by Sansec Forensics Team - sansec.io
Published in Threat Research − September 08, 2025
Adobe released an out-of-band emergency patch for SessionReaper (CVE-2025-54236). The bug may hand control of a store to unauthenticated attackers. Automated abuse is expected and merchants should act immediately.
Article updated: Sep 9th, 2025 13:48 UTC
Adobe broke their regular release schedule to publish a fix for a critical (9.1) flaw in all versions of Adobe Commerce and Magento. The bug, dubbed SessionReaper and assigned CVE-2025-54236, allows customer account takeover and unauthenticated remote code execution under certain conditions. Sansec was able to simulate the attack and so may less benign parties. It does not help that the Adobe patch was accidentally leaked last week, so bad actors may already be working on the exploit code.
Adobe's official advisory describes the impact as "an attacker could take over customer accounts," which does not mention the risk of remote code execution. The vulnerability researcher who discovered CVE-2025-54236 confirmed this on Slack:
"Blaklis
BTW, this is a potential preauth RCE, whatever the bulletin is saying.
Please patch ASAP"
SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked, sometimes within hours of the flaw being published.
Timeline
Aug 22nd: Adobe internally discusses emergency fix
Sep 4th: Adobe privately announces emergency fix to selected Commerce customers
Sep 9th: Adobe releases emergency patch for SessionReaper - CVE-2025-54236 in APSB25-88What merchants should do
If you are already using Sansec Shield, you are protected against this attack.
If you are not using Sansec Shield, you should test and deploy the patch as soon as possible. Because the patch disables internal Magento functionality, chances are that some of your custom/external code will break. Adobe published a developer guide with instructions.
If you cannot safely apply the patch within the next 24 hours, you should activate a WAF for immediate protection. Only two WAFs block this attack right now: Adobe Fastly and Sansec Shield.
If you did deploy the patch but not within 24 hours of publication, we recommend to run a malware scanner like eComscan to find any signs of compromise on your system. We also recommend to rotate your secret crypt key, as leaking it would allow attackers to update your CMS blocks indefinitely.
How the attack works
Our security team successfully reproduced one possible avenue to exploit SessionReaper, but there are likely multiple vectors. While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year's CosmicSting attack. The attack combines a malicious session with a nested deserialization bug in Magento's REST API.
The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.
Active exploitation
Sansec tracks ecommerce attacks in real-time around the globe. We have not seen any active abuse yet but will update this section when we do.
Follow live ecommerce attacks here.Acknowledgements
Credits to Blaklis for discovering the flaw.
Thanks to Scott Robinson, Pieter Hoste and Tu Van for additional research.
Sansec is not affiliated with Adobe and runs unbiased security research across the eCommerce ecosystem. Sansec protects 10% of all Magento stores worldwide.
SAP has addressed 21 new vulnerabilities affecting its products, including three critical severity issues impacting the NetWeaver software solution.
SAP NetWeaver is the foundation for SAP's business apps like ERP, CRM, SRM, and SCM, and acts as a modular middleware that is broadly deployed in large enterprise networks.
In its security bulletin for September, the provider of enterprise resource planning (ERP) software lists a vulnerability with a maximum severity score of 10 out of 10 that is identified as CVE-2025-42944.
The security issue is an insecure deserialization vulnerability in SAP NetWeaver (RMIP4), ServerCore 7.50.
An unauthenticated attacker could exploit it to achieve arbitrary OS command execution by sending to an open port a malicious Java object through the RMI-P4 module.
RMI-P4 is the Remote Method Invocation protocol used by SAP NetWeaver AS Java for internal SAP-to-SAP communication, or for administration.
Though the P4 port is open on the host, some organizations may inadvertently expose it to wider networks, or the internet, due to firewall or other misconfigurations.
According to the security bulletin, the second critical flaw SAP fixed this month is CVE-2025-42922 (CVSS v3.1 score: 9.9), an insecure file operations bug impacting NetWeaver AS Java (Deploy Web Service), J2EE-APPS 7.50.
An attacker with non-administrative authenticated access can exploit a flaw in the web service deployment functionality to upload arbitrary files, potentially allowing full system compromise.
The third flaw is a missing authentication check in NetWeaver, tracked under CVE-2025-42958 (CVSS v3.1 score: 9.1).
