Critical ‘by design’ weakness located in Anthropic’s MCP SDK
Systemic remote code execution vulnerability in Anthropic’s Model Context Protocol (MCP) SDK
Continue ReadingThreat intellegence
CISCO’s Secure FMC Being Exploited in 0-Day Attack, Targeting Firewalls
Zeroday attack attributed to Interlock ransomware group by CISCO
Continue Reading
Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Open AI, Quick to Respond on Mixpanel Breach; Security Analytics Tool for Proactive Security
Continue Reading
Unpatched Systems, Software’s Exposes Business to Cyber Threats
Remember when Qantas, Australia’s flagship airline confirmed a cyberattack exposing data from its frequent flyer program and customer accounts. The data was upto 6 million, which is staggering in number. This means any kind of exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.
Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.
Unpatched Systems, Software’s exposes Business to Cyber Threats
The breach originated from a third-party customer service platform, proving that even indirect systems can expose millions of records we all knew. This was a clear case how unpatched software’s but Qantas denied any of its service platform was vulnerable and there was no sign the platform was compromised.
Similarly 1.5 billion records across 760 global companies record exposed to data breach when Salesforce was hit and the hacking group claimed to have breached Salesforce through compromised integrations with third-party tools like Drift and SalesLoft, stealing huge amounts of CRM data. And as recent Salesloft Drift cyberattack may have also compromised some Google Workspace accounts.
The above case are all about software vulnerabilities when left unpatched. Latest data from cybersecurity and privacy company Kaspersky revealed that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.
Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky’s findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:
- CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
- CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
- CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system
(Source: Kaspersky: Unpatched Systems Expose Malaysian Businesses To Exploits – TechTRP)
The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw discovered by attackers before the vendor is aware of it. As no patch exists at the time, zero-day attacks often succeed.
Key findings from Kaspersky reports to secure your unpatched systems
- Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
- Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
- End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
- High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day
“Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.
What Businesses can do to remain Secure from Cyber threats when systems are unpatched?
For legacy systems and applications there is a lack ongoing vendor support, leaving remote code execution vulnerabilities open for exploitation. These attacks enable full system control with little user interaction.
How to Fix:
Apply host-based intrusion prevention and patch virtualization and replace or containerize legacy apps. It is important to isolate critical workloads in secure enclaves as being in legacy catagory they are prone to any kind of cyber threats and intrusion.
Follow more below recommendations
Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.
- Utilize solutions for vulnerability assessment, patch management
- Prioritize defense strategies & threat detection like phishing emails and web threats
- Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
- Implement a robust patch management process
Critical Lua Sandbox Escape Flaw in Redis Allows Remote Code Execution (RCE)
Summary: Security Advisory: A critical vulnerability has been found in the Lua scripting engine of Redis, enabled by default in all versions, allows authenticated attackers to break out of the Lua sandbox and perform remote code execution (RCE) to gain full control of the affected system.
| OEM | Redis |
| Severity | Critical |
| CVSS Score | 10.0 |
| CVEs | CVE-2025-49844 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Since Redis is used in most cloud environments the impact is highly critical. Redis team has released the patches and urged for immediate updates recommended to secure systems.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Lua Use-After-Free RCE Vulnerability | CVE-2025-49844 | All Redis Software & OSS/CE/Stack versions with Lua scripting | Critical | Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+ Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+ Redis Stack: 7.4.0-v7+, 7.2.0-v19+ |
Technical Summary
The vulnerability comes from a use-after-free (UAF) bug in Redis’s Lua scripting system, caused by improper checks during memory cleanup. Authenticated attackers can send malicious Lua scripts via EVAL or EVALSHA commands to manipulate memory, bypass the sandbox, and run arbitrary code. Even internal servers are at risk if attackers gain network access, making this flaw highly critical for both exposed and internal environments.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-49844 | All Redis Software & OSS/CE/Stack below the fixed version | A user after free in the Lua garbage collector allows memory corruption via crafted scripts, enabling sandbox escape and RCE | Remote Code Execution |
Recommendations
Upgrade to the below fixed versions immediately.
- Redis Software: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, 6.4.2-131+
- Redis OSS/CE: 8.2.2+, 8.0.4+, 7.4.6+, 7.2.11+
- Redis Stack: 7.4.0-v7+, 7.2.0-v19+
Here are some best practices
- Enable Strong Authentication: Configure strong passwords on all the instances, ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
- Network Controls: Restrict access to authorized IPs using firewalls or VPCs, limit access to trusted sources and prevent unauthorized connectivity.
