Aggregator

A vulnerability was found in Netgear WNR1000V4 up to 1.1.0.54 and classified as problematic. This issue affects some unknown processing of the file setup.cgi?todo=save_htp_account of the component Web Management Console. The manipulation as part of GET Request leads to cross-site request forgery. The identification of this vulnerability is CVE-2019-20487. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as problematic was found in WPForms Contact Form up to 1.5.8 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting (Stored). This vulnerability was named CVE-2020-10385. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Netgear WNR1000V4 1.1.0.54 and classified as problematic. This vulnerability affects unknown code of the file setup.cgi of the component Web Management Console. The manipulation leads to cross site scripting (Stored). This vulnerability was named CVE-2019-20486. The attack can be initiated remotely. There is no exploit available.

Moldovan authorities have detained a 45-year-old suspect linked to DoppelPaymer ransomware attacks targeting Dutch organizations in 2021. [...]

Сказал «алло» — и попал в реестр нетрезвых.

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update 194, packed with security enhancements, performance improvements, and new features to safeguard networks of all sizes. Renowned for its robust feature set, IPFire continues to deliver a secure, high-performance platform focused on usability and reliability. It’s been a month since […]

The post Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New! appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A vulnerability classified as critical has been found in quantumcloud AI ChatBot Plugin up to 5.3.4 on WordPress. This affects the function openai_file_list_callback. The manipulation leads to improper authorization. This vulnerability is uniquely identified as CVE-2024-0451. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as critical was found in quantumcloud AI ChatBot Plugin up to 5.3.4 on WordPress. This vulnerability affects the function openai_file_upload_callback. The manipulation leads to improper authorization. This vulnerability was named CVE-2024-0452. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in quantumcloud AI ChatBot Plugin up to 5.3.4 on WordPress. Affected is the function openai_file_delete_callback. The manipulation leads to improper authorization. This vulnerability is traded as CVE-2024-0453. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability has been found in Appleple A-Blog CMS up to 3.1.11 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to path traversal. This vulnerability is known as CVE-2024-31394. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Appleple A-Blog CMS up to 3.1.11 and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to code injection. This vulnerability is handled as CVE-2024-31396. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Appleple A-Blog CMS up to 3.1.11. It has been declared as problematic. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-30419. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in PHPJabbers Cleaning Business Software 1.0 and classified as problematic. This issue affects some unknown processing. The manipulation of the argument c_name/name leads to cross site scripting. The identification of this vulnerability is CVE-2023-51328. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in Freeebird Hotel 酒店管理系统 API up to 1.2. Affected by this issue is some unknown functionality of the file /src/main/java/cn/mafangui/hotel/tool/SessionInterceptor.java. The manipulation leads to permissive cross-domain policy with untrusted domains. This vulnerability is handled as CVE-2025-4542. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, was found in LyLme Spage 2.1. This affects an unknown part of the file lylme_spage/blob/master/admin/ajax_link.php. The manipulation of the argument sort leads to sql injection. This vulnerability is uniquely identified as CVE-2025-4543. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Secret Net он не сломал, но свою жизнь — почти да.

Google has agreed to a $1.375 billion settlement with the state of Texas over a 2022 lawsuit that alleged it had been collecting and using biometric data of millions of Texans without properly acquiring their consent. [...]

Following up on last year’s LOLDriver plugin, Tenable Research is releasing detection plugins for the top Remote Monitoring and Management (RMM) tools that attackers have been more frequently leveraging in victim environments.

Background

In August 2024, Tenable Research released a detection plugin for Nessus, Tenable Security Center and Tenable Vulnerability Management to help customers identify risky third-party Windows drivers utilized by attackers for privilege escalation on victim hosts. As part of our continued research into living off the land (LOTL) tooling utilized by attackers, we’re releasing new detection plugins for popular Remote Monitoring and Management (RMM) applications.

Increased risk from RMM tools

IT operations and information security staff often need to remotely connect to machines dozens, perhaps even hundreds, of times per day to troubleshoot a problem or make a system function well. An administrator or support technician must reach a terminal on a server in a datacenter a continent away, or a user’s workstation in their home. As the role of the remote worker has dramatically expanded across organizations over the last 20 years, it has led to the introduction of RMM products in enterprise environments.

The architecture of these products is fairly straightforward: a listener on the user’s machine, often referred to as an agent, host, or server, and an application to connect to, and control, the machine, often referred to as a viewer or client. In many cases this connection is facilitated by a proxy system, which maintains an inventory of the available machines in the environment, allowing an administrator to select one from a list, use stored credentials and track the health of the listeners. This proxy system might be on-premises, in the cloud, or hosted by the RMM vendor as a SaaS application.

Source: Tenable, May 2025

While these tools may sound handy, attackers also know that these tools are present. They can use them for direct graphical control of a victim’s machines, often at a privilege level that is elevated by design. So, how do attackers get their hands on such a valuable resource?

