Rose debug info
---------------

Human Factor Blog

how human behavior affects security

Programmer’s Digest #138

06/04/2025-06/11/2025 CISA Adds RoundCube Webmail and Erlang Erlang/OTP SSH Server Flaws, Microsoft Patches 67 Vulnerabilities, New Supply Chain Malware Operation Hits npm and PyPI Ecosystems And More.

1. U.S. CISA Adds RoundCube Webmail and Erlang Erlang/OTP SSH Server Flaws to its Known Exploited Vulnerabilities Catalog

CISA has added two critical flaws—CVE-2025-32433 in Erlang/OTP and CVE-2024-42009 in RoundCube Webmail—to its KEV catalog.

CVE-2025-32433 (CVSS 10) affects older Erlang/OTP versions and allows remote code execution via its SSH server without authentication. Systems running versions before OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 are vulnerable. Users should update or disable the SSH server as a temporary fix. CVE-2024-42009 (CVSS 9.3), found by Sonar, is a severe XSS flaw in RoundCube, widely deployed via cPanel. Attackers can execute JavaScript when a victim views a malicious email, enabling email theft, unauthorized sending, and persistent browser access.

These vulnerabilities are actively exploited and must be patched promptly. CISA mandates FCEB agencies address them by the specified deadline, and private organizations are strongly urged to do the same.

2. Cisco Patches Identity Services Engine Flaw Affecting AWS, Azure, OCI

Cisco released patches on June 4 for a critical flaw (CVE-2025-20286) in cloud deployments of Cisco Identity Services Engine (ISE) on AWS, Azure, and Oracle Cloud. The vulnerability allows attackers to access sensitive data, perform limited admin actions, modify configurations, or disrupt services. No active exploitation has been reported yet.

The issue stems from shared admin keys across ISE instances in the same cloud platform and software version, enabling attackers to move laterally across tenants and regions once they compromise one credential. Experts call it a severe “chain-of-trust rupture” that risks widespread takeover.

Security leaders are urged to prioritize patching this flaw immediately. The risk highlights the ongoing challenge of common credentials in enterprise systems and stresses the importance of layered defenses and least-privilege access models to limit damage from breaches.

With multiple critical Cisco patches released recently, teams must focus on vulnerabilities that allow pre-auth access or remote code execution to cloud admin tiers first.

3. Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild

Microsoft has released patches for 67 security flaws, including a critical zero-day (CVE-2025-33053) in WebDAV that is being actively exploited. The flaw allows remote code execution via a malicious URL and has been linked to the Stealth Falcon group, known for targeting Middle Eastern entities. Attackers used a .url file in phishing emails to deliver malware, including a C++ implant named Horus Agent. This tool collects data, downloads files, and injects shellcode. Microsoft also addressed a major Power Automate flaw (CVE-2025-47966) and other significant bugs in Netlogon, SMB, and KDC Proxy. The U.S. CISA has added CVE-2025-33053 to its KEV catalog, mandating federal agencies to patch it by July 1, 2025. CERT/CC also warned about UEFI vulnerabilities that could bypass Secure Boot, allowing malicious code to persist below the OS level. While Microsoft is unaffected by some of these, they pose risks to many UEFI-compliant systems.

4. Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps

Adobe has released patches for 254 security flaws across its software, with 225 affecting Adobe Experience Manager (AEM). These vulnerabilities, mostly stored and DOM-based cross-site scripting (XSS), impact AEM Cloud Service and versions up to 6.5.22. Exploitation could lead to code execution, privilege escalation, or bypassing security features. The issues are fixed in AEM Cloud Service Release 2025.5 and 6.5.23.

Adobe also addressed a critical reflected XSS flaw (CVE-2025-47110, CVSS 9.1) in Adobe Commerce and Magento Open Source that allows arbitrary code execution, along with an improper authorization issue (CVE-2025-43585, CVSS 8.2).

Additional fixes include code execution bugs in InCopy and Substance 3D Sampler. Although none of the flaws are known to be exploited in the wild, Adobe strongly recommends updating to the latest versions to stay protected.

5. Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud

Researchers have uncovered over 20 misconfiguration risks in Salesforce Industry Cloud, exposing sensitive data to unauthorized access. These flaws affect components like FlexCards, Data Mappers, OmniOut, and OmniScripts. Most issues stem from improper customer configurations, not the platform itself.

If unaddressed, the flaws could allow attackers to access encrypted employee and customer data, session details, credentials, and business logic. Salesforce has patched the issues and issued updated configuration guidance.

