Threat actors

Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required 

Summary: SAP has released critical security updates in its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.

SAP Visual Composer is not installed by default; however, it is enabled because it was a core component used by business process specialists to develop business application components without coding.

OEM: SAP
Severity: Critical
Date of Announcement: 2025-05-13
No. of Vulnerabilities Patched: 16
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0

Overview 

The most severe issue, CVE-2025-31324 (CVSS 10.0), is a critical unauthenticated file upload vulnerability that has been exploited in the wild since January 2025 for remote code execution (RCE). 

This issue was originally addressed in an SAP security note issued on April 24, 2025, and has since been supplemented by a second vulnerability, CVE-2025-42999, involving insecure deserialization.

These vulnerabilities have been used together in chained attacks to gain full system access on vulnerable SAP NetWeaver servers. 

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Unauthenticated File Upload (RCE) | CVE-2025-31324 | SAP NetWeaver | Critical | 10.0 |
| Insecure Deserialization (RCE) | CVE-2025-42999 | SAP NetWeaver | Critical | 9.1 |

Technical Summary 

Attackers have leveraged two flaws in SAP NetWeaver Visual Composer in chained exploit scenarios to gain unauthorized remote access and execute arbitrary commands.

CVE-2025-31324 enables unauthenticated file uploads, and CVE-2025-42999 allows privileged users to exploit insecure data deserialization for command execution.

These vulnerabilities have impacted hundreds of internet-facing SAP instances, including systems operated by major enterprises. 

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-31324 | SAP NetWeaver Visual Composer | Unauthenticated file upload vulnerability in development server. | Remote Code Execution (RCE) without privileges |
| CVE-2025-42999 | SAP NetWeaver Visual Composer | Insecure deserialization in Visual Composer user-accessible function. | Remote Code Execution (RCE) without privileges |

Source: SAP 

In addition to the actively exploited vulnerabilities, several other high-severity vulnerabilities were also addressed:

  • CVE-2025-30018: SAP Supplier Relationship Management (Live Auction Cockpit) – Multiple vulnerabilities (CVSS 8.6) 
  • CVE-2025-43010: SAP S/4HANA Cloud Private Edition / On Premise (SCM Master Data Layer) – Code injection (CVSS 8.3) 
  • CVE-2025-43000: SAP Business Objects Business Intelligence Platform (PMW) – Information disclosure (CVSS 7.9) 
  • CVE-2025-43011: SAP Landscape Transformation (PCL Basis) – Missing authorization check (CVSS 7.7) 
  • CVE-2024-39592: SAP PDCE – Missing authorization check (CVSS 7.7) 

Remediation

  • Apply Patches Promptly: Install the May 2025 security updates immediately to mitigate risks from CVE-2025-42999 and other high-severity vulnerabilities, including CVE-2025-31324, along with additional security improvements across various SAP products. 

General Recommendations: 

  • Disable Visual Composer Service: If possible, disable the Visual Composer service to further reduce risk. 
  • Restrict Access to Metadata Upload Functions: Limit access to the metadata uploader to trusted users to prevent unauthorized file uploads. 
  • Monitor for Suspicious Activity: Continuously monitor the SAP NetWeaver environment for any signs of suspicious activity related to the vulnerabilities. 

Conclusion: 

  • The dual exploitation of CVE-2025-31324 and CVE-2025-42999 underscores the critical need for proactive patching and vigilant monitoring of enterprise SAP environments.
  • The vulnerabilities are being exploited by sophisticated threat actors, including the Chinese APT group Chaya_004, with over 2,000 exposed NetWeaver instances and hundreds already compromised. 
  • In response to the severity, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-31324 in its Known Exploited Vulnerabilities Catalog and has mandated federal agencies to remediate by May 20, 2025, under Binding Operational Directive 22-01. Organizations are strongly urged to act immediately to protect their SAP environments. 

FBI Warns: End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns

Summary 

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities. 

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with newer, actively supported models, or at least disabling remote management features immediately.

Technical Details 

Attack Overview 

  • Entry Point: Remote administration services exposed to the Internet.
  • Authentication Bypass: Attackers bypass password protection to gain shell/root access.
  • Malware Capabilities:
      • Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes.
      • Opens ports to act as proxy relays.
      • Enables the sale of infected routers as “proxy-as-a-service” infrastructure.
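The check-in behaviour above is something a firewall or flow sensor can look for. The following is an added example, not code from the FBI bulletin or this page: it flags destinations that an inventoried EOL router contacts at a regular interval inside the 60-second to 5-minute window. The tuple layout, thresholds, function names and sample addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

MIN_INTERVAL, MAX_INTERVAL = 60, 300   # check-in window stated in the advisory (seconds)
MIN_EVENTS = 6       # assumption: connections needed before judging periodicity
MAX_JITTER = 0.15    # assumption: a gap is "regular" within 15% of the median gap
MIN_REGULAR = 0.8    # assumption: share of gaps that must be regular

def find_beacons(flows, router_ips):
    """flows: (epoch_seconds, src_ip, dst_ip, dst_port) tuples from a firewall
    or flow sensor. Only sources listed in router_ips (the EOL devices in the
    inventory) are examined."""
    by_peer = defaultdict(list)
    for ts, src, dst, port in flows:
        if src in router_ips:
            by_peer[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), times in by_peer.items():
        if len(times) < MIN_EVENTS:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if not MIN_INTERVAL <= mid <= MAX_INTERVAL:
            continue
        # Share of gaps that sit close to the median, i.e. how clock-like it is.
        regular = sum(abs(g - mid) <= MAX_JITTER * mid for g in gaps) / len(gaps)
        if regular >= MIN_REGULAR:
            findings.append({"src": src, "dst": dst, "port": port,
                             "median_interval": mid, "connections": len(times)})
    return findings

def series(src, dst, port, times):
    return [(t, src, dst, port) for t in times]

# Constructed sample data (documentation address ranges, not real indicators).
ROUTER_IPS = {"203.0.113.10"}
SAMPLE_FLOWS = (
    # ~120 s check-ins with a few seconds of jitter: flagged
    series("203.0.113.10", "198.51.100.77", 443,
           [1000, 1123, 1238, 1365, 1476, 1601, 1722, 1837])
    # NTP-style polling every 1024 s: periodic but outside the window
    + series("203.0.113.10", "192.0.2.123", 123, [1000 + 1024 * i for i in range(8)])
    # bursty traffic whose median gap is 90 s but is not regular
    + series("203.0.113.10", "192.0.2.53", 53,
             [1000, 1070, 1300, 1380, 1390, 1700, 1790, 2100])
    # a device that is not in the EOL inventory: ignored
    + series("203.0.113.20", "198.51.100.20", 443, [1000 + 90 * i for i in range(8)])
)

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_FLOWS, ROUTER_IPS):
        print(finding)
```

Seen from upstream, client traffic NAT'd by the router shares the router's address, so a finding is a lead for triage rather than proof of compromise.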

Confirmed Vulnerable Devices 

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns: 

  • E1200 
  • E2500 
  • E1000 
  • E4200 
  • E1500 
  • E300 
  • E3200 
  • WRT320N 
  • E1550 
  • WRT610N 
  • E100 
  • M10 
  • WRT310N 

Indicators of Compromise (IOCs) 

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign: 


Recommended Mitigations

  • Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates. 
  • Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet. 
  • Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it. 
  • Network Segmentation: Isolate critical devices from consumer routers or IoT networks. 
  • Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior. 

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”


April Zero-Day Threats Addressed in Microsoft’s Patch Tuesday

Summary of Microsoft April Patch Tuesday

Microsoft's April 2025 Patch Tuesday release addressed 135 security vulnerabilities, including a critical zero-day vulnerability (CVE-2025-29824) that is already being actively exploited.

  • 126 Microsoft CVEs addressed
  • 9 non-Microsoft CVEs included

Microsoft releases Patch Tuesday updates every month on a priority basis so that organizations can address the vulnerabilities as advised by security analysts.

OEM: Microsoft
Severity: Critical
Date of Announcement: 2025-04-08
No. of Vulnerabilities Patched: 135
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0

Overview

Key updates focus on core Windows components such as the CLFS driver and the Windows Kernel, and on multiple remote code execution (RCE) vulnerabilities across many services, including Remote Desktop Gateway, LDAP, and TCP/IP.

The update addresses both Microsoft and non-Microsoft vulnerabilities, with a significant emphasis on fixing issues that allow attackers to elevate privileges, execute remote code, or bypass security features.

On a similar note, this release includes 11 critical remote code execution (RCE) vulnerabilities. 13 browser vulnerabilities have already been published separately this month and are not included in the total.

| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
|---|---|---|---|---|
| Microsoft Windows CLFS Driver Use-After-Free Vulnerability [zero-day vulnerability] | CVE-2025-29824 | Windows | High | 7.8 |
| Remote Desktop Gateway Service RCE Vulnerability | CVE-2025-27480, CVE-2025-27482 | Windows | High | 8.1 |
| LDAP Service RCE Vulnerability | CVE-2025-26663 | Windows | High | 8.1 |
| LDAP Client RCE Vulnerability | CVE-2025-26670 | Windows | High | 8.1 |

Technical Summary

The April 2025 update fixes several high-severity vulnerabilities in Microsoft products. Details of some of these vulnerabilities:

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-29824 | Windows 10/11, Windows Server | An elevation of privilege vulnerability in the Windows Kernel caused by improper object access. Attackers with local access could exploit this to gain SYSTEM privileges. | Elevation of Privilege |
| CVE-2025-27480, CVE-2025-27482 | Windows RDS | Race condition in Remote Desktop Gateway; triggers use-after-free allowing code execution | Remote Code Execution |
| CVE-2025-26663 | Windows LDAP | Crafted LDAP call causes use-after-free, leading to arbitrary code execution | Remote Code Execution |
| CVE-2025-26670 | Windows TCP/IP | Memory mismanagement during DHCPv6 handling, complex exploit chain. | Remote Code Execution |

Source: Microsoft & NVD

In addition to the actively exploited vulnerabilities, several other vulnerabilities were also addressed:

  • CVE-2025-27745, CVE-2025-27748, CVE-2025-27749 – Office Use-After-Free RCE Vulnerability

These vulnerabilities allow attackers to execute arbitrary code remotely by exploiting use-after-free conditions when opening malicious Office files, potentially leading to system compromise.

  • CVE-2025-27752 – Excel Heap Overflow RCE Vulnerability

An attacker could bypass security features via improper neutralization in the Microsoft Management Console, leading to remote code execution and potential full system compromise.

  • CVE-2025-29791 – Excel Type Confusion RCE Vulnerability

This vulnerability allows local attackers to exploit improper logging in NTFS, potentially granting unauthorized access to sensitive memory areas, which could lead to arbitrary code execution.

  • CVE-2025-26686 – Windows TCP/IP RCE Vulnerability

Memory mismanagement during DHCPv6 handling could allow remote attackers to execute arbitrary code, requiring a complex exploit chain to be effective.

  • CVE-2025-27491 – Windows Hyper-V RCE Vulnerability

This vulnerability can be exploited by guest users through social engineering, enabling remote code execution on the host system, with a high complexity for successful exploitation.

Remediation:

  • Apply Patches Promptly: Install the April 2025 security updates immediately to mitigate risks.

General Recommendations:

  • Prioritize Zero-Day & Critical Vulnerabilities: Focus on patching actively exploited vulnerabilities, especially those affecting Windows CLFS, RDS, LDAP, Excel, and SharePoint-related CVEs.
  • Secure File System Access: Implement security controls to prevent unauthorized access to NTFS and FAT file systems, particularly against USB-based attack vectors.
  • Educate Employees: Train users in phishing risks to reduce the chances of executing malicious Microsoft Access files.
  • Monitor for Exploitation: Continuously monitor systems for any signs of exploitation or suspicious activity.

“Microsoft highly recommends that organizations prioritize applying security updates for elevation of privilege vulnerabilities to add a layer of defense against ransomware attacks if threat actors are able to gain an initial foothold,” the company said in a blog post.

Conclusion:

The April 2025 Patch Tuesday release underscores the critical need for timely patching of Microsoft systems to protect against actively exploited vulnerabilities, including a zero-day privilege escalation flaw.

Microsoft has addressed multiple high-severity vulnerabilities, many of which could result in remote code execution, unauthorized system access, or privilege escalation.

IT teams and users are urged to promptly install the security updates and implement recommended security controls to mitigate these risks. As these vulnerabilities are actively exploited, immediate action is crucial to safeguarding systems from potential compromise.


Codefinger Ransomware attack encrypts Amazon S3 buckets

  • Ransomware crew dubbed Codefinger targets AWS S3 buckets
  • Sets data-destruct timer for 7 days
  • Threat actors demand a ransom payment for the symmetric AES-256 keys required to decrypt the data

The Amazon S3 buckets were encrypted using AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C), and the threat actors somehow knew details of the keys. This allowed them to demand ransoms for the decryption key.

The campaign was discovered by Halcyon. According to them, after exploiting the compromised keys, the threat actors use the “x-amz-server-side-encryption-customer-algorithm” header and a locally stored AES-256 encryption key that they generate to lock up the victims’ files. There is a great chance that more cyber criminal groups will adopt the tactic.

The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by calling the SSE-C algorithm, utilizing a locally generated and stored AES-256 encryption key.
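For defenders, the same header is visible in CloudTrail when S3 data events are logged. The following is an added example, not code from Halcyon, AWS or this page: it groups SSE-C writes by access key and bucket and reports any key that rewrites several objects. The record fields read here (`requestParameters`, `additionalEventData.SSEApplied`, `userIdentity.accessKeyId`) are assumed to follow the CloudTrail S3 data-event layout; the threshold, bucket name, object names and helper names are hypothetical.

```python
from collections import defaultdict

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # header named above
WRITE_EVENTS = {"PutObject", "CopyObject"}
THRESHOLD = 3  # assumption: distinct objects one access key rewrites before alerting

def is_ssec_write(rec):
    """True for an S3 write that supplied a customer-provided key (SSE-C)."""
    if rec.get("eventSource") != "s3.amazonaws.com":
        return False
    if rec.get("eventName") not in WRITE_EVENTS:
        return False
    params = rec.get("requestParameters") or {}
    extra = rec.get("additionalEventData") or {}   # assumed field layout
    return SSEC_HEADER in params or extra.get("SSEApplied") == "SSE_C"

def ssec_rewrites(records, threshold=THRESHOLD):
    """Group SSE-C writes by (access key, bucket) and report heavy writers,
    noting which of those objects the same key also fetched."""
    read, written = defaultdict(set), defaultdict(set)
    for rec in records:
        params = rec.get("requestParameters") or {}
        obj = params.get("key")
        if not obj:
            continue
        who = ((rec.get("userIdentity") or {}).get("accessKeyId"),
               params.get("bucketName"))
        if is_ssec_write(rec):
            written[who].add(obj)
        elif rec.get("eventName") == "GetObject":
            read[who].add(obj)
    return [{"access_key": who[0], "bucket": who[1], "objects": sorted(keys),
             "also_read": sorted(keys & read[who])}
            for who, keys in written.items() if len(keys) >= threshold]

def event(name, key_id, obj, **params):
    """Build a constructed record with only the fields the detector reads."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"accessKeyId": key_id},
            "requestParameters": {"bucketName": "example-bucket", "key": obj, **params}}

# Constructed sample; the key IDs are the placeholder values from AWS documentation.
STOLEN, APP = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"
OBJECTS = ["db/a.bak", "db/b.bak", "db/c.bak"]
SAMPLE = (
    [event("GetObject", STOLEN, o) for o in OBJECTS]
    + [event("PutObject", STOLEN, o, **{SSEC_HEADER: "AES256"}) for o in OBJECTS]
    # ordinary application traffic: writes without SSE-C, plus one SSE-C write
    + [event("PutObject", APP, f"logs/{i}.gz") for i in range(5)]
    + [event("PutObject", APP, "logs/special.gz", **{SSEC_HEADER: "AES256"})]
)

if __name__ == "__main__":
    for alert in ssec_rewrites(SAMPLE):
        print(alert)
```

CloudTrail does not record S3 object-level (data) events unless they are enabled for the trail, so this check only sees buckets where that logging is on.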

“It is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies on the threat actor first obtaining an AWS customer’s account credentials,” Halcyon notes.

According to Halcyon, because the attack relies on AWS’s infrastructure for encryption, it is impossible to recover the encrypted data without the symmetric AES-256 keys required to decrypt it. Halcyon reported its findings to Amazon, and the cloud services provider told them that they do their best to promptly notify customers who have had their keys exposed so they can take immediate action.

In recent months, hackers and cyber criminals have gained traction and have begun targeting their product gateways and finding ways to extort customers using them.

Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys, says the Halcyon team.

Ransomware capabilities gain new tactics where the threat actor first obtains an AWS customer’s account credentials, and there is no known method by which data can be recovered without paying the ransom.

AWS encourages customers to use its security tools, such as IAM roles, Identity Center and Secrets Manager, to minimize credential exposure and improve their defense posture.

Sources:

https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/

www.bleepingcomputer.com

Ivanti Connect Secure VPN Actively Being Exploited in the Wild 

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

According to Ivanti, threat actors have attempted to bypass detection by the Integrity Checker Tool (ICT). Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary 

OEM: Ivanti
Severity: Critical
CVSS: 9.0
CVEs: CVE-2025-0282, CVE-2025-0283
Exploited in Wild: Yes
Patch/Remediation Available: Yes
Advisory Version: 1.0

Overview 

CVE-2025-0282 is a stack-based buffer overflow flaw that allows unauthenticated attackers to execute arbitrary code on affected devices. Another vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk.

| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
|---|---|---|---|---|
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0282 | Ivanti | Critical | 22.7R2 through 22.7R2.4; 22.7R1 through 22.7R1.2; 22.7R2 through 22.7R2.3 |
| Stack-Based Buffer Overflow Vulnerability | CVE-2025-0283 | Ivanti | High | 22.7R2.4 and prior, 9.1R18.9 and prior; 22.7R1.2 and prior; 22.7R2.3 and prior |

Technical Summary 

| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-0282 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution. | RCE, System compromise, Data theft, Network breaches, and Service disruptions. |
| CVE-2025-0283 | Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges | Allow Local Authenticated Attackers to Escalate Privileges. |

Remediation

  • Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.
  • Ensure that the appropriate patches or updates are applied to the relevant Ivanti versions as listed below:

| Affected Version(s) | Fixes and Releases |
|---|---|
| 22.7R2 through 22.7R2.4 | 22.7R2.5 |
| 22.7R2.4 and prior, 9.1R18.9 and prior | 22.7R2.5 |
| 22.7R2 through 22.7R2.3 | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R2.3 and prior | 22.7R2.5, Patch planned availability Jan. 21 |
| 22.7R1 through 22.7R1.2 | Patch planned availability Jan. 21 |
| 22.7R1.2 and prior | Patch planned availability Jan. 21 |

  • Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security. 
  • Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools. 
  • Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025. 
  • Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025. 

General Recommendation 

  • Regularly update software and systems to address known vulnerabilities. 
  • Implement continuous monitoring to identify any unauthorized access or suspicious activities. 
  • Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces. 
  • Create and maintain an incident response plan to quickly mitigate the impact of any security breach.