This vulnerability allows unauthorized high-privileged users to read, modify, or delete sensitive data and access administrative functionality.
SAP also addressed the following new high-severity flaws:
CVE-2025-42933 (SAP Business One SLD): Insecure storage of sensitive data (e.g., credentials) that could be extracted and abused.
CVE-2025-42929 (SLT Replication Server): Missing input validation allowing malicious input to corrupt or manipulate replicated data.
CVE-2025-42916 (S/4HANA): Missing input validation in core components, risking unauthorized data manipulation.
SAP products, deployed by large organizations and often handling mission-critical data, are often targeted by threat actors seeking high-value compromises.
Earlier this month, it was revealed that hackers were exploiting a critical code injection vulnerability tracked as CVE-2025-42957, impacting S/4HANA, Business One, and NetWeaver products.
System administrators are recommended to follow the patching and mitigation recommendations for the three critical flaws, available here (1, 2, 3) for customers with a SAP account.
infosecurity-magazine James Coker
Deputy Editor, Infosecurity Magazine 29 Aug 2025
Recorded Future highlighted the vast capabilities of state actors to rapidly weaponize newly disclosed vulnerabilities for geopolitical purposes
The majority (53%) of attributed vulnerability exploits in the first half 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to a new report by Recorded Future’s Insikt Group.
The researchers said the findings demonstrate the growing ability of well-resourced state-sponsored groups to weaponize flaws rapidly following disclosure. Geopolitical purposes, such as espionage and surveillance, are the key motives for these threat actors.
“The significant state-sponsored involvement also implies that these threats are not just random or opportunistic but often targeted and persistent campaigns aiming at specific sectors or high-value systems,” they noted.
The majority of state-sponsored campaigns were conducted by Chinese state-sponsored actors. These groups primarily targeted edge infrastructure and enterprise solutions, a tactic that has continued since 2024.
Read now: Chinese Tech Firms Linked to Salt Typhoon Espionage Campaigns
The suspected China-linked group UNC5221 exploited the highest number of vulnerabilities in H1 2025. It demonstrated a preference for Ivanti products, including Endpoint Manager Mobile, Connect Secure and Policy Secure.
Financially motivated groups accounted for the remaining 47% of vulnerability exploits – 27% were made up of those actors involved in theft and fraud but not linked to ransomware and 20% attributed to ransomware and extortion groups.
The researchers predicted that the exploitation of edge security appliances, remote access tools and other gateway-layer software will remain a top priority for both state-sponsored and financially-motivated groups.
“The strategic value of these systems – acting as intermediaries for encrypted traffic and privileged access – makes them high-reward targets,” they noted.
Microsoft was the most targeted vendor, with the tech giant’s products accounting for 17% of exploitations.
Most Vulnerability Exploits Required No Authentication
Insikt Group’s H1 2025 Malware and Vulnerability Trends report, published on August 28, found that the total number of disclosed common vulnerabilities and exposures (CVEs) grew 16% year-over-year.
Attackers exploited 161 distinct vulnerabilities in the six-month period, up from 136 in H1 2024.
Of the 161 flaws, 69% required no authentication to exploit, while 48% could be exploited remotely over a network.
“This heavy tilt toward unauthenticated, remote exploits means that attacks can be launched directly from the internet against vulnerable hosts, with no credentials or insider access needed,” the researchers commented.
Additionally, 30% of the exploited CVEs enabled remote code execution (RCE), which often grants an attacker full control over the target system.
ClickFix Becomes a Favored Initial Access Technique
The report observed that ransomware actors adopted new initial access techniques in H1 2025.
This included a significant increase in ClickFix social engineering attacks. ClickFix involves the use of a fake error or verification message to manipulate victims into copying and pasting a malicious script and then running it.
The tactic preys on users’ desire to fix problems themselves rather than alerting their IT team or anyone else. Therefore, it is effective at bypassing security protections as the victim infects themselves.
The Interlock gang was observed using ClickFix in campaigns in January and February 2025.
The group has also leveraged FileFix in later attacks. This tactic is an evolution on ClickFix, where users are tricked into pasting a malicious file path into a Windows File Explorer’s address bar rather than using a dialog box.
