Vulnerabilities News

Australian organizations using Fortinet products are being urged to take immediate action following a new advisory highlighting the active exploitation of previously known vulnerabilities. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has issued this alert primarily for technical users within organizations across the private and public sectors. Fortinet has observed malicious actors exploiting older, unpatched vulnerabilities to gain and maintain unauthorized access to Fortinet devices. While patches were released previously, many compromised devices were either not updated in time or were attacked before security fixes were applied. What Happened? Fortinet’s latest findings reveal a threat actor is actively targeting three known vulnerabilities: FG-IR-24-015: Out-of-bounds write vulnerability in sslvpnd. FG-IR-23-097: Heap buffer overflow during SSL VPN pre-authentication. FG-IR-22-398: Heap-based buffer overflow in sslvpnd. These issues affect the SSL VPN component in Fortinet’s FortiGate devices, which are commonly used by businesses for secure remote access. Although Fortinet previously released patches addressing these vulnerabilities, a new technique has been revealed where attackers can retain read-only access to devices even after the original security holes have been patched. This access is achieved by inserting a symbolic link that connects the user and root filesystems through a folder used for serving language files in the SSL VPN. The symbolic link avoids detection and allows the attacker to read potentially sensitive information such as device configurations. Importantly, devices without SSL VPN enabled are not affected. Who Is Affected? Organizations that have not updated their Fortinet devices to the latest versions. Devices that were compromised before patching may still be at risk due to remnants of the attacker’s access method. This threat is not region or industry-specific, and all sectors are encouraged to assess their environments. How Was It Discovered? Fortinet’s investigation—supported by internal monitoring and collaboration with third-party organizations—uncovered this post-exploitation technique. The discovery triggered the company’s Product Security Incident Response Team (PSIRT) to develop countermeasures and notify impacted customers. This new approach by the attacker is a reminder that known vulnerabilities, especially when unpatched, remain an attractive target. Fortinet emphasized that state-sponsored and financially motivated threat actors continue to scan and exploit such vulnerabilities within days of their public disclosure. What Should You Do Now? The ASD’s ACSC strongly recommends the following: Upgrade all Fortinet devices immediately to one of the following secure versions: FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16 Review all configurations on affected devices for signs of modification or compromise. Investigate your environment for any suspicious behaviour or anomalies in device logs. What Has Fortinet Done? To help customers secure their environments and prevent further abuse of these vulnerabilities, Fortinet has taken multiple steps: Released updated AV/IPS signatures to detect and remove the symbolic link. Enhanced FortiOS versions to: Detect and remove the symbolic link during updates. Prevent SSL VPNs from serving malicious files. Provided direct communication and assistance to known impacted customers based on internal telemetry. These mitigations are automatically applied if customers have the AV/IPS engine enabled and licensed. Enhanced Security in New Releases Customers upgrading to the latest FortiOS versions will benefit from improved security features, such as: Virtual patching for interim protection before applying formal patches. Firmware integrity validation at the BIOS level. Filesystem integrity monitoring through Integrity Measurement Architecture (IMA). Automatic updates, allowing devices to receive critical patches without manual intervention. Features like Uninterrupted Cluster Upgrade, Auto-restore configurations, and Scheduled patch upgrades for a smoother upgrade process. These enhancements are part of Fortinet’s broader commitment to cybersecurity best practices and responsible transparency. Why This Matters Fortinet’s alert emphasizes a vital principle in cybersecurity: patching alone is not enough if devices are compromised before the fix is applied. Attackers are becoming more advanced, using stealthy techniques like symbolic links to maintain access under the radar. The incident also highlights the shared responsibility in cybersecurity: Vendors must deliver secure products, disclose vulnerabilities responsibly, and support customers with quick fixes. Customers must apply patches promptly and maintain strong cyber hygiene to defend against known and emerging threats. With more than 40,000 vulnerabilities reported in 2024 alone (as per NIST data), managing security updates has become an essential routine for all IT environments.

