Vulnerability

Security Advisory

Jenkins Security Patch Fixed HTTP/2 DoS and Permission Issues  

Security advisory: Jenkins addressed critical security flaws in its built-in HTTP server related to the handling of HTTP/2 connections, where attackers could overwhelm servers causing denial of service. This mainly impacts Jenkins instances running with HTTP/2 enabled, which is not the default setting.

Severity High 
CVSS Score 7.7 
CVEs CVE-2025-5115, CVE-2025-59474, CVE-2025-59475, CVE-2025-59476 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Jenkins, a popular open-source automation server used for building and deploying software, recently patched several high & medium security flaws.

The high severity issue is a Denial-of-Service (DoS) vulnerability that could allow attackers to overwhelm the server and make it stop working properly even without needing to log in.

Other issues included the risk of unauthorized users viewing sensitive configuration information and the possibility of attackers inserting fake log entries to confuse system administrators. Jenkins released updates to fix these issues and strongly recommends users upgrade to the latest versions to stay protected. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
HTTP/2 Denial of Service in bundled Jetty  CVE-2025-5115 Jenkins (bundled Jetty)  High Weekly 2.524+, LTS 2.516.3+ 
Missing permission check – agent names CVE-2025-59474 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 
Missing permission check – user profile menu CVE-2025-59475 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 
Log Message Injection Vulnerability CVE-2025-59476 Jenkins core Medium Weekly 2.528+, LTS 2.516.3+ 

Technical Summary 

Additionally, permission checks in some user interface areas were incomplete, allowing unauthorized users to access sensitive information such as agent names and configuration details.

There was also a vulnerability in log message processing that could let attackers insert misleading entries to confuse administrators. All the issues are fixed in Jenkins latest version. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-5115 Jenkins instances with embedded Jetty server with HTTP/2 enabled It causes the Jetty server to repeatedly reset HTTP/2 streams (RST_STREAM) in response to malicious or malformed frames, leading to resource exhaustion and potential denial of service.  Denial of service 
CVE-2025-59474 Jenkins automation server Permission check flaw allowing unauthorized users to view Jenkins agent/executor names via the side panel executor’s widget Information Disclosure 
CVE-2025-59475 Jenkins automation server Permission check flaw allowing authenticated users without Overall/Read permission to view sensitive configuration details via the Jenkins user profile dropdown menu. Information Disclosure 
CVE-2025-59476 Jenkins automation server An attacker can inject line breaks into Jenkins log messages, leading to forged or misleading log entries. Misleading administrators 

Remediation

  • Users should immediately install the latest, patched version of Jenkins on all servers: 
  • Weekly Release: Update to Jenkins v2.528 or later. 
  • Long-Term Support (LTS): Update to Jenkins v2.516.3 or later 

Here are some recommendations below. 

  • If immediate upgrade is not possible, users should disable HTTP/2 to mitigate the Denial-of-Service vulnerability. 
  • Always keep Jenkins core and plugins up to date with the latest security patches. 
  • Regularly audit and monitor access logs and system activity 
     

Conclusion: 
These security flaws could seriously impact Jenkins users, especially those relying on it for continuous integration and deployment. The DoS vulnerability is particularly dangerous because it can be triggered by anyone over the internet, even if they don’t have an account.

Enterprise admins & users should upgrade immediately to the patched versions or disable HTTP/2 to reduce the risk. Keeping Jenkins up to date and following good security practices along with restricting user permissions and monitoring logs is essential to prevent attacks and maintain the stability and safety of software delivery pipelines. 

References

Blogs

Fake ChatGPT Desktop App used to deliver PipeMagic Malware

Microsoft finds that a fake ChatGPT Desktop App Delivering PipeMagic Backdoor,a part of sophisticated malware framework. The PipeMagic campaign represents a dangerous evolution in the global cybercrime landscape. The malicious campaign, powered by a new backdoor called PipeMagic, targets multiple industries including IT, finance, and real estate. The PipeMagic attack is centered around CVE-2025-29824, a critical Windows Common Log File System (CLFS) vulnerability

The PipeMagic campaign a malware to technical threat exploiting trust globally

As per Microsoft cybercriminals are disguising malware as widely popular ChatGPT Desktop Application to launch ransomware attacks across the globe.  

