Aggregator

A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. Affected by this issue is the function H5F_addr_encode_len of the file src/H5Fint.c. The manipulation of the argument pp leads to heap-based buffer overflow. This vulnerability is handled as CVE-2025-2923. Attacking locally is a requirement. Furthermore, there is an exploit available.

Palo Alto, USA, 28th March 2025, CyberNewsWire

The post SquareX Discloses Browser-Native Ransomware that Puts Millions at Risk appeared first on Security Boulevard.

CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands: 

• Create a web shell, manipulate integrity checks, and modify files. 

• Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions. 

• Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image. 

RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.  

For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.

For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML.

CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282: 

• For the highest level of confidence, conduct a factory reset.
  • For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device. 

• See Ivanti’s Recommended Recovery Steps for more information, including how to conduct a factory reset. 

• Reset credentials of privileged and non-privileged accounts.  

• Reset passwords for all domain users and all local accounts, such as Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account is responsible for handling Kerberos ticket requests as well as encrypting and signing them. The krbtgt account should be reset twice because the account has a two-password history. The first account reset for the krbtgt needs to be allowed to replicate prior to the second reset to avoid any issues. See CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise for more information. Although tailored to Federal Civilian Executive Branch (FCEB) agencies compromised in the 2020 SolarWinds Orion supply chain compromise, the steps are applicable to organizations with Windows AD compromise. 

• Review access policies to temporarily revoke privileges/access for affected devices. If it is necessary to not alert the attacker (e.g., for intelligence purposes), then privileges can be reduced for affected accounts/devices to “contain” them. 

• Reset the relevant account credentials or access keys if the investigation finds the threat actor’s access is limited to non-elevated permissions. 

• Monitor related accounts, especially administrative accounts, for any further signs of unauthorized access. 

Organizations should report incidents and anomalous activity related to information found in the malware analysis report to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870. Malware submissions can be made directly to Malware Nextgen at https://malware.cisa.gov. 

See the following resources for more guidance: 

• Ivanti: Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283) 

Expert speakers discussed the impact of reported cutbacks to CISA on the ability of local officials to protect against surging cyber-attacks on US election infrastructure

Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader.  "The purpose of the malware is to download and execute second-stage payloads while evading

Submit #521246 / VDB-301901

Submit #521193 / VDB-301900

Submit #521170 / VDB-301899

Submit #521151 / VDB-301898

A vulnerability classified as problematic was found in Netis WF-2404 1.1.124EN. Affected by this vulnerability is an unknown functionality of the component BusyBox Shell. The manipulation leads to cleartext storage of sensitive information. This vulnerability is known as CVE-2025-2922. It is possible to launch the attack on the physical device. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in Netis WF-2404 1.1.124EN. Affected is an unknown function of the file /etc/passwd. The manipulation with the input Realtek leads to use of default password. This vulnerability is traded as CVE-2025-2921. It is possible to launch the attack on the physical device. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Netis WF-2404 1.1.124EN. It has been rated as problematic. This issue affects some unknown processing of the file /еtc/passwd. The manipulation leads to use of weak hash. The identification of this vulnerability is CVE-2025-2920. It is possible to launch the attack on the physical device. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Netis WF-2404 1.1.124EN. It has been declared as critical. This vulnerability affects unknown code of the component UART. The manipulation leads to hardware allows activation of test or debug logic at runtime. This vulnerability was named CVE-2025-2919. It is possible to launch the attack on the physical device. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

「责任越大，能力越强」的产品思路。

60 多岁的人，一直能做出让年轻人追逐的科技潮牌，靠的是什么？

Submit #521039 / VDB-301897

Submit #521038 / VDB-301896

Submit #521037 / VDB-301895

Submit #521036 / VDB-301894

A recent scoping review has revealed that red team tactics are becoming increasingly sophisticated as artificial intelligence (AI) technologies advance. The study, which analyzed 11 articles published between 2015 and 2023, identified a wide array of AI methods being employed in cyberattacks, including classification, regression, and clustering techniques. Among the most prominent AI methods utilized […]

The post Red Team Tactics Grow More Sophisticated with Advancements in Artificial Intelligence appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.