A new exploit, traced to a MorphoBlue vulnerability, has resulted in the theft of $2.6 million. The breach, which occurred on April 11, 2025, was first reported by PeckShieldAlert, highlighting a major security flaw in the decentralized finance (DeFi) ecosystem. The attacker, operating under the Ethereum address c0ffeebabe.eth, managed to frontrun a transaction, siphoning off the funds to a new address, 0x1A5B…C742.  The vulnerability in MorphoBlue’s frontend allowed the malicious actor to exploit the system and steal funds from an unsuspecting address. Once the exploit was executed, the stolen funds were promptly transferred to the designated address.   Market Impact: Volatility and Market Reactions  The effects of the MorphoBlue vulnerability rippled through the cryptocurrency markets almost immediately. As the exploit became public knowledge, the price of MorphoBlue’s native token, MORPH, experienced a sharp decline. Within just 30 minutes, the token lost 8.2%, dropping from $12.45 to $11.43, as recorded by CoinGecko on April 11, 2025. This decrease in value led to a noticeable market reaction, as traders reacted to the news of the breach.  Further volatility was seen across other DeFi tokens as well. Aave (AAVE) and Compound (COMP) were not immune to the disruption. Both tokens saw intraday fluctuations of 3.5% and 2.8%, respectively, in the wake of the exploit, with CoinMarketCap reporting these price movements within an hour of the incident. The sell-off was not limited to MORPH alone but affected other assets within the MorphoBlue ecosystem, indicating widespread concern within the DeFi market. The stolen funds and the MorphoBlue vulnerability also sparked an uptick in trading activity across multiple decentralized exchanges (DEXs). Notably, the trading volume for MORPH surged by an astonishing 150%, reaching $45.6 million within one hour of the exploit being reported. Increased Liquidity and Active Address Growth  Along with the spike in trading volume, the exploit led to a noticeable shift in liquidity dynamics across various platforms. On decentralized exchanges like Uniswap and SushiSwap, liquidity for MORPH-ETH and MORPH-USDC trading pairs saw a 20% increase as users rushed to react to the unfolding events. This surge in liquidity provision was reflective of the broader market’s heightened concern over the security of DeFi protocols. On-chain data further revealed a 30% increase in active addresses interacting with MORPH during this period. This surge indicates that while many were concerned about the vulnerability, it also sparked a rush of new and existing participants looking to engage with the asset. Whether this was driven by fear, opportunism, or both remains unclear, but the heightened activity suggests that the exploit had caught the attention of a significant portion of the DeFi community, reported Blockchain News. Technical Analysis: A Bearish Outlook for MORPH  From a technical analysis standpoint, the MorphoBlue vulnerability and the subsequent exploit set the stage for a bearish market trend. Following the exploit, the Relative Strength Index (RSI) for MORPH dropped to 32, signaling that the token was oversold. This was a clear indication that the market sentiment had turned negative as a result of the vulnerability. Further supporting the bearish outlook, the Moving Average Convergence Divergence (MACD) for MORPH showed a bearish crossover, reinforcing the notion that the token was experiencing downward pressure. With trading volume remaining high for the following hours, averaging around $30 million per hour, traders remained active in a market grappling with uncertainty.  Moreover, the Bollinger Bands widened, signifying increased market volatility. This suggests that the token’s price could face swings in the short term, as investors continue to react to the fallout from the MorphoBlue vulnerability and its impact on stolen funds. While the exploit primarily affected MORPH, other tokens like AAVE and COMP also exhibited similar technical patterns, though to a lesser extent.  Conclusion   The MorphoBlue Frontend Vulnerability, which resulted in $2.6 million in stolen funds, has cast a spotlight on the fragility of platform security and raised urgent questions about the reliability of DeFi protocols. As the full scope of the exploit continues to unfold, it’s clear that both developers and investors must reevaluate their approach to security. With tokens like MORPH already showing signs of instability, this breach highlights the critical need for better protective measures in the DeFi space. 

A recently uncovered SureTriggers vulnerability has put more than 100,000 websites at risk, highlighting once again how critical plugin security is for WordPress site administrators. The vulnerability, officially identified as CVE-2025-3102, has a CVSS score of 8.1, placing it in the high-severity category. This flaw allows unauthorized users to create administrator accounts under specific conditions, potentially giving attackers full control over affected websites. SureTriggers—an automation platform designed to link various web apps, services, and WordPress plugins—was recently rebranded from OttoKit. While it’s widely used for streamlining online workflows, this WordPress plugin vulnerability has become a major point of concern in the cybersecurity community. SureTriggers Vulnerability: Under Active Exploitation Hours After Disclosure  According to Wordfence Intelligence, the flaw began seeing active exploitation just hours after it was publicly disclosed. The vulnerability is an authorization bypass due to a missing empty value check in the plugin’s authenticate_user() function. This oversight can be exploited by an attacker if the plugin is installed and activated but not configured with an API key—something that’s unfortunately common with newly deployed plugins.  Security researcher mikemyers was credited with discovering the issue, which earned a bug bounty of $1,024. The vulnerability affects all versions of SureTriggers up to version 1.0.78. Users are strongly advised to update to the fully patched version, 1.0.79, to protect their sites.  A Closer Look at the Vulnerability in SureTriggers  The root cause of the issue lies in the plugin’s use of the autheticate_user() function within the RestController class. This function is meant to validate API requests using a secret key found in the request header. However, the implementation fails to check for empty values. If a website hasn’t been configured with an API key, this check will return true even when the attacker provides a blank secret key, giving them access to the REST API endpoints. This critical oversight means that attackers can bypass authentication entirely and trigger automated actions—one of which includes creating a new administrator user. As a result, vulnerabilities in WordPress plugins like this one can lead to total site takeover. Full Site Compromise a Real Threat  Once administrative access is gained, attackers have free rein over the site. This includes uploading malicious themes or plugins, injecting spam or malware into posts and pages, or redirecting users to external malicious sites. The ramifications are far-reaching, from SEO damage to compromised customer data.  The vulnerability in SureTriggers is especially concerning because it doesn’t require the attacker to already be logged in or have any kind of prior access. The only requirement is that the site is running a vulnerable, unconfigured version of the plugin. This type of SureTriggers vulnerability is a textbook example of why secure default configurations are vital for plugin developers.  Conclusion   The SureTriggers vulnerability highlights the importance of proactive site security and timely updates in the WordPress ecosystem. Security experts, including those at Wordfence, strongly recommend that all users update to version 1.0.79 or later—even if the plugin is inactive but still installed—as unpatched versions remain exploitable. Administrators should also check for unauthorized admin accounts and thoroughly audit plugin settings. Compounding the risk, this flaw could be chained with other vulnerabilities, such as arbitrary plugin installation, making even dormant installations a potential entry point.  

