Critical Vulnerabilities in IBM Storage: Authentication Bypass and Code Execution Risks
Critical Vulnerabilities in IBM Storage:
Continue ReadingCritical Vulnerabilities in IBM Storage:
Continue ReadingAn authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.
Summary
OEM | Palo Alto |
Severity | High |
Date of Announcement | 2025-02-19 |
CVEs | CVE-2025-0108 |
CVSS Score | 8.8 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.
This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation.
Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
Authentication Bypass Vulnerability | CVE-2025-0108 | Pan OS | High | PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 |
Technical Summary
This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations.
Vulnerability Name | Details | Severity | Impact |
Authentication Bypass Vulnerability | This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111. | High | Root access of the affected system, unauthorized file exfiltration. |
Recommendations
Here are the details of the required upgrades:
Version | Updated Version |
PAN-OS 11.2 | Upgrade to 11.2.4-h4 or later |
PAN-OS 11.1 | Upgrade to 11.1.6-h1 or later |
PAN-OS 10.2 | Upgrade to 10.2.13-h3 or later |
PAN-OS 10.1 | Upgrade to 10.1.14-h9 or later |
General Recommendations
Conclusion
The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat.
The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.
References:
macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw
A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.
Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.
This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates.
OEM | Apple |
Severity | Critical |
CVSS | 9.8 |
CVEs | CVE-2025-24118 |
Exploited in Wild | No |
Publicly POC Available | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.
Vulnerability Name | CVE ID | Product Affected | Severity |
Race Condition Vulnerability | CVE-2025-24118 | Apple | Critical |
Technical Summary
This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-24118 | macOS Sonoma prior to 14.7.3 macOS Sequoia prior to 15.3 iPadOS prior to 17.7.4 | A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition. | Privilege escalation, memory corruption, potential kernel-level code execution |
Remediation:
Conclusion:
CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.
References:
High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel
Jordy Zomer, a Security researcher have recently discovered two critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux. These vulnerabilities, CVE-2024-56626 and CVE-2024-56627, could allow attackers to gain control of vulnerable systems.
SUMMARY
OEM | Linux |
Severity | High |
CVSS | 7.8 |
CVEs | CVE-2024-56626, CVE-2024-56627 |
Exploited in Wild | No |
Publicly POC Available | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
These vulnerabilities affect Linux kernel versions greater than 5.15 and have been addressed in version 6.13-rc2. Proof-of-concept (PoC) exploits have been publicly released, emphasizing the critical nature of these issues.
Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
Out-of-bounds write vulnerability in ksmbd. | CVE-2024-56626 | Linux | High | Linux kernel versions greater than 5.15 |
Out-of-bounds read vulnerability in ksmbd. | CVE-2024-56627 | Linux | High | Linux kernel versions greater than 5.15 |
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-56626 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative offsets from clients, causing out-of-bounds writes and potential memory corruption. It was triggered when using vfs objects = streams_xattr in ksmbd.conf. The issue has been fixed in recent kernel updates. | Attackers can execute arbitrary code with kernel privileges |
CVE-2024-56627 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative client offsets, enabling out-of-bounds writes and potential memory corruption. This issue occurred when the vfs objects = streams_xattr parameter was set in ksmbd.conf and has been resolved in recent kernel updates. | Attackers can read sensitive kernel memory, leading to information disclosure |
listed below
Version | Fixes and Releases |
kernel version > 5.15 | kernel version 6.13-rc2 |
The discovery of CVE-2024-56626 and CVE-2024-56627 highlights critical security flaws in the Linux kernel’s SMB server implementation. Given the availability of proof-of-concept exploits, immediate action is essential to protect systems from potential exploitation. Regularly updating systems and applying security patches are vital practices to maintain a secure environment.
OEM | Microsoft |
Severity | Critical |
CVSS Score | 7.8 |
CVE | CVE-2024-49138 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Publicly POC Available | Yes |
The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.
Vulnerability Name | CVE ID | Product Affected | Severity |
CLFS Privilege Escalation | CVE-2024-49138 | Microsoft Windows | High |
CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-49138 | Windows 10, Windows 11, Windows Server 2008–2025 | Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released. | Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device. |
The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.
Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released
OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.
Summary
Application | OpenSSH |
Severity | High |
CVSS | 8.1 |
CVEs | CVE-2024-6387 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.
A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns.
The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
Race Condition vulnerability | CVE-2024-6387 | OpenSSH (8.5p1–9.8p1) | High | OpenSSH 9.8p2 or later |
Technical Summary
CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.
Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-6387 | OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems | Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). | Remote Code Execution (Root Privileges) |
Impact:
This Vulnerability if exploited could lead to complete system takeover.
Remediation:
Indicators of Compromise (IOCs):
IP Address / Hostname | File Hash |
209.141.53[.]247 | 0df799f05c6d97e2b7d4b26c8e7246f7 |
108.174.58[.]28 | 11cc5f00b466d4f9be4e0a46f2eb51ae |
195.85.205[.]47 | 1f452448cea986aedc88ba50d48691f7 |
62.72.191[.]203 | 207eb58423234306edaecb3ec89935d8 |
botbot.ddosvps.cc |
Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387
Conclusion:
The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.
Swift patching and the adoption of layered security measures are imperative to mitigate the risks.
Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability.
References:
Summary
OEM | Apache |
Severity | Critical |
CVSS | 9.8 |
CVEs | CVE-2024-50379, CVE-2024-54677 |
Exploited in Wild | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.
Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
Race Condition Vulnerability | CVE-2024-50379 | Apache | Critical | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
Uncontrolled Resource Consumption Vulnerability | CVE-2024-54677 | Apache | Medium | Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-50379 | Apache Tomcat | A race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system. | Remote Code Execution |
CVE-2024-54677 | Apache Tomcat | The examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service. | Denial of Service |
Remediation:
Recommendations:
References: