Attackers

Security Advisory

Reflected XSS Vulnerability in Splunk Enterprise & Cloud Platform 

Summary 

Splunk has disclosed a medium-severity cross-site scripting (XSS) vulnerability affecting multiple versions of its Enterprise and Cloud Platform products that could allow low-privileged attackers to execute malicious JavaScript code in users’ browsers.

OEM Cisco 
Severity MEDIUM 
CVSS Score 4.3 
CVEs CVE-2025-20297 
CWEs CWE-79 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability identified as CVE-2025-20297 has been found in older versions of Splunk Enterprise and Splunk Cloud Platform.

This issue allows low privileged users to execute unauthorized JavaScript code in a victim’s browser using a specific Splunk feature that generates Pdf from dashboards.

Although the vulnerability is rated as Medium (CVSS 4.3) but it could be a significant risk in environments where Splunk Web is widely accessed by users. 

The vulnerability specifically targets instances with Splunk Web enabled, which represents the majority of production deployments given the component’s central role in dashboard management and user interface functionality.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Reflected Cross Site Scripting  CVE-2025-20297 Splunk Enterprise & Cloud  Medium  Check the remediation section. 

Technical Summary 

The vulnerability lies in the pdfgen/render REST endpoint used to create dashboard PDFs. In vulnerable versions, a low \privileged user (not an admin or power user) can inject a malicious script via this endpoint.

If a legitimate user interacts with the resulting PDF or link, their browser may execute the injected script without their consent, this is working as reflected XSS. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-20297  Splunk Enterprise & Cloud multiple versions Low-privileged users can exploit the pdfgen/render endpoint to inject unauthorized JavaScript code into a victim’s browser. Code Execution/Reflected xss. 

Remediation

Splunk has released updates, that addressed the vulnerability:  

  • Splunk Enterprise: Upgrade to version 9.4.2, 9.3.4, 9.2.6, 9.1.9 or latest. 
  • Splunk Cloud Platform: Upgrade to version 9.3.2411.102, 9.3.2408.111, 9.2.2406.118 or latest. 

If you cannot upgrade immediately, you can disable Splunk Web to prevent exploitation. For this you can review the web.conf configuration file and follow the Splunk guidance on disabling unnecessary components. 

Disabling Splunk Web may impact users who rely on the web interface so consider access controls or network-based restrictions as temporary mitigations. 

Conclusion: 
While CVE-2025-20297 is rated as a medium severity vulnerability, it should not be ignored in the environments where many users interact with Splunk dashboards. Attackers with limited permissions could potentially target higher privileged users by modifying malicious links or payloads. 

Organizations should prioritize upgrading Splunk to the fixed versions or implementing the workarounds immediately.

Even though this vulnerability requires some user interaction, the risks include unauthorized access to sensitive data through potential session hijacking. 

While Splunk has not provided specific detection methods for this vulnerability, organizations should monitor access patterns to the pdfgen/render endpoint and review user privilege assignments to minimize potential exposure

This vulnerability poses a significant risk to organizations relying on Splunk’s data analytics platform for security monitoring and business intelligence operations.

References

Security Advisory

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEMD-link
SeverityMedium
CVSS Score6.5
CVEsCVE-2025-46176
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
Hardcoded Telnet Credentials vulnerability  CVE-2025-46176D-Link Router  MediumNo official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-46176D-Link DIR-605L v2.13B01, DIR-816L v2.06B01Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.      RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

  • Disable Telnet access via the router’s web interface.
  • Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

  • Restrict WAN access to management interfaces.
  • Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users. 

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Security Advisory

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.

OEMLinux
SeverityHigh
CVSS ScoreN/A
CVEsCVE-2025-37899
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.

Vulnerability NameCVE IDProduct AffectedSeverity
​ksmbd use-after-free vulnerability  CVE-2025-37899Linux kernel  High

Technical Summary

The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.

A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-37899  Linux kernel (ksmbd)A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations.  Kernel memory corruption, privilege escalation, remote code execution

Remediation:

  • Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.

