Tag Archive for: SonicWall

Joseph Lee

July 2025 Threat Report: Cisco, CrushFTP, HPE IRS and Others Face Active Exploitation

The July 2025 Threat Report takes a broad approach, covering some of the top cyber threats from the past month. The Microsoft SharePoint flaw titles “ToolShell” dominated the headlines; see our alert on ToolShell for a detailed analysis. Over 4,000 CVEs were published last month; almost 500 of them were rated Critical, with CVSS over 9.0. Managing this volume of risk is truly a battle of attrition for defenders. In response, Greenbone published almost 5,000 new detection tests. These detection tests allow defenders to find known software flaws in their environment, confirm patch levels, and prevent cyber attackers from gaining the upper hand.

Blog Banner Threat - report July 2025

Critical Cisco ISE Flaws Offer Unauthenticated RCE as Root and More

Cisco has confirmed active exploitation of Cisco Identity Services Engine (ISE) and Cisco ISE-PIC (Passive Identity Connector) versions 3.3 and 3.4. The highest severity CVEs are: CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282; all CVSS 10. CVE-2025-20281 and CVE-2025-20337 have been added to CISA KEV (catalog of known exploited vulnerabilities). Each flaw can be exploited to execute code with root privileges by submitting a malicious API request. Several national CERT agencies have issued alerts: EU-CERT, CSA Singapore, NHS UK, and NCSC Ireland. Cisco advises immediate patching; no workarounds are available. Version detection tests are included in the OPENVAS ENTERPRISE FEED [1][2][3].

Another critical severity CVE in Cisco Unified Communications Manager made waves in early July. CVE-2025-20309 (CVSS 10) allows remote root account access via static SSH credentials. Alerts were issued from Belgium’s CERT.be, NSSC Ireland, and the flaw was featured on the AUSCERT Week in Review.

CrushFTP and WingFTP Servers Under Active Attack

High severity CVEs in CrushFTP and WingFTP were published and quickly added to CISA KEV, with global CERT advisories being issued [1][2][3]. FTP servers are often exposed to the public Internet, but instances within a local network could also offer hackers an opportunity for persistence and lateral movement [4]. Also, FTP servers often store sensitive data, which could represent a high risk of being ransomed.

  • CVE-2025-54309 (CVSS 9.8, EPSS ≥ 91st pctl): If the DMZ proxy feature is not used, CrushFTP is susceptible to an unprotected alternate channel vulnerability [CWE-420]. The software mishandles AS2 validation allowing remote HTTPS admin access. The OPENVAS ENTERPRISE FEED includes a remote banner detection test to identify vulnerable instances. Users should upgrade to CrushFTP 10.8.5_12 (or later) or 11.3.4_23 (or later).
  • CVE-2025-47812 (CVSS 10, EPSS ≥ 99th pctl): Unsanitized null-byte characters in the web-interface of WingFTP prior to version 7.4.4 allow remote execution of arbitrary Lua code with the privileges of the FTP service (root or SYSTEM by default). Greenbone includes an active check and version check to identify vulnerable instances. Users are urged to update to version 7.4.4 or later.

Node.js Patch Bypass Exposes Arbitrary File Access

CVE-2025-27210 (CVSS 7.5) is a bypass for CVE-2025-23084 (CVSS 5.6), a previously patched flaw in Node.js Windows platforms, published in January 2025. An estimated 4.8% of global web servers run Node.js, which also powers many on-premises and cloud-native applications. National CERT advisories have been released warning of high risk [1][2]. At least one proof-of-concept (PoC) has been published [3]. OPENVAS ENTERPRISE FEED and COMMUNITY FEED both include a version detection check.

The flaw, classified as path traversal [CWE-22], is due to built-in functions path.join() and path.normalize() not properly filtering Windows device names like CON, PRN, and AUX, which are reserved names for special system devices [4]. This can be exploited remotely to bypass path protections when user input is passed into these functions. Node.js versions 20.x prior to 20.19.4, as well as 22.x before 22.17.1 and 24.x before 24.4.1 are affected.

CVE-2025-37099: Total Remote Compromise for HPE Insight Remote Support

New vulnerabilities in HPE Insight Remote Support pose an extreme risk of full system compromise within enterprise infrastructure. IRS is used in enterprise local network environments to automate hardware health checks, infrastructure monitoring, and support ticket generation.