Inskit group assess that the success of ClickFix means this method will remain a favored initial access technique through the rest of 2025 unless widespread mitigations reduce its effectiveness.
Post-compromise, ransomware groups have increased their use of endpoint detection and response (EDR) evasion via bring-your-own-installer (BYOI) techniques, and custom payloads using just-in-time (JIT) hooking and memory injection to bypass detection.
www.root.io Root Security Bulletin - CVE: CVE-2025-48384 Date: August 26, 2025 Severity: High (CVSS v3.1 Score: 8.0)
Overview
A critical Git vulnerability, CVE-2025-48384, has been identified and is actively exploited in the wild, now listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. This flaw enables remote code execution (RCE) through malicious repositories and poses a significant risk to developers and CI/CD pipelines across Linux and macOS systems. Windows installations are unaffected due to filesystem restrictions.
The vulnerability impacts all Git versions prior to the patched releases issued on July 8, 2025. While Ubuntu responded immediately with security advisories, Debian has marked the issue "no-dsa," delaying fixes until future point releases—leaving many Debian-based environments exposed.
Technical Details
The vulnerability arises from an inconsistency in Git's configuration parsing logic:
When reading config values, Git strips trailing CRLF characters.
When writing, values with trailing carriage returns (CR) are not properly quoted, leading to discrepancies when read back.
Attackers can exploit this by creating malicious .gitmodules files with submodule paths ending in CR characters. When combined with symlinked hooks directories and executable post-checkout hooks, this enables arbitrary file writes and ultimately remote code execution.
Exploitation scenario: Victims running git clone --recursive on a malicious repository may initialize submodules in unintended filesystem locations. Security researchers (liamg, acheong08, and others) have published proof-of-concept exploits validating the attack's real-world impact.
Affected versions:
Git versions prior to v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1
Systems: Linux, macOS (where control characters are allowed in filenames)
Not affected: Windows
CVSS v3.1 Vector: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Base Score: 8.0 (High)
Impact
Active exploitation confirmed: CISA added CVE-2025-48384 to its KEV catalog on August 25, 2025, with a remediation deadline of September 15, 2025 for U.S. federal agencies.
Developer tools at risk: GitHub Desktop for macOS is particularly vulnerable due to its default use of recursive cloning.
Distribution disparity: Ubuntu issued immediate advisories and patches, while Debian deferred remediation, leaving production systems running Bookworm, Bullseye, or Trixie without timely fixes.
This uneven patching cadence underscores the supply chain risks when critical open-source infrastructure receives inconsistent remediation across ecosystems.
Timeline
July 8, 2025: Git project discloses CVE-2025-48384 and issues patched releases across eight version branches.
July 9-15, 2025: Security researchers publish multiple proof-of-concept exploits, confirming real-world exploitability.
August 8, 2025: Root tested, backported, and deployed patches for Debian Bookworm, Bullseye, Trixie, and all Slim variants, delivering them seamlessly across all Root users' environments without disruption.
August 15, 2025: Debian marked the issue as "no-dsa," opting for remediation only in future point releases.
August 25, 2025: CISA added CVE-2025-48384 to the KEV catalog, mandating U.S. federal agencies remediate by September 15.
Recommendations
For Debian Users
Confirm exposure: Determine if your systems use the git package maintained by Debian. Tools like Trivy or enterprise vulnerability scanners can quickly verify vulnerable versions.
Short-term mitigations:
Avoid git clone --recursive on untrusted repositories.
Inspect .gitmodules files before initializing submodules.
Consider compiling patched versions of Git from source where feasible.
For Root Users
Customers using Root's Agentic Vulnerability Remediation (AVR) platform are already protected. Root delivered patched and backported Git packages on August 8, 2025, covering Debian Bookworm, Bullseye, Trixie, and all Slim variants. Patches were deployed seamlessly across all user environments without disruption.
Users can verify their protection in the Artifact Explorer or trigger an on-demand remediation in under five minutes.
Extended availability: Root's patched versions are also accessible through partners such as Aikido and scanners using Trivy, where advanced tier subscribers receive immediate coverage.
For Non-Customers
Get free remediation: Sign up at app.root.io to remediate affected images and push them back to your repositories at no cost.
