24h | 7d | 30d

CVE-2025-52891

Overview

  • owasp-modsecurity
  • ModSecurity
02 Jul 2025
Published
02 Jul 2025
Updated
CVSS v3.1
MEDIUM (6.5)
EPSS
0.05%
KEV

Description

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.

Statistics

  • 1 Post

Fediverse

Profile picture
Undercode News @undercodenews

CVE-2025-52891: New ModSecurity2 Bug Exposes Servers to DoS via Empty XML Tags

A Subtle but Dangerous XML Parsing Flaw A newly discovered vulnerability in ModSecurity2, a widely adopted open-source web application firewall (WAF), has raised concerns among developers and cybersecurity professionals. Tracked as CVE-2025-52891, the flaw affects versions 2.9.8 through 2.9.10 and has been rated as moderate severity. This issue can cause the WAF process to crash whenever…

undercodenews.com/cve-2025-528

  • 0
  • 0
  • 17 hours ago

CVE-2025-34071

Overview

  • GFI Software
  • Kerio Control
02 Jul 2025
Published
03 Jul 2025
Updated
CVSS v4.0
CRITICAL (9.4)
EPSS
0.28%
KEV

Description

A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade feature. The system upgrade mechanism accepts unsigned .img files, which can be modified to include malicious scripts within the upgrade.sh or disk image components. These modified upgrade images are not validated for authenticity or integrity, and are executed by the system post-upload, enabling root access.

Statistics

  • 1 Post

Fediverse

Profile picture
Offensive Sequence @offseq

⚠️ CRITICAL: CVE-2025-34071 in Kerio Control 9.4.5 lets admins upload unsigned firmware, executing code as root. Restrict admin access, monitor uploads, and await patch. High risk for perimeter devices! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 16 hours ago

CVE-2025-32897

Overview

  • Apache Software Foundation
  • Apache Seata (incubating)
28 Jun 2025
Published
30 Jun 2025
Updated
CVSS
Pending
EPSS
0.04%
KEV

Description

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue.

Statistics

  • 1 Post

Fediverse

Profile picture
Undercode News @undercodenews

Critical Apache Seata Vulnerability CVE-2025-32897 Exposes Distributed Systems to RCE Attacks

Rising Threat in Distributed Transaction Systems A serious security flaw, CVE-2025-32897, has been discovered in Apache Seata, a popular open-source framework used for managing distributed transactions across microservices and cloud-native systems. This newly uncovered vulnerability highlights a deserialization weakness that opens the door to remote code execution (RCE) — a…

undercodenews.com/critical-apa

  • 0
  • 0
  • 14 hours ago

CVE-2024-3721

Overview

  • TBK
  • DVR-4104
13 Apr 2024
Published
01 Aug 2024
Updated
CVSS v3.1
MEDIUM (6.3)
EPSS
57.40%
KEV

Description

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260573 was assigned to this vulnerability.

Statistics

  • 1 Post
  • 5 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Oh, goodie. Another botnet. This one is exploiting CVE-2024-3721 and CVE-2024-12856 in DVRs and routers to launch DDoS attacks.

fortinet.com/blog/threat-resea

IOCs

Hosts

45[.]135[.]194[.]34
83[.]150[.]218[.]93
14[.]103[.]145[.]202
14[.]103[.]145[.]211
154[.]91[.]254[.]95
78[.]153[.]149[.]90

Files

Downloader

c88f60dbae08519f2f81bb8efa7e6016c6770e66e58d77ab6384069a515e451c
eb3e2a6a50f029fc646e2c3483157ab112f4f017406c3aabedaae0c94e0969f6
f4cd7ab04b1744babef19d147124bfc0e9e90d557408cc2d652d7192df61bda9