CVE-2025-37099 (CVSS 9.8) permits unauthenticated remote code execution (RCE) at SYSTEM level due to improper input validation [CWE-20] in processAttachmentDataStream logic, allowing malicious payloads to be executed as code [CWE‑94][1]. This allows attackers to execute malware across managed systems. While not explicitly documented, SYSTEM-level access could also enable attackers to manipulate or delete monitoring logs to conceal activity. Since the affected service often communicates with devices like servers and iLO controllers, compromise may facilitate pivoting laterally within a network. [2]

Users should upgrade immediately to 7.15.0.646 or newer. The coordinated disclosure also included two additional CVEs; CVE-2025-37098 and CVE-2025-37097, both CVSS 7.5. OPENVAS ENTERPRISE FEED includes a version detection test to identify vulnerable instances and verify patch level to meet compliance.

Critical Patches for DELL CVEs with Elevated EPSS Scores

Cumulative patches for a wide number of Dell Technologies products were released to patch various component vulnerabilities. Canadian Cyber CSE has issued three alerts in July addressing these updates [1][2][3]. Here are some of the most critical CVEs from this batch, all of which can be detected with the OPENVAS ENTERPRISE FEED [1][2][3][4][5]:

  • CVE-2024-53677 (CVSS 9.8, EPSS 99th pctl): Dell Avamar Data Store and Avamar Virtual Edition have received updates to address a flaw in Apache Struts. No mitigations or workarounds are available. See the vendor’s advisory for affected product lists.
  • CVE-2025-24813 (CVSS 9.8, EPSS 99pctl): Dell Secure Connect Gateway versions prior to 5.30.0.14 are affected by an Apache Tomcat flaw and other critical CVEs. Dell has classified this update as critical.
  • CVE-2004-0597 (CVSS 10, EPSS 99pctl): Dell Networker is affected by critical buffer overflow flaws in libpng that allow remote attackers to execute arbitrary code via maliciously manipulated PNG images among other vulnerabilities. See vendor advisories for more information [1][2][3][4].
  • CVE-2016-2842 (CVSS 9.8, EPSS ≥ 98pctl): Dell Data Protection Advisor is affected by flaws in numerous components including CVE-2016-2842 in OpenSSL which does not properly verify memory allocation, allowing DoS or possibly RCE. See the vendor advisory for more information.
  • CVE-2025-30477 (CVSS 4.4): Dell PowerScale uses a risky cryptographic algorithm, potentially leading to information disclosure. In June 2025, PowerScale patched critical severity flaws. See vendor advisories for more information [1][2].

A Cumulative Summary of 2025 D-Link Flaws

OPENVAS ENTERPRISE FEED and COMMUNITY FEED currently include 27 vulnerability tests covering the majority of CVEs affecting D-Link products published so far in 2025. Given the importance of network edge security, users should pay particular attention to vulnerabilities in routers and other gateway devices. After the settlement of a U.S. regulatory action involving D‑Link and the Federal Trade Commission, in 2019 D‑Link agreed to implement a comprehensive security program. However, proponents for accountability may ask whether intervention should be more widespread. Ivanti products, for example, have been inundated with numerous high severity flaws in recent years [1][2][3][4][5], many leveraged in ransomware attacks.

Adobe Patches Critical Flaws for ColdFusion

Security updates for ColdFusion 2025, 2023, and 2021 address 13 new CVEs; five critical severity issues including XXE (CVE-2025-49535, CVSS 9.3), hard-coded credentials (CVE-2025-49551, CVSS 8.8), OS command injection, XML injection, and SSRF. In 2023, the ColdFusion flaw CVE‑2023‑26360 (CVSS 9.8) was used by threat actors to gain initial access to US federal civilian agencies.

OPENVAS ENTERPRISE FEED includes a remote version check to identify unpatched instances. Immediate patching to Update 3 (ColdFusion 2025), Update 15 (2023), or Update 21 (2021) is strongly recommended.

Splunk Enterprise Updates Critical Severity Components

Cumulative updates for Splunk Enterprise patch several third-party components in Splunk Enterprise including golang, postgres, aws-sdk-java, idna, and others. Some of these were Critical CVSS severity flaws such as CVE-2024-45337 (CVSS 9.1) with an EPSS percentile of ≥ 97%, indicating a high likelihood of exploit activity. CERT-FR and the Canadian Cyber CSE have published alerts related to Splunk’s July advisories. Users can verify patch status with a version check in the OPENVAS ENTERPRISE FEED. The feed also includes vulnerability checks for previous Splunk security advisories and CVEs.