General Recommendations

  • Monitor your distribution’s security advisories and apply patches as soon as they are available.
  • Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
  • Use firewall rules to restrict access to SMB services to trusted networks.
  • Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
  • Audit SMB traffic for signs of abnormal session setup and teardown behavior.

Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.

The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.

References:

Security Advisory

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEMCISCO
SeverityHIGH
CVSS Score8.6
CVEsCVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
​RADIUS DoS Vulnerability  CVE-2025-20152Cisco Identity Services Engine  High  ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability  CVE-2025-20113Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability  CVE-2025-20114Unified Intelligence Center  High  UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-20152  CISCO ISE 3.4Improper handling of malformed RADIUS authentication requests can cause a system reload.    Denial of Service (DoS), Network Disruption
      CVE-2025-20113 Unified Intelligence Center  12.5, 12.6Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.    Privilege Escalation, Unauthorized Data Access
    CVE-2025-20114Unified Intelligence Center  12.5, 12.6Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.    Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

  • For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

  • For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

  • UIC 12.5(1)SU ES04 or later.
    • UIC 12.6(2)ES04 or later.
    • Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

Security Advisory

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

Summary : SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.

OEM  SAP 
Severity  Critical 
Date of Announcement  2025-05-13 
No. of Vulnerabilities Patched  16 
Actively Exploited  Yes 
Exploited in Wild  Yes 
Advisory Version  1.0 

Overview 

The most severe issue, CVE-2025-31324 (CVSS 10.0), is a critical unauthenticated file upload vulnerability that has been exploited in the wild since January 2025 for remote code execution (RCE). 

This issue was originally addressed in an SAP security note issued on April 24, 2025, and has since been supplemented by a second vulnerability, CVE-2025-42999, involving insecure deserialization.

These vulnerabilities have been used together in chained attacks to gain full system access on vulnerable SAP NetWeaver servers. 

Vulnerability Name  CVE ID  Product Affected  Severity  CVSS Score 
Unauthenticated File Upload (RCE)  CVE-2025-31324  SAP NetWeaver  Critical  10.0 
Insecure Deserialization (RCE)  CVE-2025-42999  SAP NetWeaver  Critical  9.1 

Technical Summary 

Attackers have leveraged two flaws in SAP NetWeaver Visual Composer in chained exploit scenarios to gain unauthorized remote access and execute arbitrary commands.

CVE-2025-31324 enables unauthenticated file uploads, and CVE-2025-42999 allows privileged users to exploit insecure data deserialization for command execution.

These vulnerabilities have impacted hundreds of internet-facing SAP instances, including systems operated by major enterprises. 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2025-31324  SAP NetWeaver Visual Composer  Unauthenticated file upload vulnerability in development server.  Remote Code Execution (RCE) without privileges 
CVE-2025-42999  SAP NetWeaver Visual Composer  Insecure deserialization in Visual Composer user-accessible function.  Remote Code Execution (RCE) without privileges 

Source: SAP 

In addition to the actively exploited vulnerabilities, several other High Severity Vulnerabilities were also addressed: 

  • CVE-2025-30018: SAP Supplier Relationship Management (Live Auction Cockpit) – Multiple vulnerabilities (CVSS 8.6) 
  • CVE-2025-43010: SAP S/4HANA Cloud Private Edition / On Premise (SCM Master Data Layer) – Code injection (CVSS 8.3) 
  • CVE-2025-43000: SAP Business Objects Business Intelligence Platform (PMW) – Information disclosure (CVSS 7.9) 
  • CVE-2025-43011: SAP Landscape Transformation (PCL Basis) – Missing authorization check (CVSS 7.7) 
  • CVE-2024-39592: SAP PDCE – Missing authorization check (CVSS 7.7) 

Remediation

  • Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks from CVE-2025-42999 and other high-severity vulnerabilities, including CVE-2025-31324, along with additional security improvements across various SAP products. 

General Recommendations: 

  • Disable Visual Composer Service: If possible, disable the Visual Composer service to further reduce risk. 
  • Restrict Access to Metadata Upload Functions: Limit access to the metadata uploader to trusted users to prevent unauthorized file uploads. 
  • Monitor for Suspicious Activity: Continuously monitor the SAP NetWeaver environment for any signs of suspicious activity related to the vulnerabilities. 