A new vulnerability has been identified in the TP-Link Tapo H200 V1 IoT Smart Hub that could allow attackers to access sensitive information, particularly Wi-Fi credentials. The Computer Emergency Response Team of India (CERT-In) has issued a detailed vulnerability note (CIVN-2025-0072), highlighting the technical aspects, risk assessment, and mitigation considerations surrounding this flaw. The vulnerability, rated medium in severity, affects users of the TP-Link Tapo H200 V1 Smart Hub running firmware version 1.4.0 or earlier. What Is the TP-Link Tapo H200 Smart Hub? The TP-Link Tapo H200 Smart Hub is a central device used to connect and control various smart home appliances. It acts as a bridge between the internet and other smart devices like motion sensors, door sensors, light switches, and more. By using a hub, users can create automation routines, monitor home security, and control IoT devices remotely through mobile apps or voice assistants. However, the convenience of centralized control also makes smart hubs an attractive target for cyber attackers — especially if sensitive information such as Wi-Fi credentials is not properly secured. Overview of the Vulnerability According to CERT-In, the TP-Link Tapo H200 Smart Hub stores Wi-Fi credentials in plain text within its firmware. This presents a clear information disclosure vulnerability, which can be exploited if an attacker gains physical access to the device. The vulnerability has been assigned the identifier CVE-2025-3442, although full public details under this CVE are not yet available. It is expected that additional information will be published when the reporting organization officially discloses the vulnerability. Technical Description Vulnerability Type: Information Disclosure Attack Vector: Physical access to device Impact: Exposure of stored Wi-Fi credentials Affected Firmware Versions: 1.4.0 or earlier Vulnerability Location: Firmware binary The issue arises because the firmware does not encrypt or obfuscate the Wi-Fi credentials that are used by the device to connect to the user’s wireless network. An attacker with technical knowledge and physical access could: Extract the firmware from the device (e.g., through flash memory dumping), Analyze the binary data using reverse engineering tools, Locate and retrieve the plain text credentials from memory storage. This would give the attacker unauthorized access to the user’s home network, potentially opening doors to further exploitation — including snooping on traffic, injecting malicious payloads into the network, or taking control of other connected smart devices. Source: CERT-In Who Is at Risk? The main risk is to end-users who have deployed the TP-Link Tapo H200 V1 Smart Hub as part of their smart home ecosystem. Since the attack requires physical access, this vulnerability does not expose the device to remote attacks over the internet. However, environments with shared physical spaces — such as offices, rental apartments, or multi-tenant buildings — may be at greater risk if the device is left unprotected or exposed. Risk and Impact Assessment Risk Level: Medium Impact: Exposure of Wi-Fi network credentials Attack Complexity: Requires physical access and technical knowledge While the requirement for physical access limits the scale of potential attacks, the impact of credential exposure could be significant. Once an attacker retrieves the Wi-Fi password, they could: Join the same network and eavesdrop on communications, Launch attacks on other devices in the same network, Exploit misconfigured or vulnerable devices for broader intrusions. This makes it essential for users and administrators to address the issue, especially in environments where physical access to the device cannot be guaranteed. Recommended Mitigation Measures CERT-In recommends the following actions for users and administrators: Check for Firmware Updates: Visit TP-Link’s official support page for firmware updates. Upgrade the Smart Hub firmware to the latest version, if available. Restrict Physical Access: Install the device in a location not easily accessible to unauthorized individuals. Secure devices inside locked enclosures if possible. Monitor Network Activity: Regularly check connected devices on your Wi-Fi network. Enable alerts for new or unknown devices connecting to your router. Change Wi-Fi Password: If physical compromise is suspected, change the Wi-Fi password immediately. Reconnect devices using updated credentials and disable access for unauthorized clients. Disable Unused Services: Turn off any unneeded IoT features to reduce the attack surface. Network Segmentation: Consider placing IoT devices on a separate network or VLAN. Limit cross-communication between networks to contain potential breaches. This vulnerability was responsibly disclosed by Shravan Singh, Ganesh Bakare, and Abhinav Giridhar — security researchers based in Mumbai, India. Conclusion Smart home hubs like the TP-Link Tapo H200 are great for making everyday life easier, but this incident shows how they can also create serious security risks if not properly protected. Storing Wi-Fi credentials in plain text is a basic mistake — and it highlights how important it is for both manufacturers and users to take security seriously. Firmware security and data protection shouldn’t be an afterthought, especially for devices connected to our homes and networks. If you’re using a TP-Link Tapo H200, updating your firmware and limiting physical access to the device isn’t just a suggestion — it’s necessary. Staying alert and following simple security steps can go a long way in keeping your connected home safe.

