Corporate Employees Targeted by Vidar Malware
The purpose of Vidar malware is to infiltrate systems and deploy a payload to extract sensitive data.
Continue ReadingSOC
Critical YARA Vulnerability Exposes Linux Systems – Patch Now
Summary : YARA is an open-source pattern matching engine widely used by malware researchers, SOC teams, and threat intelligence platforms to identify and classify malware using detection rules. It plays a critical role in malware analysis pipelines, endpoint detection systems, and threat hunting operations.
Kamil Frankowicz discovered that a number of YARA’s functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service.
| OEM | Virus Total / YARA Project (Tool) |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2021-3402, CVE-2021-45429, CVE-2019-19648, CVE-2018-19974, 2018-19975, 2018-19976 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Ubuntu has released a security advisory addressing multiple vulnerabilities in YARA that could allow attackers to cause denial-of-service conditions, disclose sensitive information, or potentially execute arbitrary code when processing specially crafted files or rules.
These vulnerabilities affect Ubuntu 16.04 LTS, 18.04 LTS, and 20.04 LTS depending on the specific issue. Organizations using YARA in security monitoring systems, malware sandboxes, or automated threat detection workflows should apply the security updates immediately.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| Mach-O Parser Overflow Read Vulnerability | CVE-2021-3402 | YARA | Critical | 9.1 | Updated Ubuntu packages |
| Mach-O File Parsing Out-of-Bounds Access | CVE-2019-19648 | YARA | High | 7.8 | Updated Ubuntu packages |
Technical Summary
The most critical vulnerability CVE-2021-3402 exists in the macho.c implementation used by YARA to parse Mach-O files.
The flaw allows specially crafted Mach-O files to trigger overflow reads, which could result in denial of service or potential information disclosure. Given its high CVSS score, this issue represents the most severe risk addressed in this advisory.
Another high-severity vulnerability CVE-2019-19648 affects the macho_parse_file() function. When parsing specially crafted Mach-O files, the function may trigger out-of-bounds memory access, potentially leading to application crashes or execution of malicious code in certain scenarios.
Because YARA is frequently integrated into malware analysis platforms and automated threat detection pipelines, successful exploitation could disrupt security monitoring operations or compromise malware analysis environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2021-3402 | YARA (Ubuntu 20.04) | Overflow read vulnerability in Mach-O parsing implementation | DoS, potential information disclosure |
| CVE-2019-19648 | YARA (Ubuntu 20.04) | Out-of-bound memory access during Mach-O file parsing | DoS or possible code execution |
Additional Vulnerabilities
The advisory also includes several medium-severity vulnerabilities affecting YARA components.
| CVE ID | Vulnerability Details | Impact |
| CVE-2021-45429 | Buffer overflow in yr_set_configuration() when parsing crafted rules | Denial of Service |
| CVE-2018-19976 | YARA virtual machine sandbox escape | Possible code execution |
| CVE-2018-19975 | VM sandbox escape vulnerability | Possible code execution |
| CVE-2018-19974 | Virtual machine security bypass | Possible code execution |
Potential Consequences
- Disruption of malware detection pipelines
- Denial of service in security analysis environments
- Information disclosure through crafted files
- Potential arbitrary code execution in analysis systems
- Reduced visibility in SOC threat detection workflows
Remediation
Upgrade affected packages immediately to the patched versions provided by Ubuntu are mentioning below-
Released patches
| Ubuntu Release | Package | Fixed Version |
| Ubuntu 20.04 LTS | libyara3 | 3.9.0-1ubuntu0.1 esm1 |
| yara | 3.9.0-1ubuntu0.1 esm1 | |
| Ubuntu 18.04 LTS | libyara3 | 3.7.1-1ubuntu2+esm1 |
| yara | 3.7.1-1ubuntu2+esm1 | |
| Ubuntu 16.04 LTS | libyara3 | 3.4.0+dfsg-2ubuntu0.1 esm1 |
| python-yara | 3.4.0+dfsg-2ubuntu0.1 esm1 | |
| python3-yara | 3.4.0+dfsg-2ubuntu0.1 esm1 | |
| yara | 3.4.0+dfsg-2ubuntu0.1 esm1 |
If immediate patching is not possible, apply the following temporary mitigations –
- Restrict scanning of untrusted files in automated YARA pipelines.
