DDoS Attacks on Critical Infrastructure Re-shaping Geopolitical Conflicts
DDoS Attacks on Critical Infrastructure Reshaping Geopolitical Conflicts
Continue ReadingAttackers
WordPress Ultimate CSV Importer Flaws Put 20,000+ Sites at Risk
Threat researchers discovered an arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability within the WP Ultimate CSV Importer plugin. This is affecting versions 7.19 and earlier.
The vulnerabilities have been addressed in version 7.19.1 of the plugin.
Summary
| OEM | WordPress |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-2008, CVE- 2025-2007 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The security flaw WordPress plugin, Ultimate CSV Importer, affecting over 20,000 websites. The vulnerabilities, identified as CVE-2025-2008 and CVE-2025-2007, can lead to catastrophic consequences, including complete site compromise.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Arbitrary File Upload | CVE-2025-2008 | WordPress | High | 8.8 |
| Arbitrary File Deletion | CVE-2025-2007 | WordPress | High | 8.1 |
Technical Summary
A critical security vulnerability has been discovered in the WP Ultimate CSV Importer plugin (versions ≤ v7.19). This flaw allows attackers with only Subscriber level access to exploit the system in two dangerous ways:
- Malicious File Upload: Attackers can upload malicious files, potentially enabling remote code execution and granting full control over the affected site. This allows for complete site compromise, including the ability to install backdoors or steal sensitive information.
- Critical File Deletion: Attackers can delete crucial files, such as wp-config.php, which can reset the WordPress site and give attackers the ability to take full control over the site.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-2008 | WP Ultimate CSV Importer plugin (versions ≤ 7.19) | A critical flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to upload malicious files due to improper file type validation. This can lead to remote code execution (RCE) and full site takeover. | Remote code execution (RCE) |
| CVE-2025-2007 | WP Ultimate CSV Importer plugin (versions ≤ 7.19) | A serious flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to delete critical files, like wp-config.php, due to weak file path validation. This can reset the site, letting attackers take control. | Arbitrary file deletion leading to site reset |
Remediation:
Install version 7.19.1 or later to fix the security flaws. Keeping all plugins and WordPress updated helps prevent attacks.
General Recommendations
- Update the Plugin – Install the latest version (7.19.1+) to fix security issues and keep your site safe.
- Limit User Access – Allow only trusted users to upload or delete files to prevent hackers from exploiting vulnerabilities.
- Use Security Plugins – Install tools to block threats, monitor activity, and protect your site.
- Backup Your Website – Regularly save backups so you can restore your site if it gets hacked or files are deleted.
Conclusion:
A major security issue in a popular WordPress plugin put over 20,000 websites at risk of being taken over by hackers.
Attackers could upload harmful files or delete important ones, making websites vulnerable. This incident shows why keeping plugins updated, limiting user access, and using security tools is crucial. Updating to version 7.19.1 is necessary to stay protected.
References:
Windows Zero-Day Exploit NTLM Hash Disclosure via Malicious Files
Summary
| OEM | Microsoft |
| Severity | High |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability | Zero-Day |
Overview
A newly discovered NTLM vulnerability in Windows, allows attackers to obtain login credentials when a user view a malicious file in Windows Explorer. This issue affects all Windows versions, from Windows 7 and Server 2008 R2 to the most recent Windows 11 v24H2 and Server 2025.
Attackers can exploit this flaw by using shared network folders, USB drives, or previously downloaded malicious files, making credential theft easy and difficult to detect.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fix |
| NTLM Hash Disclosure Vulnerability | Not Yet Assigned | Windows OS and Windows Server | High | Unofficial micropatch available via 0patch |
Technical Summary
This vulnerability enables attackers to steal NTLM authentication credentials simply by having users view a malicious file in Windows Explorer. Unlike previous NTLM relay attack techniques that required users to execute files, this exploit works just by rendering the malicious file’s metadata in the Windows Explorer preview pane. Attackers can leverage this method in various ways:
- Hosting a shared network folder containing the malicious file.
- Distributing infected USB drives that trigger the attack when inserted.
- Tricking users into downloading the malicious file from a compromised or attacker-controlled website.