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding two new vulnerabilities that are actively being exploited in the wild. The vulnerabilities identified by CISA, includes CVE-2025-30406 and CVE-2025-29824. These two vulnerabilities are identified by Gladinet CentreStack and Microsoft Windows systems, respectively. CVE-2025-30406: Gladinet CentreStack’s Cryptographic Key Vulnerability One of the newly cataloged vulnerabilities, CVE-2025-30406, pertains to a cryptographic weakness in Gladinet CentreStack. This flaw, discovered in versions up to 16.1.10296.56315 (fixed in 16.4.10315.56368), involves the improper handling of cryptographic keys used by the CentreStack portal. Specifically, the vulnerability arises from the use of a hardcoded cryptographic key in the web configuration files (web.config), a critical security oversight. This issue is classified under the Common Weakness Enumeration (CWE) as CWE-321, highlighting the use of hard-coded cryptographic keys, which can easily be exploited by attackers. The flaw allows cybercriminals who have knowledge of the machineKey to forge ViewState data and bypass integrity checks. By doing so, they can potentially execute remote code on the server, gaining control over the affected system. Active exploitation of this vulnerability was observed in March 2025, prompting immediate action from security teams. The cryptographic key vulnerability in CentreStack is particularly concerning because of its potential to facilitate remote code execution (RCE) attacks, a common tactic used by threat actors to escalate privileges or deploy malware. Gladinet has responded by releasing a patch (version 16.4.10315.56368) that automatically generates a unique machineKey for each installation. Organizations are strongly encouraged to update to this patched version to mitigate the risk of exploitation. For those unable to upgrade immediately, rotating the machineKey values serves as an interim mitigation. The severity of this vulnerability is rated as Critical, with a CVSS score of 9.0. This emphasizes the potential for damage if left unaddressed. For users of CentreStack, it is imperative to follow the vendor’s guidelines for securely managing cryptographic keys and applying the necessary patches. CVE-2025-29824: Windows Common Log File System Use-After-Free Vulnerability The second vulnerability added to CISA’s catalog, CVE-2025-29824, affects the Microsoft Windows Common Log File System (CLFS) driver. This vulnerability is a Use-After-Free issue, classified under CWE-416. A Use-After-Free Vulnerability occurs when an application continues to reference memory after it has been freed, leading to unexpected behavior that could be exploited by attackers. In this case, an attacker with local access can exploit the CLFS driver to elevate their privileges within the system. The flaw affects multiple versions of Microsoft Windows, including Windows Server editions and Windows 10, spanning from version 10.0.17763.0 to later versions such as 10.0.26100.0. Once exploited, the vulnerability enables attackers to gain elevated privileges, potentially leading to full control over the compromised machine. The Use-After-Free Vulnerability in Windows CLFS poses a security risk for users and organizations relying on these platforms. The vulnerability affects both 32-bit and x64-based systems, as well as several versions of Windows Server. With a CVSS score of 7.8, this vulnerability is classified as High severity and could lead to severe consequences if exploited. Microsoft has released updates to address this vulnerability, and users are urged to promptly apply the latest security patches to protect their systems from potential exploitation. As with other vulnerabilities, timely updates are essential to minimize the risk of attacks that exploit memory handling flaws. Conclusion The addition of CVE-2025-30406 and CVE-2025-29824 to the CISA KEV Catalog highlights a growing trend of active exploitation targeting critical infrastructure systems and widely used platforms. Organizations using Gladinet CentreStack and Microsoft Windows must take immediate action to mitigate the risks of these vulnerabilities, including applying patches, rotating cryptographic keys, and ensuring proper system configurations.