- Limit permissions: To enhance security, user needs to give minimum necessary permissions.
- Monitoring: Check the logs to see if there are any suspicious activities.
- Incident Response: If compromised, isolate systems, rotate credentials, and scan for malware.
Conclusion:
This is a critical vulnerability with a CVSS score of 10.0, affecting all Redis versions with Lua scripting. The widespread Redis usage, default insecure configurations makes this a critical threat. Immediate patching and hardening are essential to prevent full system compromise, data breaches, and further attacks.
References:
Service Provider for Volvo NA, ‘Miljödata’ hit by Ransomware; Critical Data exposed
Third-party supplier Miljödata, for Volvo North America,hit by ransomware disclosed a data breach that exposed the personal data of its employees . The ransomware attack happened in month of August 2025. and impacted at least 25 companies. The ransomware group DataCarry claimed responsibility for the attack on Miljödata and also published allegedly stolen data on its Tor leak site.
Ransomware attacks are increasingly targeting both enterprise of all sizes across all sectors. The attack affected Scandinavian airline SAS, Boliden and included 200 Swedish municipalities. The affected systems were mostly for HR purposes that handled medical certificates, rehabilitation matters, reporting and managing work-related injuries.
The service provider of Volvo, launched an investigation into the incident with the help of cybersecurity experts, enhanced the security of its hosted environment, and is working to prevent similar security breaches in the future.
According to the data breach notification service Have I Been Pwned (HIBP), the leaked data belongs to 870,000 accounts. Exposed data includes email addresses, names, physical addresses, phone numbers, government IDs, dates of birth, and gender.
DataCarry Ransomware Group
The DataCarry ransomware group claimed responsibility for the attack on Miljödata’s Adato system, and has Miljödata’s files available for download on its dark web-based site.
Need of the hour for Enterprise security who are soft target of ransomware attack.
- Continuously monitor to detect breached credentials, leaked databases, and threat actor’s activites in near real-time before damage gas taken full control.
- Assessment on cyber attack module as soon as an attack was initiated and do proper full incident review to determine how attackers infiltrated enterprise network and how data exfiltrated and if there is any existing threat.
- Authenticate backups of data that have been stored currently and if they have been encrypted or stored offline. It is responsibility of enterprise to keep immutable backup solutions to defend against any ransomware attack that may encompass from encryption and deletion attempts by threat actors.
- Implement threat intelligence for real time alert against any external threat that gets feeder into system . Enterprise security must Include indicators of compromise (IOCs), into company’s XDR platforms for real-time alerting .
- Include phishing simulations and enforce multi-factor authentication (MFA) across all access points.
While Volvo did not specify the exact scale of its breach, it is one of many large organizations to be caught up in the data raid. As per reports Volvo Group provided the affected individuals with 18 months of free identity protection and credit monitoring services.
Source: Volvo North America disclosed a data breach following a ransomware attack on IT provider Miljödata
Fake Govt & Banking Apps Spreading Android Droppers Evolved as Malware
Security Advisory:
Cybersecurity researchers have discovered a major shift in how Android malware is being delivered. Dropper apps, which were earlier used mainly to distribute banking trojans.
The Malware’s being used to deliver simpler threats like SMS stealers and basic spyware as official government or banking apps, primarily targeting users in India, Southeast Asia, and some parts of Europe.
ThreatFabric researchers warn of a shift in Android malware: dropper apps now deliver not just banking trojans, but also SMS stealers and spyware, mainly in Asia.
Vulnerability Details
The recent surge in Android dropper apps introduces a critical security vulnerability affecting mobile users globally. These droppers are impersonating as banking apps, government services, or trading platforms,, bypass Google Play
Pilot Program by initially requesting minimal permissions to avoid detection, making them appear as legitimate applications.
Once installed, they fetch malicious payloads like spyware, SMS stealers, cryptocurrency miners, and banking trojans from remote servers. Attackers also exploit malvertising campaigns on social media to spread fake apps widely. This evolving tactic enables cybercriminals to switch payloads dynamically, making traditional security measures less effective and increasing the risk of data theft and device compromise.
