# Most recent comment

- Feed: https://vulnerability.circl.lu/comments/feed
- Updated: 2025-04-25T11:11:23.287576+00:00
- Author: Vulnerability-Lookup (info@circl.lu)
- Generator: python-feedgen
- Contains only the 10 most recent comments.

## Formal Vulnerability Disclosure for iPhone 15 Pro Max (iOS 18.3.1)

- Link: https://vulnerability.circl.lu/comment/e2a22b2f-4064-4f7f-a7c5-6b9f4b3cd280
- Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
- Published: 2025-02-27T08:00:55.964879+00:00
- Updated: 2025-04-25T11:11:23.297652+00:00

### Executive Summary

This report updates the findings on CVE-2025-24085, a use-after-free vulnerability affecting Apple's IDS subsystem and iMessage's BlastDoor sandboxing.

Findings (as of February 20, 2025):

- iOS 18.3.1 remains vulnerable despite Apple's February 19, 2025, mitigation deadline.
- BlastDoor is bypassed, enabling unsandboxed iMessage processing.
- Privilege escalation attempts detected, suggesting a possible kernel exploit.
- Unauthorized decryption and authentication tampering observed, raising concerns about iMessage interception and data exposure.
- The exploit remains active in the wild, requiring immediate action.

https://github.com/orgs/community/discussions/152523

## PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

- Link: https://vulnerability.circl.lu/comment/9fd019c6-b2d5-454c-88b2-2c693681e47f
- Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
- Published: 2025-03-03T21:30:27.513197+00:00
- Updated: 2025-04-25T11:11:23.297582+00:00

French cybersecurity company Sekoia observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices.

CVE-2023-20118 leads to a webshell installation.

## Apache Pinot Improper Neutralization of Special Elements Authentication Bypass Vulnerability

- Link: https://vulnerability.circl.lu/comment/a9f2cad3-dbfc-4703-9c5f-9af054301f88
- Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
- Published: 2025-03-11T05:25:53.938762+00:00
- Updated: 2025-04-25T11:11:23.297512+00:00

**CVE ID:** CVE-2024-56325

**CVSS SCORE:** 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**AFFECTED VENDORS:** Apache

**AFFECTED PRODUCTS:** Pinot

**VULNERABILITY DETAILS:** This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability. The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system.

**ADDITIONAL DETAILS:** Fixed in version 1.3.0

## Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks

- Link: https://vulnerability.circl.lu/comment/ee7a81f6-1013-4ce2-9180-897e57934f51
- Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
- Published: 2025-03-12T08:35:57.565406+00:00
- Updated: 2025-04-25T11:11:23.297437+00:00

Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.

The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple's Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows.

## Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure

- Link: https://vulnerability.circl.lu/comment/d302d303-b999-46ae-9812-71067bf20469
- Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
- Published: 2025-04-07T04:02:10.205880+00:00
- Updated: 2025-04-25T11:11:23.297361+00:00

- [Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure](https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwarded-for-and-ivanti-connect-secure-cve-2025-22457/)

## Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457)

- Link: https://vulnerability.circl.lu/comment/1b563420-7047-49bc-8488-2571aa82709c
- Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
- Published: 2025-04-11T07:43:03.949685+00:00
- Updated: 2025-04-25T11:11:23.297277+00:00

**Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) | Google Cloud Blog**

Written by: John Wolfram, Michael Edie, Jacob Thompson, Matt Lin, Josh Murchie

* * *

On Thursday, April 3, 2025, Ivanti [disclosed](https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457) a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation would result in remote code execution. Mandiant and Ivanti have identified evidence of active exploitation in the wild against ICS 9.X (end of life) and 22.7R2.5 and earlier versions. Ivanti and Mandiant encourage all customers to upgrade as soon as possible.

The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025. Following successful exploitation, we observed the deployment of two newly identified malware families, the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor. Additionally, deployment of the previously reported [SPAWN ecosystem of malware](https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement) attributed to UNC5221 was also observed.

UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023. A patch for CVE-2025-22457 was released in ICS 22.7R2.6 on February 11, 2025. The vulnerability is a buffer overflow with a limited character space, and therefore it was initially believed to be a low-risk denial-of-service vulnerability. We assess it is likely the threat actor studied the patch for the vulnerability in ICS 22.7R2.6 and uncovered, through a complicated process, that it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution.

