insensitive username matching using the appropriate command:

For older versions:

set username-case-sensitivity disable

For FortiOS 6.0.13, 6.2.10, 6.4.7, 7.0.1 and later:

set username-sensitivity disable

• Remove unnecessary secondary LDAP groups if not required
• Review logs for authentication events where 2FA was bypassed
• Reset credentials and rotate secrets if compromise is suspected
• Contact Fortinet Support if abnormal authentication behavior is detected

References
https://thehackernews.com/2025/12/fortinet-warns-of-active-exploitation.html

17. Webrat Malware Campaign Spreading via GitHub Fake Exploit Repositories

Security researchers have identified an ongoing malware campaign distributing the Webrat backdoor through malicious GitHub repositories masquerading as proof-of-concept (PoC) exploits for high-severity vulnerabilities. The campaign, active since at least September 2025, marks a shift in targeting—from gamers and piracy users to students and inexperienced cybersecurity professionals.

Initially observed spreading via game cheats and cracked software, Webrat is now being distributed under the guise of exploit code for widely discussed vulnerabilities, leveraging trust in open-source repositories and vulnerability research workflows.

Distribution Technique

Threat actors created GitHub repositories falsely advertising exploits for high-CVSS vulnerabilities, including:

• CVE-2025-59295 (CVSS 8.8)
• CVE-2025-10294 (CVSS 9.8)
• CVE-2025-59230 (CVSS 7.8)

The repositories were professionally structured with AI-generated descriptions, including:

• Vulnerability overview and impact
• Affected system specifications
• Download and installation instructions
• Exploit usage steps
• Mitigation guidance

This presentation was designed to resemble legitimate security research content and increase victim confidence.

Infection Chain

Victims are directed to download a password-protected ZIP archive from the repository. The password is hidden inside a misleading filename within the archive.

The archive typically contains:

• pass – 8511: Empty file revealing the ZIP password
• payload.dll: Corrupted decoy PE file
• rasmanesc.exe (filename varies): Primary loader
• start_exp.bat: Launches the malicious executable

Malware Execution & Behavior

Upon execution, the loader performs the following actions:

• Privilege escalation to administrator
• Disables Windows Defender to evade detection
• Downloads and executes the Webrat payload from a hardcoded URL
• Establishes persistent backdoor access

Webrat Capabilities

Webrat is a full-featured backdoor and spyware platform capable of:

• Remote command execution
• Credential theft from:
  • Cryptocurrency wallets
  • Telegram, Discord, Steam
• Screen recording
• Webcam and microphone surveillance
• Keylogging

The observed variant is consistent with previously documented Webrat samples.

Threat Actor Intent

The campaign appears intentionally designed to target security students and junior researchers who may execute “exploit” code directly on their host systems without sandboxing. Experienced professionals would likely detect the deception or use isolated environments, limiting campaign effectiveness against mature targets.

Indicators of Compromise (IoCs)

Malicious GitHub repositories (partial list):

• https://github[.]com/RedFoxNxploits/CVE-2025-10294-Poc
• https://github[.]com/FixingPhantom/CVE-2025-10294
• https://github[.]com/usjnx72726w/CVE-2025-59295
• https://github[.]com/stalker110119/CVE-2025-59230
• https://github[.]com/h4xnz/CVE-2025-10294-POC

Command-and-Control Infrastructure:

• http://ezc5510min[.]temp[.]swtest[.]ru
• http://shopsleta[.]ru

MD5 Hashes:

• 28a741e9fcd57bd607255d3a4690c82f
• a13c3d863e8e2bd7596bac5d41581f6a
• 61b1fc6ab327e6d3ff5fd3e82b430315

Recommended Actions

• Never execute PoCs or exploits on production or personal systems
• Analyze exploit code only in isolated VMs or sandboxes
• Treat GitHub exploit repositories with zero trust
• Monitor for suspicious archive-based execution chains
• Block known malicious repositories and C2 domains
• Deploy EDR detections for privilege escalation and Defender tampering

References
https://securelist.com/webrat-distributed-via-github/118555/

18. Fake WhatsApp API Package on npm Steals Messages, Contacts, and Authentication Tokens

Security researchers have identified a malicious npm package impersonating a legitimate WhatsApp API library, designed to covertly hijack WhatsApp accounts, intercept communications, and establish persistent attacker access. The package, named “lotusbail,” presents itself as a fully functional WhatsApp API while secretly exfiltrating sensitive data and linking attacker-controlled devices to victim accounts.

The package was first uploaded to the npm registry in May 2025 by a user named seiren_primrose and has been downloaded over 56,000 times, including 700+ downloads in the past week, indicating active and ongoing exposure.

Malware Overview

• Package Name: lotusbail
• Ecosystem: npm (Node.js)
• Impersonated Library: @whiskeysockets/baileys (legitimate WhatsApp Web API library)
• Threat Type: Supply-chain malware / Account takeover
• Status: Still available at time of reporting

Under the guise of a working WhatsApp API, the package covertly intercepts all communications and authentication data routed through it.

Technical Behavior

The malicious functionality is implemented through a custom WebSocket wrapper, which transparently intercepts all WhatsApp traffic during normal API usage. No additional malicious function calls are required—compromise occurs during standard authentication and messaging operations.

