LMAO. It's an older vuln and was added to CNVD in 2020 but just got a CVE last week. 🥳

https://www.sangfor.com/blog/cybersecurity/sangfor-endpoint-secure-remote-command-execution-vulnerability

sev:CRIT 10.0 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds.

https://www.cnvd.org.cn/flaw/show/CNVD-2020-46552

https://nvd.nist.gov/vuln/detail/CVE-2025-34041

And FWIW, ShadowServer shows EITW in CN.

https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?date_range=other_value&day=2025-03-07&host_type=src&vulnerability=cnvd-2020-46552&data_set=count&scale=log

Not yet evaluated means no risk yet, right?

https://medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb

Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes.

⚠️ CRITICAL: CVE-2025-6934 in Opal Estate Pro plugin (<=1.7.5) lets unauth attackers register as admins on WordPress sites. Disable plugin, restrict registrations, and review accounts ASAP! https://radar.offseq.com/threat/cve-2025-6934-cwe-269-improper-privilege-managemen-c1a44303 #OffSeq #WordPress #Infosec #PrivilegeEscalation

CVE Record: CVE-2025-49144 - Notepad++ Privilege Escalation In Installer Via Uncontrolled Executable Search Path #SuggestedRead #devopsish https://www.cve.org/CVERecord?id=CVE-2025-49144

🛡️ CRITICAL CSRF vuln in LizardByte Sunshine (<2025.628.4510): attackers can trigger admin-level OS commands via web UI if users visit malicious links. Patch to 2025.628.4510+ ASAP! CVE-2025-53095 https://radar.offseq.com/threat/cve-2025-53095-cwe-352-cross-site-request-forgery--44568b1d #OffSeq #CSRF #Vulnerability #GameStreaming #PatchNow

🚨CVE-2025-20281 & CVE-2025-20282: Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC

• CVSS: 10
• ZoomEye Dork: app="Cisco ISE"
• Results: 1,937
• Advisory:
github.com/advisories/GHSA-rc4f-42xm-hvjwgithub.com/advisories/GHSA-w8p2-wjjr-hr24

• PoC: github.com/abrewer251/CVE-2025-20281-2-Citrix-ISE-RCE

• ZoomEye Search: zoomeye.ai/searchResult?q=YXBwPSJDaXNjbyBJU0Ui

—————

Follow @zoomeye_team's official Twitter/X account and send the message “Dark Web Informer” via DM to receive an extra 15-day membership. 💙

Cisco centra il bersaglio: 9,8 su 10 per due RCE su Identity Services Engine e Passive Identity Connector

Cisco ha segnalato due vulnerabilità RCE critiche che non richiedono autenticazione e interessano Cisco Identity Services Engine (ISE) e Passive Identity Connector (ISE-PIC). Alle vulnerabilità sono stati assegnati gli identificatori CVE-2025-20281 e CVE-2025-20282 e hanno ottenuto il punteggio massimo di 9,8 punti su 10 sulla scala CVSS. Il primo problema riguarda le versioni 3.4 e 3.3 di ISE e ISE-PIC, mentre il secondo riguarda solo la versione 3.4.

La causa principale dell’errore CVE-2025-20281 era l’insufficiente convalida dell’input utente in un’API esposta. Ciò consentiva a un aggressore remoto e non autenticato di inviare richieste API contraffatte per eseguire comandi arbitrari come utente root. Il secondo problema, CVE-2025-20282, era causato da una convalida dei file insufficiente nell’API interna, che consentiva la scrittura di file in directory privilegiate. Questo bug consentiva ad aggressori remoti non autenticati di caricare file arbitrari sul sistema di destinazione ed eseguirli con privilegi di root.

La piattaforma Cisco Identity Services Engine (ISE) è progettata per gestire le policy di sicurezza di rete e il controllo degli accessi e in genere funge da motore di controllo degli accessi alla rete (NAC), gestione delle identità e applicazione delle policy. Questo prodotto è un elemento chiave della rete aziendale ed è spesso utilizzato da grandi aziende, enti governativi, università e fornitori di servizi.

Gli esperti Cisco segnalano che finora non si sono verificati casi di sfruttamento attivo di nuove vulnerabilità (né exploit resi pubblici), ma si consiglia a tutti gli utenti di installare gli aggiornamenti il prima possibile. Gli utenti dovrebbero aggiornare alla versione 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4) e alla versione 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1) o successive. Non esistono soluzioni alternative per risolvere i problemi senza applicare patch.

E’ ovvio che con vulnerabilità di tale entità, sia necessario procedere con urgenza all’aggiornamento delle patch, al fine di prevenire possibili tentativi di violazione. Il fornitore raccomanda pertanto di effettuare tempestivamente gli aggiornamenti necessari.

L'articolo Cisco centra il bersaglio: 9,8 su 10 per due RCE su Identity Services Engine e Passive Identity Connector proviene da il blog della sicurezza informatica.

💣 Actively exploited vulnerability gives extraordinary control over server fleets • Ars Technica

｢ The vulnerability, carrying a severity rating of 10 out of a possible 10, resides in the AMI MegaRAC, a widely used firmware package that allows large fleets of servers to be remotely accessed and managed even when power is unavailable or the operating system isn't functioning ｣

https://arstechnica.com/security/2025/06/active-exploitation-of-ami-management-tool-imperils-thousands-of-servers/

#CVE202454085 #vulnerability #cybersecurity

Okay, I spent some time going through some of my MOVEit logs and I think I see at least part of what's going on with the increase in MOVEit scans noted by @greynoise.

One thing I have noticed is a group of GCP hosts performing high volume scans against the MOVEit servers every seven days, but not against adjacent servers or other servers for the same orgs. This kind of makes it look targeted but the scans are generic kitchen sink vuln scans.

I did notice that some of these and other scanners I've seen over the past few months now have a couple requests that appear to be testing for CVE-2023-34362 mixed in to their other requests. It's like they loaded their automated scanners with updated payload lists.

There are a lot of Cloudflare and AWS IPs in the logs, as indicated by GreyNoise in their blog post. There are not a lot of unique Google IPs but I'm seeing a ton of noise from the ones I do see. But only every seven days. The servers I have logs for all block Tencent so I can't confirm the activity from their infrastructure.

I have also put my juicy eyes on every single GET and POST sent to these MOVEit Transfer servers for the past 60 days and I do not see any payloads that appear to be new or novel. That's not to say there isn't anything new going on, but I'm now comfortable with treating MOVEit servers with the same concern as before the GreyNoise blog post as I don't see any indication of impending action. There may be some WAF or rate limit or geolocation filter testing going on that's disguised as generic scans, but I have no evidence to suggest that's the case.

Caveat: I have relatively low visibility into what's going on at scale like GreyNoise does so take this with a grain of salt and if it's of interest, go confirm it yourself. This is intended to be informational, not actionable.

#threatIntel #MOVEit

Woohoo! Another perfect 10 from last week. And this could hit hard. 🥳

https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.

https://nvd.nist.gov/vuln/detail/CVE-2024-56731

Woohoo! Another perfect 10 from last week. And this could hit hard. 🥳

https://github.com/gogs/gogs/security/advisories/GHSA-wj44-9vcg-wjq7

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3.

https://nvd.nist.gov/vuln/detail/CVE-2024-56731