Source: cybersecuritynews
Attack Flow
| Step | Description |
| 1. Craft | Attackers create malicious dropper apps disguised as government schemes, banking apps |
| 2. Send | The droppers are distributed through third-party APK sites, malicious ads |
| 3. Trigger | The victim downloads and installs the dropper app, often believing it’s legitimate due to its official-looking design and branding. |
| 4. Execution | When the user clicks “Update” or interacts with the app, the dropper fetches the real malicious payload (spyware, SMS stealer |
| 5. Exploit | The installed malware requests high-risk permissions, such as SMS access or notification access, allowing attackers to steal data, track activities, or control the device remotely. |
Proof-of-Concept
Once the user interacts, the dropper initiates an HTTPS request to a remote server
Source: cybersecurity news
Why It’s Effective
Dynamic Payload Delivery – Attackers hide the real malicious file inside a harmless-looking dropper app. The payload is only downloaded after user interaction, making it harder to detect.
Permission Evasion – Droppers initially request minimal or safe permissions and only ask for high-risk permissions (like SMS or accessibility access) after installation, bypassing Google Play Protest’sProtects initial scans.
Fake Update Screens – Many droppers display legitimate looking “Update Required” prompts to trick users into downloading malware, increasing their success rate.
Recommendations:
Download Apps Safely
- Install apps only from trusted sources like Google Play Store, Apple store etc.
- Avoid third-party APKs, unknown links
,or apps promoted through social media ads.
Check Permissions Carefully
- Do not grant unnecessary permissions like SMS, notifications, or accessibility dependent on the app services.
- Always review requested permissions before installing or updating an app.
Keep Devices Secure
- Enable Google Play Protect and keep your Android security patches up to date.
- Use a reliable mobile security solution for real-time malware detection.
Stay Alert and Aware
- Be aware of fake update prompts; apps
,and malicious sites.
- Stay updated on the latest tactics used by Android malware
Conclusion:
- Android droppers are evolving fast, making them more flexible and harder to detect, increasing risks for both individuals and organizations.
- Droppers started as tools for advanced banking malware, but now they’re used to install all kinds of harmful apps and sneak past local security.
- It is always recommended to stay vigilant, keep your phone and software updated from the original source
References:
Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited
Summary :
A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.
| OEM | Fortinet |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-32756 |
| POC Available | Yes |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2025-32756 | Fortinet Products | Critical |
Technical Summary
CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.
This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication.
The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-32756 | FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera | Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate. | Remote Code Execution, Full device takeover, persistence, data theft, log erasure. |
Remediation:
- Update Immediately: Apply the latest security patches provided by Fortinet.
- FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+
- FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+
- FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+
- FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+
- FortiCamera: 2.1.4+
- Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround
Indicator of Compromise
For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:
| IP Addresses | FileHash-MD5 |
| 156.236.76.90 | 2c8834a52faee8d87cff7cd09c4fb946 |
| 198.105.127.124 | 4410352e110f82eabc0bf160bec41d21 |
| 218.187.69.244 | 489821c38f429a21e1ea821f8460e590 |
| 218.187.69.59 | ebce43017d2cb316ea45e08374de7315 |
| 43.228.217.173 | 364929c45703a84347064e2d5de45bcd |
| 43.228.217.82 |
Conclusion:
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.
Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss.
These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.
Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.
References:
NIST & CISA Proposed Metric for Vulnerability Exploitation Probability
The National Institute of Standards and Technology (NIST) is proposing a new metric to determine the likelihood of any software or hardware vulnerability being exploited.
The new metric is “Likely Exploited Vulnerabilities” (LEV), that aims to close a key gap in vulnerability management.
This new data point can benefit the SecOps teams who are working to release an effective patch management strategy and address the development flaws.
NIST now wants members of cyber security community to come forward and validate the method as predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation.
However NIST proposed that predicting ones which is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts is important.
Currently, such remediation efforts rely on the Exploit Prediction Scoring System (EPSS), which has known inaccurate values, and Known Exploited Vulnerability (KEV) lists, which may not be comprehensive.
The proposed likelihood metric may augment EPSS remediation (correcting some inaccuracies) and KEV lists (enabling measurements of comprehensiveness). However, collaboration with industry is necessary to provide necessary performance measurements.
Importance of Metric for Vulnerability Exploitation Probability
Remediating vulnerabilities is time-consuming and costly. According to the paper, most companies only manage to patch about 16% of the vulnerabilities affecting their systems each month.
Meanwhile, research shows that only about 5% of vulnerabilities are exploited in the wild.
It is found organizations would spend their limited resources patching that small but dangerous subset, but identifying them has proven difficult.
