Vulnerability management

Security Advisory

Palo Alto Firewall Vulnerabilities Under Active Exploitation 

An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.

Summary 

OEM Palo Alto 
Severity High 
Date of Announcement 2025-02-19 
CVEs CVE-2025-0108 
CVSS Score 8.8 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.

This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
 Authentication Bypass Vulnerability  CVE-2025-0108  Pan OS         High PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 

Technical Summary 

This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations. 

Vulnerability Name Details Severity Impact 
 Authentication Bypass Vulnerability  This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111.         High Root access of the affected system, unauthorized file exfiltration. 

Recommendations 

  • Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately. 

Here are the details of the required upgrades: 

Version Updated Version 
PAN-OS 11.2 Upgrade to 11.2.4-h4 or later 
PAN-OS 11.1 Upgrade to 11.1.6-h1 or later 
PAN-OS 10.2 Upgrade to 10.2.13-h3 or later 
PAN-OS 10.1 Upgrade to 10.1.14-h9 or later 

General Recommendations 

  • Restrict access to PAN-OS management interfaces to trusted IPs only. 
  • Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions. 
  • Follow best practices for firewall security, including network segmentation and regular vulnerability assessments. 
  • Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity. 

Conclusion 

The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat. 

The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.

References

  • https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/ 
  • https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise   

Security Advisory

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw 

A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.

Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.

This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates. 

OEM Apple 
Severity Critical 
CVSS 9.8 
CVEs CVE-2025-24118 
Exploited in Wild No 
Publicly POC Available Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.

Vulnerability Name CVE ID Product Affected Severity 
 Race Condition Vulnerability  CVE-2025-24118   Apple  Critical 

Technical Summary 

This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-24118  macOS Sonoma prior to 14.7.3  
macOS Sequoia prior to 15.3 
iPadOS prior to 17.7.4   		A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition. Privilege escalation, memory corruption, potential kernel-level code execution  

Remediation

  • Patch Installation: Users should upgrade to macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4 to mitigate the risk. 

Conclusion: 

CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.

References: 

Security Advisory

High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel 

High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel 

Jordy Zomer, a Security researcher have recently discovered two critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux. These vulnerabilities, CVE-2024-56626 and CVE-2024-56627, could allow attackers to gain control of vulnerable systems.

SUMMARY

OEM  Linux 
Severity  High 
CVSS  7.8 
CVEs  CVE-2024-56626, CVE-2024-56627  
Exploited in Wild   No 
Publicly POC Available  Yes 
Patch/Remediation Available  Yes 
Advisory Version  1.0 

These vulnerabilities affect Linux kernel versions greater than 5.15 and have been addressed in version 6.13-rc2. Proof-of-concept (PoC) exploits have been publicly released, emphasizing the critical nature of these issues. 

Vulnerability Name  CVE ID  Product Affected  Severity  Affected Version 
Out-of-bounds write vulnerability in ksmbd.  CVE-2024-56626  Linux  High  Linux kernel versions greater than 5.15  
Out-of-bounds read vulnerability in ksmbd.  CVE-2024-56627   Linux  High  Linux kernel versions greater than 5.15  

Technical Summary 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2024-56626     Linux Kernel  A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative offsets from clients, causing out-of-bounds writes and potential memory corruption. It was triggered when using vfs objects = streams_xattr in ksmbd.conf. The issue has been fixed in recent kernel updates.    Attackers can execute arbitrary code with kernel privileges  
CVE-2024-56627      Linux Kernel  A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative client offsets, enabling out-of-bounds writes and potential memory corruption. This issue occurred when the vfs objects = streams_xattr parameter was set in ksmbd.conf and has been resolved in recent kernel updates.   Attackers can read sensitive kernel memory, leading to information disclosure 

Remediation

  • Update: Ensure that the appropriate patches or updates are applied to the relevant versions 

 listed below 

Version  Fixes and Releases 
 kernel version > 5.15  kernel version 6.13-rc2  

Conclusion: 

The discovery of CVE-2024-56626 and CVE-2024-56627 highlights critical security flaws in the Linux kernel’s SMB server implementation. Given the availability of proof-of-concept exploits, immediate action is essential to protect systems from potential exploitation. Regularly updating systems and applying security patches are vital practices to maintain a secure environment. 

References: 

 

 

Security Advisory

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM

Microsoft

Severity

Critical

CVSS Score

7.8

CVE

CVE-2024-49138

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Publicly POC Available

Yes


Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name

CVE ID

Product Affected

Severity

CLFS Privilege Escalation

CVE-2024-49138

Microsoft Windows

High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49138

Windows 10, Windows 11, Windows Server 2008–2025

Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.

Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

  1. Update Systems: Apply Microsoft’s December 2024 patches without delay.
  2. Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
  3. Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

Security Advisory

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary 

Application  OpenSSH 
Severity  High 
CVSS  8.1 
CVEs  CVE-2024-6387 
Exploited in Wild  Yes 
Patch/Remediation Available  Yes 
Advisory Version  1.0 

Overview 

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns. 

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats. 

Vulnerability Name  CVE ID  Product Affected  Severity  Fixed Version 
Race Condition vulnerability    CVE-2024-6387   OpenSSH (8.5p1–9.8p1)   High   OpenSSH 9.8p2 or later 

Technical Summary 

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms. 

CVE ID  System Affected  Vulnerability Details  Impact 
CVE-2024-6387  OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems  Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime).  Remote Code Execution (Root Privileges) 

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation

  • Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue. 
  • Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges. 
  • Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns. 

Indicators of Compromise (IOCs): 

IP Address / Hostname  File Hash 
209.141.53[.]247  0df799f05c6d97e2b7d4b26c8e7246f7 
108.174.58[.]28  11cc5f00b466d4f9be4e0a46f2eb51ae 
195.85.205[.]47  1f452448cea986aedc88ba50d48691f7 
62.72.191[.]203  207eb58423234306edaecb3ec89935d8 
botbot.ddosvps.cc   

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387 

Conclusion: 

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks. 

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2024-6387 
  • https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

Security Advisory

Critical Apache Tomcat Vulnerabilities Allow RCE & DoS

Summary

OEMApache
SeverityCritical
CVSS9.8
CVEsCVE-2024-50379, CVE-2024-54677
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.

Vulnerability NameCVE IDProduct AffectedSeverityAffected Version
Race Condition Vulnerability CVE-2024-50379ApacheCriticalApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97
Uncontrolled Resource Consumption Vulnerability CVE-2024-54677ApacheMediumApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97

Technical Summary

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-50379Apache TomcatA race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system.    Remote Code Execution
CVE-2024-54677Apache TomcatThe examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service.    Denial of Service

Remediation:

  • Upgrade Apache Tomcat to the latest fixed versions:
    • Apache Tomcat 11.0.2 or latest
    • Apache Tomcat 10.1.34 or latest
    • Apache Tomcat 9.0.98 or latest

Recommendations:

  • Configuration Hardening:
    • Restrict write permissions for the default servlet to prevent unauthorized JSP file uploads.
    • Remove or disable example applications to reduce exposure to potential attacks.
  • Monitor and Audit:
    • Regularly review server logs for signs of exploitation attempts.
    • Apply a robust file upload policy to limit sizes and validate content.
  • Regularly update all your software’s to address security vulnerabilities 

References:

Scroll to top