Overview
Description
Statistics
- 7 Posts
- 26 Interactions
Fediverse

Unauthenticated SQL injection in GUI in FortiWeb - CVE-2025-25257
#vulnerabilitymanagement #cybersecurity #fortinet #vulnerability
https://vulnerability.circl.lu/vuln/CVE-2025-25257#comments

Critical alert: A pre-auth RCE exploit (CVE-2025-25257) targeting Fortinet FortiWeb is now public. Patch to 7.6.4+/7.4.8+ immediately or disable HTTP admin interfaces. Unpatched systems are at high risk. Details: https://redteamnews.com/red-team/cve/critical-pre-auth-rce-exploit-released-for-fortinet-fortiweb-patch-immediately/

Critical SQL Injection Flaw in FortiWeb: Urgent Patch Required
Fortinet's Latest Security Challenge Fortinet has disclosed a critical SQL injection vulnerability affecting its FortiWeb product, posing a significant risk to unpatched systems. The flaw, identified as CVE-2025-25257, carries a CVSS severity score of 9.6/10, making it one of the most serious vulnerabilities reported this year. This vulnerability allows unauthenticated attackers to execute arbitrary SQL…
https://undercodenews.com/critical-sql-injection-flaw-in-fortiweb-urgent-patch-required/

CVE-2025-25257: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector
PoC: https://github.com/watchtowrlabs/watchTowr-vs-FortiWeb-CVE-2025-25257

In a rare move, CISA gave federal agencies just one day to patch Citrix Netscaler bug CVE-2025-5777
Patch ASAP #CitrixBleed2 #2Citrix2Bloody
https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they've sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

Updated CitrixBleed2 scan results of vuln/not vuln
https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

Critical Flaw in Citrix NetScaler Exposes Enterprise Systems to Potential Exploits
Enterprises at Risk: A New Security Flaw Uncovered in Citrix NetScaler A dangerous new vulnerability has surfaced, targeting one of the most trusted tools in enterprise cybersecurity: Citrix NetScaler. Identified as CVE-2025-5777, this flaw compromises the integrity of Citrix NetScaler ADC and Gateway devices, platforms widely used for secure remote access and authentication services…

CitrixBleed 2: A Critical Threat Returns with CVE-2025-5777
A New Exploit Echoes an Old Danger In a major alert that echoes past cybersecurity alarms, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered vulnerability in Citrix NetScaler systems, CVE-2025-5777, nicknamed CitrixBleed 2, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, with a CVSS v4.0 Base Score of 9.3, is considered critical, enabling…
https://undercodenews.com/citrixbleed-2-a-critical-threat-returns-with-cve-2025-5777/

This Week in Security: Bitchat, CitrixBleed Part 2, Opossum, and TSAs
@jack is back with a weekend project. Yes, that Jack. [Jack Dorsey] spent last weekend learning about Bluetooth meshing, and built Bitchat, a BLE mesh encrypted messaging application. It uses X25519 for key exchange, and AES-GCM for message encryption. [Alex Radocea] took a look at the current state of the project, suspects it was vibe coded, and points out a glaring problem with the cryptography.
So let's take a quick look at the authentication and encryption layer of Bitchat. The whitepaper is useful, but still leaves out some of the important details, like how the identity key is tied to the encryption keys. The problem here is that it isn't.
Bitchat has, by necessity, a trust-on-first-use authentication model. There is intentionally no authentication central authority to verify the keys of any given user, and the application hasn't yet added an out-of-band authentication method, like scanning QR codes. Instead, it has a favorites system, where the user can mark a remote user as a favorite, and the app saves those keys forever. There isn't necessarily anything wrong with this approach, especially if users understand the limitations.
The other quirk is that Bitchat uses ephemeral keys for each chat session, in an effort to have some forward secrecy. In modern protocols, it's desirable to have some protection against a single compromised encryption key exposing all the messages in the chain. It appears that Bitchat accomplishes this by generating dedicated encryption keys for each new chat session. But those ephemeral keys aren't properly verified. In fact, they aren't verified by a user's identity key at all!
The attack then, is to send a private message to another user, present the public key of whoever you're trying to impersonate, and include new ephemeral encryption keys. Even if your target has this remote user marked as a favorite, the new encryption keys are trusted. So the victim thinks this is a conversation with a trusted person, and it's actually a conversation with an attacker. Not great.
Now when you read the write-up, you'll notice it ends with [Alex] opening an issue on the Bitchat GitHub repository, asking how to do security reports. The issue was closed without comment, and that's about the end of the write-up. It is worth pointing out that the issue has been re-opened, and updated with some guidance on how to report flaws.
Post-Quantum Scanning
There's a deadline coming. Depending on where you land on the quantum computing skepticism scale, it's either the end of cryptography as we know it, or a pipe dream that's always going to be about 10 years away. My suspicion happens to be that keeping qubits in sync is a hard problem in much the same way that factoring large numbers is a hard problem. But I don't recommend basing your cryptography on that hunch.
Governments around the world are less skeptical of the quantum computer future, and have set specific deadlines to migrate away from quantum-vulnerable algorithms. The issue here is that finding all those uses of "vulnerable" algorithms is quite the challenge. TLS, SSH, and many more protocols support a wide range of cryptography schemes, and only a few are considered Post Quantum Cryptography (PQC).
Anvil Secure has seen this issue, and released an Open Source tool to help. Pqcscan is a simple idea: Scan a list of targets and collect their supported cryptography via an SSH and TLS scan. At the end, the tool generates a simple report of how many of the endpoints support PQC. This sort of compliance is usually no fun, but having some decent tools certainly helps.
Citrixbleed 2
Citrix devices have a problem. Again. The nickname for this particular issue is CitrixBleed 2, which hearkens all the way back to Heartbleed. The "bleed" here refers to an attack that leaks little bits of memory to attackers. We know that it's related to an endpoint called doAuthentication.do.
The folks at Horizon3 have a bit more detail, and it's a memory management issue, where structures are left pointing to arbitrary memory locations. The important thing is that when an incomplete login message is received, the code leaks 127 bytes of memory at a time.
What makes this vulnerability particularly bad is that Citrix didn't share any signs of attempted exploitation. Researchers have evidence of this vulnerability being used in the wild back to July 1st. That's particularly a problem because the memory leak is capable of revealing session keys, allowing for further exploitation. Amazingly, in an email with Ars Technica, Citrix still refused to admit that the flaw was being used in the wild.
Opossum
We have a new TLS attack, and it's a really interesting approach. The Opossum Attack is a Man in the Middle (MitM) attack that takes advantage of opportunistic TLS. This TLS upgrade approach isn't widely seen outside of something like email protocols, where the StartTLS command is used. The important point here is that these connections allow a connection to be initiated using the plaintext protocol, and then upgrade to a TLS protocol.
The Opossum attack happens when an attacker in a MitM position intercepts a new TCP connection bound for a TLS-only port. The attacker then initiates a plaintext connection to that remote resource, using the opportunistic port. The attacker can then issue the command to start a TLS upgrade, and like an old-time telephone operator, patch the victim through to the opportunistic port with the session already in progress.
The good news is that this attack doesn't result in encryption compromise. The basic guarantees of TLS remain. The problem is that there is now a mismatch between exactly how the server and client expect the connection to behave. There is also some opportunity for the attacker to poison that connection before the TLS upgrade takes place.
TSAs
AMD has announced yet another new Transient Execution attack, the Transient Scheduler Attack. The AMD PDF has a bit of information about this new approach. The newly discovered leak primitive is the timing of CPU instructions, as instruction load timings may be affected by speculative execution.
The mitigation for this attack is similar to others. AMD recommends running the VERW instruction when transitioning between Kernel and user code. The information leakage is not between threads, and so far appears to be inaccessible from within a web browser, cutting down the real-world exploitability of this new speculative execution attack significantly.
Bits and Bytes
The majority of McDonald's franchises use the McHire platform for hiring employees, because of course it's called "McHire". This platform uses AI to help applicants work through the application process, but the issues found weren't prompt injection or anything to do with AI. In this case, it was a simple default username and password 123456:123456 that gave access to a test instance of the platform. No real personal data, but plenty of clues to how the system worked: an accessible API used a simple incrementing ID, and no authentication to protect data. So step backwards through all 64 million applications, and all that entered data was available to peruse. Yikes! The test credentials were pulled less than two hours after disclosure, which is an impressive turn-around to fix.
When you've been hit by a ransomware attack, it may seem like the criminals on the other side are untouchable. But once again, international law enforcement has made arrests of high-profile ransomware gangs. This time it's members of Scattered Spider that were arrested in the UK.
And finally, the MCP protocol is once again making security news. As quickly as the world of AI is changing, it's not terribly surprising that bugs and vulnerabilities are being discovered in this very new code. This time it's mcp-remote, which can be coerced to run arbitrary code when connecting to a malicious MCP server. Connect to server, pop calc.exe. Done.
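
The impersonation described in the Bitchat section above, played out in Go as an added example. This is not Bitchat's code: the Hello shape, the function names and the favorites check are assumptions chosen to show the one design point the write-up makes. Both variants use X25519 for the session key exchange; the only difference is whether the pinned Ed25519 identity key has to sign the ephemeral X25519 key before the session is accepted.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hello is the offer a peer sends when opening a private chat: the long-term identity key it claims,
// a fresh X25519 key for this session and, in the bound variant only, a signature tying the two together.
// (Assumed message shape for this example; not Bitchat's wire format.)
type Hello struct {
	IdentityPub  ed25519.PublicKey
	EphemeralPub []byte
	Sig          []byte // nil in the unbound variant
}

// newEph generates the per-session X25519 key; a failing rand.Reader is fatal for this demo.
func newEph() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// MakeHello offers eph under the claimed identity key. Only the holder of the matching private
// identity key can pass signer; an impersonator has to leave it nil.
func MakeHello(claimed ed25519.PublicKey, eph *ecdh.PrivateKey, signer ed25519.PrivateKey) Hello {
	h := Hello{IdentityPub: claimed, EphemeralPub: eph.PublicKey().Bytes()}
	if signer != nil {
		h.Sig = ed25519.Sign(signer, h.EphemeralPub)
	}
	return h
}

// AcceptUnbound is the favorites check as the write-up describes it: the claimed identity key must
// equal the pinned one, and the ephemeral key that arrives with it is simply trusted.
func AcceptUnbound(pinned ed25519.PublicKey, h Hello) bool {
	return pinned.Equal(h.IdentityPub)
}

// AcceptBound additionally demands that the ephemeral key is signed by the pinned identity key, so a
// session key can only be negotiated with someone who holds the identity's private half.
func AcceptBound(pinned ed25519.PublicKey, h Hello) bool {
	return pinned.Equal(h.IdentityPub) && ed25519.Verify(pinned, h.EphemeralPub, h.Sig)
}

// SessionKey derives the session key from our ephemeral private key and the peer's offered public one.
func SessionKey(mine *ecdh.PrivateKey, peerEph []byte) ([32]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerEph)
	if err != nil {
		return [32]byte{}, err
	}
	shared, err := mine.ECDH(peer)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(shared), nil // a plain hash stands in for whatever KDF the real protocol uses
}

// Outcome summarises one run of the impersonation against both acceptance policies.
type Outcome struct {
	UnboundAccepts, BoundAccepts bool // does Bob's favorites check let Mallory's forged Hello through?
	MalloryHoldsKey              bool // does Mallory end up with the key Bob thinks he shares with Alice?
	LegitimateAccepted           bool // control: Alice's own, signed Hello under the bound policy
}

// RunImpersonation plays the attack from the write-up: Bob has Alice's identity key pinned as a
// favorite; Mallory sends Bob a Hello that presents Alice's identity key with Mallory's own ephemeral key.
func RunImpersonation() (Outcome, error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	malloryEph, bobEph, aliceEph := newEph(), newEph(), newEph()
	forged := MakeHello(alicePub, malloryEph, nil) // Mallory cannot sign with Alice's private key
	bobKey, err := SessionKey(bobEph, forged.EphemeralPub)
	if err != nil {
		return Outcome{}, err
	}
	malloryKey, err := SessionKey(malloryEph, bobEph.PublicKey().Bytes())
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		UnboundAccepts:     AcceptUnbound(alicePub, forged),
		BoundAccepts:       AcceptBound(alicePub, forged),
		MalloryHoldsKey:    bobKey == malloryKey,
		LegitimateAccepted: AcceptBound(alicePub, MakeHello(alicePub, aliceEph, alicePriv)),
	}, nil
}

func main() {
	o, err := RunImpersonation()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Under the unbound policy the forged Hello is accepted and Mallory holds the very key Bob derived for "Alice"; under the bound policy the same Hello is rejected because nobody but Alice can sign Mallory's ephemeral key, while Alice's own signed offer still goes through. Pinning the identity key only helps if every session key is transitively authenticated by it.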

CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
[...] The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.

Critical CVE-2025-5777 Vulnerability in Citrix NetScaler ADC: What It Means for Your Security Posture
A New Threat Emerges in Enterprise VPN Infrastructure A newly disclosed security vulnerability, CVE-2025-5777, has sent waves through the cybersecurity landscape, especially among enterprises using Citrix NetScaler ADC and Gateway products. This flaw exposes organizations to serious risks tied to remote access and authentication tools, which are often at the core of…
Overview
- Sudo project
- Sudo

Just published a proof-of-concept exploit for CVE-2025-32463, a new Linux privilege escalation vulnerability affecting sudo discovered and disclosed by Stratascale about 2 weeks ago.
The PoC is available on GitHub. A full technical writeup will be published on my blog soon.
GitHub: https://github.com/morgenm/sudo-chroot-CVE-2025-32463
#CyberSecurity #ExploitDev #Linux #CVE #PrivilegeEscalation #Infosec #Exploit #Rust #PrivEsc
Overview
- ServiceNow
- Now Platform

Security experts warn: the new "Count(er) Strike" flaw (CVE-2025-3648) in #ServiceNow could let even low-privileged or anonymous users infer and steal sensitive table data. 85% of Fortune 500 firms may be at risk. Patch now & review your ACLs! Read more: https://www.techradar.com/pro/security/worrying-servicenow-security-flaw-could-let-hackers-steal-private-table-data #cybersecurity #infosec
#newz

ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs https://thehackernews.com/2025/07/servicenow-flaw-cve-2025-3648-could.html
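
The inference the two posts above warn about, shown as an added example rather than anything from ServiceNow or the researchers' write-up: a hypothetical count endpoint that honours a filter on a field the caller may not read, and returns nothing but the number of matching rows, is enough to pull the field out one character at a time. The table, the operator names "STARTSWITH" and "=", and the Oracle type are all constructed for the demo; the ACL question the articles raise is whether such an endpoint should evaluate a condition on a field the caller cannot read at all.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// row is one record in a constructed sample table; secret is the field the caller's ACL does not
// let them read, but which the count endpoint still evaluates filters against.
type row struct{ name, secret string }

var sampleTable = []row{
	{"alice", "c4a1"},
	{"bob", "c4a1"}, // repeated value: counts above one must be handled
	{"carol", "7fz"},
	{"dave", "7fzq"}, // one value is a prefix of another
}

// Oracle is the hypothetical count endpoint (an assumption for this example): it applies a filter to
// the table and returns only how many rows match. Calls counts queries so the cost is visible.
type Oracle struct {
	table []row
	Calls int
}

// Count applies op ("STARTSWITH" or "=") with value to the secret field and returns the match count.
func (o *Oracle) Count(op, value string) int {
	o.Calls++
	n := 0
	for _, r := range o.table {
		if (op == "=" && r.secret == value) || (op == "STARTSWITH" && strings.HasPrefix(r.secret, value)) {
			n++
		}
	}
	return n
}

// RecoverSecrets rebuilds every value of the protected field from counts alone: a prefix is extended
// one character at a time while some row still starts with it, and is emitted as a complete value as
// many times as the "=" count says. Descent stops once every row starting with the prefix is accounted for.
func RecoverSecrets(o *Oracle, alphabet string) []string {
	var found []string
	var walk func(prefix string)
	walk = func(prefix string) {
		exact := o.Count("=", prefix)
		for i := 0; i < exact; i++ {
			found = append(found, prefix)
		}
		if o.Count("STARTSWITH", prefix) == exact {
			return // nothing longer shares this prefix
		}
		for _, c := range alphabet {
			if next := prefix + string(c); o.Count("STARTSWITH", next) > 0 {
				walk(next)
			}
		}
	}
	walk("")
	sort.Strings(found)
	return found
}

func main() {
	o := &Oracle{table: sampleTable}
	secrets := RecoverSecrets(o, "0123456789abcdefghijklmnopqrstuvwxyz")
	fmt.Printf("recovered %v with %d count queries\n", secrets, o.Calls)
}
```

The cost is linear in the alphabet per recovered character, not exponential in the value length, which is why a count that leaks "at least one row matches" is a data-exposure primitive and not merely a statistics endpoint. The fix on the ACL side is to refuse, or ignore, conditions on fields the caller cannot read, rather than to rate-limit the counts.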
Overview
- Juniper Networks
- Juniper Security Director

CVE-2025-52950 (CRITICAL, CVSS 9.6): Juniper Security Director 24.4.1 has a missing authorization flaw letting unauthenticated attackers read/tamper with sensitive resources via the web UI. Patch ASAP, restrict access, and monitor logs! https://radar.offseq.com/threat/cve-2025-52950-cwe-862-missing-authorization-in-ju-cd4c5f5d #OffSeq #Juniper #CVE202552950 #Infosec
Overview
- Axis Communications AB
- AXIS Camera Station Pro

CRITICAL: CVE-2025-30023 in AXIS Camera Station Pro (<6.9) allows authenticated RCE via deserialization flaw (CWE-502). Upgrade to 6.9+ ASAP! Restrict access & monitor logs. https://radar.offseq.com/threat/cve-2025-30023-cwe-502-deserialization-of-untruste-0f79b87c #OffSeq #RCE #Axis #Vuln

Axis published some interesting advisories.
Here's a sev:CRIT
post-auth RCE:
https://www.axis.com/dam/public/9b/a5/72/cve-2025-30023pdf-en-US-485733.pdf
and an LPE:
https://www.axis.com/dam/public/40/0e/03/cve-2025-30025pdf-en-US-485736.pdf
But since those are post-auth, you first need access, right? Well you're in luck because here's an auth bypass:
https://www.axis.com/dam/public/a3/42/92/cve-2025-30026pdf-en-US-485735.pdf
And an AitM attack that the description is vague on:
https://www.axis.com/dam/public/01/d9/24/cve-2025-30024pdf-en-US-485734.pdf
No PoCs here but they were reported by Team82 so maybe there will be a write-up soon.

SSRF in JGM Pandoc.
https://github.com/jgm/pandoc/issues/10682
A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.
Overview
- Meta Platforms, Inc
- ExecuTorch

A Friday advisory from Facebook? Nice.
https://www.facebook.com/security/advisories/cve-2025-30402
Description: A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f

And another one.
https://www.facebook.com/security/advisories/cve-2025-30403
A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.

sev:MED 4.1 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal.
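
The two-step sequence from the description, reproduced and then blocked in Go, as an added example that is neither GNU tar's code nor a proof of concept against it. The program builds the two one-member archives in memory and extracts them into a temporary directory with a constructed layout: root/extract is the extraction directory and root/victim_ssh stands in for the critical directory, so the planted link points at ../victim_ssh rather than the ../../../../../home/victim/.ssh of the description and the demo never leaves the temp dir. The unhardened extractor applies only the member-name check ("Member name contains '..'") and writes the second archive's authorized_keys through the link; the hardened one resolves what already exists on disk under the target path before each write and refuses both the escaping symlink and the write through it.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// tarOf returns an in-memory one-member archive: a symlink when linkname is set, else a regular file.
func tarOf(name, linkname string, body []byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	hdr := &tar.Header{Name: name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}
	if linkname != "" {
		hdr.Typeflag, hdr.Linkname, hdr.Size = tar.TypeSymlink, linkname, 0
	}
	tw.WriteHeader(hdr)
	tw.Write(body)
	tw.Close()
	return buf.Bytes()
}

// within reports whether p (clean, absolute) lies inside root once root's own symlinks are resolved.
func within(root, p string) bool {
	rootReal, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(rootReal, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveExisting follows the symlinks in the longest already-existing prefix of path and re-appends
// the not-yet-created remainder, so a symlink planted by an earlier archive is seen for where it points.
func resolveExisting(path string) (string, error) {
	existing, rest := path, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		existing, rest = filepath.Dir(existing), filepath.Join(filepath.Base(existing), rest)
	}
	resolved, err := filepath.EvalSymlinks(existing)
	return filepath.Join(resolved, rest), err
}

// extract unpacks archive into dest. Unhardened, it applies only the member-name check from the
// description, which each of the two archives passes on its own. Hardened, it also checks where the
// member, and a symlink member's target, really land on disk before touching anything.
func extract(archive []byte, dest string, hardened bool) error {
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		if strings.Contains(hdr.Name, "..") {
			return fmt.Errorf("member name contains '..': %s", hdr.Name)
		}
		target := filepath.Join(dest, hdr.Name)
		if hardened {
			if target, err = resolveExisting(target); err != nil {
				return err
			}
			link := filepath.Join(filepath.Dir(target), hdr.Linkname) // where a symlink member would point
			if !within(dest, target) || hdr.Typeflag == tar.TypeSymlink && (filepath.IsAbs(hdr.Linkname) || !within(dest, link)) {
				return fmt.Errorf("%s would land outside %s", hdr.Name, dest)
			}
		}
		var werr error
		if hdr.Typeflag == tar.TypeSymlink {
			werr = os.Symlink(hdr.Linkname, target)
		} else if werr = os.MkdirAll(filepath.Dir(target), 0o755); werr == nil {
			data, _ := io.ReadAll(tr)
			werr = os.WriteFile(target, data, 0o644) // follows a symlink in the parent path, as tar does
		}
		if werr != nil {
			return werr
		}
	}
	return nil
}

// TwoStepDemo lays out the constructed victim under root (root/extract is the extraction directory,
// root/victim_ssh stands in for the critical directory), extracts the two archives with the given
// hardening per step and reports whether the critical authorized_keys was overwritten.
func TwoStepDemo(root string, harden [2]bool) (overwritten bool, errs []error) {
	dest, critical := filepath.Join(root, "extract"), filepath.Join(root, "victim_ssh")
	os.MkdirAll(dest, 0o755)
	os.MkdirAll(critical, 0o755)
	marker := filepath.Join(critical, "authorized_keys")
	os.WriteFile(marker, []byte("victim-key\n"), 0o600)
	archives := [][]byte{
		tarOf("x", "../victim_ssh", nil),                         // step one: x -> critical directory
		tarOf("x/authorized_keys", "", []byte("attacker-key\n")), // step two: a write that follows x
	}
	for i, a := range archives {
		if err := extract(a, dest, harden[i]); err != nil {
			errs = append(errs, err)
		}
	}
	got, _ := os.ReadFile(marker)
	return bytes.Contains(got, []byte("attacker-key")), errs
}

func main() {
	root, _ := os.MkdirTemp("", "tar-two-step")
	defer os.RemoveAll(root)
	for i, h := range [][2]bool{{false, false}, {true, true}, {false, true}} {
		overwritten, errs := TwoStepDemo(filepath.Join(root, fmt.Sprint(i)), h)
		fmt.Printf("hardened=%v overwritten=%v errors=%v\n", h, overwritten, errs)
	}
}
```

The third case (unhardened first step, hardened second) is the one that matters for a server that has already extracted attacker archives: checking the member name alone cannot see the link, but resolving the on-disk path before the write still catches it. Two caveats a real extractor also needs and this demo does not cover: a hardlink member can alias a file outside the directory just as a symlink can, and on a shared filesystem the resolve-then-write sequence is itself a race unless the final open uses a no-follow flag or a directory file descriptor.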