RondoDox

e3c080e322862d065649c468d20f620c3670d841c30c3fe5385e37f4f10172e7
e62df17150fcb7fea32ff459ef47cdd452a21269efe9252bde70377fd2717c10
53e2c2d83813d1284ddb8c68b1572b17cca95cfc36a55a7517bf45ff40828be5
43d4847bf237c445ed2e846a106e1f55abefef5c3a8545bd5e4cad20f5deb9a4
4c2429fc8b8ec61da41cbba1b8184ec45fa93a9841b4ca48094bba7741b826b8
694d729d67f1b0c06702490bfab1df3a96fe040fe5d07efa5c92356c329757be
edae3b75deb8013bd48ac4534cca345b90938a2abb91672467c2bf9ae81ff683
0814a0781ab30fca069a085dba201d6fd0f414498fafa4bb42859786d91d4781
59b4deee977e9e27b60e7e179d54a1ce8e56624e73b799523416eee828bfaf76
9f916a552efc6775367a31357a633dc0be01879830d3fddccdf3c40b26e50afd
0a9ebbecc8ec58c253039520304ca373cfb8d1674d67993e6485e244a77d6ec9
6c81fd73b4bef6fef379cbefdcce7f374ea7e6bf1bf0917cf4ca7b72d4cee788
a55a3859a203ca2bae7399295f92aeae61d845ffa173c1938f938f5c148eef99
57573779f9a62eecb80737d41d42165af8bb9884579c50736766abb63d2835ba
3daa53204978b7797bd53f5c964eed7a73d971517a764785ce3ab65a9423c2e7
8bf8928bc255e73e0b5b0ce13747c64d82d5f2647da129f189138773733ac21f
20a24b179bdbbdcc0053838c0484ea25eff6976f2b8cb5630ab4efb28b0f06b5
42aa715573c7d2fca01914504cb7336db715d73d1e20d23e4bd37f2e4f4fe389
c9278ce988343606350a94156ca28ee28bd605d1d95c810a16866eee1f997598
a197f60d5f5641f2c56576b4c867d141612c6e00db29c512f266835510b8a62d
8250d289c5ec87752cec1af31eed0347cf2dd54dc0fbeea645319c4dae238ee2
d02414a54e97ad26748812002610f1491a2a746e9ba0f9d05de3d47d7bab4f5e
c123a91fdacd9a4c0bcf800d6b7db5162cfd11cb71e260647ef0f2c60978ebfc
ef708fec1afbea4fb32b586e0dacf0d228c375a532008d81453c367256afea5a
305507f34c14c72cab35715b7f7b25b32352a8e19b8a283003aaf539d12ca517
937e6ab0dfcedfa23eced7b52d3899b0847df3fcb7a9c326b71027a7ab5f5b93

cc: @Dio9sys @da_667 since this seems like the kind of thing you might want to sig / tag.

  • 3
  • 2
  • 10 hours ago

CVE-2024-12856

Overview

  • Four-Faith
  • F3x24
27 Dec 2024
Published
28 Jan 2025
Updated
CVSS v3.1
HIGH (7.2)
EPSS
77.16%
KEV

Description

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

Statistics

  • 1 Post
  • 5 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Oh, goodie. Another botnet. This one is exploiting CVE-2024-3721 and CVE-2024-12856 in DVRs and routers to launch DDoS attacks.

fortinet.com/blog/threat-resea

IOCs

Hosts

45[.]135[.]194[.]34
83[.]150[.]218[.]93
14[.]103[.]145[.]202
14[.]103[.]145[.]211
154[.]91[.]254[.]95
78[.]153[.]149[.]90

Files

Downloader

c88f60dbae08519f2f81bb8efa7e6016c6770e66e58d77ab6384069a515e451c
eb3e2a6a50f029fc646e2c3483157ab112f4f017406c3aabedaae0c94e0969f6
f4cd7ab04b1744babef19d147124bfc0e9e90d557408cc2d652d7192df61bda9

RondoDox

e3c080e322862d065649c468d20f620c3670d841c30c3fe5385e37f4f10172e7
e62df17150fcb7fea32ff459ef47cdd452a21269efe9252bde70377fd2717c10
53e2c2d83813d1284ddb8c68b1572b17cca95cfc36a55a7517bf45ff40828be5
43d4847bf237c445ed2e846a106e1f55abefef5c3a8545bd5e4cad20f5deb9a4
4c2429fc8b8ec61da41cbba1b8184ec45fa93a9841b4ca48094bba7741b826b8
694d729d67f1b0c06702490bfab1df3a96fe040fe5d07efa5c92356c329757be
edae3b75deb8013bd48ac4534cca345b90938a2abb91672467c2bf9ae81ff683
0814a0781ab30fca069a085dba201d6fd0f414498fafa4bb42859786d91d4781
59b4deee977e9e27b60e7e179d54a1ce8e56624e73b799523416eee828bfaf76
9f916a552efc6775367a31357a633dc0be01879830d3fddccdf3c40b26e50afd
0a9ebbecc8ec58c253039520304ca373cfb8d1674d67993e6485e244a77d6ec9
6c81fd73b4bef6fef379cbefdcce7f374ea7e6bf1bf0917cf4ca7b72d4cee788
a55a3859a203ca2bae7399295f92aeae61d845ffa173c1938f938f5c148eef99
57573779f9a62eecb80737d41d42165af8bb9884579c50736766abb63d2835ba
3daa53204978b7797bd53f5c964eed7a73d971517a764785ce3ab65a9423c2e7
8bf8928bc255e73e0b5b0ce13747c64d82d5f2647da129f189138773733ac21f
20a24b179bdbbdcc0053838c0484ea25eff6976f2b8cb5630ab4efb28b0f06b5
42aa715573c7d2fca01914504cb7336db715d73d1e20d23e4bd37f2e4f4fe389
c9278ce988343606350a94156ca28ee28bd605d1d95c810a16866eee1f997598
a197f60d5f5641f2c56576b4c867d141612c6e00db29c512f266835510b8a62d
8250d289c5ec87752cec1af31eed0347cf2dd54dc0fbeea645319c4dae238ee2
d02414a54e97ad26748812002610f1491a2a746e9ba0f9d05de3d47d7bab4f5e
c123a91fdacd9a4c0bcf800d6b7db5162cfd11cb71e260647ef0f2c60978ebfc
ef708fec1afbea4fb32b586e0dacf0d228c375a532008d81453c367256afea5a
305507f34c14c72cab35715b7f7b25b32352a8e19b8a283003aaf539d12ca517
937e6ab0dfcedfa23eced7b52d3899b0847df3fcb7a9c326b71027a7ab5f5b93

cc: @Dio9sys @da_667 since this seems like the kind of thing you might want to sig / tag.

  • 3
  • 2
  • 10 hours ago

CVE-2025-27636

Overview

  • Apache Software Foundation
  • Apache Camel
  • org.apache.camel:camel
09 Mar 2025
Published
17 Mar 2025
Updated
CVSS
Pending
EPSS
43.34%
KEV

Description

Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, to call another method on the bean, than was coded in the application. In the camel-jms component, then a malicious header can be used to send the message to another queue (on the same broker) than was coded in the application. This could also be seen by using the camel-exec component The attacker would need to inject custom headers, such as HTTP protocols. So if you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include malicious HTTP headers in the HTTP requests that are send to the Camel application. All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box. In these conditions an attacker could be able to forge a Camel header name and make the bean component invoking other methods in the same bean. In terms of usage of the default header filter strategy the list of components using that is: * camel-activemq * camel-activemq6 * camel-amqp * camel-aws2-sqs * camel-azure-servicebus * camel-cxf-rest * camel-cxf-soap * camel-http * camel-jetty * camel-jms * camel-kafka * camel-knative * camel-mail * camel-nats * camel-netty-http * camel-platform-http * camel-rest * camel-sjms * camel-spring-rabbitmq * camel-stomp * camel-tahu * camel-undertow * camel-xmpp The vulnerability arises due to a bug in the default filtering mechanism that only blocks headers starting with "Camel", "camel", or "org.apache.camel.".  Mitigation: You can easily work around this in your Camel applications by removing the headers in your Camel routes. There are many ways of doing this, also globally or per route. This means you could use the removeHeaders EIP, to filter out anything like "cAmel, cAMEL" etc, or in general everything not starting with "Camel", "camel" or "org.apache.camel.".

Statistics

  • 2 Posts
  • 4 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Unit42 has a good write-up on some ITW Tomcat and Camel shenanigans exploiting CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891. IOCs in the post.

