Joseph Lee

CVE-2025-31324: An Actively Exploited Flaw Affecting SAP NetWeaver Visual Composer

CVE-2025-31324 (CVSS 9.8), published on April 24th 2025, allows unauthenticated attackers to upload executable files [CWE-434] via the NetWeaver Visual Composer component which can result in Remote Code Execution (RCE). The CVE presents a high degree of risk; many publicly available proof-of-concept (PoC) exploits [1][2][3][4][5] are available, and active attack campaigns have been alerted by multiple cybersecurity organizations [6][7][8]. Although CVE-2025-31324 was initially exploited as a zero-day vulnerability (before public disclosure), the Greenbone Enterprise Feed now includes a detection test, allowing organizations to identify vulnerable instances of SAP NetWeaver in their environment to apply mitigation.

In the past, critical severity vulnerabilities in SAP NetWeaver such as CVE-2020-6287 (aka RECON), have been exploited by initial access brokers (IAB) who then sell unauthorized access to ransomware operators. Let’s further examine the circumstances of CVE-2025-31324.

What Is SAP NetWeaver?

SAP NetWeaver is categorized as a Software Framework within SAP’s suite of enterprise technologies. It serves as the foundational integration and application platform for various SAP solutions, including SAP Enterprise Resource Planning (ERP), Customer Relationship Management (CRM), Supply Chain Management (SCM) and other core business processes. SAP NetWeaver supports a range of use cases, including running the SAP ERP Central Component (ECC), developing and deploying custom applications using ABAP (SAP’s proprietary coding language) or Java, integration of business processes and databases from SAP and non-SAP systems and integration of distributed services through Web Services or Remote Function Calls (RFCs).

Although SAP NetWeaver holds only a minute fraction of the global Software Frameworks category, with around 8,471 companies utilizing the platform, these are prominent enterprises such as Accenture, Baker Hughes, Jabil, Rockwell Automation and Wolters Kluwer. 41% of SAP NetWeaver customers are based in the United States, followed by 7% in India and 6% in Germany. Competitors to SAP NetWeaver include Oracle Fusion Middleware, MuleSoft Anypoint Platform and IBM WebSphere.

SAP NetWeaver Flaws: Hot Targets for Ransomware

CVE-2020-6287 (CVSS 10), known as RECON, is another high-profile vulnerability in SAP NetWeaver disclosed in 2020 that was actively exploited by ransomware threat actors. Following the public disclosure of the RECON vulnerability in July 2020, threat actors rapidly developed and disseminated exploit tools. A PoC exploit became available within a day, and mass scanning activities commenced shortly thereafter. Reports indicate that initial access brokers first exploited RECON and then sold access to ransomware operators and espionage actors resulting in the insolvency of at least one US company.

A Technical Description of CVE-2025-31324

CVE-2025-31324 impacts the Application Layer, specifically the Java stack of SAP NetWeaver, within the Visual Composer development environment. Exploiting CVE-2025-31324 follows a typical attack pattern for unauthenticated file upload vulnerabilities [CWE-434] to gain RCE; uploading a webshell. Attackers have been observed scanning for SAP NetWeaver Java instances to identify the presence of the /developmentserver/metadatauploader URL endpoint. If found, a specially crafted POST request is used to upload malicious executable files (e.g., .jsp webshells). Once the webshell has been uploaded, attackers can access it directly via web browser and proceed to execute arbitrary commands on the victim’s system with the privileges of the <sid>adm operating system user.

This allows access to the underlying database; attackers can modify business logic and potentially pivot to other internal systems, deploy ransomware, steal or alter financial data or exfiltrate sensitive business records. Evidence from analyzed attack campaigns also indicate that attackers are using living-off-the-land techniques (using native OS functionality) to establish persistent access without requiring the uploaded webshell.

Mitigating CVE-2025-31324 in SAP NetWeaver

SAP has issued only a brief reference to CVE-2025-31324 in their April 2025 Security Patch announcement. SAP follows a standard patch cycle for releasing updates similar to Microsoft’s monthly “Patch Tuesday”. To remediate CVE-2025-31324, ensure your SAP NetWeaver system is updated to the latest support package. If the security patch cannot be applied immediately, consider temporarily disabling the Visual Composer component to prevent exploitation until the updates can be installed.

Ideally, NetWeaver instances should not be directly exposed on the public Internet. Doing so poses significant security risks, including exposure to RCE vulnerabilities, authentication bypass flaws and unauthorized data access. In efforts to support remote work, outsourced operations or cloud hosted instances, adequate security gateways should be configured such as a secured reverse proxy, VPN or WAF controls.

It’s also important to check for Indicators of Compromise (IoC) to verify that attackers have not already exploited vulnerable NetWeaver instances. Researchers have observed webshells using filenames such as helper.jsp, cache.jsp, or other randomized filenames. Other measures to detect infection include scanning systems for the presence of malware or other unexpected files, analyzing access logs for suspicious POST requests to /developmentserver/metadatauploader and checking directories such as /irj/root, /irj/work and /irj/work/sync for unauthorized .jsp, .java or .class files. Also, scan for other IoCs related to maintaining persistence relevant to your SAP server operating system (OS).

Summary

CVE-2025-31324 is a critical vulnerability in SAP NetWeaver’s Visual Composer component that allows unauthenticated RCE via arbitrary file uploads. Exploited as a zero-day, the flaw has been used in attacks that initially infect NetWeaver instances with a webshell, then progress to total system compromise including lateral movement within enterprise network environments.

Organizations using SAP NetWeaver are strongly urged to apply SAP’s emergency patch or disable the Visual Composer component and assess systems for Indicators of Compromise to identify existing compromise and recover infected systems. The Greenbone Enterprise Feed includes a detection test, allowing organizations to identify vulnerable instances of SAP NetWeaver in their environment to apply mitigation.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

April 2025 Threat Report: The Consequences Are Real

In the early days of digital, hacking was often fame or prank driven. Fast forward to 2025; hacking has been widely monetized for illicit gains. Cybercrime is predicted to cost the global economy 10.5 trillion Dollar in 2025. Globally, the trend of increasing geocriminality is pushing individual countries and entire economic regions [1][2] to make deeper commitments to cyber defenses. An accelerating threat environment underscores the urgency for proactive, well-funded cybersecurity strategies across all sectors, in all regions of the world.

The continuous deluge of critical vulnerabilities, novel attack techniques, active ransomware and espionage campaigns signal the need for comprehensive cybersecurity measures to prevent the most catastrophic consequences. In this month’s threat report, we will review the post pressing threats from the cybersecurity landscape that emerged in April 2025. Without further ado, let’s get started!

Considering the Consequences

Dire consequences loom for those unprepared to weather sophisticated cyber attacks. Ransomware is widely considered the biggest existential cyber threat business, but data breach lawsuits are escalating dramatically. Breach related class action filings have risen more than 1,265% over six years, with filings in the U.S. more than doubling from 604 in 2022 to 1,320 in 2023. Robust backups can help a victim escape paying ransom, and a well executed incident response plan may minimize downtime, but breach victims have little recourse from costs related to regulatory or legal action.

Equifax’s 2019 settlements are the highest in history for a cybersecurity-related incident – with a total cost estimated at 1.5 billion Dollar. Failure to patch CVE-2017-5638 in Apache Struts, was implicated as the root cause of the breach. In April 2025, U.S. defense contractor Raytheon agreed to pay an 8.5 million Dollar settlement for failing to implement required security measures for 29 of their Department of Defense (DoD) contracts.

Healthcare providers are especially hard-hit because personal healthcare information fetches roughly 1,000 Dollar per record on darkweb marketplaces, compared to 5 Dollar per record for payment card data due to its effective use in identifying fraud. In 2023, the U.S. healthcare sector reported 725 data breaches, exposing over 133 million records. Most recently, on April 23, 2025, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a 600,000 Dollar settlement with PIH Health, Inc. due to inadequate technical safeguards. However, legal consequences for cyber breaches are impacting organizations across all industries. Data breach-related securities class actions have also seen substantial settlements, with three of the top ten largest settlements occurring in 2024, totaling 560 million Dollar.

Considering the consequences, organizations should carefully assess their posture to cyber hygiene, paying special attention to core IT security best practices such as implementing multi-factor authentication (MFA), vulnerability management and network segmentation.

