Critical Vulnerability in cPanel & WHM; Patch Now
Critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers
Continue ReadingVulnerability
Network Security in Litecoin Compromised by ZeroDay Bug
- Litcoin network security compromised
- A zero-day bug caused a DoS attack that disrupted major mining pools.
- Unpatched Litecoin Nodes Created the Vulnerability, allowed an invalid MWEB transaction allowing them to peg out coins to third party DEX’s
A sophisticated zero-day bug triggered a chain of events that included a Denial of Service (DoS) attack on Litcoin a major mining pools and a specialized exploit of the MimbleWimble Extension Blocks (MWEB). The zero-day specifically targeted MWEB, Litecoin’s privacy feature which are complex in nature and that creates attack surfaces. The specific vulnerability has been patched in version 0.21.5.4,
How is Litecoin different from Bitcoin?
Litecoin is a 2011 fork of Bitcoin with faster block times (2.5 minutes vs. 10 minutes), a larger supply cap (84 million vs. 21 million), and the Scrypt mining algorithm instead of SHA-256. The biggest functional difference today is MWEB, which gives Litecoin optional transaction privacy that Bitcoin does not offer at the base layer.
Attack Module
The attack had two components. First, the attackers used a DoS scheme to take mining nodes running the updated code offline. Then, unprotected nodes formed an alternative chain that included invalid MWEB transactions.
What caused the zero day vulnerability?
The bug or flaw led to a denial-of-service assault that temporarily interrupted operations at several prominent mining pools. The event, which occurred over the weekend, exposed a narrow window of risk but was contained efficiently through coordinated technical measures.
At the core of the disruption were mining nodes that had not yet applied the most recent security patches. Litcon said now the bug has now been fully patched, and the network continues to operate normally. A new core version was released subsequently, including important security updates.
The zero-day attack succeeded because many Litecoin nodes ran outdated software that improperly validated MWEB transactions. This created a two-tier network in which different participants operated under distinct consensus rules.
Bitcoin and Litecoin have no mandatory update mechanism so mostly Nodes can run old software indefinitely. Attackers seized this opportunity and the exact vulnerability exploited in the attack.
Litecoin developers have fixed the issue and the zeroday incident exposes how dependent decentralized networks are on coordinated node updates and careful operator behavior. The network was recovered, but it did not emerge unscathed.
Team Litcoin confirmed the bug on their official X account and stated a patch has been fully deployed, with node operators urged to update immediately. No user funds were lost, but the reorg reversed transactions across those 13 blocks, a depth that qualifies as a serious network event by any measure.
Conclusion:
As per security experts the incident exposed a vulnerability in the update mechanism in Proof-of-Work (PoW) networks and there is a level of risk in its privacy layers as threat actors took advantage by channeling funds through external platforms.
At the same time causing a Denial of Service attack (DoS) on large mining pools. The incident proved how important it is for nodes and miners to stay up to date and patch timely.
Sources: Litecoin Network Security: Zero-Day Bug Fixed
Litecoin MWEB Exploit Explained | 13-Block Reorg and What It Means | 2026
Scanners Turn Attack Vector as TrivyScanner Hijacked via GitHub Actions Tags
Attackers Targeted SSH keys, Cloud Tokens & API secrets in CI/CD Pipelines; Highlights Securing CI/CD Pipelines
In latest vulnerability discovery Aqua Security revealed HackerBot-claw bot hijacked 75 of 76 GitHub Actions tags for its Trivy vulnerability scanner. The HackerBot-claw first distributed credential-stealing malware through the widely used security tool for the second time in a one month.
Malicious code rode alongside legitimate scans, targeting SSH keys, cloud tokens and API secrets in CI/CD pipelines. Security researcher Paul McCarty was the first to warn publicly that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users.
Attack module on Trivy
When it comes to workflow it has been observed that more then 10,000 GitHub workflow files rely on trivy-action. Attackers can leverage this pipeline and pull versions during the attack window which are affected and carry sensitive credentials exfiltrated.