Adobe has released a new security update addressing 30 vulnerabilities across various products, including multiple critical-severity bugs in ColdFusion versions 2025, 2023 and 2021 that could result in arbitrary file read and code execution. This Adobe security update includes patches for critical issues that could lead to code execution, arbitrary file system access, memory leaks, and other security risks. The Adobe security update includes patches and fixes for ColdFusion, After Effects, Media Encoder, Premiere Pro, Photoshop, Animate, FrameMaker, Experience Manager (AEM), Adobe Commerce, Magento Open Source, and Adobe Bridge. Details of the Adobe Security Update Adobe Security Update (Source: Adobe) ColdFusion Security Update: A Critical Patch for Multiple Versions Among the most prominent fixes in the latest Adobe security update is the patch for ColdFusion, the company’s web application development platform. ColdFusion is widely used to build dynamic websites and applications, and vulnerabilities in this platform can be a risk for developers and organizations relying on it. Adobe’s security update addresses multiple security flaws, including 11 critical vulnerabilities that could lead to arbitrary code execution and unauthorized access to the file system.  The vulnerabilities were discovered in ColdFusion versions 2025, 2023, and 2021, with the following issues reported:  Arbitrary file system read: CVE-2025-24446 and CVE-2025-30281  Arbitrary code execution: CVE-2025-24447 and CVE-2025-30282  Security feature bypass: CVE-2025-30288 and CVE-2025-30290  These flaws were classified as critical and important, with a CVSS (Common Vulnerability Scoring System) base score of 7.8, indicating the high potential for exploitation.  Adobe recommends that users update to the following versions to mitigate these risks:  ColdFusion 2025: Update to version Build 331385  ColdFusion 2023: Update to Update 13  ColdFusion 2021: Update to Update 19  It’s crucial for users of ColdFusion to install these security updates as soon as possible to avoid the risk of cybercriminals exploiting these vulnerabilities. After Effects and Media Encoder Security Updates In addition to ColdFusion, Adobe also released security updates for other major products in its suite. For example, Adobe After Effects received patches for several vulnerabilities that could lead to arbitrary code execution and application crashes. These vulnerabilities were identified in After Effects versions 24.6.4 and earlier.  Adobe recommends updating to:  After Effects 24.6.5 or After Effects 25.2 (Priority 3)  Similarly, Adobe Media Encoder, which handles media conversion and rendering, also saw updates addressing critical code execution vulnerabilities. These flaws could allow attackers to execute arbitrary code and compromise the host system.  For Adobe Media Encoder, users should update to:  Media Encoder 24.6.5 or Media Encoder 25.2 (Priority 3)  No active exploits have been reported for these issues, but Adobe strongly encourages all users to apply the updates to maintain security.  Security Patches for Adobe Premiere Pro and Photoshop Adobe’s latest security update also includes fixes for Adobe Premiere Pro and Adobe Photoshop, both of which are used extensively in the creative industry. For Premiere Pro, a critical vulnerability could allow attackers to execute arbitrary code, potentially compromising system integrity.  Affected versions include:  Premiere Pro 25.1 and earlier  Premiere Pro 24.6.4 and earlier  Adobe recommends updating to:  Premiere Pro 25.2 or Premiere Pro 24.6.5 (Priority 3)  Similarly, Photoshop 2025 and Photoshop 2024 versions were found to contain vulnerabilities leading to arbitrary code execution. Adobe urges users to apply the following updates to mitigate the risks:  Photoshop 2025: Update to 26.5  Photoshop 2024: Update to 25.12.2  Vulnerabilities in Adobe Animate and Other Products Adobe also released patches for other creative tools, including Adobe Animate, Adobe FrameMaker, and Adobe XMP Toolkit SDK. For Adobe Animate, multiple vulnerabilities were found that could result in arbitrary code execution, with the potential for memory leaks. Similarly, Adobe FrameMaker had vulnerabilities that could lead to denial-of-service attacks or arbitrary code execution.  Adobe recommends the following updates for these products:  Animate 2023: Update to 23.0.11  Animate 2024: Update to 24.0.8  FrameMaker 2020: Update to FrameMaker 2020 Update 8  FrameMaker 2022: Update to FrameMaker 2022 Update 6  As with other Adobe updates, these patches should be applied as soon as possible to prevent any exploitation.  Security Update for Adobe Experience Manager (AEM) Adobe also addressed security concerns for Adobe Experience Manager (AEM) products, including AEM Forms on JEE and AEM Screens. Vulnerabilities in these tools could allow attackers to bypass security features or execute arbitrary code. Adobe urges users to update to the latest versions to close these security gaps. For AEM Forms on JEE, affected versions include:  6.5.22.0 and earlier  For AEM Screens, updates are recommended for versions earlier than FP11.3.  Users should update to the following versions:  AEM Forms on JEE 6.5.22.0 (AEMForms-6.5.0-0095)  AEM Screens FP11.4  Other Adobe Products Receiving Security Updates Apart from the flagship creative tools, Adobe has also patched vulnerabilities in Adobe Commerce, Magento Open Source, and Adobe Bridge, among other products. These patches address a range of security issues from code execution to memory leaks and denial-of-service attacks. For Adobe Commerce and Magento, the affected versions include 2.4.8-beta2, 2.4.7-p4, and earlier versions. Adobe recommends updating to the latest versions available to mitigate the risks.  Adobe Bridge, a tool used for organizing and managing creative assets, also saw a critical patch for vulnerabilities that could allow arbitrary code execution. Affected versions include 14.1.5 and earlier and 15.0.2 and earlier. Adobe advises users to update to version 14.1.6 or 15.0.3.  Conclusion   The latest Adobe security update addresses critical vulnerabilities in several of its products, including ColdFusion, Premiere Pro, Photoshop, and Animate, which could lead to issues like arbitrary code execution, memory leaks, and security feature bypass. While no active exploits have been reported, Adobe advises users of affected versions to promptly apply the updates to mitigate these risks and ensure system security. 

