Aggregator

Researcher Found Unsecured Database Server Containing 1,864 GB of OrthoMinds' Data
An orthodontic practice software vendor is notifying an undisclosed number of patients that their data was exposed to the internet for 10 days last November. The security researcher who discovered the data leak said the incident appears to have lasted longer and affected more than 200,000 patients.

UAT-5918 Breaches Taiwan's Critical Sectors Using N-Day Flaws for Cyberespionage
Hackers with ties to China-based hacking groups including Volt Typhoon are breaching Taiwan's critical infrastructure by exploiting unpatched web and application servers as entry points for a cyberespionage campaign. Cisco Talos threat hunters identified the new threat actor as UAT-5918.

Dave DeWalt's NightDragon and HSBC to Back New Product Rollouts and Global Growth
Dataminr received $85 million in convertible pre-IPO funding from Dave DeWalt’s NightDragon and HSBC. The investment will support the rollout of context agents and pre-generative AI capabilities, and enable the company to scale internationally ahead of its planned initial public offering.

IntroductionCVE-2025-24813 was originally published on March 10 with a medium severity score of 5.5, and Apache Tomcat released an update to fix it. On March 12, the first attack was detected in Poland by Wallarm researchers, even before a Proof-of-Concept (PoC) was made public. After the PoC was released on March 13 on GitHub and gained attention, the NVD raised the severity score to 9.8 (critical) on March 18.The vulnerability stems from a path equivalence issue where files containing an internal dot (e.g. file.Name) can lead to remote code execution (RCE), information disclosure, or malicious content injection if uploaded via a write-enabled default servlet in Apache Tomcat. Exploiting this vulnerability could allow attackers to take control of compromised servers, access sensitive data, and disrupt normal operations for an organization.RecommendationsZscaler ThreatLabz recommends users on Apache Tomcat software, upgrade to any of the following versions to avoid this vulnerability:Apache Tomcat 11.0.3 or laterApache Tomcat 10.1.35 or laterApache Tomcat 9.0.99 or laterAffected VersionsThe following versions of Apache Tomcat are affected by the vulnerability and should be updated immediately: Apache Tomcat 11.0.0-M1 to 11.0.2Apache Tomcat 10.1.0-M1 to 10.1.34Apache Tomcat 9.0.0-M1 to 9.0.98BackgroundApache Tomcat is an open-source, widely used Java-based web server and servlet container developed by the Apache Software Foundation. It serves as a platform for deploying web applications that use Java Servlets and JavaServer Pages (JSP).Threat actors have been observed attempting to exploit CVE-2025-24813 in the wild. No authentication is required for exploitation, and attackers can use Base-64 encoded payloads to avoid detection by traditional security systems. However, successful exploitation relies on specific configurations within the victim’s environment.Criteria for Assessing VulnerabilityYour environment is only vulnerable if ALL of the following conditions are true:For the DefaultServlet to allow PUT requests, the readonly parameter in conf/web.xml must be changed to false, as it is set to true by default.The server must have Partial PUT requests enabled, which is typically on by default, allowing attackers to manipulate uploaded files.Tomcat needs to be configured to use file-based session storage, which is not enabled by default, with session files saved in the standard storage location.The application must include deserialization libraries that are vulnerable and can be exploited during an attack.How It WorksAssuming all the conditions in the section above are true, the exploit process involves two steps, as shown in the figure below.Figure 1: Attack chain depicting an attacker exploiting CVE-2025-24813.Step 1: Uploading malicious files The attacker sends a PUT request to the vulnerable server to upload a malicious Java payload file as a session entry. This file is then stored in Tomcat’s session storage directory, waiting to be deserialized. The PUT request is shown in the figure below.Figure 2: Malicious PUT request that uploads the payload to the Apache Tomcat server.Step 2: Triggering deserialization The attacker sends a GET request with a specially crafted JSESSIONID cookie pointing to the uploaded session file. During deserialization, the malicious Java code executes, allowing the attacker to steal sensitive data and execute arbitrary commands on the server.The GET request and special session cookie can be seen in the figure below.Figure 3: GET request with JSESSIONID session cookie that triggers CVE-2025-24813.The rce command in the initial PUT request is executed, as shown in the figure below.Figure 4: RCE command from malformed request is executed.ConclusionTo protect against CVE-2025-24813, update Apache Tomcat systems to versions 11.0.3 or later, 10.1.35 or later, or 9.0.99 or later. Failure to upgrade increases the risk of exploitation, potentially allowing attackers to upload malicious session files and achieve RCE on compromised servers. Zscaler CoverageThe Zscaler ThreatLabz team has deployed protection for CVE-2025-24813.Zscaler Private Access AppProtection6000004: Remote Command Execution: Unix Command Injection944250: Remote Command Execution: Suspicious Java method detected944110: Remote Command Execution: Java Process SpawnDetails related to these signatures can be found in the Zscaler Threat Library.