- Limit rule ingestion from untrusted sources.
- Monitor malware analysis systems for abnormal crashes.
- Limit exposure of YARA-based detection pipelines to untrusted Mach-O or .NET file inputs.
You can follow the recommendations below as the best practice.
- Regularly update malware detection tools.
- Validate YARA rules before deployment.
- Validate and sandbox file inputs before passing them to YARA for analysis.
- Implement least-privilege execution environments for YARA scanning processes.
- Monitor logs for abnormal process crashes or memory-related errors in YARA.
Conclusion:
Multiple vulnerabilities in YARA could allow attackers to disrupt malware detection processes or compromise analysis environments. The critical vulnerability CVE-2021-3402 and high-severity vulnerability CVE-2019-19648 pose the greatest risk and should be prioritized for remediation.
Organizations using YARA in SOC operations, malware analysis pipelines, or threat intelligence systems should apply the latest Ubuntu security updates immediately to maintain reliable threat detection capabilities.
References:
SolarWinds Serv-U15.5.4 Rocked by Critical RCE Vulnerabilities; Patch Now
Summary : SolarWinds has fixed four critical vulnerabilities in its popular Serv-U file transfer solution, which is used by businesses and organizations of all sizes. vulnerabilities impact SolarWinds Serv-U Managed File Transfer, a platform frequently deployed as an internet-facing FTP/FTPS/SFTP gateway or as an internal file exchange service handling sensitive data.
| OEM | SolarWinds |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
SolarWinds stated that there are no confirmed reports of active exploitation at this time. However, given previous Serv-U vulnerabilities were exploited by advanced threat actors.
SolarWinds Serv-U
is a secure file transfer server used by organizations to manage FTP, FTPS, SFTP, and HTTP/S file transfers across enterprise environments. It is commonly deployed on Windows and Linux servers to securely exchange sensitive business data.
SolarWinds fixed four critical remote code execution vulnerabilities in Serv-U 15.5. These vulnerabilities could allow an attacker with administrative privileges to execute arbitrary native code as root on the affected server.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| Broken Access Control Remote Code Execution Vulnerability | CVE-2025-40538 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Type Confusion Remote Code Execution Vulnerability | CVE-2025-40539 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Type Confusion Remote Code Execution Vulnerability | CVE-2025-40540 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
| Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability | CVE-2025-40541 | Serv-U | Critical | 9.1 | Serv-U 15.5.4 |
Technical Summary
These critical vulnerabilities affect SolarWinds Serv-U version 15.5 and arise from weaknesses such as improper access control checks, type confusion errors, and insecure object reference handling.
If exploited, they may allow an attacker to run arbitrary native code with root-level privileges on the affected server.
Successful exploitation requires administrative access. Once obtained, an attacker could create unauthorized administrator accounts, and execute malicious code, potentially resulting in complete system compromise and further movement across the network.
SolarWinds strongly advises upgrading to Serv-U version 15.5.4 to address these security risks.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-40538 | Serv-U 15.5 | Improper access control enabling admin creation and root-level code execution | Admin account creation, full system compromise |
| CVE-2025-40539 | Serv-U 15.5 | Type confusion enabling arbitrary native code execution as root | Arbitrary native code execution |
| CVE-2025-40540 | Serv-U 15.5 | Type confusion leading to root-level native code execution | Root-level execution |
| CVE-2025-40541 | Serv-U 15.5 | IDOR enabling unauthorized access and root-level code execution | Remote code execution as root |
Potential Consequences
- Full server takeover
- Privilege escalation
- Lateral movement within enterprise network
- Data exfiltration
- Malware or backdoor deployment
Remediation:
Upgrade immediately to Serv-U product with below mentioning fixed version-
- Serv-U 15.5.4
If immediate patching is not possible, apply the following temporary mitigations-
- Restrict Serv-U administrative access to trusted IP ranges.
