Firefox developers reported CVE-2025-2857, a sandbox vulnerability similar to a zero-day reported this week in Google Chrome.

https://therecord.media/firefox-sandbox-vulnerability-similar-chrome-zero-day

#Firefox に深刻なサンドボックス脱出 #脆弱性 Windows版に限定し修正版を緊急公開 - Reinforz

FirefoxとChromeを繋ぐ脅威の系譜と国家を巻き込む標的型攻撃. 今回のCVE-2025-2857が注目を集める理由のひとつは、Google Chromeのゼロデイ脆弱性「CVE-2025 ...

https://reinforz.co.jp/bizmedia/76890/

The root cause of the Chrome 0-day logical vulnerability CVE-2025-2783, which we discovered used in attacks with sophisticated malware, also affects the Firefox! New CVE-2025-2857 has just been fixed in Firefox 136.0.4 https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/

malicious npm packages (again) targeting cryptocurrency projects, CEOs cranky over CVEs, and BlackLock gets pantsed - here's your Friday wrap up in Infosec News 👇

🔗 https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne/

Here's a quick rundown of what's inside:

📦 npm Package Nightmare: 10 packages compromised by an infostealer campaign targeting developer environments. Sensitive data was siphoned off to a remote host. Most of the packages are still available on npm, so be careful!
🦊 Firefox Flaw: A critical sandbox escape vulnerability (CVE-2025-2857) patched in Firefox 136.0.4. Windows users, update ASAP! This one's similar to a Chrome zero-day used in espionage campaigns.
🏥 Ransomware Reckoning: Advanced, a UK healthcare IT provider, slapped with a £3.1 million fine after a LockBit ransomware attack. Lack of vulnerability scanning and poor patch management were key factors.
🌐 Extension Exploitation: Browser extensions can be bought and repurposed, posing a sneaky threat to enterprises. An extension was bought for $50 and was quickly repurposed to redirect traffic.
⚡ Solar Scare: Dozens of vulnerabilities in solar inverters could let attackers disrupt power grids. Remote code execution, device takeover, and more are possible.
😠 CrushFTP Clash: CEO responds aggressively to VulnCheck after critical unauthenticated access vulnerability (CVE-2025-2825) is released. Vulnerability disclosure and patching processes need to be improved!
🕵️‍♀️ Pegasus in Serbia: Journalists targeted with Pegasus spyware, marking the third time in two years that Amnesty has found Pegasus deployed against Serbian civil society.
🤖 Mamont Malware: Russian authorities arrest three for developing the Mamont Android banking trojan. This malware steals financial data and spreads through Telegram.
🦹 Ransomware Reverse: Resecurity infiltrates the BlackLock ransomware gang, gathering intel to help victims. LFI vulnerability exploited, and data shared with authorities.

Stay vigilant out there, folks! 🛡️

#Cybersecurity #InfoSec #Vulnerability #Ransomware #Malware #npm #Firefox #Pegasus #SolarInverters #DataBreach #ThreatIntel #CyberThreats #SecurityNews #WebAppSec #ZeroDay #PatchManagement #infostealer #blacklock #crushftp #mamont

Nuova minaccia su Firefox e Chrome: scoperta un’altra falla critica, aggiornate subito!

Mozilla ha rilasciato aggiornamenti di sicurezza per correggere una vulnerabilità critica che ha interessato il browser Firefox su Windows. Questo intervento arriva pochi giorni dopo che Google ha risolto una falla simile su Chrome, precedentemente sfruttata attivamente come zero-day.

Un attacco riuscito potrebbe consentire a un processo figlio compromesso di ottenere privilegi elevati dal processo principale, determinando l’uscita dalla sandbox. La vulnerabilità, che ha interessato sia Firefox che Firefox ESR, è stata risolta con le versioni Firefox 136.0.4, Firefox ESR 115.21.1 e Firefox ESR 128.8.1.

Al momento, non ci sono evidenze di exploit attivi della CVE-2025-2857.

La vulnerabilità, identificata come CVE-2025-2857, è stata descritta come un errore nella gestione dei permessi, il quale potrebbe portare a una fuga dalla sandbox di sicurezza.