Oracle Patches Row of High Severity VirtualBox Flaws

Several CVEs published in mid‑July 2025 affecting Oracle VM VirtualBox version 7.1.10 permit a high‑privileged local attacker (with access to the host infrastructure or guest VM execution environment) to compromise VirtualBox, potentially escalating privileges or achieving full control of the hypervisor core component. CVE‑2025‑53024 (CVSS 8.2) is an integer overflow bug in the VMSVGA virtual device due to insufficient validation of user‑supplied data, leading to memory corruption with potential for full hypervisor compromise. [1] OPENVAS ENTERPRISE FEED and COMMUNITY FEED include version detection tests for Windows, Linux, and macOS.

Post Authentication Flaw Allows RCE in SonicWall SMA100

CVE-2025-40599 (CVSS 9.1) is an authenticated arbitrary file upload vulnerability in SonicWall SMA 100 series appliances. It allows a remote attacker with administrative privileges to gain arbitrary code execution and persistent access. The risk posed by this flaw is increased by weak or stolen credentials. The flaw affects models SMA 210, 410, and 500v, versions 10.2.1.15-81sv and earlier. As per the vendor advisory, no workaround is effective. OPENVAS ENTERPRISE FEED includes a remote version check to identify the affected devices.

New MySQL CVEs Allow Authenticated DoS Attacks

Amidst the abundance of vulnerabilities offering unauthorized RCE, it’s easy to overlook ones that merely cause Denial of Service (DoS). A swath of DoS vulnerabilities and related patches were issued for MySQL 8 and MySQL 9 in July [1]. Although the flaws require privileged access to exploit, Managed Service Providers (MSP) may provide shared MySQL hosting for small-to-medium businesses (SMBs), government agencies, or non-profits that don’t want the overhead of managing their own database infrastructure. In this scenario, tenants are given access to separate databases on the same MySQL server instance. When that happens, an unpatched instance could allow a user to impact other organizations. These flaws also highlight the importance of strong passwords and mitigating the threat from brute-force and password spraying attacks.

Remote version detection tests are available for all CVEs referenced below. These are included in both the OPENVAS ENTERPRISE FEED and COMMUNITY FEED. Tests cover both Linux and Windows MySQL installations.

CVE ID Affected Versions Impact Access Vector Patch Status

CVE-2025-50078

(CVSS 6.5)

 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 DoS (hang/crash) Remote authenticated access Patched (July 2025)

CVE-2025-50082

(CVSS 6.5)

 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 DoS (crash) Remote authenticated access Patched (July 2025)

CVE-2025-50083

(CVSS 6.5)

 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 DoS (crash) Remote authenticated access Patched (July 2025)

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

February 2025 Threat Report: Tectonic Technology

Cyber threats are evolving at breakneck speed, but the fundamental weaknesses attackers exploit remain strikingly unchanged. So far in 2025, many analysts have published landscape reviews of 2024 and outlooks for 2025. The cost of cyber breaches is ticking upwards, but overall, cyber breach root-causes have not changed. Phishing [T1566] and exploiting known software vulnerabilities [T1190] continue to top the list. Another key observation is that attackers are weaponizing public information faster, converting CVE (Common Vulnerabilities and Exposures) disclosures into viable exploit code within days or even hours. Once inside a victim’s network, they are executing precision second-stage objectives faster too, deploying ransomware within minutes.

In this month’s edition of the Greenbone Threat Report, we will briefly review the disclosed chats of the Black Basta ransomware group and highlight Greenbone’s coverage of their now exposed techniques. We will also review a report from Greynoise about mass exploitation attacks, a new actively exploited vulnerability in Zimbra Collaboration Suite and new threats to edge networking devices.

The Era of Tectonic Technology

If security crises are like earthquakes, then the global tech ecosystem is the underlying tectonic plates. The global technology ecosystem would be best represented as the Paleozoic Era of geological history. Rapid innovative and competitive market forces are pushing and pulling at the fabric of IT security like the colliding supercontinents of Pangea; continuous earthquakes constantly forcing continental shift.