Ivanti released [patches](https://portal.ivanti.com/) for the exploited vulnerability and Ivanti customers are urged to follow the actions in the [Security Advisory](https://forums.ivanti.com/s/article/April-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-22457) to secure their systems as soon as possible.

### Post-Exploitation Tactics, Techniques, and Procedures

Following successful exploitation, Mandiant observed the deployment of two newly identified malware families tracked as TRAILBLAZE and BRUSHFIRE through a shell script dropper. Mandiant has also observed the deployment of the [SPAWN ecosystem of malware](https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement). Additionally, similar to previously [observed](https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation/) behavior, the actor attempted to modify the Integrity Checker Tool (ICT) in an attempt to evade detection.

#### Shell-script Dropper

Following successful exploitation of CVE-2025-22457, Mandiant observed a shell script being leveraged that executes the TRAILBLAZE dropper. This dropper injects the BRUSHFIRE passive backdoor into a running `/home/bin/web` process.

The first stage begins by searching for a `/home/bin/web` process that is a child process of another `/home/bin/web` process (the point of this appears to be to inject into the `web` process that is actually listening for connections). It then creates the following files and associated content:

* `/tmp/.p`: contains the PID of the `/home/bin/web` process.
* `/tmp/.m`: contains a memory map of that process (human-readable).
* `/tmp/.w`: contains the base address of the `web` binary from that process.
* `/tmp/.s`: contains the base address of `libssl.so` from that process.
* `/tmp/.r`: contains the BRUSHFIRE passive backdoor.
* `/tmp/.i`: contains the TRAILBLAZE dropper.

The shell script then executes `/tmp/.i`, which is the second stage in-memory only dropper tracked as TRAILBLAZE. It then deletes all of the temporary files previously created (except for `/tmp/.p`), as well as the contents of the `/data/var/cores` directory. Next, all child processes of the `/home/bin/web` process are killed and the `/tmp/.p` file is deleted. All of this behavior is non-persistent, and the dropper will need to be re-executed if the system or process is rebooted.

#### TRAILBLAZE

TRAILBLAZE is an in-memory only dropper written in bare C that uses raw syscalls and is designed to be as minimal as possible, likely to ensure it can fit within the shell script as Base64. TRAILBLAZE injects a hook into the identified `/home/bin/web` process. It will then inject the BRUSHFIRE passive backdoor into a code cave inside that process.

#### BRUSHFIRE

BRUSHFIRE is a passive backdoor written in bare C that acts as an `SSL_read` hook. It first executes the original `SSL_read` function, and checks to see if the returned data begins with a specific string. If the data begins with the string, it will XOR decrypt then execute shellcode contained in the data. If the received shellcode returns a value, the backdoor will call `SSL_write` to send the value back.

#### SPAWNSLOTH

As detailed in our [previous blog post](https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement#:~:text=to%20three%20times.-,SPAWNSLOTH,-SPAWNSLOTH%20is%20a), SPAWNSLOTH acts as a log tampering component tied to the SPAWNSNAIL backdoor. It targets the `dslogserver` process to disable both local logging and remote syslog forwarding.

#### SPAWNSNARE

SPAWNSNARE is a utility that is written in C and targets Linux. It can be used to extract the uncompressed Linux kernel image (vmlinux) into a file and encrypt it using AES without the need for any command line tools.

#### SPAWNWAVE

SPAWNWAVE is an evolved version of SPAWNANT that combines capabilities from other members of the [SPAWN](https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement#:~:text=SLIVER%20and%20CrackMapExec.-,SPAWN%20Malware%20Family,-During%20analysis%20of) malware ecosystem. SPAWNWAVE overlaps with the publicly reported [SPAWNCHIMERA](https://blogs.jpcert.or.jp/en/2025/02/spawnchimera.html) and [RESURGE](https://www.cisa.gov/news-events/analysis-reports/ar25-087a) malware families.

### Attribution

Google Threat Intelligence Group (GTIG) attributes the exploitation of CVE-2025-22457 and the subsequent deployment of the SPAWN ecosystem of malware to the suspected China-nexus espionage actor UNC5221. GTIG has previously reported UNC5221 conducting zero-day exploitation of CVE-2025-0282, as well as the exploitation of CVE-2023-46805 and CVE-2024-21887. Furthermore, GTIG has also previously observed UNC5221 conducting zero-day exploitation of CVE-2023-4966, impacting NetScaler ADC and NetScaler Gateway appliances. UNC5221 has targeted a wide range of countries and verticals during their operations, and has leveraged an extensive set of tooling, spanning passive backdoors to trojanized legitimate components on various edge appliances.

GTIG assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo. Additionally, as noted in our prior blog post detailing CVE-2025-0282 exploitation, GTIG has observed UNC5221 leveraging an obfuscation network of compromised Cyberoam appliances, QNAP devices, and ASUS routers to mask their true source during intrusion operations.

### Conclusion

This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws. This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure.

### Recommendations

Mandiant recommends organizations immediately apply the available patch by upgrading Ivanti Connect Secure (ICS) appliances to version 22.7R2.6 or later to address CVE-2025-22457. Additionally, organizations should use the external and internal Integrity Checker Tool (“ICT”) and contact Ivanti Support if suspicious activity is identified. To supplement this, defenders should actively monitor for core dumps related to the web process, investigate ICT statedump files, and conduct anomaly detection of client TLS certificates presented to the appliance.

### Acknowledgements

We would like to thank Daniel Spicer and the rest of the team at Ivanti for their continued partnership and support in this investigation. Additionally, this analysis would not have been possible without the assistance from analysts across Google Threat Intelligence Group and Mandiant’s FLARE; we would like to specifically thank Christopher Gardner and Dhanesh Kizhakkinan of FLARE for their support.

### Indicators of Compromise

To assist the security community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a [GTI Collection](https://www.virustotal.com/gui/collection/c1437b752a4bece143f3584eef40b00cb72f9281068bd1c235cf76f94d744024/iocs) for registered users.

| Code Family | MD5 | Filename | Description |
|-------------|-----|----------|-------------|
| TRAILBLAZE | 4628a501088c31f53b5c9ddf6788e835 | /tmp/.i | In-memory dropper |
| BRUSHFIRE | e5192258c27e712c7acf80303e68980b | /tmp/.r | Passive backdoor |
| SPAWNSNARE | 6e01ef1367ea81994578526b3bd331d6 | /bin/dsmain | Kernel extractor & encryptor |
| SPAWNWAVE | ce2b6a554ae46b5eb7d79ca5e7f440da | /lib/libdsupgrade.so | Implant utility |
| SPAWNSLOTH | 10659b392e7f5b30b375b94cae4fdca0 | /tmp/.liblogblock.so | Log tampering utility |

### YARA Rules

```
rule M_APT_Installer_SPAWNANT_1
{
    meta:
        author = "Mandiant"
        description = "Detects SPAWNANT. SPAWNANT is an Installer targeting Ivanti devices. Its purpose is to persistently install other malware from the SPAWN family (SPAWNSNAIL, SPAWNMOLE) as well as drop additional webshells on the box."
    strings:
        $s1 = "dspkginstall" ascii fullword
        $s2 = "vsnprintf" ascii fullword
        $s3 = "bom_files" ascii fullword
        $s4 = "do-install" ascii
        $s5 = "ld.so.preload" ascii
        $s6 = "LD_PRELOAD" ascii
        $s7 = "scanner.py" ascii
    condition:
        uint32(0) == 0x464c457f and 5 of ($s*)
}
```

```
rule M_Utility_SPAWNSNARE_1
{
    meta:
        author = "Mandiant"
        description = "SPAWNSNARE is a utility written in C that targets Linux systems by extracting the uncompressed Linux kernel image into a file and encrypting it with AES."
    strings:
        $s1 = "\x00extract_vmlinux\x00"
        $s2 = "\x00encrypt_file\x00"
        $s3 = "\x00decrypt_file\x00"
        $s4 = "\x00lbb_main\x00"
        $s5 = "\x00busybox\x00"
        $s6 = "\x00/etc/busybox.conf\x00"
    condition:
        uint32(0) == 0x464c457f and all of them
}
```

```
rule M_APT_Utility_SPAWNSLOTH_2
{
    meta:
        author = "Mandiant"
        description = "Hunting rule to identify strings found in SPAWNSLOTH"
    strings:
        $dslog = "dslogserver" ascii fullword
        $hook1 = "g_do_syslog_servers_exist" ascii fullword
        $hook2 = "ZN5DSLog4File3addEPKci" ascii fullword
        $hook3 = "funchook" ascii fullword
    condition:
        uint32(0) == 0x464c457f and all of them
}
```

