#FortiWeb Pre-Auth #RCE (CVE-2025-25257)

https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce

Unauthenticated SQL injection in GUI in FortiWeb - CVE-2025-25257

#vulnerabilitymanagement #cybersecurity #fortinet #vulnerability

🔗 https://vulnerability.circl.lu/vuln/CVE-2025-25257#comments

watchTowr has an even better write-up on CVE-2025-25257 in Fortinet FortiWeb.

https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/

🚨 Critical alert: A pre-auth RCE exploit (CVE-2025-25257) targeting Fortinet FortiWeb is now public. Patch to 7.6.4+/7.4.8+ immediately or disable HTTP admin interfaces. Unpatched systems are at high risk. Details: https://redteamnews.com/red-team/cve/critical-pre-auth-rce-exploit-released-for-fortinet-fortiweb-patch-immediately/

@christopherkunz

Fortinet episode 65535

https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/

Critical SQL Injection Flaw in FortiWeb: Urgent Patch Required

Fortinet's Latest Security Challenge Fortinet has disclosed a critical SQL injection vulnerability affecting its FortiWeb product, posing a significant risk to unpatched systems. The flaw, identified as CVE-2025-25257, carries a CVSS severity score of 9.6/10, making it one of the most serious vulnerabilities reported this year. This vulnerability allows unauthenticated attackers to execute arbitrary SQL…

https://undercodenews.com/critical-sql-injection-flaw-in-fortiweb-urgent-patch-required/

🚨CVE-2025-25257: Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector

PoC: https://github.com/watchtowrlabs/watchTowr-vs-FortiWeb-CVE-2025-25257

Write-up: https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/

In a rare move, CISA gave federal agencies just one day to patch Citrix Netscaler bug CVE-2025-5777

Patch ASAP #CitrixBleed2 #2Citrix2Bloody

https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they’ve sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

Updated CitrixBleed2 scan results of vuln/not vuln
https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

Critical Flaw in Citrix NetScaler Exposes Enterprise Systems to Potential Exploits

Enterprises at Risk: A New Security Flaw Uncovered in Citrix NetScaler A dangerous new vulnerability has surfaced, targeting one of the most trusted tools in enterprise cybersecurity—Citrix NetScaler. Identified as CVE-2025-5777, this flaw compromises the integrity of Citrix NetScaler ADC and Gateway devices, platforms widely used for secure remote access and authentication services.…

https://undercodenews.com/critical-flaw-in-citrix-netscaler-exposes-enterprise-systems-to-potential-exploits/

CitrixBleed 2: A Critical Threat Returns with CVE-2025-5777

A New Exploit Echoes an Old Danger In a major alert that echoes past cybersecurity alarms, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered vulnerability in Citrix NetScaler systems—CVE-2025-5777, nicknamed CitrixBleed 2—to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, with a CVSS v4.0 Base Score of 9.3, is considered critical, enabling…

https://undercodenews.com/citrixbleed-2-a-critical-threat-returns-with-cve-2025-5777/

This Week in Security: Bitchat, CitrixBleed Part 2, Opossum, and TSAs

@jack is back with a weekend project. Yes, that Jack. [Jack Dorsey] spent last weekend learning about Bluetooth meshing, and built Bitchat, a BLE mesh encrypted messaging application. It uses X25519 for key exchange, and AES-GCM for message encryption. [Alex Radocea] took a look at the current state of the project, suspects it was vibe coded, and points out a glaring problem with the cryptography.

So let’s take a quick look at the authentication and encryption layer of Bitchat. The whitepaper is useful, but still leaves out some of the important details, like how the identity key is tied to the encryption keys. The problem here is that it isn’t.

Bitchat has, by necessity, a trust-on-first-use authentication model. There is intentionally no authentication central authority to verify the keys of any given user, and the application hasn’t yet added an out-of-band authentication method, like scanning QR codes. Instead, it has a favorites system, where the user can mark a remote user as a favorite, and the app saves those keys forever. There isn’t necessarily anything wrong with this approach, especially if users understand the limitations.

The other quirk is that Bitchat uses ephemeral keys for each chat session, in an effort to have some forward secrecy. In modern protocols, it’s desirable to have some protection against a single compromised encryption key exposing all the messages in the chain. It appears that Bitchat accomplishes this by generating dedicated encryption keys for each new chat session. But those ephemeral keys aren’t properly verified. In fact, they aren’t verified by a user’s identity key at all!

The attack then, is to send a private message to another user, present the public key of whoever your’re trying to impersonate, and include new ephemeral encryption keys. Even if your target has this remote user marked as a favorite, the new encryption keys are trusted. So the victim thinks this is a conversation with a trusted person, and it’s actually a conversation with an attacker. Not great.