Entirely new paradigms of computing such as generative AI and quantum computing are creating advantages and risks; volcanoes of value and unstable ground. Global governments and tech giants are wresting for access to citizen’s sensitive personal data, adding gravity. These struggles have significant implications for privacy, security and how society will evolve. Here are some of the major forces destabilizing IT security today:

  • Rapidly evolving technologies are driving innovation, forcing technical change.
  • Organizations are both forced to change as technologies and standards depreciate and motivated to change to remain competitive.
  • Fierce market competition has accelerated product development and release cycles.
  • Strategic planned obsolescence has been normalized as a business strategy for reaping financial gain.
  • Pervasive lack of accountability for software vendors has led to prioritization of performance over “security-first” design principles.
  • Nation-states weaponize technology for Cyber Warfare, Information Warfare and Electronic Warfare.

Due to these forces, well-resourced and well-organized cyber criminals find a virtually unlimited number of security gaps to exploit. The Paleozoic Era lasted 300 million years. Hopefully, we won’t have to wait that long for product vendors to show accountability and employ secure design principles [1][2][3] to prevent so-called “unforgivable” vulnerabilities of negligence [4][5]. The takeaway is that organizations need to develop technical agility and efficient patch management programs. Continuous prioritized vulnerability management is a must.

Black Basta Tactics Revealed: Greenbone Has Coverage

Leaked internal chat logs belonging to Black Basta ransomware group have provided insight into the group’s tactics and inner workings. The logs were leaked by an individual using the alias “ExploitWhispers” who claimed the release was in response to Black Basta’s controversial targeting of Russian banks, allegedly creating internal conflicts within the group. Since its emergence in April 2022, Black Basta has reportedly amassed over $100 million in ransom payments from more than 300 victims worldwide. 62 CVEs referenced in leaked documents reveal the group’s tactics for exploiting known vulnerabilities. Of these 62, Greenbone maintains detection tests for 61, covering 98% of the CVEs.

The Greynoise 2025 Mass Exploitation Report

Mass exploitation attacks are fully automated network attacks against services that are accessible via internet. This month, Greynoise published a comprehensive report summarizing the mass exploitation landscape including the top CVEs attacked by the largest botnets (unique IPs), the most exploited product vendors and top CVEs included in the CISA’s (Cybersecurity and Infrastructure Security Agency) KEV (Known Exploited Vulnerabilities) catalog and exploited by botnets. Greenbone Enterprise Feed has detection tests for 86% of all CVEs (86 total) referenced in the report. When considering only CVEs issued in 2020 or later (66 total), our Enterprise Feed has 90% detection coverage.

Additional findings include:

  • 60% of CVEs exploited in mass exploitation attacks were published in 2020 or later.
  • Attackers are exploiting vulnerabilities within hours of disclosure.
  • 28% of vulnerabilities in CISA KEV are exploited by ransomware threat actors.

Zimbra Collaboration Suite

CVE-2023-34192 (CVSS 9.0) is a high-severity Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) version 8.8.15. The flaw allows authenticated remote attackers to execute arbitrary code via crafted scripts targeting the `/h/autoSaveDraft` function. CISA added CVE-2023-34192 to its KEV catalog, indicating that it has been actively exploited in real-world attacks. Proof-of-concept (PoC) exploit code is publicly available, allowing low-skilled attackers to join the fray. CVE-2023-34192 has held a very high EPSS since its disclosure in 2023. For defenders leveraging EPSS for remediation prioritization, this indicates a high priority to patch.

Zimbra Collaboration Suite (ZCS) is an open-source office productivity platform that integrates email, calendar, contacts, tasks and collaboration tools but holds a niche market share of less than 1% of all email and messaging platforms.

Living on the Edge: New Critical Networking Device Flaws

In our monthly threat report we have been tracking the persistent threat to edge network devices. Earlier this-month, we reported on a perfect security storm affecting end-of-life (EOL) Zyxel routers and firewalls. In this section we will review new security risks that fall into the “edge networking” category. Greenbone has detection capabilities for all CVEs discussed below.

Chinese Hackers Exploit Palo Alto’s PAN-OS for Ransomware

CVE-2024-0012 (CVSS 9.8), a vulnerability in Palo Alto PAN-OS disclosed last November, is considered one of the most exploited vulnerabilities of 2024. The CVE is also reportedly being used by Chinese state-backed threat actors for ransomware attacks. Another new flaw affecting PAN-OS, CVE-2025-0108 (CVSS 9.1), was just disclosed this month and immediately tagged as actively exploited by CISA. CVE-2025-0108 is an authentication bypass in the management web-interface and can be chained together with CVE-2024-9474 (CVSS 7.2), a separate privilege escalation vulnerability to gain unauthenticated root control over an unpatched PAN-OS device.

SonicWall Patches a Critical Actively Exploited CVE in SonicOS

CVE-2024-53704, a critical severity vulnerability in SonicWall devices, has been recently added to CISA’s KEV list. Astoundingly, CISA lists 8 SonicWall CVEs that are known to be actively exploited in ransomware attacks. CVE-2024-53704 (CVSS 9.8) is an Improper Authentication vulnerability [CWE-287] in the SSLVPN authentication mechanism of SonicWall’s SonicOS versions 7.1.1-7058 and older, 7.1.2-7019, and 8.0.0-8035. It allows remote attackers to bypass authentication and and hijack active SSL VPN sessions, potentially gaining unauthorized network access. A full technical analysis is available from BishopFox. An advisory from SonicWall also names additional high severity CVEs in SonicOS that have been patched along with CVE-2024-53704.

Sophos’ CyberroamOS and EOL XG Firewalls Actively Exploited

Sophos, which acquired Cyberoam in 2014, has issued an alert and patch for CVE-2020-29574. CyberoamOS is part of Sophos’ product ecosystem. Aside from this CVE, Sophos XG Firewall, soon to be EOL, is also the subject of an active exploitation alert.

  • CVE-2020-29574 (CVSS 9.8): A critical SQL injection [CWE-89] vulnerability identified in the WebAdmin interface of CyberoamOS versions up to December 4, 2020. This flaw allows unauthenticated attackers to remotely execute arbitrary SQL statements, potentially gaining complete administrative access to the device. A hotfix patch has been issued, which also extends to some affected end-of-life (EOL) products.
  • CVE-2020-15069 (CVSS 9.8) is a critical Buffer Overflow vulnerability in Sophos XG Firewall versions 17.x through v17.5 MR12, allowing unauthenticated RCE via the HTTP/S Bookmarks feature for clientless access. This vulnerability, published in 2020 is now being actively exploited and has been added to CISA KEV indicating heightened risk. Sophos released an advisory in 2020 when the vulnerability was disclosed, along with a hotfix affected firewalls. The XG Series hardware appliances are soon scheduled to reach end-of-life (EOL) on March 31, 2025.

PrivEsc and Auth Bypasses in Fortinet FortiOS and FortiProxy

Fortinet disclosed two critical vulnerabilities, both affecting FortiOS and FortiProxy. The Canadian Center for Cybersecurity and the Belgian Center for Cybersecurity have issued advisories. Fortinet acknowledges active exploitation of CVE-2024-55591 and has released official guidance that includes details on affected versions and recommended updates. ​

  • CVE-2024-55591 (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. Multiple PoC exploits are available [1][2] increasing the risk of exploitation by low-skilled attackers.
  • CVE-2024-40591 (CVSS 8.8): Allows an authenticated administrator with Security Fabric permissions to escalate their privileges to super-admin by connecting the targeted FortiGate device to a malicious upstream FortiGate under their control.

Cisco Flaws Implicated as Initial Access Vectors in Telecom Hacks

In the past few months, China’s Salt Typhoon espionage group has routinely exploited at least two critical vulnerabilities in Cisco IOS XE devices to gain persistent access to telecommunications networks. Victims include Italian ISP, a South African telecom, and a large Thai telecom, and twelve universities worldwide including UCLA, Indonesia’s Universitas Negeri Malang and Mexico’s UNAM among others. Previously, Salt Typhoon had compromised at least nine U.S. telecoms, including Verizon, AT&T and Lumen Technologies. U.S. authorities claim Salt Typhoon’s goal is surveilling high-profile individuals, political figures and officials related to Chinese political interests.

CVEs exploited by Salt Typhoon include:

  • CVE-2023-20198 (CVSS 10): A privilege escalation flaw in Cisco IOS XE’s web interface. Used for initial access, allowing attackers to create an admin account.
  • CVE-2023-20273 (CVSS 7.2): Another privilege escalation flaw, used after gaining admin access to escalate privileges to root and establish a GRE (Generic Routing Encapsulation) tunnel for persistence.

Also, two other CVEs in Cisco products entered the radar in February 2025:

  • CVE-2023-20118 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers allows authenticated, remote attackers to execute arbitrary commands with root-level privileges by sending crafted HTTP requests. CISA added CVE-2023-20118 to its KEV catalog, indicating evidence of active exploitation.
  • CVE-2023-20026 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers RV042 Series allows authenticated, remote attackers with valid administrative credentials to execute arbitrary commands on the device. The flaw is due to improper validation of user input within incoming HTTP packets. While CVE-2023-20026 is not known to be exploited in any active campaigns, Cisco’s Product Security Incident Response Team (PSIRT) is aware that PoC exploit code for this vulnerability exists.

Ivanti Patches Four Critical Flaws

Four critical vulnerabilities were identified, affecting Ivanti Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). No reports of active attacks in the wild or PoC exploits have emerged yet. Ivanti advises users to promptly update to the newest versions to address these critical vulnerabilities.

Here is a brief technical summary:

  • CVE-2025-22467 (CVSS 8.8): Attackers with credentials can achieve remote code execution (RCE) due to a stack-based buffer overflow [CWE-121] flaw in ICS versions prior to 22.7R2.6.
  • CVE-2024-38657 (CVSS 9.1): Attackers with credentials can write arbitrary files due to an external control of file name vulnerability in ICS versions before 22.7R2.4 and IPS versions before 22.7R1.3.
  • CVE-2024-10644 (CVSS 9.1): A code injection flaw in ICS (pre-22.7R2.4) and IPS (pre-22.7R1.3), allows arbitrary RCE to authenticated administrators. ​
  • CVE-2024-47908 (CVSS 7.2): An operating system command injection vulnerability [CWE-78] in CSA’s admin web console (versions before 5.0.5), allows arbitrary RCE to authenticated administrators.

Summary

This month’s Threat Report highlights key cybersecurity developments, including the evolving tactics of ransomware groups like Black Basta and the pervasive critical threat to edge network devices. With the support of AI tools, attackers are exploiting vulnerabilities faster-sometimes within hours of disclosure. Organizations must remain vigilant by adopting proactive security measures, continuously updating their defenses and leveraging threat intelligence to stay ahead of emerging threats.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

January 2025 Threat Report: Fortune Favors the Prepared

This year, many large organizations around the world will be forced to reckon with the root-cause of cyber intrusions. Many known vulnerabilities are an open gateway to restricted network resources. Our first Threat Report of 2025 reviews some disastrous breaches from 2024 and then dives into some pressing cybersecurity vulnerabilities from this past month.

However, to be clear, the vulnerabilities discussed here merely scratch the surface. In January 2025, over 4,000 new CVEs (Common Vulnerabilities and Exposures) were published; 22 with the maximum CVSS score of 10, and 375 rated critical severity. The deluge of critical severity flaws in edge networking devices has not abated. Newly attacked flaws in products from global tech giants like Microsoft, Apple, Cisco, Fortinet, Palo Alto Networks, Ivanti, Oracle and others have been appended to CISA’s (Cybersecurity and Infrastructure Security Agency) Known Exploited Vulnerabilities (KEV) catalog.

Software Supply Chain: the User’s Responsibility

We are all running software we didn’t design ourselves. This places a huge emphasis on trust. Where trust is uncertain – whether due to fears of poor diligence, malice or human error – cybersecurity responsibility still rests on the end-user. Risk assurances depend heavily on technical knowledge and collective effort. Defenders need to remember these facts in 2025.

When supply chain security fails, ask why! Did the software vendor provide the required tools to take control of your own security outcomes? Is your IT security team executing diligent vulnerability discovery and remediation? Are your resources segmented with strong access controls? Have employees been trained to identify phishing attacks? Are other reasonable cybersecurity measures in place? Organizations need to mature their ransomware-readiness, implement regular vulnerability assessments and prioritized patch management. And they should verify reliable backup strategies can meet recovery targets and prioritize other fundamental security controls to protect sensitive data and prevent downtime.

Fortune Favors the Prepared

Assessing 2024, the UK’s NCSC (National Cyber Security Center) annual review painted a grim picture; significant cyberattacks had increased three times compared to 2023. For a birds-eye view, CSIS (The Center for International Strategic & International Studies) has posted an extensive list of the most significant cyber incidents of 2024. The landscape has been shaped by the Russia Ukraine conflict and an accelerated shift from globalization to adversarialism.

Check Point Research found that 96% of all vulnerabilities exploited in 2024 were over a year old. These are positive findings for proactive defenders. Entities conducting vulnerability management will fare much better against targeted ransomware and mass exploitation attacks. One thing is clear: proactive cybersecurity reduces the cost of a breach.

Let’s review two of the most significant breaches from 2024:

  • The Change Healthcare Breach: Overall in 2024, breaches of healthcare entities were down from 2023’s record setting year. However, the ransomware attack against Change Healthcare set a new record for the number of affected individuals at 190 million, with total costs so far reaching 2,457 billion Dollar. The State of Nebraska has now filed a lawsuit against Change Healthcare for operating outdated IT systems that failed to meet enterprise security standards. According to IBM, breaches in the healthcare industry are the most costly, averaging 9.77 million Dollar in 2024.
  • Typhoon Teams Breach 9 US Telecoms: The “Typhoon” suffix is used by Microsoft’s threat actor naming convention for groups with Chinese origins. The Chinese state-sponsored adversary known as Salt Typhoon infiltrated the networks of at least nine major U.S. telecommunications companies, accessing user’s call and text metadata and audio recordings of high-profile government officials. Volt Typhoon breached Singapore Telecommunications (SingTel) and other telecom operators globally. The “Typhoons” exploited vulnerabilities in outdated network devices, including unpatched Microsoft Exchange Server, Cisco routers, Fortinet and Sophos Firewalls and Ivanti VPN appliances. Greenbone is able to detect all known software vulnerabilities associated with Salt Typhoon and Volt Typhoon attacks [1][2].

UK May Ban Ransomware Payments in Public Sector

The UK government’s framework to combat ransomware has proposed a ban on ransom payments by public sector entities and critical infrastructure operators with hopes to deter cyber criminals from targeting them in the first place. However, a new report from The National Audit Office (NAO), the UK’s independent public spending watchdog, says “cyber threat to UK government is severe and advancing quickly”.

The FBI, CISA and NSA all advise against paying ransoms. After all, paying a ransom does not guarantee the recovery of encrypted data or prevent the public release of stolen data, and may even encourage further extortion. On the flip side IBM’s security think-tank acknowledges that many SME organizations could not fiscally survive the downtime imposed by ransomware. While both sides make points here, could enriching cyber criminals while failing to shore-up local talent result in a positive outcome?

Vulnerability in SonicWall SMA 1000 Actively Exploited

Microsoft Threat Intelligence has uncovered active exploitation of SonicWall SMA 1000 gateways via CVE-2025-23006 (CVSS 9.8 Critical). The flaw is caused by improper handling of untrusted data during deserialization [CWE-502]. It could allow an unauthenticated attacker with access to the internal Appliance Management Console (AMC) or Central Management Console (CMC) interface to execute arbitrary OS commands. SonicWall has released hotfix version 12.4.3-02854 to address the flaw.

While no publicly available exploit code has been identified, numerous government agencies have issued alerts including Germany’s BSI CERT-Bund, Canadian Center for Cybersecurity, CISA, and the UK’s NHS (National Health Service). Greenbone is able to detect SonicWall systems impacted by CVE-2025-23006 by remotely checking the version identified from the service banner.

CVE-2024-44243 for Persistent Rootkit in macOS

January 2025 was a firestorm month for Apple security. Microsoft Threat Intelligence has found time to security test macOS, discovering a vulnerability that could allow installed apps to modify the OS System Integrity Protection (SIP). According to Microsoft, this could allow attackers to install rootkits, persistent malware and bypass Transparency, Consent and Control (TCC) which grants granular access permissions to applications on a per-folder basis. While active exploitation has not been reported, Microsoft has released technical details on their findings.

As January closed, a batch of 88 new CVEs, 17 with critical severity CVSS scores were published affecting the full spectrum of Apple products. One of these, CVE-2025-24085, was observed in active attacks and added to CISA’s KEV catalog. On top of these, dual speculative execution vulnerabilities in Apple’s M-series chips dubbed SLAP and FLOP were disclosed but have not yet been assigned CVEs. For SLAP, researchers leveraged chip flaws to exploit Safari WebKit’s heap allocation techniques and manipulated JavaScript string metadata to enable out-of-bounds speculative reads, allowing them to extract sensitive DOM content from other open website tabs. For FLOP, researchers demonstrated that sensitive data can be stolen from Safari and Google Chrome; bypassing Javascript type checking in Safari WebKit and Chrome’s Site Isolation via WebAssembly.

Furthermore, five high severity vulnerabilities were also published affecting Microsoft Office for macOS. Each potentially forfeiting Remote Code Execution (RCE) to an attacker. Affected products include Microsoft Word (CVE-2025-21363), Excel (CVE-2025-21354 and CVE-2025-21362) and OneNote (CVE-2025-21402) for macOS. While no technical details about these vulnerabilities are yet available, all have high CVSS ratings and users should update as soon as possible.

The Greenbone Enterprise Feed includes detection for missing macOS security updates and many other CVEs affecting applications for macOS including the five newly disclosed CVEs in Microsoft Office for Mac.

6 CVEs in Rsync Allow Both Server and Client Takeover

The combination of two newly discovered vulnerabilities may allow the execution of arbitrary code on vulnerable rsyncd servers while having only anonymous read access. CVE-2024-12084, a heap buffer overflow and CVE-2024-12085, an information leak flaw are the culprits. Public mirrors using rsyncd represent the highest risk since they inherently lack access control.

The researchers also found that a weaponized rsync server can read and write arbitrary files on connected clients. This can allow theft of sensitive information and potentially execution of malicious code by modifying executable files.

Here is a summary of the new flaws ordered by CVSS severity:

Collectively, these flaws present serious risk of RCE, data exfiltration and installing persistent malware on both rsyncd servers and unsuspecting clients. Users must update to the patched version, thoroughly look for any Indicators of Compromise (IoC) on any systems that have used rsync, and potentially redeploy file sharing infrastructure. Greenbone is able to detect all known vulnerabilities in rsync and non-compliance with critical security updates.

CVE-2025-0411: 7-Zip Offers MotW Bypass

On January 25, 2025, CVE-2025-0411 (CVSS 7.5 High) was published affecting 7-Zip archiver. The flaw allows bypassing the Windows security feature Mark of the Web (MotW) via specially crafted archive files. MoTW tags files downloaded from the internet with a Zone Identifier alternate data stream (ADS), warning when they originate from an untrusted source. However, 7-Zip versions before 24.09 do not pass the MotW flag to files within nested archives. Exploiting CVE-2025-0411 to gain control of a victim’s system requires human interaction. Targets must open a trojanized archive and then further execute a malicious file contained within.

Interestingly, research from Cofence found government websites around the world have been leveraged for credential phishing, malware delivery and command-and-control (C2) operations via CVE-2024-25608, a Liferay digital platform vulnerability. This flaw allows attackers to redirect users from trusted .gov URLs to malicious phishing sites. Combining redirection from a trusted .gov domain with the 7-Zip flaw has significant potential for stealthy malware distribution.

Considering the risks, users should manually upgrade to version 24.09, which has been available since late 2024. As discussed in the introduction above, software supply chain security often lies in a grey zone, we all depend on software beyond our control. Notably, prior to the publication of CVE-2025-0411, 7-Zip had not alerted users to a security flaw. Furthermore, although 7-Zip is open-source, the product’s GitHub account does not reveal many details or contact information for responsible disclosure.

Furthermore, the CVE has triggered DFN-CERT and BSI CERT-Bund advisories [1][2]. Greenbone is able to detect the presence of vulnerable versions of 7-Zip.

Summary

This edition of our monthly Threat Report reviewed major breaches from 2024 and newly discovered critical vulnerabilities in January 2025. The software supply chain presents elevated risk to all organizations large and small from both open-source and closed-source products. However, open-source software offers transparency and the opportunity for stakeholders to engage proactively in their own security outcomes, either collectively or independently. While cybersecurity costs are significant, advancing technical capabilities will increasingly be a determinant factor in both enterprise and national security. Fortune favors the prepared.

Contact Test Now Buy Here Back to Overview

/by