Verizon: Increase in Exploited Vulnerabilities for Initial Access

Verizon’s 2025 Data Breach Investigations Report (DBIR), released in April, reported a 34% increase in exploited vulnerabilities (CVEs) as a root cause of cyberbreaches occurring in between October 2023 and December 2024. Exploited vulnerabilities served as the initial access vector in 20% data breaches studied. While the report indicates that ransom payments are down – 64% of victim organizations did not pay the ransoms, compared to 50% two years ago – the rate of ransomware attacks increased by 37%.

Edge devices and VPNs accounted for 22% of exploitation actions – a sharp rise from just 3% the year before. Despite the growing threat, organizations fully remediated only about 54% of these vulnerabilities, with a median time to remediation of 32 days. Furthermore, edge exploitation for initial access reached 70% in espionage-motivated breaches. This trend of edge device exploitation shows no signs of abating; proactive vulnerability management is more critical than ever to reduce exposure and limit the impact of breaches.

Newly Emerging Threats on the Edge in April 2025

The message from cyber landscape reports is clear: organizations need to be acutely aware of their publicly exposed assets. Detection and remediation of vulnerabilities is critical. Below are the highlights of emerging threat activity affecting network edge devices in April 2025. Greenbone is able to detect all emerging threats referenced below and more.

  • SonicWall SMA100 Appliances: CVE-2023-44221 (CVSS 7.2) and CVE-2021-20035 (CVSS 6.5), both OS Command Injection Vulnerabilities [CWE-78] were added to CISA KEV (Cybersecurity and Infrastructure Security Agency; Known Exploited Vulnerabilities). In April, SonicWall also reported that Proof-of-Concept (PoC) exploits are now publicly available for another vulnerability: CVE-2024-53704 (CVSS 9.8).
  • Ivanti Connect Secure, Policy Secure, and ZTA Gateways: CVE-2025-22457 (CVSS 9.8) is a Stack-Based Buffer Overflow [CWE-121] vulnerability now being actively exploited. Google’s Mandiant threat research group attributed attacks to UNC5221, a Chinese (state sponsored) threat actor. Security firm GreyNoise also observed a 9X increase in bots scanning for exposed Connect Secure endpoints.
  • Fortinet FortiOS and FortiProxy: CVE-2025-24472 (CVSS 9.8) is an Authentication Bypass [CWE-288] flaw that could allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests. The CVE is considered actively exploited. Fortinet also detailed new exploitation activity against older critical vulnerabilities in FortiGate devices, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 (all CVSS 9.8).
  • Juniper Junos OS: CVE-2025-21590 (CVSS 6.7) is an actively exploited flaw that allows a local attacker with high privileges to compromise the integrity of the device. Classified as an Improper Isolation or Compartmentalization [CWE-653] weakness, a local attacker with access to the Juniper CLI shell can inject arbitrary code to compromise an affected device.
  • Multiple Cisco Flaws Exploited: Analysts confirmed targeted attacks against unpatched Cisco infrastructure, especially in telecom environments [1][2]. Chinese state-sponsored group Salt Typhoon continues to exploit CVE-2018-0171 (CVSS 9.8) in Smart Install RCE and CVE-2023-20198 (CVSS 10) in Web UI Privilege Escalation.
  • DrayTek Routers: Three CVEs have been observed in exploitation campaigns, including CVE-2020-8515 (CVSS 9.8), CVE-2021-20123 (CVSS 7.5) and CVE-2021-20124 (CVSS 7.5).
  • Microsoft Remote Desktop Gateway Service: CVE-2025-27480 is a Use After Free [CWE-416] flaw that allows an unauthorized attacker to execute code over a network. While active threats have not been observed yet, Microsoft tracks the vulnerability with an “Exploitation More Likely” status.
  • Erlang/OTP SSH has Public PoC Exploit: Multiple PoC exploits [1][2][3] are now publicly available for CVE-2025-32433 (CVSS 10), a new maximum-severity vulnerability in the Erlang/OTP SSH server. Erlang/OTP is a widely used platform for building scalable and fault-tolerant distributed systems and is in use by large technology companies such as Ericsson, Cisco, Broadcom, EMQ Technologies and Apache Software Foundation, among others.
  • Broadcom Brocade Fabric OS (FOS): CVE-2025-1976 (CVSS 6.7) is a Code Injection Vulnerability [CWE-94] both disclosed and actively exploited in April. FOS is a specialized firmware designed for managing Fibre Channel switches within Storage Area Networks (SANs). The flaw allows a local user with administrative privileges to execute arbitrary code with full root privileges.

New Windows Common Log File System Flaw Used in Ransomware Attacks

A new high severity vulnerability, CVE-2025-29824 (CVSS 7.8) identified in the Microsoft Windows Common Log File System (CLFS) driver allows privilege escalation for local authenticated attackers to gain SYSTEM level access. Furthermore, the vulnerability is being exploited globally in ransomware attacks [1][2], particularly by Storm-2460, to deploy PipeMagic malware payloads.

The Windows CLFS driver has a series of critical privilege escalation vulnerabilities that span multiple years and versions making it a persistent high-value target for attackers. Eight CVEs from 2019 through 2025 have been cataloged in the CISA KEV list with at least four – CVE-2023-28252, CVE-2023-23376, CVE-2022-24521 and CVE-2025-29824 mentioned above – known to be leveraged in ransomware campaigns.

Due to active exploitation of critical vulnerabilities in Microsoft products, it’s essential for organizations to verify that the latest Microsoft security updates have been applied across their IT infrastructure and monitor systems for Indicators of Compromise (IoC). Greenbone can detect vulnerability to all CLFS CVEs mentioned above and missing patch-levels for Microsoft Windows 10 (32-bit & x64), Windows 11 (x64) and Windows Server 2012–2025 endpoints via authenticated Local Security Checks (LSC).

Remote Code Execution Flaw Impacts Craft CMS

CVE-2025-32432 (CVSS 10) is a high impact Remote Code Execution (RCE) vulnerability in Craft CMS (Content Management System) that is considered trivial to exploit. Craft CMS is a website creation framework built on top of the Yii PHP framework. The CVE was reported by Orange Cyberdefense’s CSIRT who discovered it during an incident response. The flaw has been exploited in the wild. Also, technical details and PoC exploits [1][2] including a Metasploit module are publicly available, greatly increasing the threat. Craft CMS is used by prominent organizations including The New York Times, Amazon, Intel, Tesla, NBC, Bloomberg and JPMorgan Chase for creating custom e-commerce and content-driven websites.

Greenbone is able to detect web applications vulnerable to CVE-2025-32432 with an active check that sends a specially crafted POST request and analyzes the response. Craft CMS versions 3.x through 3.9.14, 4.x through 4.14.14, and 5.x through 5.6.16 are affected and users should upgrade to a patched version as soon as possible. If upgrade is not possible the vendor proposes implementing firewall rules to block POST requests to the `actions/assets/generate-transform` endpoint or installing the Craft CMS Security Patches library.

Dualing CVEs in CrushFTP Leveraged by Ransomware

CVE-2025-31161 (CVSS 9.8) poses a severe threat to CrushFTP users. The flaw is an authentication bypass vulnerability [CWE-287] in the HTTP Authorization header that allows remote unauthenticated attackers to authenticate as any existing user account (e.g., crushadmin). The flaw is being leveraged by the Kill threat actor among others in ongoing ransomware attacks.

CVE-2025-31161 affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vendor has released an advisory with updated instructions. Greenbone is able to detect CVE-2025-31161 with both an active check, and a version detection test.

Initially, this vulnerability was tracked with another identifier (CVE-2025-2825). When a third party CNA published it before, CrushFTP had the opportunity to assess the details. The premature disclosure forced CrushFTP to respond publicly before they had developed a patch. This incident highlights a significant risk: because CrushFTP was not a CVE Numbering Authority (CNA), it lacked the authority to assign CVE identifiers to its own products. Instead CrushFTP needed to rely on the third-party researchers who discovered the flaw to manage CVE disclosure.

In the CVE Program, a CNA can define its scope such that it may assign CVE IDs to vulnerabilities affecting its own products and restrict other parties from doing so. If an application’s vendor is a registered CNA, third-party security researchers must disclose their findings to the vendor directly, allowing more control over the timeline of events and a more strategic disclosure. Considering the risks, software vendors should consider becoming a registered CNA with MITRE’s CVE program.

