Critical RCE flaw impacts over 115,000 WatchGuard firewalls
https://www.bleepingcomputer.com/news/security/over-115-000-watchguard-firewalls-vulnerable-to-ongoing-rce-attacks/

Over 115,000 WatchGuard Firebox devices exposed online remain unpatched
against a critical remote code execution (RCE) vulnerability actively
exploited in attacks.

The security flaw, tracked as CVE-2025-14733, affects Firebox firewalls
running Fireware OS 11.x and later (including 11.12.4_Update1), 12.x or later
(including 12.11.5), and 2025.1 up to and including 2025.1.3.

Successful exploitation enables unauthenticated attackers to execute arbitrary
code remotely on vulnerable devices, following low-complexity attacks that
don't require user interaction.

As WatchGuard explained in a Thursday advisory, when it released
CVE-2025-14733 security updates and tagged it as exploited in the wild,
unpatched Firebox firewalls are only vulnerable to attacks if configured for
IKEv2 VPN. It also warned that even if vulnerable configurations are removed,
the firewall may still be at risk if a Branch Office VPN (BOVPN) to a static
gateway peer is still configured.

RT @TheHackersNews
⚠️ ALERT — A critical RCE flaw (CVSS 9.9) was found in the n8n workflow automation platform.

CVE-2025-68613 lets authenticated users execute arbitrary code, enabling full instance takeover, data access, and system-level actions.

More than 103k exposed instances are observed globally.

🔗 Details → https://thehackernews.com/2025/12/critical-n8n-flaw-cvss-99-enables.html

🚨 CISA has added on vulnerability to the KEV Catalog

CVE-2023-52163: Digiever DS-2105 Pro Missing Authorization Vulnerability

CVSS: 5.9

https://darkwebinformer.com/cisa-kev-catalog/

Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Revisión de CVE-2025-50165: Un fallo crítico en Windows Imaging Component

Vía: @ESET

https://www.welivesecurity.com/es/investigaciones/revision-de-cve-2025-50165-fallo-critico-windows-imaging-component/

Very good question! I hope you’ll forgive me for a long response, it is something I have a lot of thoughts on.

I used to think newer is better, but after plenty of distro-hopping (I had a real good time on Arch), I realized that Debian’s version of "stability" is actually its greatest feature. Here is how I’ve come to see it, using your Fedora experience as a comparison:

Fist, with Debian, stable means unchanging. Fedora is a fast-moving target. It was an early adopter for Wayland and Pipewire. That is exciting, but it can feel like a version of whiplash. Debian is the opposite. Once a version is released, the APIs, file locations, and package behaviors are locked in. Its predictability means my system feels the same on Day 1 as it does on Day 300.

Debian prioritizes reliability over cutting-edge performance. While Fedora pushes the new thing, Debian’s conservative defaults ensure maximum compatibility. It is the "just works" philosophy. It is not just that it doesn't crash, it is that it doesn't surprise you.

I also find APT to be incredibly satisfying compared to DNF. The sheer size of the repositories is massive, but APT Pinning is THE feature for me. Being able to set numeric priorities in /etc/apt/preferences allows me to do things like pull a specific package from Backports while keeping the rest of the system on the Stable branch. It gives you control over dependency resolution that is hard to match.

Regarding your question on security, Debian is unique because it is a 100% community-led project. Unlike Fedora (Red Hat) or Ubuntu (Canonical), there is no corporate entity at the top. This is one of the most important traits to me. If Red Hat wanted to, Fedora could start showing ads in the application menu with the next update. I don’t think that will happen with Fedora, but who knows, Canonical is now showing ads in the cli. Enough is enough.

I also appreciate Debian’s focus on inclusion. It is one of the most inclusive projects in tech. As a member of the queer community, it is important to me to use tools that are created and supported by those who do not hate me for being different. To quote their Diversity Statement: “No matter how you identify yourself or how others perceive you: we welcome you. We welcome contributions from everyone as long as they interact constructively with our community.” They forbid discrimination against any person or group. Because it is a global meritocracy, you have contributors from every corner of the world. This diversity is actually a security feature because with so many different eyes on the code, it is much harder for a backdoor or a bias to slip through unnoticed.

