Two critical vulnerabilities affecting Splunk Enterprise and Splunk Universal Forwarder on Windows platforms were disclosed, both involving incorrect permission assignments during installation or upgrade. The vulnerabilities may enable attackers to achieve privilege escalation, information disclosure, or remote code execution.
In any phishing scam, the purpose is to trick unsuspecting victims or organizations into taking a specific action, which can range from clicking on malicious links and downloading harmful files to sharing login credentials. The effectiveness of phishing attacks stems from their use of social engineering techniques that exploit human psychology and behavior. In 2025 we have witnessed how evolving phishing scams have affected organizations financially.
Phishing scams often create a sense of urgency or curiosity, prompting victims to act quickly without verifying the authenticity of the incoming request. As technology evolves, phishing tactics evolve with it, making these attacks increasingly sophisticated and hard to detect. In the coming years we will see AI power more phishing attacks, from text-based impersonation to deepfake communications, and these will become cheaper and more popular with threat actors.
Cybersecurity researchers have found that ransomware and malware infections are linked to a handful of recurring causes. A survey by Statista found that ransomware infections were caused by:
54% Phishing
27% Poor user practices / gullibility
26% Lack of cybersecurity training
14% Malicious websites
In this blog we will highlight the latest phishing statistics that emerged in 2025, how they are affecting organizations, and how phishing scams are changing.
The APWG report measures unique phishing sites. This is the primary measure of reported phishing across the globe, determined from the unique base URLs of phishing sites found in phishing emails reported to APWG's repository.
In the first quarter of 2025, APWG observed 1,003,924 phishing attacks. This was the largest quarterly total since 1.07 million were observed in Q4 2023. The number has climbed steadily over the last year: from 877,536 in Q2 2024, to 932,923 in Q3, to 989,123 in Q4. One of the reasons cited is that advances in AI are making it easier for criminals to create convincing and personalized phishing lures.
Hoxhunt reports alarming statistics on phishing-related attacks in 2025:
Business email compromise (BEC)
A staggering 64% of businesses report facing BEC attacks in 2024, with a typical financial loss averaging $150,000 per incident. These phishing attacks frequently target employees with access to financial systems, mimicking executives or trusted contacts.
Credential phishing
Around 80% of phishing campaigns aim to steal credentials, particularly targeting cloud-based services like Microsoft 365 and Google Workspace. With the growing reliance on cloud platforms, cyber attackers leverage realistic fake login pages to deceive users.
HTTPS phishing
An increasing number of phishing sites now use HTTPS to appear legitimate. In 2024, approximately 80% of phishing websites feature HTTPS, complicating detection for users.
Voice phishing (vishing)
Vishing attacks are growing in prevalence, with 30% of organizations reporting instances where threat actors used fake calls to impersonate officials or executives.
Quishing (QR code phishing)
QR code phishing attacks (quishing) increased by 25% year-over-year, as attackers exploit physical spaces like posters or fake business cards to lure victims.
AI-driven attacks
AI is powering phishing attacks, with deepfake impersonations increasing by 15% in the last year. These attacks often target high-value individuals in finance and HR.
Multi-channel phishing
Attackers are increasingly exploiting platforms like Slack, Teams, and social media. Around 40% of phishing campaigns now extend beyond email, reflecting a shift to these channels.
Government agency impersonation
Phishing emails mimicking government bodies such as the IRS or international tax agencies have increased by 35%. These often involve claims about overdue taxes or fines.
Phishing kits
The availability of ready-to-use phishing kits on the dark web has risen by 50%, enabling less sophisticated attackers to deploy high-quality phishing schemes.
Brand impersonation
Attackers frequently impersonate well-known brands like Microsoft, Amazon, and Facebook, leveraging user trust. For example, over 44,750 phishing attacks specifically targeted Facebook by embedding its name in domains and subdomains over the past year.
Cost of phishing attacks
According to the 2024 IBM / Ponemon Cost of a Data Breach study, the average annual cost of phishing rose by nearly 10% from 2023 to 2024, from $4.45m to $4.88m. That's the biggest jump since the pandemic.
The IBM study reported the following costs:
Phishing breaches: $4.88M
Social engineering: $4.77M
BEC: $4.67M
The above-listed categories of cybersecurity breach costs all relate to people-targeted attacks. BEC, social engineering, and stolen credentials often contain a phishing element.
Barracuda research found that email remains the most common attack vector for cyber threats and highlighted these key findings:
1 in 4 email messages are malicious or unwanted spam.
83% of malicious Microsoft 365 documents contain QR codes that lead to phishing websites.
20% of companies experience at least one account takeover (ATO) incident each month.
Nearly one-quarter of all HTML attachments are malicious and more than three-quarters of companies are not actively preventing spoofed emails.
Bitcoin sextortion scams, an emerging trend, account for 12% of malicious PDF attachments.
Nearly half of all companies have not configured a DMARC policy, putting them at risk of email spoofing, phishing attacks, and business email compromise.
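Since the last finding above concerns domains with no DMARC policy, here is an added example (my own code, not Barracuda's and not from the original post) showing how a defender can parse a domain's DMARC TXT record and judge whether it actually blocks spoofing rather than merely monitoring it. The records are constructed samples embedded inline, not live DNS lookups; the domain names and report mailboxes are placeholders.

```javascript
// Added example, not from the original post: parse and assess DMARC TXT
// records. All records below are constructed samples (placeholder domains).
const SAMPLE_RECORDS = {
  // enforced for the whole domain tree, aggregate reports collected
  "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example; pct=100",
  // policy published but only monitoring: spoofed mail is still delivered
  "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
  // enforcement on only half of failing mail, subdomains left open, no reports
  "partial.example": "v=DMARC1; p=quarantine; pct=50; sp=none",
  // no record published at all
  "missing.example": null,
};

// Split "tag=value; tag=value" into an object. Returns null when the record
// is absent, does not start with v=DMARC1, or lacks the mandatory p tag.
function parseDmarc(txt) {
  if (typeof txt !== "string") return null;
  const tags = {};
  for (const part of txt.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim().toLowerCase();
    const val = part.slice(idx + 1).trim();
    if (key) tags[key] = val;
  }
  if (tags.v !== "DMARC1" || !("p" in tags)) return null;
  return tags;
}

// Classify one record. Status values:
//   missing             no usable record, receivers apply no policy
//   monitor-only        p=none, spoofed mail is delivered (reports only)
//   partially-enforced  quarantine/reject but pct<100 or subdomains at sp=none
//   enforced            quarantine/reject applied to all failing mail
function assessDmarc(txt) {
  const tags = parseDmarc(txt);
  if (!tags) return { status: "missing", findings: ["no valid DMARC record published"] };

  const p = tags.p.toLowerCase();
  const sp = (tags.sp ?? tags.p).toLowerCase(); // sp defaults to p
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  const findings = [];

  if (p === "none") findings.push("p=none only monitors; spoofed mail is still delivered");
  if (sp === "none" && p !== "none") findings.push("sp=none leaves subdomains spoofable");
  if (Number.isNaN(pct) || pct < 100) findings.push(`pct=${tags.pct} applies the policy to only part of failing mail`);
  if (!tags.rua) findings.push("no rua address, so aggregate reports are not collected");

  let status;
  if (p === "none") status = "monitor-only";
  else if (sp === "none" || Number.isNaN(pct) || pct < 100) status = "partially-enforced";
  else status = "enforced";
  return { status, findings };
}

// Count how many domains in a set are not fully enforced, the kind of figure
// behind the "nearly half of all companies" statistic above.
function countUnenforced(records) {
  return Object.values(records).filter((r) => assessDmarc(r).status !== "enforced").length;
}
```

The useful distinction for a defender is between a record that exists and one that enforces: p=none satisfies a checkbox but delivers spoofed mail exactly as if no record were published, and a partial pct or an open sp tag leaves gaps that a phisher impersonating a subdomain will find.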
The Barracuda research also found that one in four emails is either malicious or unwanted spam, and that malicious attachments are prevalent across various file types.
An alarming 87% of binaries detected were malicious, highlighting the need for strict policies against executable files being sent via email, since they can directly install malware. Despite a relatively low total volume, HTML files have a high malicious rate of 23% and are often used for phishing and credential theft.
The research says that small businesses are more vulnerable to email threats due to limited cybersecurity resources, smaller IT teams and reliance on basic email security solutions. Small businesses may not have the solutions required to handle sophisticated attacks such as business email compromise (BEC), phishing and ransomware.
How organizations can strengthen their defense
As organizations set out to strengthen their defenses, it is crucial that they do not overlook the human element and cybersecurity hygiene. That starts with building in security at every step, beginning with ensuring that every user, machine or system has the right access privileges.
Cybersecurity is as much a cultural issue as it is a technical one: since a single click can compromise an entire organization, behavior must shift from compliance to accountability.
Researchers emphasize that successful phishing attacks work by exploiting human trust and familiarity with corporate communication formats. Security awareness remains the strongest defense, as the growing complexity of these campaigns indicates that phishing operations are increasingly automated, data-driven and adaptive.
Conclusion: As organizations adopt AI, attackers do too, continuously refining their tactics to evade traditional security measures. Organizations must mitigate the risks by adopting a multi-layered approach to email security, including AI-driven threat detection, real-time monitoring and user awareness training.
Phishing Detection & DeepPhish
Unlike traditional rule-based phishing detection, which relies on blacklists and predefined rules, DeepPhish continuously learns from new phishing attempts, making it highly adaptive and effective against evolving threats.
DeepPhish employs a multi-layered AI approach to detect phishing threats. This includes email and website analysis, ML algorithms that analyze historical phishing attacks to identify new patterns, and NLP that helps DeepPhish analyze email content, message tone and the linguistic patterns phishers use to trick users.
Summary: React Native is an open source framework maintained by Meta. A critical remote code execution vulnerability was found in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.
Severity: Critical
CVSS Score: 9.8
CVEs: CVE-2025-11953
POC Available: Yes
Actively Exploited: No
Advisory Version: 1.0
Overview
The vulnerability stems from unsafe input handling in the /open-url endpoint, which passes that input to the open() function, exposing the server to remote code execution. Immediate updates and mitigations are recommended for all users of the affected package versions:
@react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2
Technical Summary
The Metro development server's /open-url HTTP POST endpoint unsafely passes the unsanitized url field of the request body as an argument to the open() function from the open npm package, which leads to OS command injection.
On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via a cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but this is not yet confirmed. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers.
CVE ID: CVE-2025-11953
Component Affected: Development Server's /open-url Endpoint
Vulnerability Details: The React Native CLI's Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows.
Impact: Remote OS Command Injection
Recommendations
Update to @react-native-community/cli-server-api version 20.0.0 or later immediately.
If upgrading is not possible, restrict the Metro server to localhost by adding the flag --host 127.0.0.1 when starting the server.
Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early.
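As an added illustration of the two mitigations above (my own example, not code from the React Native CLI project or its actual fix), the following JavaScript shows a hardened version of the pattern the advisory describes: the url field of a POST body is checked to be an absolute http or https URL before it is handed to any launcher, and the server is bound to 127.0.0.1 rather than 0.0.0.0. The launcher is injected as a callback so the file runs without the open package; the endpoint path, port and function names are assumptions for this example.

```javascript
// Added example, not the project's own code: a hardened /open-url handler.
// The launcher (open() in the real Metro server) is injected so this runs
// offline; the endpoint path and port are assumptions for illustration.

// Accept only absolute http/https URLs. Everything else (file:, javascript:,
// a bare command string, shell metacharacters in a non-URL) is refused before
// it could ever reach a process-spawning call.
function isSafeOpenTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return false;
  let parsed;
  try {
    parsed = new URL(raw); // throws on anything that is not an absolute URL
  } catch {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Validate a raw POST body and call launch(url) only when the target is safe.
// Returns the HTTP status and reason so the decision is testable on its own.
function handleOpenUrl(body, launch) {
  let payload;
  try {
    payload = JSON.parse(body);
  } catch {
    return { status: 400, reason: "body must be JSON" };
  }
  const url = payload && payload.url;
  if (!isSafeOpenTarget(url)) {
    return { status: 400, reason: "url must be an absolute http(s) URL" };
  }
  launch(url);
  return { status: 200, reason: "ok" };
}

// Second mitigation from the recommendations: listen on loopback only, so the
// endpoint is unreachable from other hosts even before input validation runs.
function startLocalOnlyServer(launch, port = 8081) {
  const http = require("node:http");
  const server = http.createServer((req, res) => {
    if (req.method !== "POST" || req.url !== "/open-url") {
      res.writeHead(404);
      res.end();
      return;
    }
    let body = "";
    req.on("data", (chunk) => {
      body += chunk;
      if (body.length > 64 * 1024) req.destroy(); // cap request size
    });
    req.on("end", () => {
      const result = handleOpenUrl(body, launch);
      res.writeHead(result.status, { "Content-Type": "text/plain" });
      res.end(result.reason);
    });
  });
  server.listen(port, "127.0.0.1"); // never 0.0.0.0 for a dev server
  return server;
}
// Usage: startLocalOnlyServer((url) => console.log("would open", url));
```

The two controls are independent and both are worth having: the loopback bind removes the network exposure that makes the flaw reachable at all, while the allow-list on the URL scheme means that even a request from the local machine cannot turn the launcher into a command runner.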
How can this kind of security flaw cause damage?
This vulnerability poses a critical threat to React Native developers using the Metro development server because it allows unauthenticated RCE via network exposure. Any unauthenticated network attacker can weaponize the flaw by sending a specially crafted POST request to the server and then running arbitrary commands.
On Windows the exploitation is more severe: attackers can execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS the flaw can be used to execute arbitrary binaries with limited parameter control.
The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.
The incident highlights the need for more rigorous input validation and secure-by-default configurations in developer environments.
What should organizations look for when selecting a comprehensive tool that can provide thorough coverage across their IT environment, networks, applications and cloud infrastructure?
Detecting vulnerabilities and misconfigurations with GaarudNode from Intruceptlabs makes it a go-to scanner.
GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
Application security tools are designed to identify a wide range of vulnerabilities and other security issues across the different stages of the software development lifecycle.
GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high-priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.
Are you planning to trade in online digital assets? You might want to think twice, as chances are you could fall into a scammer's lap: fake traders exploit retail traders seeking quick gains amid volatile crypto and stock markets.
According to sources, 1,400 illegal online trading domains/websites operating out of Eastern Europe and Germany were taken down, marking one of the largest coordinated crackdowns on cyber-trading fraud in the region. The operation, named "Operation Heracles," took 1,406 active illegal domains offline in cooperation with the European police authority Europol and Bulgarian law enforcement authorities. German investigators and the banking watchdog BaFin decided to shut down these websites after the cyber-trading fraud came to light.
Modus operandi of the scammers
First, users were lured with promises of good returns through sophisticated online ads and social media campaigns before being connected to brokers working from call centers abroad. The shuttered websites displayed huge returns and exciting offers and convinced victims to invest substantial sums, often promising high returns through forex, crypto or stock trading.
The scammers opened fake trading platforms without a license from BaFin and used call centers to encourage victims to invest money in the scheme.
The scammers posed as international agencies but deliberately targeted the German market and people residing in Germany. Since the affected websites were redirected on October 3, authorities have recorded around 866,000 hits on the seized pages, showing the scale of the issue.
The sites' users were directed to brokers operating from overseas call centers, who then persuaded them to invest large amounts of funds. Many victims realized only after months that their money had never actually been invested, authorities said.
"The perpetrators are getting more professional," said Birgit Rodolphe from BaFin. They use artificial intelligence to create illegal sites en masse and trap investors into handing over money.
The operation follows the closure of 800 illegal domains in June this year. Since then, there have been around 20 million attempts to access the sites that have been blocked.
The Alarming Rise of Online Cyber-fraud
The digital world offers incredible opportunities for earning within a short time, but scammers are lurking everywhere with sinister plans, a stark reminder of the dangers.
This incident serves as a crucial warning to anyone considering online investments.
Here are a few important guidelines to protect yourself from similar trading fraud:
Unrealistic promises of high returns are a sure sign of a scam. All legitimate investments carry some degree of risk.
Be extremely wary of unexpected calls, messages, or emails from individuals or groups promoting investment opportunities.
Scammers use tactics that create a sense of urgency, urging you to invest quickly so that you do not read whole documents or contracts.
Keep verifying the legitimacy of any trading application or website: check whether they hold regulatory licenses and watch for any sign of unprofessionalism.
Watch for requests to transfer funds to personal accounts. Legitimate investment firms will never ask you to transfer money into personal bank accounts; all transactions should go through official, regulated channels.
Fraudsters often impersonate famous financial institutions or advisors, so it is important to always cross-reference their claims.
It is important that you report the issue to the police ASAP. You will need a crime number from the police to help you work with your bank and other organizations.
Approaches to dealing with cybercrime-related financial loss
How you can try and get your money back very much depends on how the money was stolen. Here we are going to focus on four different approaches:
1) Authorised payments (where you were tricked into making a payment),
2) Unauthorised payments (where the criminal actually carried out the payment using your accounts),
3) ID fraud (where you have been impersonated with a financial organisation) and
4) card fraud (where the money was transferred by a credit or debit card payment).
Managing cyber risk across an enterprise's security set-up is harder than ever, and keeping architectures and systems both secure and compliant can be challenging and overwhelming.
The DoW (Department of War) recently announced the implementation of a groundbreaking Cybersecurity Risk Management Construct (CSRMC).
This transformative framework delivers real-time cyber defense at operational speed. Its five-phase construct ensures a hardened, verifiable, continuously monitored and actively defended environment so that U.S. warfighters maintain technological superiority against rapidly evolving cyber threats.
By comparison, the previous Risk Management Framework depended on static checklists and manual processes and failed to account for operational needs and cyber survivability requirements.
How will the CSRMC address legacy infrastructure shortcomings?
CSRMC addresses these gaps by shifting from “snapshot in time” assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.
The construct is composed of a five-phase lifecycle and ten foundational tenets.
The Five-Phase Lifecycle
The new construct organizes cybersecurity into five phases aligned to system development and operations:
Design Phase – Security is embedded at the outset, ensuring resilience is built into system architecture.
Build Phase – Secure designs are implemented as systems achieve Initial Operating Capability (IOC).
Test Phase – Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).
Onboard Phase – Automated continuous monitoring is activated at deployment to sustain system visibility.
Operations Phase – Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.
Ten Foundational Tenets
The CSRMC has ten core principles:
Automation – driving efficiency and scale
Critical Controls – identifying and tracking the controls that matter most to cybersecurity
Continuous Monitoring and ATO – enabling real-time situational awareness to achieve constant ATO posture
DevSecOps – supporting secure, agile development and deployment
Cyber Survivability – enabling operations in contested environments
Training – upskilling personnel to meet evolving challenges
Enterprise Services & Inheritance – reducing duplication and compliance burdens
Operationalization – ensuring stakeholders near real-time visibility of cybersecurity risk posture
Reciprocity – reuse assessments across systems
Cybersecurity Assessments – integrating threat-informed testing to validate security
"This construct represents a cultural fundamental shift in how the Department approaches cybersecurity," said Katie Arrington, performing the duties of the DoW CIO. "With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today's adversaries while preparing for tomorrow's challenges."
With the above tenets, the DoW is ensuring cyber survivability and mission assurance in every domain: air, land, sea, space and cyberspace.
Addressing cybersecurity risk management
Cybersecurity risk management isn't simply the job of the security team; everyone in the organization has a role to play. Often siloed, employees and business unit leaders view risk management only from the perspective of their own business function.
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify the latest threats without having to purchase, implement and oversee several solutions or find, hire and manage a team of security analysts. Unify the latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
Mirage Cloak offers various deception methods to detect and stop threats before they cause damage. These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.
BISO Analytics stands out as the pioneering security analytics platform designed to assist enterprises in effectively handling their first-party, third-party, and emerging risks, all within a single platform. This comprehensive solution facilitates a quicker and safer progression for your business.
By adopting a groundbreaking approach, BISO Analytics integrates open, data-centric cyber risk management practices, offering organizations a consolidated view of their cyber risk landscape across the entire attack surface.
BISO Analytics empowers CXO, mid-management, and operational teams with real-time, reliable, and defensible data that not only complies with regulatory standards but also aligns with the expectations of the board regarding safeguarding shareholder value and fortifying the business.
Why it is important to implement cybersecurity risk management at the organisational level
An effective cybersecurity risk management program can only be implemented in an organization through a structured process. This requires careful planning, resource allocation and commitment to improving the security framework.
A risk register documents risk-related activities, including asset inventories that cover all systems and data. Each registered risk holds a record of the identified risk (data theft, for example), the results of the assessment and the planned treatments.
Organizations should hold complete documentation of their controls and the level at which each is implemented. With this in place, an organization actually understands what risk assessment is and can identify what can go wrong in its systems, whether through threats, vulnerabilities or their possible impact.
As the saying goes, you can't protect what you don't understand, and you can't manage what you don't assess.
Visit our website for more informed details on our products.
The US Secret Service, the agency in charge of security for the United Nations General Assembly, discovered a threatening network of over 300 servers and 10,000 SIM cards across the New York tri-state area.
The network could have "disabled cell phone towers and potentially shut down the cellular network in New York City," said Matt McCool, the special agent in charge of the Secret Service's New York field office.
Key Points:
The network could also facilitate denial of service attacks and could send up to 30 million text messages per minute. All of the devices were found within 35 miles of the United Nations headquarters in Midtown Manhattan.
Analysis indicates cellular communications between nation-state threat actors and individuals known to federal law enforcement, the report said.
The investigation into the devices is ongoing, the Secret Service said, but early forensic analysis indicates it was used for communications between “foreign actors” and people already known to federal law enforcement. No arrests have been announced, and investigators are still searching through the equivalent of 100,000 cell phones worth of data.
“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City,” Matt McCool, special agent in charge of the Secret Service field office in New York, said in a video statement.
The telecommunications gear was recovered from so-called SIM farms housed in abandoned apartment buildings in at least five undisclosed sites. The devices discovered could be used to conduct a range of telecommunications attacks including disabling cell phone towers, enabling cybersecurity attacks and allowing encrypted communication between criminal groups and threat actors.
According to the Secret Service, the devices could facilitate a wide range of attacks on telecommunications systems, including disabling cell phone towers and enabling denial of service attacks.
This also allowed encrypted, anonymous communication between potential threat actors and criminal enterprises.
The forensic analysis indicates potential links between the network and overseas threat actors, as well as connections to individuals already known to federal law enforcement agencies.
According to Bloomberg, it is still unclear whether the network was connected to earlier incidents this year in which unknown individuals impersonated White House Chief of Staff Susie Wiles and Secretary of State Marco Rubio.
A full forensic review of the seized devices is ongoing as authorities continue to assess the scope and origins of the network.
Investigations started after threats to US officials
According to agents who spoke to the New York Times, the investigation began after anonymous telephonic threats were made against three US government officials earlier this year. One of the officials who was threatened worked with the Secret Service, while the other two were White House staffers.
State of crime
The agency first detected the New York-area SIM farm after it was linked to swatting incidents on Christmas Day in 2023. Those incidents involved Congresswoman Marjorie Taylor Greene and US Senator Rick Scott.
The cases were tied to two Romanian men, Thomasz Szabo and Nemanja Radovanovic, who were working with an American swatter, Alan Filion, also known as “Torswats.” All three have since been convicted on swatting-related charges.
Ben Coon, head of intelligence at cybersecurity firm Unit 221b, believes there was little foreign state involvement, and the operation is based on financial crimes.
Images released by the Secret Service showed racks of neatly arranged telecom equipment, each component numbered and labeled. Cables were carefully laid out and secured, which could mean the operation was handled by well-resourced professionals.
The operation is linked to swatting incidents, organized crime groups, and nation-state actors, with equipment seized across New York and New Jersey.
A third-party passenger system disruption may have caused delays in the check-in process at Heathrow Airport, and major European airlines flagged it as a cyber attack. Third-party system disruption: a coordinated cyber attack on major European airlines.
The cyber attack targeted third-party vendor Collins Aerospace, which provides check-in and boarding systems for several airlines across multiple airports globally; the vendor experienced a technical issue leading to flight disruption.
Heathrow Airport warned departing passengers of probable delays and urged them to monitor their flight status closely during the disruption.
Similarly Brussels Airport confirmed that automated check-in and boarding services were inoperable, forcing staff to use manual processes to handle departing passengers.
Berlin Airport also communicated the situation via a banner on its website, stating: "Due to a technical issue at a system provider operating across Europe, there are longer waiting times at check-in. We are working on a quick solution."
As per reports, "the impact is limited to electronic customer check-in and baggage drop and can be mitigated with manual check-in operations," RTX, which owns Collins Aerospace, reportedly said in a statement, adding that it had become aware of a "cyber-related disruption" to its software at selected airports, without naming them. It added that it was working to fix the issue as quickly as possible.
A highly coordinated attack by hackers on the aviation sector: what do we know?
“The aviation industry has become an increasingly attractive target for cybercriminals because of its heavy reliance on shared digital systems,” Charlotte Wilson, head of enterprise at cybersecurity firm Check Point, told Euronews Next.
“These attacks often strike through the supply chain, exploiting third-party platforms that are used by multiple airlines and airports at once. When one vendor is compromised, the ripple effect can be immediate and far-reaching, causing widespread disruption across borders,” she added.
Weak link targeted in the connected ecosystem
The attack on the third-party ecosystem shows that cybersecurity needs to be treated as a high priority; it is high time airlines and the aviation sector took cybersecurity seriously.
According to a recent SecurityScorecard study, at least 29% of all breaches were attributable to a third-party attack vector, meaning the core risk originated outside of the organization.
Of these, 75% involved software or other technology products and services, with the remaining 25% stemming from non-technical products or services. These statistics highlight the digital interconnectivity across the supply chain, and the risks inherent in those relationships.
Reducing third-party cyber risk-related loss
In this competitive market, with cyber criminals aggressively targeting vendors and third-party service providers, the utmost care is required when choosing critical product and service providers. The entire ecosystem relies on their services, and this includes, where possible, identifying the critical vendors and suppliers those providers themselves use, otherwise known as fourth-party vendors.
Verify that third parties hold adequate cyber insurance to meet the requirements of the first-party organization. This demonstrates that cyber risk management hygiene is maintained and certain controls are in place.
Maintain a strong incident response plan well before any incident occurs.
Imagine discovering that small payments are being made via your mobile phone without your knowledge, and that the payments are routed through small base stations set up by hackers and linked to your service provider.
Cyber criminals hacked ultra-small base stations, accessed the KT communication network and intercepted traffic; this was discovered during an on-site inspection on 8 September.
The telecom giant was hacked in a cleverly managed, systematic way: the hackers created a look-alike base station using stolen femtocells that were unused or under-managed. KT has disconnected the base station in question.
This came to light when KT, the South Korean telecom provider, discovered two additional illegal ultra-small base stations, or femtocells, that were used to facilitate a large-scale micropayment scam, bringing the confirmed total to four.
The telecom giant said Thursday that the devices had leaked IMSI, IMEI and phone numbers, that the number of confirmed impacted subscribers had risen from 278 to 362, and that funds embezzled through fraudulent charges to gift cards and transit passes had reached 240 million won, or 173,000 U.S. dollars.
Attacks on devices
KT said no additional funds have been stolen since it blocked abnormal transactions on September 5, and that all newly confirmed cases predate that date.
KT said that in this attack personal details such as names and birth dates were not leaked via its network and that SIM authentication keys remain secure, meaning the perpetrators of the data breach do not have the ability to clone impacted users' devices.
Mitigation steps by KT
KT said it is reimbursing victims, offering free SIM card replacements and instructing customers via its website and app, as well as text message, to keep an eye out for fraudulent charges and sign up for the carrier’s SIM protection service.
To prevent a recurrence, it will upgrade the management system for micro base stations and strengthen a system that monitors abnormal payment types in real time.
It will convert about 2,000 stores nationwide into “Safe and Secure Specialty Stores” and provide affected customers with the “KT Safe and Secure Insurance” (tentative name) free of charge for the next three years to compensate for financial fraud linked to communication devices.
Security advisory: Jenkins addressed critical security flaws in its built-in HTTP server related to the handling of HTTP/2 connections, where attackers could overwhelm servers causing denial of service. This mainly impacts Jenkins instances running with HTTP/2 enabled, which is not the default setting.
Jenkins, a popular open-source automation server used for building and deploying software, recently patched several high- and medium-severity security flaws.
The high-severity issue is a Denial-of-Service (DoS) vulnerability that could allow attackers to overwhelm the server and make it stop working properly, even without needing to log in.
Other issues included the risk of unauthorized users viewing sensitive configuration information and the possibility of attackers inserting fake log entries to confuse system administrators. Jenkins released updates to fix these issues and strongly recommends users upgrade to the latest versions to stay protected.
Vulnerability Name                           | CVE ID         | Product Affected        | Severity | Fixed Version
---------------------------------------------|----------------|-------------------------|----------|-----------------------------
HTTP/2 Denial of Service in bundled Jetty    | CVE-2025-5115  | Jenkins (bundled Jetty) | High     | Weekly 2.524+, LTS 2.516.3+
Missing permission check – agent names       | CVE-2025-59474 | Jenkins core            | Medium   | Weekly 2.528+, LTS 2.516.3+
Missing permission check – user profile menu | CVE-2025-59475 | Jenkins core            | Medium   | Weekly 2.528+, LTS 2.516.3+
Log Message Injection Vulnerability          | CVE-2025-59476 | Jenkins core            | Medium   | Weekly 2.528+, LTS 2.516.3+
Technical Summary
Additionally, permission checks in some user interface areas were incomplete, allowing unauthorized users to access sensitive information such as agent names and configuration details.
There was also a vulnerability in log message processing that could let attackers insert misleading entries to confuse administrators. All of these issues are fixed in the latest Jenkins version.
CVE ID         | System Affected                                                   | Vulnerability Details                                                                                                                                                          | Impact
---------------|-------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------
CVE-2025-5115  | Jenkins instances with embedded Jetty server with HTTP/2 enabled | Causes the Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM) in response to malicious or malformed frames, leading to resource exhaustion and potential denial of service. | Denial of service
CVE-2025-59474 | Jenkins automation server                                         | Permission check flaw allowing unauthorized users to view Jenkins agent/executor names via the side panel executors widget.                                                     | Information disclosure
CVE-2025-59475 | Jenkins automation server                                         | Permission check flaw allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu.         | Information disclosure
CVE-2025-59476 | Jenkins automation server                                         | An attacker can inject line breaks into Jenkins log messages, leading to forged or misleading log entries.                                                                     | Misleading administrators
Remediation:
Users should immediately install the latest, patched version of Jenkins on all servers:
Weekly Release: Update to Jenkins v2.528 or later.
Long-Term Support (LTS): Update to Jenkins v2.516.3 or later.
Additional recommendations:
If an immediate upgrade is not possible, disable HTTP/2 to mitigate the Denial-of-Service vulnerability.
Always keep Jenkins core and plugins up to date with the latest security patches.
Regularly audit and monitor access logs and system activity.
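As an added example (not code from the Jenkins project or from this post), the check below maps an instance's version and launcher arguments to the advisories in the tables above, so a fleet can be triaged before upgrading. It assumes the version is read from the X-Jenkins response header and that HTTP/2 in the bundled Winstone/Jetty launcher is enabled only through the --http2Port argument (-1 disables it).

```python
import re

# Fixed versions from the advisory table above, as (weekly, lts) tuples.
FIXED = {
    "CVE-2025-5115":  ((2, 524), (2, 516, 3)),  # HTTP/2 DoS in bundled Jetty
    "CVE-2025-59474": ((2, 528), (2, 516, 3)),  # agent names disclosure
    "CVE-2025-59475": ((2, 528), (2, 516, 3)),  # user profile menu disclosure
    "CVE-2025-59476": ((2, 528), (2, 516, 3)),  # log message injection
}
# The DoS is reachable only when HTTP/2 is enabled (off by default).
HTTP2_ONLY = {"CVE-2025-5115"}


def parse_version(version):
    """Return a tuple of ints: weekly releases are X.Y, LTS releases are X.Y.Z."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def http2_enabled(launch_args):
    """Assumption: Winstone enables HTTP/2 only via --http2Port=<port>; -1 disables it."""
    for arg in launch_args:
        if arg.startswith("--http2Port="):
            return arg.split("=", 1)[1] != "-1"
    return False


def exposed_cves(version, launch_args=()):
    """CVEs from the advisory that this instance is still exposed to, in table order."""
    parsed = parse_version(version)
    line = 1 if len(parsed) == 3 else 0      # pick the LTS or the weekly fixed version
    h2 = http2_enabled(launch_args)
    exposed = []
    for cve, fixed in FIXED.items():
        if cve in HTTP2_ONLY and not h2:
            continue
        if parsed < fixed[line]:             # tuple comparison handles 2.516.2 < 2.516.3
            exposed.append(cve)
    return exposed


if __name__ == "__main__":
    # Constructed inventory: (host, X-Jenkins header value, launcher arguments).
    fleet = [
        ("ci-lts-old", "2.516.2", ["--httpPort=8080"]),
        ("ci-weekly-h2", "2.520", ["--httpPort=-1", "--http2Port=8443"]),
        ("ci-lts-fixed", "2.516.3", ["--httpPort=8080"]),
    ]
    for host, ver, args in fleet:
        print(f"{host:14} {ver:8} {exposed_cves(ver, args) or 'patched'}")
```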
Conclusion: These security flaws could seriously impact Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because it can be triggered by anyone over the internet, even if they don’t have an account.
Enterprise admins & users should upgrade immediately to the patched versions or disable HTTP/2 to reduce the risk. Keeping Jenkins up to date and following good security practices along with restricting user permissions and monitoring logs is essential to prevent attacks and maintain the stability and safety of software delivery pipelines.