Urgent OpenVPN Security Patch to Stop Remote Denial of Service Attacks
OpenVPN vulnerabilities
Seminar Titled ‘Impact of Cyber Attacks on Maritime Sector and its Effects on National Security and International Relations’
The event, organized by the Indian Navy in Delhi, addresses cyber threats in the maritime domain, how those threats bear on national security, and their impact.
The event comes at a time when geopolitics is evolving; the seminar aims to deepen understanding of cyber threats in the maritime domain and foster collaboration amongst key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.
Cyber threats are evolving and looming over the maritime sector as the maritime industry steps into the world of cyber risk. The risk is vast, ranging from ransomware capable of shutting down port operations to GPS interference that halts the steering of vessels, as hackers get more creative.
Any cyber threat to the maritime sector also involves national security; it is not an isolated matter confined to the targets of cyber criminals. Maritime security involves trade, global logistics, oil and gas, and defense, which are the major reasons to map maritime cyber threats to national security.
With the aim of deepening understanding of cyber threats in the maritime domain, the Indian Navy organized the seminar.
The seminar, titled ‘Impact of Cyber Attacks on Maritime Sector and Its Effects on National Security and International Relations’, aims to foster collaboration among key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.
Jitin Prasada, Minister of State for the IT Ministry, will deliver the keynote address during the inaugural session. The seminar will feature panel discussions, each led by distinguished experts from the participating ministries and organizations.
The seminar aims to advance Hon’ble PM’s vision of MAHASAGAR (Mutual and Holistic Advancement for Security and Growth Across the Regions) by reinforcing a safe, secure cyberspace, and echoes the call for ‘Aatmanirbhar Bharat’ through indigenous, secure-by-design digital systems and robust public-private partnership.
Aligned with Maritime India Vision 2030 and the Amrit Kaal Vision 2047, the seminar positions cybersecurity as a core enabler of port-led growth, smart logistics, offshore energy security, and mission critical naval operations.
Participating organizations include the Ministry of Ports, Shipping and Waterways, the Ministry of Petroleum and Natural Gas (MoPNG), the National Security Council Secretariat (NSCS), the Gas Authority of India Limited (GAIL), the Directorate General of Hydrocarbons (DGH), the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Maritime Foundation (NMF), as well as leaders from private organisations.
The topics for panel discussions are ‘Global Cyber Threats to Maritime Infrastructure,’ ‘Civil and Military Partnership,’ and ‘Maritime Sector as Critical Information Infrastructure’.
4 actively exploited zero-days affecting millions of devices. These include 3 targeted by the nation-state actor “ArcaneDoor”.
Security Advisory: Cisco has released critical security updates to address two zero-day vulnerabilities, tracked as CVE-2025-20333 and CVE-2025-20362, in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software.
CISA has also added them to its KEV catalog and issued Emergency Directive ED 25-03, which includes additional actions tailored to each agency’s status.
CISA said: “The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution [RCE] on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade.”
CISA has reported that the advanced threat actor ArcaneDoor has demonstrated a capability to successfully modify ASA ROM at least as early as 2024. These zero-day vulnerabilities in the Cisco ASA platform are also present in specific versions of Cisco Firepower appliances, whose Secure Boot would detect the identified manipulation of the ROM.
| Field | Value |
| --- | --- |
| Severity | Critical |
| CVSS Score | 9.9 |
| CVEs | CVE-2025-20333, CVE-2025-20362 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.1 |
Overview
The flaws are actively exploited in the wild and allow attackers to execute arbitrary code or access restricted endpoints without authentication. Administrators are urged to immediately apply Cisco’s fixed releases to mitigate these actively exploited zero-day vulnerabilities.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| Buffer Overflow Vulnerability | CVE-2025-20333 | Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD) | Critical | Update to the latest version |
| Missing Authorization Vulnerability | CVE-2025-20362 | Cisco Secure Firewall Adaptive Security Appliance (ASA), Cisco Secure Firewall Threat Defense (FTD) | Medium | Update to the latest version |
Technical Summary
Cisco has released security updates to address multiple vulnerabilities in the VPN web server of Secure Firewall ASA and FTD Software.
The most severe issue is a critical remote code execution vulnerability that could allow an authenticated attacker with valid VPN credentials to send specially crafted HTTP(S) requests and execute arbitrary code with root-level privileges, potentially resulting in full compromise of the affected device and control of its operations.
In addition, a medium-severity vulnerability was identified that could enable unauthenticated attackers to bypass access controls and access restricted web resources without authentication, potentially exposing sensitive information or limited administrative functions.
Both vulnerabilities are caused by improper validation of user-supplied HTTP(S) input, making them exploitable over the network.
Cisco has confirmed that there are no workarounds available, and administrators are strongly advised to upgrade to the fixed software versions immediately to ensure the security and integrity of their environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-20333 | Cisco Secure Firewall ASA Software, Cisco Secure FTD Software | Improper input validation in the VPN web server enables authenticated remote users to send crafted HTTP requests that allow arbitrary code execution with root privileges. | Remote Code Execution |
| CVE-2025-20362 | Cisco Secure Firewall ASA Software, Cisco Secure FTD Software | The VPN web server does not properly validate HTTP(S) user-supplied input. Attackers can exploit this by sending specially crafted requests to bypass authentication and access restricted URL endpoints. | Unauthorized access |
Recommendations:
Conclusion:
These vulnerabilities present a significant risk as they are actively being exploited in the wild and can lead to complete system compromise or unauthorized access to sensitive resources.
Since no workarounds are available, applying the latest Cisco security updates is the only effective remediation. Administrators should prioritize immediate patching across all affected devices to protect their environment from ongoing exploitation attempts and ensure continued resilience of critical firewall infrastructure.
References:
The US Secret Service, the agency in charge of security for the United Nations General Assembly, discovered a threatening network of over 300 servers and 10,000 SIM cards across the New York tri-state area.
The network could have “disabled cell phone towers and potentially shut down the cellular network in New York City,” said Matt McCool, the special agent in charge of the Secret Service’s New York field office.
Key Points:
The network could also facilitate denial of service attacks and could send up to 30 million text messages per minute. All of the devices were found within 35 miles of the United Nations headquarters in Midtown Manhattan.
Analysis indicates cellular communications between nation-state threat actors and individuals that are known to federal law enforcement, the report said.
The investigation into the devices is ongoing, the Secret Service said, but early forensic analysis indicates it was used for communications between “foreign actors” and people already known to federal law enforcement. No arrests have been announced, and investigators are still searching through the equivalent of 100,000 cell phones worth of data.
“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City,” Matt McCool, special agent in charge of the Secret Service field office in New York, said in a video statement.
The telecommunications gear was recovered from so-called SIM farms housed in abandoned apartment buildings in at least five undisclosed sites. The devices discovered could be used to conduct a range of telecommunications attacks including disabling cell phone towers, enabling cybersecurity attacks and allowing encrypted communication between criminal groups and threat actors.
According to the Secret Service, the devices could facilitate a wide range of attacks on telecommunications systems, including disabling cell phone towers and enabling denial of service attacks.
This also allowed encrypted, anonymous communication between potential threat actors and criminal enterprises.
The forensic analysis indicates potential links between the network and overseas threat actors, as well as connections to individuals already known to federal law enforcement agencies.
According to Bloomberg, it is still unclear whether the network was connected to earlier incidents this year in which unknown individuals impersonated White House Chief of Staff Susie Wiles and Secretary of State Marco Rubio.
A full forensic review of the seized devices is ongoing as authorities continue to assess the scope and origins of the network.
Investigations started after threats to US officials
According to agents who spoke to the New York Times, the investigation began after anonymous telephonic threats were made against three US government officials earlier this year. One of the officials who was threatened worked with the Secret Service, while the other two were White House staffers.
State of crime
The agency first detected the New York-area SIM farm after it was linked to swatting incidents on Christmas Day in 2023. Those incidents involved Congresswoman Marjorie Taylor Greene and US Senator Rick Scott.
The cases were tied to two Romanian men, Thomasz Szabo and Nemanja Radovanovic, who were working with an American swatter, Alan Filion, also known as “Torswats.” All three have since been convicted on swatting-related charges.
Ben Coon, head of intelligence at cybersecurity firm Unit 221b, believes there was little foreign state involvement, and the operation is based on financial crimes.
Images released by the Secret Service showed racks of neatly arranged telecom equipment, each component numbered and labeled. Cables were carefully laid out and secured, which could mean the operation was handled by well-resourced professionals.
The operation is linked to swatting incidents, organized crime groups, and nation-state actors, with equipment seized across New York and New Jersey.
Sources: https://www.telegraphindia.com/world/us-secret-service-dismantles-telecom-threat-network-in-new-york-ahead-of-un-general-assembly/cid/2124609
ENISA to operate the EU Cybersecurity Reserve with EUR 36 million
For the month of May 2025, here are the top news items, including security advisories and blogs.
Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit
A high-severity vulnerability (CVE-2025-2082) in the Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS).
The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.
Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days
Microsoft addressed 83 vulnerabilities across its product suite. Among them, 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.
11 vulnerabilities were rated critical, emphasizing the importance of timely remediation, especially for enterprise environments.
5 non-Microsoft CVEs included
78 Microsoft CVEs addressed
Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required
SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.
SAP Visual Composer is not installed by default; however, it is enabled because it was a core component used by business process specialists to develop business application components without coding.
CISA is officially changing the way it disseminates online security updates and guidance.
On May 12, CISA said its enhanced information dissemination system would from then on use social media and email only to distribute cybersecurity alerts and advisories, saving its landing page for more critical warnings.
Updates on May 13
Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.
“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”
Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk
A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild. This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching.
CISA’s contract extension for the MITRE CVE and CWE programs prevents a shutdown, providing a sign of relief for the cybersecurity community.
The CVE Program is the primary way software vulnerabilities are tracked, and it is maintained by MITRE. Recently the contract between MITRE, a non-profit research and development group, and the U.S. Department of Homeland Security (DHS) to operate the CVE program was about to expire on April 16, 2025, with no renewal in place.
This created panic in the cybersecurity world as the CVE Program was about to lapse. The United States Cybersecurity and Infrastructure Security Agency (CISA) stepped in at the last minute and renewed its funding for the software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program (CVE).
CISA ensured that the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs did not lapse.
Renewal of Contract with MITRE & Last Minute Rescue by CISA
“The contract with MITRE is being extended for 11 months,” said a CISA spokesman. The CVE Program is a focal point for cybersecurity that provides critical data and services for digital defense and research.
At the last minute, as the contract was about to expire on Tuesday night, the United States Cybersecurity and Infrastructure Security Agency (CISA) renewed its funding for the longtime software-vulnerability-tracking project known as the Common Vulnerabilities and Exposures Program.
MITRE’s vice president and director of the Center for Securing the Homeland, Yosry Barsoum, said in a statement on Wednesday that “CISA identified incremental funding to keep the Programs operational.” With the clock ticking down before this decision came out, some members of the CVE Program’s board announced a plan to transition the project into a new non-profit entity called the CVE Foundation.
The CVE program is of prime importance to the entire cybersecurity community and to CISA, which is the very reason for extending support so that there is no lapse in critical CVE services.
The extension will bring a sense of security to cybersecurity professionals, vendors, and government agencies worldwide, who can continue to rely on the CVE program for coordinated vulnerability tracking and response.
Since its inception, the CVE Program has operated as a US government-funded initiative, with oversight and management provided under contract.
Over the years there has been doubt among members of the CVE Board about the sustainability and neutrality of a globally relied-upon resource being tied to a single government sponsor. The foundation has also written about its concern.
The cybersecurity community, including researchers and cyber professionals, was relieved on Wednesday as the news came through that the CVE Program had not suddenly ceased to exist as the result of unprecedented instability in US federal funding.
Not only the US but every organization and every security tool depends on the CVE program, and despite CISA’s last-minute funding, the future of the CVE Program is still unclear.
What makes the CVE program vital for cyber-security community?
Considering the importance of the CVE program, it should be fully funded and well resourced to carry out the job its mission requires.
On its 25th anniversary, the CVE Program continues to play a vital role in global cybersecurity by identifying, defining, and cataloging publicly disclosed vulnerabilities. There is one CVE Record for each vulnerability in the catalog.
The vulnerabilities are discovered, then assigned and published by organizations globally that have partnered with the CVE Program.
Let’s wait and see how the 11 months of contract funding extended by CISA play out. Still, the question remains about the sustainability and neutrality of having a prominent, globally recognized resource like CVE tied to a single government sponsor.
Sources: CISA Provides Last-Minute Support to Keep CVE Program Running
Threat actors encrypted Amazon S3 buckets using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) after somehow obtaining the victims’ keys, and then demanded ransoms in exchange for the decryption key.
The campaign was discovered by Halcyon. According to them, after exploiting the compromised keys, the threat actors call the “x-amz-server-side-encryption-customer-algorithm” header and use a locally stored AES-256 encryption key they generate to lock up the victims’ files. There is a great chance that more cyber criminal groups will adopt and use the tactic.
The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.
“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.
According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.
In recent months, hackers and cyber criminals have gained traction in targeting AWS product gateways and finding ways to extort the customers using them.
Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys, says the Halcyon team.
Ransomware capabilities gain a new tactic here: the threat actor first obtains an AWS customer’s account credentials, and there is no known method by which the data can be recovered without paying the ransom.
As per AWS they encourage customers to utilize their security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve defense postures.
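The detection and prevention side of the SSE-C campaign described above, as an added example that is not Halcyon's or AWS's code: it scans constructed CloudTrail S3 data-event records for object writes that carry a customer-provided key, tallies them per principal, and emits a bucket policy that denies SSE-C uploads (a control this example adds beyond the IAM-side advice quoted above). The log records are constructed, and the example assumes CloudTrail surfaces the SSE-C request header under requestParameters with its HTTP header name.

```python
"""Flag SSE-C object writes in CloudTrail S3 data events and build the
bucket policy that blocks them.

Added example, not Halcyon's or AWS's code. The log records are constructed;
the assumption is that CloudTrail surfaces the SSE-C request header under
requestParameters with its HTTP header name.
"""
from collections import Counter

SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
# Object writes that can carry an SSE-C key. A GetObject with the header only
# reads an object that is already SSE-C encrypted, so it is not an encryption event.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}

# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/day1.dump",
                           "x-amz-server-side-encryption": "aws:kms"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/day1.dump",
                           SSE_C_HEADER: "AES256"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/day2.dump",
                           SSE_C_HEADER: "AES256"}},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/day1.dump",
                           SSE_C_HEADER: "AES256"}},
]


def find_sse_c_writes(events):
    """Return the write events that supplied a customer-provided key."""
    hits = []
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev.get("eventName") in WRITE_EVENTS and params.get(SSE_C_HEADER):
            hits.append({"event": ev["eventName"],
                         "principal": ev.get("userIdentity", {}).get("arn", "?"),
                         "bucket": params.get("bucketName"),
                         "key": params.get("key")})
    return hits


def sse_c_writers(events, threshold=1):
    """Principals whose SSE-C write count reaches the threshold.

    The attacker re-uploads existing objects under its own AES-256 key, so
    even a few hits from one principal on a bucket that never used SSE-C
    deserve an alert; raise the threshold only where SSE-C is expected.
    """
    counts = Counter(h["principal"] for h in find_sse_c_writes(events))
    return {p: n for p, n in counts.items() if n >= threshold}


def deny_sse_c_policy(bucket):
    """Bucket policy denying any upload that carries an SSE-C header.

    Null=false means "the condition key is present". s3:PutObject also
    covers the destination side of CopyObject.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:" + SSE_C_HEADER: "false"}},
        }],
    }
```

The same scan works over real CloudTrail data-event files once the assumed field name is confirmed against your own logs, and the policy is a no-op for workloads that never use SSE-C.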
Sources:
https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
www.bleepingcomputer.com
Adobe released security updates (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, identified as CVE-2024-53961, which is linked to a path traversal weakness and has proof-of-concept (PoC) exploit code.
This could allow attackers to exploit the flaw and gain unauthorized access to arbitrary files on vulnerable servers.
The updates cover Adobe ColdFusion versions 2023 and 2021. Adobe warns that the proof-of-concept may enable attackers to read arbitrary files on vulnerable servers, potentially leading to unauthorized access and data exposure.
Summary:
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said in an earlier statement cautioning customers, adding that it assigned a “Priority 1” severity rating to the flaw because it has “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
Key findings:
Adobe has issued an advisory
Path traversal weakness in ColdFusion; CVE-2024-53961
What is Path Traversal?
Attackers trick a web application into displaying the contents of a directory or file that the user did not request, in order to gain access to sensitive files on a server.
The path traversal weakness in ColdFusion could be exploited by an attacker to perform unauthorized file system reads on affected servers.
This means that an attacker could manipulate file paths to access sensitive files that are otherwise restricted. This kind of vulnerability can lead to exposure of critical system information, unauthorized access and data exposure.
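To make the path traversal class concrete, here is an added example (not Adobe's ColdFusion code) of a file-download handler in its vulnerable form beside a hardened one: the vulnerable version joins the request path onto a base directory and opens it, while the hardened version canonicalizes the path and checks containment with `os.path.commonpath`. The base directory, file names and the `demo()` helper are constructed for illustration.

```python
"""Vulnerable vs hardened file-path handling for a download endpoint.

Added example, not Adobe's code. The base directory and files are
constructed; the defect is the one the article describes: a user-supplied
path joined to a base directory without a containment check.
"""
import os
import tempfile


def read_file_unsafe(base_dir, user_path):
    """VULNERABLE: trusts the request path, so '../' walks out of base_dir."""
    with open(os.path.join(base_dir, user_path), "rb") as fh:
        return fh.read()


def resolve_under_base(base_dir, user_path):
    """Return the canonical target path if it stays inside base_dir, else None."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        return None
    base = os.path.realpath(base_dir)
    # realpath (not normpath) also follows symlinks, so a link planted inside
    # base_dir that points outside it is caught by the containment test below.
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath is the containment test; a plain string-prefix check would
    # wrongly accept a sibling directory such as /srv/app/files-old.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def read_file_safe(base_dir, user_path):
    """HARDENED: refuses any path that resolves outside base_dir."""
    target = resolve_under_base(base_dir, user_path)
    if target is None:
        raise PermissionError("path escapes the served directory")
    with open(target, "rb") as fh:
        return fh.read()


def _blocked(base_dir, user_path):
    try:
        read_file_safe(base_dir, user_path)
        return False
    except PermissionError:
        return True


def demo():
    """Builds a throwaway tree and exercises both handlers; returns outcomes."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "files")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q1.txt"), "wb") as fh:
        fh.write(b"quarterly report")
    with open(os.path.join(root, "secret.cfg"), "wb") as fh:
        fh.write(b"db_password=example")  # constructed secret outside base
    results = {
        "unsafe_escapes": read_file_unsafe(base, "../secret.cfg") == b"db_password=example",
        "safe_allows_normal": read_file_safe(base, "reports/q1.txt") == b"quarterly report",
        "safe_blocks_traversal": _blocked(base, "../secret.cfg"),
        "safe_blocks_nested_traversal": _blocked(base, "reports/../../secret.cfg"),
        "safe_blocks_absolute": _blocked(base, os.path.join(root, "secret.cfg")),
    }
    try:
        os.symlink(os.path.join(root, "secret.cfg"), os.path.join(base, "link.cfg"))
        results["safe_blocks_symlink"] = _blocked(base, "link.cfg")
    except OSError:
        results["safe_blocks_symlink"] = None  # platform without symlink support
    return results
```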
Reference: https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/
A sophisticated phishing attack exposed the data of 600,000 users to theft as 16 Chrome extensions were compromised, leading to credential theft. The attack targeted extension publishers through phishing emails: developers were tricked into granting access to a malicious OAuth app via fake Chrome Web Store emails. The malicious update mimicked official communications from the Chrome Web Store, stealing sensitive user data.
This breach puts Facebook ad users at high risk of account hacking or unknown access
Summary of the attack
The phishing email was designed to create a sense of urgency: posing as Google Chrome Web Store Developer Support, it warns the recipient that the extension will be removed for policy violations and urges them to accept the publishing policy.
According to a report from the cybersecurity firm Cyberhaven, which was among the impacted firms, the attack occurred on December 24 and involved phishing a company employee to gain access to their Chrome Web Store admin credentials.
16 Chrome Extensions, including popular ones like “AI Assistant – ChatGPT and Gemini for Chrome,” “GPT 4 Summary with OpenAI,” and “Reader Mode,” were compromised, exposing sensitive user data.
Response & Recommendations:
The attackers targeted browser extension publishers with phishing campaigns to gain access to their accounts and insert malicious code.
Extensions such as “Rewards Search Automator” and “Earny – Up to 20% Cash Back” were used to exfiltrate user credentials and identity tokens, particularly from Facebook business accounts.
Malicious versions of extensions communicated with external Command-and-Control (C&C) servers, such as domains like “cyberhavenext[.]pro.”