But does anyone know if this is a typo by the article or if there are actual files with the .sesson extension? Seems like a good indicator to search on if it's not a typo.

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .sesson in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Edit: Confirmed typo per this response: infosec.exchange/@0xThiebaut/1

unit42.paloaltonetworks.com/ap

  • 1
  • 2
  • 12 hours ago
Profile picture
LCSC-IE, Cyber Threat Intel News 🇮🇪 @LCSC_IE

🟥𝐋𝐂𝐒𝐂-𝐈𝐄 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐅𝐢𝐧𝐝𝐢𝐧𝐠𝐬-𝟑 𝐉𝐮𝐥𝐲 𝟐𝟎𝟐𝟓🟥

𝐍𝐞𝐰𝐬:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

𝐀𝐏𝐓 𝐈𝐎𝐂𝐬:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin
Accounts-mysticete[.]servepics[.]com
freedrive[.]servehttp[.]com
login-accounts[.]servehttp[.]com
myaccounts-profile[.]servehttp[.]com
mydocs[.]onthewifi[.]com
securedrive-mofa[.]servehttp[.]com
translate[.]onthewifi[.]com
undocs[.]ddns[.]net
undocs[.]myvnc[.]com
undocs[.]servehttp[.]com

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

  • 0
  • 1
  • 13 hours ago

CVE-2025-29891

Overview

  • Apache Software Foundation
  • Apache Camel
  • org.apache.camel:camel
12 Mar 2025
Published
19 Mar 2025
Updated
CVSS
Pending
EPSS
0.09%
KEV

Description

Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's default incoming header filter, that allows an attacker to include Camel specific headers that for some Camel components can alter the behaviours such as the camel-bean component, or the camel-exec component. If you have Camel applications that are directly connected to the internet via HTTP, then an attacker could include parameters in the HTTP requests that are sent to the Camel application that get translated into headers.  The headers could be both provided as request parameters for an HTTP methods invocation or as part of the payload of the HTTP methods invocation. All the known Camel HTTP component such as camel-servlet, camel-jetty, camel-undertow, camel-platform-http, and camel-netty-http would be vulnerable out of the box. This CVE is related to the CVE-2025-27636: while they have the same root cause and are fixed with the same fix, CVE-2025-27636 was assumed to only be exploitable if an attacker could add malicious HTTP headers, while we have now determined that it is also exploitable via HTTP parameters. Like in CVE-2025-27636, exploitation is only possible if the Camel route uses particular vulnerable components.

Statistics

  • 2 Posts
  • 4 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Unit42 has a good write-up on some ITW Tomcat and Camel shenanigans exploiting CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891. IOCs in the post.

But does anyone know if this is a typo by the article or if there are actual files with the .sesson extension? Seems like a good indicator to search on if it's not a typo.

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .sesson in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Edit: Confirmed typo per this response: infosec.exchange/@0xThiebaut/1

unit42.paloaltonetworks.com/ap

  • 1
  • 2
  • 12 hours ago
Profile picture
LCSC-IE, Cyber Threat Intel News 🇮🇪 @LCSC_IE

🟥𝐋𝐂𝐒𝐂-𝐈𝐄 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐅𝐢𝐧𝐝𝐢𝐧𝐠𝐬-𝟑 𝐉𝐮𝐥𝐲 𝟐𝟎𝟐𝟓🟥

𝐍𝐞𝐰𝐬:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

𝐀𝐏𝐓 𝐈𝐎𝐂𝐬:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin
Accounts-mysticete[.]servepics[.]com
freedrive[.]servehttp[.]com
login-accounts[.]servehttp[.]com
myaccounts-profile[.]servehttp[.]com
mydocs[.]onthewifi[.]com
securedrive-mofa[.]servehttp[.]com
translate[.]onthewifi[.]com
undocs[.]ddns[.]net
undocs[.]myvnc[.]com
undocs[.]servehttp[.]com

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

  • 0
  • 1
  • 13 hours ago

CVE-2025-24813

Overview

  • Apache Software Foundation
  • Apache Tomcat
10 Mar 2025
Published
02 Apr 2025
Updated
CVSS
Pending
EPSS
93.76%
KEV

Description

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Statistics

  • 2 Posts
  • 4 Interactions

Fediverse

Profile picture
cR0w :cascadia: @cR0w

Unit42 has a good write-up on some ITW Tomcat and Camel shenanigans exploiting CVE-2025-24813, CVE-2025-27636, and CVE-2025-29891. IOCs in the post.