Conclusion: 

  • The dual exploitation of CVE-2025-31324 and CVE-2025-42999 underscores the critical need for proactive patching and vigilant monitoring of enterprise SAP environments.
  • The vulnerabilities are being exploited by sophisticated threat actors, including the Chinese APT group Chaya_004, with over 2,000 exposed NetWeaver instances and hundreds already compromised. 
  • In response to the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog and has mandated federal agencies to remediate by May 20, 2025, under Binding Operational Directive 22-01. Organizations are strongly urged to act immediately to protect their SAP environments. 

References

 

 

Security Advisory

Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days

May 2025 Patch Tuesday by Microsoft

Continue Reading
Security Advisory

FBI Warns  End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns 

Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities. 

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately. 

Technical Details 

Attack Overview 

  • Entry Point: Remote administration services exposed to the Internet. 
  • Authentication Bypass: Attackers bypass password protection to gain shell/root access. 
  • Malware Capabilities
  • Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes. 
  • Opens ports to act as proxy relays. 
  • Enables the sale of infected routers as “proxy-as-a-service” infrastructure. 

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

  • E1200 
  • E2500 
  • E1000 
  • E4200 
  • E1500 
  • E300 
  • E3200 
  • WRT320N 
  • E1550 
  • WRT610N 
  • E100 
  • M10 
  • WRT310N 

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign: 

Name Hash 
0_forumdisplay-php_sh_gn-37-sh 661880986a026eb74397c334596a2762 
1_banana.gif_to_elf_t 62204e3d5de02e40e9f2c51eb991f4e8 
2_multiquote_off.gif_to_elf_gn-p_forward- 
hw-data-to-exploit-server 		9f0f0632b8c37746e739fe61f373f795 
3_collapse_tcat_gif_sh_s3-sh 22f1f4c46ac53366582e8c023dab4771 
4_message_gif_to_elf_k cffe06b0adcc58e730e74ddf7d0b4bb8 
5_viewpost_gif_to_elf_s 084802b4b893c482c94d20b55bfea47d 
6_vk_gif_to_elf_b e9eba0b62506645ebfd64becdd4f16fc 
7_slack_gif_DATA 41e8ece38086156959804becaaee8985 
8_share_gif_DATA 1f7b16992651632750e7e04edd00a45e 
banana.gif-upx 2667a50869c816fa61d432781c731ed2 
message.gif-upx 0bc534365fa55ac055365d3c31843de7 

Recommended Mitigations

  • Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates. 
  • Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet. 
  • Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it. 
  • Network Segmentation: Isolate critical devices from consumer routers or IoT networks. 
  • Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior. 

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”

References


Security Advisory

High-Severity Linux Kernel Flaw Exposes Systems to Root-Level Attacks

Security advisory: Linux Kernel Flaw raised from vulnerability related to improper memory handling when the splice() function is called. Specifically, the kTLS code fails to correctly update the internal accounting of the plaintext scatter-gather buffer, leading to an out-of-bounds memory write flaw. 

OEMLinux
SeverityHigh
CVSS Score7.8
CVEsCVE-2025-21756
POC AvailableYes
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

A high-severity vulnerability (CVE-2025-21756) has been discovered in the Linux kernel’s Virtual Socket (vsock) implementation, allowing local privilege escalation to root via a use-after-free (UAF) condition caused by incorrect reference counting during socket binding operations.

Vulnerability NameCVE IDProduct AffectedSeverityCVSS Score
​ Use-After-Free vulnerability  CVE-2025-21756Linux kernel  High  7.8

Technical Summary

The kTLS subsystem in the Linux Kernel enables direct TLS encryption and authentication functions within the kernel, supporting secure communication for protocols like HTTPS, email, and other internet-connected applications.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-21756    Linux kernel (pre-6.6.79, 6.12.16, 6.13.4, and 6.14-rc1)Improper handling of reference counts in vsock_remove_sock() leads to premature freeing of vsock objects. Attackers can exploit the Use-After- Free (UAF) by reclaiming free memory using crafted pipe buffers and leveraging unprotected tools like vsock_diag_dump() to leak kernel pointers.      Local privilege escalation to root and potential full system compromise.

