Exploitable Command Injection in F5 BIG-IP (CVE-2025-20029)
F5 BIG-IP
Continue ReadingSecurity advisory
Authentication Bypass Vulnerability in FortiOS & FortiProxy
Summary
A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2025-24472 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS FortiProxy | Critical | FortiOS v7.0 – v7.0.16 FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 |
Technical Summary
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-24472 | An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands |
Recommendations:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below
| Version | Fixes and Releases |
| FortiOS 7.0 – 7.0.16 | Upgrade to 7.0.17 or latest version |
| FortiProxy 7.0 – 7.0.19 | Upgrade to 7.0.20 or latest version |
| FortiProxy 7.2 – 7.2.12 | Upgrade to 7.2.13 or latest version |
Workarounds:
Below are some workarounds provided by the Fortinet team.
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface via local-in policies
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”
References:
7Zip Mark-Of-The-Web Vulnerability
A high severity vulnerability in 7-Zip is exploiting in the wild. This vulnerability, identified as a Mark-of-the-Web (MoTW) bypass, allows attackers to craft a double archive file that, when extracted, bypasses MoTW protections.
| OEM | 7Zip |
| Severity | High |
| CVSS | 7.0 |
| CVEs | CVE-2025-0411 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The vulnerability enables threat actors to create archives containing malicious scripts or executables, which, due to the flaw, will not receive the usual MoTW protection.
This exposes Windows users to potential attacks and has recently been added to the CISA Known Exploited Vulnerabilities Catalog. Furthermore, a Proof of Concept (PoC) for this vulnerability has been publicly released, increasing the risk of exploitation.
7-Zip vulnerability allows attackers to bypass the Mark of the Web (MotW) Windows security feature and was exploited by Russian hackers as a zero-day since September 2024.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| MOTW Bypass vulnerability | CVE-2025-0411 | 7zip | High |
Technical Summary
This vulnerability bypasses the Mark-of-the-Web (MoTW) feature, a security measure in Windows operating systems that flags files originating from the internet as potentially untrusted. MoTW is typically applied to files like downloaded documents, images, or executable files, which prompts a warning when opened. However, this vulnerability occurs when 7-Zip fails to properly propagate MoTW protections to files inside double-encapsulated archives.
An attacker can craft an archive containing another archive (a “double archive”), and 7-Zip did not properly propagate MoTW protections to the content to the inner archive.
This flaw allows any malicious content in the inner archive to be executed without triggering any security warnings. Consequently, this exposes Windows users to the risk of remote code execution and other malicious activities.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-0411 | 7Zip Prior to v24.09 | This flaw allows attackers to execute arbitrary code through double-encapsulated archives that bypass MoTW protections. | Arbitrary remote code injection, potential system compromise |
Remediation:
Update 7zip to v24.09 or the latest version. Installing the latest version will ensure that vulnerability is addressed, protecting systems from potential exploitation.
Generic Recommendations
- Exercise Caution with File Extraction: Always verify the source before extracting files, especially from unfamiliar or untrusted sources.
- Enhance User Awareness: Educate users on identifying phishing attempts and avoiding clicks on suspicious links or attachments.
- Monitor for Anomalies: Continuously monitor systems for signs of exploitation, unusual file extraction behaviors, or unauthorized access attempts.
Conclusion
The MoTW bypass vulnerability in 7-Zip represents a serious security concern for Windows users, as it allows attackers to circumvent protective measures and execute malicious code. Updating to the latest version of 7-Zip is the recommended action to ensure systems are protected against this vulnerability.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-0411
- https://www.zerodayinitiative.com/advisories/ZDI-25-045/
- https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
- https://cybersecuritynews.com/poc-exploit-released-for-7-zip-vulnerability/
- https://github.com/dhmosfunk/7-Zip-CVE-2025-0411-POC
#CyberSecurity #7Zip #SecurityAdvisory #VulnerabilityManagement #CISO #CXO #PatchManagement #Intrucept
Active Exploitation of Microsoft Outlook RCE Vulnerability (CVE-2024-21413)
A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.
CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.
| OEM | Microsoft |
| Severity | Critical |
| CVSS | 9.8 |
| CVEs | CVE-2024-21413 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2024-21413 | Microsoft | Critical |
Technical Summary
The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files.
By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-21413 | Microsoft Office LTSC 2021, Microsoft 365 Apps, Microsoft Outlook 2016, Microsoft Office 2019 | Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks. | NTLM credential theft, remote code execution, potential full system compromise |
Remediation:
- Apply Security Patches: Ensure that all the Microsoft Office products are updated with the latest security patches.
- Disable NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft.
General Remediation:
- Monitor Network Activity: Watch unusual outbound connections to attacker-controlled servers.
- User Awareness Training: Educate employees on recognizing phishing attempts and avoiding click on suspicious links or attachments.
- Enable Advanced Threat Protection: Use security tools like Microsoft Defender to enhance security monitoring and detection.
- Regularly Update Software: Maintain a routine patching schedule to ensure all systems are protected against known vulnerabilities.
- Restrict Macros and External Content: Configure Microsoft Office to block macros and disable automatic external content execution.