But does anyone know if this is a typo by the article or if there are actual files with the .sesson extension? Seems like a good indicator to search on if it's not a typo.

As noted in our earlier analysis, exploits for CVE-2025-24813 use a name appended by .sesson in the initial HTTP request. This .session file contains the code the vulnerable host will run if an exploit is successful.

Edit: Confirmed typo per this response: infosec.exchange/@0xThiebaut/1

unit42.paloaltonetworks.com/ap

  • 1
  • 2
  • 12 hours ago
Profile picture
LCSC-IE, Cyber Threat Intel News 🇮🇪 @LCSC_IE

🟥𝐋𝐂𝐒𝐂-𝐈𝐄 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐅𝐢𝐧𝐝𝐢𝐧𝐠𝐬-𝟑 𝐉𝐮𝐥𝐲 𝟐𝟎𝟐𝟓🟥

𝐍𝐞𝐰𝐬:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

𝐀𝐏𝐓 𝐈𝐎𝐂𝐬:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin
Accounts-mysticete[.]servepics[.]com
freedrive[.]servehttp[.]com
login-accounts[.]servehttp[.]com
myaccounts-profile[.]servehttp[.]com
mydocs[.]onthewifi[.]com
securedrive-mofa[.]servehttp[.]com
translate[.]onthewifi[.]com
undocs[.]ddns[.]net
undocs[.]myvnc[.]com
undocs[.]servehttp[.]com

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

  • 0
  • 1
  • 13 hours ago

CVE-2025-49493

Overview

  • Akamai
  • CloudTest
30 Jun 2025
Published
30 Jun 2025
Updated
CVSS v3.1
MEDIUM (5.8)
EPSS
0.04%
KEV

Description

Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.

Statistics

  • 1 Post

Fediverse

Profile picture
DragonJAR @dragonjar

Cisco alerta sobre credenciales SSH inseguras y una vulnerabilidad crítica en Unified CM que permite acceso root. Además, un incremento preocupante del malware LNK en Windows, problemas de inicio de sesión en Citrix tras parches, y un criminal condenado por smishing resaltan la necesidad de mantener la seguridad actualizada. Descubre estos y más detalles en el siguiente listado de noticias sobre seguridad informática:

🗞️ ÚLTIMAS NOTICIAS EN SEGURIDAD INFORMÁTICA 🔒
====| 🔥 LO QUE DEBES SABER HOY 03/07/25 📆 |====

🔒 CISCO ADVIERTE SOBRE CREDENCIALES SSH INSEGURAS

Cisco ha identificado y eliminado una cuenta de puerta trasera en su Administrador de Comunicaciones Unificadas (Unified CM). Esta vulnerabilidad podría haber permitido a atacantes remotos acceder a dispositivos no actualizados con privilegios de root, lo que representa un grave riesgo de seguridad. No te arriesgues, infórmate sobre cómo proteger tu sistema. 👉 djar.co/56baTT

📷 ANALIZANDO VULNERABILIDAD EN WHATSAPP

Investigadores de IBM han profundizado en la vulnerabilidad CVE-2019-11932 relacionada con WhatsApp, afectando a una biblioteca de procesamiento de imágenes utilizada por la aplicación. Esta vulnerabilidad podría permitir ataques en dispositivos Android a través de archivos GIF manipulados. Descubre los detalles para mantener tus aplicaciones seguras. 👉 djar.co/mnNT

🦠 AUMENTO EN EL USO DE MALWARE LNK EN WINDOWS

Un nuevo informe revela un crecimiento alarmante en el uso del malware de acceso directo (LNK) en sistemas Windows. Este tipo de ataque aprovecha archivos LNK para introducir malware en las máquinas. Aprende a reconocer y prevenir estas amenazas emergentes para proteger mejor tu entorno digital. 👉 djar.co/0QjsAe

