Infosec

New Exploit Allows Remote Code Execution in Apache Tomcat

Patch Without Delay

OEM	Apache
Severity	Critical
CVSS	9.8
CVEs	CVE-2025-24813
Exploited in Wild	Yes
POC Available	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

The CVE-2025-24813 is recently identified Apache Tomcat vulnerability that is being actively exploited in the wild. Under certain circumstances, this vulnerability permits information disclosure and remote code execution (RCE).

A two-step exploit procedure can be used by attackers to take over compromised systems. Patching became more urgent after a proof-of-concept (PoC) vulnerability was made public within 30 hours of disclosure.

Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

Vulnerability Name	CVE ID	Product Affected	Severity
Remote Code Execution Vulnerability	CVE-2025-24813	Apache Tomcat	Critical

Technical Summary

The vulnerability arises from Tomcat’s handling of PUT and GET requests in environments where specific configurations are enabled. Exploitation requires:

Writes enabled for the default servlet

Partial PUT support enabled

Security-sensitive files stored in a sub-directory of public uploads

Attacker knowledge of the file names

Use of file-based session persistence

Successful exploitation allows attackers to upload malicious Java session files via a PUT request and trigger deserialization through a GET request, leading to RCE. A PoC exploit has been publicly released, making detection and mitigation critical.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24813	Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98	Exploits PUT and GET request handling, allowing arbitrary file injection and execution.	Remote Code Execution, Information Disclosure.

Remediation:

Update the Apache Tomcat versions to the latest one v11.0.3, v10.1.35, v9.0.99 to mitigate the vulnerability.

General Recommendations:

Disable partial PUT support: Prevent attackers from leveraging the exploit by disabling this feature if not required.

Restrict access to sensitive files: Ensure security-sensitive files are not stored in publicly accessible directories.

Implement authentication controls: Strengthen authentication and authorization for file upload operations.

Enhance API security: Deploy real-time API security solutions to detect and block malicious PUT requests.

Conclusion:

CVE-2025-24813 represents a significant security risk, with active exploitation already observed. The availability of a public PoC exploit further increases the likelihood of widespread attacks. The ease of exploitation and the potential for severe consequences make it critical for affected organizations to apply the latest patches immediately. Additionally, security teams should enhance monitoring for suspicious PUT and GET request patterns to mitigate this attack technique.

References:

https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

https://xmcyber.com/blog/cve-2025-24813-critical-apache-tomcat-vulnerability-already-being-exploited-patch-now/

Multiple High-Severity Vulnerabilities Patched in Zoom

Summary

Multiple high-severity vulnerabilities have been identified in Zoom applications, including Zoom Workplace, Rooms Controller, Rooms Client, and Meeting SDK, causing exposure of Sensitive Data.

The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free) CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps).

All rated high severity with CVSS scores ranging from 7.1 to 8.5.

OEM	Zoom
Severity	High
CVSS	8.5
CVEs	CVE-2025-27440, CVE-2025-27439, CVE-2025-0151, CVE-2025-0150, CVE-2025-0149
Publicly POC Available	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

These vulnerabilities could allow attackers to escalate privileges, execute arbitrary code, or cause denial-of-service (DoS) attacks. Zoom has released patches addressing these issues in version 6.3.0.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score
Heap-Based Buffer Overflow Vulnerability	CVE-2025-27440	ZOOM	High	8.5
Buffer Underflow Vulnerability	CVE-2025-27439	ZOOM	High	8.5
Use-After-Free Vulnerability	CVE-2025-0151	ZOOM	High	8.5
Incorrect Behavior Order Vulnerability	CVE-2025-0150	ZOOM	High	7.1
Insufficient Data Verification Vulnerability	CVE-2025-0149	ZOOM	Medium	6.5