- Enforce MFA for all Serv-U admin accounts.
- Ensure services run with least privilege.
- Conduct audit of newly created administrative accounts.
You can follow the recommendations below as a best practice-
- Enforce strict administrative access controls.
- Monitor logs for unauthorized privilege escalation.
- Implement network segmentation for file transfer servers.
- Apply regular patch management and vulnerability scanning.
Conclusion:
These four newly disclosed vulnerabilities in SolarWinds Serv-U represent critical remote code execution risks. Although exploitation has not been confirmed, Serv-U’s history of targeted attacks increases the urgency for patching.
Organizations should treat this as a priority patching event and immediately upgrade to Serv-U 15.5.4 to prevent potential root-level compromise.
References:
Critical Fortinet Vulnerability in FortiCloud SSO Authentication Bypass
FortiCloud Single Sign-On (SSO)
Continue Reading
Cyber Security Trends 2026; Cloud Environments, Identity systems & Third-Party Tools Key Area’s of Threat
Cyber Security Trends 2026; Cloud Environments, Identity systems & Third-Party Tools Key Area’s of Threat
Continue Reading
SonicWall Releases Patches in Actively Exploited Privilege Escalation Vulnerability
SonicWall has released a security update to fix a privilege escalation vulnerability in the SonicWall SMA1000 Appliance Management Console (AMC) that was tricked in zero-day attacks to escalate privileges.
Continue Reading
Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Continue Reading
Critical Fluent Bit Vulnerabilities Allow RCE & Cloud Infrastructure at Risk
Summary : Fluent Bit is a widely used opensource tool for collecting and forwarding logs in cloud and containers like Kubernetes environments. A chain of 5 critical vulnerabilities discovered by Oligo Security team and findings reveal that attackers can misuse via Remote code execution putting cloud and container at risk.
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, CVE-2025-12978 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities are CVE-2025-12977 CVE-2025-12970, CVE-2025-12969, CVE-2025-12978 , CVE-2025-12972. The vulnerabilities allow attackers to bypass authentication, manipulate log routing, achieve remote code execution, potentially leading to full compromise of cloud and Kubernetes environments using Fluent Bit for logging and observability.
Organizations relying on Fluent Bit must upgrade to the fixed versions and harden configurations to prevent remote takeover and log tampering.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| Fluent Bit Tag_Key Input Validation Bypass | CVE-2025-12977 | Fluent Bit | Critical | 9.1 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Docker Input Stack Buffer Overflow | CVE-2025-12970 | Fluent Bit | High | 8.8 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Forward Input Authentication Bypass | CVE-2025-12969 | Fluent Bit | Medium | 6.5 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Tag Spoofing via Partial Tag_Key Match | CVE-2025-12978 | Fluent Bit | Medium | 5.4 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit File Output Path Traversal | CVE-2025-12972 | Fluent Bit | Medium | 5.3 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
Technical Summary
Fluent Bit vulnerabilities center around unsafe handling of tags and inputs, enabling attackers to manipulate routing, file paths and memory in ways that directly impact host systems and downstream security tooling.
These flaws can allow path traversal and arbitrary file writes, which in many real-world setups may escalate to remote code execution and persistent node compromise.
Additional vulnerabilities include stack buffer overflows and missing authentication checks that let attackers crash agents, execute code and inject false telemetry into trusted logging pipelines.
Source: Oligo.security
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-12977 | Improper input validation allows injection of control chars, newlines, and path traversal sequences in tag values. | Log corruption and output injection. |
| CVE-2025-12970 | Stack buffer overflow on container name copy due to lack of length check. | Crash or RCE. |
| CVE-2025-12969 | Authentication bypass disables user-based auth, allowing unauthenticated log injection. | Unauthorized log injection. |
| CVE-2025-12978 | Partial string comparison on Tag_Key lets attacker spoof tags by guessing first char. | Manipulation of log routing and filtering. |
| CVE-2025-12972 | Path traversal via unsanitized tags causes arbitrary file write and possible remote code execution. | Arbitrary file write and RCE. |
Remediation:
- Upgrade all Fluent Bit deployments to v4.2.0 / v4.1.1 / v4.0.12 or latest version.
