Qualcomm Chipset Vulnerability Allows RCE
Multi-Component Qualcomm Vulnerabilities
Continue ReadingCVE
Surge in CVE Volume lead NIST to Prioritizes NVD Program
NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists that mostly assisted cybersecurity professionals prioritize and mitigate vulnerabilities.
Continue Reading
Microsoft Releases Tuesday Patch-March 2026; Fixed 83 Flaws
Microsoft Tuesday Patch March 2026 fixes 83 Vulnerabilities Including 2 Actively Exploited Zero-Days
Continue Reading
Microsoft Released Emergency Security Updates; Patches Microsoft Office 0-Day Vulnerability
Microsoft Released Emergency Security Updates
Continue Reading
Linux Local Privilege Escalation via udisksd and libblockdev (CVE-2025-6019) PoC released
Summary : A local privilege escalation vulnerability poc has been released, tracked as CVE-2025-6019, discovered in the udisksd daemon and its backend libblockdev library, affecting widely used Linux distributions including Fedora and SUSE.
| Severity | High |
| CVSS Score | 7.0 |
| CVEs | CVE-2025-6019 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
CVE-2025-6019 is a local privilege escalation (LPE) vulnerability affecting systems where:
- udisksd is installed and running (e.g., Fedora, SUSE)
- Users in the allow active group are trusted to execute disk-related actions
- libblockdev fails to validate privileged backend operations under unprivileged contexts
This flaw allows unprivileged users in the “allow_active” group to escalate privileges and execute commands as root by exploiting insecure trust boundaries in D-Bus IPC communication.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Local Privilege Escalation Vulnerability | CVE-2025-6019 | udisksd / libblockdev | High |
Technical Summary
This vulnerability is triggered when an attacker in the “allow_active” group issues a crafted D-Bus request to the udisksd daemon using tools like udisksctl. Because the daemon improperly relies on group membership alone (without UID validation), it mistakenly grants root-level mount permissions.
An attacker can exploit this by
- Crafting a malicious disk image (like XFS with a SUID-root shell).
- Using “udisksctl mount -b /dev/loop0” to mount it as root.
- Escalating privileges and compromising the system.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-6019 | Fedora, SUSE, and other Linux distros using udisks2/libblockdev | Improper user validation in D-Bus authorization allows unprivileged users to perform privileged disk operations. | Local privilege escalation to root |
Remediation:
Here are the recommendations below
- Update “udisks2” and “libblockdev” to the latest versions provided by your distribution.
- Audit and restrict membership of the “allow_active” group.
- Disable unsafe or legacy D-Bus actions in system services where possible.
Conclusion:
CVE-2025-6019 highlights a breakdown in privilege boundary enforcement within a core system component used by many Linux desktop environments.
The availability of a public PoC, combined with the low complexity of exploitation, makes this vulnerability highly dangerous, particularly in multi-user or shared computing environments.
Organizations must act swiftly to patch vulnerable systems, reassess group-based privilege models and implement stricter D-Bus and Polkit rules to reduce attack surface.
References:
Apple’s USB Restricted Mode Exploited in Targeted Attacks
| OEM | Apple |
| Severity | High |
| CVSS | Not Assigned |
| CVEs | CVE-2025-24200 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
Apple has issued emergency security patches to mitigate a zero-day vulnerability, CVE-2025-24200, which has been actively exploited in sophisticated attacks targeting specific individuals. The flaw allows attackers to bypass USB Restricted Mode on a locked device, potentially exposing sensitive data. Initially identified by The Citizen Lab, this vulnerability is believed to have been leveraged in real-world scenarios against high-profile targets. Apple has responded by enhancing state management in iOS 18.3.1 and iPadOS 18.3.1 to prevent exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| USB Restricted Mode Bypass Vulnerability | CVE-2025-24200 | Apple | High |
Technical Summary
The vulnerability, tracked as CVE-2025-24200, affects USB Restricted Mode, a security feature introduced in 2018 to prevent data transfer over USB when a device remains locked for seven days. A flaw in the Accessibility framework allows an attacker with physical access to disable USB Restricted Mode, bypassing this protection and potentially accessing sensitive data.