Attackers compromised the GitHub Action by modifying its code and retroactively updating version tags to reference a malicious commit. This permitted data used in CI/CD workflows to be printed in GitHub Actions build logs and finally leaking credentials.
A self-propagating npm worm compromised 47 packages, extending the blast radius into the broader JavaScript ecosystem.
Aqua Security disclosed in a GitHub Discussion that the incident stemmed from incomplete containment of an earlier March 1 breach involving a hackerbot-claw bot.
- Attackers swapped the entrypoint.sh in Trivy’s GitHub Actions with a 204-line script that prepended credential-stealing code before the legitimate scanner.
- Lines 4 through 105 contained the infostealer payload, while lines 106 through 204 ran Trivy as normal.
- This made difficult to detect during routine scans.
TeamPCP preserved normal scan functionality to avoid triggering CI/CD failures as detection now will require cryptographic verification of commit signatures .
For defenders, traditional CI/CD monitoring, which watches for build failures or unexpected output, can no longer catch supply-chain compromises that deliberately maintain normal behavior.
Organizations relying on Trivy or similar open-source security tools are facing attacks from the very scanners meant to protect their pipelines can become the attack vector. Only cryptographic provenance checks can distinguish legitimate releases from poisoned ones.
As per security researchers once inside a pipeline, the malicious script scanned memory regions of the GitHub Actions Runner.
Github Compromise
The attack appears to have been accomplished via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags.
Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.
Key Findings b Wiz Research
- According to Wiz, the attack appears to have been carried out via the compromise of the “cx-plugins-releases” service account, with the attackers with malicious container images and GitHub releases published to users.
- The second stage extension is activated and the malicious payload checks whether the victim has credentials from cloud service providers such as GitHub, AWS, Google Cloud, and Microsoft Azure.
- When credentials if they are detected, it proceeds to fetch a next-stage payload from the same domain (“checkmarx[.]zone”).
“The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers major JavaScript package managers,” Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said. “The retrieved package contains a comprehensive credential stealer.
Harvested credentials are then encrypted, using the keys as elsewhere in this campaign, and exfiltrated to ‘checkmarx[.]zone/vsx’ as tpcp.tar.gz.”
Conclusion: Aqua Security urged affected users to “treat all pipeline secrets as compromised and rotate immediately.”
Organizations that ran any version of trivy-action, setup-trivy, or Trivy v0.69.4 during the attack window should audit their CI/CD logs for unexpected network connections to scan.aquasecurtiy[.]org and check whether any tpcp-docs repositories were created under their GitHub accounts.
With three major tag-hijacking incidents in 12 months, Wiz security researcher Rami McCarthy recommended that organizations “pin GitHub Actions to full SHA hashes, not version tags.”
Microsoft Patch Tuesday Feb-2026, Critical Azure RCE & Windows EoP & 0-Days
Microsoft’s February 2026 Patch Tuesday
Continue Reading
Enterprise Flaw ‘GeminiJack’ ZeroClick in Gemini Fixed by Google: Case of Prompt Injection Attack
Google Fixes Gemini Enterprise Flaw
Continue Reading
Gladinet Triofox Patched Critical Unauthenticated Remote Access Vulnerability
Summary : A critical unauthenticated access vulnerability in Triofox is being actively exploited in the wild by threat actor UNC6485. Attackers exploit a Host header spoofing vulnerability to bypass authentication, create native admin accounts and chain abuse of the built-in antivirus feature to execute arbitrary code under SYSTEM privileges.
