Tag Archive for: CVE 2025

The 2025 IOCTA report from Europol warns that demand for data on the cybercrime underground is surging. How much data has been stolen exactly? Determining exact numbers is impossible. However, the personal information of 190 million individuals including Social Security Numbers (SSN), was stolen from Change Healthcare in a single breach. That’s more than half of the total US population exposed in one incident. That incident pales in comparison to the 2024 National Public Data Breach, which included 272 million distinct SSNs, 420 million distinct addresses, and 161 million distinct phone numbers. In 2024, Europe saw approximately 363 breach notifications per day across surveyed EEA countries. Now, new strains of destructive wiper malware are emerging. In comparison, victims of data theft may soon be considered the “lucky” ones.

Cyber defenders are in a battle of attrition. Managing the continuous onslaught of new threats is a monumental and critical task. In this month’s threat report, we provide insight into the latest wave of wiper malware, new actively exploited vulnerabilities, and emerging threats shaping the global cyber conflict.

New Wave of Wipers Enter the Cyber Combat

Cisco Talos just observed a previously unknown wiper malware dubbed “PathWiper”, leveraged in a destructive attack against Ukrainian critical infrastructure. Wipers are most often deployed in cyber warfare (CW) campaigns, where financial gain is not the primary motive. Whereas ransomware coerces victims into paying for the return of their encrypted data, wipers simply destroy it. Wipers have been used since the start of the Russia-Ukraine war: HermeticWiper was deployed against Ukraine in 2022, crippling government agencies and critical services hours before Russia first invaded.

Cybersecurity analysts also recently noted an emerging ransomware-as-a-service (RaaS) group, Anubis, which has added a wiper option to their custom ransomware payload. Amidst heightened geopolitical tensions, it’s plausible that nation-state threat actors will incentivize willing RaaS operators and hacktivists to carry out destructive attacks for impact.

Wiper attacks themselves aren’t new. Shamoon (aka Disttrack), discovered in 2012, was the first major wiper malware. Suspected to have been developed by Iranian threat actors, it was used to attack Saudi Aramco and other Gulf state organizations. Masquerading as ransomware, NotPetya was another prominent wiper strain that emerged in 2017 with global impact.

Organizations, especially critical infrastructure, need to consider the potential impact that wiper malware could have on their resilience. What if paying ransom is not an option? A well designed backup strategy can enable full or partial data recovery, but downtime also has a financial impact and has even recently resulted in loss of life. Ensuring that mean-time-to-recovery (MTTR) objectives can be realized is key to operational continuity. Of course, diligently closing security gaps before threat actors can exploit them is also essential to a proactive cyber strategy.

Sorting True Risk from “AI-Slop”: Linux CVEs in Flux

The days when Linux attracted fewer cyber attacks have long passed. Linux systems are increasingly targeted by sophisticated actors. Last year, the number of Linux kernel CVEs (Common Vulnerabilities and Exposures) also exploded: the Kernel CNA (CVE Numbering Authority) assigned an average of 55 new CVEs per week in 2024. This growth is sometimes attributed to AI uncovering bugs which are not actually security risks – dubbed “AI slop”. Curl’s creator, Daniel Stenberg, even posted a notice banning “AI slop” bug reports. A related bug report discussion raised the concern of “an attack on our resources to handle security issues”.

On the risk and patch management side of the coin, many defenders don’t have the luxury of conducting a deep investigation into each CVE’s technical feasibility. Conducting technical assessments and analyzing “patch diffs” takes enormous amounts of time. The resulting battle of attrition pits security teams against the clock. To prioritize remediation, they rely on CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System), exploit status, and environmental factors such as compliance requirements and operational criticality. Security leaders want to see evidence that progress is continuous and that security gaps are closed. This is truly the benefit of using a vulnerability management platform such as Greenbone.
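The prioritization described above can be made concrete. The following is an added example, not Greenbone’s scoring logic: it combines CVSS, EPSS, exploit status and environmental criticality into a single ranking over a constructed inventory built from CVEs in this report. The weights, the remediation deadlines and all EPSS values except RoundCube’s (the report states 81%) are assumptions for illustration.

```python
# Added example (not Greenbone's scoring logic): rank findings by combining the
# factors the text names. Weights and sample EPSS values are assumptions.
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float                  # CVSS base score, 0-10
    epss: float                  # EPSS probability, 0-1
    exploited: bool = False      # known exploited (e.g. listed in CISA KEV)
    public_poc: bool = False     # public proof-of-concept available
    asset_criticality: int = 1   # environmental factor: 1 (low) .. 3 (crown jewels)
    internet_facing: bool = False


def priority_score(f: Finding) -> float:
    """Severity scaled by likelihood, then bumped for exploit status and context."""
    score = f.cvss * 10 * (0.5 + f.epss)          # 0-150 range before modifiers
    if f.exploited:
        score += 40                                # confirmed exploitation outranks a PoC
    elif f.public_poc:
        score += 20
    score *= 1 + 0.25 * (f.asset_criticality - 1)  # compliance / operational criticality
    if f.internet_facing:
        score *= 1.5                               # reachable without prior access
    return round(score, 1)


def remediation_sla_days(score: float) -> int:
    """Map a score to a patch deadline; thresholds are an illustrative policy."""
    if score >= 150:
        return 3
    if score >= 100:
        return 7
    if score >= 50:
        return 30
    return 90


def rank(findings):
    """Highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed inventory using CVEs from this report. CVSS values are as the text
# gives them; the RoundCube EPSS reflects the stated 81%, the others are guessed.
INVENTORY = [
    Finding("CVE-2025-49113", 9.9, 0.81, public_poc=True, asset_criticality=2, internet_facing=True),
    Finding("CVE-2023-0386", 7.8, 0.30, exploited=True, asset_criticality=2),
    Finding("CVE-2025-6019", 7.0, 0.05, public_poc=True),
    Finding("CVE-2025-40908", 9.1, 0.02),
]

if __name__ == "__main__":
    for f in rank(INVENTORY):
        s = priority_score(f)
        print(f"{f.cve:16} score={s:6.1f} patch within {remediation_sla_days(s)} days")
```

The instructive outcome is that CVE-2025-40908, despite the highest CVSS of the Linux items, ranks last: with no exploit activity and a low EPSS it is outranked by the actively exploited OverlayFS flaw and the udisks bug with a public PoC.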

That being said, here are some new high-risk Linux privilege escalation CVEs that gained attention this month:

  • CVE-2023-0386 (CVSS 7.8): Now deemed actively exploited, the Linux kernel’s OverlayFS subsystem allows escalation to root-level by abusing how files with special privileges are copied between certain mounted filesystems.
  • CVE-2025-6019 (CVSS 7.0): A flaw found in Fedora and SUSE distros allows non-root users in the “allow_active” group to execute privileged disk operations such as mounting, unlocking, and formatting devices via D-Bus calls to udisksd. The vulnerability is considered easy to exploit, and a public PoC (Proof of Concept) is available, increasing the risk.
  • CVE-2025-32462 and CVE-2025-32463: Two local privilege escalation vulnerabilities were fixed in Sudo 1.9.17p1, released on June 30, 2025. CVE-2025-32462 allows local users to abuse the --host option to escalate privileges on permitted hosts, while CVE-2025-32463 permits unauthorized root access via the chroot option, even when not explicitly allowed in the sudoers file.
  • CVE-2025-40908 (CVSS 9.1): Unauthenticated attackers can modify existing files simply by processing a crafted YAML file as input, due to improper use of the two-argument open call. Vulnerable systems include any Perl applications or distributions (like Amazon Linux, SUSE, Red Hat, Debian) using YAML-LibYAML before version 0.903.0.

CVE-2025-49113: A Critical Severity CVE in RoundCube Webmail

A recently disclosed vulnerability tracked as CVE-2025-49113 (CVSS 9.9) in RoundCube Webmail allows authenticated attackers to execute arbitrary code on a RoundCube server. A poorly designed PHP deserialization operation [CWE-502] fails to properly validate user input, allowing the “_from” parameter to carry malicious serialized code. Attackers who successfully exploit the bug can potentially gain full control over the RoundCube server to steal data and install command and control (C2) tools for persistent access.

Although CVE-2025-49113 requires valid credentials for exploitation, admin credentials are not required. Technical analysis [1][2], PoC exploits [3][4], and a Metasploit module are available, increasing the potential risk for abuse. An EPSS score of 81 indicates an extremely high probability of exploitation in the near future. Meanwhile, the researcher who discovered the flaw claims that exploit kits are already for sale on underground cybercrime forums. Numerous national CERT agencies have issued alerts for the flaw [5][6][7][8][9], while Shadowserver reported over 84,000 exposed Roundcube services existed in early June.

Greenbone Enterprise Feed includes remote version detection [10][11] and Linux Local Security Checks (LSC) [12][13][14][15][16][17] to identify vulnerable instances of RoundCube Webmail (versions prior to 1.5.10 and 1.6.11). Users are encouraged to apply updates with urgency.

New Critical CVE in Cisco ISE Cloud Has PoC Exploit

CVE-2025-20286 (CVSS 10) is a new flaw affecting Cisco Identity Services Engine (ISE) cloud deployments on AWS, Azure, and Oracle Cloud Infrastructure (OCI). The bug could allow unauthenticated, remote attackers to access sensitive data, perform some limited administrative operations, modify system configurations, and disrupt services. Due to poor software design, identical access credentials [CWE-259] are generated and shared across all connected ISE instances running the same release and platform.

Cisco has acknowledged the existence of a publicly available exploit. The vendor also stated that the vulnerability is only exploitable when the Primary Administration Node is deployed in the cloud. On-premises deployments and several hybrid/cloud VM solutions are not affected. Overall, the widespread use of Cisco ISE in enterprise networks and the availability of exploit code make CVE-2025-20286 a high-risk vulnerability for those with affected configurations. Greenbone includes a version detection test to identify instances that may be vulnerable.

CitrixBleed 2 and Another Actively Exploited Flaw in Citrix NetScaler ADC and Gateway

Dubbed “CitrixBleed 2”, CVE-2025-5777 (CVSS 9.3) is an out-of-bounds read [CWE-125] vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway, which allows unauthenticated, remote attackers to steal valid session tokens from memory by sending malformed HTTP requests. CVE-2025-5777 is due to insufficient input validation – unfortunately, a common, yet easily preventable root cause of software bugs. Exposure of session tokens allows impersonation of legitimate users, resulting in unauthorized access. Security experts speculate that exploitation is imminent, drawing parallels to the original CitrixBleed (CVE-2023-4966) vulnerability leveraged by ransomware groups in high-profile breaches.

Another flaw, CVE-2025-6543 (CVSS 9.8), also affecting Citrix NetScaler ADC and Gateway, was added to CISA KEV, indicating that active exploitation is already underway. CVE-2025-6543 is a memory overflow vulnerability [CWE-119]. While the impact has been officially described as DoS, researchers believe it may lead to arbitrary code execution or device takeover, as seen in similar past cases.

Both flaws only impact devices configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA (Authentication, Authorization, and Accounting) virtual servers. Both flaws are the subject of widespread national CERT advisories [1][2][3][4][5][6][7]. Greenbone provides a remote version check to detect CitrixBleed 2 and a remote version check for CVE-2025-6543. Users should patch with urgency.

A Trio of Exploitable Sitecore CMS Flaws

Three new CVEs affecting Sitecore Experience Platform can be chained to allow unauthenticated Remote Code Execution (RCE). The flaws were disclosed with a full technical description and PoC guidance, making their exploitation highly likely. In the attack chain, CVE-2025-34509 provides initial authenticated access, while CVE-2025-34510 and CVE-2025-34511 are both post-authentication RCE flaws. Attackers can first exploit hardcoded credentials to generate a valid session token, then upload a malicious “.aspx” web shell and proceed to execute arbitrary shell commands on the victim’s system. Alternatively, CVE-2025-34511 could be used to execute PowerShell commands instead of uploading a web shell.

Here are brief descriptions of each:

  • CVE-2025-34509 (CVSS 8.2): Hardcoded credentials [CWE-798] allow remote attackers to authenticate using this account to access the admin API.
  • CVE-2025-34510 (CVSS 8.8): A relative path traversal vulnerability [CWE-23] known as “Zip Slip” allows an authenticated attacker to extract malicious files from a ZIP archive into the webroot directory, which could lead to RCE via .aspx web shell.
  • CVE-2025-34511 (CVSS 8.8): An unrestricted file upload vulnerability [CWE-434] in the PowerShell Extensions module allows an attacker to upload arbitrary files, including executable scripts, to any writable location. Although CVE-2025-34511 requires the Sitecore PowerShell Extension to be installed, this is considered a common configuration.
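The “Zip Slip” weakness behind CVE-2025-34510 is a generic upload-handling defect, and the defence is the same regardless of product. The following is an added example, not Sitecore’s code: an extractor that resolves every archive member under the destination before writing anything and refuses entries that would land outside it, plus a file-type allowlist so that server-side script files such as .aspx never get written from an upload. The scratch directory, archive contents and allowlist are constructed for the demo.

```python
# Added example (not Sitecore's code): a ZIP upload handler that refuses
# "Zip Slip" entries (CWE-23) instead of trusting member names. Paths and
# the extension allowlist are assumptions for the demo.
import io
import os
import tempfile
import zipfile

ALLOWED_SUFFIXES = {".txt", ".png", ".jpg", ".pdf"}   # never server-side script types


def build_archive(entries):
    """Construct an in-memory ZIP from {member_name: bytes} (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)   # member names are not sanitised on write
    return buf.getvalue()


def target_path(dest, member_name):
    """Resolve member_name under dest; raise if the result would leave dest."""
    real_dest = os.path.realpath(dest)
    candidate = os.path.realpath(os.path.join(real_dest, member_name))
    # Absolute names and ../ sequences both end up outside real_dest after realpath
    if candidate != real_dest and not candidate.startswith(real_dest + os.sep):
        raise ValueError(f"zip entry escapes destination: {member_name!r}")
    return candidate


def safe_extract(data, dest):
    """Validate every member before writing anything (fail closed); return written paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = []
        for info in zf.infolist():
            path = target_path(dest, info.filename)
            if not info.is_dir() and os.path.splitext(path)[1].lower() not in ALLOWED_SUFFIXES:
                raise ValueError(f"disallowed file type: {info.filename!r}")
            plan.append((info, path))
        for info, path in plan:
            if info.is_dir():
                os.makedirs(path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with zf.open(info) as src, open(path, "wb") as dst:
                dst.write(src.read())
            written.append(path)
    return written


def demo():
    """Extract a clean archive and a hostile one into a scratch webroot; summarise."""
    webroot = tempfile.mkdtemp(prefix="webroot_")
    clean = build_archive({"media/notes.txt": b"hello"})
    hostile = build_archive({"media/notes.txt": b"hello", "../shell.aspx": b"<% %>"})
    written = safe_extract(clean, webroot)
    try:
        safe_extract(hostile, webroot)
        blocked = False
    except ValueError:
        blocked = True
    # Nothing from the hostile archive may reach the parent of the webroot
    escaped = os.path.exists(os.path.join(os.path.dirname(webroot), "shell.aspx"))
    with open(written[0], "rb") as fh:
        content = fh.read()
    return {"written": len(written), "content": content, "blocked": blocked, "escaped": escaped}


if __name__ == "__main__":
    print(demo())
```

Validating the whole member list before the first write matters: the hostile archive above also contains a legitimate entry, and an extractor that checks names one at a time while writing would leave partial state behind when it finally hits the bad one.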

Sitecore is a popular enterprise Content Management System (CMS) used by major global organizations across industries. While it is estimated that Sitecore represents between 0.45% and 0.86% of the global CMS market share [1][2], this user base consists of high-value targets. Greenbone is able to detect vulnerable instances of Sitecore with an active check and a remote version detection test. Patches were released in Sitecore version 10.4 and backported to earlier supported versions, allowing users to upgrade.

Bypass of CVE-2025-23120 in Veeam Backups

CVE-2025-23121 (CVSS 9.9) is a deserialization flaw [CWE-502] that allows authenticated domain users to execute arbitrary code [CWE-94] on Veeam Backup & Replication servers. The vulnerability arises from insecure data processing and is considered a bypass of a previously patched flaw, CVE-2025-23120.

No public PoC exploit is currently available; however, CVEs in Veeam Backup & Replication are often targeted by attackers. The vulnerability only applies to organizations using domain-joined backup servers, but it presents a serious threat given the importance of backups in ransomware recovery. Attackers may obtain valid credentials for authentication via credential theft, or use password spraying to target re-used credentials.

Greenbone can remotely detect affected Veeam products and prompt patching to version 12.3.2.3617, which is strongly recommended.

Summary

June 2025 saw the emergence of at least two new wiper malware strains, threatening to impact critical infrastructure and enterprises. Widespread massive data breaches are escalating, impacting organizations and individuals as stolen data gets used for various malicious ends. This month also saw a deluge of newly discovered, critical-severity vulnerabilities in enterprise-grade products, most of which were not covered in this report. Many with PoCs or full exploit kits available within hours of their disclosure. From RoundCube and Cisco ISE to Citrix and Linux systems, high-risk digital weaknesses that demand attention are escalating the cyber war of attrition for defenders worldwide.

It’s not “unauthenticated” because the first step is to gain authentication, right?

May 2025 was a volcanic month for cybersecurity news, including several large breaches and new critical severity vulnerabilities. The Greenbone blog has already covered some major events, such as new actively exploited vulnerabilities in SAP Netweaver, Commvault Command Center and Ivanti EPMM. In total 4,014 new vulnerabilities were added to MITRE’s CVE (Common Vulnerabilities and Exposures) program. Greenbone added over 2,500 vulnerability tests to the Enterprise Feed, many capable of detecting multiple CVEs.

In this threat report for May 2025, we will round up some of the riskiest new CVEs disclosed this month, review a nation-state backed cyber campaign impacting tech companies around the world, and review how AI is poised to escalate cyber risk with intelligent automation at all stages of the Cyber Kill Chain.

The Inevitable AI-Enabled Attack Cycle: Hack, Rinse, Repeat

AI is now a force multiplier in the cyber attack lifecycle. Threat actors are leveraging AI in two fundamental ways: expediting the conversion of public vulnerability knowledge into exploit tools, and building more convincing social engineering content. Researchers have proposed a long list of additional capabilities that AI can further optimize, including automation of initial access attacks and command-and-control (C2) operations.

Even without AI, skilled human hackers can exfiltrate sensitive information within minutes of initial access. If significant vulnerabilities exist on the LAN side of a victim’s network, manual deployment of ransomware is trivial. In 2017, WannaCry demonstrated that ransomware attacks can be automated and wormable, i.e., capable of spreading between systems autonomously.

According to Norton’s latest Gen Threat Report, data-theft has increased 186% in Q1 2025. As discussed last month, data-theft-related class action filings have risen more than 1,265% over six years. When a victim’s cyber hygiene is non-compliant, multi-million dollar settlements are the norm. The top 10 data-breach class action settlements in 2023 totaled over 515 million dollars; the largest was a 350 million dollar settlement involving T-Mobile. This stolen data is often sold on the dark web, becoming fuel for subsequent cyber attacks. We should expect AI to reach full autonomy at all stages of the Cyber Kill Chain in the near future, resulting in a fully autonomous vicious cycle of exploitation; hack, rinse, repeat.

Russian GRU-Backed Espionage Campaign Hits Global Tech and Logistic Firms

CISA (Cybersecurity and Infrastructure Security Agency) and defense entities from nine other countries have warned of a cyber espionage-oriented campaign. The operation is being conducted by the Russian General Staff Main Intelligence Directorate (GRU), specifically the 85th Main Special Service Center (85th GTsSS), military unit 26165. The group is tracked under several aliases including the well-known FancyBear and APT28.

The full report outlines detailed Tactics, Techniques and Procedures (TTPs) leveraged in the campaign, which includes reconnaissance [TA0043], credential brute forcing [T1110.003], spearphishing to attain credentials and deliver malware [T1566], exploiting trust relationships to gain access [T1199], proxying attacks through compromised devices [T1665] and exploiting known software vulnerabilities – both for initial access [T1190] and privilege escalation [T1068]. The sheer diversity of attack techniques indicates a highly sophisticated threat.

The campaign targets a wide range of small office/home office (SOHO) devices, Microsoft Outlook, RoundCube Webmail and WinRAR as well as undisclosed CVEs in other internet-facing infrastructure – including corporate VPNs and SQL injection flaws. Greenbone includes detection tests for all CVEs referenced in the report. Those CVEs include:

  • CVE-2023-23397 (CVSS 9.8): A privilege escalation vulnerability in Microsoft Outlook that leverages replay of captured Net-NTLMv2 hashes.
  • CVE-2020-12641 (CVSS 9.8): Allows attackers to execute arbitrary code via shell metacharacters in a Roundcube Webmail configuration setting for `im_convert_path` or `im_identify_path`.
  • CVE-2020-35730 (CVSS 5.0): An XSS flaw in Roundcube Webmail via a plain text email message, containing a JavaScript link reference.
  • CVE-2021-44026 (CVSS 9.8): An SQL injection flaw in Roundcube via search or search_params.
  • CVE-2023-38831 (CVSS 7.8): Allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.

DragonForce Ransomware Spreads its Wings

Emerging in mid-2023, DragonForce transitioned from a hacktivist collective into a financially motivated Ransomware-as-a-Service (RaaS) operation. Fast forward to 2025, and DragonForce has established itself as an apex threat in the ransomware ecosystem.

DragonForce ransomware attacks impacted the following countries:

  • United States – 43 confirmed incidents
  • United Kingdom – including recent May 2025 breaches of Marks & Spencer, Co-op and Harrods
  • Saudi Arabia – a data leak from a major Riyadh construction firm
  • Australia – e.g., Yakult Australia
  • Singapore – Coca-Cola operations
  • Palau – a government breach in March 2024
  • Canada – among the top five most attacked nations
  • India – has faced increased targeting, particularly in the past month

Campaigns have included exploitation of SimpleHelp remote monitoring and management (RMM) [1], Confluence Server and Data Center [2], Log4Shell (aka Log4J), Microsoft Windows vulnerabilities, as well as various flaws in Ivanti products [3]. Greenbone provides multiple active check and version detection tests for all CVEs identified in DragonForce campaigns.

DragonForce has been observed exploiting:

In line with the attack trajectory of other prominent ransomware actors, DragonForce is known to use other techniques in addition to breaching public-facing vulnerabilities such as phishing emails, credential theft, brute-force, and credential stuffing attacks on exposed services and remote management (RMM) tools like AnyDesk, Atera, and TeamViewer, for persistence and lateral movement. Therefore, organizations need comprehensive cybersecurity programs that include user awareness training to prevent social engineering attacks and regular penetration testing to simulate real-world adversarial activity.

CVE-2025-32756: Stack-Based Buffer Overflow Vulnerability in Multiple Fortinet Products

CVE-2025-32756 (CVSS 9.8), published on May 13, 2025, is a critical severity stack-based buffer overflow vulnerability [CWE-121] affecting multiple Fortinet products. It allows remote, unauthenticated attackers to execute arbitrary code via a crafted HTTP cookie. The flaw is being actively exploited in the wild – primarily against FortiVoice systems – and is linked to attacks involving malware deployment, credential theft using a cron job, and network reconnaissance. Proof-of-concept details are publicly available, and a full technical analysis has been published, increasing the risk factor.

Fortinet flaws have a historically high conversion rate for use in ransomware attacks. A total of 18 vulnerabilities in Fortinet products have been added to CISA’s Known Exploited Vulnerabilities (KEV) list since late 2021 – 11 of these are known to be leveraged by ransomware operators. In addition to CISA, several other national CERT entities have issued alerts, including CERT-EU, the Centre for Cybersecurity Belgium (CCB), and Germany’s CERT-Bund.

The root cause is a missing length check in the `cookieval_unwrap()` function of libhttputil.so. A malicious AuthHash cookie can induce memory corruption to control the return memory address, allowing an attacker to hijack execution flow at the process level. Greenbone Enterprise Feed provides a vulnerability test to detect affected products and almost 1,000 other tests for detecting other vulnerabilities in Fortinet products.

CVE-2025-32756 affects dozens of firmware versions across multiple Fortinet products, including:

  • FortiVoice (6.4.0 – 7.2.0)
  • FortiMail (7.0.0 – 7.6.2)
  • FortiNDR (1.1 – 7.6.0)
  • FortiRecorder (6.4.0 – 7.2.3)
  • all versions of FortiCamera 1.1 and 2.0 as well as 2.1.0 – 2.1.3

Fortinet advises upgrading to the latest fixed versions immediately. If patching is not feasible, users should disable the HTTP/HTTPS administrative interface to prevent successful attacks.

Trio of SysAid Flaws Now Have CVEs and Public PoC

In May, three critical-severity vulnerabilities were disclosed affecting the on-premises SysAid IT Service Management (ITSM) platform. These flaws can be chained to allow unauthenticated Remote Code Execution (RCE). Full technical details and a Proof of Concept (PoC) were published by watchTowr. Considering that SysAid vulnerabilities have been targeted by ransomware operators in the past, these flaws are especially high risk.

CVE-2025-2775, CVE-2025-2776, and CVE-2025-2777 (each CVSS 9.3) are unauthenticated XML External Entity (XXE) [CWE-611] vulnerabilities, found in the Checkin, Server URL and lshw functions respectively. All allow admin account takeover and arbitrary file read on the victim’s system. SysAid On-Prem versions ≤ 23.3.40 are affected. Notably, the flaws were patched by the vendor in March, but CVE IDs were not reserved or issued. This type of scenario contributes to a less transparent threat landscape for software users, reducing visibility and complicating operational vulnerability management. Greenbone offers detection tests for all aforementioned CVEs.

SysAid has a global presence of over 10,000 customers across 140 countries, including organizations such as Coca-Cola, Panasonic, Adobe, and LG. While it holds a smaller share of the ITSM market compared to larger competitors like ServiceNow or Jira Service Management, it remains a popular solution for mid-sized businesses.

A CVSS 10 in Cisco IOS XE Wireless Controller

CVE-2025-20188 is a new critical-severity (CVSS 10) vulnerability disclosed in May 2025. It affects Cisco’s flagship platform, the Catalyst 9800 Series. Although not known to be actively exploited yet, a full technical walkthrough is now available, which will provide less sophisticated threat actors with a head start.

The root cause of the vulnerability is a hard-coded JSON Web Token (JWT) which could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges via specially crafted HTTP request. Specifically, a hardcoded fallback secret – the string `notfound` – is used to verify the authenticity of a JWT if `/tmp/nginx_jwt_key` is not present.

Although this key file may be generated at certain times, such as when an administrator logs into the management console, it may not be present at certain times, such as immediately after a device reboot or service start.
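The design error here is a verifier that silently degrades to a known constant when its key material is absent. The following is an added example, not Cisco’s code: a minimal HS256 JWT verifier written two ways, first with the fallback-secret pattern described above and then fail-closed, exercised in the simulated post-reboot window where the key file does not yet exist. The key path, claims and key length are assumptions for the demo.

```python
# Added example (not Cisco's code): a minimal HS256 JWT verifier showing the
# pattern the text describes, a hard-coded fallback secret used when the key
# file is missing, next to a fail-closed version. Paths are assumptions.
import base64
import hashlib
import hmac
import json
import os
import tempfile

FALLBACK_SECRET = b"notfound"      # the constant named in the text


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return the claims if the signature checks out under `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                      # refuse alg confusion / "none"
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:                       # malformed token or encoding
        return None


def verify_with_fallback(token: str, key_path: str):
    """Vulnerable: when the key file is absent, a public constant becomes the key."""
    if os.path.exists(key_path):
        with open(key_path, "rb") as fh:
            secret = fh.read()
    else:
        secret = FALLBACK_SECRET
    return verify_hs256(token, secret)


class KeyUnavailable(Exception):
    """Raised when no usable signing key exists; callers must treat this as a refusal."""


def verify_fail_closed(token: str, key_path: str, min_len: int = 32):
    """Hardened: missing or weak key material means no token is accepted at all."""
    if not os.path.exists(key_path):
        raise KeyUnavailable(f"signing key missing at {key_path}; refusing all tokens")
    with open(key_path, "rb") as fh:
        secret = fh.read()
    if len(secret) < min_len:
        raise KeyUnavailable("signing key too short")
    return verify_hs256(token, secret)


def demo():
    """Simulate the post-reboot window (no key file yet), then the normal state."""
    key_path = os.path.join(tempfile.mkdtemp(), "nginx_jwt_key")   # not created yet
    # A token signed with the public constant is exactly what the fallback accepts
    constant_token = sign_hs256({"sub": "admin"}, FALLBACK_SECRET)
    weak_accepted = verify_with_fallback(constant_token, key_path)
    try:
        verify_fail_closed(constant_token, key_path)
        hardened_refused = False
    except KeyUnavailable:
        hardened_refused = True
    # Key generated (e.g. after an admin login): legitimate tokens verify, the
    # constant-keyed one still does not
    with open(key_path, "wb") as fh:
        fh.write(os.urandom(32))
    with open(key_path, "rb") as fh:
        real_key = fh.read()
    legit = verify_fail_closed(sign_hs256({"sub": "operator"}, real_key), key_path)
    stale = verify_fail_closed(constant_token, key_path)
    return {"weak_accepted": weak_accepted, "hardened_refused": hardened_refused,
            "legit": legit, "stale": stale}
```

A verifier with no key should answer every request with a refusal (and ideally log that it is running without key material), never with a default; the hardened version also pins the algorithm so that a token cannot select a weaker verification path.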

Crucially, the flaw does not affect all HTTP endpoints – it is limited to the Out-of-Band Access Point (AP) Image Download feature of Cisco IOS XE Software for WLAN Controllers (WLCs). While Cisco’s advisory claims this service is not enabled by default, Horizon3.ai researchers found that it was. Therefore, while there are several conditions affecting the exploitability of CVE-2025-20188, if those conditions are present, exploitation is trivial – and likely affects many organizations.

Cisco has released an advisory which recommends that affected users either upgrade to the patched version, or disable the Out-of-Band AP Image Download feature. Greenbone Enterprise Feed includes a version detection test for identifying affected devices and verifying patch level.

Summary

May 2025 delivered a surge of critical vulnerabilities, major breaches and escalating nation-state activity. It’s important to keep in mind that AI-enhanced attack cycles are destined to become a reality – the chaotic and urgent cybersecurity landscape shows no sign of easing any time soon.

New actively exploited flaws in Cisco, Fortinet, and SysAid products force organizations to maintain vigilant, continuous detection efforts, followed by prioritization and mitigation.

Greenbone’s Enterprise coverage helps security teams see vulnerabilities that threat actors can exploit to stay ahead in a fast-moving threat landscape.

This year, many large organizations around the world will be forced to reckon with the root-cause of cyber intrusions. Many known vulnerabilities are an open gateway to restricted network resources. Our first Threat Report of 2025 reviews some disastrous breaches from 2024 and then dives into some pressing cybersecurity vulnerabilities from this past month.

However, to be clear, the vulnerabilities discussed here merely scratch the surface. In January 2025, over 4,000 new CVEs (Common Vulnerabilities and Exposures) were published; 22 with the maximum CVSS score of 10, and 375 rated critical severity. The deluge of critical severity flaws in edge networking devices has not abated. Newly attacked flaws in products from global tech giants like Microsoft, Apple, Cisco, Fortinet, Palo Alto Networks, Ivanti, Oracle and others have been appended to CISA’s (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities (KEV) catalog.

Software Supply Chain: the User’s Responsibility

We are all running software we didn’t design ourselves. This places a huge emphasis on trust. Where trust is uncertain – whether due to fears of poor diligence, malice or human error – cybersecurity responsibility still rests on the end-user. Risk assurances depend heavily on technical knowledge and collective effort. Defenders need to remember these facts in 2025.

When supply chain security fails, ask why! Did the software vendor provide the required tools to take control of your own security outcomes? Is your IT security team executing diligent vulnerability discovery and remediation? Are your resources segmented with strong access controls? Have employees been trained to identify phishing attacks? Are other reasonable cybersecurity measures in place? Organizations need to mature their ransomware-readiness, implement regular vulnerability assessments and prioritized patch management. And they should verify reliable backup strategies can meet recovery targets and prioritize other fundamental security controls to protect sensitive data and prevent downtime.

Fortune Favors the Prepared

Assessing 2024, the annual review of the UK’s NCSC (National Cyber Security Centre) painted a grim picture: significant cyberattacks had increased threefold compared to 2023. For a bird’s-eye view, CSIS (the Center for Strategic and International Studies) has posted an extensive list of the most significant cyber incidents of 2024. The landscape has been shaped by the Russia-Ukraine conflict and an accelerated shift from globalization to adversarialism.

Check Point Research found that 96% of all vulnerabilities exploited in 2024 were over a year old. These are positive findings for proactive defenders. Entities conducting vulnerability management will fare much better against targeted ransomware and mass exploitation attacks. One thing is clear: proactive cybersecurity reduces the cost of a breach.

Let’s review two of the most significant breaches from 2024:

  • The Change Healthcare Breach: Overall in 2024, breaches of healthcare entities were down from 2023’s record-setting year. However, the ransomware attack against Change Healthcare set a new record for the number of affected individuals at 190 million, with total costs so far reaching 2.457 billion dollars. The State of Nebraska has now filed a lawsuit against Change Healthcare for operating outdated IT systems that failed to meet enterprise security standards. According to IBM, breaches in the healthcare industry are the most costly, averaging 9.77 million dollars in 2024.
  • Typhoon Teams Breach 9 US Telecoms: The “Typhoon” suffix is used by Microsoft’s threat actor naming convention for groups with Chinese origins. The Chinese state-sponsored adversary known as Salt Typhoon infiltrated the networks of at least nine major U.S. telecommunications companies, accessing users’ call and text metadata and audio recordings of high-profile government officials. Volt Typhoon breached Singapore Telecommunications (SingTel) and other telecom operators globally. The “Typhoons” exploited vulnerabilities in outdated network devices, including unpatched Microsoft Exchange Server, Cisco routers, Fortinet and Sophos firewalls and Ivanti VPN appliances. Greenbone is able to detect all known software vulnerabilities associated with Salt Typhoon and Volt Typhoon attacks [1][2].

UK May Ban Ransomware Payments in Public Sector

The UK government’s framework to combat ransomware has proposed a ban on ransom payments by public sector entities and critical infrastructure operators with hopes to deter cyber criminals from targeting them in the first place. However, a new report from The National Audit Office (NAO), the UK’s independent public spending watchdog, says “cyber threat to UK government is severe and advancing quickly”.

The FBI, CISA and NSA all advise against paying ransoms. After all, paying a ransom does not guarantee the recovery of encrypted data or prevent the public release of stolen data, and may even encourage further extortion. On the flip side, IBM’s security think-tank acknowledges that many SME organizations could not fiscally survive the downtime imposed by ransomware. While both sides make points here, could enriching cyber criminals while failing to shore up local talent result in a positive outcome?

Vulnerability in SonicWall SMA 1000 Actively Exploited

Microsoft Threat Intelligence has uncovered active exploitation of SonicWall SMA 1000 gateways via CVE-2025-23006 (CVSS 9.8 Critical). The flaw is caused by improper handling of untrusted data during deserialization [CWE-502]. It could allow an unauthenticated attacker with access to the internal Appliance Management Console (AMC) or Central Management Console (CMC) interface to execute arbitrary OS commands. SonicWall has released hotfix version 12.4.3-02854 to address the flaw.
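CVE-2025-23006 is the third CWE-502 flaw in this archive, alongside CVE-2025-49113 in RoundCube (PHP deserialization of the “_from” parameter) and CVE-2025-23121 in Veeam Backup & Replication. The following is an added example, not the code of SonicWall, RoundCube or Veeam, showing the shared pattern in Python: a native deserializer that reconstructs whatever classes the sender names, beside a restricted loader that refuses every class reference, and the preferred fix of a data-only format with a schema check. The message fields and sample inputs are constructed for the demo.

```python
# Added example (not the code of RoundCube, Veeam or SonicWall): the CWE-502
# pattern behind all three flaws, shown in Python. The field names are assumed.
import io
import json
import pickle


def load_untrusted_unsafe(blob: bytes):
    """Vulnerable pattern: the native deserializer instantiates whatever classes
    the sender names, so object construction and its side effects are sender-chosen."""
    return pickle.loads(blob)


class DataOnlyUnpickler(pickle.Unpickler):
    """Rejects every class or global reference; only built-in containers and
    scalars can be reconstructed (the approach recommended in the pickle docs)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_untrusted_restricted(blob: bytes):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


# Preferred fix: a data-only wire format plus an explicit schema check.
MESSAGE_SCHEMA = {"from": str, "subject": str, "attachments": list}


def parse_message(text: str) -> dict:
    """Accept only the expected fields with the expected types."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != set(MESSAGE_SCHEMA):
        raise ValueError("unexpected fields in message")
    for key, typ in MESSAGE_SCHEMA.items():
        if not isinstance(obj[key], typ):
            raise ValueError(f"field {key!r} must be {typ.__name__}")
    return obj


def demo():
    """Constructed inputs: a plain dict and a pickle carrying a global reference."""
    plain = pickle.dumps({"from": "alice@example.test", "subject": "hi"})
    with_global = pickle.dumps(len)      # harmless builtins.len, but a class/global lookup
    out = {"restricted_plain": load_untrusted_restricted(plain),
           "unsafe_resolves_global": load_untrusted_unsafe(with_global) is len}
    try:
        load_untrusted_restricted(with_global)
        out["restricted_blocked"] = False
    except pickle.UnpicklingError:
        out["restricted_blocked"] = True
    out["json_ok"] = parse_message(
        '{"from": "alice@example.test", "subject": "hi", "attachments": []}')
    try:
        parse_message(
            '{"from": "alice@example.test", "subject": "hi", "attachments": [], "cmd": "x"}')
        out["json_blocked"] = False
    except ValueError:
        out["json_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is a containment measure for code that cannot change its wire format; the JSON path with a schema is the fix to aim for, since the parser then has no concept of "instantiate a class" for an attacker to reach.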

While no publicly available exploit code has been identified, numerous government agencies have issued alerts, including Germany’s BSI CERT-Bund, the Canadian Centre for Cyber Security, CISA, and the UK’s NHS (National Health Service). Greenbone is able to detect SonicWall systems impacted by CVE-2025-23006 by remotely checking the version identified from the service banner.
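The banner-based check described above comes down to comparing an observed version string against the hotfix build. The following is an added example, not Greenbone’s own detection logic: it assumes the appliance reports its version in a banner as major.minor.patch-build (the hotfix named above is 12.4.3-02854) and treats any older build as affected. The banner strings are constructed sample input, and a banner with no parseable version is reported as unknown rather than silently passed.

```python
"""Version-banner check for SonicWall SMA 1000 CVE-2025-23006 (added example)."""
import re
from typing import Dict, Optional, Tuple

# Fixed build named in the advisory summary above; everything older is treated as affected.
HOTFIX_VERSION = "12.4.3-02854"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the first major.minor.patch[-build] tuple from a banner.
    A missing build number counts as build 0, so "12.4.3" sorts before "12.4.3-02854"."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build else 0)


def is_vulnerable(banner: str, fixed: str = HOTFIX_VERSION) -> Optional[bool]:
    """True if the banner version is older than the fixed version, False if equal
    or newer, None if no version could be parsed (triage by hand, do not assume safe)."""
    observed = parse_version(banner)
    fixed_v = parse_version(fixed)
    if observed is None or fixed_v is None:
        return None
    return observed < fixed_v  # tuple comparison: major, then minor, patch, build


# Constructed banners for illustration; real banners differ in wording and build numbers.
SAMPLE_BANNERS: Dict[str, str] = {
    "gw-old": "SMA 1000 12.4.2-00100",
    "gw-prepatch": "SMA 1000 12.4.3-02800",
    "gw-patched": "SMA 1000 12.4.3-02854",
    "gw-newer": "SMA 1000 12.4.4-00010",
    "gw-unknown": "SMA 1000 version unavailable",
}


def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Label each host 'vulnerable', 'patched' or 'unknown' from its banner."""
    labels: Dict[str, str] = {}
    for host, banner in banners.items():
        result = is_vulnerable(banner)
        labels[host] = "unknown" if result is None else ("vulnerable" if result else "patched")
    return labels


if __name__ == "__main__":
    for host, label in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {label}")
```

The build number after the hyphen matters here: 12.4.3 alone is not enough to decide, because the fix is a hotfix build of the same point release, so a check that drops the build suffix would report patched systems and unpatched ones identically.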

CVE-2024-44243 for Persistent Rootkit in macOS

January 2025 was a firestorm month for Apple security. Microsoft Threat Intelligence also turned its attention to macOS, discovering a vulnerability that could allow an installed app to bypass macOS System Integrity Protection (SIP). According to Microsoft, this could allow attackers to install rootkits and persistent malware and to bypass Transparency, Consent and Control (TCC), which grants granular access permissions to applications on a per-folder basis. While active exploitation has not been reported, Microsoft has released technical details on their findings.

As January closed, a batch of 88 new CVEs, 17 of them with critical CVSS scores, was published affecting the full spectrum of Apple products. One of these, CVE-2025-24085, was observed in active attacks and added to CISA’s KEV catalog. On top of these, two speculative execution vulnerabilities in Apple’s M-series chips, dubbed SLAP and FLOP, were disclosed but have not yet been assigned CVEs. For SLAP, researchers leveraged chip flaws to exploit Safari WebKit’s heap allocation techniques and manipulated JavaScript string metadata to enable out-of-bounds speculative reads, allowing them to extract sensitive DOM content from other open website tabs. For FLOP, researchers demonstrated that sensitive data can be stolen from Safari and Google Chrome, bypassing JavaScript type checking in Safari WebKit and Chrome’s Site Isolation via WebAssembly.

Furthermore, five high severity vulnerabilities were also published affecting Microsoft Office for macOS, each potentially granting Remote Code Execution (RCE) to an attacker. Affected products include Microsoft Word (CVE-2025-21363), Excel (CVE-2025-21354 and CVE-2025-21362) and OneNote (CVE-2025-21402) for macOS. While no technical details about these vulnerabilities are yet available, all have high CVSS ratings and users should update as soon as possible.

The Greenbone Enterprise Feed includes detection for missing macOS security updates and many other CVEs affecting applications for macOS including the five newly disclosed CVEs in Microsoft Office for Mac.

6 CVEs in Rsync Allow Both Server and Client Takeover

The combination of two newly discovered vulnerabilities may allow the execution of arbitrary code on vulnerable rsyncd servers by a client with only anonymous read access. The culprits are CVE-2024-12084, a heap buffer overflow, and CVE-2024-12085, an information leak. Public mirrors using rsyncd represent the highest risk since they inherently lack access control.

The researchers also found that a weaponized rsync server can read and write arbitrary files on connected clients. This can allow theft of sensitive information and potentially execution of malicious code by modifying executable files.

Here is a summary of the new flaws ordered by CVSS severity:

Collectively, these flaws present serious risk of RCE, data exfiltration and installing persistent malware on both rsyncd servers and unsuspecting clients. Users must update to the patched version, thoroughly look for any Indicators of Compromise (IoC) on any systems that have used rsync, and potentially redeploy file sharing infrastructure. Greenbone is able to detect all known vulnerabilities in rsync and non-compliance with critical security updates.
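The client-side risk described above, a hostile server reading or writing files outside the directory the client asked to sync, is a general problem for any client that accepts file names from an untrusted peer. The following is an added example, constructed for this report and not rsync’s code: it assumes the server delivers its file list as plain relative path strings and shows how a client can confine every name to the chosen destination directory, rejecting absolute names, “..” components and names that would pass through a symlink pointing outside the destination. The sample file list and the planted symlink are constructed.

```python
"""Confine server-supplied file names to the client's destination directory (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple


class UnsafePath(ValueError):
    """Raised when a server-supplied name would escape the destination directory."""


def confine(dest_root: str, remote_name: str) -> Path:
    """Return the on-disk path for remote_name inside dest_root, or raise UnsafePath.

    Rejects empty or absolute names, any '..' component, NUL bytes, and names whose
    already-existing prefix is a symlink pointing outside dest_root (a hostile server
    could plant the symlink in one transfer and write through it in the next).
    """
    root = Path(dest_root).resolve()
    if not remote_name or remote_name.startswith(("/", "\\")) or Path(remote_name).is_absolute():
        raise UnsafePath(f"empty or absolute name: {remote_name!r}")
    parts = Path(remote_name).parts
    if any(p == ".." or "\x00" in p for p in parts):
        raise UnsafePath(f"traversal component in: {remote_name!r}")
    candidate = root.joinpath(*parts)
    # Resolve symlinks in the part of the path that already exists; the final
    # target may not exist yet, hence strict=False.
    resolved = candidate.resolve(strict=False)
    if resolved != root and root not in resolved.parents:
        raise UnsafePath(f"{remote_name!r} resolves outside {root}")
    return candidate


def filter_file_list(dest_root: str, names: Iterable[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a server-supplied file list into (accepted, rejected-with-reason)."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for name in names:
        try:
            confine(dest_root, name)
            accepted.append(name)
        except UnsafePath as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample file list, shaped like what a hostile server might send.
SAMPLE_FILE_LIST = [
    "docs/readme.txt",
    "bin/tool",
    "../../outside.txt",
    "/absolute/path.txt",
    "sub/../../escape.txt",
]


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run the filter in a scratch destination that already contains a planted symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.makedirs(dest)
        # Symlink inside dest pointing outside it, as an earlier transfer could have left behind.
        os.symlink(tmp, os.path.join(dest, "link"))
        return filter_file_list(dest, SAMPLE_FILE_LIST + ["link/through-symlink.txt"])


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    for name, reason in rejected:
        print("rejected:", name, "->", reason)
```

The symlink case is the one most often missed: a lexical check on the name alone passes “link/through-symlink.txt”, and only resolving the existing prefix against the real destination root catches it. Confinement of this kind protects the client’s filesystem layout; it does not substitute for updating to the patched rsync release.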

CVE-2025-0411: 7-Zip Offers MotW Bypass

On January 25, 2025, CVE-2025-0411 (CVSS 7.5 High) was published affecting the 7-Zip archiver. The flaw allows bypassing the Windows security feature Mark of the Web (MotW) via specially crafted archive files. MotW tags files downloaded from the internet with a Zone.Identifier alternate data stream (ADS), so that Windows warns when they originate from an untrusted source. However, 7-Zip versions before 24.09 do not pass the MotW flag to files within nested archives. Exploiting CVE-2025-0411 to gain control of a victim’s system requires human interaction: targets must open a trojanized archive and then execute a malicious file contained within.
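To make the mechanism concrete, here is an added example, constructed for this report and not 7-Zip’s code, of what an extractor has to do to keep the mark: read the ZoneId from the downloaded archive’s Zone.Identifier stream and stamp every extracted file with it, including files inside an archive nested within the outer one, which is the case the flaw describes as being dropped. Zip is used for both layers because the standard library can build the sample inline; the stream text and the archive contents are constructed. The alternate data stream is written only when running on Windows; elsewhere the function returns the marks it would have written so the logic can be checked offline.

```python
"""Propagate Mark of the Web into nested archive contents (added example)."""
import io
import os
import tempfile
import zipfile
from typing import Dict, Optional


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream, or None if there is none."""
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "ZoneId" and value.strip().isdigit():
                return int(value.strip())
    return None


def render_zone_identifier(zone_id: int) -> str:
    """Build the stream text that marks a file with the given zone."""
    return f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n"


def write_mark(path: str, zone_id: int) -> None:
    """Write the Zone.Identifier alternate data stream (NTFS only; no-op elsewhere)."""
    if os.name == "nt":
        with open(path + ":Zone.Identifier", "w", newline="") as ads:
            ads.write(render_zone_identifier(zone_id))


def extract_with_mark(archive: bytes, dest: str, zone_id: int, prefix: str = "") -> Dict[str, int]:
    """Extract a zip, recursing into any zip it contains, and mark every extracted
    file with zone_id. Returns {relative_name: zone_id} for what was written."""
    marks: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Skip directories and refuse member names that would escape dest (zip-slip).
            if info.is_dir() or name.startswith("/") or ".." in name.split("/"):
                continue
            rel = f"{prefix}/{name}" if prefix else name
            out = os.path.join(dest, *rel.split("/"))
            os.makedirs(os.path.dirname(out), exist_ok=True)
            data = zf.read(info)
            with open(out, "wb") as f:
                f.write(data)
            write_mark(out, zone_id)
            marks[rel] = zone_id
            # The behaviour the CVE describes stopped here: a nested archive was later
            # unpacked without the mark. Recurse so the inner files inherit it.
            if zipfile.is_zipfile(io.BytesIO(data)):
                marks.update(extract_with_mark(data, dest, zone_id, rel + ".extracted"))
    return marks


def build_sample_archive() -> bytes:
    """Constructed outer zip holding a text file and a nested zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.txt", "constructed inner file")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed outer file")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def demo() -> Dict[str, int]:
    """Extract the sample archive as if it had been downloaded (constructed stream text)."""
    downloaded_stream = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
    zone = parse_zone_identifier(downloaded_stream)
    if zone is None:
        return {}
    with tempfile.TemporaryDirectory() as dest:
        return extract_with_mark(build_sample_archive(), dest, zone)


if __name__ == "__main__":
    for rel, zone in demo().items():
        print(f"{rel}: ZoneId={zone}")
```

The point of the recursion is that the nested archive is itself just another marked file; without it, the inner payload lands on disk with no zone information and SmartScreen and Office have nothing to warn about.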

Interestingly, research from Cofense found government websites around the world have been leveraged for credential phishing, malware delivery and command-and-control (C2) operations via CVE-2024-25608, a Liferay digital platform vulnerability. This flaw allows attackers to redirect users from trusted .gov URLs to malicious phishing sites. Combining redirection from a trusted .gov domain with the 7-Zip flaw has significant potential for stealthy malware distribution.

Considering the risks, users should manually upgrade to version 24.09, which has been available since late 2024. As discussed in the introduction above, software supply chain security often lies in a grey zone: we all depend on software beyond our control. Notably, prior to the publication of CVE-2025-0411, 7-Zip had not alerted users to a security flaw. Furthermore, although 7-Zip is open-source, the product’s GitHub account does not reveal many details or contact information for responsible disclosure.

The CVE has also triggered DFN-CERT and BSI CERT-Bund advisories [1][2]. Greenbone is able to detect the presence of vulnerable versions of 7-Zip.

Summary

This edition of our monthly Threat Report reviewed major breaches from 2024 and newly discovered critical vulnerabilities in January 2025. The software supply chain presents elevated risk to all organizations, large and small, from both open-source and closed-source products. However, open-source software offers transparency and the opportunity for stakeholders to engage proactively in their own security outcomes, either collectively or independently. While cybersecurity costs are significant, advancing technical capabilities will increasingly be a determining factor in both enterprise and national security. Fortune favors the prepared.