Conclusion:
The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action.
References:
Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild
Summary
OEM | Microsoft |
Severity | Critical |
CVSS Score | 7.8 |
CVE | CVE-2024-49138 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Publicly POC Available | Yes |
Overview
The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.
Vulnerability Name | CVE ID | Product Affected | Severity |
CLFS Privilege Escalation | CVE-2024-49138 | Microsoft Windows | High |
Technical Summary
CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-49138 | Windows 10, Windows 11, Windows Server 2008–2025 | Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released. | Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device. |
Remediations
- Update Systems: Apply Microsoft’s December 2024 patches without delay.
- Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
- Limit Access: Implement robust access controls and harden systems.
Conclusion:
The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.
References
- https://securityonline.info/zero-day-vulnerability-in-windows-exploited-cve-2024-49138-poc-code-released/
- https://github.com/MrAle98/CVE-2024-49138-POC?tab=readme-ov-file
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-49138
- https://intruceptlabs.com/2024/12/microsoft-december-2024-patch-tuesday-critical-fixes-for-zero-day-and-remote-code-execution/
Banshee Stealer: A Growing Threat to macOS Users
Overview
Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS.
Key Threat Details:
Malware Capabilities:
- Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security.
- User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access.
- Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging.
C&C decryption Source: Cybersecurity News
Evasion Tactics:
- Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems.
- Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods.
Distribution Mechanisms:
- Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files.
- Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware.
Repository releases source: Cybersecurity News
Recent Developments:
- Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally.
- Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape.
Impact:
- Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses.
- Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications.
- Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide.
Indicators of Compromise (IOCs):
The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link .
| IP Address and Domain | File Hash |
| 41.216.183[.]49 | 00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93 |
| Alden[.]io | 1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416 |
| api7[.]cfd | 3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab |
| Authorisev[.]site | b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114 |
Recommendations:
To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures:
- Avoid Untrusted Downloads:
- Refrain from downloading software from unverified sources, particularly free or “cracked” versions.
- Verify the authenticity of GitHub repositories before downloading any files.
- Strengthening System Defenses:
- Regularly update macOS and all installed applications to patch known vulnerabilities.
- Deploy advanced security solutions with real-time threat detection and proactive intelligence.
- Enhance Awareness and Training:
- Educate users on identifying phishing websites and suspicious downloads.
- Encourage caution when responding to system prompts or entering credentials.
- Enable Two-Factor Authentication (2FA):
- Secure accounts with 2FA to minimize the impact of stolen credentials.
- Monitor System Activity:
- Regularly review system logs for unauthorized changes or suspicious activity.
- Use tools to monitor unexpected outgoing data transmissions.
- Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.
- Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early.
Conclusion:
The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats.
References:
Security Update for NVIDIA Base Command & Bright Cluster Managers
NVIDIA has issued a security advisory addressing a critical vulnerability (CVE-2024-0138) discovered in its Base Command Manager software. This flaw, located within the CMDaemon component, poses significant risks, including the potential for remote code execution, denial of service, privilege escalation, information disclosure, and data tampering.
What does the Vulnerability mean
The source of the vulnerability was from insecure temporary file handling, which could lead to a denial of service (DoS) condition on affected systems.
NVIDIA has released patches to address the issue and prevent potential exploitation. This critical flaw can be exploited remotely without any prerequisites, such as user interaction or special privileges, making it highly dangerous.
| Vulnerability Name | CVE ID | Product Affected | Impact | Fixed Version |
| Insecure Temporary File Vulnerability | CVE-2024-0139 | NVIDIA Base Command Manager, Bright Cluster Manager | Medium | Base Command Manager: 10.24.09a; Bright Cluster Manager: 9.0-22, 9.1-19, 9.2-17 |
Technical Summary
NVIDIA confirmed earlier versions, including 10.24.07 and earlier, are not impacted by this vulnerability.
To mitigate the issue, NVIDIA recommends updating the CMDaemon component on all head nodes and software images.
Remediation:
1. Base Command Manager
- Update to version 10.24.09a to address the vulnerability.
2. Bright Cluster Manager
- Depending on your version, update to one of the following:
- 9.0-22
- 9.1-19
- 9.2-17
3. CMdaemon Update
- Ensure the most recent version of CMdaemon is installed on the head nodes and in all software images.
4. Node Update .
After applying the update, systems should be rebooted or resynchronized with the updated software image to ensure the fix is fully implemented. These measures are essential to eliminate the root cause that created vulnerability and protect systems from potential exploitation.
References:
- For additional details on the vulnerability and patch instructions, visit NVIDIA’s security bulletin.
| CVE ID | System Affected | Platform | Vulnerability Details | Impact |
| CVE-2024-0139 | NVIDIA Base Command Manager (Versions 3, 10) NVIDIA Bright Cluster Manager (Versions 9.0-9.2) | Linux | The vulnerability stems from insecure handling of temporary files in both Base Command Manager and Bright Cluster Manager. Exploiting this flaw could disrupt system availability, potentially causing a denial of service. | Potential denial of service on affected systems. |
- ‹ Previous
- 1
- 2
- 3