Technical Summary

These vulnerabilities could be exploited to gain unauthorized access, execute arbitrary code, or disrupt services through privilege escalation and memory corruption techniques. Exploitation requires authentication and network access, posing a risk to enterprise users.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-27440	Zoom Workplace Apps ( Windows, macOS, and Linux, as well as mobile apps for iOS and Android.)	Heap-based buffer overflow, allowing attackers to inject malicious code	Privilege Escalation
CVE-2025-27439	Zoom Workplace Apps	Buffer underflow, leading to unexpected crashes or data leakage	Denial of Service, Data Exposure
CVE-2025-0151	Zoom Workplace Apps	Use-after-free issue leading to memory corruption and arbitrary code execution	Privilege Escalation
CVE-2025-0150	Zoom Workplace Apps (iOS)	Incorrect behavior order allowing unauthorized access to authentication tokens	Information Disclosure
CVE-2025-0149	Zoom Workplace Apps	Insufficient verification of data authenticity, allowing malformed network packets to bypass security checks	Denial of Service

Remediation:

Apply Patches Promptly: Ensure all Zoom applications are updated to version 6.3.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.

Conclusion:

The recent vulnerabilities in Zoom highlight the ongoing challenges in securing widely used communication platforms. While Zoom has acted swiftly in providing patches, the recurrence of memory corruption and input validation flaws suggests architectural challenges.

Organizations should maintain a proactive security stance, ensuring timely updates and implementing stringent controls to safeguard sensitive data.

Organizations must treat Zoom not as a neutral utility but as a high-risk vector requiring stringent controls.

References:

https://www.zoom.com/en/trust/security-bulletin/?pageSize=20&page=3&sort=newestupdated

https://cybersecuritynews.com/multiple-zoom-client-vulnerabilities/

PoC Released for High-Severity Linux Kernel UVC Driver Vulnerability

OEM	Linux
Severity	HIGH
CVSS	7.8
CVEs	CVE-2024-53104
Actively Exploited	Yes
Publicly POC Available	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

CVE-2024-53104 is a high-severity out-of-bounds write vulnerability in the Linux kernel’s USB Video Class (UVC) driver, leading to privilege escalation. The issue affects Linux kernel versions 2.6.26 and later. The vulnerability has gained renewed attention as a proof-of-concept (PoC) exploit has now been publicly released, increasing the risk of exploitation. A patch has been released to address this vulnerability, but unpatched systems remain at high risk.

Vulnerability Name	CVE ID	Product Affected	Severity
out-of-bounds write vulnerability	CVE-2024-53104	Linux Kernel	High

Technical Summary

The vulnerability exists in the uvc_parse_format function of the UVC driver (uvc_driver.c). It arises due to improper parsing of UVC_VS_UNDEFINED frames, leading to incorrect buffer allocation and out-of-bounds writes.

An attacker could exploit this flaw by inserting a malicious USB device or manipulating video streams, potentially leading to memory corruption, privilege escalation, or arbitrary code execution.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-53104	Linux Kernel (2.6.26 and later)	Incorrect parsing of `UVC_VS_UNDEFINED` frames in `uvc_parse_format`, leading to miscalculated buffer sizes and memory corruption.	Privilege escalation, system instability, arbitrary code execution

Remediation:

Apply Security Patches: Ensure that the latest security patches provided by the Linux distribution maintainers are promptly applied to mitigate vulnerability.

Recommendations

Implement USB Device Control Policies: Organizations should establish and enforce USB device control policies to prevent unauthorized usage and ensure only approved devices can be connected.
Deploy Log Monitoring and Analysis Tools: Implement security monitoring tools to continuously monitor logs for potential security incidents, such as exploitation attempts or suspicious activity.

Conclusion:

CVE-2024-53104 is a major vulnerability that poses a substantial risk to Linux systems since it allows for privilege escalation and arbitrary code execution. Users and administrators are strongly urged to apply the latest security patches to mitigate the risk of exploitation. Additionally, implementing a multi-layered security approach can further enhance system protection.

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) list, emphasizing the need for immediate remediation.

CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks.