Root's Approach
Root’s Agentic Vulnerability Remediation (AVR) technology leverages AI-driven automation overseen by security experts, replicating the decision-making of seasoned engineers at scale.
The platform operates in five phases:
Assessment – Mapping CVEs across known databases.
Recommendation – Identifying the optimal remediation path.
Application – Applying and backporting security patches where needed.
Validation – Rigorous testing against public frameworks.
Deployment – Delivering fully remediated, auditable images.
Unlike traditional vulnerability scanners, Root fixes vulnerabilities proactively—eliminating false positives, providing comprehensive SBOMs and VEX statements, and reducing remediation time to minutes.
Conclusion
CVE-2025-48384 highlights both the responsiveness of the Git project and the uneven patching practices across Linux distributions. While upstream patches were released promptly, Debian's deferred remediation created a critical exposure window that attackers are already exploiting.
Organizations relying on Debian-based containers cannot afford to wait for delayed point releases. Automated remediation platforms like Root AVR bridge this gap by providing continuous, proactive protection at container-build speeds—ensuring development teams remain secure without sacrificing velocity.
For broader industry analysis of what this vulnerability reveals about modern security approaches, see our blog post: CVE- 2025-48384: The Git Vulnerability That's Exposing a Broken System.
Take action now: Explore Root's remediation for CVE-2025-48384 at app.root.io
bleepingcomputer.com - Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability.
The company has yet to assign a CVE-ID to track the flaw and didn't provide additional details regarding the patch, only saying that it impacts Plex Media Server versions 1.41.7.x to 1.42.0.x.
Yesterday, four days after releasing security updates that addressed the mysterious security bug, Plex emailed those running affected versions to update their software as soon as possible.
"We recently received a report via our bug bounty program that there was a potential security issue affecting Plex Media Server versions 1.41.7.x to 1.42.0.x. Thanks to that user, we were able to address the issue, release an updated version of the server, and continue to improve our security and defenses," the company said in the email.
"You're receiving this notice because our information indicates that a Plex Media Server owned by your Plex account is running an older version of the server. We strongly recommend that everyone update their Plex Media Server to the most recent version as soon as possible, if you have not already done so."
Plex Media Server 1.42.1.10060, the version that patches this vulnerability, can be downloaded from the server management page or the official downloads page.
While Plex hasn't shared any details regarding the vulnerability so far, users are advised to follow the company's advice and patch their software before threat actors reverse engineer the patches and develop an exploit.
Although Plex has experienced its share of critical and high-severity security flaws over the years, this is one of the few instances where the company has emailed customers about securing their systems against a specific vulnerability.
In March 2023, CISA tagged a three-year-old remote code execution (RCE) flaw (CVE-2020-5741) in the Plex Media Server as actively exploited in attacks. As Plex explained two years earlier, when it released patches, successful exploitation can allow attackers to make the server execute malicious code.
While the cybersecurity agency didn't provide any information on the attacks exploiting CVE-2020-5741, they were likely linked to LastPass' disclosure that one of its senior DevOps engineers' computers had been hacked in 2022 to install a keylogger by abusing a third-party media software RCE bug.
The attackers exploited this access to steal the engineer's credentials and compromise the LastPass corporate vault, resulting in a massive data breach in August 2022 after stealing LastPass's production backups and critical database backups.
The same month, Plex also notified users of a data breach and asked them to reset passwords after an attacker gained access to a database containing emails, usernames, and encrypted passwords.
The Wiz Research team has discovered a chain of critical vulnerabilities in NVIDIA's Triton Inference Server, a popular open-source platform for running AI models at scale. When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE).
This attack path originates in the server's Python backend and starts with a minor information leak that cleverly escalates into a full system compromise. This poses a critical risk to organizations using Triton for AI/ML, as a successful attack could lead to the theft of valuable AI models, exposure of sensitive data, manipulating the AI model's responses and a foothold for attackers to move deeper into a network.
Wiz Research responsibly disclosed these findings to NVIDIA, and a patch has been released. We would like to thank the NVIDIA security team for their excellent collaboration and swift response. NVIDIA has assigned the following identifiers to this vulnerability chain: CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334. We strongly recommend all Triton Inference Server users update to the latest version. This post provides a high-level overview of these new vulnerabilities and their potential impact.
