Imperva’s Offensive Security Team discovered CVE-2025-49763, a high-severity vulnerability (CVSS v3.1 estimated score: 7.5) in Apache Traffic Server’s ESI plugin that enables unauthenticated attackers to exhaust memory and potentially crash proxy nodes. Given ATS’s role in global content delivery[1], even a single node failure can black-hole thousands of sessions. Organizations should urgently upgrade to version 9.2.11 or 10.0.6 and enforce the new inclusion-depth safeguard.
Why reverse‑proxy servers matter
Every web request you make today almost certainly travels through one or more reverse‑proxy caches before it reaches the origin application. These proxies:
This vulnerability can be exploited via two different ways:
A threat actor could exploit an Edge Side Include injection and recursively inject the same page over and over again.
exploitation via esi injection
A threat actor could also host a malicious server next to a target, behind a vulnerable traffic server proxy and take down the proxy by triggering the ESI request avalanche. (see Fig 2).
exploitation via malicious error
This results in a full denial of service on edge proxy nodes, triggered remotely without requiring authentication.
Attacker rained down the equivalent of 9,300 full-length HD movies in just 45 seconds.
Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare.
The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.
Indiscriminate target bombing
Cloudflare said the attackers “carpet bombed” an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.
The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred. Unlike the more common Transmission Control Protocol, UDP doesn't wait for a connection between two computers to be established through a handshake and doesn't check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.
The government cited the recent hacks on Bank Sepah and cryptocurrency exchange Nobite as reasons to shut down internet access to virtually all Iranians.
Earlier this week, virtually everyone in Iran lost access to the internet in what was called a “near-total national internet blackout.”
At the time, it was unclear what happened or who was responsible for the shutdown, which has severely limited Iranians’ means to get information about the ongoing war with Israel, as well as their ability to communicate with loved ones inside and outside of the country.
Now Iran’s government has confirmed that it ordered the shutdown to protect against Israeli cyberattacks.
“We have previously stated that if necessary, we will certainly switch to a national internet and restrict global internet access. Security is our main concern, and we are witnessing cyberattacks on the country’s critical infrastructure and disruptions in the functioning of banks,” Fatemeh Mohajerani, Iran’s government spokesperson, was quoted as saying in a local news story. “Many of the enemy’s drones are managed and controlled via the internet, and a large amount of information is exchanged this way. A cryptocurrency exchange was also hacked, and considering all these issues, we have decided to impose internet restrictions.”
Les systèmes informatiques de la commune de Villars-sur-Glâne ont été la cible d’une cyberattaque. Des mesures ont immédiatement été prises pour la contrer et sécuriser l’infrastructure.
Selon les premiers éléments de l’investigation, des connexions non autorisées ont été effectuées sur certains serveurs de la commune mercredi matin. Il s'agirait d'une tentative d'attaque de type rançongiciel qui demanderait une somme d'argent en échange de la libération des données volées. Des mesures de protection immédiates ont été prises et aucun dommage supplémentaire n'est possible. Une analyse est en cours et permettra d'obtenir plus d'informations sur l'attaque.
"C'est à chacun de se rendre compte que l'informatique est à la fois extraordinaire pour la quantité de données que l'on peut conserver, mais c'est aussi extrêmement fragile si l'on n'a pas une approche rigoureuse", rappelle le syndic de Villars-sur-Glâne, Bruno Mamier.
L’incident a été signalé à la police cantonale, à l’Office fédéral de la cybersécurité (OFCS) et à l’autorité cantonale de la transparence, de la protection des données et de la médiation.
En raison de cet incident, les lignes téléphoniques principales ont été déviées. En cas de questions, les habitants de la commune peuvent se rendre à l'administration ou suivre l’évolution de la situation sur la page internet suivante.
Le syndic invite les personnes dont la démarche administrative n'est pas urgente à se rendre à l'administration communale la semaine prochaine.
Tonga’s National Health Information System (NHIS) suffered a ransomware breach this week, says Dr ʻAna ʻAkauʻola his evening. The system has been shut down, and staff moved to manual operations.