PipeMagic’s evolution from malware to technical threat exploiting trust globally

The malware allows hackers to escalate privileges once inside a system, by leveraging the immense popularity of ChatGPT, attackers have successfully weaponized user trust.

Microsoft has linked the operation to Storm-2460, a financially motivated cybercrime group known for deploying ransomware through stealthy backdoors.

PipeMagic is a malware first detected in December 2022 while investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia. To penetrate the infrastructure, the attackers exploited the CVE-2017-0144 vulnerability.

The backdoor’s loader was a trojanized version of Rufus, a utility for formatting USB drives. PipeMagic supported two modes of operation – as a full-fledged backdoor providing remote access, and as a network gateway – and enabled the execution of a wide range of commands.

Pipemagic’s technique of attack

PipeMagic also reflects a growing trend where attackers combine fileless malware techniques with modular frameworks.

By running directly in memory, it avoids detection from traditional signature-based tools. The modular design means it can expand its functionality much like commercial software — essentially transforming cybercrime into a scalable business model.

Another key point is the use of cloud infrastructure for command-and-control. By hosting their servers on Azure, the hackers blend into normal enterprise traffic, making malicious communications far less suspicious. This tactic underscores the need for behavioral monitoring instead of relying solely on blacklists.

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. This is a warning sign for future attacks in the broader cybersecurity landscape.

PipeMagic’s modus operandi could be an inspiration for future malware families and its modular framework could fuel a wave of ransomware-as-a-service operations. That possibility raises the stakes not just for enterprises but also for small businesses and even government institutions.

The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source for chat GPT application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.

The embedded payload is the PipeMagic malware, a modular backdoor that communicates with its C2 server over TCP. Once active, PipeMagic receives payload modules through a named pipe and its C2 server.

The malware self-updates by storing these modules in memory using a series of doubly linked lists.

These lists serve distinct purposes for staging, execution, and communication, enabling the threat actor to interact and manage capabilities of backdoor throughout its lifecycle.

By offloading network communication and backdoor tasks to discrete modules, PipeMagic maintains a modular, stealthy, and highly extensible architecture, making detection and analysis significantly challenging.

Microsoft Threat Intelligence encountered PipeMagic as part of research on an attack chain involving the exploitation of CVE-2025-29824, an elevation of privilege vulnerability in Windows Common Log File System (CLFS).

Blogs

Firmware Vulnerabilities affecting Dell Laptops Could allow attackers to achieve persistent access 

A set of vulnerabilities affecting millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide. The vulnerability known as “ReVault,” mainly target the Broadcom BCM5820X security chip embedded in Dell’s ControlVault3 firmware.

This subsequently create opportunities for attackers to steal passwords, biometric data, and maintain persistent access to compromised systems.

How does the vulnerability work

Most of the flaws reside in the firmware for ControlVault3 and ControlVault3+, which are hardware security components that store passwords, biometric templates, and security codes.

The lists includes:

  • Two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050)
  • An arbitrary free (CVE-2025-25215) flaw
  • A stack-overflow bug (CVE-2025-24922)
  • An unsafe-deserialization flaw (CVE-2025-24919)

According to the researchers, the vulnerabilities can be exploited in so-called ReVault attacks by:

  • Attackers who have achieved non-administrative access/privileges on a vulnerable target laptop. The vulnerabilities may allow them to interact with the ControlVault firmware and leak key material that would allow them to permanently modify the firmware (i.e., effectively creating a potential backdoor into the system)
  • Attackers that have physical access to the laptop. They could pry the device open, use a custom connector to access the Unified Security Hub board (which runs ControlVault) over USB, and exploit those vulnerabilities – all without having to log into the system beforehand or having knowledge of the full-disk encryption password.

“Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint,” as per researchers.

Technical details have not been publicly shared, but they have, of course, been privately reported to Dell and Broadcom.

These are 5 critical vulnerabilities of ReVault found by Cisco Talos researcher

ReVault Attack – Five Critical Vulnerabilities

ControlVault3 and ControlVault3+ systems:

  • CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage
  • CVE-2025-25050: An out-of-bounds write flaw allowing code execution
  • CVE-2025-25215: An arbitrary memory free vulnerability
  • CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution
  • CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs

Importance of device security posture/Endpoint security

The incident highlight how device posture check is designed to evaluate threat that a device poses to an organization and its systems.

The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level.

Here traditional antivirus solutions cannot detect or remove it. Now sophistication of cyber threats means that organizations need to become more proactive in terms of defense.

The identification and mitigation of a threat early on, via an effective and clearly defined security posture, reduces costs, lessens downtime, and minimizes reputational damage.

Periodic security audits are essential to have a complete check on all the security features of the organization. Such audits identify vulnerabilities in the current security controls and allow for ensuring things align properly with industry standards. 

Importance of Endpoint security

End point security detect and prevent security threats like file-based malware attacks among other malicious activities. It also provides investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.

Conclusion:

Protecting against endpoint attacks is challenging for organisation because endpoints exist where humans and machines intersect. With the increasing number of adversaries trying to breach organizations using sophisticated cyberattacks, quickly detecting potential threats will help speed the remediation process and keep data protected.

(Source: https://www.helpnetsecurity.com/2025/08/05/dell-laptops-firmware-vulnerabilities-revault-attacks/)

Security Advisory

Linux Local Privilege Escalation via udisksd and libblockdev (CVE-2025-6019) PoC released 

Summary : A local privilege escalation vulnerability poc has been released, tracked as CVE-2025-6019, discovered in the udisksd daemon and its backend libblockdev library, affecting widely used Linux distributions including Fedora and SUSE.

Severity High 
CVSS Score 7.0 
CVEs CVE-2025-6019 
POC Available Yes 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

CVE-2025-6019 is a local privilege escalation (LPE) vulnerability affecting systems where: 

  • udisksd is installed and running (e.g., Fedora, SUSE) 
  • Users in the allow active group are trusted to execute disk-related actions 
  • libblockdev fails to validate privileged backend operations under unprivileged contexts 

This flaw allows unprivileged users in the “allow_active” group to escalate privileges and execute commands as root by exploiting insecure trust boundaries in D-Bus IPC communication. 

Vulnerability Name CVE ID Product Affected Severity 
​Local Privilege Escalation Vulnerability  CVE-2025-6019 udisksd / libblockdev  High 

Technical Summary 

This vulnerability is triggered when an attacker in the “allow_active” group issues a crafted D-Bus request to the udisksd daemon using tools like udisksctl. Because the daemon improperly relies on group membership alone (without UID validation), it mistakenly grants root-level mount permissions. 

An attacker can exploit this by  

  • Crafting a malicious disk image (like XFS with a SUID-root shell). 
  • Using “udisksctl mount -b /dev/loop0” to mount it as root. 
  • Escalating privileges and compromising the system. 
CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-6019 Fedora, SUSE, and other Linux distros using udisks2/libblockdev Improper user validation in D-Bus authorization allows unprivileged users to perform privileged disk operations.  Local privilege escalation to root 

Remediation

Here are the recommendations below 

  • Update “udisks2” and “libblockdev” to the latest versions provided by your distribution. 
  • Audit and restrict membership of the “allow_active” group. 
  • Disable unsafe or legacy D-Bus actions in system services where possible. 

Conclusion: 
CVE-2025-6019 highlights a breakdown in privilege boundary enforcement within a core system component used by many Linux desktop environments.

The availability of a public PoC, combined with the low complexity of exploitation, makes this vulnerability highly dangerous, particularly in multi-user or shared computing environments. 