⚠️ VULNERABILIDAD CRÍTICA EN CISCO UNIFIED CM

La vulnerabilidad CVE-2025-20309 en Cisco Unified CM puede otorgar acceso root a atacantes, permitiendo la ejecución arbitraria de comandos en el sistema. Es crucial que los administradores de red tomen acciones inmediatas para mitigar este riesgo. Obtén más información sobre cómo defenderte de esta amenaza. 👉 djar.co/0NDwaw

🌐 EXPLOTACIÓN DE VULNERABILIDAD XXE EN AKAMAI

Explora cómo se descubrió y explotó una vulnerabilidad de Inyección de Entidad Externa XML (CVE-2025-49493) en Akamai CloudTest, una aplicación utilizada ampliamente. Conoce los métodos de ataque y refuerza tus estrategias de seguridad para prevenir incidentes similares. 👉 djar.co/t5Ovo

🔑 CITRIX Y PROBLEMAS DE INICIO DE SESIÓN TRAS PARCHES

Citrix alerta sobre problemas de inicio de sesión en dispositivos NetScaler ADC y Gateway tras aplicar parches a vulnerabilidades que podrían ser explotadas para eludir la autenticación. Es vital que las organizaciones estén atentas a estos cambios para garantizar el acceso seguro a sus sistemas. Más detalles sobre la situación actual: 👉 djar.co/zw9E

👮 CONDENADO POR CAMPAÑA MASIVA DE SMISHING

Un criminal ha sido sentenciado a más de un año de prisión por operar un Blaster SMS, llevando a cabo una campaña masiva de smishing. Este caso es un recordatorio sobre la importancia de educar a los usuarios para evitar caer en fraudes que buscan robar información personal. Aprende cómo protegerte de estas estafas. 👉 djar.co/7yX8Oo

  • 0
  • 0
  • 14 hours ago

CVE-2025-53110

Overview

  • modelcontextprotocol
  • servers
02 Jul 2025
Published
02 Jul 2025
Updated
CVSS v4.0
HIGH (7.3)
EPSS
0.06%
KEV

Description

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve.

Statistics

  • 1 Post
  • 1 Interaction

Fediverse

Profile picture
LCSC-IE, Cyber Threat Intel News 🇮🇪 @LCSC_IE

🟥𝐋𝐂𝐒𝐂-𝐈𝐄 𝐃𝐚𝐢𝐥𝐲 𝐂𝐲𝐛𝐞𝐫 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐅𝐢𝐧𝐝𝐢𝐧𝐠𝐬-𝟑 𝐉𝐮𝐥𝐲 𝟐𝟎𝟐𝟓🟥

𝐍𝐞𝐰𝐬:

1. Microsoft to Lay Off 9,000 Employees, Affecting 4% of Workforce

reuters.com/business/world-at-

2. Hunters International Ransomware Shuts Down, Offers Free Decryptors to Victims

cyberinsider.com/hunters-inter

3. UK charity bank branded a 'disaster' after platform migration goes wrong

theregister.com/2025/07/03/uk_

4. Police warn of SMS scams following prison sentence for criminal who conducted smishing campaign

ukfinance.org.uk/news-and-insi

5. Large Language Models (LLMs) Are Falling for Phishing Scams: What Happens When AI Gives You the Wrong URL?

netcraft.com/blog/large-langua

6. Russia’s Cyber Warriors Assail NATO-Linked Private Companies

cepa.org/article/russias-cyber

7. US probes negotiator suspected of taking crypto ransomware money

cointelegraph.com/news/digital

8. Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen

iranwire.com/en/news/142915-cy

9. Spain arrests hackers who targeted politicians and journalists

policia.es/_es/comunicacion_pr

10. A third of organisations take more than 90 days to remediate threats

itsecurityguru.org/2025/07/02/

---

𝐆𝐥𝐨𝐛𝐚𝐥 𝐁𝐫𝐞𝐚𝐜𝐡 𝐍𝐞𝐰𝐬 𝐚𝐧𝐝 𝐃𝐚𝐭𝐚 𝐋𝐞𝐚𝐤𝐬:

1. Irish Eyecare software firm Ocuco investigating cyber-attack

thecurrency.news/articles/1946

---

𝐓𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐑𝐞𝐩𝐨𝐫𝐭𝐬 𝐰𝐢𝐭𝐡 𝐈𝐎𝐂𝐬:

1. Apache Under the Lens: Tomcat’s Partial PUT and Camel’s Header Hijack

unit42.paloaltonetworks.com/ap

2. Snake Keyloggers Exploit Java Tools to Bypass Security – Active IOCs

rewterz.com/threat-advisory/sn

3. Who are DragonForce Ransomware Group?

bridewell.com/insights/blogs/d

4. Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands

silentpush.com/blog/fake-marke

5. Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

wiz.io/blog/exposed-jdwp-explo

6. Malvertising Campaign Delivers Oyster/Broomstick Backdoor via SEO Poisoning and Trojanized Tools

arcticwolf.com/resources/blog/

7. North Korean APT Kimsuky aka Black Banshee – Active IOCs

rewterz.com/threat-advisory/no

8. DarkTortilla Malware – Active IOCs

rewterz.com/threat-advisory/da

---

𝐀𝐏𝐓 𝐈𝐎𝐂𝐬:

1. Lazarus: Source VT
yourdomainhost[.]store
api[.]yourdomainhost[.]store

2. Kimsuky: Source Validin
Accounts-mysticete[.]servepics[.]com
freedrive[.]servehttp[.]com
login-accounts[.]servehttp[.]com
myaccounts-profile[.]servehttp[.]com
mydocs[.]onthewifi[.]com
securedrive-mofa[.]servehttp[.]com
translate[.]onthewifi[.]com
undocs[.]ddns[.]net
undocs[.]myvnc[.]com
undocs[.]servehttp[.]com

---

𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 / 𝐃𝐅𝐈𝐑 / 𝐌𝐚𝐥𝐰𝐚𝐫𝐞:

1. Automating macOS Incident Response: DFIR-as-Code in Action Against AppleProcessHub

abstract.security/blog/automat

2. Using Staging Folders For Threat Hunting

knowyouradversary.ru/2025/07/1

3. PDFs: Portable documents, or perfect deliveries for phish?

blog.talosintelligence.com/pdf

4. EscapeRoute: Breaking the Scope of Anthropic’s Filesystem MCP Server
(CVE-2025-53109 & CVE-2025-53110)

cymulate.com/blog/cve-2025-531

5. Yet another ZIP trick

hackarcana.com/article/yet-ano

6. Malware development trick 48: leveraging Office macros for malware. Simple VBA example.

cocomelonc.github.io/malware/2

7. Hijacked by a Text: Understanding and Preventing SIM Swapping Attack

bitsight.com/blog/what-is-sim-

8. CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

crowdstrike.com/en-us/blog/cro

9. DanaBot Lab Analysis

omer-secure.medium.com/danabot

10. ClickFix Campaign: How Clipboard Injection Leads to RAT Infection (Part 1)

h3xstone.medium.com/clickfix-c

11. Release Notes: Detonation Actions, Enhanced QR Extraction, and 1,400+ New Detection Rules

any.run/cybersecurity-blog/rel

12. Inside Android Malware Development: Building a C2 Exfiltrator from the UI to the Network

medium.com/@lord_murak/inside-

---

𝐋𝐢𝐠𝐡𝐭 𝐑𝐞𝐚𝐝𝐢𝐧𝐠:

1. Pro-Russian hacktivism: Shifting alliances, new groups and risks

intel471.com/blog/pro-russian-

2. Insider Risk Lessons from the DPRK IT Worker Crackdown

dtexsystems.com/blog/insider-r

3. Calling Out Russia: France’s Shift on Public Attribution

warontherocks.com/2025/07/call

4. Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

reco.ai/blog/coinbase-breach

---

  • 0
  • 1
  • 13 hours ago
Showing 21 to 30 of 50 CVEs