“In seguito alla recente violazione della sandbox di Chrome (CVE-2025-2783), diversi sviluppatori di Firefox hanno individuato un problema analogo nel nostro sistema di comunicazione inter-processo (IPC)”, ha dichiarato Mozilla in un comunicato.

Anche il team del progetto Tor ha rilasciato un aggiornamento di sicurezza per Tor Browser (versione 14.0.8) per proteggere gli utenti Windows dalla stessa falla.

Nel frattempo, Google ha distribuito la versione 134.0.6998.177/.178 di Chrome per correggere CVE-2025-2783, che è stata sfruttata in attacchi mirati contro media, istituzioni accademiche e enti governativi in Russia.

la Cybersecurity and Infrastructure Security Agency (CISA) degli Stati Uniti ha aggiunto la falla al suo catalogo delle vulnerabilità note sfruttate (KEV), richiedendo alle agenzie federali di applicare le misure di mitigazione necessarie entro il 17 aprile 2025.

L'articolo Nuova minaccia su Firefox e Chrome: scoperta un’altra falla critica, aggiornate subito! proviene da il blog della sicurezza informatica.

#Google has released software updates to address a high-severity vulnerability in #Chrome that is being actively exploited

The vulnerability is tracked as CVE-2025-2783, and when exploited, allows an attacker to bypass Chrome's sandbox protections

Users are advised to patch ASAP

#cybersecurity #vulnerability

https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-exploited-in-espionage-campaign/

Patchez Google Chrome : cette faille zero-day est exploitée par une campagne d’espionnage https://www.it-connect.fr/google-chrome-faille-zero-day-est-exploitee-campagne-espionnage-cve-2025-2783/ #ActuCybersécurité #Cybersécurité #Vulnérabilité #Google

The root cause of the Chrome 0-day logical vulnerability CVE-2025-2783, which we discovered used in attacks with sophisticated malware, also affects the Firefox! New CVE-2025-2857 has just been fixed in Firefox 136.0.4 https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/

Nuova minaccia su Firefox e Chrome: scoperta un’altra falla critica, aggiornate subito!

Mozilla ha rilasciato aggiornamenti di sicurezza per correggere una vulnerabilità critica che ha interessato il browser Firefox su Windows. Questo intervento arriva pochi giorni dopo che Google ha risolto una falla simile su Chrome, precedentemente sfruttata attivamente come zero-day.

Un attacco riuscito potrebbe consentire a un processo figlio compromesso di ottenere privilegi elevati dal processo principale, determinando l’uscita dalla sandbox. La vulnerabilità, che ha interessato sia Firefox che Firefox ESR, è stata risolta con le versioni Firefox 136.0.4, Firefox ESR 115.21.1 e Firefox ESR 128.8.1.

Al momento, non ci sono evidenze di exploit attivi della CVE-2025-2857.

La vulnerabilità, identificata come CVE-2025-2857, è stata descritta come un errore nella gestione dei permessi, il quale potrebbe portare a una fuga dalla sandbox di sicurezza.

“In seguito alla recente violazione della sandbox di Chrome (CVE-2025-2783), diversi sviluppatori di Firefox hanno individuato un problema analogo nel nostro sistema di comunicazione inter-processo (IPC)”, ha dichiarato Mozilla in un comunicato.

Anche il team del progetto Tor ha rilasciato un aggiornamento di sicurezza per Tor Browser (versione 14.0.8) per proteggere gli utenti Windows dalla stessa falla.

Nel frattempo, Google ha distribuito la versione 134.0.6998.177/.178 di Chrome per correggere CVE-2025-2783, che è stata sfruttata in attacchi mirati contro media, istituzioni accademiche e enti governativi in Russia.

la Cybersecurity and Infrastructure Security Agency (CISA) degli Stati Uniti ha aggiunto la falla al suo catalogo delle vulnerabilità note sfruttate (KEV), richiedendo alle agenzie federali di applicare le misure di mitigazione necessarie entro il 17 aprile 2025.

L'articolo Nuova minaccia su Firefox e Chrome: scoperta un’altra falla critica, aggiornate subito! proviene da il blog della sicurezza informatica.

Seriously, EncryptHub isn't messing around! 🤯 They've jumped *right* on that Windows bug (CVE-2025-26633) that literally *just* got fixed. Talk about moving fast...