The enclosed work is the latest in a series of NVIDIA vulnerabilities we’ve disclosed, including two container escapes: CVE-2025-23266 and CVE 2024-0132.
Mitigations
Update Immediately: The primary mitigation is to upgrade both the NVIDIA Triton Inference Server and the Python backend to version 25.07 as advised in the NVIDIA security bulletin.
Wiz customers can use the following to detect vulnerable instances in their cloud environment:
Wiz customers can use the Vulnerability Findings page to find all instances of these vulnerabilities in their environment, or filter results to instances related to critical issues. Alternatively, you can use the Security Graph to identify publicly exposed vulnerable VMs/serverless or containers.
Wiz Advanced customers can filter on findings identified or validated by the Dynamic Scanner, and Wiz Sensor customers can filter on runtime validated findings.
Wiz Code customers can filter on findings with one-click remediation to generate a pull request with fixes for vulnerable instances detected in code repositories.
mobile-hacker.com - On June 13, 2025 was disclosed vulnerability in the iOS version of the Air Keyboard app that exposes users to remote input injection over Wi-Fi. The flaw, documented in CXSecurity Report, allows an attacker on the same local network to send keystrokes to a target iOS device without authentication. As of this writing, the app remains available on the App Store and is still affected by the vulnerability. With the report is also published prove of concept python script. In this blog I will test the exploit, have a look on their Android version of Air Keyboard app and conclude with security tips.
According to its official information, Air Keyboard is an app that turns your mobile device into a wireless keyboard and mouse for your computer. It connects over the local network and sends or receives input to or from a companion desktop application installed on Windows or macOS. The app’s goal is to offer convenient remote control for presentations, media playback, or general PC use, all from your smartphone or tablet.
The vulnerability stems from the iOS app listening on TCP port 8888 for incoming input — without any form of authentication or encryption. A proof-of-concept Python script included in the advisory demonstrates how an attacker can craft data and remotely inject arbitrary keystrokes to the victim’s device. A video demonstration further confirms how trivial the attack is to execute. Because the iOS app does not verify the origin or integrity of the incoming commands, any device on the same Wi-Fi network can send input as if it were the user.
The app remains available on the App Store in this vulnerable state, with no fix or warning issued to users.
Google has issued an urgent security update for its Chrome browser, addressing a critical zero-day vulnerability that is being actively exploited by attackers.
The flaw, tracked as CVE-2025-6554, is a type confusion vulnerability in Chrome’s V8 JavaScript engine, which underpins the browser’s ability to process web content across Windows, macOS, and Linux platforms.
The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG) on June 25, 2025. According to Google, attackers have already developed and deployed exploits targeting this flaw in the wild, prompting the company to act quickly.
The Sudo utility is a privileged command-line tool installed on Linux systems that allows a permitted user to execute a command as the superuser, or another user, as specified by the security policy. It is commonly used to implement the least privilege model by delegating administrative tasks that require elevated privileges without sharing the root password, while also creating an audit trail in the system log.
The Stratascale Cyber Research Unit (CRU) team discovered two local privilege vulnerabilities in Sudo. These vulnerabilities can result in the escalation of privileges to root on the impacted system.
The research focused on infrequently used command-line options. This blog explores how the Sudo chroot option can be leveraged by any local user to elevate privileges to root, even if no Sudo rules are defined for that user.
The default Sudo configuration is vulnerable. Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed. The following versions are known to be vulnerable. Note: Not all versions within the range have been tested.
Stable 1.9.14 - 1.9.17
Note: The legacy versions of Sudo (currently <= 1.8.32) are not vulnerable because the chroot feature does not exist.
Exploitation has been verified on:
Ubuntu 24.04.1; Sudo 1.9.15p5, Sudo 1.9.16p2
Fedora 41 Server; Sudo 1.9.15p5
A critical pre-authentication vulnerability (CVE-2025-6709) in MongoDB Server enables unauthenticated attackers to trigger denial-of-service (DoS) conditions by exploiting improper input validation in OIDC authentication.
The flaw allows malicious actors to crash database servers by sending specially crafted JSON payloads containing specific date values, causing invariant failures and server crashes.
This vulnerability affects MongoDB Server versions before 7.0.17, 8.0.5, and 6.0.21 (with authentication required for 6.x exploitation).