| OEM | Gladinet |
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-12480 |
| POC Available | YES |
| Actively Exploited | YES |
| Exploited in Wild | YES |
| Advisory Version | 1.0 |
Overview
Triofox is an enterprise file-sharing and remote access platform by Gladinet that enables secure file sync, sharing, and collaboration across on-premises and cloud environments. Immediate upgrade is mandatory to prevent full system compromise, ransomware and persistent remote access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Unauthenticated Access via Host Header Spoofing & Antivirus RCE Chain | CVE-2025-12480 | Triofox | Critical | v16.7.10368.56560 or later |
Technical Summary
The vulnerability in the CanRunCriticalPage() function within GladPageUILib.dll, which allows access to setup pages, if the Host header is “localhost” – without validating the request origin. Attackers spoof this header externally to initiate the setup process, create a Cluster Admin account, and gain authenticated access.
Once logged in, attackers exploit the antivirus configuration feature, which allows arbitrary executable paths. By uploading a malicious script to a shared folder and setting it as the antivirus scanner, the file executes with SYSTEM-level privileges inherited from the Triofox service.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025- 12480 | Triofox < 16.7.10368.56560 | Host header attack bypasses authentication to AdminDatabase.aspx that enables admin account creation. Chained with antivirus path abuse to run uploaded payloads as SYSTEM | Authentication Bypass, Admin Account Creation, Remote Code Execution, Full System Compromise, Persistent Access, Data Exfiltration, Lateral Movement |
Indicators of Compromise (IOCs)
Host-Based Artifacts
| Artifact | Description | SHA-256 Hash |
| C:\Windows\appcompat\SAgentInst aller_16.7.10368.56560.exe | Installer containing Zoho UEMS Agent | 43c455274d41e58132be7f66139566a941190ceba46082eb 2ad7a6a261bfd63f |
| C:\Windows\temp\sihosts.exe | Plink | 50479953865b30775056441b10fdcb984126ba4f98af4f647 56902a807b453e7 |
| C:\Windows\temp\silcon.exe | PuTTy | 16cbe40fb24ce2d422afddb5a90a5801ced32ef52c22c2fc7 7b25a90837f28ad |
| C:\Windows\temp\file.exe | AnyDesk | ac7f226bdf1c6750afa6a03da2b483eee2ef02cd9c2d6af71e a7c6a9a4eace2f |
| C:\triofox\centre_report.bat | Attacker batch script filename | N/A |
Network-Based Artifacts
| IP Address | ASN | Description |
| 85.239.63[.]37 | AS62240 – Clouvider Limited | IP address of the attacker used to initially exploit CVE-2025-12480 to create the admin account and gain access to the Triofox instance |
| 65.109.204[.]197 | AS24950 – Hetzner Online GmbH | After a dormant period, the threat actor used this IP address to login back into the Triofox instance and carry out subsequent activities |
| 84.200.80[.]252 | AS214036 – Ultahost, Inc. | IP address hosting the installer for the Zoho UEMSAgent remote access tool |
| 216.107.136[.]46 | AS396356 – LATITUDE-SH | Plink C2 |
Source: cloud.google.com
Recommendations:
Upgrade Triofox to version 16.7.10368.56560 or latest from the official Gladinet portal.
Conclusion:
This vulnerability represents a severe supply-chain risk in enterprise file-sharing platforms, enabling zero-authentication RCE through misconfigured access controls and feature abuse. With active in-the-wild exploitation by UNC6485 and rapid post-patch attacks, delayed patching significantly increases breach likelihood.
Immediate upgrade, log monitoring, and network hardening are essential to prevent ransomware deployment, data theft, and network pivoting. This incident reinforces the need for secure-by-design input validation and principle of least privilege in remote access tools.
References:
Critical React Native CLI Vulnerability Enables OS Command Injection
Summary: React Native is an open source framework maintained by Meta . A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-11953 |
| POC Available | Yes |
| Actively Exploited | No |
| Advisory Version | 1.0 |
Overview
A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.