For your "backdoor-proof" concern, Debian’s Social Contract and strict adherence to free software guidelines mean every line of code is scrutinized by volunteers around the world. It is transparent by design. While no distro/OS is unhackable, Debian’s slow and steady release cycle means security patches are thoroughly vetted before they hit your machine, reducing the risk of zero day regressions. Fedora has been vulnerable to zero day attacks in the past and will probably continue to be in the future. For instance, because Fedora is always on the latest versions, Fedora Users are often vulnerable to new attack. Earlier in 2025, the latest kernel which Fedora had pushed to users had a zero day vulnerability. Debian stable users did not have that vulnerability because they would not see that update for quite some time.

Sources:

Ubuntu Showing Ads in Terminal - https://linuxiac.com/ubuntu-once-again-angered-users-by-placing-ads/

Debian Social Contract - https://www.debian.org/social_contract

Debian Diversity Statement - https://www.debian.org/intro/diversity

Zero day vulnerability mentioned -https://www.cve.org/CVERecord?id=CVE-2025-37899

#Debian

University of Phoenix confirms massive data breach via Oracle EBS zero-day (CVE-2025-61882), exposing names, DOBs, SSNs, and bank details of 3.5M people. Attackers hit Aug 13-22, 2025; notifications started Dec 22 with free credit monitoring. Stay vigilant! 🔒💻⚠️ https://cyberinsider.com/breach-at-university-of-phoenix-exposed-data-of-3-5-million-people/ #DataBreach #CyberSecurity #UniversityOfPhoenix
#Newz

Windows RasMan DoS-Lücke: 0patch bietet kostenlosen Schutz vor aktuellem 0-Day

Sicherheitslücke in Windows Remote Access Connection Manager entdeckt

Bei der Analyse der im Oktober 2025 von Microsoft geschlossenen Schwachstelle CVE-2025-59230 im Windows Remote Access Connection Manager stieß das Team von 0patch auf eine bislang ungepatchte Sicherheitslücke.

https://www.all-about-security.de/windows-rasman-dos-luecke-0patch-bietet-kostenlosen-schutz-vor-aktuellem-0-day/

#windows #zeroday #CVE

From cheats to exploits: Webrat spreading via GitHub

In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field.

Distribution and the malicious sample

In October, we uncovered a campaign that had been distributing Webrat via GitHub repositories since at least September. To lure in victims, the attackers leveraged vulnerabilities frequently mentioned in security advisories and industry news. Specifically, they disguised their malware as exploits for the following vulnerabilities with high CVSSv3 scores:

This is not the first time threat actors have tried to lure security researchers with exploits. Last year, they similarly took advantage of the high-profile RegreSSHion vulnerability, which lacked a working PoC at the time.

In the Webrat campaign, the attackers bait their traps with both vulnerabilities lacking a working exploit and those which already have one. To build trust, they carefully prepared the repositories, incorporating detailed vulnerability information into the descriptions. The information is presented in the form of structured sections, which include:

• Overview with general information about the vulnerability and its potential consequences
• Specifications of systems susceptible to the exploit
• Guide for downloading and installing the exploit
• Guide for using the exploit
• Steps to mitigate the risks associated with the vulnerability

Contents of the repository

In all the repositories we investigated, the descriptions share a similar structure, characteristic of AI-generated vulnerability reports, and offer nearly identical risk mitigation advice, with only minor variations in wording. This strongly suggests that the text was machine-generated.

The Download Exploit ZIP link in the Download & Install section leads to a password-protected archive hosted in the same repository. The password is hidden within the name of a file inside the archive.

The archive downloaded from the repository includes four files:

1. pass – 8511: an empty file, whose name contains the password for the archive.
2. payload.dll: a decoy, which is a corrupted PE file. It contains no useful information and performs no actions, serving only to divert attention from the primary malicious file.
3. rasmanesc.exe (note: file names may vary): the primary malicious file (MD5 61b1fc6ab327e6d3ff5fd3e82b430315), which performs the following actions:
   
   • Escalate its privileges to the administrator level (T1134.002).
   • Disable Windows Defender (T1562.001) to avoid detection.
   • Fetch from a hardcoded URL (ezc5510min.temp[.]swtest[.]ru in our example) a sample of the Webrat family and execute it (T1608.001).