Organizations must act swiftly to patch vulnerable systems, reassess group-based privilege models and implement stricter D-Bus and Polkit rules to reduce attack surface. 

References

Security Advisory

Citrix NetScaler ADC/Gateway Vulnerability Exploited in the Wild (CVE-2025-6543) 

Summary : Security Advisory;

Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.

The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.

OEM Citrix 
Severity Critical 
CVSS Score 9.2 
CVEs CVE-2025-6543 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

A critical memory overflow vulnerability, CVE-2025-6543, has been discovered in NetScaler ADC and NetScaler Gateway products, potentially leading to denial-of-service and unintended control flow. The issue affects deployments configured as Gateway services. Active exploitation in the wild has been reported. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Memory overflow vulnerability  CVE-2025-6543 NetScaler ADC and NetScaler Gateway  Critical  14.1-47.46 / 13.1-59.19 / 13.1-37.236 

Technical Summary 

CVE-2025-6543 is a memory overflow vulnerability in NetScaler ADC and Gateway products that can result in denial-of-service (DoS) or arbitrary control flow, particularly when the system is configured as a Gateway or AAA virtual server.

The flaw stems from improper restriction of operations within memory buffer bounds (CWE-119). This vulnerability has been exploited in real-world attacks. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-6543 NetScaler ADC & Gateway 14.1 before 14.1-47.46, 13.1 before 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP Memory overflow due to improper memory boundary restrictions when configured as Gateway or AAA virtual servers  Denial-of-Service and Unintended control flow 

Remediation

  • Immediate Action: Affected customers are strongly advised to upgrade to the fixed versions: 
Product Version Recommended Fixed Build 
NetScaler ADC / Gateway 14.1 14.1-47.46 or later 
NetScaler ADC / Gateway 13.1 13.1-59.19 or later 
NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.236 or later 

Note: Versions 12.1 and 13.0 are End-of-Life (EOL) and remain vulnerable. These should be replaced with supported, patched builds. 

Customers using FIPS or NDcPP variants should contact Citrix Support directly for access to the fixed builds. 

Conclusion: 
CVE-2025-6543 represents a highly critical risk to organizations utilizing NetScaler Gateway or ADC for secure access and application delivery.

Organizations still using outdated or end-of-life (EOL) versions are especially vulnerable and should prioritize upgrading to supported builds. 

This flaw follows a pattern of severe vulnerabilities affecting NetScaler products, including the recently disclosed CVE-2025-5777 (CVSS score: 9.3), which also posed a significant threat to enterprise infrastructure.

Together these issues highlight the urgent need for timely patching, continuous monitoring, and defense-in-depth strategies to safeguard critical network assets. 

With both flaws being critical bugs, administrators are advised to apply the latest patches from Citrix as soon as possible.

Companies should also monitor their NetScaler instances for unusual user sessions, abnormal behavior, and to review access controls.

References

Security Advisory

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited 

Summary :

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

OEM Fortinet 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-32756 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices. 

Vulnerability Name CVE ID Product Affected Severity 
Remote Code Execution Vulnerability  CVE-2025-32756 Fortinet Products  Critical 

Technical Summary 

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication. 

The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-32756  FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate.   Remote Code Execution, Full device takeover, persistence, data theft, log erasure. 

Remediation

  • Update Immediately: Apply the latest security patches provided by Fortinet. 
  • FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+ 
  • FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+ 
  • FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+ 
  • FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+ 
  • FortiCamera: 2.1.4+ 
  • Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround 

Indicator of Compromise 

For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:  

IP Addresses FileHash-MD5 
156.236.76.90 2c8834a52faee8d87cff7cd09c4fb946 
198.105.127.124 4410352e110f82eabc0bf160bec41d21 
218.187.69.244 489821c38f429a21e1ea821f8460e590 
218.187.69.59 ebce43017d2cb316ea45e08374de7315 
43.228.217.173 364929c45703a84347064e2d5de45bcd 
43.228.217.82   

Conclusion: 
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.

Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss. 

These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.

Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.

References

Security Advisory

Google Chrome Patches Actively Exploited Zero-Day Vulnerability 

Summary : Security Advisory

Google has released a critical out-of-band security update for its Chrome browser to address CVE-2025-5419.

Rated as high-severity zero-day vulnerability in the V8 JavaScript engine that is currently being actively exploited in the wild.

OEM Google 
Severity HIGH 
CVSS Score 8.8 
CVEs CVE-2025-5419 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This vulnerability allows attackers to execute arbitrary code on users’ systems through specially crafted web content, making it a serious threat requiring immediate attention. 

In addition to the zero-day fix, this update also includes a patch for CVE-2025-5068, a medium severity use-after-free vulnerability in Blink, chrome’s rendering engine.

While less critical, such flaws can still result in memory corruption and possible code execution. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Out-of-bounds memory access vulnerability  CVE-2025-5419 Google Chrome  High  137.0.7151.68/.69 (Win/Mac), 137.0.7151.68 (Linux) 

Technical Summary 

This high-severity vulnerability is caused by an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine, reported one week ago by Clement Lecigne and Benoît Sevens of Google’s Threat Analysis Group.

This flaw affects the V8 JavaScript engine and allows attackers to execute arbitrary code via crafted web content.

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-5419  Chrome (all platforms) Out-of-bounds read and write in the V8 JavaScript engine; triggered via malicious HTML   Arbitrary code execution, memory compromise, remote attack 

Remediation

Apply Patches Promptly: Upgrade to Chrome version 137.0.7151.68/.69 or later for Windows and macOS, and 137.0.7151.68 or later for Linux to mitigate the vulnerabilities. 

General Recommendation: 

  • Prioritize Zero-Day Fixes: Treat this patch as high priority due to confirmed in-the-wild exploitation. Immediate action is critical to prevent potential system compromise. 
  • Update Chromium-Based Browsers: Ensure Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi are updated as soon as vendor-specific patches are released. 
  • Automate Browser Updates: Enable automatic updates in Chrome and Chromium environments to maintain timely patching against emerging threats. 
  • Enterprise Patch Rollout: Administrators should fast-track deployment of the fixed version across all endpoints, particularly in high-risk or externally exposed environments. 
  • Monitor for Threat Activity: Continuously monitor browser and network activity for signs of exploitation attempts targeting vulnerable versions. 

Conclusion: 
CVE-2025-5419 poses a significant security risk with confirmed active exploitation in the wild.

Google’s swift action highlights the urgency of this threat. All users are strongly advised to update their Chrome browsers immediately. Delaying this update could expose systems to compromise through malicious web content exploiting this zero-day vulnerability. 

While Chrome will automatically update when new security patches are available, users can speed up the process by going to the Chrome menu > Help > About Google Chrome, letting the update finish, and clicking the ‘Relaunch’ button to install it immediately.

References

Security Advisory

RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials

Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.

If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.

OEMD-link
SeverityMedium
CVSS Score6.5
CVEsCVE-2025-46176
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.

The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.

Vulnerability NameCVE IDProduct AffectedSeverityFixed Version
Hardcoded Telnet Credentials vulnerability  CVE-2025-46176D-Link Router  MediumNo official fix available

Technical Summary

The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.

Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.

Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-46176D-Link DIR-605L v2.13B01, DIR-816L v2.06B01Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords.      RCE

Recommendations:

As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :

  • Disable Telnet access via the router’s web interface.
  • Block Telnet port (23) using firewall rules:

“iptables -A INPUT -p tcp –dport 23 -j DROP”

  • Restrict WAN access to management interfaces.
  • Monitor D-Link’s official support page for firmware updates.

Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users. 

While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.

Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.

Threat from Legacy Devices:

The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.

Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.

References:

Security Advisory

WordPress Ultimate CSV Importer Flaws Put 20,000+ Sites at Risk

Threat researchers discovered an arbitrary File Upload vulnerability and an Arbitrary File Deletion vulnerability within the WP Ultimate CSV Importer plugin. This is affecting versions 7.19 and earlier.