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added a new vulnerability to its Known Exploited Vulnerabilities Catalog. The vulnerability, identified as CVE-2025-31161, is an Authentication Bypass Vulnerability in CrushFTP, a widely used FTP server software.   CVE-2025-31161 specifically affects versions of CrushFTP prior to 10.8.4 and 11.3.1, leaving users vulnerable to an authentication bypass attack. This flaw allows attackers to bypass authentication mechanisms and take over administrative accounts, such as the “crushadmin” account unless specific protective measures like a DMZ proxy instance are in place. The vulnerability is linked to a race condition in the AWS4-HMAC (compatible with S3) authorization method used by CrushFTP’s HTTP component.  The flaw allows attackers to authenticate as any user, including administrative accounts, without needing to provide the correct password. By exploiting the vulnerability, attackers can bypass standard authentication processes, making it trivial to compromise the system. This flaw not only facilitates unauthorized access but also allows for full system compromise, putting sensitive data and critical infrastructure at risk.  How Does CVE-2025-31161 Vulnerability Work? The vulnerability arises from the way CrushFTP verifies user credentials during the login process. Specifically, the server first checks if a username exists without requiring a password, allowing the session to be authenticated through the HMAC verification process. However, the server fails to fully check the user’s credentials until later, creating a window of opportunity for an attacker to inject a manipulated AWS4-HMAC header. This leads to an anypass authentication process, where the server mistakenly authenticates the attacker as a valid user. Furthermore, by manipulating the AWS4-HMAC header, the attacker can trigger an “index-out-of-bounds” error that prevents the session from being cleaned up, effectively allowing the attacker to retain access indefinitely. This combination of factors makes the flaw particularly dangerous and easy to exploit.  Impact and Severity of CVE-2025-31161 The vulnerability has been classified as critical, with a CVSS score of 9.8. This high severity rating indicates that the flaw poses a risk to organizations using affected versions of CrushFTP. The vulnerability is particularly concerning because it can lead to the full compromise of systems, including the ability to take over administrative accounts without proper authorization.  This flaw is not just a theoretical risk but has been actively exploited in the wild, making it important for users to take immediate action. If left unaddressed, the vulnerability could lead to data breaches, unauthorized access to sensitive files, and potential system outages.  Affected Versions and Mitigation The following versions of CrushFTP are affected by the Authentication Bypass Vulnerability:  CrushFTP 10.0.0 to 10.8.3  CrushFTP 11.0.0 to 11.3.0  To mitigate the risk, users are strongly advised to update to the latest versions:  CrushFTP 10.8.4 or later  CrushFTP 11.3.1 or later  For those who have not yet updated, it is critical to do so as soon as possible to avoid exposure to this vulnerability. The update process is straightforward and can be done from the CrushFTP dashboard. If direct updates are not possible, users can download the latest versions manually and apply the patches offline.  Conclusion   To enhance protection against vulnerabilities like CVE-2025-31161, users should not only update CrushFTP to the latest secure versions but also enable automated updates by setting the “daily_check_and_auto_update_on_idle” flag in the preferences XML file for v11.2.3_19+. Additionally, configuring email reset URL domains and implementing extra security measures, such as a DMZ proxy, is highly recommended. Users on older versions like v10.6.1 or v10.5.5 must update immediately to avoid unauthorized access. This vulnerability is not an isolated issue, as previous CrushFTP versions have also been targeted by flaws such as password reset exploits and XSS bugs, emphasizing the need for regular security patches.  

On April 3, 2025, Ivanti disclosed an unauthenticated buffer overflow vulnerability tracked as CVE-2025-22457, affecting multiple Ivanti products. Australian organizations using Ivanti solutions such as Connect Secure, Policy Secure, and Neurons for ZTA gateways are urged to take immediate action to protect their infrastructure. This technical alert aims to provide an in-depth overview of the vulnerability, its exploitation, and guidance on mitigation for technical teams and system administrators. Summary of CVE-2025-22457 Vulnerability Type: Unauthenticated Buffer Overflow Impact: Remote Code Execution (RCE) Affected Products: Pulse Connect Secure 9.1.X (End-of-Support: December 31, 2024) Ivanti Connect Secure ≤ 22.7R2.5 Ivanti Policy Secure Neurons for ZTA gateways This vulnerability enables a remote attacker