The vulnerability comes from unsafe input handling in the /open-url endpoint using the insecure open() function, and a React Native CLI flaw that exposes the server to remote code execution. Immediate updates and mitigations are recommended for all using the affected package versions.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| OS Command Injection | CVE-2025-11953 | @react-native-community/cli @react-native-community/cli-server-api | Critical | @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 |
Technical Summary
The Metro development server’s /open-url HTTP POST endpoint unsafely passes unsanitized user input (url field) as an argument to the open() function from the open NPM package which leads to OS command injection.
On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but not confirmed yet. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-11953 | Development Server’s /open-url Endpoint | The React Native CLI’s Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows. | Remote OS Command Injection |
Recommendations
- Update to @react-native-community/cli-server-api version 20.0.0 or later immediately.
If upgrading is not possible,
- Restrict the Metro server to localhost by adding the flag: –host 127.0.0.1 when starting the server.
- Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early.
How these kind of security flaw can cause damage?
This vulnerability poses a critical threat to React Native developers using the Metro development server due to unauthenticated RCE via network exposure. For any unauthenticated network attacker this is privilege they can weaponize the flaw and send a specially crafted POST request to the server. Then run arbitrary commands.
The attack takes a different turn when it comes to Windows and the exploitation is severe. The attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be widely used to execute arbitrary binaries with limited parameter control.
The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.
The incident highlight requirement for more rigorous input validation and secure-by-default configurations in developer environments.
What should organizations looks for while selecting a comprehensive tools that can provide thorough combing across their IT environment, networks, applications and cloud infrastructure.
Detecting vulnerabilities, misconfigurations with GaarudNode from Intruceptlabs makes it a go to scanner
- GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
- Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
- Any Application security tools are designed to identify a wide range of vulnerabilities across different stages of the software development lifecycle and other types of security issues.
- GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
- Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.
References:
Microsoft October Patch Fixes 175 Vulnerabilities, 6 Zero-Days & Critical Exploits
Summary: Microsoft’s October 2025 Patch Tuesday fixes 175 security vulnerabilities in the products Windows, Office, Azure, and .NET and others. It includes patches for 6 – zero-day vulnerabilities where three vulnerabilities have been exploited and three publicly known vulnerabilities.
Microsoft advises immediate deployment of updates and removal of affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month update.
The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-10-14 |
| No. of Patches | 175 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users & Administrator are urged to update the patch to immediately to stay protected.
Here are the CVE addresses for Microsoft & non-Microsoft:
- 175 Microsoft CVEs addressed
- 21 non-Microsoft CVEs addressed (Republished)
Breakdown of October 2025 Vulnerabilities
- 80 Elevation of Privilege (EoP)
- 31 Remote Code Execution (RCE)
- 28 Information Disclosure
- 11 Denial of Service (DoS)
- 11 Security Feature Bypass
- 12 Spoofing
- 2 Tampering
Source: Microsoft
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Agere Modem Driver Elevation of Privilege Vulnerability | CVE-2025-24990 | Windows 10, 11, Server 2016-2022 | High | 7.8 |
| Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | CVE-2025-59230 | Windows 10, 11, Server 2016-2022 | High | 7.8 |
| Secure Boot Bypass Vulnerability in IGEL OS | CVE-2025-47827 | IGEL OS | Medium | 4.6 |
| Windows Server Update Service (WSUS) Remote Code Execution Vulnerability | CVE-2025-59287 | Windows Server | Critical | 9.8 |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2025-59234 | Microsoft Office | High | 7.8 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2025-59236 | Microsoft Excel (2016-2021) | High | 8.4 |
Technical Summary
October 2025 Patch Tuesday includes security updates addresses remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.
3 zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without needing the modem hardware active, leading to local system compromise.