Summary

April 2025 highlighted ongoing threats from edge device vulnerabilities, ransomware activity and newly exploited flaws in widely used software like Craft CMS, Microsoft CLFS and CrushFTP. These developments reinforce the need for organizations to maintain visibility over exposed assets, apply timely patches and stay vigilant against emerging threats that can escalate quickly from initial access to full compromise.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

CVE-2025-34028: Commvault Command Center Actively Exploited for RCE

CVE-2025-34028 (CVSS 10) is a maximum severity flaw in Commvault Command Center, a popular admin console for managing IT security services such as data protection and backups across enterprise environments. As of April 28th, CVE-2025-34028 has been flagged as actively exploited. CVE-2025-34028 also presents heightened risk due to the existence of publicly available proof-of-concept (PoC) exploit code and the fact that Command Center manages the backups and other security configurations for many prominent organizations.

The flaw allows unauthenticated attackers to perform Remote Code Execution (RCE) and to take complete control of a Command Center environment. Given the sensitivity and criticality of IT tasks managed by Commvault, forfeiting complete control has a high potential for disastrous impacts. For example, if backups are disabled, an organization could lose their ability to recover from a ransomware attack. This makes CVE-2025-34028 an attractive target for ransomware operators and financially motivated attackers.

The vulnerability, discovered by Sonny Macdonald of watchTowr Labs, exploits a server-side request forgery (SSRF) [CWE-918] weakness in Command Center’s deployWebpackage.do endpoint. In a successful attack, an adversary uploads a poisoned ZIP archive to a publicly accessible path. The malicious ZIP file is automatically extracted allowing attackers to trigger execution via HTTP GET request to the extracted payload.

CVE-2025-34028 affects versions 11.38.0 to 11.38.19 on both Linux and Windows platforms. Greenbone is able to detect CVE-2025-34028 with an active check that sends a crafted HTTP POST request and checks if the target connects back to the scanner host indicating that it is vulnerable to exploitation. Users of affected versions are urged to apply patches immediately. Let’s further examine the risk posed by CVE-2025-34028.

What is Commvault Command Center?

Commvault Command Center is a web-based interface written in Java that enables organizations to manage data protection, backup, and recovery operations across enterprise environments. Commvault markets itself as a single platform with modular components such as Commvault Complete Backup & Recovery, Commvault HyperScale X and Commvault Disaster Recovery. Most of Commvault’s products rely on the Command Center as their primary management interface. As such, Command Center is used to configure backup jobs, monitor systems, restore data and administer user roles and access.

As of 2025, Commvault maintains roughly 6.2% of the Backup And Recovery market share category, serving over 10,000 organizations globally, across various industries such as banking, healthcare, government and technology. Most of its customers are large enterprises, with 42% having more than 1,000 employees. With Commvault’s adoption among critical sectors including healthcare, government and Fortune 500 companies, the potential impact of this vulnerability is widespread and significant.

A Technical Description of CVE-2025-34028

The discovery and disclosure of CVE-2025-34028 was accompanied by a full technical description and PoC code. Here is a brief summary of the root cause and attack vector for CVE-2025-34028:

The root cause of CVE-2025-34028 is classified as Server-Side Request Forgery (SSRF) [CWE-918]. SSRF vulnerabilities arise when an application is tricked into accessing a remote resource without properly validating it. By exploiting SSRF flaws, an attacker can potentially bypass access controls [CWE-284] such as firewalls that prevent the attackers from accessing the URLs directly. You can think of it as “bouncing” a request off the target in order to bypass security measures. In the case of CVE-2025-34028, the SSRF flaw allows an Unrestricted Upload of File with Dangerous Type [CWE-434].

Here is how the exploit process for CVE-2025-34028 works:

Mixed among the Command Center application endpoints, the researcher found 58 that do not require any form of authentication. Inspecting these unrestricted APIs, researchers discovered the deployWebpackage.do endpoint included a parameter named commcellName, which was used to define the hostname of a URL and which was not filtered for scope. Another parameter, servicePack, defines the local path where the HTTP response to that URL should be stored.

Using a simple directory traversal technique, i.e. prepending the servicePack parameter with “../../” the researcher was able to achieve arbitrary file upload to a custom destination. The Command Center application used a hardcoded filename dist-cc.zip, indicating that the program was expecting a ZIP archive.

When supplying a ZIP archived Java executable (.jsp file), and specifying an unauthenticated route via the servicePack param, a malicious .jsp payload was uploaded, automatically extracted, where it could be accessed directly via an HTTP GET request. This results in execution of the .jsp file by Command Center’s Apache Tomcat web server and unauthenticated, arbitrary RCE on behalf of the attacker.

Mitigating CVE-2025-34028

CVE-2025-34028 affects Commvault Command Center versions 11.38.0 through 11.38.19 on both Linux and Windows platforms and has been resolved in versions 11.38.20 and 11.38.25, with patches released on April 10, 2025. For those unable to update immediately, Commvault recommends isolating the Command Center installation from external network access as a temporary mitigation.

Commvault’s Innovation releases, which are frequent, feature-rich update tracks, are typically updated automatically by the system on a predefined schedule without requiring user action. This is in contrast to Long Term Support (LTS) versions which require manual updates.

Summary

CVE-2025-34028 is a critical severity unauthenticated RCE flaw in Commvault Command Center that doesn’t require user interaction. The vulnerability has been flagged as actively exploited by CISA as of April 2025. CVE-2025-34028 affects Command Center versions 11.38.0–11.38.19 and enables attackers to take full control of backup systems. Commvault is relied upon by many large companies globally for key backup and restoration capabilities making CVE-2025-34028 a hot target for ransomware threat actors. Greenbone is able to detect affected Command Center instances with an active test that uses an HTTP POST request to verify vulnerability.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Intuitive and Clear: Complete Overview of the Security Situation of Your IT Infrastructure – for all Decision-Making Levels

Our newly developed product OPENVAS REPORT integrates the data from practically any number of Greenbone Enterprise Appliances and brings it into a clearly structured dashboard. The user-friendly and comprehensive interface considerably simplifies the protection and safeguarding of even large networks.

Greenbone AG has been developing leading open source technologies for automated vulnerability management since 2008. More than 100,000 installations worldwide rely on the Greenbone community and enterprise editions to strengthen their cyber resilience.

“OPENVAS REPORT stands for innovation from the open source market leader.”

With our new product, we are decisively shortening the path from current security knowledge to the ability to act – faster, clearer and more flexible than ever before,” explains Dr. Jan-Oliver Wagner, CEO of Greenbone AG.

Recognize Hazardous Situations Faster and More Effectively

To protect your digital infrastructures, it is crucial to keep up to date with security-relevant events and to keep the response time to critical incidents as short as possible.

OPENVAS REPORT provides a daily updated, complete overview of the security situation of your IT infrastructure – for all decision-making levels.

Thanks to the connected Greenbone Enterprise Appliances, OPENVAS REPORT automatically recognizes computers and software in the company. Users can mark these with keywords and group and sort them as required – thus maintaining an overview even in very large networks.

Modern, User-friendly Dashboard

The OPENVAS REPORT Dashboard offers modern, user-friendly and highly flexible access for users who work with it on a daily basis. For example, filtering or sorting according to the general severity or specific risk of the vulnerabilities is possible. Companies can thus put together their own customized views, which always show an up-to-date picture of the risk situation in the company network.

Complete Overview

OPENVAS REPORT allows you to record and evaluate your company’s security situation at a glance. Thanks to its simple, clear user guidance, it prepares even the most complex data in a readable and understandable way, thus speeding up decision-making in critical situations.

With flexible and customizable filter options, OPENVAS REPORT considerably simplifies the day-to-day work of administrators and security officers.

Flexible Interfaces

The extensive export functions allow OPENVAS REPORT to be integrated even more deeply into the infrastructure, for example to process external data with OPENVAS REPORT.

