Human Factor Blog

how human behavior affects security

Programmer’s Digest #127

03/19/2025-03/26/2025 Update Next.js, Critical Ingress NGINX Controller Vulnerability, Authentication Bypass in VMware Windows Tools And More.

1. Warning For Developers, Web Admins: Update Next.js to Prevent Exploit

Developers using Next.js should install a security update to fix a critical vulnerability, CVE-2025-29927, which allows authorization bypass if the “middleware” function is enabled. This poses a serious risk for applications relying on middleware for security checks. This vulnerability allows a trivial authentication bypass. Attackers could exploit it by logging in as regular users and tampering with security controls, potentially gaining admin access. All Next.js versions from 11.1.4 onward are affected. Users should upgrade to 15.2.3 (for 15.x) or 14.2.25 (for 14.x).

Applications hosted on Vercel or Netlify, or those not using middleware, are unaffected. If patching isn’t possible, Vercel advises blocking external requests with the x-middleware-subrequest header. Ullrich noted that similar vulnerabilities have appeared in other commercial tools.
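The header-blocking stop-gap above can be implemented as a small guard in front of the application. The block below is an added example, not code from the original post, from Vercel or from the Next.js project: the header name is the one the advice names, while the function names, the in-memory response object and the sample requests are constructed for illustration.

```javascript
'use strict';

// Header named in Vercel's stop-gap advice for CVE-2025-29927.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// True when the inbound request carries the header under any capitalisation.
// Node lower-cases names in req.headers, but a raw proxy or a hand-built
// header map may not, so the comparison is done case-insensitively.
function carriesSubrequestHeader(headers) {
  return Object.keys(headers || {}).some(
    (name) => name.toLowerCase() === BLOCKED_HEADER
  );
}

// Wraps a Node-style (req, res) handler. Requests carrying the header are
// answered with 403 and never reach the application; everything else is
// passed through untouched. The return value is only there for testing.
function guard(handler) {
  return function guarded(req, res) {
    if (carriesSubrequestHeader(req.headers)) {
      res.statusCode = 403;
      res.setHeader('content-type', 'text/plain');
      res.end('forbidden');
      return 'blocked';
    }
    handler(req, res);
    return 'allowed';
  };
}

// Minimal in-memory response object (constructed) so the guard can be
// exercised without opening a socket.
function fakeResponse() {
  return {
    statusCode: 200,
    headers: {},
    body: '',
    setHeader(name, value) { this.headers[name] = value; },
    end(body) { this.body = body || ''; },
  };
}

// Constructed sample requests, not captured traffic. The header values are
// arbitrary: presence of the header alone is what the guard acts on.
const SAMPLE_REQUESTS = [
  { url: '/admin', headers: { host: 'app.example', 'x-middleware-subrequest': '1' } },
  { url: '/admin', headers: { host: 'app.example', 'X-Middleware-Subrequest': '1' } },
  { url: '/admin', headers: { host: 'app.example', 'x-forwarded-for': '203.0.113.7' } },
];

// Runs every sample through the guard and reports the verdict and status.
function classify(requests) {
  const app = guard((req, res) => res.end('hello from app'));
  return requests.map((req) => {
    const res = fakeResponse();
    const verdict = app(req, res);
    return { url: req.url, verdict, status: res.statusCode };
  });
}

console.log(classify(SAMPLE_REQUESTS));
```

In a deployment the guard sits in front of the Next.js server, or the same rule is expressed in whatever reverse proxy already terminates external traffic; the guard only buys time, and upgrading to 15.2.3 or 14.2.25 remains the fix.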

2. Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

Five critical vulnerabilities, dubbed IngressNightmare, have been found in the Ingress NGINX Controller for Kubernetes, exposing over 6,500 clusters to unauthenticated remote code execution. Assigned a CVSS score of 9.8, these flaws allow attackers to access all secrets across namespaces, potentially leading to cluster takeover. The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-1974) exploit the admission controller, which lacks authentication and is accessible over the network. Attackers can inject arbitrary NGINX configurations via malicious ingress objects, executing code within the controller pod.

Cloud security firm Wiz warns that 43% of cloud environments are at risk. The Kubernetes Security Response Committee has patched the flaws in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.

Admins should update immediately and ensure the admission webhook endpoint is not publicly exposed to mitigate risks.

3. Broadcom Warns of Authentication Bypass in VMware Windows Tools

Broadcom released security updates to fix a high-severity authentication bypass flaw (CVE-2025-22230) in VMware Tools for Windows. This vulnerability, caused by improper access control, allows local attackers with low privileges to gain high privileges on vulnerable VMs. “A malicious actor with non-administrative privileges on a Windows guest VM may perform certain high-privilege operations,” VMware warned in a security advisory.

Earlier this month, Broadcom patched three VMware zero-days (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) exploited in attacks. Shortly after, over 37,000 VMware ESXi instances were found exposed to CVE-2025-22224.

4. Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories’ CI/CD Secrets Exposed

A supply chain attack on the GitHub Action “tj-actions/changed-files” initially targeted Coinbase’s open-source project, agentkit, before expanding. The attacker compromised the GitHub Action to leak repository secrets, earning CVE-2025-30066 (CVSS 8.6).

Endor Labs found 218 repositories exposed secrets, including credentials for DockerHub, npm, AWS, and GitHub tokens. Another compromised GitHub Action, “reviewdog/action-setup” (CVE-2025-30154), enabled attackers to modify “tj-actions/changed-files,” affecting all dependent repositories.

The attacker used obfuscation techniques, including dangling commits and temporary accounts, to evade detection. While GitHub found no evidence of a platform compromise, the attack suggests deep knowledge of CI/CD security.

Initially targeting Coinbase, the attacker may have shifted to a broader campaign after Coinbase mitigated the threat. The motive remains unclear but is likely financial, possibly involving cryptocurrency theft. Coinbase has since remediated the attack.

5. CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation

CISA has added a high-severity flaw in NAKIVO Backup & Replication (CVE-2024-48248, CVSS 8.6) to its Known Exploited Vulnerabilities (KEV) catalog. The path traversal bug allows unauthenticated attackers to read sensitive files, including stored credentials. It affects versions before 10.11.3.86570 and was patched in v11.0.0.88174.

Two other vulnerabilities were also added:

  • CVE-2025-1316 (CVSS 9.3): A remote code execution flaw in Edimax IC-7100 IP cameras, exploited to deploy Mirai botnet variants. (Unpatched)
  • CVE-2017-12637 (CVSS 7.5): A directory traversal flaw in SAP NetWeaver AS Java, used to steal sensitive SAP system files, potentially leading to full system compromise.

Federal agencies must apply mitigations by April 9, 2025. SAP cybersecurity firm Onapsis reports active exploitation of CVE-2017-12637, with attackers leveraging it to extract privileged credentials and gain full access to vulnerable SAP applications.


Programmer’s Digest #126

03/12/2025-03/19/2025 Critical mySCADA myPRO Flaws, GitHub Action Hack, Malicious PyPI Packages Stole Cloud Tokens And More.

1. Critical mySCADA myPRO Flaws Could Let Attackers Take Over Industrial Control Systems

Cybersecurity researchers have disclosed two critical flaws in mySCADA myPRO, a SCADA system used in operational technology (OT) environments. These vulnerabilities could allow attackers to take control of affected systems.

Swiss security firm PRODAFT warns that exploitation could lead to severe operational disruptions and financial losses. Both flaws, rated 9.3 on the CVSS v4 scale, involve OS command injection via specially crafted POST requests:

  • CVE-2025-20014 – Exploits a version parameter.
  • CVE-2025-20061 – Exploits an email parameter.

Successful attacks could enable arbitrary code execution. The flaws stem from improper input sanitization and have been patched in:

  • mySCADA PRO Manager 1.3
  • mySCADA PRO Runtime 9.2.1

PRODAFT stresses the need for stronger SCADA security. Organizations should apply patches, isolate SCADA from IT networks, enforce strong authentication, and monitor for threats.

2. GitHub Action Hack Likely Led to Another in Cascading Supply Chain Attack

A cascading supply chain attack started with the compromise of reviewdog/action-setup@v1, leading to the breach of tj-actions/changed-files, exposing CI/CD secrets. Attackers modified tj-actions/changed-files, writing secrets to workflow logs in 23,000 repositories. If public, these logs could have leaked critical credentials.

Wiz researchers believe the root cause was reviewdog/action-setup, which was compromised to inject base64-encoded payloads dumping secrets to logs. Since tj-actions/eslint-changed-files used this action, attackers likely stole its Personal Access Token (PAT).

Other potentially affected actions:

  • reviewdog/action-shellcheck
  • reviewdog/action-composite-template
  • reviewdog/action-staticcheck

Mitigation: Developers should check for reviewdog/action-setup@v1 references, remove affected actions, delete logs, and rotate secrets. To prevent future breaches, pin actions to commit hashes and use GitHub’s allow-listing feature.

Swift action is needed to minimize risk from leaked CI/CD secrets.
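The mitigation above (find references to the compromised actions, then pin every action to a commit hash) is the same check that applies to the tj-actions/changed-files incident in Digest #127. The block below is an added example, not code from the original post or from GitHub: it audits workflow text for the action names the digest lists and for any `uses:` reference that is not a full 40-character commit SHA. The workflow text and the hash in it are constructed sample input, and the helper names are mine.

```javascript
'use strict';

// Actions the digest names as compromised or potentially affected.
const KNOWN_BAD = new Set([
  'reviewdog/action-setup',
  'tj-actions/changed-files',
  'tj-actions/eslint-changed-files',
  'reviewdog/action-shellcheck',
  'reviewdog/action-composite-template',
  'reviewdog/action-staticcheck',
]);

// Matches `uses: owner/repo[/path]@ref`, with or without quotes or a leading
// list dash. Group 1 is the action, group 2 the ref (tag, branch or SHA).
const USES_RE = /^\s*-?\s*uses:\s*['"]?([^@'"\s]+)@([^'"\s#]+)/;
const SHA_RE = /^[0-9a-f]{40}$/;

// Scans one workflow file's text and returns a finding per problem:
// 'known-compromised' for the listed actions, 'not-pinned-to-sha' for any
// marketplace action referenced by tag or branch. Local (./) and docker://
// references have no `@` ref and are skipped by the regex.
function auditWorkflow(yamlText) {
  const findings = [];
  yamlText.split('\n').forEach((line, idx) => {
    const m = USES_RE.exec(line);
    if (!m) return;
    const [, action, ref] = m;
    // owner/repo is the part before any sub-path (owner/repo/path@ref).
    const repo = action.split('/').slice(0, 2).join('/');
    if (KNOWN_BAD.has(repo)) {
      findings.push({ line: idx + 1, action, ref, issue: 'known-compromised' });
    }
    if (!SHA_RE.test(ref)) {
      findings.push({ line: idx + 1, action, ref, issue: 'not-pinned-to-sha' });
    }
  });
  return findings;
}

// Constructed sample workflow; the checkout SHA is a placeholder, not a real
// commit of any repository.
const SAMPLE_WORKFLOW = `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
      - name: lint
        uses: "actions/setup-node@v4"
`;

// Prints findings in a grep-like form for a quick review.
function report(findings) {
  return findings.map((f) => `line ${f.line}: ${f.issue} ${f.action}@${f.ref}`);
}

console.log(report(auditWorkflow(SAMPLE_WORKFLOW)).join('\n'));
```

Run it over every file under .github/workflows; a 'known-compromised' finding means the log and secret rotation steps above apply, and each 'not-pinned-to-sha' finding is a reference to replace with the commit hash of a reviewed release before re-enabling the workflow.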

3. Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal

Cybersecurity researchers warn of a malicious campaign targeting PyPI users with fake “time”-themed packages designed to steal cloud access tokens.

ReversingLabs identified 20 such packages, downloaded over 14,100 times, including acloud-client (5,496 downloads) and snapshot-photo (2,448 downloads). These packages either upload stolen data or impersonate cloud service clients (AWS, Alibaba Cloud, Tencent Cloud) to exfiltrate secrets.

Three packages—acloud-client, enumer-iam, and tcloud-python-test—were dependencies of accesskey_tools, a GitHub project with 519 stars and 42 forks, suggesting a widespread impact. The malicious packages have now been removed from PyPI.

Meanwhile, Fortinet FortiGuard Labs found thousands of suspicious PyPI and npm packages embedding malicious install scripts or communicating with command-and-control (C&C) servers.

Mitigation: Developers should monitor dependencies for suspicious URLs and scrutinize package sources to prevent data theft and malware infections.

4. OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

A new malware campaign, OBSCURE#BAT, uses social engineering to deploy the r77 rootkit, enabling persistence and evasion on infected systems. The attackers remain unidentified. The rootkit hides files, registry keys, and tasks with a specific prefix. It spreads through fake software downloads and CAPTCHA scams, mainly targeting users in the U.S., Canada, Germany, and the U.K.

Initial infection methods include:

  • Fake Cloudflare CAPTCHA pages (ClickFix strategy)
  • Malware disguised as legitimate tools like Tor Browser and VoIP software

Once executed, a batch script runs PowerShell commands to modify the Windows Registry, set up scheduled tasks, and install a stealthy rootkit (ACPIx86.sys). The malware also patches AMSI to bypass antivirus detection and monitors clipboard activity for potential data theft.

OBSCURE#BAT demonstrates advanced evasion techniques, making detection difficult. Security researchers warn that its persistence mechanisms ensure it survives reboots and injects into critical processes like winlogon.exe.


Programmer’s Digest #125

03/05/2025-03/12/2025 FreeType Vulnerability, Over 400 IPs Exploiting Multiple SSRF Vulnerabilities, 3 Ivanti Flaws And More.

1. FreeType Vulnerability Actively Exploited for Arbitrary Code Execution

A critical vulnerability (CVE-2025-27363) in FreeType (versions ≤2.13.0) is being actively exploited, potentially leading to arbitrary code execution.

Vulnerability Details

The flaw occurs when parsing TrueType GX and variable fonts, due to improper assignment of a signed short to an unsigned long, causing a heap buffer overflow. This results in out-of-bounds writes, enabling attackers to execute malicious code.

Affected versions: FreeType 0.0.0 – 2.13.0

Recommendations

  • Update FreeType to a version above 2.13.0
  • Monitor for suspicious activity indicating exploitation
  • Enhance security with firewalls and intrusion detection systems

This vulnerability poses a serious risk to affected systems, making immediate updates and security measures essential.

2. Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

Threat intelligence firm GreyNoise warns of a coordinated surge in SSRF vulnerability exploitation across multiple platforms. At least 400 IPs have been observed attacking multiple SSRF CVEs simultaneously, starting March 9, 2025.

Targeted countries include the U.S., Germany, Singapore, India, Lithuania, Japan, and Israel, which saw a spike on March 11, 2025.

Exploited SSRF vulnerabilities include:

  • Zimbra Collaboration Suite (CVE-2020-7796, 9.8 CVSS)
  • GitLab CE/EE (CVE-2021-22175, 9.8 CVSS)
  • Ivanti Connect Secure (CVE-2024-21893, 8.2 CVSS)
  • And others from VMware, DotNetNuke, and ColumbiaSoft

Attackers are targeting multiple SSRF flaws simultaneously, suggesting automation and intelligence gathering. GreyNoise suspects Grafana reconnaissance precedes the attacks.

Users should apply patches, restrict outbound connections, and monitor for suspicious traffic as SSRF can expose internal networks and steal cloud credentials.
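Restricting outbound connections, as advised above, usually starts with a check on the URL the application is about to fetch. The block below is an added example, not code from the original post or from GreyNoise: an allowlist-based validator that refuses non-HTTP schemes, loopback and IPv6 literals, and IPv4 literals in private, link-local and similar ranges. The blocked-range table, the allowlist and the sample URLs are constructed for illustration.

```javascript
'use strict';

// Address ranges a server-side fetch should never reach: unspecified,
// RFC 1918 private, carrier-grade NAT, loopback and link-local (where cloud
// metadata services are addressed). Constructed list; extend to fit.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Parses a dotted-quad string into an unsigned 32-bit number, or null.
function ipv4ToInt(s) {
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip (unsigned 32-bit) lies inside base/bits.
function inCidr(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Decides whether a user-supplied URL may be fetched. allowedHosts is an
// explicit hostname allowlist; everything else is refused, and IP literals
// in a blocked range are refused before the allowlist is consulted.
function checkOutboundUrl(raw, allowedHosts) {
  let url;
  try {
    url = new URL(raw); // the WHATWG parser also normalises 0x7f000001, 127.1 etc.
  } catch (_) {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme-not-allowed' };
  }
  const host = url.hostname;
  if (host.startsWith('[')) return { ok: false, reason: 'ipv6-literal' };
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback-name' };
  }
  const ip = ipv4ToInt(host);
  if (ip !== null && BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits))) {
    return { ok: false, reason: 'blocked-address-range' };
  }
  if (!allowedHosts.has(host)) return { ok: false, reason: 'host-not-allowlisted' };
  return { ok: true, reason: 'allowlisted' };
}

// Constructed allowlist and sample inputs for a local check.
const ALLOWED = new Set(['api.example.com']);
const SAMPLE_URLS = [
  'https://api.example.com/v1/status',
  'http://169.254.169.254/',
  'http://0x7f000001/',
  'http://localhost:8080/',
  'file:///etc/hosts',
  'https://other.example.net/',
];

function checkAll(urls) {
  return urls.map((u) => ({ url: u, ...checkOutboundUrl(u, ALLOWED) }));
}

console.log(checkAll(SAMPLE_URLS));
```

This check runs before DNS resolution, so it does not cover a hostname on the allowlist that later resolves to a blocked address (rebinding); the connecting layer should re-check the resolved address with the same range table, and egress firewall rules remain the backstop.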

3. 3 Ivanti Flaws Added to CISA’s Vulnerabilities Catalogue

The Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its catalogue, including three Ivanti Endpoint Manager (EPM) flaws that pose a serious security risk.

Newly Listed Vulnerabilities:

  • Advantive VeraCore SQL Injection (CVE-2025-25181)
  • Advantive VeraCore Unrestricted File Upload (CVE-2024-57968)
  • Ivanti EPM Path Traversal (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161)

Experts warn that the Ivanti flaws allow remote, unauthenticated attackers to fully compromise servers. Organizations delaying patches risk domain compromise, credential theft, and lateral movement by attackers.

With Ivanti’s vast market share (400,000+ companies), unpatched systems remain prime targets. CISA urges immediate patching, assuming potential compromise and monitoring for indicators of attack.

4. This Malicious PyPI Package Stole Ethereum Private Keys via Polygon RPC Transactions

Cybersecurity researchers uncovered a malicious Python package, set-utils, on PyPI, designed to steal Ethereum private keys by impersonating popular libraries. The package, downloaded 1,077 times, has since been removed.

Set-utils mimics widely used libraries like python-utils (712M+ downloads) to trick developers, particularly those working with Ethereum wallets and blockchain applications.

The malware intercepts private keys during wallet creation functions like “from_key()” and “from_mnemonic()”, then encrypts and exfiltrates them via blockchain transactions using Polygon’s RPC endpoint to evade detection.

By running in a background thread, the attack remains stealthy, ensuring stolen keys are sent unnoticed. Socket warns that even successfully created Ethereum accounts are compromised.

Developers should verify package authenticity before installation and monitor for unexpected network activity to protect sensitive data.

5. Over 1,000 WordPress Sites Infected with JavaScript Backdoors Enabling Persistent Attacker Access

Over 1,000 WordPress websites have been infected with malicious JavaScript injecting four backdoors, allowing attackers multiple re-entry points.

The script, served via cdn.csyndication[.]com, has been detected on 908 sites. The backdoors:

  1. Fake Plugin – Installs “Ultra SEO Processor” to execute attacker commands.
  2. Code Injection – Adds malicious JavaScript to wp-config.php.
  3. SSH Access – Inserts an attacker-controlled SSH key for persistent access.
  4. Remote Commands – Executes commands and opens a reverse shell via gsocket[.]io.

To mitigate risks, users should remove unauthorized SSH keys, rotate admin credentials, and monitor logs.

Meanwhile, a separate malware campaign hijacked 35,000+ websites, redirecting users to Chinese gambling platforms via JavaScript from domains like mlbetjs[.]com.

Additionally, the ScreamedJungle group has compromised 115+ Magento e-commerce sites using Bablosoft JS for browser fingerprinting, exploiting known Magento vulnerabilities (CVE-2024-34102, CVE-2024-20720).
