Vulnerabilities News

Vulnerabilities – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • CVE-2025-49763: Apache Traffic Server Vulnerability Enables Memory Exhaustion Attacks
    by Ashish Khaitan on June 20, 2025 at 10:27 am

    A security flaw in Apache Traffic Server (ATS) puts cloud service providers worldwide at risk. The vulnerability, identified as CVE-2025-49763, exposes affected systems to denial-of-service (DoS) attacks that exploit a flaw in the server’s Edge Side Includes (ESI) plugin, enabling attackers to exhaust server memory and disrupt operations.

    Apache Traffic Server is widely used as a high-performance, scalable caching proxy and traffic management system. The newly reported Apache Traffic Server vulnerability centers on the ESI plugin, a component designed to assemble web content dynamically at the edge. This feature, while valuable, contains a flaw in its processing of inclusion depth, the mechanism that controls how many nested ESI requests the server will follow.

    Decoding the CVE-2025-49763 Vulnerability

    Attackers can craft malicious requests that recursively force the ESI plugin to process deeper inclusion layers than intended. This triggers excessive memory consumption, ultimately overwhelming the server’s resources and leading to a DoS condition that can take critical infrastructure offline.

    In an official advisory, the Apache Software Foundation highlighted not only this flaw but also a related ACL issue affecting PROXY protocol client IP address handling. Together, these vulnerabilities pose a multifaceted threat to systems running vulnerable ATS versions.

    Details of CVE-2025-49763 and Related Issues

    - CVE-2025-49763: a remote DoS vulnerability via memory exhaustion in the ESI plugin.
    - Affected versions: ATS 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5.
    - Reporter: the DoS flaw was reported by security researcher Yohann Sillam.
    - Related ACL issue: CVE-2025-31698, involving incorrect client IP address handling for access control, was reported by Masakazu Kitajo.

    Mitigation Strategies and Recommendations

    In response to these vulnerabilities, the Apache Software Foundation promptly released patched versions—ATS 9.2.11 and 10.0.6—that introduce new configurable settings aimed at mitigating the risks rather than applying an automatic fix. Users are strongly encouraged to upgrade to these versions or later releases.

    Key mitigation steps include:

    - Upgrading ATS: organizations should update their servers to version 9.2.11 or 10.0.6 or above.
    - Configuring ESI plugin limits: the new --max-inclusion-depth setting, defaulting to 3, limits the depth of nested ESI includes, effectively preventing the unbounded recursive processing that leads to memory exhaustion.
    - Addressing the ACL issue: for deployments using the PROXY protocol, administrators should configure the proxy.config.acl.subject setting to correctly determine which IP addresses are subject to the access control lists (ACLs) defined in ip_allow.config and remap.config.

    If left unaddressed, CVE-2025-49763 could allow remote attackers to incapacitate ATS servers by exhausting memory resources, causing service interruptions that impact user experience and potentially incur financial and reputational damage.

    Conclusion

    By promptly upgrading affected ATS versions and applying the recommended configuration changes, especially around the ESI plugin inclusion depth and ACL rules, organizations can reduce their exposure to disruptive DoS attacks. Administrators running ATS versions 9.0.0 to 9.2.10 or 10.0.0 to 10.0.5 should prioritize these actions to protect their web infrastructure from the damaging effects of memory exhaustion-based attacks.
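The following is an added illustration, not code from the Apache Traffic Server project: a minimal resolver for ESI include tags that enforces a maximum inclusion depth, the role the ESI plugin's --max-inclusion-depth setting (default 3) plays, run against a constructed in-memory origin. The document names, the tag regex and the fetch counter are assumptions made for the demo.

```python
"""Added example, not code from the Apache Traffic Server project: a minimal
resolver for ESI <esi:include src="..."/> tags that enforces a maximum
inclusion depth, the role the ESI plugin's --max-inclusion-depth setting
(default 3) plays. The origin documents below are constructed in memory."""
import re

ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')


class InclusionDepthExceeded(Exception):
    """Raised when nested includes go deeper than the configured limit."""


def _walk(path, origin, max_depth, abort, depth, stats):
    if depth > max_depth:
        if abort:
            raise InclusionDepthExceeded(
                f"{path}: depth {depth} exceeds limit {max_depth}")
        return ""                    # measurement mode: stop expanding here
    stats["fetches"] += 1            # one sub-request to the origin per fetch
    body = origin[path]

    def expand(match):
        return _walk(match.group(1), origin, max_depth, abort, depth + 1, stats)

    return ESI_INCLUDE.sub(expand, body)


def resolve_esi(path, origin, max_depth=3):
    """Assemble `path` with includes followed at most `max_depth` levels deep;
    a deeper chain aborts the request instead of consuming more memory."""
    return _walk(path, origin, max_depth, True, 0, {"fetches": 0})


def exceeds_limit(path, origin, max_depth=3):
    """True if assembling `path` would be aborted by the depth limit."""
    try:
        resolve_esi(path, origin, max_depth)
    except InclusionDepthExceeded:
        return True
    return False


def fetches_if_followed(path, origin, depth):
    """How many origin fetches the plugin would issue if it followed includes
    `depth` levels deep without aborting: shows the growth the limit caps."""
    stats = {"fetches": 0}
    _walk(path, origin, depth, False, 0, stats)
    return stats["fetches"]


# Constructed origin: a normal two-level page, a self-including document, and
# a document that includes itself twice (fetch count doubles at every level).
ORIGIN = {
    "/index.html": '<html><esi:include src="/header.html"/>'
                   '<esi:include src="/body.html"/></html>',
    "/header.html": "<h1>Hi</h1>",
    "/body.html": '<p><esi:include src="/footer.html"/></p>',
    "/footer.html": "<small>f</small>",
    "/loop.html": 'x<esi:include src="/loop.html"/>',
    "/fanout.html": 'y<esi:include src="/fanout.html"/>'
                    '<esi:include src="/fanout.html"/>',
}


if __name__ == "__main__":
    print(resolve_esi("/index.html", ORIGIN))
    print("fanout fetches if depth 3 allowed:",
          fetches_if_followed("/fanout.html", ORIGIN, 3))
    print("fanout fetches if depth 12 allowed:",
          fetches_if_followed("/fanout.html", ORIGIN, 12))
    print("loop aborted by limit:", exceeds_limit("/loop.html", ORIGIN))
```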

  • Two High-Severity Flaws Found in NetScaler Products: CVE-2025-5349 and CVE-2025-5777
    by Ashish Khaitan on June 19, 2025 at 7:31 am

    Cloud Software Group has released a security bulletin warning customers of two newly identified vulnerabilities, CVE-2025-5349 and CVE-2025-5777, affecting both NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

    CVE-2025-5349 has been classified as an improper access control issue affecting the NetScaler Management Interface. This flaw allows unauthorized users to potentially gain elevated access if they can connect via NSIP, Cluster Management IP, or the local GSLB Site IP. It has been assessed under the Common Weakness Enumeration (CWE) as CWE-284 and has been assigned a CVSS v4.0 base score of 8.7, signaling a high-severity vulnerability.

    The second vulnerability, CVE-2025-5777, results from insufficient input validation, leading to a memory overread condition. The flaw is exploitable only when NetScaler is configured as a Gateway, such as through VPN virtual servers, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers. This issue is classified under CWE-125: Out-of-bounds Read, with a CVSS v4.0 base score of 9.3, making it even more critical than the first.

    Affected Versions

    The following versions of NetScaler ADC and NetScaler Gateway are impacted:

    - Versions 14.1 before 14.1-43.56
    - Versions 13.1 before 13.1-58.32
    - 13.1-FIPS and 13.1-NDcPP before build 13.1-37.235-FIPS and NDcPP
    - 12.1-FIPS before build 12.1-55.328-FIPS

    It is important to note that versions 12.1 and 13.0 are now designated as End of Life (EOL). As a result, these versions are no longer supported and are vulnerable to both CVE-2025-5349 and CVE-2025-5777. Customers still operating on these legacy builds are strongly encouraged to migrate to currently supported versions immediately.

    Additionally, organizations using Secure Private Access in on-premises or hybrid deployment modes that rely on NetScaler instances are also affected. Cloud Software Group emphasizes that these setups must also be upgraded to the specified secure builds to ensure complete protection.

    Remediation for CVE-2025-5349 and CVE-2025-5777

    To address these critical vulnerabilities, Cloud Software Group advises customers to upgrade to the following versions:

    - NetScaler ADC and NetScaler Gateway 14.1-43.56 or later
    - NetScaler ADC and NetScaler Gateway 13.1-58.32 or later
    - NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 or later
    - NetScaler ADC 12.1-FIPS 12.1-55.328 or later

    After upgrading, administrators are also advised to terminate all active ICA and PCoIP sessions using the following commands to ensure no lingering session-based vulnerabilities:

        kill icaconnection -all
        kill pcoipConnection -all

    These commands should be run only after all appliances in an HA pair or cluster are fully updated to the secure builds.

    These vulnerabilities specifically impact customer-managed instances of Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway). Customers utilizing Citrix-managed cloud services or Citrix Adaptive Authentication do not need to take action, as Cloud Software Group handles all necessary updates for those environments.

    Conclusion

    Cloud Software Group extended its appreciation to Positive Technologies and ITA MOD CERT (CERTDIFESA) for their collaborative efforts in identifying and disclosing these vulnerabilities responsibly. Their cooperation played a vital role in enabling a timely and effective response to protect end-users.

    Given the severity of CVE-2025-5349 and CVE-2025-5777, organizations using NetScaler ADC and NetScaler Gateway cannot afford to delay. With one vulnerability granting elevated access and the other enabling memory-based exploits, attackers could gain control over affected systems. Upgrading to the latest supported versions is not only recommended but essential for maintaining a secure enterprise infrastructure.

  • CISA Flags CVE-2023-0386 as Actively Exploited Linux Kernel Privilege Escalation Threat
    by Ashish Khaitan on June 18, 2025 at 12:05 pm

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about the active exploitation of a critical Linux kernel vulnerability, officially listed as CVE-2023-0386.

    The vulnerability, which carries a CVSS score of 7.8, is categorized as a Linux kernel privilege escalation flaw. It stems from improper ownership management within the Linux kernel’s OverlayFS subsystem. If exploited successfully, attackers can escalate privileges on affected systems, gain unauthorized access, and potentially execute arbitrary code with elevated rights.

    Breakdown of the CVE-2023-0386 Vulnerability

    CVE-2023-0386 was identified and patched in early 2023. The flaw arises when a user copies a file with elevated capabilities from a nosuid mount into another mount. According to the CISA alert, “Linux kernel contains an improper ownership management vulnerability, where unauthorized access to the execution of the setuid file with capabilities was found… in how a user copies a capable file from a nosuid mount into another mount.”

    The vulnerability was disclosed and patched by Miklos Szeredi, a well-known contributor to the Linux kernel. The specific commit that addressed the flaw (commit ID: 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3) was made on January 27, 2023. Szeredi noted the importance of rejecting copy-up operations when the user ID (UID) or group ID (GID) lacks a proper mapping in the user namespace. This patch ensures consistency with POSIX ACLs, which fail operations when invalid UID/GID mappings are detected.

    Technical Insights

    The vulnerability exists in the OverlayFS subsystem, particularly in the function ovl_copy_up_one. In affected Linux kernel versions before 6.2-rc6, a lack of proper checks allows invalid UID/GID mappings to be exploited. According to the patch notes, if st_uid or st_gid does not have a valid mapping in the mounting user namespace, the copy-up operation should fail, mirroring the behavior of standard Linux tools like cp -a.

    A notable edge case was identified where cp -a might succeed even when a copy-up fails, due to a default fallback UID/GID of 65534, used when no valid mapping is found. This inconsistency could be abused by attackers unless the flaw is patched.

    CISA’s decision to include CVE-2023-0386 in its Known Exploited Vulnerabilities catalog confirms that threat actors are actively leveraging this flaw in cyberattacks. Privilege escalation vulnerabilities are particularly dangerous in multi-user environments, containers, and cloud-based workloads, where strict privilege boundaries are critical.

    Industry Response and NetApp Advisory

    Leading tech companies responded to the flaw, including NetApp, which issued its advisory (NTAP-20230420-0004) detailing the impact across various product lines. NetApp identified multiple products using vulnerable versions of the Linux kernel and confirmed that exploitation could result in data disclosure, data modification, or denial-of-service (DoS).

    Affected systems include:

    - NetApp HCI Baseboard Management Controllers (H300S, H500S, H700S, H410S, H410C)
    - Other products incorporating Linux kernel versions before 6.2-rc6

    NetApp published a full list of impacted and unaffected products in its 2023 advisory, confirming that software updates will be made available through its support portal. As of the latest update, there are no available workarounds, so direct patching is required.

    Mitigations and Recommendations

    System administrators and security professionals are urged to:

    - Update to Linux kernel 6.2-rc6 or later to ensure the patch for CVE-2023-0386 is in place.
    - Monitor systems for unusual privilege elevation behavior, especially in containerized or multi-user environments.

    The exploit’s technical complexity is relatively low: it requires local access but no user interaction, and the flaw has been assigned the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a high potential for damage.

  • Keyless Entry Vulnerability (CVE-2025-6029) Threatens KIA Vehicles in Ecuador, Researcher Reports
    by Ashish Khaitan on June 16, 2025 at 12:48 pm

    A security flaw has been identified in the keyless entry systems (KES) used extensively in KIA vehicles across Ecuador, exposing thousands of cars to a severe risk of theft. This vulnerability, officially catalogued as CVE-2025-6029, centers around outdated technology in aftermarket key fobs homologated and distributed by KIA Ecuador. The affected models include the Kia Soluto, Rio, and Picanto from 2022 through 2025.

    The Nature of the KIA Vulnerability (CVE-2025-6029)

    The Keyless Entry Vulnerability was discovered by Danilo Erazo, an independent hardware security researcher, ethical hacker, and founder of Reverse Everything. Erazo has been studying vehicle security extensively, particularly focusing on the hardware and radio frequency (RF) protocols behind key fobs used in Latin America. His research highlights a critical flaw in the KES installed on many KIA vehicles in Ecuador: the continued use of “learning code” technology, rather than more secure rolling codes.

    Most modern vehicles globally employ rolling code technology, which changes the access code every time the key fob is used, drastically reducing the risk of replay attacks or key cloning. Rolling codes became widespread in vehicle security systems in the mid-1990s and have been standard in Latin America since the early 2000s. In contrast, the vulnerable KIA key fobs use fixed learning codes—static codes that remain the same every time the key fob transmits a signal.

    What Are Learning Codes?

    Learning codes are programmable fixed codes stored both in the vehicle’s receiver and in the key fob transmitter. Unlike fixed codes that are permanently hardwired, learning codes can be reprogrammed. Each vehicle typically supports up to four learning codes, allowing multiple keys to be programmed to the same car. However, these codes do not change dynamically with each use, leaving them open to exploitation via replay or cloning attacks.

    An attacker can capture the radio frequency signal transmitted by the key fob using specialized antennas or Software Defined Radio (SDR) devices, then replay this exact signal to unlock the vehicle—hence the vulnerability’s name, the Keyless Entry Vulnerability.

    The HS2240 and EV1527 Chips

    KIA Ecuador key fobs from 2022 and early 2023 utilize the HS2240 chip, while models from 2024 and 2025 employ the EV1527 chip. Both chips rely on the same insecure learning code technology. These chips have approximately 1 million possible fixed code combinations, but with brute force methods, hackers can systematically attempt all codes to gain unauthorized access.

    In addition to replay and brute force attacks, the system allows “backdoor” vulnerabilities. Since the vehicle receiver accepts up to four learning codes, malicious actors can potentially add their own fixed codes, granting permanent unauthorized access without the owner’s knowledge. This backdoor could be introduced anywhere along the production or supply chain before the vehicle reaches the customer.

    The vulnerability affects thousands of KIA vehicles across Ecuador, with confirmed cases involving Kia Soluto, Rio, and Picanto models from 2022 to 2025. Theft incidents in public and private parking lots have been linked to this weakness. Although this issue has been publicly disclosed in Ecuador, it is believed that other Latin American countries also use similarly vulnerable KES in vehicles.

    This security gap is exacerbated by the fact that KIA Ecuador not only installs these key fobs but also officially homologates and distributes them. Interestingly, these vulnerable key fobs are even available for purchase on the KIA Ecuador website, despite not being original equipment manufacturer (OEM) parts.

    Conclusion

    Danilo Erazo’s research on CVE-2025-6029 revealed how KIA vehicles in Ecuador with learning code-based keyless entry systems (KES) are vulnerable to replay attacks, brute forcing, and backdoor access. Danilo Erazo and other experts stress the urgent need to replace these outdated learning code fobs with rolling code technology and call on manufacturers to phase out vulnerable KES. The vulnerability also poses a global risk due to overlapping fixed code ranges.
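To make the learning-code versus rolling-code distinction concrete, here is an added simulation (not the researcher's work and not any vendor firmware) of two toy receivers: one that stores up to four fixed codes and opens for any repeat of them, and one whose counter-plus-tag frames reject a replay. The frame format, the HMAC tag, the shared secret and the sample 24-bit code are constructed assumptions, not a real fob protocol.

```python
"""Added example, not the researcher's code or any vendor firmware: two toy
receivers that contrast the learning-code scheme described above with a
rolling-code scheme. Frame formats, the secret and the 24-bit sample code
are constructed for the demo; real fob protocols differ in detail."""
import hashlib
import hmac


class LearningCodeReceiver:
    """Learning-code receiver: up to four programmable fixed codes. Any frame
    carrying a stored code is accepted, however many times it is seen."""
    MAX_CODES = 4

    def __init__(self):
        self.codes = []

    def learn(self, code):
        if len(self.codes) >= self.MAX_CODES:
            raise ValueError("all learning-code slots are in use")
        self.codes.append(code)

    def accept(self, frame):
        return frame in self.codes


def _tag(secret, counter):
    """Authentication tag binding the counter to the fob/receiver secret."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, secret):
        self.secret = secret
        self.counter = 0

    def press(self):
        self.counter += 1            # every press yields a new frame
        return (self.counter, _tag(self.secret, self.counter))


class RollingCodeReceiver:
    """Accepts a frame only if its counter is ahead of the last accepted one
    (within a small resync window) and its tag verifies; a replayed frame
    carries an old counter and is rejected."""
    WINDOW = 16

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = 0

    def accept(self, frame):
        counter, tag = frame
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return False             # replay (old counter) or too far ahead
        if not hmac.compare_digest(tag, _tag(self.secret, counter)):
            return False             # counter not vouched for by the secret
        self.last_counter = counter
        return True


def learning_code_replay():
    """Owner's frame accepted, the same frame accepted again on replay, and a
    code learned into a spare slot without the owner's knowledge also opens."""
    rx = LearningCodeReceiver()
    owner_frame = 0x0A5F3C           # constructed 24-bit fixed code
    rx.learn(owner_frame)
    rx.learn(0x7B11E0)               # extra code programmed into a spare slot
    return (rx.accept(owner_frame), rx.accept(owner_frame), rx.accept(0x7B11E0))


def rolling_code_replay():
    """First frame accepted, its replay rejected, the next press accepted; a
    fob pressed 20 times out of range then falls outside the resync window."""
    secret = b"constructed-demo-secret"
    fob, rx = RollingCodeFob(secret), RollingCodeReceiver(secret)
    frame = fob.press()
    first = rx.accept(frame)
    replayed = rx.accept(frame)
    later = rx.accept(fob.press())
    for _ in range(20):
        fob.press()
    out_of_window = rx.accept(fob.press())
    return (first, replayed, later, out_of_window)


if __name__ == "__main__":
    print("learning code (first, replay, extra slot):", learning_code_replay())
    print("rolling code (first, replay, next, out of window):",
          rolling_code_replay())
```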

  • CISA Issues 7 ICS Advisories Targeting Critical Infrastructure Flaws
    by Ashish Khaitan on June 6, 2025 at 10:30 am

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released seven new ICS advisories, each highlighting cybersecurity vulnerabilities in key industrial control systems across the energy, communications, emergency response, and manufacturing sectors.

    The alerts shed light on remotely exploitable flaws discovered in devices and software produced by CyberData, Hitachi Energy, and Mitsubishi Electric—names synonymous with modern operational technology (OT).

    A Breakdown of the Latest ICS Advisories

    The first advisory, ICSA-25-155-01, addresses multiple high-impact issues in CyberData’s 011209 SIP Emergency Intercom. With a CVSS v4 severity score of 9.3, this vulnerability, reported by Claroty researcher Vera Mens, enables authentication bypass, SQL injection, and path traversal. Affected systems using firmware versions prior to 22.0.1 are vulnerable to remote code execution and denial-of-service attacks. CISA recommends upgrading to version 22.0.1 and advises isolating the intercoms from public networks using firewalls and VPNs.

    The second alert, ICSA-25-155-02, involves a critical integer overflow in Hitachi Energy’s Relion 670, 650 series, and SAM600-IO devices. The flaw resides in the VxWorks OS memory allocator and holds a CVSS v3 score of 9.8. Exploitation could lead to memory corruption, potentially crippling protective relays in power systems. Multiple firmware subversions across series 1.1 to 2.2.5 are affected. Mitigation entails upgrading to version 2.2.5.2 or applying interim workarounds provided by Hitachi.

    ICSA-21-049-02 (Update H) highlights vulnerabilities in Mitsubishi Electric’s broad range of FA Engineering Software, such as GX Developer, GT Designer3, and RT ToolBox2. With a CVSS v4 score of 8.7, attackers can exploit heap-based buffer overflows to crash the software or interfere with PLC diagnostics in factory automation environments. Users are advised to install the latest updates—e.g., GX Developer version 8.507D+ and RT ToolBox2 version 3.74C+.

    Continued Focus on Hitachi Energy’s Industrial Control Systems

    CISA’s June release includes updates to prior ICS advisories concerning Hitachi Energy’s Relion products and IEC 61850 MMS Server implementations. Notable among them:

    - ICSA-25-133-02 details CVE-2023-4518, where malformed GOOSE messages could cause vulnerable Relion firmware versions to reboot, creating a denial-of-service condition. Firmware series 2.2.0.x to 2.2.5.6 are affected, and the agency recommends upgrading to secure versions such as 2.2.2.6 or 2.2.3.7.
    - ICSA-23-068-05 (CVE-2022-3864) uncovers weaknesses in firmware signature validation. If exploited by an authenticated attacker, this vulnerability could lead to unauthorized firmware uploads. Affected firmware spans versions 2.2.0 to 2.2.5.5.
    - ICSA-21-336-05 concerns outdated VxWorks boot components in the Relion series. CVE-2021-35535, with a CVSS v4 score of 8.9, references the known “Urgent/11” vulnerabilities that could allow TCP session hijacking or packet injection. Users must patch to at least version 2.2.2.5 or apply physical and network isolation strategies.
    - ICSA-23-089-01 points to a medium-severity issue (CVE-2022-3353) in Hitachi’s IEC 61850 MMS Server, where malformed client requests can block new connections. Though scoring a 5.9, it could still disrupt operations under targeted conditions.

    Conclusion

    CISA’s latest ICS advisories highlight the urgent need for critical infrastructure operators to secure vulnerable systems against remote exploitation. With many legacy ICS components lacking basic protections, the risks are growing, but so are the tools. CISA’s guidance offers a clear roadmap: patch systems, segment networks, restrict access, monitor threats, and train staff.

  • HPE StoreOnce Faces Critical CVE-2025-37093 Vulnerability — Urges Immediate Patch Upgrade
    by Ashish Khaitan on June 4, 2025 at 11:45 am

    Hewlett Packard Enterprise (HPE) has issued a new security advisory addressing eight newly discovered vulnerabilities in its StoreOnce data backup and deduplication platform. Among these, the most severe is an authentication bypass vulnerability tracked as CVE-2025-37093, which carries a near-maximum CVSS score of 9.8, indicating a critical risk to affected systems.

    In a security bulletin (document ID: HPESBST04847 rev.1), HPE outlined that multiple versions of its StoreOnce Virtual Storage Appliance (VSA), particularly those prior to version 4.3.11, are vulnerable to a range of remote exploitation risks. These include remote code execution (RCE), server-side request forgery (SSRF), arbitrary file deletion, information disclosure, directory traversal, and authentication bypass.

    “These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass, arbitrary file deletion, and directory traversal information disclosure,” HPE warned in the advisory.

    Spotlight on CVE-2025-37093: A Critical StoreOnce Vulnerability

    The most concerning among the identified threats is CVE-2025-37093, a critical StoreOnce vulnerability. This flaw affects all software versions prior to 4.3.11 and enables unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to systems.

    HPE stated that this vulnerability was reported on October 31, 2024, by an anonymous researcher in collaboration with the Trend Micro Zero Day Initiative (ZDI). The vulnerability, cataloged under ZDI-CAN-24985, is now patched in the newly released software version.

    With a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the CVE-2025-37093 vulnerability in StoreOnce poses a serious threat due to its low attack complexity and the lack of any required user interaction.

    Full List of Vulnerabilities

    Besides CVE-2025-37093, the advisory highlights the following security issues:

    - CVE-2025-37089 (ZDI-CAN-24981) – Remote Code Execution (CVSS: 7.2)
    - CVE-2025-37090 (ZDI-CAN-24982) – Server-Side Request Forgery (CVSS: 5.3)
    - CVE-2025-37091 (ZDI-CAN-24983) – Remote Code Execution (CVSS: 7.2)
    - CVE-2025-37092 (ZDI-CAN-24984) – Remote Code Execution (CVSS: 7.2)
    - CVE-2025-37094 (ZDI-CAN-25314) – Directory Traversal / Arbitrary File Deletion (CVSS: 5.5)
    - CVE-2025-37095 (ZDI-CAN-25315) – Directory Traversal / Information Disclosure (CVSS: 4.9)
    - CVE-2025-37096 (ZDI-CAN-25316) – Remote Code Execution (CVSS: 7.2)

    Each of these poses a different degree of threat, but it is CVE-2025-37093, the authentication bypass flaw, that requires immediate attention due to its potential to grant full access to unprivileged attackers without requiring credentials.

    Who Is Affected and How to Mitigate

    Systems running HPE StoreOnce VSA software versions earlier than 4.3.11 are directly impacted. These installations are urged to upgrade to version 4.3.11 or later, which contains the necessary patches to remediate all eight vulnerabilities, including CVE-2025-37093.

    While HPE has made the updated software available through the HPE Support Center, organizations are also advised to adhere to their internal patch management protocols when applying third-party patches.

    Conclusion

    The recent disclosure of multiple vulnerabilities in HPE’s StoreOnce software, most notably the critical authentication bypass flaw tracked as CVE-2025-37093, highlights a pressing security concern for organizations relying on this widely used backup solution. The flaws expose systems to risks such as remote code execution and unauthorized access. With attackers increasingly targeting backup infrastructure to gain deeper access into networks or sabotage recovery efforts, unpatched StoreOnce deployments present a tempting target. Immediate action to upgrade to the patched version is not just advisable—it’s essential for any organization looking to protect sensitive data and maintain operational resilience.

  • New Apache InLong Vulnerability (CVE-2025-27522) Exposes Systems to Remote Code Execution Risks
    by Ashish Khaitan on May 30, 2025 at 11:34 am

    A newly disclosed vulnerability, tracked as CVE-2025-27522, has been discovered in Apache InLong, a widely used real-time data streaming platform. The Apache InLong vulnerability introduces the potential for remote code execution (RCE).

    The vulnerability affects Apache InLong versions 1.13.0 through 2.1.0, making a wide range of deployments potentially vulnerable. According to the official Apache security advisory, the flaw results from the deserialization of untrusted data during JDBC verification processing, allowing attackers to exploit how serialized Java objects are handled.

    The Nature of the Apache InLong Vulnerability (CVE-2025-27522)

    Designated as CVE-2025-27522, this vulnerability is classified as moderate in severity, yet its potential impact on production environments is far from trivial. It serves as a secondary mining bypass for a previously disclosed vulnerability, CVE-2024-26579.

    This particular vulnerability stems from insecure handling of serialized data in InLong’s JDBC component. When data is received during JDBC verification, Apache InLong fails to adequately sanitize or validate the contents before deserializing them. Malicious actors could exploit this gap to send specially crafted payloads, which, when deserialized, could trigger unauthorized behavior such as file manipulation or arbitrary code execution.

    Official Disclosure and Technical Insight

    The vulnerability was disclosed by security researchers known as yulate and m4x, and was officially published in a message by Charles Zhang to Apache’s developer mailing list on Wednesday, May 28. According to Apache, affected users should immediately upgrade to InLong version 2.2.0 or apply the fix included in GitHub Pull Request #11732.

    The CVE entry for CVE-2025-27522 can be found in the official CVE database. Apache’s GitHub repository includes detailed documentation of the issue and the remediation steps taken in the patch. The patch, merged by contributor dockerzhang on February 9, addressed sensitive parameter bypasses during JDBC processing.

    Security Implications and Exploitation Risk

    While no public proof-of-concept or reports of active exploitation have surfaced, the vulnerability is considered network-exploitable and does not require user interaction, which elevates the risk. The Common Weakness Enumeration (CWE) identifier assigned to this flaw is CWE-502: Deserialization of Untrusted Data—a well-known class of vulnerabilities that has historically led to severe security breaches.

    According to Apache, the CVSS v3.1 base score for CVE-2025-27522 ranges between 5.3 and 6.5, indicating a moderate to high severity level. Given its potential for enabling remote code execution, even moderate CVSS scores warrant serious attention.

    Recommended Mitigation Steps

    To mitigate the Apache InLong vulnerability:

    - Upgrade to Apache InLong 2.2.0 immediately.
    - Alternatively, apply the cherry-picked patch #11732 from the Apache GitHub repository.
    - Restrict sources of serialized data and implement input validation and sanitization on all data that may be deserialized.
    - Monitor systems for signs of suspicious deserialization behavior or unauthorized activity.

    A secure deserialization pattern in Java (one that only admits an allowlist of expected classes) can help reduce similar risks in custom implementations.

    Conclusion

    CVE-2025-27522 highlights how deserialization vulnerabilities can target enterprise systems. Given Apache InLong’s role in managing large-scale data ingestion and distribution, any security flaw, especially one that could lead to remote code execution, requires quick and decisive action. Security teams should prioritize applying the patch or upgrading to Apache InLong 2.2.0, while also reinforcing general deserialization protections across their application stack.

  • Cloudflare Closes Security Gap That Could Leak Visitor URLs
    by Ashish Khaitan on May 23, 2025 at 10:08 am

    Cloudflare has alerted users of a security vulnerability—tracked as CVE-2025-4366—in the widely used Pingora OSS framework. This vulnerability, a request smuggling flaw, was discovered by a security researcher while testing exploits against Cloudflare’s Content Delivery Network (CDN) free tier, which uses Pingora to serve cached assets.

    The vulnerability surfaced within the Pingora caching components—specifically the pingora-proxy and pingora-cache crates, which provide the HTTP caching that improves performance on Cloudflare’s CDN. When enabled, caching allows content to be served from a storage backend, reducing bandwidth and load on origin servers. However, an HTTP/1.1 request parsing bug in Pingora’s caching logic left it open to request smuggling attacks.

    Overview of the CVE-2025-4366 Vulnerability

    Request smuggling exploits inconsistencies in how HTTP requests are parsed across different network components. Typically, a client’s HTTP request passes through multiple layers, such as load balancers, proxies, and servers, each parsing the request independently. If these layers interpret the request boundaries differently, for example the length of the request body, a malicious actor can craft a request that is treated as two distinct requests by different components. This discrepancy lets the attacker “smuggle” a second request inside a legitimate one on the same connection.

    In Pingora’s case, the vulnerability came from skipped request body consumption on cache hits. Normally, Pingora processes requests in a manner compliant with HTTP/1.1, fully consuming request bodies or refusing to reuse the connection when errors occur. But when a cached response was served, Pingora skipped this step, leaving unread data in the connection. This leftover data could be shaped so that it was read as a “smuggled” HTTP request, causing Pingora to misinterpret the requests that followed on the same connection. Pingora might then treat the injected request as part of the next request sequence, allowing attackers to alter headers or URLs seen by the origin server.

    Impact on Cloudflare’s CDN Free Tier Users

    At the time the vulnerability was identified, Cloudflare was rolling out a new Pingora proxy with caching enabled to a portion of its free CDN plan traffic. This meant that customers using the free tier, or those directly employing the caching features of Pingora OSS, were potentially exposed.

    The most concerning impact was the ability of attackers to cause visitors to Cloudflare-hosted sites to make additional requests to attacker-controlled servers, effectively leaking which URLs the visitor had originally accessed. This was possible because some vulnerable origin servers responded to the smuggled Host header with HTTP 301 redirects to the attacker’s domain; browsers would follow the redirect and send the original URL in the Referer header. This behavior could expose sensitive browsing patterns and enable the injection of malicious content.

    Cloudflare’s security team received notification of the vulnerability on April 11, 2025. Between April 11 and April 12 they confirmed the flaw and identified the vulnerable Pingora component. By April 12, preparations were underway to disable traffic to the affected proxy with caching enabled, and by 06:44 UTC that same day traffic to the vulnerable component was fully blocked.

    Conclusion

    Cloudflare advised all users of the Pingora OSS framework—especially those using the caching crates—to upgrade to version 0.5.0 or later, which includes the fix for this request smuggling vulnerability. Customers using the Cloudflare CDN free tier do not need to take any action, as the patch has already been deployed on their behalf.

    In a statement, Cloudflare thanked security researchers James Kettle and Wannes Verwimp, who responsibly disclosed the flaw through the Bug Bounty Program.
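The skipped-body failure mode described above, as an added example in Rust (a model written for this page, not Pingora’s code): one parser reads a keep-alive connection buffer either the HTTP/1.1-compliant way, draining each request’s body before reading the next request, or with the cache-hit shortcut that left the body in the buffer. The sample connection buffer is constructed here; the hostnames and paths in it are placeholders.

```rust
// Added illustration of the cache-hit failure mode; a model, not Pingora's code.
// A keep-alive connection buffer is read request by request; `consume_body` picks
// the HTTP/1.1-compliant path (drain the body first) or the shortcut that skipped it.

#[derive(Debug, PartialEq)]
pub struct Parsed {
    pub request_line: String,
    pub host: String,
}

// Constructed sample: a POST whose 44-byte body is shaped like a request,
// followed by the client's genuine next request on the same connection.
pub const SAMPLE: &str = "POST /cached HTTP/1.1\r\nHost: site.example\r\nContent-Length: 44\r\n\r\n\
GET /other HTTP/1.1\r\nHost: other.example\r\n\r\n\
GET /real HTTP/1.1\r\nHost: site.example\r\n\r\n";

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}

pub fn read_requests(buf: &[u8], consume_body: bool) -> Vec<Parsed> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    while let Some(end) = find(&buf[pos..], b"\r\n\r\n") {
        let head = String::from_utf8_lossy(&buf[pos..pos + end]);
        let mut lines = head.split("\r\n");
        let request_line = lines.next().unwrap_or("").to_string();
        let (mut host, mut content_length) = (String::new(), 0usize);
        for line in lines {
            if let Some((name, value)) = line.split_once(':') {
                match name.trim().to_ascii_lowercase().as_str() {
                    "host" => host = value.trim().to_string(),
                    "content-length" => content_length = value.trim().parse().unwrap_or(0),
                    _ => {}
                }
            }
        }
        out.push(Parsed { request_line, host });
        pos += end + 4; // step past the blank line that ends the headers
        if consume_body {
            // Compliant path: the body belongs to this request and is drained.
            pos = (pos + content_length).min(buf.len());
        }
        // Otherwise the body bytes stay in the buffer and are read as the start
        // of the "next" request: the smuggling condition described above.
    }
    out
}
```

With `consume_body` set, the buffer yields the two requests the client actually sent; without it, the POST body is read as a third request carrying a different Host, which is exactly what a downstream origin would then see.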

  • $223M Exploit Halts Cetus Protocol: Here’s What We Know So Far
    by Mihir Bagwe on May 23, 2025 at 8:00 am

    In the ever-volatile world of decentralized finance (DeFi), yet another major exploit has shaken investor confidence—this time with a staggering $223 million theft from Cetus Protocol, a key player in the Sui blockchain ecosystem.

    On May 22, Cetus announced an emergency pause of its smart contract following the detection of “an incident” impacting the protocol. Within hours, the scope of the breach became alarmingly clear: attackers had siphoned off roughly $223 million in digital assets. While the team acted swiftly to lock down the contract and halt further losses, the damage had already been done. “We took immediate action to lock our contract preventing further theft of funds,” the protocol posted on X.

    Swift Response Halts $162M Mid-Exploit

    The rapid response wasn’t just damage control—it prevented further catastrophe. Cetus confirmed that $162 million of the stolen assets were successfully paused, likely through disabling or restricting access to impacted contracts and freezing certain token transfers. The team also activated an ecosystem-wide alert, working closely with the Sui Foundation, associated builders, and blockchain security researchers to trace the stolen assets and mitigate collateral risks to other protocols operating within the Sui ecosystem.

    Root Cause Identified and Patched

    In a follow-up statement, Cetus confirmed it had identified the root cause of the exploit and patched the vulnerable package. It did not, however, disclose the technical details of the vulnerability. Notably, the team acted quickly to inform other developers and ecosystem partners, reducing the risk of similar exploits elsewhere. “We informed ecosystem builders as fast as we could with help from ecosystem members to prevent other teams being affected,” Cetus stated.

    This level of collaboration speaks to the maturing security response of newer blockchain ecosystems like Sui, which—despite still being in the early innings of adoption—are working to build reputational resilience in the face of inevitable technical setbacks.

    Law Enforcement and White Hat Negotiations

    In a move that’s becoming increasingly common in DeFi exploits, Cetus has identified the Ethereum wallet address linked to the attacker and is attempting to negotiate a whitehat settlement. The offer: return the funds in exchange for immunity from legal prosecution. “We have offered a time-sensitive whitehat settlement in exchange for the outstanding balance. Should the hacker accept our terms, we would also refrain from pursuing further legal action.” Cetus even made the negotiation offer public, sharing links on-chain to the SuiVision whitehat offer and the Etherscan transaction log. Simultaneously, Cetus has brought in anti-cybercrime organizations to assist with fund tracing and law enforcement engagement, in case negotiations fail and a legal path becomes inevitable.

    Community Reactions and Market Fallout

    While the crypto market has largely learned to absorb shock from exploits of this magnitude, sentiment around newer Layer 1 ecosystems like Sui has taken a hit. Community members on social media praised the speed of the response, but many also questioned the underlying security audit processes that failed to catch such a high-impact vulnerability. As DeFi matures, the industry is being forced to reckon with an uncomfortable truth: innovative code doesn’t always mean secure code.

    What’s Next for Cetus Protocol?

    The protocol has promised a full post-mortem report once the investigation is complete, and all eyes are now on how much of the $223 million will be recovered—or lost forever. In the meantime, Cetus says its highest priority is fund recovery and is keeping communication channels open for updates. While the full impact remains to be seen, this breach is a stark reminder that even in the most promising ecosystems, one exploit can undo months of growth and trust. For investors, developers, and DeFi platforms alike, the Cetus incident underscores a critical mantra in web3: move fast, but patch faster.

    This is a developing story. The Cyber Express will continue to monitor and update as more details emerge.

  • AI Finds What Humans Missed: OpenAI’s o3 Spots Linux Zero-Day
    by Ashish Khaitan on May 23, 2025 at 6:50 am

    A zero-day vulnerability in the Linux kernel’s SMB (Server Message Block) implementation, identified as CVE-2025-37899, has been discovered using OpenAI’s language model o3. The vulnerability is a use-after-free flaw in the logoff command handler of the ksmbd kernel module.

    Security researcher Sean H. documented the process in a detailed technical blog. He had initially set out to audit ksmbd, the Linux kernel module that implements the SMB3 protocol. While intending to take a break from large language model (LLM) tools, curiosity led him to benchmark the capabilities of o3, a new AI model from OpenAI.

    Rather than using complex frameworks or automation tools, Sean used only the o3 API to analyze targeted code sections. During this process, o3 unearthed CVE-2025-37899, a zero-day vulnerability in the Linux kernel. The model identified a scenario where objects shared between concurrent server connections led to unsafe memory access—specifically, a use-after-free in the SMB ‘logoff’ command handler.

    Technical Breakdown of CVE-2025-37899

    The issue arises when one thread processes an SMB2 LOGOFF request and frees the sess->user object while another thread may still be using it. This happens without proper synchronization, so the second thread can dereference freed memory, opening the door to kernel memory corruption or arbitrary code execution.

    The vulnerability stems from a subtle interaction between SMB session handling and Linux kernel memory management:

    1. Multiple connections may bind to the same SMB session.
    2. One thread (Worker-B) handling a LOGOFF request frees the session’s user object (ksmbd_free_user(sess->user)).
    3. Another thread (Worker-A), still processing requests on the same session, continues accessing sess->user, which now points to freed memory.

    Depending on timing, this results in a classic use-after-free or a null pointer dereference, leading to system crashes or privilege escalation.

    Comparative Performance: o3 vs. Other Models

    Interestingly, o3 also rediscovered CVE-2025-37778, another use-after-free vulnerability that Sean had previously identified manually. This bug resides in the Kerberos authentication path during SMB session setup. o3 detected it in 8 out of 100 runs, while OpenAI’s Claude Sonnet 3.7 managed only 3 detections in 100 tries, and Claude 3.5 failed to detect it altogether. These results reflect both the promise and current limitations of AI-assisted vulnerability research. o3 showed notable capability but also returned a high false positive rate—about 28 out of 100 attempts. Still, with a true positive to false positive ratio of around 1:4.5, the model proved useful enough to warrant serious consideration in practical workflows.

    Lessons from o3’s Analysis

    One of the most insightful takeaways from o3’s analysis of CVE-2025-37899 was its grasp of concurrency in kernel operations. The model reasoned through non-trivial control flow paths and object lifecycle management under concurrent execution—something even experienced researchers may overlook, especially under time pressure. What’s more compelling is that o3 sometimes offered better remediation advice than its human counterpart. For example, in addressing CVE-2025-37778, Sean had initially suggested setting sess->user = NULL after freeing it. However, o3 pointed out that such a fix might be insufficient because the SMB protocol allows multiple connections to bind to a session.

    Conclusion

    Large language models are not yet a replacement for expert analysts. Still, o3’s success in identifying complex flaws highlights its ability to augment human expertise, streamline analysis, and extend the reach of automated security tools. Though the experiment revealed limitations in processing large codebases, it also highlighted the model’s effectiveness in targeted scans and the importance of developing tools to manage false positives and structure input intelligently.