Function Added value for your company
Comprehensive asset visibility Complete overview of all IT assets and their vulnerabilities in a single interface – for a complete assessment of your current security situation.
User-friendly dashboards A clearly structured, interactive dashboard makes complex vulnerability information understandable at a glance and accelerates well-founded decisions.
Flexible data processing A wide range of export, API and automation options can be seamlessly integrated into existing workflows and adapted to individual operational requirements.
Efficient data consolidation Aggregates results from multiple scanners and locations in a central database – reduces administrative effort and improves response time.
Customizable classification of vulnerabilities The severity levels and freely definable tags make it possible to precisely map internal compliance and risk models.
Extended reporting functions Target group-specific reports (C-Level, Audit, Operations) can be generated at the touch of a button: filters and drill-down links provide focused insights into critical security problems.

Learn More

Are you interested in a demo or a quote? Contact our sales team and find out more about OPENVAS REPORT. Write to us:sales@greenbone.net or contact us directly. We will be happy to help you!

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Detection Stays Strong Despite NIST NVD Outage

Despite the NVD (National Vulnerability Database) outage of the NIST (National Institute of Standards and Technology), Greenbone’s detection engine remains fully operational, offering reliable, vulnerability scanning without relying on missing CVE enrichment data.

Since 1999 The MITRE Corporation’s Common Vulnerabilities and Exposures (CVE) has provided free public vulnerability intelligence by publishing and managing information about software flaws. NIST has diligently enriched these CVE reports since 2005; adding context to enhance their use for cyber risk assessment. In early 2024, the cybersecurity community was caught off guard as the NIST NVD ground to a halt. Now roughly one year later, the outage had not been fully resolved [1][2]. With an increasing number of CVE submissions each year, NIST’s struggles have left a large percentage without context such as a severity score (CVSS), affected product lists (CPE) and weakness classifications (CWE).

Recent policy shifts pushed by the Trump administration have created further uncertainty about the future of vulnerability information sharing and the many security providers that depend upon it. The FY 2025 budget for CISA includes notable reductions in specific areas such as a 49.8 million Dollar decrease in Procurement, Construction and Improvements and a 4.7 million Dollar cut in Research and Development. In response to the funding challenges, CISA has taken actions to reduce spending, including adjustments to contracts and procurement strategies.

​To be clear, there has been no outage of the CVE program yet. On April 16, the CISA issued a last minute directive to extend its contract with MITRE to ensure the operation of the CVE Program for an additional 11 months just hours before the contract was set to expire. However, nobody can predict how future events will unfold. The potential impact to intelligence sharing is alarming, perhaps signaling a new dimension to a “Cold Cyberwar” of sorts.

This article includes a brief overview of how the CVE program operates, and how Greenbone’s detection capabilities remain strong throughout the NIST NVD outage.

An Overview of the CVE Program Operations

The MITRE Corporation is a non-profit tasked with supporting US homeland security on multiple fronts including defensive research to protect critical infrastructure and cybersecurity. MITRE operates the CVE program, acting as the Primary CNA (CVE Numbering Authority) and maintaining the central infrastructure for CVE ID assignment, record publication, communication workflows among all CNAs and ADPs (Authorized Data Publishers) and program governance. MITRE provides CVE data to the public through its CVE.org website and the cvelistV5 GitHub repository, which contains all CVE Records in structured JSON format. The result has been highly efficient, standardized vulnerability reporting and seamless data sharing across the cybersecurity ecosystem.

After a vulnerability description is submitted to MITRE by a CNA, NIST has historically added:

  • CVSS (Common Vulnerability Scoring System): A severity score and detailed vector string that includes the risk context for Attack Complexity (AC), Impact to Confidentiality (C), Integrity (I), and Availability (A), as well as other factors.
  • CPE (Common Platform Enumeration): A specially formatted string that acts to identify affected products by relaying the product name, vendor, versions, and other architectural specifications.
  • CWE (Common Weakness Enumeration): A root-cause classification according to the type of software flaw involved.

CVSS allows organizations to more easily determine the degree of risk posed by a particular vulnerability and strategically conduct remediation accordingly. Also, because initial CVE reports only require a non-standardized affected product declaration, NIST’s addition of CPE allows vulnerability management platforms to conduct CPE matching as a fast, although somewhat unreliable way to determine whether a CVE exists within an organization’s infrastructure or not.

For a more detailed perspective on how the vulnerability disclosure process works and how CSAF 2.0 offers a decentralized alternative to MITRE’s CVE program, check out our article: How CSAF 2.0 Advances Automated Vulnerability Management. Next, let’s take a closer look at the NIST NVD outage and understand what makes Greenbone’s detection capabilities resilient against the NIST NVD outage.

The NIST NVD Outage: What Happened?

Starting on February 12, 2024, the NVD drastically reduced its enrichment of Common Vulnerabilities and Exposures (CVEs) with critical metadata such as CVSS, CPE and CWE product identifiers. The issue was first identified by Anchore’s VP of Security. As of May 2024, roughly 93% of CVEs added after February 12 were unenriched. By September 2024, NIST had failed to meet its self-imposed deadline; 72.4% of CVEs and 46.7% of new additions to CISA’s Known Exploited Vulnerabilities (KEVs) were still unenriched [3].

The slowdown in NVD’s enrichment process had significant repercussions for the cybersecurity community not only because enriched data is critical for defenders to effectively prioritize security threats, but also because some vulnerability scanners depend on this enriched data to implement their detection techniques.

As a cybersecurity defender, it’s worthwhile asking: was Greenbone affected by the NIST NVD outage? The short answer is no. Read on to find out why Greenbone’s detection capabilities are resilient against the NIST NVD outage.

Greenbone Detection Strong Despite the NVD Outage

Without enriched CVE data, some vulnerability management solutions become ineffective because they rely on CPE matching to determine if a vulnerability exists within an organization’s infrastructure.  However, Greenbone is resilient against the NIST NVD outage because our products do not depend on CPE matching. Greenbone’s OPENVAS vulnerability tests can be built from un-enriched CVE description. In fact, Greenbone can and does include detection for known vulnerabilities and misconfigurations that don’t even have CVEs such as CIS compliance benchmarks [4][5].

To build Vulnerability Tests (VT) Greenbone employs a dedicated team of software engineers who identify the underlying technical aspects of vulnerabilities. Greenbone does include a CVE Scanner feature capable of traditional CPE matching. However, unlike solutions that rely solely on CPE data from NIST NVD to identify vulnerabilities, Greenbone employs detection techniques that extend far beyond basic CPE matching. Therefore, Greenbone’s vulnerability detection capabilities remain robust even in the face of challenges such as the recent outage of the NIST NVD.

To achieve highly resilient, industry leading vulnerability detection, Greenbone’s OPENVAS Scanner component actively interacts with exposed network services to construct a detailed map of a target network’s attack surface. This includes identifying services that are accessible via network connections, probing them to determine products, and executing individual Vulnerability Tests (VT) for each CVE or non-CVE security flaw to actively verify whether they are present. Greenbone’s Enterprise Vulnerability Feed contains over 180,000 VTs, updated daily, to detect the latest disclosed vulnerabilities, ensuring rapid detection of the newest threats.

In addition to its active scanning capabilities, Greenbone supports agentless data collection via authenticated scans. Gathering detailed information from endpoints, Greenbone evaluates installed software packages against issued CVEs. This method provides precise vulnerability detection without depending on enriched CPE data from the NVD.

Key Takeways:

  • Independence from enriched CVE data: Greenbone’s vulnerability detection does not rely on enriched CVE data provided by NIST’s NVD, ensuring uninterrupted performance during outages. A basic description of a vulnerability allows Greenbone’s vulnerability test engineers to develop a detection module.
  • Detection beyond CPE matching: While Greenbone includes a CVE Scanner feature for CPE matching, its detection capabilities extend far beyond this basic approach, utilizing several methods that actively interact with scan targets.
  • Attack surface mapping: The OPENVAS Scanner actively interacts with exposed services to map network attack surface, identifying all network reachable services. Greenbone also performs authenticated scans to gather data directly from endpoint internals. This information is processed to identify vulnerable packages. Enriched CVE data such as CPE is not required.
  • Resilience to NVD enrichment outages: Greenbone’s detection methods remain effective even without NVD enrichment, leveraging CVE descriptions provided by CNAs to create accurate active checks and version-based vulnerability assessments.