Apple has mentioned “This issue has been exploited in extremely sophisticated attacks against specific individuals.” The vulnerability was discovered by Bill Marczak, a senior researcher at The Citizen Lab.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24200 | iPhone XS and later iPad Pro (13-inch) iPad Pro 12.9-inch (3rd generation and later) iPad Pro 11-inch (1st generation and later) iPad Air (3rd generation and later) iPad (7th generation and later) iPad mini (5th generation and later) | A flaw in the Accessibility framework allows a physical attacker to disable USB Restricted Mode, bypassing protections designed to prevent unauthorized data transfer. | Unauthorized access to sensitive data |
Remediation:
- Users are strongly advised to update their devices to the latest versions:
- iOS: Update to version 18.3.1
- iPadOS: Update to version 18.3.1
- To update your device, go to Settings > General > Software Update, and follow the on-screen instructions.
Conclusion
The CVE-2025-24200 vulnerability poses a serious risk to device security, particularly for individuals targeted in sophisticated cyberattacks. While the exploitation has been limited to specific individuals, all users of affected devices should install the latest updates immediately to mitigate potential risks. Apple remains committed to user security by addressing vulnerabilities promptly and ensuring continuous protection against emerging threats.
References:
Zero-Day Vulnerability in Microsoft Sysinternals Tools
Summary
A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 2025-02-05 |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability Name | Zero-Day |
Overview
Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| zero-day | Not Yet Assigned | Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others) | High | Arbitrary Code Execution, Privilege Escalation, Malware Deployment |
Technical Summary
The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories.
The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as:
- The Current Working Directory (CWD)
- Network locations (e.g., shared drives)
- User-writable paths over secure system directories
This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL.
Exploit Workflow
- Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan.
- The DLL is placed in the same directory as a vulnerable Sysinternals tool.
- The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory.
- The malicious DLL is loaded instead of the legitimate system DLL.
- Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights).
Recommendations
- Avoid Running Sysinternals Tools from Network Locations
- Always copy tools to a local trusted directory before execution.
- Disable execution of .exe files from network drives if feasible.
- Restrict DLL Search Paths
- Use SafeDLLSearchMode to prioritize secure directories.
- Implement DLL redirection to force tools to load DLLs from trusted paths.
- Implement Application Control Policies
- Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading.
- Restrict execution of Sysinternals tools to trusted admin-only directories.
- Verify DLL Integrity Before Execution
- Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed.
- Block execution of unsigned or suspicious DLLs in sensitive directories.
- Monitor for Suspicious DLL Loading Behavior
- Enable Sysmon logging to detect anomalous DLL loads (Event ID 7).
- Monitor for executions of Sysinternals tools from network shares (Event ID 4688).
Conclusion
Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.
The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems.
References:
Critical Apache Tomcat Vulnerabilities Allow RCE & DoS
Summary
| OEM | Apache |
| Severity | Critical |
| CVSS | 9.8 |
| CVEs | CVE-2024-50379, CVE-2024-54677 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Race Condition Vulnerability | CVE-2024-50379 | Apache | Critical | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
| Uncontrolled Resource Consumption Vulnerability | CVE-2024-54677 | Apache | Medium | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-50379 | Apache Tomcat | A race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system. | Remote Code Execution |
| CVE-2024-54677 | Apache Tomcat | The examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service. | Denial of Service |
Remediation:
- Upgrade Apache Tomcat to the latest fixed versions:
- Apache Tomcat 11.0.2 or latest
- Apache Tomcat 10.1.34 or latest
- Apache Tomcat 9.0.98 or latest
Recommendations:
- Configuration Hardening:
- Restrict write permissions for the default servlet to prevent unauthorized JSP file uploads.
- Remove or disable example applications to reduce exposure to potential attacks.
- Monitor and Audit:
- Regularly review server logs for signs of exploitation attempts.
- Apply a robust file upload policy to limit sizes and validate content.
- Regularly update all your software’s to address security vulnerabilities
References:
Recent Comments