Wednesday, April 30, 2025

Google Chrome Vulnerability Allows Attackers to Bypass Sandbox Restrictions – Technical Details Revealed


A severe vulnerability, identified as CVE-2025-2783, has been discovered in Google Chrome, specifically targeting the Mojo inter-process communication (IPC) component on Windows systems.

This high-impact flaw, with a CVSS score of 8.8, stems from improper handle validation and management within Mojo, enabling remote attackers to craft malicious payloads that, when triggered through user interaction like clicking a phishing link or visiting a malicious website, allow them to escape Chrome’s tightly controlled sandbox environment.

Discovered during a targeted attack campaign dubbed “Operation ForumTroll,” which compromised systems in Russia’s media, education, and government sectors, this zero-day exploit chain underscores the critical risks posed by sandbox escape vulnerabilities.

The flaw facilitates arbitrary command execution outside the sandbox, granting attackers the ability to achieve persistence, move laterally across networks, and deploy malicious payloads on the host machine with potentially devastating consequences.

Rapid Response and Detailed Patch Analysis

Reported to Google by Kaspersky researchers Boris Larin and Igor Kuznetsov on March 25, 2025, CVE-2025-2783 was addressed with remarkable speed, with a patch rolled out within just five days in Chrome version 134.0.6998.177.

Technical analysis of the patch, conducted through reverse engineering tools like Ghidra and IDA Free, alongside BinDiff comparisons between the vulnerable (v134.0.6998.142) and patched versions, reveals significant fortifications.

Key improvements include stringent input validation to reject NULL or malformed Mojo handles, new conditional checks to gate escape functionality behind a safe list of codes, and early return mechanisms in IPC handlers to abort processing of unexpected message types.

Additionally, sanitization of incoming message content and enhanced crash prevention logging have been integrated to thwart crafted payloads and monitor handler misuse.

Chromium Git commits further highlight security-focused updates, such as rejecting suspicious Mojo transfers and applying rigorous filters to renderer processes, effectively neutralizing the exploit paths exploited in the wild.

The implications of CVE-2025-2783 are profound, as it exposes even sandboxed environments to full system compromise, data theft, and malware deployment with relatively low attack complexity, despite requiring user interaction.

Google has automatically deployed fixes via Chrome Updater, but users and organizations must remain vigilant.

Ensuring auto-updates are enabled, blocking suspicious domains at the firewall or DNS level, and educating users on phishing risks are critical defensive measures.

Directory listing of phishing server

On the detection front, monitoring for anomalous Chrome renderer behavior, such as unauthorized child process spawning, and leveraging memory-based Endpoint Detection and Response (EDR) solutions can help identify exploitation attempts.

As this vulnerability was actively exploited in targeted attacks, it serves as a stark reminder of the evolving sophistication of threat actors and the importance of robust security practices.

CVE-2025-2783 not only highlights the fragility of IPC mechanisms when improperly validated but also reinforces the need for continuous vigilance and proactive patching to safeguard against such high-severity threats in widely used software like Chrome.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!

Threat Actors Accelerate Transition from Reconnaissance to Compromise – New Report Finds


Cybercriminals are leveraging automation across the entire attack chain, drastically reducing the time from reconnaissance to compromise.

The data shows a staggering 16.7% global increase in scans, with over 36,000 scans per second targeting not just exposed ports but delving into operational technology (OT), cloud APIs, and identity layers.

Sophisticated tools probe SIP-based VoIP systems, RDP servers, and industrial protocols like Modbus TCP, mapping vulnerabilities continuously.

This industrial-scale automation extends to phishing and malware creation, with AI-driven platforms like FraudGPT and ElevenLabs enabling the production of hyper-realistic phishing lures, deepfake videos, and cloned executive voices.

The rise of Cybercrime-as-a-Service (CaaS) marketplaces further lowers the entry barrier, allowing even novice attackers to purchase access, tools, and infrastructure, thus amplifying the volume and success rate of cyberattacks.

Credentials and Cloud Misconfigurations Drive Exploits

The report highlights a 42% surge in stolen credentials on darknet forums, totaling over 100 billion unique records including emails, passwords, and multifactor bypass data.

Infostealer malware such as Redline and Vidar has fueled a 500% spike in credential log activity, harvested in real-time by Initial Access Brokers (IABs) for turnkey infiltration into corporate VPNs and admin panels.

These credentials underpin ransomware and espionage, making brute force obsolete as attackers simply buy their way into networks.

Simultaneously, cloud environments remain a critical attack vector due to over-permissioned identities and credential leaks in public code repositories.

FortiCNAPP telemetry reveals that 25% of cloud incidents start with reconnaissance like API enumeration, followed by privilege escalation and lateral movement via legitimate services, often within hours of legitimate user activity, blending seamlessly into normal traffic.

Exploitation and Post-Breach Precision Define Modern Threats

Exploitation attempts are rampant, with Fortinet’s sensors logging over 97 billion attempts in the latter half of 2024, targeting outdated vulnerabilities like CVE-2017-0147 and CVE-2021-44228.

IoT devices, including routers and cameras with default credentials, account for over 20% of exploits, often recruited into botnets or used for persistence.

Post-breach, attackers demonstrate surgical precision, with 88% of lateral movement cases involving RDP and Remote Access Trojans (RATs) like Xeno RAT enabling data exfiltration.

Techniques like living-off-the-land, using legitimate tools such as PowerShell and WMI, alongside Active Directory manipulation via DCSync, render traditional detection ineffective.

Encrypted command-and-control channels and DNS tunneling further cloak malicious activity, underscoring the need for a paradigm shift in defense strategies.

The report urges a move toward Continuous Threat Exposure Management (CTEM), emphasizing real-time monitoring across cloud, OT, and IoT, risk-based vulnerability prioritization, and automated detection to shrink dwell times.

As threat actors optimize for speed and stealth, defenders must match their pace, leveraging integrated solutions like the Fortinet Security Fabric to unify threat intelligence and response across digital infrastructures.

This is no longer just a technical challenge but a critical business continuity imperative in the face of an evolving global threat landscape.


ResolverRAT Targets Healthcare and Pharmaceutical Sectors Through Sophisticated Phishing Attacks


A previously undocumented remote access trojan (RAT) named ResolverRAT has surfaced, specifically targeting healthcare and pharmaceutical organizations worldwide.

First observed as recently as March 10, 2025, this malware distinguishes itself from related threats like Rhadamanthys and Lumma through its sophisticated in-memory execution and multi-layered evasion techniques.

Morphisec, a leading cybersecurity firm, has detailed the malware’s operations, while PolySwarm analysts classify ResolverRAT as an emerging threat with unique capabilities.

Deployed through localized phishing campaigns, the malware leverages fear-based lures in languages such as Czech, Hindi, Indonesian, Italian, Portuguese, and Turkish, often citing legal or copyright violations to trick users into downloading a seemingly legitimate executable that initiates the infection via DLL side-loading.

Technical Sophistication and Stealthy Operations

ResolverRAT’s infection chain begins with a .NET-based loader that employs advanced anti-analysis methods, utilizing the System.Security.Cryptography namespace for AES-256 encryption in CBC mode with obfuscated keys decoded at runtime.

The payload, compressed using GZip, operates entirely in memory to minimize disk footprints and evade traditional security monitoring.

A standout feature is its use of .NET ResourceResolve event hijacking, which intercepts legitimate resource requests to inject malicious assemblies without altering PE headers or triggering suspicious API calls, a technique Morphisec describes as “malware evolution at its finest.”

Further complicating detection, the payload decryption within the RunVisibleHandler() method uses a complex state machine with control flow flattening and system fingerprinting to thwart static analysis and sandbox environments.

For persistence, ResolverRAT scatters up to 20 obfuscated registry entries across multiple locations and installs itself in various directories, ensuring it remains embedded in compromised systems.

According to the report, the malware’s command-and-control (C2) infrastructure is equally robust, utilizing a custom protocol over standard ports to blend with legitimate traffic.

Certificate pinning and a parallel trust system bypass SSL inspection, while IP rotation maintains connectivity even if primary servers are disrupted.

Data serialization via Protocol Buffers (ProtoBuf) enhances efficiency and obfuscation, and random-interval connection attempts via timer callbacks add to its stealth.

ResolverRAT’s multi-threaded architecture processes commands concurrently with error handling to prevent crashes, and for data exfiltration, it splits files exceeding 1MB into 16KB chunks, transmitting them only when sockets are ready to minimize detection and recover from network interruptions.

While it shares phishing tactics and binary reuse with Rhadamanthys and Lumma, its distinct loader and payload architecture cement its status as a standalone threat family.

Organizations in the healthcare and pharmaceutical sectors are urged to bolster defenses against phishing campaigns and deploy advanced endpoint detection to counter this evolving threat.

Indicators of Compromise (IOCs)

The following table lists known ResolverRAT samples identified by PolySwarm for reference and threat hunting purposes:

SHA256 Hash
c3028a3c0c9b037b252c046b1b170116e0edecf8554931445c27f0ddb98785c1
80625a787c04188be1992cfa457b11a166e19ff27e5ab499b58e8a7b7d44f2b9


Europol Launches Taskforce to Combat Violence-as-a-Service Networks


Europol has announced the launch of a powerful new Operational Taskforce (OTF), codenamed GRIMM, to confront the alarming rise of “violence-as-a-service” (VaaS) and the growing recruitment of young people by organised crime groups across Europe.

Spearheaded by Sweden and joined by law enforcement from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway, this multinational effort aims to disrupt a shadowy underworld where violence is offered on demand and young lives are put at risk.

A Fast-Evolving Threat

The move comes in direct response to alarming findings in the European Union Serious and Organised Crime Threat Assessment 2025 (EU-SOCTA).

The report revealed a disturbing strategy: criminal organisations are systematically recruiting young people, often minors, both to commit crimes and to shield their adult masterminds from law enforcement.

By manipulating and exploiting vulnerable youths, gangs hope to evade prosecution and expand their reach with lower risks.

“Violence-as-a-service” is the term for this chilling business model. Criminals outsource brutal acts, including assaults, threats, and even contract killings, to service providers who hire and deploy young perpetrators for a fee.

Many of these crimes are orchestrated online, with recruitment, training, and payment all happening digitally.

Criminal recruiters are exploiting social media platforms and encrypted messaging apps, luring in young targets with promises of money, status, or a sense of belonging.

Tactics include coded messages, memes, and gamified criminal challenges. The methods are shrewd and calculated, offering not just quick cash but the allure of a glamorous outlaw lifestyle.

Four-Pronged Approach to Disrupting VaaS Networks

The OTF GRIMM task force’s strategy includes:

  1. Intelligence Sharing and Joint Investigations: Securing seamless cross-border cooperation.
  2. Mapping Criminal Methods: Tracking recruitment, roles, and monetisation tactics.
  3. Targeting Service Providers: Dismantling core groups enabling violence-on-demand.
  4. Partnering with Tech Companies: Preventing online groomers from reaching new victims.

Europol is central to this effort, offering analytical, strategic, and operational support to ensure a unified European response.

Europol urges parents to remain vigilant. Warning signs of involvement may include unexplained wealth, sudden behavioural changes, or a new secrecy around finances.

If your child stops asking for money but appears to have it, consider it a potential red flag. Europol’s newly published awareness guide provides practical tips to help families identify risks early.

The fight against violence-as-a-service is a fight for the future of vulnerable youth.

Through OTF GRIMM, European authorities are determined to intercept criminal recruiters and reclaim young lives targeted for exploitation.


JokerOTP Platform Linked to 28,000+ Phishing Attacks Dismantled


Law enforcement agencies from the UK and the Netherlands have dismantled the notorious JokerOTP cybercrime platform, which is allegedly linked to more than 28,000 phishing attacks across 13 countries.

A 24-year-old man was apprehended this morning by Cleveland Police at a residence in Middlesbrough, England.

He is currently being held in police custody on suspicion of a slew of serious offenses, including supplying articles for use in fraud, conspiracy to supply articles for use in fraud, multiple counts of fraud by false representation, unauthorized access to computer material, money laundering, and blackmail.

Simultaneously, a 30-year-old man was arrested by Dutch National Police in the Oost-Brabant region.

Law enforcement sources say these synchronized arrests mark the culmination of a three-year, cross-border investigation led by Cleveland Police’s Cyber Crime Unit, with crucial support from the North East Regional Organised Crime Unit (NEROCU), the National Crime Agency (NCA), Europol, and the Dutch National Police.

27,800+ Victims and £7.5 Million in Losses

Authorities allege that over two years, the JokerOTP platform was used to trick thousands of victims into revealing authentication codes and sensitive personal information, facilitating fraudulent bank transactions and compromising financial accounts.

The reported financial losses linked to these activities total an estimated £7.5 million.

Detective Sergeant Kevin Carter, who leads the Cyber Crime Unit at Cleveland Police, described the operation as one of the largest in the force’s history.

Carter highlighted the painstaking work involved: “Over three years, the team has been working closely with various law enforcement agencies to establish what activity has taken place, the number of victims believed to have been affected, and the identity of the individuals suspected of being involved.”

Today’s operation also saw law enforcement collaborating with international hosting companies to dismantle the JokerOTP platform, a crucial first step in broader enforcement against its user base.

“Users of the JokerOTP bot platform can rest assured that law enforcement has been watching and will be in touch,” warned Detective Sergeant Carter, signaling potential legal consequences for individuals who utilized the service.

Dutch police joined the investigation in 2024, bringing vital expertise that helped bring down what authorities describe as a sophisticated and far-reaching cybercrime network.

Carter praised the cross-border effort, saying, “Our collaborative efforts with international partners demonstrate that we can, and will, track down individuals who we believe to be exploiting technology for criminal gain.”

As the investigation continues, authorities urge victims and potential users of such platforms to come forward and assist with inquiries, underscoring that cybercriminals are not beyond the reach of the law.


Windows Server 2025 Gets Hotpatching Support Beginning July 1, 2025


Microsoft announced that hotpatching support for Windows Server 2025 will become generally available as a subscription service starting July 1, 2025.

This move expands a key feature, previously exclusive to Azure-based servers, for broader use in on-premises and multicloud environments via Azure Arc.

What is Hotpatching?

Hotpatching is a revolutionary update mechanism that patches the in-memory code of running processes, eliminating the need for immediate server reboots.

Unlike traditional updates that require scheduled downtime and post-update restarts, hotpatching allows administrators to deploy crucial security and feature patches while maintaining higher server availability.

The benefits are clear:

  • Higher uptime: Fewer service disruptions, as most updates don’t require a reboot.
  • Faster deployment: Smaller update packages and streamlined orchestration through Azure Update Manager enable quicker rollouts.
  • Reduced vulnerability window: Immediate patching means threats are neutralized sooner.

Administrators can currently preview hotpatching free of charge. However, with the official launch, subscription pricing will begin at USD 1.50 per CPU core per month.

Hotpatching has been utilized for years in Windows Server Datacenter: Azure Edition, where even Microsoft’s Xbox team has leveraged it to reduce weeks of work to mere days.

With the upcoming release, organizations running Windows Server 2025 Standard or Datacenter editions can now access hotpatching outside Azure, provided their servers are connected through Azure Arc.

This hybrid and multicloud capability supports Microsoft’s adaptive cloud approach, giving organizations more flexibility and control.

Key Restrictions and Enrollment Details

To take advantage of hotpatching outside Azure, administrators must:

  • Run Windows Server 2025 Standard or Datacenter
  • Connect servers to Azure Arc
  • Subscribe to the hotpatching service beginning in July

If you’re currently using the preview via Azure Arc, Microsoft recommends disenrolling by June 30 if you do not wish to continue with a paid subscription.

For Azure IaaS, Azure Local, or Azure Stack users, hotpatching remains bundled with Windows Server Datacenter: Azure Edition at no extra cost.

Hotpatching will deliver up to eight patches per year, following a three-month cycle: one “baseline” month requiring a reboot, followed by two months of in-memory hotpatches. The baseline months for 2025 are January, April, July, and October.

Microsoft encourages all administrators to trial this feature during its free preview and experience the future of secure, seamless server updates.


Critical Linux Kernel Flaw (CVE-2025-21756) Allows Privilege Escalation


A newly disclosed vulnerability in the Linux kernel, tracked as CVE-2025-21756 and dubbed “Attack of the Vsock,” has sent ripples through the cybersecurity community.

The flaw enables attackers to escalate privileges to root, potentially gaining full control over affected Linux systems.

According to the Hoefler report, researchers warn that exploitation is feasible and has been demonstrated in real-world conditions, putting millions of systems at risk.

Understanding CVE-2025-21756

This critical vulnerability lies in the Linux kernel’s implementation of the vsock (Virtual Socket) subsystem, specifically within the VMware vsock driver (net/vmw_vsock/af_vsock.c).

Vsocks are used for inter-virtual machine communication, a common feature in cloud and virtualization platforms.

Patch Analysis

The flaw results from an error in reference counting during the transport reassignment of vsock sockets.

The kernel patch addressing the issue modifies the vsock_remove_sock() function to ensure that the binding is only removed under certain conditions, preventing the reference counter from being incorrectly decremented:

void vsock_remove_sock(struct vsock_sock *vsk)
{
    /* Transport reassignment must not remove the binding. */
    if (sock_flag(sk_vsock(vsk), SOCK_DEAD))
        vsock_remove_bound(vsk);
    vsock_remove_connected(vsk);
}

Before the patch, vsock objects could have their reference count reduced to zero erroneously, leading to what’s known as a Use-After-Free (UAF) vulnerability.

Attackers can exploit this to take control of freed kernel memory, allowing arbitrary code execution with kernel privileges.
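As an added illustration (not the kernel's code or the researcher's), the following C model reproduces the reference-count imbalance described above: the socket is created on the unbound list, transport reassignment runs the pre-fix vsock_remove_sock() and drops that list's reference, and a later bind() drops it again, reaching zero while the socket is still in use; the patched variant keeps the binding until the socket is dead. Type and function names are simplified stand-ins, and the step sequence follows the description in the upstream fix's commit message.

```c
/* Added illustration, not kernel code: a simplified model of the vsock
 * reference-count lifecycle around transport reassignment. Type and
 * function names are stand-ins for the kernel's; the sequence of steps
 * follows the description in the upstream fix's commit message. */
#include <stdbool.h>
#include <stdio.h>

struct model_sock {
    int  refcnt;    /* sk_refcnt: the owner's reference plus one per list membership */
    bool in_table;  /* bound_table is linked into the unbound list or a bound list */
    bool dead;      /* SOCK_DEAD: the owner has released the socket */
    bool freed;     /* refcnt reached zero */
    bool uaf;       /* the model touched the socket after it was freed */
};

static void sock_hold(struct model_sock *s) { if (s->freed) s->uaf = true; s->refcnt++; }
static void sock_put(struct model_sock *s) {
    if (s->freed) { s->uaf = true; return; }
    if (--s->refcnt == 0) s->freed = true;
}

/* __vsock_insert_bound()/__vsock_remove_bound(): list membership holds a reference. */
static void insert_bound(struct model_sock *s)     { sock_hold(s); s->in_table = true; }
static void remove_bound_raw(struct model_sock *s) { s->in_table = false; sock_put(s); }

/* vsock_remove_bound(): removes only if the socket is currently in a table. */
static void remove_bound(struct model_sock *s) { if (s->in_table) remove_bound_raw(s); }

/* Pre-fix vsock_remove_sock(): always drops the binding, even while the socket is alive. */
static void remove_sock_vulnerable(struct model_sock *s) { remove_bound(s); }

/* Post-fix vsock_remove_sock(): the binding survives unless the socket is dead. */
static void remove_sock_fixed(struct model_sock *s) { if (s->dead) remove_bound(s); }

/* vsock_bind(): assumes the socket still sits on the unbound list, drops that
 * membership unconditionally and inserts it into the bound list. */
static void do_bind(struct model_sock *s) { remove_bound_raw(s); insert_bound(s); }

/* Lifecycle: create (unbound list), transport release during reassignment,
 * bind(), then close(). Returns the final socket state. */
static struct model_sock run_lifecycle(void (*remove_sock)(struct model_sock *)) {
    struct model_sock s = { .refcnt = 1 };  /* vsock_create(): owner reference */
    insert_bound(&s);                       /* vsock_insert_unbound(): refcnt 2 */
    remove_sock(&s);                        /* transport->release() on reassignment */
    do_bind(&s);                            /* vsock_bind(): unpatched model hits refcnt 0 here */
    s.dead = true;                          /* close(): socket marked SOCK_DEAD */
    remove_sock(&s);                        /* vsock_release() -> vsock_remove_sock() */
    sock_put(&s);                           /* owner drops its reference */
    return s;
}

int main(void) {
    struct model_sock v = run_lifecycle(remove_sock_vulnerable);
    struct model_sock f = run_lifecycle(remove_sock_fixed);
    printf("unpatched: use-after-free=%s\n", v.uaf ? "yes" : "no");
    printf("patched:   use-after-free=%s, final refcnt=%d\n", f.uaf ? "yes" : "no", f.refcnt);
    return 0;
}
```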

How Can Attackers Exploit CVE-2025-21756?

Research reveals that the vulnerability is not merely theoretical. A detailed proof-of-concept exploit has been published, showing the following attack chain:

  1. Trigger Use-After-Free: By manipulating vsock sockets and triggering specific connection attempts, attackers can force the kernel to free a vsock object prematurely.
  2. Memory Reclamation: The attacker reclaims the freed memory with malicious, user-controlled data (using techniques like pipe or message sprays).
  3. Leak Kernel Addresses: Utilizing features like vsock_diag_dump, which is not protected by standard security modules (e.g., AppArmor), attackers can brute-force and leak sensitive kernel addresses, bypassing Kernel Address Space Layout Randomization (KASLR).
  4. Hijack Control Flow: By crafting fake kernel structures, the attacker redirects execution to a privileged instruction chain, ultimately gaining root access.

Mitigations and Recommendations

  • Patch Immediately: Linux distributions have issued security advisories, with patches now available for all maintained branches. It is essential to update systems running kernel versions vulnerable to CVE-2025-21756.
  • Restrict Vsock Usage: Where possible, disable or restrict vsock features, especially in shared or multi-tenant environments.
  • Monitor for Suspicious Activity: Increased monitoring of vsock-related operations and kernel crashes can help detect exploitation attempts.
  • Review Security Modules: Ensure that security modules like AppArmor and SELinux are correctly configured, although some exploit paths may bypass them.

Given the widespread use of virtualized environments running Linux, the flaw has far-reaching implications.

Cloud providers, enterprise IT, and container platforms are urged to assess their exposure and apply fixes promptly.

Security researcher “midas,” who developed the exploit, described the process in a comprehensive write-up after discovering the bug in KernelCTF submissions.

The journey from initial patch analysis to successful privilege escalation underscores the importance of vigilant kernel security practices.


Massive Attack: 4,800+ IPs Used to Target Git Configuration Files


A recent surge in cyber reconnaissance has put thousands of organizations at risk after GreyNoise, a global threat intelligence platform, detected an alarming spike in attempts to access sensitive Git configuration files.

Between April 20 and 21, GreyNoise observed the daily count of unique IPs targeting these files soar past 4,800, a record-breaking figure and a clear sign of intensifying interest from malicious actors.

CVE Spotlight: CVE-2021-23263

While this wave of activity is not tied to a newly discovered zero-day, threat researchers are warning that attackers could exploit known vulnerabilities like CVE-2021-23263, a weakness in certain web server configurations that can inadvertently expose .git directories.

If exploited, attackers can download the entire Git repository, including its configuration files, commit history, and sensitive credentials.

Malicious IPs and Regional Targeting

The vast majority (95%) of IPs engaged in this behavior in the past 90 days are categorized as malicious, emphasizing the critical threat facing exposed sites.

The activity is globally distributed but has a pronounced concentration in Asia. Singapore notably emerged as both the top source and destination for these scanning sessions, with the U.S. and Germany also featuring prominently.

Top Source Countries (Unique IPs):

  • Singapore: 4,933
  • U.S.: 3,807
  • Germany: 473
  • U.K.: 395
  • Netherlands: 321

Top Destination Countries (Unique IPs):

  • Singapore: 8,265
  • U.S.: 5,143
  • Germany: 4,138
  • U.K.: 3,417
  • India: 3,373

Many of these IPs are linked to major cloud infrastructure providers (Cloudflare, Amazon, and DigitalOcean), highlighting attackers’ use of scalable resources to amplify reconnaissance.

GreyNoise notes that this is the fourth and largest spike in Git configuration file crawling since September 2024, far surpassing previous surges involving about 3,000 unique IPs.

Git configuration file crawling since September 2024

Each spike reveals shifting patterns in regional activity and illustrates the persistence and adaptability of threat actors.

Exposing a Git configuration file (or, worse, the entire .git/ directory) can reveal:

  • Remote repository URLs (e.g., GitHub, GitLab)
  • Branch structures and naming conventions
  • Insider metadata about development processes
  • Credentials embedded in commit history

This is no theoretical threat: In 2024, a similar misconfiguration led to the exposure of 15,000 credentials and the cloning of 10,000 private repositories.

To prevent such breaches:

  • Ensure .git/ directories are not web-accessible.
  • Block access to hidden files/folders in web server configs.
  • Monitor server logs for repeated requests to .git/config.
  • Immediately rotate any exposed credentials.

Blocking malicious IPs and closing these gaps should be a top priority for any organization relying on Git for source code management.
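As an added example (not GreyNoise's tooling), here is a small C log scanner that implements the monitoring advice above over a few constructed access-log lines in Common Log Format. It flags clients that repeatedly request hidden paths such as /.git/config and, separately, counts any 2xx response to such a path, since that indicates the server actually served the file. The sample IPs are from documentation ranges and the threshold of two requests is an assumed tuning value.

```c
/* Added example, not GreyNoise's tooling: scan web access-log lines for
 * requests to hidden paths (/.git/config, /.env, ...) and summarise per client.
 * SAMPLE_LOG holds constructed lines; the IPs are from documentation ranges. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *const SAMPLE_LOG[] = {
    "203.0.113.5 - - [21/Apr/2025:10:00:01 +0000] \"GET /index.html HTTP/1.1\" 200 5120",
    "203.0.113.5 - - [21/Apr/2025:10:00:02 +0000] \"GET /.git/config HTTP/1.1\" 404 162",
    "203.0.113.5 - - [21/Apr/2025:10:00:03 +0000] \"GET /.git/HEAD HTTP/1.1\" 404 162",
    "203.0.113.5 - - [21/Apr/2025:10:00:04 +0000] \"GET /app/.git/config HTTP/1.1\" 404 162",
    "198.51.100.7 - - [21/Apr/2025:10:01:00 +0000] \"GET /.git/config HTTP/1.1\" 403 153",
    "198.51.100.7 - - [21/Apr/2025:10:01:05 +0000] \"GET /about HTTP/1.1\" 200 2048",
    "192.0.2.9 - - [21/Apr/2025:10:02:00 +0000] \"GET /.git/config HTTP/1.1\" 200 312",
    "192.0.2.9 - - [21/Apr/2025:10:02:01 +0000] \"GET /.env?x=1 HTTP/1.1\" 200 88",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])
#define MAX_CLIENTS 32

struct request { char ip[46]; char path[512]; int status; };
struct client_stats { char ip[46]; int hidden_requests; int hidden_2xx; };
struct scan_result {
    struct client_stats clients[MAX_CLIENTS];
    int nclients;
    int flagged;    /* clients at or above the request threshold */
    int exposures;  /* hidden-path requests answered with a 2xx status */
};

/* True if any path segment starts with '.', ignoring "." and ".." and any query string. */
static bool is_hidden_path(const char *path) {
    for (const char *p = path; *p && *p != '?'; p++) {
        if (*p != '/') continue;
        const char *seg = p + 1;
        bool dot = seg[0] == '.' && seg[1] != '\0' && seg[1] != '/' && seg[1] != '?';
        bool dotdot = seg[0] == '.' && seg[1] == '.' &&
                      (seg[2] == '\0' || seg[2] == '/' || seg[2] == '?');
        if (dot && !dotdot) return true;
    }
    return false;
}

/* Parse: <ip> - - [time] "<method> <target> <proto>" <status> <bytes> */
static bool parse_line(const char *line, struct request *r) {
    if (sscanf(line, "%45s", r->ip) != 1) return false;
    const char *q1 = strchr(line, '"');
    const char *sp = q1 ? strchr(q1 + 1, ' ') : NULL;   /* after the method */
    const char *end = sp ? strchr(sp + 1, ' ') : NULL;  /* after the target */
    const char *q2 = end ? strchr(end, '"') : NULL;     /* closing quote */
    if (!q2) return false;
    size_t len = (size_t)(end - (sp + 1));
    if (len == 0 || len >= sizeof r->path) return false;
    memcpy(r->path, sp + 1, len);
    r->path[len] = '\0';
    r->status = atoi(q2 + 1);
    return true;
}

static struct client_stats *client_for(struct scan_result *res, const char *ip) {
    for (int i = 0; i < res->nclients; i++)
        if (strcmp(res->clients[i].ip, ip) == 0) return &res->clients[i];
    if (res->nclients == MAX_CLIENTS) return NULL;
    struct client_stats *c = &res->clients[res->nclients++];
    strcpy(c->ip, ip);  /* ip is at most 45 characters by construction */
    c->hidden_requests = c->hidden_2xx = 0;
    return c;
}

/* Count hidden-path requests per client; flag repeat offenders and served files. */
static struct scan_result scan_log(const char *const *lines, size_t n, int threshold) {
    struct scan_result res = {0};
    for (size_t i = 0; i < n; i++) {
        struct request r;
        if (!parse_line(lines[i], &r) || !is_hidden_path(r.path)) continue;
        struct client_stats *c = client_for(&res, r.ip);
        if (!c) continue;
        c->hidden_requests++;
        if (r.status / 100 == 2) { c->hidden_2xx++; res.exposures++; }
    }
    for (int i = 0; i < res.nclients; i++)
        if (res.clients[i].hidden_requests >= threshold) res.flagged++;
    return res;
}

static struct scan_result scan_sample(int threshold) {
    return scan_log(SAMPLE_LOG, SAMPLE_LOG_LEN, threshold);
}

int main(void) {
    struct scan_result res = scan_sample(2);
    for (int i = 0; i < res.nclients; i++)
        printf("%-15s hidden-path requests=%d served(2xx)=%d\n", res.clients[i].ip,
               res.clients[i].hidden_requests, res.clients[i].hidden_2xx);
    printf("flagged clients=%d, hidden files actually served=%d\n", res.flagged, res.exposures);
    return 0;
}
```

A non-zero exposures count is the finding to act on first: it means the web server is serving a dot-directory and the "block hidden files in web server configs" step above has not been applied, so any credentials in that repository should be treated as exposed and rotated.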


CISA Adds Broadcom Brocade Fabric OS Flaw to Known Exploited Vulnerabilities List


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent security advisory after adding a critical Broadcom Brocade Fabric OS vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.

The flaw, tracked as CVE-2025-1976, affects Broadcom’s widely deployed Brocade Fabric OS and has drawn increased concern from government and enterprise security teams due to its potential impact.

CVE-2025-1976: Overview and Technical Details

CVE-2025-1976 describes a code injection vulnerability in Broadcom Brocade Fabric OS.

According to Broadcom and CISA, this flaw allows a local user with administrative privileges to inject and execute arbitrary code with full root privileges.

The vulnerability is classified under the Common Weakness Enumeration as CWE-94: Improper Control of Generation of Code (‘Code Injection’), highlighting the risk of attackers gaining complete control over affected systems.

While there is currently no public evidence that this vulnerability is being actively used in ransomware or other cyberattack campaigns, CISA stresses the importance of immediate remediation.

The agency warns that vulnerabilities with characteristics like CVE-2025-1976, particularly those granting root-level access, are often rapidly adopted by threat actors once disclosed.

Broadcom Brocade Fabric OS is a foundational component in many data centers, underpinning the management of storage area networks (SANs) for global enterprises and critical infrastructure sectors.

A successful exploitation of this vulnerability could allow an attacker to modify network configurations, disrupt operations, or exfiltrate sensitive data.

Given that the attack requires administrative access, CISA notes that organizations with robust access controls are at lower risk, but attackers may leverage stolen credentials or exploit other vulnerabilities to reach the necessary privilege level.

CISA advises organizations to apply mitigations per vendor instructions without delay. Broadcom has released guidance for security teams to address the vulnerability.

In cases where mitigations are unavailable or cannot be applied, CISA recommends discontinuing the use of vulnerable versions of the product.

Additionally, federal agencies are instructed to follow the procedures outlined in Binding Operational Directive 22-01 (BOD 22-01) for cloud services and network security, ensuring swift action. The deadline for compliance is May 19, 2025.

CISA will continue to monitor the threat landscape for any evidence of exploitation, especially in ransomware operations.

The agency recommends all organizations, especially those in critical infrastructure, audit their systems for affected versions and prioritize timely patching.


CISA Issues Warning on Commvault Web Server Flaw Exploited in the Wild


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert concerning a newly disclosed security flaw in the Commvault Web Server.

This vulnerability, now tracked as CVE-2025-3928, could allow remote, authenticated attackers to gain unauthorized access to systems, raising concerns across organizations worldwide that use Commvault’s data protection solutions.

CVE-2025-3928: Unspecified Vulnerability Sparks Concern

The Commvault Web Server has been found to contain an unspecified vulnerability, enabling attackers with authenticated access to create and execute webshells on affected servers.

While detailed technical information remains limited, experts warn that exploitation could lead to full system compromise, including unauthorized access, data theft, or deploying additional malicious payloads.

One of the more alarming factors is that the attack does not require privileged administrative rights; instead, any authenticated remote user could potentially leverage the flaw.

Currently, there is no public evidence linking this vulnerability to active ransomware campaigns, but the possibility cannot be ruled out, especially given the nature of webshell attacks historically tied to ransomware operators.

On April 28, 2025, CISA added CVE-2025-3928 to its Known Exploited Vulnerabilities (KEV) catalog, urging rapid action from federal and private sector organizations.

The agency’s advisory underscores the severity of the threat, emphasizing the need for immediate remediation.

CISA’s recommended actions are as follows:

  • Apply Vendor Mitigations: Organizations should implement patches or workaround instructions provided by Commvault as soon as they become available. Regularly check for updates to vendor advisories.
  • Follow Applicable Guidance: Agencies and businesses should adhere to Binding Operational Directive (BOD) 22-01 for cloud services, ensuring security protocols and monitoring are up to date.
  • Discontinue Use if Unpatched: If mitigations or patches are unavailable, CISA recommends discontinuing use of the vulnerable Commvault Web Server to avoid risk until a fix is implemented.

The deadline for addressing this vulnerability is May 17, 2025. CISA has highlighted that failure to act within this timeframe could expose networks to a significant risk of compromise.

Commvault, a leading provider of enterprise backup and recovery solutions, is reportedly working on a patch and has urged its customers to monitor official channels for updates.

In the interim, users are advised to audit system access, monitor for indicators of compromise, and strengthen security controls around the Commvault environment.

Security analysts warn that as attackers move quickly to exploit newly disclosed flaws, immediate action is paramount.

Organizations should prioritize this vulnerability in their patching cycles and review system logs for suspicious activity.