to execute arbitrary code on affected devices without authentication. Ivanti and cybersecurity firm Mandiant have observed active exploitation in the wild targeting unpatched systems, particularly Connect Secure and legacy Pulse Connect Secure appliances. Mitigation Guidance from the Australian Cyber Security Centre (ACSC) The Australian Signals Directorate’s ACSC has issued urgent mitigation recommendations: Follow Ivanti’s Official Security Advisory for affected products. Immediately upgrade to Ivanti Connect Secure 22.7R2.6, released on February 11, 2025, which includes a complete patch for CVE-2025-22457. Ensure device configurations are in line with Ivanti’s deployment guidance, particularly ensuring Policy Secure is not internet-facing. Perform forensic investigations to detect any compromise indicators. Monitor connected environments for anomalous activity or signs of lateral movement. Technical Analysis and Exploitation Details When Ivanti released version 22.7R2.6 in February 2025, the vulnerability was believed to be a low-risk denial-of-service issue due to its limited character space. However, adversaries were later able to reverse-engineer the patch and develop a reliable remote code execution exploit against version 22.7R2.5 and earlier. Mandiant’s investigation found exploitation starting in mid-March 2025. This campaign involves: Deployment of two novel malware families: TRAILBLAZE: An in-memory only dropper. BRUSHFIRE: A passive SSL-based backdoor. Use of the previously observed SPAWN malware ecosystem, attributed to the China-linked espionage actor UNC5221. Post-Exploitation Techniques and Malware Overview 1. Shell Script Dropper: After exploiting CVE-2025-22457, attackers execute a shell script that: Identifies the correct /home/bin/web process. Generates several temporary files: /tmp/.p (PID of web process) /tmp/.m (memory map) /tmp/.w, .s (base addresses for web and libssl) /tmp/.r, .i (BRUSHFIRE and TRAILBLAZE payloads) Executes /tmp/.i (TRAILBLAZE dropper). Cleans up all temporary files and kills child processes for stealth. 2. TRAILBLAZE Written in C, using raw syscalls and optimized for stealth. Injects BRUSHFIRE into a memory cave of the /home/bin/web process. Non-persistent—reboot removes the payload unless re-executed. 3. BRUSHFIRE SSL_read hook-based backdoor. Checks for a specific byte signature in decrypted traffic. On match, executes decrypted shellcode, and uses SSL_write to exfiltrate responses. 4. SPAWN Ecosystem Components SPAWNSLOTH: Modifies the dslogserver to disable local and remote logging. SPAWNSNARE: Extracts and encrypts the kernel image. SPAWNWAVE: Combines features from SPAWNANT and SPAWNCHIMERA for broader functionality. Attribution to UNC5221 The Google Threat Intelligence Group (GTIG) and Mandiant attribute this exploitation campaign to UNC5221, a China-nexus espionage actor known for: Zero-day exploits targeting edge devices. Previous campaigns involving: CVE-2023-46805 CVE-2024-21887 CVE-2025-0282 CVE-2023-4966 (NetScaler ADC/Gateway) UNC5221 continues to operate with a high level of sophistication, using: Custom tooling. Passive backdoors. Obfuscated command-and-control networks utilizing compromised Cyberoam, QNAP, and ASUS devices. Risk Context for Affected Products Pulse Connect Secure 9.1x: End-of-life, no further patches. Immediate migration required. Ivanti Connect Secure ≤ 22.7R2.5: High risk—actively exploited. Ivanti Policy Secure: Risk minimized if properly deployed behind a firewall. Neurons for ZTA: Exploitation is not feasible in production as per Ivanti. What Organizations Should Do Now Patch all Ivanti Connect Secure deployments to 22.7R2.6 or later. If using Pulse Connect Secure 9.1x, migrate immediately—the product is deprecated. Validate system configurations and eliminate internet-facing exposure where inappropriate. Conduct threat hunts and endpoint forensics to detect TRAILBLAZE or BRUSHFIRE malware. Inspect for indicators of compromise (IoCs) such as modified logs or unknown processes. Monitoring and Response Implement network and host-based detection rules. Watch for suspicious SSL traffic and inject shellcode patterns. Enable and monitor full packet capture where possible. Validate the integrity of Ivanti’s Integrity Checker Tool (ICT). Conclusion This active exploitation campaign targeting CVE-2025-22457 is a serious threat to Australian organizations using Ivanti products. The vulnerability, while initially underestimated, has proven to be a viable remote code execution vector in the hands of an actor. Given the direct involvement of UNC5221, known for high-impact espionage operations, timely patching and robust monitoring are essential. Organizations should treat this advisory with urgency, prioritize upgrading vulnerable appliances, and assess the integrity of affected environments. In the evolving threat landscape, proactive defense and adherence to vendor and ACSC guidance remain critical to securing edge infrastructure.