Greenbone’s Approach is Practical, Effective and Resilient

Greenbone exemplifies the gold standard of practicality, effectiveness and resilience, achieving a benchmark that IT security teams should be striving to achieve. By leveraging active network mapping, authenticated scans and actively interacting with target infrastructure, Greenbone ensures reliable, resilient detection capabilities in diverse environments.

This higher standard enables organizations to confidently address vulnerabilities, even in complex and dynamic threat landscapes. Even in the absence of NVD enrichment, Greenbone’s detection methods remain effective. With only a general description Greenbone’s VT engineers can develop accurate active checks and product version-based vulnerability assessments.

Through a fundamentally resilient approach to vulnerability detection, Greenbone ensures reliable vulnerability management, setting itself apart in the cybersecurity landscape.

NVD / NIST / MITRE Alternatives

The MITRE issue is a wake-up call for digital sovereignty, and the EU has already (and fast) reacted. A long-awaited alternative, the EuVD by the ENISA, the European Union Agency for Cybersecurity, is there, and will be covered in one of our upcoming blog posts.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

March 2025 Threat Report: Who Do You Trust?

When it comes to protecting your organization from digital threats, who should you trust? Reality dictates that high-resilience IT security is forged from a network of strong partnerships, defense in depth; layered security controls, and regular auditing. Defensive posture needs to be monitored, measured and continuously improved. While vulnerability management has always been a core security control, it is nonetheless a fast moving target. In 2025, continuous and prioritized mitigation of security threats can have a big impact on security outcomes as adversarial time-to-exploit diminishes.

In March 2025’s monthly Threat Report, we will highlight the importance of vulnerability management and Greenbone’s industry leading vulnerability detection by reviewing the most recent critical threats. But these new threats only scratch the surface. In March 2025, Greenbone added 5,283 new vulnerability tests to our Enterprise Feed. Let’s jump into some of the important insights from a highly active threat landscape.

The US Treasury Breach: How Did It Happen?

In late December 2024, the U.S. Treasury Department disclosed that its network was breached by Chinese state-backed hackers and subsequently leveraged sanctions in early January 2025. Forensic investigations have tracked the root-cause to a stolen BeyondTrust API key. The vendor has acknowledged 17 other customers breached by this flaw. Deeper investigation has revealed that the API key was stolen via a flaw in a PostgreSQL built-in function for escaping untrusted input.

When invalid two-byte UTF-8 characters are submitted to a vulnerable PostgreSQL function, only the first byte is escaped, allowing a single quote to pass through unsanitized which can be leveraged to trigger an SQL Injection [CWE-89] attack. The exploitable functions are PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() und PQescapeStringConn(). All versions of PostgreSQL before 17.3, 16.7, 15.11, 14.16, and 13.19 are affected as well as numerous products that depend on these functions.

CVE-2024-12356, (CVSS 9.8) and CVE-2024-12686, (CVSS 7.2) have been issued for BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) and CVE-2025-1094 (CVSS 8.1) addresses the flaw in PostgreSQL. The issue is the subject of several national CERT advisories including Germany’s BSI Cert-Bund (WID-SEC-2024-3726) and the Canadian Centre for Cybersecurity (AV25-084). The flaw has been added to CISA’s known exploited vulnerabilities (KEV) list, and a Metasploit module that exploits vulnerable BeyondTrust products is available, increasing the risk. Greenbone is able to detect the CVEs (Common Vulnerabilities and Exposures) discussed above both in BeyondTrust products or instances of PostgreSQL vulnerable to CVE-2025-1094.

Advanced fined 3.1 Million Pound for Lack of Technical Controls

This month, the UK’s Information Commissioner’s Office (ICO) imposed a 3.07 million Pound fine on Advanced Computer Software Group Ltd. under the UK GDPR for security failures. The case is evidence of how the financial damage caused by a ransomware attack can be further exacerbated by regulatory fines. The initial proposed amount was even higher at 6.09 million Pound. However, since the victim exhibited post-incident cooperation with the NCSC (National Cyber Security Centre), NCA (National Crime Agency) and NHS (National Health Service), a voluntary settlement of 3,076,320 Pound was approved. While operational costs and extortion payments have not been publicly disclosed, they likely add between 10 to 20 million Pound to the incident’s total costs.

Advanced is a major IT and software provider to healthcare organizations including the NHS. In August 2022, Advanced was compromised, attackers gained access to its health and care subsidiary resulting in a serious ransomware incident. The breach disrupted critical services including NHS 111 and prevented healthcare staff from accessing personal data on 79,404 individuals, including sensitive care information.

The ICO concluded that Advanced had incomplete MFA coverage, lacked comprehensive vulnerability scanning and had deficient patch management practices at the time of the incident – factors that collectively represented a failure to implement appropriate technical and organizational measures. Organizations processing sensitive data must treat security controls as non-negotiable. Inadequate patch management remains one of the most exploited gaps in modern attack chains.

Double Trouble: Backups Are Critical to Ransomware Mitigation

Backups are an organization’s last defense against ransomware and most sophisticated advanced persistent threat (APT) actors are known to target their victim’s backups. If a victim’s backups are compromised, submission to ransom demands is more likely. In 2025, this could mean multi-million Dollar losses. In March 2025, two new significant threats to backup services were revealed; CVE-2025-23120, a new critical severity flaw in Veeam was disclosed, and campaigns targeting CVE-2024-48248 in NAKIVO Backup & Replication were observed. Identifying affected systems and patching them is therefore an urgent matter.

In October 2024, our threat report alerted about another vulnerability in Veeam (CVE-2024-40711) being used in ransomware attacks. Overall, CVEs in Veeam Backup and Replication have a high conversion rate for active exploitation, PoC (Proof of Concept) exploits, and use in ransomware attacks. Here are the details for both emerging threats:

  • CVE-2024-48248 (CVSS 8.6): Versions of NAKIVO Backup & Replication before 11.0.0.88174 allow unauthorized Remote Code Execution (RCE) via a function called getImageByPath which allows files to be read remotely. This includes database files containing cleartext credentials for each system that NAKIVO connects to and backs up. A full technical description and proof-of-concept is available and this vulnerability is now tracked as actively exploited.
  • CVE-2025-23120 (CVSS 9.9): Attackers with domain user access can trigger deserialization of attacker-controlled data through the .NET Remoting Channel. Veeam attempts to restrict dangerous types via a blacklist, but researchers discovered exploitable classes (xmlFrameworkDs and BackupSummary) not on the list. These extend .NET’s DataSet class – a well-known RCE vector – allowing arbitrary code execution as SYSTEM on the backup server. The flaw is the subject of national CERT alerts globally including HK, CERT.be, and CERT-In. As per Veeam’s advisory, upgrading to version 12.3.1 is the recommended way to mitigate the vulnerability.

Greenbone is able to detect vulnerable NAKIVO and Veeam instances. Our Enterprise Feed has an active check [1] and version check [2] for CVE-2024-48248 in NAKIVO Backup & Replication, and a remote version check [3] for the Veeam flaw.

IngressNightmare: Unauthenticated Takeover in 43% of Kubernetes Clusters

Kubernetes is the most popular enterprise container orchestration tool globally. Its Ingress feature is a networking component that manages external access to services within a cluster, typically HTTP and HTTPS traffic. A vulnerability dubbed IngressNightmare has exposed an estimated 43% of Kubernetes clusters to unauthenticated remote access – approximately 6,500 clusters, including Fortune 500 companies.

The root-cause is excessive default privileges [CWE-250] and unrestricted network accessibility [CWE-284] in the Ingress-NGINX Controller tool, based on NGINX reverse proxy. IngressNightmare allows attackers to gain complete unauthorized control over workloads, APIs or sensitive resources in multi-tenant and production-grade clusters. A full technical analysis is available from the researchers at Wiz, who pointed out that K8 Admission Controllers are directly accessible without authentication by default, presenting an appealing attack surface to hackers.

The full attack trajectory to achieve arbitrary RCE against an affected K8 instance requires exploiting Ingress-NGINX. First, CVE-2025-1974 (CVSS 9.8) to upload a binary payload as the request body. It should be larger than 8kb in size while specifying a Content-Length header larger than the actual content size. This triggers NGINX to store the request body as a file, and the incorrect Content-Length header means the file will not be deleted as the server waits for more data [CWE-459].