CVE-2025-21756 is a use-after-free vulnerability in the Linux kernel’s vsock subsystem. It arises due to incorrect reference counter management during transport reassignment of sockets, leading to memory corruption and potential privilege escalation.

Affected systems are particularly exposed in virtualized environments where vsock is actively used.

Remediation:

  • Update Linux Kernel: Users should update their systems immediately with the latest kernel versions
  • Restrict Local Access: Until patches are applied, limit vsock use in shared environments and restrict local access where feasible.
  • Monitor for Exploitation Attempts: Watch for anomalies related to the vsock subsystem, including unexpected kernel panics or vsock socket activity.
  • Review Security Module Configurations: While AppArmor and similar LSMs offer partial protection, ensure they are enabled and correctly configured.

Conclusion:
CVE-2025-21756 poses a significant threat to Linux systems, particularly in cloud and virtualized environments. Its discovery and detailed analysis by Michael Hoefler revealed not only a critical vulnerability but also advanced exploitation techniques capable of bypassing protections like AppArmor and KASLR.

Given the existence of public proof-of-concept code and reliable attack paths, organizations must prioritize patching and mitigation to avoid root-level compromise.

References:



Security Advisory

Dell Releases Patches for Multiple PowerScale OneFS Security Vulnerabilities 

Summary 

Dell Technologies Security Advisory

OEM Dell 
Severity Critical 
CVSS 9.8 
CVEs CVE-2025-27690, CVE-2025- 26330, CVE-2025-22471 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

​Dell Technologies has released security updates addressing multiple vulnerabilities of varying severity in its PowerScale OneFS operating system.

These vulnerabilities could be exploited by attackers to gain control of high-privilege accounts, bypass security mechanisms, or disrupt system functionality. Dell has issued patches for several of these issues, a summary of some key vulnerabilities is provided in the table below. 

Vulnerability Name CVE ID Product Affected Severity 
Default Password Vulnerability CVE-2025-27690 PowerScale OneFS   Critical 
Incorrect Authorization Vulnerability CVE-2025-26330 PowerScale OneFS   High 
Integer Overflow or Wraparound Vulnerability CVE-2025-22471 PowerScale OneFS  Medium 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact Affected Version 
CVE-2025-27690 PowerScale OneFS Dell PowerScale OneFS multiple versions contain a default password vulnerability where an unauthenticated remote attacker could potentially exploit this vulnerability, leading to the privilege escalation. Gain Privileges or Assume Identity  Versions 9.5.0.0 through 9.10.1.0 
CVE-2025-26330 PowerScale OneFS Dell PowerScale OneFS multiple versions contain an incorrect authorization vulnerability where unauthenticated local attacker could potentially exploit this vulnerability to access the cluster with previous privileges of a disabled user account. Unauthorized Access Versions 9.4.0.0 through 9.10.0.1 
CVE-2025-22471 PowerScale OneFS Dell PowerScale OneFS multiple versions contain an integer overflow or wraparound vulnerability where an unauthenticated remote attacker exploits this which leads to denial of service. Service unavailable Versions 9.4.0.0 through 9.10.0.1 

Remediation

It has been recommended to upgrade to the following versions to address the security risks 

OneFS Version Updated Version 
9.10.x.x 9.10.1.1 
9.9.x.x 9.9.0.2 
9.8.x.x 9.8.0.3 
9.7.x.x 9.7.1.7 
9.5.x.x 9.5.1.3 

Workaround for CVE-2025-27690 

It’s always recommended to update to the latest version. If you’re unable to upgrade immediately, you can follow the workarounds provided by the vendor from here

References: 

Blogs

DDoS Attacks on Critical Infrastructure Re-shaping Geopolitical Conflicts

DDoS Attacks on Critical Infrastructure Reshaping Geopolitical Conflicts

Continue Reading
Scroll to top