That’s where LEV comes in to assist organizations prioritize vulnerabilities that are likely to have already been used in attacks, the metric could make patching efforts more targeted and effective.
In a recently published paper, Peter Mell (formerly of NIST) and Jonathan Spring of CISA presented a vulnerability exploitation metric that builds upon the existing Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The researchers noted that studies show only about 5% of known vulnerabilities are exploited in the wild, while organizations typically remediate only 16% of vulnerabilities each month.
The researchers outline four key ways LEV could be used:
1. Estimate how many vulnerabilities have been exploited.
2. Check how complete KEV lists are.
3. Identify high-risk vulnerabilities missing from those lists.
4. Fix blind spots in EPSS, which sometimes underestimates risk for already-exploited bugs.
Introducing the LEV Metric
Mell and Spring’s new metric—called Likely Exploited Vulnerabilities (LEV) probabilities—aims to address the limitations of both EPSS and the KEV catalog. While EPSS provides 30-day exploitation probabilities, it has known inaccuracies, particularly underestimating risk for already-exploited vulnerabilities. KEV, on the other hand, is limited by its reliance on known exploit data and may not be comprehensive.
LEV probabilities are designed to:
- Estimate how many and which vulnerabilities are likely to have been exploited
- Assess the completeness of the KEV catalog
- Enhance KEV-based prioritization by identifying likely-exploited vulnerabilities not yet listed
- Improve EPSS-based prioritization by correcting underestimations
Key Findings
The researchers compared LEV and EPSS scores for specific vulnerabilities, showing significant differences.
For example:
- CVE-2023-1730 (SupportCandy WordPress plugin SQL injection): before 3.1.5, the LEV probability was 0.70, while the peak EPSS score was 0.16.
- CVE-2023-29373 (Microsoft ODBC Driver RCE – Remote Code Execution vulnerability): the LEV probability was 0.54350, while the peak EPSS probability was 0.08.
The LEV analysis identified hundreds of vulnerabilities with probabilities near 1.0. However, many of these are not listed in current KEV catalogs. NIST is actively seeking collaboration with partners as real-world validation is must for LEV to be a promising idea rather than a trusted tool.
NIST is currently seeking industry partners with relevant datasets to empirically evaluate the effectiveness of LEV probabilities through real-world performance measurements.
Sources: https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/#:~:text=LEV%20aims%20to%20bridge%20that,%2C%20not%20replace%2C%20existing%20methods.
Cyber Security News at a Glance; May 2025
For the month of May 2025 here are the Top News including Security Advisory & Blogs
Tesla Model 3 VCSEC Vulnerability Allows Remote Code Execution via TPMS Exploit
A high-severity vulnerability (CVE-2025-2082) in Tesla Model 3’s Vehicle Controller Security (VCSEC) module allows attackers within wireless range to remotely execute arbitrary code by exploiting a flaw in the Tire Pressure Monitoring System (TPMS)
The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.
Microsoft May 2025 Patch Tuesday Released; Fixed 83 Vulnerabilities, Including 5 Zero-Days
Microsoft addressed 83 vulnerabilities across its product suite. Among them are 5 zero-day vulnerabilities have been confirmed as actively exploited in the wild. The updates span Windows components, Office, Visual Studio, and other core services.
11 vulnerabilities were rated critical, emphasizing the importance of timely remediation especially for enterprise environments.
5 non-Microsoft CVEs included
78 Microsoft CVEs addressed
Critical SAP NetWeaver Vulnerabilities Addressed in May 2025 Patch – Immediate Action Required
SAP has released critical security updates for its May 2025 patch, including fixes for two actively exploited zero-day vulnerabilities in SAP NetWeaver Visual Composer.
SAP Visual Composer is not installed by default, however it is enabled because it was a core component used by business process specialists to develop business application components without coding.
CISA is officially changing the way it disseminates online security updates and guidance.
CISA says the enhanced information dissemination system will from now on use social media and email only to disperse cybersecurity alerts and advisories, saving its landing page for more critical warnings on May 12.
Updates on May 13
Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.
“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”
Zero-Day Threat in Chrome’s Loader Component (CVE-2025-4664) – CISA Flags Urgent Risk
A zero-day vulnerability (CVE-2025-4664) in Google Chrome’s Loader component has been actively exploited in the wild.This flaw allows attackers to bypass security policies, leak cross-origin data, and potentially execute unauthorized code. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching.
Recent Comments