The second stage of this attack requires exploiting CVE-2025-1097, CVE-2025-1098, or CVE-2025-24514 (CVSS 8.8). These CVEs all similarly fail to properly sanitize input [CWE-20] submitted to Admission Controllers. Ingress-NGINX converts Ingress objects to configuration files and validates them with the nginx -t command, allowing attackers to execute a limited set of NGINX configuration directives. Researchers found the ssl_engine module can be triggered to load the shared library binary payload uploaded in the first stage. Although exploitation is not trivial and no public PoC code exists yet, sophisticated threat actors will easily convert the technical analysis into effective exploits.

The Canadian Centre for Cyber Security has issued a CERT advisory (AV25-161) for IngressNightmare. Patched Ingress-NGINX versions 1.12.1 and 1.11.5 are available and users should upgrade as soon as possible. If upgrading the Ingress NGINX Controller is not immediately possible, temporary workarounds can help reduce risk. Strict network policies can restrict access to a cluster’s Admission Controllers allowing access to only the Kubernetes API Server. Alternatively, the Admission Controller component of Ingress-NGINX can be disabled entirely.

Greenbone is able to detect IngressNightmare vulnerabilities with an active check that verifies the presence of all CVEs mentioned above [1][2].

CVE-2025-29927: Next.js Framework Under Attack

A new vulnerability in Next.js, CVE-2025-29927 (CVSS 9.4) is considered high risk due the framework’s popularity and the simplicity of exploitation [1][2]. Adding to the risk, PoC exploit code is publicly available and Akamai researchers have observed active scans probing the Internet for vulnerable apps. Several national CERTs (Computer Emergency Response Teams) have issued alerts for the issue including CERT.NZ, Australian Signals Directorate (ASD), Germany’s BSI Cert-Bund (WID-SEC-2025-062), and the Canadian Centre for Cyber Security (AV25-162).

Next.js is a React middleware framework for building full-stack web applications. Middleware refers to components that sit between two or more systems and handle communication and orchestration. For web-applications, middleware converts incoming HTTP requests into responses and is often also responsible for authentication and authorization. Due to CVE-2025-29927, attackers can bypass Next.js middleware authentication and authorization simply by setting a malicious HTTP header.

If using HTTP headers seems like a bad idea for managing a web application’s internal process flow, CVE-2025-29927 is the evidence. Considering user-provided headers were not correctly distinguished from internal ones, this vulnerability should attain the status of egregious negligence. Attackers can bypass authentication by simply adding the `x‑middleware‑subrequest` header to a request and overloading it with at least as many values as the MAX_RECURSION_DEPTH which is 5. For example:

`x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`

The flaw is fixed in Next.js versions 15.2.3, 14.2.25, 13.5.9 and 12.3.5, and users should follow the vendor’s upgrade guide. If upgrading is infeasible, it is recommended to filter the `x-middleware-subrequest` header from HTTP requests. Greenbone is able to detect vulnerable instances of Next.js with an active check and a version check.

Summary

The March 2025 threat landscape was shaped by vulnerable and actively exploited backup systems, unforgivably weak authentication logic, high-profile regulatory fines and numerous other critical software vulnerabilities. From the U.S. Treasury breach to the Advanced ransomware fallout, the theme is clear: trust doesn’t grow on trees. Cybersecurity resilience must be earned; forged through layered security controls and backed up by accountability.

Greenbone continues to play a vital role by providing timely detection tests for new emerging threats and standardized compliance audits that support a wide array of enterprise architectures. Organizations that want to stay ahead of cyber crime need to proactively scan their infrastructure and close security gaps as they appear.

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

The CPU as a Weakness: how to Manage Hardware Risks with Confidence

Vulnerabilities in IT environments appear in different forms. The most common ones are likely software vulnerabilities that have not been patched. Then there are weak passwords, misconfigurations or network switches that have been EOL for five years. However, another type of security gap sometimes causes significant confusion during the scans: hardware vulnerabilities.

We have become accustomed to the continuous emergence of software vulnerabilities, and hopefully, it is now standard practice for every company to regularly scan its network for vulnerabilities and apply patches. Unfortunately, mistakes are not limited to software developers – CPU developers are not immune either. CPU vulnerabilities often arise from design flaws, allowing malicious actors to exploit unintended side effects to access sensitive data. Unlike software vulnerabilities, which can often be resolved through patches or updates, hardware vulnerabilities require either microcode updates or fundamental architectural changes in future processor designs.

Microcode Updates

The only way to mitigate CPU vulnerabilities is by applying microcode updates, which are typically distributed through the operating system or sometimes even through firmware (UEFI/BIOS). Microcode is a low-level software layer within the processor that translates higher-level machine instructions into specific internal operations.

While end users do not traditionally update microcode themselves, manufacturers like Intel provide relevant updates to patch certain vulnerabilities without requiring a full hardware replacement. However, these updates often introduce performance loss, as they disable or modify certain CPU optimizations to prevent exploitation. In some cases, this can even lead to performance reductions of up to 50%.

Flaws on different levels

Since these vulnerabilities exist at the CPU level, tools like the Greenbone Enterprise Appliance detect and report them. However, this can lead to misconceptions, as users might mistakenly believe that the reported vulnerabilities originate from the operating system. It is crucial to understand that these are not OS vulnerabilities; rather, they are architectural flaws in the processor itself. The vulnerabilities are detected by checking for the absence of appropriate microcode patches when an affected CPU is identified. For example, if a scan detects a system that lacks Intel’s microcode update for Downfall, it will be reported as vulnerable. However, this does not mean that the OS itself is insecure or compromised.

Performance or safety?

In the end, mitigating CPU vulnerabilities always involves trade-offs, and users must decide which approach best suits their needs. In principle, there are three options to choose from:

  • Apply microcode updates and accept significant performance degradation in compute-heavy workloads.
  • Forego certain microcode updates and accept the risks if the probability of exploitation is low in their environment.
  • Replace the affected hardware with CPUs that are not vulnerable to these issues.

Ultimately, the decision depends on the specific use case and risk tolerance of the organization or individual responsibles.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

AMI BMC Flaw: Remote Takeover and DoS of Server Infrastructure

A new critical vulnerability of the highest possible severity score – CVE-2024-54085, CVSS 10 – has just been disclosed. It is found in the widely used American Megatrends’ (AMI) MegaRAC BMC (Baseboard Management Controller) software allowing authentication bypass and exploitation. Due to AMI’s dominant role in the motherboard supply chain, dozens of major hardware vendors are likely impacted. The vulnerability has a full technical explanation and proof-of-concept (PoC) further increasing the risk.

The PoC can effectively create a service account for the Redfish management console, and thus allows unauthenticated access to all remote BMC features. The exploit was verified against HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack. Other analysts have noted that although this CVE was released in 2025 its ID (CVE-2024-54085) was likely reserved in 2024.

CVE-2024-54085 allows an attacker to:

  • Exploit and remotely control a server
  • Install malware on the server including ransomware
  • Modify firmware for tampering
  • Potentially brick motherboard components (BMC or potentially BIOS/UEFI)
  • Cause physical damage via over-voltage
  • Induce indefinite reboot loops causing DoS conditions

Greenbone is able to detect affected servers with a remote vulnerability test that actively probes for a vulnerable BMC.

Potential Scope of the Impact

The particular interface for the MegaRAC BMC (Baseboard Management Controller), called Redfish, is just one of several BMCs that support remote server management. The Redfish standard has seen significant adoption in the enterprise server market as a modern replacement for legacy management interfaces like IPMI. This scope of the impact will include all products including OT, IoT or IT devices using AMI’s MegaRAC. When similar flaws were previously discovered in MegaRAC, the scope included products from Asus, Dell, Gigabyte, Hewlett Packard Enterprise, Lanner, Lenovo, NVIDIA and Tyan. AMI released patches on March 11, 2025, with HPE and Lenovo already issuing updates for affected.

A Technical Description of CVE-2024-54085

CVE-2024-54085 is a flaw in AMI’s SPx (Service Processor) firmware stack. More specifically SPx is part of AMI’s MegaRAC BMC solution. BMCs are microcontrollers embedded on a server’s motherboard that enable remote management and monitoring of the server, even when the system is powered off or unresponsive.