So, the exploit? It involves the Microsoft Management Console (MMC), those MSC files, and something called MUIPath. Sounds pretty techy, right? But basically, it's a clever workaround. EncryptHub crafts two MSC files – same name, one legit, one malicious. Windows doesn't double-check properly and ends up loading the nasty one. Boom! 💥

You see, as a pentester, I constantly witness attackers twisting legitimate system functions just like this. Your automated scanners? Yeah, they'll likely miss it completely. This kind of thing really needs hands-on analysis to catch. And yeah, updates are crucial, folks! Make sure you get CVE-2025-26633 patched ASAP. Oh, and those random MSI installers from sources you don't know? Big nope. Steer clear! ☝️

Have you run into attacks like this before? Or maybe you've got some other sneaky Windows tricks up your sleeve? Drop 'em in the comments!

#Pentest #Infosec #ZeroDay

(trendmicro.com) A Deep Dive into Water Gamayun's Arsenal and Infrastructure https://www.trendmicro.com/en_us/research/25/c/deep-dive-into-water-gamayun.html

Executive Summary:
This research provides a comprehensive analysis of Water Gamayun (also known as EncryptHub and Larva-208), a suspected Russian threat actor exploiting the MSC EvilTwin zero-day vulnerability (CVE-2025-26633) in Microsoft Management Console. The threat actor employs sophisticated delivery methods including malicious provisioning packages, signed MSI files, and Windows MSC files to deploy multiple custom payloads. Their arsenal includes custom backdoors (SilentPrism and DarkWisp), multiple variants of the EncryptHub Stealer, and known malware like Stealc and Rhadamanthys. The research details the C&C infrastructure, data exfiltration techniques, and persistence mechanisms used by the group. Trend Micro researchers gained access to the C&C server components, enabling them to analyze the architecture, functionality, and evasion techniques employed by the threat actor.

#Cybersecurity #ThreatIntel #PowerShell #DarkWisp #SilentPrism #APT #WaterGamayun #EncryptHub #Russia #Rhadamanthys

Fortinet published another CVE for a vuln from 2019. Just something to keep in mind when people blame Fortinet shops when they get popped by unpatched vulns.

https://nvd.nist.gov/vuln/detail/CVE-2019-16149

En las últimas 24 horas, una vulnerabilidad en CrushFTP y el malware 'SparrowDoor' de FamousSparrow amenazan la seguridad digital; además, un dominio de Microsoft Stream ha sido secuestrado para enviar spam. Evita riesgos revisando tus configuraciones y actualizaciones. Descubre estos y más detalles en el siguiente listado de noticias sobre seguridad informática:

🗞️ ÚLTIMAS NOTICIAS EN SEGURIDAD INFORMÁTICA 🔒
====| 🔥 LO QUE DEBES SABER HOY 28/03/25 📆 |====

🔒 CRUSHFTP AUTENTICACIÓN BYPASS: IOCs
La vulnerabilidad de bypass de autenticación en CrushFTP (CVE-2025-2825) podría permitir a los atacantes obtener acceso administrativo. Es crucial conocer los Indicadores de Compromiso (IoCs) relacionados con esta amenaza y probar la exposición utilizando NodeZero. ¡No olvides aplicar el parche ahora para proteger tu sistema! 👉 https://djar.co/yGYTw

🌐 HACKERS FAMOUSSPARROW DESPLIEGAN MALWARE MEJORADO EN ATACOS
Un grupo de ciberespionaje vinculado a China, conocido como 'FamousSparrow', ha sido observado usando una nueva versión de su puerta trasera característica 'SparrowDoor' para atacar a una organización comercial en EE.UU. Mantente alerta y actualiza tus defensas ante este tipo de amenazas. Descubre más aquí 👉 https://djar.co/c68w

⚠️ DOMINIO SECUESTRADO DE MICROSOFT STREAM ENVÍA SPAM A SITIOS SHAREPOINT
El dominio heredado de Microsoft Stream ha sido secuestrado para mostrar un sitio falso de Amazon que promociona un casino en Tailandia, lo que afecta a todos los sitios de SharePoint con videos antiguos incrustados. Asegúrate de revisar las configuraciones de tu dominio para evitar ser víctima de este tipo de ataques. Más información 👉 https://djar.co/c2ZXsF