Posted in

* [Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence)

## PoC for CVE-2025-22457

- Link: https://vulnerability.circl.lu/comment/1140d063-7d5a-4971-8e08-9514c03dfef7
- Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
- Published: 2025-04-11T07:47:34.917635+00:00
- Updated: 2025-04-25T11:11:23.297174+00:00

**PoC for CVE-2025-22457**

_A remote unauthenticated stack based buffer overflow affecting Ivanti Connect Secure, Pulse Connect Secure, Ivanti Policy Secure, and ZTA Gateways_

### Overview

This is a proof of concept exploit to demonstrate exploitation of CVE-2025-22457. For a complete technical analysis of the vulnerability and exploitation strategy, please see our Rapid7 Analysis here: https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis

Available at https://github.com/sfewer-r7/CVE-2025-22457

## CVE-2025-24054, NTLM Exploit in the Wild - Checkpoint Research

- Link: https://vulnerability.circl.lu/comment/00b15597-d2d6-413f-b3a1-38c62db1e6b0
- Author: Alexandre Dulaunoy (http://vulnerability.circl.lu/user/adulau)
- Published: 2025-04-18T12:00:09.819215+00:00
- Updated: 2025-04-25T11:11:23.296152+00:00

- CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.
- Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.
- Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.

For more details: [CVE-2025-24054, NTLM Exploit in the Wild](https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/)

## Path Traversal Vulnerability in Surveillance Software - Luxembourg and Belgium notified

- Link: https://vulnerability.circl.lu/comment/a7120db2-1a20-4a03-849d-4688d5ea7992
- Author: Cédric Bonhomme (http://vulnerability.circl.lu/user/cedric)
- Published: 2025-04-22T12:29:20.438374+00:00
- Updated: 2025-04-25T11:11:23.294962+00:00

Numerous law enforcement agencies worldwide have been affected by a zero-day exploit (path traversal) in reconnaissance software. This apparently also includes body cameras used by special forces, surveillance equipment, and police drones.

The "Media Relay Service (MRS)" (web server) software for reconnaissance devices from the Israeli manufacturer Infodraw is affected by a serious security vulnerability (Path Traversal Vulnerability). Security experts from Mint Secure discovered the vulnerability and initially reported it to the manufacturer and, due to a lack of response, subsequently to operators and CERTs worldwide in order to rule out further risks and responsibly disclose the vulnerability.

This blog post describes technical details, cases from various countries, and the approach behind the discovery. Recommendations for affected organizations are also provided.

![Architecture excerpt from the manual](https://mint-secure.de/wp-content/uploads/2025/04/Auszug_Handbuch_Architektur.png)

## PH65941: IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1)

- Link: https://vulnerability.circl.lu/comment/62e17ecb-0345-4b1c-b7d6-343410dd1084
- Author: Hans-Petter Fjeld (http://vulnerability.circl.lu/user/atluxity)
- Published: 2025-04-23T08:25:20.348540+00:00
- Updated: 2025-04-25T11:11:23.293398+00:00

**Abstract**

IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1)

**Download Description**

PH65941 resolves the following problem:

ERROR DESCRIPTION: IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1)

PROBLEM SUMMARY: IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1)

PROBLEM CONCLUSION: Confidential for CVE-2025-27907. The fix for this APAR is targeted for inclusion in 8.5.5.28, 9.0.5.24. For more information, see Recommended Updates for WebSphere Application Server: https://www.ibm.com/support/pages/node/715553

**Prerequisites**

None

**Problems Solved**

PH65941

Source: https://www.ibm.com/support/pages/node/7231182