Programmer’s Digest #148
08/21/2025-08/27/2025 Citrix Vulnerabilities, Docker Fixes Critical Desktop Flaw, Linux Malware Delivered via Malicious RAR Filenames And More.
1. CISA Adds Citrix Vulnerabilities to KEV Catalog as New Flaws Emerge
CISA has added two Citrix flaws to its KEV catalog as new NetScaler issues emerge—one already under active attack.
Added on August 25, the medium-severity bugs patched in November 2024 are CVE-2024-8069 (deserialization of untrusted data) and CVE-2024-8068 (improper privilege management) in Citrix Session Recording. CISA also listed CVE-2025-48384, a CVSS 8.0 link-following flaw in Git.
On August 26, Citrix disclosed three NetScaler vulnerabilities: CVE-2025-7775 (CVSS 9.2), a memory overflow enabling remote code execution/DoS; CVE-2025-7776 (CVSS 8.8), another memory overflow causing instability; and CVE-2025-8424 (CVSS 8.7), improper access control on the management interface. Exploits of CVE-2025-7775 have already been observed, with reports of attackers dropping webshells to backdoor systems.
Patches are available in NetScaler ADC/Gateway versions 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, and 12.1-FIPS/NDcPP 12.1-55.330+. Older 12.1 and 13.0 builds are end-of-life.
2. Docker Fixes Critical Desktop Flaw Allowing Container Escapes
Docker has patched a critical flaw (CVE-2025-9074, CVSS 9.3) in Docker Desktop for Windows and macOS that could allow attackers to escape containers and compromise the host.
The bug let Linux containers access the Docker Engine API via the default subnet 192.168.65.7:2375, even with Enhanced Container Isolation (ECI) or TLS disabled. Attackers could issue privileged API commands, control other containers, or mount host drives. A proof-of-concept showed containers binding the Windows C:\ drive with read/write access, enabling full host takeover.
Researcher Felix Boulet called it a “simple oversight,” as Docker’s internal API was reachable without authentication. Philippe Dugre found Windows particularly exposed—allowing filesystem access, DLL tampering, and data theft—while macOS had reduced impact due to isolation. Linux was unaffected, as it uses named pipes.
Exploitation is possible via malicious containers or Server-Side Request Forgery (SSRF). The flaw has been fixed in Docker Desktop 4.44.3, and users are urged to update immediately.
3. GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets
Researchers are warning of multiple campaigns abusing exposed Redis servers and known vulnerabilities to build botnets, proxies, and cryptomining networks.
One wave exploits CVE-2024-36401 (CVSS 9.8) in OSGeo GeoServer to deploy binaries disguised as legitimate SDKs. These apps covertly monetize victims’ bandwidth by acting as residential proxies, consuming few resources and avoiding detection. Over 7,100 GeoServer instances remain exposed worldwide.
Separately, Censys tracked the PolarEdge IoT botnet, active since 2023, with about 40,000 devices—routers, firewalls, and IP cameras—infected mainly in South Korea, the U.S., and Hong Kong. It installs a TLS backdoor for encrypted C2 and likely functions as an Operational Relay Box (ORB) network to proxy attacker traffic.
Another campaign deploys a Mirai variant dubbed gayfemboy, spreading across industries in multiple countries and adding persistence, evasion, and powerful DDoS functions.
Finally, threat actor TA-NATALSTATUS is hijacking unauthenticated Redis servers for cryptojacking, using cron jobs, defense evasion, mass scanning, and rootkit-like tricks to hide miners.
4. Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection
Cybersecurity researchers have uncovered a novel phishing campaign that delivers the VShell backdoor, a Go-based remote access tool widely used by Chinese hacking groups.
The attack begins with a spam email posing as a beauty product survey offering a cash reward. The message carries a RAR archive (“yy.rar”) containing a file with a maliciously crafted name:
ziliao2.pdf\{echo,
Unlike typical malware hidden in file content or macros, the payload is encoded directly in the filename. When a shell script or command processes that name, the embedded Base64-encoded Bash downloader executes, fetching an ELF binary tailored to the host’s architecture. This binary retrieves and runs the encrypted VShell payload, enabling remote control, file operations, process management, and encrypted C2 communications—all while operating in memory to evade detection.
The discovery highlights an emerging Linux threat vector that exploits shell command injection via filenames. In parallel, Picus Security detailed RingReaper, a stealthy Linux post-exploit tool abusing the io_uring framework to bypass security monitoring.
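The filename-based command injection described in item 4 can be caught before any shell touches the archive contents, and the vulnerable handling pattern can be contrasted with the safe one. The Python below is an added example, not code from the write-up or from the researchers; the third name in SAMPLE_LISTING is constructed in the style of the campaign (the real name is truncated above), and the indicator patterns are this example's own heuristics.

```python
import re
import shlex
from typing import Dict, List

# Shell constructs that have no business in an ordinary document filename.
# These patterns are this example's own heuristics, not a vendor signature.
INDICATORS = [
    (r"`", "backtick command substitution"),
    (r"\$\(", "$( ) command substitution"),
    (r"\{[A-Za-z_]+,", "brace-expansion trick ({echo,...} expands to 'echo ...')"),
    (r"base64", "reference to a base64 decoder"),
    (r"\|\s*(ba)?sh\b", "output piped into a shell"),
    (r"\b(curl|wget)\b", "reference to a network downloader"),
]


def filename_indicators(name: str) -> List[str]:
    """Return the indicators found in a single archive member name (empty if clean)."""
    return [reason for pattern, reason in INDICATORS if re.search(pattern, name)]


def triage_archive_listing(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged member name to its indicators; clean names are left out."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        hits = filename_indicators(name)
        if hits:
            flagged[name] = hits
    return flagged


def unsafe_command(name: str) -> str:
    """The vulnerable pattern: the name is interpolated into a command line, so
    backticks and braces inside it are interpreted when a shell runs the string."""
    return f"ls -l {name}"


def shell_safe_command(name: str) -> str:
    """The hardened pattern: shlex.quote wraps the name in single quotes so a shell
    treats every character as literal data; '--' also stops names starting with '-'."""
    return "ls -l -- " + shlex.quote(name)


# Constructed sample listing (not from the campaign): two benign names plus a name
# built in the style described above. The base64 here decodes to the harmless
# string "echo hello".
SAMPLE_LISTING = [
    "invoice_2025-08.pdf",
    "photo.jpg",
    "ziliao2.pdf`{echo,ZWNobyBoZWxsbw==}|{base64,-d}|bash`",
]
```

Run triage_archive_listing over an archive's member listing before any extracted name is handed to a shell, and build any command that must touch the file with shell_safe_command or, better, with a subprocess argument list and no shell at all.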