Captured data includes:

• WhatsApp authentication tokens and session keys
• Full message history
• Contact lists with phone numbers
• Media files and shared documents

All stolen data is encrypted and transmitted to attacker-controlled infrastructure.

Persistent Account Compromise

A particularly severe aspect of the attack involves device linking abuse:

• During authentication, the package silently uses a hard-coded pairing code
• This links the attacker’s device to the victim’s WhatsApp account
• The attacker retains persistent access even if the package is later uninstalled
• Access persists until the victim manually unlinks devices via WhatsApp settings

This results in long-term, stealthy account surveillance without visible indicators.

Evasion Techniques

• Anti-debugging logic detects debugging tools
• Triggers infinite loop execution to stall analysis
• Malicious logic blends seamlessly with legitimate WhatsApp API operations, bypassing static analysis and reputation-based trust systems

Impact / Risk

• Full compromise of WhatsApp accounts
• Persistent interception of private communications
• Unauthorized access to contacts and shared media
• Long-term surveillance without user awareness
• Abuse of trusted open-source ecosystems
• High risk to developers integrating WhatsApp automation into applications

Related Supply Chain Activity

In parallel disclosures, researchers also identified 14 malicious NuGet packages impersonating popular cryptocurrency libraries (e.g., Nethereum, Binance, Coinbase, Solana tools). These packages were used to:

• Redirect cryptocurrency transactions
• Steal private keys and seed phrases
• Exfiltrate Google Ads OAuth credentials (GoogleAds.API)

The campaigns relied on inflated download counts, frequent version updates, and trusted naming conventions to evade detection.

Recommended Actions

• Immediately audit npm dependencies for lotusbail or unknown WhatsApp API wrappers
• Avoid unofficial WhatsApp API libraries
• Revoke and relink WhatsApp devices if compromise is suspected
• Monitor outbound encrypted WebSocket traffic from Node.js applications
• Implement strict dependency vetting and lockfile enforcement
• Educate developers on supply-chain attack risks

References
https://thehackernews.com/2025/12/fake-whatsapp-api-package-on-npm-steals.html

19. Malicious Chrome Extensions Secretly Stealing Credentials from Over 170 Websites

Cybersecurity researchers have uncovered two malicious Google Chrome extensions masquerading as a legitimate multi-location network speed test and proxy service, which were found to secretly intercept web traffic and steal user credentials across more than 170 high-value websites. Both extensions share the same name, developer, and malicious behavior, indicating a coordinated long-running operation.

The extensions, named “Phantom Shuttle,” have been available on the Chrome Web Store for years and remain accessible at the time of reporting.

Extension Details

• Name: Phantom Shuttle
• Extension IDs:
  • fbfldogmkadejddihifklefknmikncaj (Published: Nov 2017 | ~2,000 users)
  • ocpcmfmiidofonkbodpdhgddhlcmcofd (Published: Apr 2023 | ~180 users)
• Advertised Purpose: Multi-location network speed test / proxy tool
• Monetization: Subscription-based (¥9.9–¥95.9 CNY)

Users are led to believe they are purchasing a legitimate VPN-like service, while in reality the extensions enable full traffic interception.

Technical Behavior

Once a user subscribes and gains VIP status, the extensions automatically enable a “smarty” proxy mode, routing traffic from selected domains through attacker-controlled proxy infrastructure.

Key malicious capabilities include:

• Acting as a Man-in-the-Middle (MitM) proxy
• Intercepting and modifying HTTP/HTTPS traffic
• Injecting credentials into authentication challenges
• Exfiltrating sensitive user data to a command-and-control (C2) server

The malicious logic is embedded within modified JavaScript files bundled with the extension, including:

• jquery-1.12.2.min.js
• scripts.js

The extensions register a listener on chrome.webRequest.onAuthRequired to automatically inject hard-coded proxy credentials (topfany / 963852wei) into all HTTP authentication requests before the browser can prompt the user, ensuring silent credential interception.

Targeted Domains

In “smarty” mode, traffic from over 170 predefined domains is selectively routed through attacker infrastructure, including:

• Developer platforms: GitHub, Stack Overflow, Docker
• Cloud providers: AWS, Microsoft Azure, DigitalOcean
• Enterprise vendors: Cisco, IBM, VMware
• Social media platforms
• Adult content websites

The inclusion of adult sites suggests potential blackmail or extortion use cases in addition to credential theft.

Data Exfiltration and Persistence

• The extension maintains a 60-second heartbeat with the C2 server
• Every five minutes, it exfiltrates:
  • User email address
  • Password (in plaintext)
  • Extension version details
• C2 Domain: phantomshuttle[.]space (active at time of reporting)

This combination enables continuous credential theft, session monitoring, and traffic manipulation while the extension remains installed.

Recommended Actions

• Immediately remove both Phantom Shuttle extensions
• Audit enterprise browsers for unauthorized extensions
• Enforce browser extension allow-listing policies
• Monitor network traffic for unexpected proxy authentication attempts
• Educate users on risks of paid proxy/VPN browser extensions

References
https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html