CVE-2024-54085 is classified as a “Authentication Bypass by Spoofing” [CWE-290] flaw. Using a client’s IP address for authentication is a typical scenario when CWE-290 occurs, since the source IP address can often be spoofed by the sender. Although AMI’s advisory is thin on details, Eclypsium researchers, attributed with the discovery, have provided a detailed article explaining the root cause. CVE-2024-54085 in fact does stem from using an IP address as a means for authentication. Redfish’s Lua-based access control logic uses HTTP headers, either the X-Server-Addr header or Host specification to determine whether an HTTP request is internal or external; automatically trusting internal requests as authenticated.

In BMC systems like MegaRAC, the “host interface” refers to a logical and physical connection between the BMC and the main server system (the host). For simplicity, this could be compared to the loopback interface (often named lo) with the IP address 127.0.0.1 and hostname localhost. In this case, the interface that communicates between the BMC chip and the host is assigned an address from the link-local IP range (169.254.0.0 to 169.254.255.255). Furthermore, this IP address is included in a list of trusted addresses during MegaRAC’s HTTP authentication process and successfully spoofing it results in authentication bypass. By reverse engineering the MegaRAC firmware, researchers discovered the link-local address 169.254.0.17 being used across several BMC chips.

The flaw also depends on the implementation of a regular expression that extracts all text from the X-Server-Addr header before the first colon character, and verifies if this text matches the trusted IPs stored in a Redis database. The BMC chips use Lighttpd as an embedded web server which was found to automatically add its own X-Server-Addr value. If a request already includes this header supplied by the client, Lighttpd appends its value after the user supplied one, allowing the attacker to provide a specially crafted header and control the value extracted by the regex. By supplying an X-Server-Addr value that matches the Host system’s link-local address, followed by a colon, (such as 169.254.0.17:) an attacker can trick the BMC into treating the request as though it comes from the internal host interface, bypassing authentication entirely.

Once authentication is bypassed, the rest of the HTTP request is processed, allowing the attacker to execute arbitrary API actions such as creating privileged accounts to gain full remote control over the server’s BMC and access its admin web-interface.

Steps for Mitigating CVE-2024-54085

Organizations must track their hardware vendor’s advisories closely and download the correct firmware updates when they become available. As a temporary safeguard, organizations can inspect their device manuals to determine if Redfish can be disabled if it’s not in use. Since BMCs can remain active even when the main server is powered down, affected systems must be treated as persistently exposed until the firmware is patched, unless Redfish is disabled, or the system is also air-gapped (disconnected from the network). Security teams may also develop new firewall rules or IPS rules to block attempts to exploit this flaw and protect vulnerable BMC management interfaces.

Because the flaw lies in an embedded proprietary firmware, patching is more complex than simply applying a routine operating system or application update. Unlike conventional software, BMC firmware resides on the motherboard’s dedicated chip. Therefore, BMC updates typically require a specialized software utility provided by the device vendor to “flash” the updated firmware. This process also results in downtime since administrators may need to boot into a special environment and reboot the system after the firmware update has been completed.

Summary

CVE-2024-54085 poses an extreme risk to enterprise infrastructure, allowing unauthenticated remote control of servers from major vendors like HPE and Lenovo. Given AMI’s dominant presence in data centers, exploitation could lead to mass outages, bricked hardware, or persistent downtime – making urgent detection and firmware patching essential for all affected systems.

Greenbone is able to detect affected servers with a remote vulnerability test that actively probes for an exploitable BMC interface.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Escalating Attacks Targeting CVE-2024-4577 in PHP-CGI for Windows

CVE-2024-4577 (CVSS 9.8 Critical) is currently climbing the winners’ podium of the most malicious security vulnerabilities. Disclosed in early June 2024 by Devcore security researchers, weaponization began within a mere 48 hours. It is a PHP-CGI OS Command Injection vulnerability [CWE-78] impacting PHP for Windows. Attacks distributing “TellYouThePass” ransomware were immediately observed and the CVE added to CISA’s KEV list (Known Exploited Vulnerabilities of the Cybersecurity and Infrastructure Security Agency). Several months later, exploitation of CVE-2024-4577 suddenly continues to escalate.

Greenbone provided vulnerability tests (VTs) to detect systems impacted by CVE-2024-4577 since it was released in June 2024. This allows defenders to identify affected systems across public-facing or internal network infrastructure. Let’s look deeper into the threat of CVE-2024-4577.

Exploiting CVE-2024-4577 for RCE and Lateral Movement

Proof of concept (PoC) exploit code and a full technical breakdown has long been published by watchTowr Labs, and a Metasploit module was also released in mid-2024. National CERT advisories have recently been issued by CERT New Zealand (CERT NZ) and the Canadian Center for Cyber Security. However, the flaw had already been alerted by CERT-EU, and CERT-FR (French Government CERT) back in June 2024.

Due to CVE-2024-4577, the PHP-CGI (Common Gateway Interface) may misinterpret certain characters as PHP options, which may allow a malicious user to pass options to the php.exe binary. This trick can reveal the source code of scripts or run arbitrary PHP code on the server. CVE-2024-4577 is considered a bypass of a long-ago patched vulnerability in PHP, CVE-2012-1823.

In the case that attackers gain initial access to a victim’s network through social engineering or a different software vulnerability, CVE-2024-4577 can provide an attacker with the opportunity for lateral movement, or covert persistence, penetrating deeper into a victim’s infrastructure and increasing the blast radius of a cyber attack.

A Brief Technical Explanation of CVE-2024-4577

In a nutshell, exploitation of CVE-2024-4577 works by leveraging Unicode character conversion to inject malicious command-line arguments to the php.exe process. On a high-level, web servers behave differently when CGI mode is enabled. A webserver will normally parse HTTP requests and pass them to a PHP script for processing. However, when CGI mode is enabled, attributes are extracted from the URL and passed as arguments to the executable PHP binary (php.exe on Windows). This PHP-CGI process is known to introduce distinct security risks.

Although PHP-GCI is supposed to sanitize shell meta characters (such as hyphens, double-hyphens, ampersands, and equal signs) before being passed, this still opens a pathway to command injection if attackers can find a way to bypass the sanitization process. PHP-CGI encoding was also the target of exploiting CVE-2012-1823. Furthermore, similar character encoding battles are continuously waged resulting in new ways for attackers to execute XSS and SQL injection vulnerabilities.

In the current iteration of this attack, using a soft hyphen (0xAD) instead of a standard hyphen (0x2D), attackers can initiate PHP directives to achieve Remote Code Execution (RCE). This is because Windows uses the UCS-2 character set, converts all characters to the UCS-2 code-point value and also executes an additional “best-fit” conversion. In the case of CVE-2024-4577, it is the best-fit schema that converts soft hyphens into standard hyphens. This allows injecting php.exe with arguments to prepend and execute the HTTP request body itself by adding the command “-d allow_url_include=1 -d auto_prepend_file=php://input” using URL encoded soft hyphens to the HTTP GET string. Soft hyphens are typically invisible UTF-8 characters used to specify locations word breaks, but only when necessary to fit the text on the line. Thanks to Windows’ best-fit conversion, they are effectively converted into command line flags.

CVE-2024-4577 is Being Leveraged Globally in 2025

According to new reports released in March 2025, attacks leveraging CVE-2024-4577 are ongoing,  widespread and escalating. Cisco detected exploitation of CVE-2024-4577 in January 2025, targeting Japanese education, ecommerce and telecommunications companies. After gaining initial access via PHP, attackers installed Cobalt Strike’s ‘TaoWu’ plugins and modified Windows registry keys to establish persistent access through scheduled tasks.

Another recent report from GreyNoise reveals that mass exploitation of CVE-2024-4577 has extended to targets in the US, UK, Singapore, Indonesia, Taiwan, Hong Kong, India, Spain and Malaysia. Germany and China were reportedly the primary sources of attacks, accounting for 43% globally. GreyNoise also maintains a honeynet that detected over 1,089 unique IPs attempting exploitation in January 2025 alone, and counted 79 publicly available, specialized exploit kits. The cybersecurity firm warned of growing attack volume in February 2025, driven by automated scanning and signaling a rapidly escalating cyber threat.