Here are some recommendations below
- Avoid using dynamic or untrusted tags in configuration for routing or file naming.
- Always set explicit fixed Path or File parameters in out_file outputs to prevent path traversal.
- Ensure forward inputs use both Shared_Key and Security.Users for proper authentication enforcement.
- Limit network access to Fluent Bit instances to trusted sources only.
- Run Fluent Bit with least privilege and restrict filesystem and configuration file write permissions.
- Monitor logs and telemetry for abnormal tag values or unexpected log routing changes.
Conclusion:
The Fluent Bit vulnerabilities enable attackers to hide activity, corrupt evidence and even gain direct control of cloud workloads.
This puts cloud systems at risk because security teams may not see the real activity happening inside their environment.
Organizations using Fluent Bit should patch immediately, restrict network access and enforcing strong authentication and least‑privilege deployment as urgent priorities to reduce the risk of remote takeover and systemic observability compromise.
References:
Microsoft Patched Critical Azure Bastion Elevation of Privilege Vulnerability
Azure Bastion Elevation of Privilege Vulnerability CVE-2025-49752
Continue Reading
Cyber-Breach on Qantas Airliner re-echo’s Cyber Risk associated with Third Party
Third-party vendors are critical to and business or industry – but they confirm to significant amount of cyber risk. Qanatas airline confirmed of cyber attack where nearly six million customers data may have been compromised. The airliner issued statement that said credit card details, financial information, and passport details were not part of the breach.
Qantas said in a statement: “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”
The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop.
KPMG, study showed how 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years.
Qantas Group chief executive Vanessa Hudson said the company was working closely with the National Cyber Security Coordinator and the Australian Cyber Security Centre.
We sincerely apologies to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously,” she said.
In the breach that affected Qantas airliner which is one of the oldest, did not point to any hackers group. This data breach is one of Australia’s biggest breach in years which caused major setback and reputation damage to an airliner.
Last week, FBI said Scattered Spider group was targeting airlines and that Hawaiian Airlines (HAII.UL) and Canada’s WestJet had already reported breaches. Read more on our blogs:
Key pointer of the Qantas Breach
The Cyber hacker broke into a database containing the personal information of millions of customer.
The breach was executed by hackers who targeted a call center and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Third party risk management is complex but neglecting can be fatal for organizations whose data volume is huge such as airliners.
The airline is emailing affected customers and has set up a dedicated support line at 1800 971 541 (or +61 2 8028 0534 from overseas).
If we observe in recent past 2020, the solar Winds attack that happened where Solar winds confirmed that its network had been penetrated by a malicious actor and a complex malware program inserted into software updates of its technology platform – SolarWinds OrionⓇ.
Such is the magnitude of the attack that the malware program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command and control servers. The malware persisted for months before initial detection.
The solar winds attack cost to the company amounted to significant loss with Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million).
How to make sure your vendor don’t create unnecessary risk that pose challenge for organization at large
First ensure your third party vendor’s meet the required robust security posture
Vendor risk assessment must be done holistically by streamlining due diligence
Upon discovery of any vulnerabilities, it is important that customizing and updating security requirements of the newly discovered threats and patch.
As a part of better threat mitigation strategy it is important that to automate vendors onboarding this will provide agility.
Managing Third party risk with Intru360
A research with KPMG found that found 61% of businesses underestimate third party risk management and often also struggle to have a healthy operation model and scale it same time.
KPMG research further found that Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.
With most of the technology investments fail to provide visibility into third-party risk, we at Intercept help you to expand the scope and cover third parties related risk areas by identifying.
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
In vendor security and management here are some of the features we offer to make sure cyber health of each and every supplier is checked and alerts are placed to get notification.
Prebuilt playbooks and automated response capabilities.
Over 400 third-party and cloud integrations.
More than 1,100 preconfigured correlation rules.
Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
Sources: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know
Recent Comments