Additionally, exposes improper access controls in Windows Remote Access Connection Manager, enabling authorized attackers to escalate to SYSTEM privileges with moderate effort.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24990 | Windows Agere Modem Driver | Third-party driver abused for admin privileges; removed in updates, may break fax modem hardware | Privilege Escalation |
| CVE-2025-59230 | Windows Remote Access Connection Manager | Improper access control allows local attackers to gain SYSTEM privileges | Privilege Escalation |
| CVE-2025-47827 | IGEL OS < v11 | Improper cryptographic signature verification enables Secure Boot bypass via crafted root filesystem | Security Feature Bypass |
| CVE-2025-59287 | Windows Server Update Service | Deserialization of untrusted data allows unauthenticated RCE over networks, prime for supply-chain attacks | Remote Code Execution |
| CVE-2025-59234 | Microsoft Office (2016-2021) | Use-after-free in Office allows RCE via malicious files, no authentication required | Remote Code Execution |
| CVE-2025-59236 | Microsoft Excel (2016-2021) | Use-after-free in Excel enables RCE via malicious files, potentially leading to system control | Remote Code Execution |
Source: Microsoft
In addition to several other publicly exploited Zero-Day & Critical severity issues were addressed
- CVE-2025-0033: AMD SEV-SNP Flaw – Race condition in AMD EPYC processors allows hypervisor to tamper with guest memory; needs privileged access. (Critical)
- CVE-2025-24052: Windows Agere Modem EoP – Flaw in modem driver enables local admin privilege escalation; driver removed, may affect fax hardware. (High)
- CVE-2025-2884: TCG TPM 2.0 Vulnerability – Out-of-bounds read in TPM cause info disclosure or DoS, impacting secure boot. (Medium)
- CVE‑2025‑49708: Microsoft Graphics Component EoP – Memory corruption enables network-based privilege escalation. (Critical)
- CVE-2025-59227: Microsoft Office RCE – Use-after-free affecting multiple Office versions. (Critical)
- CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical)
- CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical)
Key Affected Products and Services
- Windows Core and Security Components
Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher.
- Microsoft Office Suite
Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution.
- Azure and Cloud Services
Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances.
- Virtualization and Hyper-V
Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks.
- Developer and Management Tools
Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation.
- Communication & File Services
Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks.
- Browsers and Web Technologies
Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs.
Remediation:
- Install the October 2025 security updates immediately to mitigate risks.
Here are some recommendations below
- Use EDR tools to monitor any indicators like Office crashes or logs.
- Disable unused services to prevent any remote access or other exploitation.
- Apply least privilege access in Office and Azure environments.
- Segment networks to reduce any lateral movement.
Conclusion:
Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks for ransomware, data theft and lateral movement. Administrator, users & security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure.
References:
Jenkins Security Patch Fixed HTTP/2 DoS and Permission Issues
Security advisory: Jenkins addressed critical security flaws in its built-in HTTP server related to the handling of HTTP/2 connections, where attackers could overwhelm servers causing denial of service. This mainly impacts Jenkins instances running with HTTP/2 enabled, which is not the default setting.
| Severity | High |
| CVSS Score | 7.7 |
| CVEs | CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Jenkins, a popular open-source automation server used for building and deploying software, recently patched several high & medium security flaws.
The high severity issue is a Denial-of-Service (DoS) vulnerability that could allow attackers to overwhelm the server and make it stop working properly even without needing to log in.
Other issues included the risk of unauthorized users viewing sensitive configuration information and the possibility of attackers inserting fake log entries to confuse system administrators. Jenkins released updates to fix these issues and strongly recommends users upgrade to the latest versions to stay protected.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| HTTP/2 Denial of Service in bundled Jetty | CVE-2025-5115 | Jenkins (bundled Jetty) | High | Weekly 2.524+, LTS 2.516.3+ |
| Missing permission check – agent names | CVE-2025-59474 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
| Missing permission check – user profile menu | CVE-2025-59475 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
| Log Message Injection Vulnerability | CVE-2025-59476 | Jenkins core | Medium | Weekly 2.528+, LTS 2.516.3+ |
Technical Summary
Additionally, permission checks in some user interface areas were incomplete, allowing unauthorized users to access sensitive information such as agent names and configuration details.