References:

https://cybersecuritynews.com/poc-exploit-linux-kernel-write-vulnerability/
https://hackyboiz.github.io/2025/03/08/j0ker/2025-03-08/
https://lore.kernel.org/linux-cve-announce/2024120232-CVE-2024-53104-d781@gregkh/T/

Critical Security Flaw in Kibana Requires Immediate Attention

Kibana is a robust tool for data visualization and exploration that can be used to search, examine, and track data that is stored in Elasticsearch. A vital part of many organizations’ data analysis procedures, it offers real-time insights through interactive dashboards.

Elastic released security updates to address a critical vulnerability, tracked as CVE-2025-25012 (CVSS score of 9.9), impacting the Kibana data visualization dashboard software for Elasticsearch.

OEM	Elastic
Severity	Critical
CVSS	9.9
CVEs	CVE-2025-25012
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A critical security vulnerability (CVE-2025-25012) has been identified in Kibana, affecting versions 8.15.0 to 8.17.2. The flaw allows attackers to execute arbitrary code, potentially compromising affected systems. Elastic has released a patch in Kibana version 8.17.3to address this issue, and users are strongly advised to update immediately.

Vulnerability Name	CVE ID	Product Affected	Severity
Arbitrary code execution Vulnerability	CVE-2025-25012	Elastic	Critical

Technical Summary

This vulnerability arises from improper handling of JavaScript object prototypes in Kibana’s file upload and HTTP request processing functionalities.

Attackers can exploit this flaw to inject malicious payloads, modify application behavior, and execute arbitrary code. The vulnerability is classified under CWE-1321 (Improper Control of Prototype-Based Attribute Modifications) and aligns with the MITRE ATT&CK framework under tactic T1059 (Command and Scripting Interpreter).

Affected Versions and Exploitation Conditions:

Kibana 8.15.0 – 8.17.0: Exploitable by users with the Viewer role.

Kibana 8.17.1 – 8.17.2: Requires privileges fleet-all, integrations-all, and actions:execute-advanced-connectors.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-25012	Kibana 8.15.0 – 8.17.2	Prototype pollution via crafted file uploads and HTTP requests, allowing manipulation of JavaScript object properties and security controls.	Remote Code Execution, Unauthorized Data Access, Lateral Movement

Remediation:

Upgrade: Elastic has released a security patch to address the issue. It is highly recommended to upgrade to Kibana 8.17.3 or a later version

Temporary Mitigation: If upgrading is not feasible in the short term, apply the following measure to reduce risk:

Disable the Integration Assistant feature by setting xpack.integration_assistant.enabled: false in kibana.yml.

Conclusion:

Organizations utilizing Kibana should take urgent action to patch CVE-2025-25012 by upgrading to version 8.17.3.

The vulnerability is highly severe, particularly for environments using Kibana for security monitoring, as attackers could exploit this flaw to disable alerts and manipulate detection pipelines. If patching is not immediately possible, temporary mitigations should be applied to reduce the risk of exploitation. Ensuring real-time vulnerability monitoring and implementing strict access controls are also recommended to safeguard against similar threats in the future.

References:

https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441

https://nvd.nist.gov/vuln/detail/CVE-2025-25015

https://thehackernews.com/2025/03/elastic-releases-urgent-fix-for.html

Image

Critical VMware Vulnerabilities Exploited in the Wild – Patch Immediately

Broadcom released a security alert on Tuesday morning to warn VMware customers about three zero-days that have been exploited in the wild.

Critical Vulnerabilities in IBM Storage: Authentication Bypass and Code Execution Risks

Critical Vulnerabilities in IBM Storage:

Decade-Old Threat: CVE-2018-8639 Still Poses Risks to Unpatched Windows Systems

CVE-2018-8639 is a privilege escalation flaw in the Win32k component of Microsoft Windows that lets attackers run any code in kernel mode. This vulnerability, which was first fixed by Microsoft in December 2018, still poses a risk to unpatched computers.

OEM	Microsoft
Severity	High
CVSS	7.8
CVEs	CVE-2018-8639
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview on Vulnerability

The vulnerability gives hackers the ability to install persistent malware, get around security measures, and alter system operations covertly. The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, further highlighting its ongoing threat.

