Aggregator
PickleScan 0-Day Vulnerabilities Enable Arbitrary Code Execution via Malicious PyTorch Models
Multiple critical zero-day vulnerabilities have been found in PickleScan, a popular open-source tool used to scan machine learning models for malicious code. PickleScan is widely used in the AI world, including by Hugging Face, to check PyTorch models saved with Python’s pickle format. Pickle is flexible but dangerous, because loading a pickle file can run arbitrary Python code. That means a model […]
The post PickleScan 0-Day Vulnerabilities Enable Arbitrary Code Execution via Malicious PyTorch Models appeared first on Cyber Security News.
Better late than never. Microsoft quietly closed a vulnerability that was used to spy on diplomats for 8 years
Newly Sold Albiriox Android Malware Targets Banks and Crypto Holders
Starting at 6,799 yuan, Insta360's first drone is here! 360-degree panoramic technology explores the drone industry's "blind spot"
Max-severity vulnerability in React, Node.js patched, update ASAP (CVE-2025-55182)
A critical vulnerability (CVE-2025-55182) in React Server Components (RSC) may allow unauthenticated attackers to achieve remote code execution on the application server, the React development team warned on Wednesday. The maximum-severity vulnerability was privately reported by Lachlan Davidson and has been fixed. At this moment, there are no public reports of it being exploited by attackers and no confirmed public PoC exploits (for now). Nevertheless, affected users have been advised to upgrade to a non-vulnerable …
The post Max-severity vulnerability in React, Node.js patched, update ASAP (CVE-2025-55182) appeared first on Help Net Security.
When one aircraft costs more than an entire country's GDP: the most expensive fighter jets in human history
Lynx
[Vulnerability Advisory] React/Next.js Remote Command Execution Vulnerability CVE-2025-55182/CVE-2025-66478
CISA Releases Nine Industrial Control Systems Advisories
CISA released nine Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-25-338-01 Mitsubishi Electric GX Works2
- ICSA-25-338-02 MAXHUB Pivot
- ICSA-25-338-03 Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace
- ICSA-25-338-04 Johnson Controls iSTAR
- ICSA-25-338-05 Sunbird DCIM dcTrack and Power IQ
- ICSA-25-338-06 SolisCloud Monitoring Platform
- ICSA-25-338-07 Advantech iView
- ICSA-25-148-03 Consilium Safety CS5000 Fire Panel (Update A)
- ICSA-25-219-02 Johnson Controls FX Server, FX80 and FX90 (Update A)
CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.
PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of ongoing intrusions by People’s Republic of China (PRC) state-sponsored cyber actors using BRICKSTORM malware for long-term persistence on victim systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere [1][2] and Windows environments [3]. Victim organizations are primarily in the Government Services and Facilities and Information Technology Sectors. BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command and control. The malware employs advanced functionality, including multiple layers of encryption (e.g., HTTPS, WebSockets, and nested TLS), DNS-over-HTTPS (DoH) to conceal communications, and a SOCKS proxy to facilitate lateral movement and tunneling within victim networks. BRICKSTORM also incorporates long-term persistence mechanisms, such as a self-monitoring function that automatically reinstalls or restarts the malware if disrupted, ensuring its continued operation.
The initial access vector varies. In one confirmed compromise, PRC state-sponsored cyber actors accessed a web server inside the organization’s demilitarized zone (DMZ), moved laterally to an internal VMware vCenter server, then implanted BRICKSTORM malware. See CISA, the National Security Agency, and Canadian Cyber Security Centre’s (Cyber Centre’s) joint Malware Analysis Report (MAR) BRICKSTORM Backdoor for analysis of the BRICKSTORM sample CISA obtained during an incident response engagement for this victim. The MAR also discusses seven additional BRICKSTORM samples, which exhibit variations in functionality and capabilities, further highlighting the complexity and adaptability of this malware.
After obtaining access to victim systems, PRC state-sponsored cyber actors obtain and use legitimate credentials by performing system backups or capturing Active Directory database information to exfiltrate sensitive information. Cyber actors then target VMware vSphere platforms to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden rogue VMs to evade detection.
CISA recommends that network defenders hunt for existing intrusions and mitigate further compromise by taking the following actions:
- Scan for BRICKSTORM using CISA-created YARA and Sigma rules; see joint MAR BRICKSTORM Backdoor.
- Block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic to reduce unmonitored communications.
- Take inventory of all network edge devices and monitor for any suspicious network connectivity originating from these devices.
- Ensure proper network segmentation that restricts network traffic from the DMZ to the internal network.
See joint MAR BRICKSTORM Backdoor for additional detection resources. If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.
Disclaimer: The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
Notes
[1] Matt Lin et al., “Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies,” Google Cloud Blog, April 4, 2024, https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement.
[2] Maxime, “NVISO analyzes BRICKSTORM espionage backdoor,” NVISO, April 15, 2025, https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor.
[3] Sarah Yoder et al., “Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors,” Google Cloud Blog, September 24, 2025, https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign.
ThreatsDay Bulletin: Wi-Fi Hack, npm Worm, DeFi Theft, Phishing Blasts, and 15 More Stories
Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme
Editor’s note: This work is a collaboration between Mauro Eldritch from BCA LTD, a company dedicated to threat intelligence and hunting, Heiner García from NorthScan, a threat intelligence initiative uncovering North Korean IT worker infiltration, and ANY.RUN, the leading company in malware analysis and threat intelligence. The article was written by Mauro and Heiner. In this article, we’ll uncover an entire North Korean infiltration operation aimed […]
The post Smile, You’re on Camera: A Live Stream from Inside Lazarus Group’s IT Workers Scheme appeared first on ANY.RUN's Cybersecurity Blog.