The Cybersecurity and Infrastructure Security Agency (CISA) issued two crucial Industrial Control Systems (ICS) advisories, highlighting vulnerabilities that could have serious impacts on critical infrastructure. These ICS advisories, identified as ICSA-25-091-01 and ICSA-24-331-04, are designed to inform organizations about current security threats, vulnerabilities, and necessary mitigations related to ICS products and systems.  Details of the Industrial Control Systems Advisories  The two ICS advisories shared by CISA include vulnerabilities targeting Rockwell Automation Lifecycle Services with Veeam Backup and Replication and itachi Energy MicroSCADA Pro/X SYS600. Here is a quick breakdown of the vulnerabilities and their advisories.   ICSA-25-091-01  The first advisory, ICSA-25-091-01, focuses on a severe vulnerability in Rockwell Automation’s Lifecycle Services integrated with Veeam Backup and Replication. This vulnerability is related to the deserialization of untrusted data (CWE-502), a common type of issue in which attackers can manipulate software to execute malicious code remotely. A CVSS v4 score of 9.4 has been assigned to this flaw, indicating a high risk, as it is remotely exploitable with low attack complexity. Rockwell Automation’s affected products include the Industrial Data Center (IDC) with Veeam (Generations 1 – 5) and VersaVirtual Appliance (VVA) with Veeam (Series A – C). If successfully exploited, this vulnerability could allow attackers with administrative privileges to execute arbitrary code on affected systems, potentially leading to a complete system compromise. CISA urges organizations to take immediate defensive measures to mitigate the risk, including:  Minimizing network exposure for all control systems and ensuring they are not directly accessible from the internet. Using secure access methods like Virtual Private Networks (VPNs) when remote access is necessary.  Keeping VPNs up to date to prevent vulnerabilities from being exploited.  Rockwell Automation is actively working with CISA to notify affected customers, especially those with an active Infrastructure Managed Service contract, and provide them with guidance on patching and remediation.  ICSA-24-331-04  The second advisory, ICSA-24-331-04, addresses a series of vulnerabilities in Hitachi Energy’s MicroSCADA Pro/X SYS600 system, an essential part of critical infrastructure in manufacturing and energy sectors. This advisory outlines multiple flaws, including issues such as improper neutralization of special elements in data query logic, path traversal vulnerabilities, and session hijacking possibilities through authentication bypass. The most severe vulnerability, CVE-2024-4872, has been assigned a CVSS v3 score of 9.9, highlighting its critical nature. This flaw allows authenticated attackers to inject malicious code into the system, potentially compromising the integrity of persistent data and allowing unauthorized access to sensitive functions. Other issues, such as improper limitations on file paths (CVE-2024-3980), could allow attackers to manipulate files essential to the system’s operation, leading to further compromise.  As with the Rockwell Automation advisory, CISA urges users to implement mitigations immediately to reduce the risks. Hitachi Energy has released patches for the affected versions, including a critical update to Version 10.6 for MicroSCADA Pro/X SYS600. Users are also advised to apply necessary workarounds and stay updated with security patches to protect against exploitation. 

Apple has released a series of critical security updates to address vulnerabilities that were actively exploited as zero-day threats. These updates include backported patches for older versions of iOS, iPadOS, macOS, and watchOS, aiming to secure devices that may still be running outdated software.   A key focus of these updates is the backporting of zero-day patches to older devices, reflecting the ongoing efforts to mitigate risks across a broad range of hardware. Notable vulnerabilities include CVE-2025-24200 and CVE-2025-24201, both of which were actively exploited before patches were issued.  Backporting Zero-Day Fixes  The vulnerability CVE-2025-24200 allowed mobile forensic tools to bypass the USB Restricted Mode on locked devices, a feature designed to prevent unauthorized data access via USB ports. This flaw was addressed with the release of iOS 18.3.1, iPadOS 18.3.1, and macOS 17.7.5 on February 10, 2025, with backports provided for older versions such as iOS 16.7.11 and iPadOS 16.7.11.  Similarly, CVE-2025-24201, which affected the WebKit engine, enabled attackers to break out of the Web Content sandbox through specially crafted web content. This vulnerability was exploited in several attacks, prompting company to release fixes in iOS 18.3.2, iPadOS 18.3.2, and macOS Sequoia 15.3.2 on March 11, 2025. Older devices received updates through versions like iOS 16.7.11 and corresponding macOS releases.  Apple Addresses Other Vulnerabilities and Fixes  In addition to the zero-day flaws, Apple addressed CVE-2025-24085, a privilege escalation issue within the Core Media framework. This vulnerability was patched in the January 2025 updates for iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, and tvOS 18.3, with backports available in iPadOS 17.7.6 and macOS Sonoma 14.7.5.  The updates also cover a range of other security flaws across various system components, including Safari, CoreAudio, Maps, Calendar, and more. These patches aim to enhance the overall security posture of company’s ecosystem, addressing risks that could lead to data breaches, system crashes, or unauthorized access.  Security Content of Latest Updates  The latest update, watchOS 11.4, released on April 1, 2025, targets vulnerabilities affecting the Apple Watch Series 6 and later. Key fixes include CVE-2025-24097, which addresses a permissions issue with AirDrop, and CVE-2025-24244, a flaw in font processing that could lead to memory disclosure.  Authentication services have also been fortified, with patches for issues like CVE-2025-30430, which could allow attackers to bypass password autofill restrictions, and CVE-2025-24180, which affected WebAuthn credentials across websites with similar suffixes. Other security enhancements cover audio-related vulnerabilities, such as CVE-2025-24243, which addressed a flaw in processing malicious font files capable of triggering arbitrary code execution.  Conclusion  The release of these security updates highlights the critical role of timely patching in addressing vulnerabilities, particularly zero-day threats like CVE-2025-24200 and CVE-2025-24201. By backporting fixes to older devices, company aims to provide broader protection, though the effectiveness of such measures relies heavily on user promptness in applying updates.