The post CVE-2025-24813: Apache Tomcat Vulnerable to RCE Attacks appeared first on Security Boulevard.

Major cybersecurity breaches continue to plague the US healthcare industry, and on December 27, 2024, the U.S. Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking (NPRM) to amend the HIPAA Security Rule, titled "The HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information". Comments were requested and over 4000 were received before the comment period ended on March 7 2025. This blog summarizes what the comments covered - and what comes next.

The post HIPAA Security Rule Amendment: Key Public Comments and Next Steps appeared first on Security Boulevard.

What Do You Mean, Hospital-Targeting Sociopath Ransomware Wielders Continue to Lie?
A ransomware group reusing the Babuk ransomware brand claims to have stolen data from the likes of Amazon, Delta and US Bank. Just one problem: Security experts found a startling overlap between its claimed victims and previous attacks scored by the likes of Clop, LockBit and RansomHub.

Supposed Taiwanese State Hackers Unmasked by China's Ministry of State Security
Nothing beats messing with your adversaries' heads than taking a page from their psychological operations playbook. Witness China's Ministry of State Security unmasking four Taiwanese government hackers in a move borrowed from the U.S. government's playbook.

Google Aims to Match Microsoft Defender With $32B Buy of Wiz's Cloud Security Tech
Google's plan to buy cloud security firm Wiz for $32 billion highlights its drive to compete with Microsoft Defender and expand multi-cloud protection, and will put pressure on AWS to respond. Forrester Analyst Andras Cser says Wiz will likely remain independent for now, easing integration hurdles.

Open Power AI Consortium Members Include Nvidia and Microsoft
Tech giants and utility providers on Thursday formed an alliance to harness artificial intelligence for a more resilient power grid. More than two dozen organizations are participating in the Open Power AI Consortium led by the Electric Power Research Institute.

Researcher Found Unsecured Database Server Containing 1,864 GB of OrthoMinds' Data
An orthodontic practice software vendor is notifying an undisclosed number of patients that their data was exposed to the internet for 10 days last November. The security researcher who discovered the data leak said the incident appears to have lasted longer and affected more than 200,000 patients.

UAT-5918 Breaches Taiwan's Critical Sectors Using N-Day Flaws for Cyberespionage
Hackers with ties to China-based hacking groups including Volt Typhoon are breaching Taiwan's critical infrastructure by exploiting unpatched web and application servers as entry points for a cyberespionage campaign. Cisco Talos threat hunters identified the new threat actor as UAT-5918.

Could Your Legacy IAM Be The Achilles Heel of Your Cybersecurity? When security breaches and data leaks proliferate, organizations grapple with the rising challenge of protecting their digital assets. This is particularly true for organizations with legacy Identity and Access Management (IAM) systems. While these systems have served us well in the past, could they […]

The post How can legacy IAM systems be updated to support NHIs? appeared first on Entro.

The post How can legacy IAM systems be updated to support NHIs? appeared first on Security Boulevard.

How Vital is the Role of Non-Human Identities in Identity and Access Management (IAM)? Have you ever wondered how digital machinery and applications gain access to our systems? The answer lies in Non-Human Identities (NHIs), a critical, yet often overlooked aspect of Identity and Access Management (IAM). But how significant is the role of NHIs […]

The post What role do NHIs play in modern identity and access management? appeared first on Entro.

The post What role do NHIs play in modern identity and access management? appeared first on Security Boulevard.

Is Your IAM System Adequately Protecting Non-Human Identities? Non-Human Identities (NHIs) are one such intricacy that has increasingly made its way into IAM (Identity Access Management) systems. However, the question remains: How do we ensure secure authentication for NHIs in an IAM system? Peeling Back the Layers of NHI NHIs, essentially, are machine identities used […]

The post How do I ensure secure authentication for NHIs in an IAM system? appeared first on Entro.

The post How do I ensure secure authentication for NHIs in an IAM system? appeared first on Security Boulevard.

A vulnerability was found in Concept Intermedia SAM CMS up to 3.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-3801. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in OpenPLC up to 9cd8f1b. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Profile Picture Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2024-37741. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in Floating Social Buttons Plugin up to 1.5 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2024-6405. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as problematic was found in scidsg hushline. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-38521. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Events Manager Plugin up to 6.4.8 on WordPress and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. This vulnerability is known as CVE-2024-5889. The attack can be launched remotely. There is no exploit available.