Vulnerability Analysis
Attackers can reproduce the exploit using MongoDB’s mongo shell to send malicious JSON payloads targeting the OIDC authentication mechanism.
The server fails to properly validate date values in JSON input, leading to:
Complete server crashes without authentication in v7.0 and v8.0 deployments
Post-authentication DoS in v6.0 environments
Critical disruption of database operations through invariant failures
The vulnerability carries a CVSS score of 7.5 (High) due to its network-based attack vector, low attack complexity, and high availability impact.
MongoDB has classified this as CWE-20 (Improper Input Validation).
Mitigation and Updates
Administrators should immediately upgrade to patched versions:
MongoDB v6.0 → 6.0.21 or later
MongoDB v7.0 → 7.0.17 or later
MongoDB v8.0 → 8.0.5 or later
For environments where immediate patching isn’t feasible, consider disabling OIDC authentication until updates are applied.
Imperva’s Offensive Security Team discovered CVE-2025-49763, a high-severity vulnerability (CVSS v3.1 estimated score: 7.5) in Apache Traffic Server’s ESI plugin that enables unauthenticated attackers to exhaust memory and potentially crash proxy nodes. Given ATS’s role in global content delivery[1], even a single node failure can black-hole thousands of sessions. Organizations should urgently upgrade to version 9.2.11 or 10.0.6 and enforce the new inclusion-depth safeguard.
Why reverse‑proxy servers matter
Every web request you make today almost certainly travels through one or more reverse‑proxy caches before it reaches the origin application. These proxies:
This vulnerability can be exploited via two different ways:
A threat actor could exploit an Edge Side Include injection and recursively inject the same page over and over again.
exploitation via esi injection
A threat actor could also host a malicious server next to a target, behind a vulnerable traffic server proxy and take down the proxy by triggering the ESI request avalanche. (see Fig 2).
exploitation via malicious error
This results in a full denial of service on edge proxy nodes, triggered remotely without requiring authentication.
Issue Details
CVE-2025-23121
A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user.
Severity: Critical
CVSS v3.0 Score: 9.9
Source: Reported by watchTowr and CodeWhite.
Note: This vulnerability only impacts domain-joined backup servers.
Veeam Backup & Replication Security Best Practice Guide > Workgroup or Domain?
Affected Product
Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.
Solution
This vulnerability was fixed starting in the following build:
Veeam Backup & Replication 12.3.2 (build 12.3.2.3617)CVE-2025-24286
A vulnerability allowing an authenticated user with the Backup Operator role to modify backup jobs, which could execute arbitrary code.
Severity: High
CVSS v3.1 Score: 7.2
Source: Reported by Nikolai Skliarenko with Trend Micro.
Affected Product
Veeam Backup & Replication 12.3.1.1139 and all earlier version 12 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.
Solution
This vulnerability was fixed starting in the following build:
Veeam Backup & Replication 12.3.2 (build 12.3.2.3617)CVE-2025-24287
A vulnerability allowing local system users to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions.
Severity: Medium
CVSS v3.1 Score: 6.1
Source: Reported by CrisprXiang working with Trend Micro Zero Day Initiative.
Affected Product
Veeam Agent for Microsoft Windows 6.3.1.1074 and all earlier version 6 builds.
Note: Unsupported product versions are not tested, but are likely affected and should be considered vulnerable.
Solution
This vulnerability was fixed starting in the following build:
Veeam Agent for Microsoft Windows 6.3.2 (build 6.3.2.1205)
Veeam Agent for Microsoft Windows is included with Veeam Backup & Replication and available as a standalone application.Severity - Critical
Description of Problem
A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.
Affected Versions
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPSDetails
NetScaler ADC and NetScaler Gateway contain the vulnerabilities mentioned below:
CVE ID Description Pre-conditions CWE CVSSv4
CVE-2025-5349 Improper access control on the NetScaler Management Interface Access to NSIP, Cluster Management IP or local GSLB Site IP CWE-284: Improper Access Control
CVSS v4.0 Base Score: 8.7
(CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
CVE-2025-5777 Insufficient input validation leading to memory overread NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server CWE-125: Out-of-bounds Read
CVSS v4.0 Base Score: 9.3
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover.
The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.
The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.
After ignoring the advice from my friend, I bought a new ASUS motherboard for my PC. I was a little concerned about having a BIOS that would by default silently install software into my OS in the background. But it could be turned off so I figured I would just do that.
DriverHub is an interesting piece of driver software because it doesn’t have any GUI. Instead it’s just a background process that communicates with the website driverhub.asus.com and tells you what drivers to install for your system and which ones need updating. Naturally I wanted to know more about how this website knew what drivers my system needed and how it was installing them, so I cracked open the Firefox network tab.
As I expected, the website uses RPC to talk to the background process running on my system. This is where the background process hosts an HTTP or Websocket service locally which a website or service can connect to by sending an API request to 127.0.0.1 on a predefined port, in this case 53000.
Right about now my elite hacker senses started tingling.
An APT hacking group known as 'Stealth Falcon' exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen.
Stealth Falcon (aka 'FruityArmor') is an advanced persistent threat (APT) group known for conducting cyberespionage attacks against Middle East organizations.
The flaw, tracked under CVE-2025-33053, is a remote code execution (RCE) vulnerability that arises from the improper handling of the working directory by certain legitimate system executables.
Specifically, when a .url file sets its WorkingDirectory to a remote WebDAV path, a built-in Windows tool can be tricked into executing a malicious executable from that remote location instead of the legitimate one.
This allows attackers to force devices to execute arbitrary code remotely from WebDAV servers under their control without dropping malicious files locally, making their operations stealthy and evasive.
The vulnerability was discovered by Check Point Research, with Microsoft fixing the flaw in the latest Patch Tuesday update, released yesterday.
A high-severity vulnerability was uncovered in Splunk Universal Forwarder for Windows that compromises directory access controls.
The flaw, designated CVE-2025-20298 with a CVSSv3.1 score of 8.0, affects multiple versions of the software and poses significant security risks to enterprise environments relying on Splunk’s data forwarding capabilities.
The vulnerability stems from incorrect permission assignment during the installation or upgrade of Universal Forwarder for Windows.
This security flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating a fundamental issue with access control mechanisms.
The vulnerability manifests when Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9 are newly installed or upgraded to an affected version.
During these processes, the installation directory—typically located at C:\Program Files\SplunkUniversalForwarder—receives incorrect permissions that allow non-administrator users to access the directory and all its contents.
This represents a significant breach of the principle of least privilege, a cornerstone of enterprise security frameworks.
The CVSSv3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H indicates that while the attack requires low-level privileges and user interaction, it can result in high impact across confidentiality, integrity, and availability.
The network attack vector component suggests potential for remote exploitation under certain circumstances.
The scope of this vulnerability is considerable, affecting four major release branches of Splunk Universal Forwarder for Windows.
Specifically, the vulnerability impacts versions in the 9.4 branch below 9.4.2, the 9.3 branch below 9.3.4, the 9.2 branch below 9.2.6, and the 9.1 branch below 9.1.9.
Throughout late 2024 and early 2025, iVerify detected anomalous activity on iPhones belonging to individuals affiliated with political campaigns, media organizations, A.I. companies and governments operating in the United States and European Union.
Specifically, we detected exceedingly rare crashes typically associated with sophisticated zero-click attacks via iMessage – an exploitation technique previously unobserved in any systematic way in the United States. Subsequent forensic examination of several of these devices ultimately revealed a previously unknown vulnerability in the “imagent” process which, owing to its relative position in the operating system and functionality, would provide attackers a primitive for further exploitation. This vulnerability was patched by Apple in iOS 18.3. We’ve dubbed this vulnerability NICKNAME.
In the course of our investigation, we discovered evidence suggesting – but not definitively proving – this vulnerability was exploited in targeted attacks as recently as March of this year. Specifically, we learned that Apple sent Threat Notifications to at least one device belonging to a senior government official in the EU on which we saw the highly anomalous crashes. Likewise, one device demonstrated behavior frequently associated with successful exploitation, specifically the creation and deletion of iMessage attachments in bulk within a matter of seconds on several occasions after an anomalous crash. We only observed these crashes on devices belonging to extremely high value targets. And these crashes constituted only .0001% of the crash log telemetry taken from a sample of 50,000 iPhones.
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.
Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud.
"A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.