🔍 ESTRATEGIA SHELBY: LABORATORIOS DE SEGURIDAD ELÁSTICA
Un análisis profundo del abuso de REF8685 en GitHub revela cómo los atacantes están utilizando esta técnica para establecer comunicaciones no autorizadas (C2) y evadir defensas. Conocer estas tácticas puede ayudarte a reforzar la seguridad de tus sistemas. Conoce más detalles aquí 👉 https://djar.co/BORI

🖥️ ACTUALIZACIONES RECIENTES DE WINDOWS SERVER 2025 CAUSAN CONGELAMIENTOS EN ESCRITORIO REMOTO
Microsoft ha confirmado que los sistemas de Windows Server 2025 están experimentando congelamientos de escritorio remoto tras instalar actualizaciones de seguridad desde febrero de 2025. Se recomienda a los administradores que evalúen el impacto de estas actualizaciones en sus entornos de trabajo. Infórmate mejor aquí 👉 https://djar.co/Btn2i

📶 DENTRO DE UN REPETIDOR FAKE DE WIFI
La proliferación de dispositivos electrónicos falsos es un fenómeno creciente. Este artículo explora los peligros asociados con dispositivos como repetidores de WiFi falsos y sus implicaciones para la seguridad personal y de red. Protege tus datos y equipos aprendiendo sobre este problema. Lee más aquí 👉 https://djar.co/nLx0u

🖼️ EL PELIGRO DE LAS FOTOS MANIPULADAS CON IA: ACOSO Y SUICIDIO
La difusión de fotos alteradas con inteligencia artificial se ha convertido en una grave amenaza para la salud mental y la privacidad de las personas. Es importante estar conscientes de las repercusiones y tomar medidas para protegerse y apoyar a quienes han sido afectados. Explora el tema aquí 👉 https://djar.co/NXGXEV

malicious npm packages (again) targeting cryptocurrency projects, CEOs cranky over CVEs, and BlackLock gets pantsed - here's your Friday wrap up in Infosec News 👇

🔗 https://opalsec.io/daily-news-update-friday-march-28-2025-australia-melbourne/

Here's a quick rundown of what's inside:

📦 npm Package Nightmare: 10 packages compromised by an infostealer campaign targeting developer environments. Sensitive data was siphoned off to a remote host. Most of the packages are still available on npm, so be careful!
🦊 Firefox Flaw: A critical sandbox escape vulnerability (CVE-2025-2857) patched in Firefox 136.0.4. Windows users, update ASAP! This one's similar to a Chrome zero-day used in espionage campaigns.
🏥 Ransomware Reckoning: Advanced, a UK healthcare IT provider, slapped with a £3.1 million fine after a LockBit ransomware attack. Lack of vulnerability scanning and poor patch management were key factors.
🌐 Extension Exploitation: Browser extensions can be bought and repurposed, posing a sneaky threat to enterprises. An extension was bought for $50 and was quickly repurposed to redirect traffic.
⚡ Solar Scare: Dozens of vulnerabilities in solar inverters could let attackers disrupt power grids. Remote code execution, device takeover, and more are possible.
😠 CrushFTP Clash: CEO responds aggressively to VulnCheck after critical unauthenticated access vulnerability (CVE-2025-2825) is released. Vulnerability disclosure and patching processes need to be improved!
🕵️‍♀️ Pegasus in Serbia: Journalists targeted with Pegasus spyware, marking the third time in two years that Amnesty has found Pegasus deployed against Serbian civil society.
🤖 Mamont Malware: Russian authorities arrest three for developing the Mamont Android banking trojan. This malware steals financial data and spreads through Telegram.
🦹 Ransomware Reverse: Resecurity infiltrates the BlackLock ransomware gang, gathering intel to help victims. LFI vulnerability exploited, and data shared with authorities.

Stay vigilant out there, folks! 🛡️

#Cybersecurity #InfoSec #Vulnerability #Ransomware #Malware #npm #Firefox #Pegasus #SolarInverters #DataBreach #ThreatIntel #CyberThreats #SecurityNews #WebAppSec #ZeroDay #PatchManagement #infostealer #blacklock #crushftp #mamont

This has been a busy month for Malcolm! I pushed hard to get v25.03.0 out earlier this month, as it contained pretty much just the Keycloak integration one of our partners (and major funding sources) was waiting for. Rather than wait until April for the other stuff that would have gone into the regular end-of-the-month release, I decided to pull those items into this smaller release just a week and a half after the last one.

Malcolm v25.03.1 contains a few enhancements, bug fixes, and several component version updates, including one that addresses a CVE that may affect Hedgehog Linux Kiosk mode and Malcolm's API container.

NOTE: If you have not already upgraded to v25.03.0, read the notes for v25.02.0 and v25.03.0 and follow the Read Before Upgrading instructions on those releases.

Changes in this release

• ✨ Features and enhancements
  • Incorporate new S7comm device identification log, s7comm_known_devices.log (#622)
  • Display current PCAP, Zeek, and Suricata capture results in Hedgehog Linux Kiosk mode (#566)
  • Keycloak authentication: configurable group or role membership restrictions for login (#633) (see Requiring user groups and realm roles)
  • Mark newly-discovered and uninventoried devices in logs during NetBox enrichment (#573)
  • Added "Apply recommended system tweaks automatically without asking for confirmation?" question to install.py to allow the user to accept changes to sysctl.conf, grub kernel parameters, etc., without having to answer "yes" to each one.
• ✅ Component version updates
  • Arkime to v5.6.2
  • evtx to v0.9.0
  • Fluent Bit to v3.2.10
  • gunicorn to v23.0.0 to address CVE-2024-6827, "Gunicorn HTTP Request/Response Smuggling vulnerability"
  • Zeek to v7.1.1
• 🐛 Bug fixes
  • Fix install.py error when answering yes to "Pull Malcolm images?" with podman (#604)
  • Order of user-provided tags from PCAP upload interface not preserved (#624)
• 📄 Configuration changes (in environment variables in ./config/) for Malcolm and in control_vars.conf for Hedgehog Linux
  • added NGINX_REQUIRE_GROUP and NGINX_REQUIRE_ROLE to auth-common.env to support Requiring user groups and realm roles for Keycloak authentication
• 🧹 Code and project maintenance
  • Ensure Malcolm's NetBox configuration Python scripts are baked into the image in addition to bind-mounting them in docker-compose.yml at runtime.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #OpenSearch #Elasticsearch #Suricata #SSO #OIDC #Keycloak #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL #DHS #CISA #CISAgov

Critical Kubernetes controller flaws: 4,000 IPs exposed, with patch urgency increasing due to code to exploit CVE-2025-1974 vulnerability being published https://www.databreachtoday.com/critical-kubernetes-controller-flaws-4000-ips-exposed-a-27868

Ingress-NGINX Kubernetes RCE

IngressNightmare vulnerability (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974)

We've released the #Netty incubator QUIC codec version 0.0.71.Final.
This fixes the CVE-2025-29908 hash collision DoS vulnerability.
Release notes: https://netty.io/news/2025/03/28/quic-0-0-71-Final.html

(recordedfuture.com) Apache Tomcat: Critical Path Equivalence Vulnerability (CVE-2025-24813) NOT (yet) under active exploitation

https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis

Insikt Group notes specifically that this vulnerability has not yet been observed as being actively exploited in the wild.

Summary:
This article details CVE-2025-24813, a critical path equivalence vulnerability in Apache Tomcat that allows unauthenticated remote code execution under specific conditions. The vulnerability affects multiple Tomcat versions (11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0-M1 to 9.0.98, and most 8.5.x versions). Greynoise has identified six malicious IP addresses attempting to exploit this vulnerability, targeting systems in the US, Japan, Mexico, South Korea, and Australia. Multiple proof-of-concept exploits have been published, increasing the risk of exploitation. Organizations are advised to upgrade to patched versions (11.0.3, 10.1.35, or 9.0.99) or implement network-level controls if immediate patching isn't possible.

#Cybersecurity #ThreatIntel #Tomcat #ActiveExploitation #ITW #Exploitation #Vulnerability #CVE202524813