Now when you read the write-up, you’ll notice it ends with [Alex] opening an issue on the Bitchat GitHub repository, asking how to do security reports. The issue was closed without comment, and that’s about the end of the write-up. It is worth pointing out that the issue has been re-opened, and updated with some guidance on how to report flaws.

Post-Quantum Scanning

There’s a deadline coming. Depending on where you land on the quantum computing skepticism scale, it’s either the end of cryptography as we know it, or a pipe dream that’s always going to be about 10 years away. My suspicion happens to be that keeping qubits in sync is a hard problem in much the same way that factoring large numbers is a hard problem. But I don’t recommend basing your cryptography on that hunch.

Governments around the world are less skeptical of the quantum computer future, and have set specific deadlines to migrate away from quantum-vulnerable algorithms. The issue here is that finding all those uses of “vulnerable” algorithms is quite the challenge. TLS, SSH, and many more protocols support a wide range of cryptography schemes, and only a few are considered Post Quantum Cryptography (PQC).

Anvil Secure has seen this issue, and released an Open Source tool to help. Pqcscan is a simple idea: Scan a list of targets and collect their supported cryptography via an SSH and TLS scan. At the end, the tool generates a simple report of how many of the endpoints support PQC. This sort of compliance is usually no fun, but having some decent tools certainly helps.

Citrixbleed 2

Citrix devices have a problem. Again. The nickname for this particular issue is CitrixBleed 2, which hearkens all the way back to Heartbleed. The “bleed” here refers to an attack that leaks little bits of memory to attackers. We know that it’s related to an endpoint called doAuthentication.do.

The folks at Horizon3 have a bit more detail, and it’s a memory management issue, where structures are left pointing to arbitrary memory locations. The important thing is that an incomplete login message is received, the code leaks 127 bytes of memory at a time.

What makes this vulnerability particularly bad is that Citrix didn’t share any signs of attempted exploitation. Researchers have evidence of this vulnerability being used in the wild back to July 1st. That’s particularly a problem because the memory leak is capable of revealing session keys, allowing for further exploitation. Amazingly, in an email with Ars Technica, Citrix still refused to admit that the flaw was being used in the wild.

Opossum

We have a new TLS attack, and it’s a really interesting approach. The Opossum Attack is a Man in the Middle (MitM) attack that takes advantage of of opportunistic TLS. This TLS upgrade approach isn’t widely seen outside of something like email protocols, where the StartTLS command is used. The important point here is that these connections allow a connection to be initiated using the plaintext protocol, and then upgrade to a TLS protocol.

The Opossum attack happens when an attacker in a MitM position intercepts a new TCP connection bound for a TLS-only port. The attacker then initiates a plaintext connection to that remote resource, using the opportunistic port. The attacker can then issue the command to start a TLS upgrade, and like an old-time telephone operator, patch the victim through to the opportunistic port with the session already in progress.

The good news is that this attack doesn’t result in encryption compromise. The basic guarantees of TLS remain. The problem is that there is now a mismatch between exactly how the server and client expect the connection to behave. There is also some opportunity for the attacker to poison that connection before the TLS upgrade takes place.

TSAs

AMD has announced yet another new Transient Execution attack, the Transient Scheduler Attack. The AMD PDF has a bit of information about this new approach. The newly discovered leak primitive is the timing of CPU instructions, as instruction load timings may be affected by speculative execution.

The mitigation for this attack is similar to others. AMD recommends running the VERW instruction when transitioning between Kernel and user code. The information leakage is not between threads, and so far appears to be inaccessible from within a web browser, cutting down the real-world exploitability of this new speculative execution attack significantly.

Bits and Bytes

The majority of McDonald’s franchises uses the McHire platform for hiring employees, because of course it’s called “McHire”. This platform uses AI to help applicants work through the application process, but the issues found weren’t prompt injection or anything to do with AI. In this case, it was a simple default username and password 123456:123456 that gave access to a test instance of the platform. No real personal data, but plenty of clues to how the system worked: an accessible API used a simple incrementing ID, and no authentication to protect data. So step backwards through all 64 million applications, and all that entered data was available to peruse. Yikes! The test credentials were pulled less than two hours after disclosure, which is an impressive turn-around to fix.

When you’ve been hit by a ransomware attack, it may seem like the criminals on the other side are untouchable. But once again, international law enforcement have made arrests of high-profile ransomeware gangs. This time it’s members of Scattered Spider that were arrested in the UK.

And finally, the MCP protocol is once again making security news. As quickly as the world of AI is changing, it’s not terribly surprising that bugs and vulnerabilities are being discovered in this very new code. This time it’s mcp-remote, which can be coerced to run arbitrary code when connecting to a malicious MCP server. Connect to server, pop calc.exe. Done.

hackaday.com/2025/07/11/this-w…

CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch

[...] Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes. The U.S.

https://www.bleepingcomputer.com/news/security/cisa-tags-citrix-bleed-2-as-exploited-gives-agencies-a-day-to-patch/

#Cybersecurity

Critical CVE-2025-5777 Vulnerability in Citrix NetScaler ADC: What It Means for Your Security Posture

A New Threat Emerges in Enterprise VPN Infrastructure A newly disclosed security vulnerability, CVE-2025-5777, has sent waves through the cybersecurity landscape, especially among enterprises using Citrix NetScaler ADC and Gateway products. This flaw exposes organizations to serious risks tied to remote access and authentication tools, which are often at the core of…

https://undercodenews.com/critical-cve-2025-5777-vulnerability-in-citrix-netscaler-adc-what-it-means-for-your-security-posture/

Just published a proof-of-concept exploit for CVE-2025-32463, a new Linux privilege escalation vulnerability affecting sudo discovered and disclosed by Stratascale about 2 weeks ago.

The PoC is available on GitHub. A full technical writeup will be published on my blog soon.

GitHub: https://github.com/morgenm/sudo-chroot-CVE-2025-32463

#CyberSecurity #ExploitDev #Linux #CVE #PrivilegeEscalation #Infosec #Exploit #Rust #PrivEsc

https://www.cve.org/CVERecord?id=CVE-2025-32463

Security experts warn: the new "Count(er) Strike" flaw (CVE-2025-3648) in #ServiceNow could let even low-privileged or anonymous users infer and steal sensitive table data 😱🔓. 85% of Fortune 500 firms may be at risk. Patch now & review your ACLs! Read more 👉 https://www.techradar.com/pro/security/worrying-servicenow-security-flaw-could-let-hackers-steal-private-table-data #cybersecurity #infosec
#newz

ServiceNow Flaw CVE-2025-3648 Could Lead to Data Exposure via Misconfigured ACLs https://thehackernews.com/2025/07/servicenow-flaw-cve-2025-3648-could.html

🚨 CVE-2025-52950 (CRITICAL, CVSS 9.6): Juniper Security Director 24.4.1 has a missing authorization flaw letting unauthenticated attackers read/tamper with sensitive resources via the web UI. Patch ASAP, restrict access, and monitor logs! https://radar.offseq.com/threat/cve-2025-52950-cwe-862-missing-authorization-in-ju-cd4c5f5d #OffSeq #Juniper #CVE202552950 #Infosec

Juniper has published a bunch of security advisories since Wednesday:

https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sortCriteria=date%20descending&f-sf_primarysourcename=Knowledge&f-sf_articletype=Security%20Advisories&numberOfResults=50

These two are the only ones they rated as sev:CRIT but I haven't had time to actually read through any of them yet:

https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Juniper-Security-Director-Insufficient-authorization-for-multiple-endpoints-in-web-interface-CVE-2025-52950

https://supportportal.juniper.net/s/article/2025-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Vulnerability-in-the-RADIUS-protocol-for-Subscriber-Management-Blast-RADIUS-CVE-2024-3596

CRITICAL: CVE-2025-30023 in AXIS Camera Station Pro (<6.9) allows authenticated RCE via deserialization flaw (CWE-502). Upgrade to 6.9+ ASAP! Restrict access & monitor logs. https://radar.offseq.com/threat/cve-2025-30023-cwe-502-deserialization-of-untruste-0f79b87c #OffSeq #RCE #Axis #Vuln

Axis published some interesting advisories.

Here's a sev:CRIT post-auth RCE:

https://www.axis.com/dam/public/9b/a5/72/cve-2025-30023pdf-en-US-485733.pdf

and an LPE:

https://www.axis.com/dam/public/40/0e/03/cve-2025-30025pdf-en-US-485736.pdf

But since those are post-auth, you first need access, right? Well you're in luck because here's an auth bypass:

https://www.axis.com/dam/public/a3/42/92/cve-2025-30026pdf-en-US-485735.pdf

And an AitM attack that the description is vague on:

https://www.axis.com/dam/public/01/d9/24/cve-2025-30024pdf-en-US-485734.pdf

No PoCs here but they were reported by Team82 so maybe there will be a write-up soon.

SSRF in JGM Pandoc.

https://github.com/jgm/pandoc/issues/10682

A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe.

https://www.cve.org/CVERecord?id=CVE-2025-51591

A Friday advisory from Facebook? Nice.

https://www.facebook.com/security/advisories/cve-2025-30402

Description: A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f

And another one.

https://www.facebook.com/security/advisories/cve-2025-30403

A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00.

sev:MED 4.1 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of \"Member name contains '..'\" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain \"x -> ../../../../../home/victim/.ssh\" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal.

https://www.cve.org/CVERecord?id=CVE-2025-45582