The vulnerabilities have been addressed in version 7.19.1 of the plugin.

Summary 

OEM WordPress 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-2008, CVE- 2025-2007 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The security flaw WordPress plugin, Ultimate CSV Importer, affecting over 20,000 websites. The vulnerabilities, identified as CVE-2025-2008 and CVE-2025-2007, can lead to catastrophic consequences, including complete site compromise. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Arbitrary File Upload  CVE-2025-2008 WordPress  High  8.8 
Arbitrary File Deletion  CVE-2025-2007 WordPress  High  8.1 

Technical Summary 

A critical security vulnerability has been discovered in the WP Ultimate CSV Importer plugin (versions ≤ v7.19). This flaw allows attackers with only Subscriber level access to exploit the system in two dangerous ways: 

  1. Malicious File Upload: Attackers can upload malicious files, potentially enabling remote code execution and granting full control over the affected site. This allows for complete site compromise, including the ability to install backdoors or steal sensitive information. 
  1. Critical File Deletion: Attackers can delete crucial files, such as wp-config.php, which can reset the WordPress site and give attackers the ability to take full control over the site. 
CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-2008  WP Ultimate CSV Importer plugin (versions ≤ 7.19) A critical flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to upload malicious files due to improper file type validation.
This can lead to remote code execution (RCE) and full site takeover. 		  Remote code execution (RCE) 
 CVE-2025-2007 WP Ultimate CSV Importer plugin (versions ≤ 7.19) A serious flaw in the WP Ultimate CSV Importer plugin (≤ v7.19) allows attackers with Subscriber access to delete critical files, like wp-config.php, due to weak file path validation.
This can reset the site, letting attackers take control. 		 Arbitrary file deletion leading to site reset 

Remediation

Install version 7.19.1 or later to fix the security flaws. Keeping all plugins and WordPress updated helps prevent attacks. 

General Recommendations 

  • Update the Plugin – Install the latest version (7.19.1+) to fix security issues and keep your site safe. 
  • Limit User Access – Allow only trusted users to upload or delete files to prevent hackers from exploiting vulnerabilities. 
  • Use Security Plugins – Install tools to block threats, monitor activity, and protect your site. 
  • Backup Your Website – Regularly save backups so you can restore your site if it gets hacked or files are deleted. 

Conclusion: 

A major security issue in a popular WordPress plugin put over 20,000 websites at risk of being taken over by hackers.

Attackers could upload harmful files or delete important ones, making websites vulnerable. This incident shows why keeping plugins updated, limiting user access, and using security tools is crucial. Updating to version 7.19.1 is necessary to stay protected. 

References

Security Advisory

Palo Alto Firewall Vulnerabilities Under Active Exploitation 

An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.

Summary 

OEM Palo Alto 
Severity High 
Date of Announcement 2025-02-19 
CVEs CVE-2025-0108 
CVSS Score 8.8 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.

This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
 Authentication Bypass Vulnerability  CVE-2025-0108  Pan OS         High PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 

Technical Summary 

This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations. 

Vulnerability Name Details Severity Impact 
 Authentication Bypass Vulnerability  This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111.         High Root access of the affected system, unauthorized file exfiltration. 

Recommendations 

  • Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately. 

Here are the details of the required upgrades: 

Version Updated Version 
PAN-OS 11.2 Upgrade to 11.2.4-h4 or later 
PAN-OS 11.1 Upgrade to 11.1.6-h1 or later 
PAN-OS 10.2 Upgrade to 10.2.13-h3 or later 
PAN-OS 10.1 Upgrade to 10.1.14-h9 or later 

General Recommendations 

  • Restrict access to PAN-OS management interfaces to trusted IPs only. 
  • Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions. 
  • Follow best practices for firewall security, including network segmentation and regular vulnerability assessments. 
  • Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity. 

Conclusion 

The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat. 

The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.

References

  • https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/ 
  • https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise   

Scroll to top