Mitigation for CVE-2024-4577

CVE-2024-4577 affects all PHP versions (including PHP 5 and PHP 7 which are end-of-life) before 8.1.29, 8.2.20 and 8.3.8 on Windows. The best mitigation is to upgrade to a patched version with urgency. For environments where immediate patching isn’t feasible, defenders may disable the execution of PHP-CGI mode in favor of PHP-FPM (FastCGI Process Manager) or alternatively, utilize a web-application firewall (WAF) to filter and block exploitation attempts. PHP system administrators should also note several additional security risks associated with CGI and review them for optimal security.

Greenbone has provided vulnerability tests (VTs) to detect systems impacted by CVE-2024-4577 since it was first disclosed in June 2024. This early detection capability allows defenders to identify affected systems across public facing or internal network infrastructure. Greenbone’s detection tests include remote version detections [1][2], and a remote active check [3].

Summary

CVE-2024-4577 is a critical PHP-CGI vulnerability affecting PHP installations on Windows, that allows remote code execution (RCE). The flaw was weaponized within 48 hours of disclosure and used in TellYouThePass ransomware attacks. According to reports from Cisco and GreyNoise, mass exploitation of CVE-2024-4577 has been escalating globally, and multiple national CERT advisories have been issued. Defenders need to identify where affected products are operating within their infrastructure, and immediately update to a fixed version of PHP, disable PHP-CGI completely or switch to PHP-FPM (FastCGI Process Manager).

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Apache Camel Case-Sensitive Flaw May Forfeit Remote Command Execution

Two new CVEs in Apache Camel have been disclosed warranting immediate attention from users. On March 9, 2025, Apache disclosed CVE-2025-27636 (CVSS 5.6), a Remote Code Execution (RCE) flaw. Two days later, on March 11th, Akamai’s Security Intelligence Group (SIG) reported a bypass technique for the original patch, resulting in CVE-2025-29891 (CVSS 4.2) being published on March 12th.

Green graphic with stylised camel in a desert landscape. To the right is a button with the inscription ‘RCE in Apache Camel’.

Although the two vulnerabilities have only been assigned moderate CVSS severity scores by CISA-ADP (CISA’s Authorized Data Publisher), they could be severe impact vulnerabilities depending on the targeted Camel instance’s configuration. Both CVEs have the same root cause: improper filtering of HTTP headers or HTTP parameters when communicating to an Apache Camel instance. As the article’s title suggests, parameters were filtered using case-sensitive methods, while the arguments themselves were being applied in a non-case-sensitive manner.

Furthermore, publicly available proof-of-concept (PoC) code and a relatively complete technical description adds to the risk. Greenbone can detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints. Let’s review the details.

What Is Apache Camel?

Apache Camel is a popular open-source Java library for integrating different components of a distributed enterprise system architecture such as APIs or microservices. In a nutshell, Camel is a versatile platform for routing and mediation based on the Enterprise Integration Patterns (EIPs) concept of enterprise system architecture design. Apache Camel is heavily based on EIPs and provides an implementation of these patterns via its domain-specific languages (DSL) that include Java, XML, Groovy, YAML and others.

As of 2021, Apache Camel held approximately 3.03% of the Enterprise Application Integration market. The software is used by over 5,600 companies, roughly half being US-based. Camel’s market share is predominantly in the Information Technology and Services industry (33%), Computer Software industry (12%) and Financial Services industry (6%).

Two New CVEs in Apache Camel May Allow RCE

When any of Camel’s HTTP-based components handle requests, a default filter is supposed to prevent exposure of sensitive data or execution of internal commands. However, due to a flawed case-sensitive filtering rule, only exactly matched headers were filtered. However, downstream in the program logic, these headers were being applied in a non-case-sensitive manner, allowing filter bypass. Changing the case of the first character of the header name, an attacker could bypass the filter to inject arbitrary headers.

The good news is that either the camel-bean or camel-exec component must be enabled in combination with an http-based component such as such as camel-http, camel-http4, camel-rest, camel-servlet or others. Also, exploitation is limited to internal methods within the scope declared in the HTTP request URI. One final saving grace is that this flaw has not been implicated as an unauthenticated vulnerability. Therefore, unless the system designers have implemented any authentication and authorization for a Camel HTTP API, it is not exploitable.

At the high-end of the risk spectrum, if the Camel Exec component is enabled and targeted, an attacker can achieve arbitrary RCE as the user controlling the Camel process. RCE is achieved by sending the CamelExecCommandExecutable header to specify an arbitrary shell command, overriding the commands configured on the back-end. If exploitable Camel HTTP APIs are Internet accessible, the risk is especially high, however, this flaw could also be used for lateral movement within a network by an insider, or by attackers who have gained initial access to an organization’s internal network.

A technical description of the exploit chain and proof-of-concept (PoC) has been provided by Akamai.

What Is the Appropriate CVSS Score?

Although CVE-2025-27636 (CVSS 5.6) and CVE-2025-29891 (CVSS 4.2) have been assigned moderate severity scores, they could have a critical impact if either the camel-bean or camel-exec components are enabled in combination with http-based components. The situation highlights some limitations of the scoring by CVSS (Common Vulnerability Scoring System).

Akamai researchers report that the flaw is trivial to exploit and have published proof-of-concept (PoC) code, increasing the risk. This implies that the CVSS Attack Complexity (AC) metric should be set to Low (L). However, CISA-ADP has assessed attack complexity as high (AC:H) given these facts. Red Hat has accounted for these factors and increased the CVSS for CVE-2025-27636 to 6.3.

Also, the CISA-ADP assessed no impact to confidentiality for CVE-2025-29891, despite the potential for arbitrary RCE. However, if an Apache Camel instance has a vulnerable configuration, a high impact assessment for Confidentiality (C), Integrity (I) and Availability (A), is justified further increasing the criticality to CVSS 9.8.

On the other hand, the CISA-ADP assigned a Privileges Required (PR) value of None (N). However, although Akamai’s PoC does not use an HTTPS connection or authentication, it would be extremely negligent to operate an unencrypted and unauthenticated API. Apache Camel supports Java Secure Socket Extension (JSSE) API for Transport Layer Security (TLS) or using a KeyCloak Single Sign-On (SSO) authorization server. Camel instances with some form of client authentication enabled would be protected against exploitation. For most cases, the PR value should be adjusted to Low (L) or High (H) resulting in a diminished CVSS of 7.3 or 8.8.

Furthermore, the CVEs were assigned a Scope value Unchanged (UC). According to the CVSS v3.1 specification: “The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.” Execution of arbitrary shell commands on the compromised system is typically assigned the value of Changed (C). If the Camel process is owned by the Linux/Unix root or a Windows administrator user, an attacker would have virtually unlimited control of a compromised system. Accounting for the variety of possible CVSS assessments, CVE-2025-27636 and CVE-2025-29891 should be considered critical severity vulnerabilities if an instance meets the configuration requirements and does not apply authentication.

Mitigating the CVEs in Apache Camel

CVE-2025-27636 and CVE-2025-29891 affect Apache Camel version 4.10 before 4.10.2, version 4.8 before 4.8.5 and version 3 before 3.22.4. Users should upgrade to 4.10.2, 4.8.5 or 3.22.4 or implement custom header filtering using removeHeader or removeHeaders in Camel routes. It should be noted that Camel versions 4.10.0, 4.10.1, 4.8.0 to 4.8.4, and 3.10.0 to 3.22.3 are still vulnerable although they were considered security updates that addressed the flaw.

Also, it is strongly recommended that all HTTP endpoints in a distributed architecture employ strong authentication. For Apache Camel, options include: using Java Secure Socket Extension (JSSE) API for TLS with Camel components or using a KeyCloak OAuth 2.0 SSO authorization server. For legacy systems, a minimum of HTTP Basic Authentication should be configured.

Summary

Apache Camel users should immediately upgrade to versions 4.10.2, 4.8.5 or 3.22.4 to mitigate the newly published CVEs affecting Apache Camel. Alternatively, implement custom header filtering using removeHeader or removeHeaders in Camel routes. Strong authentication on all HTTP endpoints is also highly recommended for security best-practices. Apache Camel supports the JSSE API for TLS or KeyCloak SSO solutions. Greenbone is able to detect both CVE-2025-27636 and CVE-2025-29891 with vulnerability tests that actively check for exploitable HTTP endpoints.

Contact Test Now Buy Here Back to Overview

/by