Vulnerability Name	CVE ID	Product Affected	Severity
Privilege Escalation Vulnerability	CVE-2018-8639	Windows	High

Technical Summary

The vulnerability exists within the Win32k.sys driver, which handles graphical user interface (GUI) interactions.

Designated as CWE-404: Improper Resource Shutdown or Release, the flaw enables authenticated local attackers to improperly release system resources, leading to privilege escalation. Exploiting this vulnerability grants kernel-mode execution rights, allowing attackers to bypass security mechanisms, install persistent malware, and manipulate system functions without detection.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2018-8639	Windows 7, 8.1, 10, RT 8.1, Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019	Improper Resource Shutdown or Release in Win32k.sys driver, enabling privilege escalation.	System compromise, unauthorized access, potential malware persistence

Remediation:

Organizations and individuals must apply Microsoft’s security updates released in December 2018 (KB4483235) to mitigate the risk.

Additionally, it is essential to apply all available updates from Windows to ensure comprehensive protection against known vulnerabilities.

General Recommendations:

Implement network segmentation to isolate critical assets and minimize the impact of potential security breaches.

Adopting the principle of least privilege (PoLP) to limit user access.

Continuous monitoring of anomalous kernel-mode activities.

Conclusion:

Unpatched Windows systems are particularly vulnerable, especially in industrial control systems (ICS) and healthcare facilities where obsolete software is ubiquitous. While Microsoft has fixed the issue, firms that rely on legacy systems must implement additional security measures. Cyber adversaries are always refining their exploitation techniques, making proactive security strategies critical to reducing risk.

References:

https://nvd.nist.gov/vuln/detail/cve-2018-8639

https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exploited-vulnerabilities-catalog

https://github.com/ze0r/CVE-2018-8639-exp

Wazuh Server Vulnerability (CVE-2025-24016) Exposes Systems to RCE Attacks

Wazuh Server Vulnerability

High-Severity DoS Vulnerability in Cisco NX-OS Software

MPLS Encapsulated IPv6 Denial of Service Vulnerability

OEM	CISCO
Severity	High
CVSS score	7.4
CVEs	CVE-2025-20111
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A high-severity vulnerability (CVE-2025-20111) in Cisco Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode could allow unauthenticated attackers to trigger a denial-of-service (DoS) condition by sending crafted ethernet frames, leading to unexpected device reloads.

Vulnerability Name	CVE ID	Product Affected	Severity
Denial of service vulnerability	CVE-2025-20111	Cisco Nexus	High

Technical Summary

The vulnerability originates from improper handling of specific Ethernet frames within the health monitoring diagnostics of Cisco Nexus switches.

An unauthenticated, adjacent attacker can exploit this flaw by sending a sustained rate of crafted Ethernet frames to a vulnerable device. Successful exploitation results in repeated device reloads, disrupting network operations and potentially impacting high-availability environments.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20111	Nexus 3000 Series: 3100, 3200, 3400, and 3600 models Nexus 9000 Series: 9200, 9300, and 9400 switches running standalone NX-OS	Improper handling of specific Ethernet frames in health monitoring diagnostics	Repeated device reboots, potential network downtime

Remediation:

Apply Software Updates: Cisco has released patched software versions to address the vulnerability. Network administrators should upgrade affected devices immediately.

Use Cisco Software Checker: Organizations should verify their exposure using Cisco’s Software Checker tool to identify the earliest fixed release.

Implement Workarounds: If immediate patching is not feasible, organizations can mitigate risks using Access Control Lists (ACLs) to filter anomalous Ethernet frames targeting the health monitoring subsystem.

Conclusion:

CVE-2025-20111 presents a significant risk to enterprise and data center networks relying on Cisco Nexus switches. While there is no known active exploitation, organizations should prioritize patching and mitigation strategies to prevent service disruptions. Proactive monitoring and adherence to Cisco’s security advisories will help ensure network resilience against potential exploitation.

References: