Wazuh Server Vulnerability (CVE-2025-24016) Exposes Systems to RCE Attacks
Wazuh Server Vulnerability
Continue ReadingPatching
High-Severity DoS Vulnerability in Cisco NX-OS Software
MPLS Encapsulated IPv6 Denial of Service Vulnerability
| OEM | CISCO |
| Severity | High |
| CVSS score | 7.4 |
| CVEs | CVE-2025-20111 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A high-severity vulnerability (CVE-2025-20111) in Cisco Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode could allow unauthenticated attackers to trigger a denial-of-service (DoS) condition by sending crafted ethernet frames, leading to unexpected device reloads.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Denial of service vulnerability | CVE-2025-20111 | Cisco Nexus | High |
Technical Summary
The vulnerability originates from improper handling of specific Ethernet frames within the health monitoring diagnostics of Cisco Nexus switches.
An unauthenticated, adjacent attacker can exploit this flaw by sending a sustained rate of crafted Ethernet frames to a vulnerable device. Successful exploitation results in repeated device reloads, disrupting network operations and potentially impacting high-availability environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-20111 | Nexus 3000 Series: 3100, 3200, 3400, and 3600 models Nexus 9000 Series: 9200, 9300, and 9400 switches running standalone NX-OS | Improper handling of specific Ethernet frames in health monitoring diagnostics | Repeated device reboots, potential network downtime |
Remediation:
- Apply Software Updates: Cisco has released patched software versions to address the vulnerability. Network administrators should upgrade affected devices immediately.
- Use Cisco Software Checker: Organizations should verify their exposure using Cisco’s Software Checker tool to identify the earliest fixed release.
- Implement Workarounds: If immediate patching is not feasible, organizations can mitigate risks using Access Control Lists (ACLs) to filter anomalous Ethernet frames targeting the health monitoring subsystem.
Conclusion:
CVE-2025-20111 presents a significant risk to enterprise and data center networks relying on Cisco Nexus switches. While there is no known active exploitation, organizations should prioritize patching and mitigation strategies to prevent service disruptions. Proactive monitoring and adherence to Cisco’s security advisories will help ensure network resilience against potential exploitation.
References:
Zero-Day Vulnerability in Microsoft Sysinternals Tools
Summary
A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 2025-02-05 |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability Name | Zero-Day |
Overview
Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| zero-day | Not Yet Assigned | Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others) | High | Arbitrary Code Execution, Privilege Escalation, Malware Deployment |
Technical Summary
The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories.
The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as:
- The Current Working Directory (CWD)
- Network locations (e.g., shared drives)
- User-writable paths over secure system directories
This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL.
Exploit Workflow
- Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan.
- The DLL is placed in the same directory as a vulnerable Sysinternals tool.
- The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory.
- The malicious DLL is loaded instead of the legitimate system DLL.
- Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights).
Recommendations
- Avoid Running Sysinternals Tools from Network Locations
- Always copy tools to a local trusted directory before execution.
- Disable execution of .exe files from network drives if feasible.
- Restrict DLL Search Paths
- Use SafeDLLSearchMode to prioritize secure directories.
- Implement DLL redirection to force tools to load DLLs from trusted paths.
- Implement Application Control Policies
- Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading.
- Restrict execution of Sysinternals tools to trusted admin-only directories.
- Verify DLL Integrity Before Execution
- Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed.
- Block execution of unsigned or suspicious DLLs in sensitive directories.
- Monitor for Suspicious DLL Loading Behavior
- Enable Sysmon logging to detect anomalous DLL loads (Event ID 7).
- Monitor for executions of Sysinternals tools from network shares (Event ID 4688).
Conclusion
Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.
The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems.
References:
Critical Authentication Bypass Vulnerability in CybersFortinet Products Under Active Exploitation
Summary
Fortinet recently announced a critical severity vulnerability affecting the FortiOS and FortiProxy products.
A critical Zero-day vulnerability with a CVSSv3 score of 9.6 that affects FortiOS and FortiProxy. Categorised as an “Authentication Bypass Using an Alternate Path or Channel” vulnerability (CWE-288), the flaw allows an attacker to circumvent authentication.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2024-55591 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
According to data from the Shadowserver Foundation, almost 50,000 devices are still unpatched as of January 20, 2025.
The vulnerability, which has been actively exploited since November 2024, enables unauthenticated attackers to obtain super-admin privileges through specially crafted requests to the Node.js websocket module. Although patches have been released, but a large number of devices remain exposed and vulnerable.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Authentication Bypass Vulnerability | CVE-2024-55591 | FortiOS and FortiProxy | Critical |
Technical Summary
CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. Exploiting this flaw allows remote attackers to gain super-admin privileges by sending specially crafted requests to the Node.js websocket module. This can lead to unauthorized administrative access, enabling attackers to modify firewall configurations, extract credentials, and move laterally within compromised environments.
Impact by Region (Unpatched Devices)
- Asia: 20,687 devices
- North America: 12,866 devices
- Europe: 7,401 devices
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-55591 | FortiOS 7.0.0 – 7.0.16, FortiProxy 7.0.0 – 7.0.19, FortiProxy 7.2.0 – 7.2.12 | Crafted requests to Node.js WebSocket module bypass authentication and allow attackers to gain super-admin privileges. | Unauthorized administrative access, credential extraction, and lateral movement. |
Remediation:
- Upgrade Firmware:
- FortiOS: Update to version 7.0.17 or latest
- FortiProxy: For 7.0.x version update to v7.0.20 or latest and for 7.2.x version update to v7.2.13 or latest
- Restrict Administrative Interface Access:
- Disable HTTP/HTTPS interfaces or limit access to trusted IP addresses using local-in policies.
- Enable Multi-Factor Authentication (MFA):
- Enforce MFA on all administrative accounts to reduce the risk of unauthorized access.
- Monitor Suspicious Activities:
- Check for unauthorized admin accounts, suspicious logins, or unexpected changes in firewall configurations.
Conclusion:
The exploitation of CVE-2024-55591 underscores the critical importance of timely patch management and robust security practices. Organizations using Fortinet products should act swiftly to apply the necessary updates and implement recommended security measures to protect their networks from potential attacks.
References:
- https://www.fortiguard.com/psirt
- https://cybersecuritynews.com/50000-fortinet-firewalls-remain-vulnerable-to-critical-zero-day-exploit/
- https://dashboard.shadowserver.org/statistics/combined/map/?map_type=std&day=2025-01-19&source=http_vulnerable&source=http_vulnerable6&tag=cve-2024-55591%2B&geo=all&data_set=count&scale=log
Hashtags
Banshee Stealer: A Growing Threat to macOS Users
Overview
Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS.
Key Threat Details:
Malware Capabilities:
- Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security.
- User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access.
- Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging.
C&C decryption Source: Cybersecurity News
Evasion Tactics:
- Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems.
- Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods.
Distribution Mechanisms:
- Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files.
- Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware.
Repository releases source: Cybersecurity News
Recent Developments:
- Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally.
- Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape.
Impact:
- Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses.
- Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications.
- Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide.
Indicators of Compromise (IOCs):
The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link .
| IP Address and Domain | File Hash |
| 41.216.183[.]49 | 00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93 |
| Alden[.]io | 1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416 |
| api7[.]cfd | 3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab |
| Authorisev[.]site | b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114 |
Recommendations:
To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures:
- Avoid Untrusted Downloads:
- Refrain from downloading software from unverified sources, particularly free or “cracked” versions.
- Verify the authenticity of GitHub repositories before downloading any files.
- Strengthening System Defenses:
- Regularly update macOS and all installed applications to patch known vulnerabilities.
- Deploy advanced security solutions with real-time threat detection and proactive intelligence.
- Enhance Awareness and Training:
- Educate users on identifying phishing websites and suspicious downloads.
- Encourage caution when responding to system prompts or entering credentials.
- Enable Two-Factor Authentication (2FA):
- Secure accounts with 2FA to minimize the impact of stolen credentials.
- Monitor System Activity:
- Regularly review system logs for unauthorized changes or suspicious activity.
- Use tools to monitor unexpected outgoing data transmissions.
- Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.
- Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early.
Conclusion:
The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats.
References:
Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released
Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released
OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.
Summary
| Application | OpenSSH |
| Severity | High |
| CVSS | 8.1 |
| CVEs | CVE-2024-6387 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.
A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns.
The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Race Condition vulnerability | CVE-2024-6387 | OpenSSH (8.5p1–9.8p1) | High | OpenSSH 9.8p2 or later |
Technical Summary
CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.
Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-6387 | OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems | Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). | Remote Code Execution (Root Privileges) |
Impact:
This Vulnerability if exploited could lead to complete system takeover.
Remediation:
- Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue.
- Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges.
- Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns.
Indicators of Compromise (IOCs):
| IP Address / Hostname | File Hash |
| 209.141.53[.]247 | 0df799f05c6d97e2b7d4b26c8e7246f7 |
| 108.174.58[.]28 | 11cc5f00b466d4f9be4e0a46f2eb51ae |
| 195.85.205[.]47 | 1f452448cea986aedc88ba50d48691f7 |
| 62.72.191[.]203 | 207eb58423234306edaecb3ec89935d8 |
| botbot.ddosvps.cc |
Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387
Conclusion:
The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.
Swift patching and the adoption of layered security measures are imperative to mitigate the risks.
Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability.
References:
- https://nvd.nist.gov/vuln/detail/cve-2024-6387
- https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/
Denial of Service Vulnerability in DNS Security Feature of Palo Alto Networks PAN-OS
Summary
| OEM | Palo Alto |
| Severity | High |
| CVSS | 8.7 |
| CVEs | CVE-2024-3393 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A Denial-of-Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| (DoS) in DNS Security Using a Specially Crafted Packet | CVE-2024-3393 | Palo Alto | High | PAN-OS 11.2 – < 11.2.3* PAN-OS 11.1 – < 11.1.5* PAN-OS 10.2 – >= 10.2.8*, <10.2.14* PAN-OS 10.1 – >= 10.1.14*, <10.1.15* |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-3393 | Palo Alto PAN-OS | CVE-2024-3393 is a high-severity DoS vulnerability in Palo Alto Networks PAN-OS exists in the DNS Security feature, where malformed DNS packets are improperly parsed and logged. If exploited, this vulnerability enables an unauthenticated attacker to remotely trigger a firewall reboot. Repeated exploitation attempts can cause the firewall to enter maintenance mode. CISA added it to the KEV catalog, with patching required by January 20, 2025. | Dos – Denial-of-Service |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant PAN-OS versions as listed below
| PAN-OS Version | Fixes and Releases |
| PAN-OS 11.1 | 11.1.2-h16, 11.1.3-h13, 11.1.4-h7, 11.1.5 |
| PAN-OS 10.2 | 10.2.8-h19, 10.2.9-h19, 10.2.10-h12, 10.2.11-h10, 10.2.12-h4, 10.2.13-h2, 10.2.14 |
| PAN-OS 10.1 | 10.1.14-h8, 10.1.15 |
| PAN-OS 10.2.9-h19 | Only applicable to Prisma Access |
| PAN-OS 10.2.10-h12 | Only applicable to Prisma Access |
| PAN-OS 11.0 | No fix (reached end-of-life status on November 17, 2024) |
Recommendations:
- Avoid Using EOL Versions:
- PAN-OS 11.0 is end-of-life (EOL) as of November 17, 2024. Ensure that you are not using this version and upgrade to be supported versions.
- Monitoring & Incident Response:
- Regularly monitor firewall logs for unusual behavior, especially DoS triggers.
- For Prisma Access Users (Workaround):
- Disable DNS Security logging across all NGFWs if patching cannot be applied immediately. This can be done by opening a support case with Palo Alto Networks.
References:
Adobe released Security updates Addressing critical ColdFusion vulnerability with (PoC) Exploit code
Adobe released security updates (APSB24-107) addressing an arbitrary file system vulnerability ColdFusion, identified as CVE-2024-53961, is linked to a path traversal weakness with proof-of-concept (PoC) exploit code.
This could allow attackers to exploit the flaw and gain unauthorized access to arbitrary files on vulnerable servers.
As per the updates Adobe ColdFusion versions 2023 and 2021 that addressed an arbitrary file proof-of-concept may enable attackers to read arbitrary files on vulnerable servers, potentially leading to unauthorized access and data exposure warns of critical ColdFusion bug with PoC exploit code.
Summary:
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe earlier gave statement cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
Key findings:
- The vulnerability, CVE-2024-53961, affects ColdFusion 2021 and 2023.
- Adobe has provided a patch to address the issue.
- The vulnerability can potentially lead to unauthorized access and data exposure
- The flaw has been given a Priority 1 severity rating, the highest possible level, due to its potential for exploitation in the wild.
- Adobe has highlighted the critical nature of these updates and classified the vulnerability with a CVSS base score of 7.4, signifying a threat to the security of affected systems.
Adobe has issued advisory
- Monitor systems for any signs of exploitation.
- Adobe has provided a patch to address the vulnerability remediation to mitigate the risk of exploitation.
- Consider implementing file system monitoring and logging to detect and prevent unauthorized file access.
Path traversal weakness in ColdFusion; CVE-2024-53961
What is Path Traversal?
Hackers uses a tactics by Tricking a web application into displaying the contents of a directory that was not on request by user to gain access to sensitive files on a server.
The path traversal weakness in ColdFusion could be exploited by an attacker to perform unauthorized file system reads on affected servers.
This means that an attacker could manipulate file paths to access sensitive files that are otherwise restricted. This kind of vulnerability can lead to exposure of critical system information, unauthorized access and data exposure.
Reference: https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/
- ‹ Previous
- 1
- 2
- 3
Recent Comments