The breach came to light during a parliament debate on the MEIDECC budget, when Deputy PM Dr Taniela Fusimalohi alerted MPs to the intrusion. Dr ʻAkauʻola confirmed she learned of the hack earlier this week and immediately summoned system administrators. She noted that staff member managing the NHIS “was unaware that it was a serious breach.”
The minister disclosed that hackers encrypted the NHIS and demanded payment, assuring MPs “the hackers won’t damage the information on the NHIS.” She also said she promptly emailed Dr Fusimalohi when she knew of the breach, who engaged the Australian High Commission.
Dr Fusimalohi confirmed an Australian cyber team arrived in Tonga today to help resolve the issue.
June 19 (Reuters) - Tata Consultancy Services (TCS.NS), opens new tab said none of its "systems or users were compromised" as part of the cyberattack that led to the theft of customer data at retailer Marks and Spencer (MKS.L), opens new tab, its client of more than a decade.
"As no TCS systems or users were compromised, none of our other customers are impacted" independent director Keki Mistry told its annual shareholder meeting.
The Reuters Daily Briefing newsletter provides all the news you need to start your day. Sign up here.
"The purview of the investigation (of customer) does not include TCS," Mistry added.
This is the first time India's No 1 IT services company has publicly commented on the cyber hack. M&S did not immediately respond to a request for comment.
TCS is one of the technology services providers for the British retailer. In early 2023, TCS reportedly, opens new tab won a $1 billion contract for modernising M&S' legacy technology with respect to its supply chain and omni-channel sales while increasing its online sales.
The "highly sophisticated and targeted" cyberattack which M&S disclosed in April will cost about 300 million pounds ($403 million) in lost operating profit, and disruption to online services is likely until July.
Last month, Financial Times reported that TCS is internally investigating whether it was the gateway for a cyberattack.
Mistry presided as the chairman at the company's annual shareholder meeting as Tata Group Chairman N Chandrasekaran skipped it due to "exigencies".
The chairman's absence comes as the Group's airline Air India plane with 242 people on board crashed after take-off in Ahmedabad last week, killing all passengers except one.
Reporting by Sai Ishwarbharath B and Haripriya Suresh, Editing by Louise Heavens
Securonix Threat Research uncovers SERPENTINE#CLOUD, a stealthy malware campaign abusing Cloudflare Tunnels to deliver in-memory Python-based payloads via .lnk phishing lures. Learn how this multi-stage attack evades detection, establishes persistence, and executes Donut-packed shellcode using Early Bird APC injection.
An ongoing malware campaign tracked as SERPENTINE#CLOUD has been identified as leveraging the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. For initial access, the threat actors are luring users to execute malicious .lnk files (shortcut files) disguised as documents to silently fetch and execute remote code. This kicks off a rather elaborate attack chain consisting of a combination of batch, VBScript and Python stages to ultimately deploy shellcode that loads a Donut-packed PE payload.
The shortcut files are delivered via phishing emails that contain a link to download a zipped document, often themed around payment or invoice scams. This assessment is based on the naming convention of the ZIP files observed, many of which included the word “invoice.”
Attribution remains unknown, though the attacker demonstrates fluency in English based on code comments and scripting practices. Telemetry indicates a strong focus on Western targets, with confirmed activity observed in the United States, United Kingdom, Germany and other regions across Europe and Asia. The use of Cloudflare for payload hosting allows the attackers to remain anonymous and since their infrastructure is secured behind a trusted network, monitored traffic to this network will rarely raise alarms or be flagged as suspicious by network monitoring tools.
The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.
The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user.
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.
This libblockdev/udisks flaw is extremely significant. Although it nominally requires “allow_active” privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain “allow_active”, including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort. Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.
The Qualys Threat Research Unit (TRU) has developed proof-of-concept exploits to validate these vulnerabilities on various operating systems, successfully targeting the libblockdev/udisks flaw on Ubuntu, Debian, Fedora, and openSUSE Leap 15.