Once the credentials are captured, attackers can use NTLM relay attacks to gain unauthorized access to internal systems, escalate privileges, and move laterally across the network.
| CVE ID | System Affected | Vulnerability Technical Details | Impact |
| Not Assigned Yet | Windows 7 – Windows 11 v24H2, Server 2008 R2 – Server 2025 | Attackers can capture NTLM credentials when users view malicious files in Windows Explorer. Exploitation methods include shared folders, USB drives, or downloads. | Credential theft, network compromise, and potential lateral movement. |
Recommendations
- Microsoft Patch Awaited: The vulnerability has been reported to Microsoft, and an official security update is expected in the near future.
- Unofficial Micropatch Available: Security researchers at 0patch have released an unofficial micropatch that mitigates this issue. The micropatch is available for all affected Windows versions and will remain free until an official fix is provided by Microsoft.
Steps to Apply 0patch Micropatch:
- Create a free account on 0patch Central.
- Install and register the 0patch Agent on affected systems.
- The micropatch is applied automatically without requiring a system reboot.
Security Best Practices
- Disable NTLM authentication where possible.
- Implement SMB signing to prevent relay attacks.
- Restrict access to public-facing servers like Exchange to limit credential relaying risks.
- Educate users to avoid interacting with unknown or suspicious files in shared folders and USB drives.
Conclusion
Although not classified as critical, this NTLM credential theft vulnerability is extremely harmful due to its ease of exploitation. Attackers can exploit NTLM hashes in relay attacks to compromise internal network resources.
Security researchers confirm that comparable flaws have been actively exploited in real-world assaults. Until an official Microsoft patch is available, organizations should prioritize applying the 0patch micropatch and following NTLM security best practices to reduce potential risks.
References:
Critical NGINX Ingress Vulnerabilities Expose Kubernetes Clusters to Compromise
Security Advisory
Summary:
The Kubernetes Ingress NGINX Admission Controller has detected 5 significant security vulnerabilities affecting all versions of the ingress-nginx controller prior to v1.12.1 and v1.11.5. Here are the cve ids CVE-2025-1974, CVE-2025-1098, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.
| Maintainer | Kubernetes ingress community |
| Severity | Critical |
| CVSS Score | 9.8 |
| No. of Vulnerabilities Patched | 05 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Patch Available | Yes |
| Advisory Version | 1.0 |
Overview
Admission Controllers frequently don’t require authentication and essentially function as web servers, introducing an additional internal network-accessible endpoint in the cluster. This architecture allows attackers to access them directly from any pod in the network, significantly increasing the attack surface.
The most critical of these, CVE-2025-1974, allows attackers on the pod network to remotely execute code and gain full control of the cluster without authentication.
Although there has not been any active exploitation in the wild, this vulnerability poses a serious risk as it could enable attackers to take complete control of a cluster.
The issue was publicly disclosed on March 24, 2025, and security patches have been released.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Admission Controller Remote Code Execution (RCE) Vulnerability | CVE-2025-1974 | Ingress NGINX Admission Controller | Critical | 9.8 |
| Configuration Injection via Unsanitized auth-tls-match-cn annotation | CVE-2025-1097 | High | 8.8 | |
| Configuration Injection via Unsanitized Mirror Annotations | CVE-2025-1098 | High | 8.8 | |
| Unsanitized auth-URL Injection Vulnerability | CVE-2025-24514 | High | 8.8 | |
| Auth Secret File Path Traversal Vulnerability | CVE-2025-24513 | Medium | 4.8 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-1974 | Ingress NGINX Controller v1.12.0 & v1.11.4 and below versions | The Validating Admission Controller does not properly check incoming annotations, allowing attackers on the Pod network to inject configurations and potentially execute arbitrary code across the entire cluster. | Full Kubernetes cluster compromise |
| CVE-2025-1097 | Improper validation of the auth-tls-match-cn annotation allows malicious annotation values to override controller configurations. | Remote code execution | |
| CVE-2025-1098 | Unsafe input handling in mirror annotations could result in unauthorized configuration manipulation. | Config injection, security bypass | |
| CVE-2025-24514 | Unsanitized input from auth-URL annotations can allow malicious URLs to modify ingress-controller behavior. | Remote code execution | |
| CVE-2025-24513 | A path traversal issue in handling auth secret files could let attackers access sensitive information. | Information disclosure |
Remediation:
- Apply Patches Promptly: Immediately upgrade to ingress-nginx v1.12.1, v1.11.5 or latest versions to mitigate the vulnerabilities.
- Temporarily Disable the Validating Admission Controller: It is mandatory to upgrade. If upgrading is not immediately possible, you can temporarily disable the Validating Admission Controller.
General Recommendations:
- Set strict RBAC rules to control who can change ingress and webhook settings.
- Disable dynamic admission controllers if they aren’t needed.
- Monitor cluster audit logs for unusual ingress creation activities and suspicious annotations.
- Conduct security reviews and scans for clusters that have not recently been updated.
- Regularly check ingredients for weak or unsafe configurations.
Conclusion:
The Kubernetes ingress-nginx vulnerabilities disclosed in March 2025 are among the most severe to date, with CVE-2025-1974 posing a real threat of full cluster compromise. All organizations running affected versions must apply patches or mitigation steps immediately.
The vulnerabilities found are affecting the admission controller component of Ingress NGINX Controller for Kubernetes and highlight the importance of strict configuration validation and access control in Kubernetes environments.
Security researchers from Wiz found that 43% of cloud environments are vulnerable to these vulnerabilities. They uncovered over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk.
References:
Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately
Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.
Continue Reading
Critical WordPress Security Flaw in Everest Forms Plugin
UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin
Palo Alto Firewall Vulnerabilities Under Active Exploitation
An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.
Summary
| OEM | Palo Alto |
| Severity | High |
| Date of Announcement | 2025-02-19 |
| CVEs | CVE-2025-0108 |
| CVSS Score | 8.8 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.
This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-0108 | Pan OS | High | PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 |
Technical Summary
This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations.
| Vulnerability Name | Details | Severity | Impact |
| Authentication Bypass Vulnerability | This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111. | High | Root access of the affected system, unauthorized file exfiltration. |
Recommendations
- Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately.
Here are the details of the required upgrades:
| Version | Updated Version |
| PAN-OS 11.2 | Upgrade to 11.2.4-h4 or later |
| PAN-OS 11.1 | Upgrade to 11.1.6-h1 or later |
| PAN-OS 10.2 | Upgrade to 10.2.13-h3 or later |
| PAN-OS 10.1 | Upgrade to 10.1.14-h9 or later |
General Recommendations
- Restrict access to PAN-OS management interfaces to trusted IPs only.
- Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions.
- Follow best practices for firewall security, including network segmentation and regular vulnerability assessments.
- Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity.
Conclusion
The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat.
The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.
References:
- https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise
Authentication Bypass Vulnerability in FortiOS & FortiProxy
Summary
A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2025-24472 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS FortiProxy | Critical | FortiOS v7.0 – v7.0.16 FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 |
Technical Summary
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-24472 | An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands |
Recommendations:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below
| Version | Fixes and Releases |
| FortiOS 7.0 – 7.0.16 | Upgrade to 7.0.17 or latest version |
| FortiProxy 7.0 – 7.0.19 | Upgrade to 7.0.20 or latest version |
| FortiProxy 7.2 – 7.2.12 | Upgrade to 7.2.13 or latest version |
Workarounds:
Below are some workarounds provided by the Fortinet team.
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface via local-in policies
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”
References:
Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days
Summary
Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.
Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-02-11 |
| No. of Vulnerabilities Patched | 67 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.
- 63 Microsoft CVEs addressed
- 4 non-Microsoft CVEs included
The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2025-21418 | Windows | High | 7.8 |
| Windows Storage Elevation of Privilege Vulnerability | CVE-2025-21391 | Windows | High | 7.1 |
| Microsoft Surface Security Feature Bypass Vulnerability | CVE-2025-21194 | Windows | High | 7.1 |
| NTLM Hash Disclosure Spoofing Vulnerability | CVE-2025-21377 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21418 | Windows server and Windows 10 & 11 | Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed. | Unauthorized access with SYSTEM privileges. |
| CVE-2025-21391 | Windows server and Windows 10 & 11 | Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data. | Deletion of critical data, leading to service disruption. |
| CVE-2025-21194 | Microsoft Surface | Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware. | Bypass of security features, potentially compromising system integrity. |
| CVE-2025-21377 | Windows server and Windows 10 & 11 | NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks. | Potential for attackers to authenticate as the user, leading to unauthorized access. |
Source: Microsoft
In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:
- CVE-2025-21376: A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability that could allow attackers to execute arbitrary code remotely.
- CVE-2025-21379: A DHCP Client Service RCE vulnerability that may enable remote attackers to execute code with elevated privileges.
- CVE-2025-21381: An RCE vulnerability in Microsoft Excel that could be triggered through malicious spreadsheet files.
Remediation:
- Apply Updates: Immediately install the February 2025 Patch Tuesday updates to address these vulnerabilities.
Conclusion:
The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.
The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.
References: