mastodon.gamedev.place is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server focused on game development and related topics.

#rce

🐛 AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security

「 The vulnerabilities enable an array of attack vectors and outcomes, including:
Zero-Click RCE
One-Click RCE
Access control list (ACL) and user interaction bypass
Local Arbitrary File Read
Sensitive information disclosure
Man-in-the-middle (MITM) attacks
Denial of service (DoS) 」

oligo.security/blog/airborne

www.oligo.security · AirBorne: Wormable Zero-Click RCE in Apple AirPlay Puts Billions of Devices at Risk | Oligo Security: Oligo Security reveals AirBorne, a new set of vulnerabilities in Apple's AirPlay protocol and SDK. Learn how zero-click RCEs, ACL bypasses, and wormable exploits could endanger Apple and IoT devices worldwide, and how to protect yourself.

Fake GIF Leveraged in Multi-Stage Reverse-Proxy Card Skimming Attack

A sophisticated multi-stage carding attack on a Magento eCommerce website has been uncovered. The malware used a fake gif image file, local browser sessionStorage data, and a malicious reverse-proxy server to steal credit card data, login details, cookies, and other sensitive information. The attack targeted an outdated Magento 1.9.2.4 installation, exploiting its lack of support and security vulnerabilities. The malware injected JavaScript code disguised as Bing tracking code and utilized a tampered payment file to create a user-specific attack. This advanced technique allowed the attackers to intercept and manipulate all website traffic while remaining undetected by victims and administrators.

Pulse ID: 680c5278fbbef40e36ef3f9f
Pulse Link: otx.alienvault.com/pulse/680c5
Pulse Author: AlienVault
Created: 2025-04-26 03:26:48

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

LevelBlue Open Threat Exchange · Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

Critical Remote Code Execution Vulnerability Discovered in Active! Mail: Urgent Updates Required

A severe remote code execution (RCE) vulnerability in the Active! Mail web-based email client is currently being exploited against major organizations in Japan. With a CVSS score of 9.8, this flaw pos...

news.lavx.hu/article/critical-

Whoa, heads up cybersecurity folks! There's a particularly nasty bug making the rounds: **CVE-2025-32433** in Erlang/OTP SSH. And yes, it scored a perfect CVSS 10.0 🤯.

We're talking potential **unauthorized remote code execution** here. Basically, an attacker can sneak SSH messages through *before* any authentication even happens. Think about that for a second. If your SSH daemon happens to be running as root... well, that's pretty much game over for the system.

This isn't just a minor issue; it impacts *anyone* using the Erlang/OTP SSH implementation.

**The good news?** Patches are available! You'll want to update to one of these versions ASAP:
* OTP-27.3.3
* OTP-26.2.5.11
* OTP-25.3.2.20

Speaking as a pentester, gotta say, that's a clever (and worrying!) vulnerability path 😉. Another thing to keep in mind: your typical automated vulnerability scanners might completely miss this one due to the pre-auth nature.

So, what's your take? Have any of you run into this yet or started testing for it? Curious to know what tools you're finding effective for detection or exploitation testing! Let's discuss 👇
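An illustrative sketch of the check the post describes as missing, added here as an example; it is not Erlang/OTP code, not the advisory's text, and it does not reproduce the CVE-2025-32433 exploit. It models a server-side SSH message dispatcher that refuses connection-protocol messages (RFC 4250 numbers 80-127, e.g. SSH_MSG_CHANNEL_OPEN = 90 and SSH_MSG_CHANNEL_REQUEST = 98) until user authentication has completed, with a flag to switch the gate off for comparison; authentication itself is stubbed. The `otp_is_patched` helper compares an OTP version string against the fixed releases named in the post; the `OTP-x.y.z` input format and the assumption that later releases within each listed line are also fixed are mine.

```python
from enum import Enum, auto
from typing import List, Optional

# Message numbers from RFC 4250 section 4.1.2: 1-49 transport layer,
# 50-79 user authentication, 80-127 connection protocol (channels).
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98


class State(Enum):
    TRANSPORT = auto()   # key exchange finished, no service requested yet
    USERAUTH = auto()    # ssh-userauth service active, client not authenticated
    CONNECTION = auto()  # client authenticated; channel traffic is legitimate


class Session:
    """Server-side dispatcher (illustrative, not Erlang's ssh application).
    strict=False models a server that routes connection-protocol messages
    to their handlers regardless of authentication state."""

    def __init__(self, strict: bool = True) -> None:
        self.strict = strict
        self.state = State.TRANSPORT
        self.exec_requests: List[bytes] = []  # what reached the exec handler

    def handle(self, msg_type: int, payload: bytes = b"") -> str:
        if msg_type == SSH_MSG_SERVICE_REQUEST:
            self.state = State.USERAUTH
            return "service-accept"
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            # Real credential checking is out of scope; assume it succeeds.
            self.state = State.CONNECTION
            return "userauth-success"
        if 80 <= msg_type <= 127:
            # The gate that must exist: channel messages are only meaningful
            # for an authenticated client. Without it, a pre-auth client can
            # open a channel and ask for command execution.
            if self.strict and self.state is not State.CONNECTION:
                raise PermissionError(f"message {msg_type} before authentication")
            if msg_type == SSH_MSG_CHANNEL_REQUEST and payload.startswith(b"exec:"):
                self.exec_requests.append(payload[len(b"exec:"):])
            return "dispatched"
        raise ValueError(f"unhandled message type {msg_type}")


def preauth_exec_reaches_handler(strict: bool) -> bool:
    """Send CHANNEL_OPEN and an exec CHANNEL_REQUEST with no authentication
    at all and report whether the exec handler saw the request."""
    session = Session(strict=strict)
    try:
        session.handle(SSH_MSG_CHANNEL_OPEN, b"session")
        session.handle(SSH_MSG_CHANNEL_REQUEST, b"exec:id")
    except PermissionError:
        return False
    return bool(session.exec_requests)


# Fixed releases named in the post, taken as the minimum patched version per OTP line.
PATCHED_FLOORS = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}


def otp_is_patched(version: str) -> Optional[bool]:
    """Compare an 'OTP-26.2.5.3'-style string with the fixed releases above.
    Returns None for an OTP line the post does not cover (e.g. 24.x)."""
    parts = tuple(int(p) for p in version.removeprefix("OTP-").split("."))
    floor = PATCHED_FLOORS.get(parts[0])
    if floor is None:
        return None
    return parts >= floor


if __name__ == "__main__":
    print("unchecked server runs pre-auth exec:", preauth_exec_reaches_handler(strict=False))
    print("gated server runs pre-auth exec:", preauth_exec_reaches_handler(strict=True))
    for v in ("OTP-27.3.2", "OTP-27.3.3", "OTP-26.2.5.11", "OTP-24.3.4"):
        print(v, otp_is_patched(v))
```

When checking hosts, compare the running OTP release rather than the SSH banner: the Erlang server banner carries the ssh application's own version string, not the OTP release number the fixes are published against.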

Atomic and Exodus crypto wallets targeted in malicious npm campaign

A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wallet. The campaign shows persistence, as removing the malicious package doesn't remove the injected code from the wallets. Multiple versions of both wallets were targeted, with the attackers adapting their code accordingly. This incident highlights the growing scope of software supply chain risks, particularly in the cryptocurrency industry, and emphasizes the need for improved monitoring of both source code repositories and locally deployed applications.

Pulse ID: 67fd41f7af4b02a0fd75fb69
Pulse Link: otx.alienvault.com/pulse/67fd4
Pulse Author: AlienVault
Created: 2025-04-14 17:12:23


1/ Was at the @blnensemble today and watched #RCE. I had read the novel by Sibylle Berg last year, after all. It was very good. We also attended the introduction:

A 50-page summary was generated from the 700-page novel with AI. This was then read aloud with text-to-speech. A human put music on top of it. Several video artists from various European countries then made videos and images for it with AI.

The play is a dystopian one with a revolution by nerds. Everything is digitised and therefore attackable. Power grids, transport, food supply, heating in the #Smarthome.

According to the person giving the introduction, there were also power outages during rehearsals. The book is the blueprint for world revolution.

A few snippets from the play:

"What's needed is a revolution you can dance to."

"Nerds save the world."

"Doing without can be fun again."

After the play everyone clapped and then went home.

They dream that the nerds will soon make a revolution.

Or perhaps they dream nothing at all, because they drink too much alcohol or take sleeping pills that are too strong.

If you neither dream nor sleep, then read #RemoteCodeExecution. It's funny. Or sad. Depending on how you are.

Oh, and: we weren't entirely sure whether the first summary was made with AI or by hand. Maybe the BE can clear that up.

I find it funny on a meta level that the people who are afraid of being replaced by AI use it to show the dystopian world.

Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation

Dragon RaaS is a ransomware group that emerged in July 2024 as an offshoot of Stormous, part of a larger cybercrime syndicate known as 'The Five Families'. The group markets itself as a sophisticated Ransomware-as-a-Service operation but often conducts defacements and opportunistic attacks rather than large-scale ransomware extortion. Dragon RaaS primarily targets organizations in the US, Israel, UK, France, and Germany, exploiting vulnerabilities in web applications, using brute-force attacks, and leveraging stolen credentials. The group operates two ransomware strains: a Windows-focused encryptor based on StormCry and a PHP webshell. Despite claims of creating a unique ransomware variant, analysis reveals that Dragon RaaS's payloads are slightly modified versions of StormCry.

Pulse ID: 67db2bceaeb33fde1496fef2
Pulse Link: otx.alienvault.com/pulse/67db2
Pulse Author: AlienVault
Created: 2025-03-19 20:40:46


(watchtowr.com) By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) labs.watchtowr.com/by-executiv

By Executive Order I hereby BAN deserialization issues. I don't know how many god damned times I've read about how critical software vulnerabilities have been rooted in deserialization issues, and here we go again. Thanks watchTowr for an entertaining read.

Summary
This research details two Remote Code Execution (RCE) vulnerabilities in Veeam Backup & Replication (CVE-2025-23120) discovered by watchTowr Labs. The vulnerabilities exploit deserialization flaws in Veeam's codebase, specifically targeting the product's reliance on blacklist-based security mechanisms rather than proper whitelisting. The researchers demonstrate how any domain user can exploit these vulnerabilities when the Veeam server is joined to an Active Directory domain, potentially allowing complete system compromise. The vulnerabilities were responsibly disclosed to Veeam, who patched them by simply adding the discovered gadget classes to their blacklist, a solution the researchers criticize as inadequate and likely to lead to similar vulnerabilities in the future.

watchTowr Labs · By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120): It's us again! Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution.. While we would enjoy a world in which
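Veeam's bug lives in .NET deserialization, but the blacklist-versus-allowlist point watchTowr makes is language-independent. The following is an added example using Python's pickle; it is not Veeam code and not watchTowr's proof of concept. A deserializer that denies a handful of known gadget types is bypassed by a payload that reaches a callable nobody listed, while one that accepts only the application's own types rejects it and still round-trips legitimate objects. The `BackupJob` and `Gadget` classes are mine, and `builtins.eval` is used as a harmless stand-in for a command-execution gadget (the expression only reads the process ID).

```python
import io
import pickle


class BackupJob:
    """Legitimate object the application expects to deserialize."""

    def __init__(self, name: str, target: str) -> None:
        self.name = name
        self.target = target


class Gadget:
    """Attacker-controlled object. __reduce__ tells the unpickler to call a
    callable of the attacker's choosing; builtins.eval is a stand-in here so
    the demo stays harmless. The pickle only records ('builtins', 'eval')."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


class BlacklistUnpickler(pickle.Unpickler):
    """The pattern the post criticises: deny the gadgets you already know about."""

    DENIED = {("os", "system"), ("subprocess", "Popen"), ("subprocess", "check_output")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.DENIED:
            raise pickle.UnpicklingError(f"denied {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Accept only the types the application legitimately serializes."""

    ALLOWED = {(__name__, "BackupJob")}

    def find_class(self, module: str, name: str):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"{module}.{name} is not an allowed type")
        return super().find_class(module, name)


def load_blacklisted(data: bytes):
    return BlacklistUnpickler(io.BytesIO(data)).load()


def load_allowlisted(data: bytes):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def attacker_payload() -> bytes:
    return pickle.dumps(Gadget(), protocol=pickle.HIGHEST_PROTOCOL)


def legitimate_payload() -> bytes:
    return pickle.dumps(BackupJob("nightly", r"\\nas\backups"), protocol=pickle.HIGHEST_PROTOCOL)


def blacklist_bypassed() -> bool:
    """True when the gadget ran: eval returned the PID despite the blacklist."""
    return isinstance(load_blacklisted(attacker_payload()), int)


def allowlist_blocks() -> bool:
    """True when the allowlist refuses to resolve builtins.eval at all."""
    try:
        load_allowlisted(attacker_payload())
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("blacklist bypassed:", blacklist_bypassed())
    print("allowlist blocks gadget:", allowlist_blocks())
    job = load_allowlisted(legitimate_payload())
    print("allowlist still loads app types:", job.name, job.target)
```

Adding `("builtins", "eval")` to `DENIED` would only move the problem to the next unlisted callable, which is the cycle the post complains about; the durable fix is to stop deserializing untrusted input with a polymorphic serializer, and where that is impossible, to resolve types from a closed list like the allowlist above.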

GitLab fixes vulnerabilities related to the ruby-saml library

GitLab has announced the release of new software versions. The update applies to both Community Edition and Enterprise Edition. The patched versions are 17.9.2, 17.8.5 and 17.7.7. The most important fix concerns two vulnerabilities (CVE-2025-25291, CVE-2025-25292) reported in the ruby-saml library, which GitLab uses for SAML SSO (Security Assertion Markup Language; single sign-on). Under certain circumstances...

#WBiegu #Cve #Gitlab #Graphql #Podatności #Rce #Ruby #Saml

sekurak.pl/gitlab-naprawia-pod

Sekurak · GitLab fixes vulnerabilities related to the ruby-saml library

Cascading Redirects: Unmasking a Multi-Site JavaScript Malware Campaign

A recent investigation uncovered a malicious JavaScript injection affecting WordPress websites, redirecting visitors to unwanted third-party domains. The attack vector involves a two-stage redirection process, injecting code into theme files and loading external scripts. The malware creates hidden elements to force redirects, potentially leading to phishing pages, malvertising, exploit kits, or scam sites. At least 31 infected websites were identified, with domains like awards2today[.]top and chilsihooveek[.]net involved. The infection methods include compromised admin accounts, exploited vulnerabilities, inadequate file permissions, and hidden PHP backdoors. Impacts include traffic loss, reputation damage, SEO blacklisting, and risks of further infections. Detection involves inspecting network activity and file modifications, while prevention measures include regular security audits, updates, strong passwords, and web application firewalls.

Pulse ID: 67ca751fcb0a0f73661e1ad4
Pulse Link: otx.alienvault.com/pulse/67ca7
Pulse Author: AlienVault
Created: 2025-03-07 04:25:03


Unmasking the new persistent attacks on Japan

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, persistence establishment, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attack involves exploiting the vulnerability, executing PowerShell scripts, and using various tools for system compromise. The attacker's techniques are similar to those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating potential for future attacks.

Pulse ID: 67c9f6c4232a8b4665784c45
Pulse Link: otx.alienvault.com/pulse/67c9f
Pulse Author: AlienVault
Created: 2025-03-06 19:25:56

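To make the initial-access step of this pulse concrete, here is an added detection example over constructed web-server log lines; it is not from the pulse or the report it summarises, and the sample lines are made up. CVE-2024-4577 works because, on Windows under certain locales (Japanese among them), the soft hyphen 0xAD is "best-fit" mapped to an ASCII hyphen, so a query such as `?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input` reaches php-cgi as `-d` options. The scanner checks the two conditions that must hold together: the query carries no unencoded `=` (RFC 3875 section 4.4, the case in which a CGI server splits the query into argv words), and after percent-decoding some `+`-separated word starts with a real or soft hyphen followed by an option letter. The log format, field names and sensitive-directive list are my choices.

```python
import re
from typing import List, Optional
from urllib.parse import unquote_to_bytes

# Constructed access-log lines in common log format; they are made up for the
# example and are not indicators from the pulse.
SAMPLE_LOG = r'''
203.0.113.10 - - [06/Mar/2025:10:01:02 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
203.0.113.10 - - [06/Mar/2025:10:01:09 +0900] "GET /test.php?%ADd+cgi.force_redirect%3d0+%ADd+auto_prepend_file%3dC%3a%5Cwindows%5Ctemp%5Cx.txt HTTP/1.1" 200 77
198.51.100.7 - - [06/Mar/2025:10:02:00 +0900] "GET /index.php?id=42&lang=ja HTTP/1.1" 200 2048
198.51.100.8 - - [06/Mar/2025:10:03:00 +0900] "GET /search.php?q=caf%C3%A9+%2Dfoo HTTP/1.1" 200 900
198.51.100.9 - - [06/Mar/2025:10:04:00 +0900] "GET /index.php?-s HTTP/1.1" 200 3001
198.51.100.9 - - [06/Mar/2025:10:04:30 +0900] "GET /index.php HTTP/1.1" 200 2048
'''

REQUEST_LINE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A query word php-cgi would parse as a CLI option: a real hyphen, or the soft
# hyphen 0xAD that Windows best-fit mapping turns into one, then a letter.
OPTION_WORD = re.compile(rb"^[-\xad][A-Za-z]")
# ini directives and streams that turn a -d injection into code execution.
SENSITIVE = (b"auto_prepend_file", b"allow_url_include", b"cgi.force_redirect", b"php://input")


def inspect_target(target: str) -> Optional[dict]:
    """Return a finding for one request target, or None if it is not an argv-style query."""
    if "?" not in target:
        return None
    path, query = target.split("?", 1)
    if "=" in query:
        # RFC 3875 section 4.4: a query with an unencoded '=' is not split into
        # command-line arguments, so it never reaches php-cgi's option parser.
        return None
    words = unquote_to_bytes(query).split(b"+")   # '+' separates argv words
    options = [w for w in words if OPTION_WORD.match(w)]
    if not options:
        return None
    return {
        "path": path,
        "soft_hyphen": any(w.startswith(b"\xad") for w in options),
        "options": [w.decode("latin-1") for w in options],
        "ini_hits": [s.decode() for s in SENSITIVE if any(s in w for w in words)],
    }


def scan_log(text: str) -> List[dict]:
    """Run inspect_target over every parseable request line and collect findings."""
    findings = []
    for line in text.strip().splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        finding = inspect_target(m.group("target"))
        if finding:
            finding["client"] = m.group("client")
            finding["method"] = m.group("method")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = "soft-hyphen option (CVE-2024-4577 pattern)" if f["soft_hyphen"] else "literal -option"
        print(f"{f['client']} {f['method']} {f['path']}: {tag}; ini: {', '.join(f['ini_hits']) or '-'}")
```

The literal-hyphen case is reported separately because a patched php-cgi already rejects it; a hit with `soft_hyphen` set on a Windows host is the one that warrants pulling the POST body, since `auto_prepend_file=php://input` means the request body was the PHP payload.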