Attack scenarios for RMM tools

There are several ways an attacker can obtain access to an organization’s RMM tools:

• Credential reuse. The attacker steals credentials belonging to a privileged user, either through social engineering, theft from the user’s workstation or control of an identity service. These credentials are used to authenticate to the RMM central service or to simply connect directly to a listener.
• Exploitation of a vulnerability in the RMM product. Many RMM applications have highly publicized vulnerabilities that allow elevation of privilege or remote code execution.
• Elevation of privilege. An attacker may gain control of a workstation or server used by an administrator and launch the RMM client application from there using the legitimate access of that administrator.

And, of course, attackers with sufficient privileges can simply deploy a RMM tool of their choice on a compromised asset, allowing them to achieve persistence and remote command and control. The nature of modern RMM tool design allows attackers, in some cases, to do monitor and control an asset without formally installing a software package, which might trigger an alert to the organization’s security team.

Defensive strategies for unauthorized RMM tool use

A mature security program will update the organization’s protective, monitoring and response approach to address the risk presented by RMM tools. Some of these strategies include:

• Selecting an authorized RMM product or suite for the organization. This will allow security teams that inventory software on their assets to quickly spot the use of unauthorized RMM tools, which might have been introduced by an attacker.
• Auditing the use of the authorized RMM product. Have administrators that use the tools regularly review reports of sessions performed to ensure no unauthorized activity has occurred. Investigate these unauthorized sessions as soon as possible after detection.
• Reviewing network traffic between assets (especially remote assets) and the internet. Identify connections to known RMM tool websites, e.g., downloading of the tools or access to a proxy or management site.
• Scanning the environment to look for listening services. This strategy can be used to identify services belonging to RMM tools.

How can Tenable customers mitigate the risk of RMM tools?

Tenable has several existing plugins that can detect several different varieties of RMM tools. These include:

• Intelligent Platform Management Interface (IPMI) tools like iDRAC, iLO, ILOM and CIMC, as well as broader detection for any service running the IPMI protocol
• Systems management suites like Microsoft Configuration Manager, BigFix, Altiris, Tanium, LanDesk / Ivanti EM, Workspace ONE UEM / AirWatch, ManageEngine Endpoint Central and JAMF.
• Collaboration tools (yes, attackers use these, too) like Zoom, Teams and WebEx.

Tenable is also releasing a number of Nessus plugins to detect many commonly used commercial and open source RMM or Remote Access Tool products:

Product Plugins TeamViewer 52715, 206009 105111,121245 RemotePC 232745, 232746, 232747 Pritunl 232836, 232837, 232838, 232839 Google Chrome Remote Desktop 232692, 232693, 232694 Duet Display 232296, 232295 Connectwise ScreenConnect 192391, 190883, 190894 Apache Guacamole 232291 JumpDesktop 232297, 232298 TSplus Remote Access 232591 AnyViewer 232316, 232315 Parsec Remote Access 232649, 232651, 232650, VNC Connect 232582, 232580, 232581 Termius 232292, 232293, 232294 LogMeIn 232654, 122754 GoodAccess 233552, 233553, 233554 ISL Light 232853, 232854, 232855 OpenVPN 154346, 191048, 125356, 56022, 107073, 232856, 232857 NoMachine Remote Access 233323, 233324, 233325 RustDesk Remote Desktop 233292, 233291, 233288, 233289, 233290 Remote Utilities 233555, 233556, 233557 WinGate 234718 AirDroid 233774, 233775, 233776 AnyDesk 189953, 189955, 189973

There are also Nessus Web App Scanning plugins for many of these applications, which can help detect the applications’ web UI when detecting the service locally isn’t an option.

A new scan template, Remote Monitoring and Management, has been created in Tenable Nessus to check for this set of RMM products. Customers can use the scan template to ensure that the instances they find are authorized for use in the organization. It is strongly recommended to scan with credentials, so that more exhaustive searches for these products can be performed.

Future development

IT operations and support teams will continue to rely on RMM tools for productivity benefits even as attackers increasingly exploit them. Tenable anticipates that new RMM solutions will emerge and major systems management suites will further integrate remote-control capabilities directly into their platforms.

Meanwhile, vulnerability and threat intelligence researchers will keep their focus on the tools, identifying weaknesses and opportunities for exploitation as well as attacker-usage of such tools. As additional vulnerabilities are discovered and new threat intelligence reports reveal usage of new and existing tools, Tenable plans to publish detection and vulnerability plugins to find them. Given this growing space, organizations must remain vigilant, ensuring continuous monitoring, timely patching and strong security practices around RMM tools.

The post Detecting Remote Monitoring and Management Tools Used by Attackers appeared first on Security Boulevard.

Authors/Presenters: Krity Kharbanda, Harini Ramprasad

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – Proving Ground – Demystifying SBOMs: Strengthening Cybersecurity Defenses appeared first on Security Boulevard.

The criminal proxy network infected thousands of IoT and end-of-life devices, creating dangerous botnet