There was also a vulnerability in log message processing that could let attackers insert misleading entries to confuse administrators. All the issues are fixed in Jenkins latest version.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-5115 | Jenkins instances with embedded Jetty server with HTTP/2 enabled | It causes the Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM) in response to malicious or malformed frames, leading to resource exhaustion and potential denial of service. | Denial of service |
| CVE-2025-59474 | Jenkins automation server | Permission check flaw allowing unauthorized users to view Jenkins agent/executor names via the side panel executor’s widget | Information Disclosure |
| CVE-2025-59475 | Jenkins automation server | Permission check flaw allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu. | Information Disclosure |
| CVE-2025-59476 | Jenkins automation server | An attacker can inject line breaks into Jenkins log messages, leading to forged or misleading log entries. | Misleading administrators |
Remediation:
- Users should immediately install the latest, patched version of Jenkins on all servers:
- Weekly Release: Update to Jenkins v2.528 or later.
- Long-Term Support (LTS): Update to Jenkins v2.516.3 or later
Here are some recommendations below.
- If immediate upgrade is not possible, users should disable HTTP/2 to mitigate the Denial-of-Service vulnerability.
- Always keep Jenkins core and plugins up to date with the latest security patches.
- Regularly audit and monitor access logs and system activity
Conclusion:
These security flaws could seriously impact Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because it can be triggered by anyone over the internet, even if they don’t have an account.
Enterprise admins & users should upgrade immediately to the patched versions or disable HTTP/2 to reduce the risk. Keeping Jenkins up to date and following good security practices along with restricting user permissions and monitoring logs is essential to prevent attacks and maintain the stability and safety of software delivery pipelines.
References:
Fake ChatGPT Desktop App used to deliver PipeMagic Malware
Microsoft finds that a fake ChatGPT Desktop App Delivering PipeMagic Backdoor,a part of sophisticated malware framework. The PipeMagic campaign represents a dangerous evolution in the global cybercrime landscape. The malicious campaign, powered by a new backdoor called PipeMagic, targets multiple industries including IT, finance, and real estate. The PipeMagic attack is centered around CVE-2025-29824, a critical Windows Common Log File System (CLFS) vulnerability
The PipeMagic campaign a malware to technical threat exploiting trust globally
As per Microsoft cybercriminals are disguising malware as widely popular ChatGPT Desktop Application to launch ransomware attacks across the globe.
PipeMagic’s evolution from malware to technical threat exploiting trust globally
The malware allows hackers to escalate privileges once inside a system, by leveraging the immense popularity of ChatGPT, attackers have successfully weaponized user trust.
Microsoft has linked the operation to Storm-2460, a financially motivated cybercrime group known for deploying ransomware through stealthy backdoors.
PipeMagic is a malware first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability.
The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.
Pipemagic’s technique of attack
PipeMagic also reflects a growing trend where attackers combine fileless malware techniques with modular frameworks.
By running directly in memory, it avoids detection from traditional signature-based tools. The modular design means it can expand its functionality much like commercial software — essentially transforming cybercrime into a scalable business model.
Another key point is the use of cloud infrastructure for command-and-control. By hosting their servers on Azure, the hackers blend into normal enterprise traffic, making malicious communications far less suspicious. This tactic underscores the need for behavioral monitoring instead of relying solely on blacklists.
Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. This is a warning sign for future attacks in the broader cybersecurity landscape.
PipeMagic’s modus operandi could be an inspiration for future malware families and its modular framework could fuel a wave of ransomware-as-a-service operations. That possibility raises the stakes not just for enterprises but also for small businesses and even government institutions.
The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source for chat GPT application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.
The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server.
The malware self-updates by storing these modules in memory using a series of doubly linked lists.
These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage capabilities of backdoor throughout its lifecycle.
By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.
Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS).
Recent Comments