   
   

4. start_exp.bat: a file containing a single command: start rasmanesc.exe, which further increases the likelihood of the user executing the primary malicious file.

The execution flow and capabilities of rasmanesc.exe

Webrat is a backdoor that allows the attackers to control the infected system. Furthermore, it can steal data from cryptocurrency wallets, Telegram, Discord and Steam accounts, while also performing spyware functions such as screen recording, surveillance via a webcam and microphone, and keylogging. The version of Webrat discovered in this campaign is no different from those documented previously.

Campaign objectives

Previously, Webrat spread alongside game cheats, software cracks, and patches for legitimate applications. In this campaign, however, the Trojan disguises itself as exploits and PoCs. This suggests that the threat actor is attempting to infect information security specialists and other users interested in this topic. It bears mentioning that any competent security professional analyzes exploits and other malware within a controlled, isolated environment, which has no access to sensitive data, physical webcams, or microphones. Furthermore, an experienced researcher would easily recognize Webrat, as it’s well-documented and the current version is no different from previous ones. Therefore, we believe the bait is aimed at students and inexperienced security professionals.

Conclusion

The threat actor behind Webrat is now disguising the backdoor not only as game cheats and cracked software, but also as exploits and PoCs. This indicates they are targeting researchers who frequently rely on open sources to find and analyze code related to new vulnerabilities.

However, Webrat itself has not changed significantly from past campaigns. These attacks clearly target users who would run the “exploit” directly on their machines — bypassing basic safety protocols. This serves as a reminder that cybersecurity professionals, especially inexperienced researchers and students, must remain vigilant when handling exploits and any potentially malicious files. To prevent potential damage to work and personal devices containing sensitive information, we recommend analyzing these exploits and files within isolated environments like virtual machines or sandboxes.

We also recommend exercising general caution when working with code from open sources, always using reliable security solutions, and never adding software to exclusions without a justified reason.

Kaspersky solutions effectively detect this threat with the following verdicts:

• HEUR:Trojan.Python.Agent.gen
• HEUR:Trojan-PSW.Win64.Agent.gen
• HEUR:Trojan-Banker.Win32.Agent.gen
• HEUR:Trojan-PSW.Win32.Coins.gen
• HEUR:Trojan-Downloader.Win32.Agent.gen
• PDM:Trojan.Win32.Generic

Indicators of compromise

Malicious GitHub repositories
https://github[.]com/RedFoxNxploits/CVE-2025-10294-Poc
https://github[.]com/FixingPhantom/CVE-2025-10294
https://github[.]com/h4xnz/CVE-2025-10294-POC
https://github[.]com/usjnx72726w/CVE-2025-59295/tree/main
https://github[.]com/stalker110119/CVE-2025-59230/tree/main
https://github[.]com/moegameka/CVE-2025-59230
https://github[.]com/DebugFrag/CVE-2025-12596-Exploit
https://github[.]com/themaxlpalfaboy/CVE-2025-54897-LAB
https://github[.]com/DExplo1ted/CVE-2025-54106-POC
https://github[.]com/h4xnz/CVE-2025-55234-POC
https://github[.]com/Hazelooks/CVE-2025-11499-Exploit
https://github[.]com/usjnx72726w/CVE-2025-11499-LAB
https://github[.]com/modhopmarrow1973/CVE-2025-11833-LAB
https://github[.]com/rootreapers/CVE-2025-11499
https://github[.]com/lagerhaker539/CVE-2025-12595-POC

Webrat C2
http://ezc5510min[.]temp[.]swtest[.]ru
http://shopsleta[.]ru

MD5
28a741e9fcd57bd607255d3a4690c82f
a13c3d863e8e2bd7596bac5d41581f6a
61b1fc6ab327e6d3ff5fd3e82b430315

securelist.com/webrat-distribu…

ReDoS in Fedify.

https://www.cve.org/CVERecord?id=CVE-2025-68475