Key vulnerabilities include exposure of encrypted fields due to missing permission checks (CVE-2025-43697, CVE-2025-43700), guest user access to sensitive settings (CVE-2025-43701), and improper enforcement of required permissions (CVE-2025-43699). A new setting, “EnforceDMFLSAndDataEncryption,” helps mitigate some risks.

Separately, a SQL injection flaw in a default Aura controller could allow attackers to extract database contents. Salesforce confirmed the issue was patched promptly with no signs of exploitation.

 

6. New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

Cybersecurity researchers have uncovered a supply chain attack targeting over a dozen GlueStack-related npm packages, introducing malware that allows attackers to run shell commands, take screenshots, and upload files. These packages collectively see nearly 1 million weekly downloads. The first compromise was detected on June 6, 2025. The injected malware, similar to a recent trojan from another npm package, supports new commands to harvest system info and public IP addresses.

Maintainers revoked access tokens and deprecated affected versions. They say the risk of code execution on user systems is low since the affected libraries are frontend-only, but users should still roll back to safe versions. Separately, two malicious npm packages—express-api-sync and system-health-sync-api—were found containing destructive wipers that delete files and steal data, using SMTP for stealthy exfiltration. Additionally, a Python package on PyPI masquerading as an Instagram growth tool harvests credentials and spreads them to bot services, emphasizing the growing threat in software supply chains.

3 d   digest   programmers'

Programmer’s Digest #137

05/28/2025-06/04/2025 StoreOnce Bug, 10-Year-Old Roundcube RCE Vulnerability, 10-Year-Old Roundcube RCE Vulnerability.

1. HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

Hewlett Packard Enterprise (HPE) has released security updates addressing eight vulnerabilities in its StoreOnce backup and deduplication software, including a critical flaw, CVE-2025-37093, rated 9.8 on the CVSS scale. This bug, an authentication bypass affecting all versions before 4.3.11, could allow remote attackers to access systems without credentials. According to the Zero Day Initiative, the flaw stems from a faulty authentication algorithm in the machineAccountCheck method. If exploited, CVE-2025-37093 could be combined with other issues—such as remote code execution, information disclosure, and arbitrary file deletion—to gain root-level access. Other CVEs include remote code execution (CVE-2025-37089, -37091, -37092, -37096), server-side request forgery (CVE-2025-37090), and directory traversal vulnerabilities (CVE-2025-37094, -37095).

HPE also patched critical issues in its Telco Service Orchestrator and OneView products tied to Apache component vulnerabilities.

2. 10-Year-Old Roundcube RCE Vulnerability Let Attackers Execute Malicious Code

 A critical vulnerability (CVE-2025-49113) has been discovered in Roundcube Webmail, allowing authenticated attackers to execute arbitrary code. Rated 9.9 on the CVSS scale, this flaw affects all versions before 1.5.10 and 1.6.11, potentially impacting over 53 million installations worldwide. The bug stems from improper validation in the upload.php file, allowing PHP object deserialization and code execution. The issue poses a serious risk to popular web hosting platforms like cPanel, Plesk, ISPConfig, and DirectAdmin, which use Roundcube as their default webmail. Roundcube has long been a target for nation-state actors like APT28 and Winter Vivern. Recent phishing and XSS attacks have exploited similar flaws.
The Centre for Cybersecurity Belgium urges immediate patching. Fixed versions 1.5.10 and 1.6.11 are now available. FearsOff plans to release technical details soon, following responsible disclosure protocols.

3. Cryptojacking campaign abuses DevOps APIs with GitHub tools

Security researchers at Wiz have uncovered a new crypto-mining campaign dubbed JINX-0132, targeting exposed DevOps systems like Docker, Gitea, HashiCorp Consul, and Nomad. Attackers exploit known misconfigurations and vulnerabilities to install mining software such as XMRig, often via GitHub-hosted payloads to obscure origins.

Notably, this is the first documented abuse of HashiCorp Nomad, where attackers use open APIs to run jobs that deploy miners. Misconfigured Consul servers are also exploited by injecting commands into health checks to execute hidden mining scripts. Gitea is misused for initial access, particularly when installation mode isn’t locked. Docker remains a frequent target through open APIs that allow launching miner-loaded containers.

Shodan data reveals over 5,300 Consul and 400 Nomad servers are publicly exposed. In a related campaign, attackers exploited Open WebUI to deploy miners and steal Discord and crypto wallet data.

These incidents highlight the urgent need for secure DevOps configurations and continuous monitoring.

4. Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems.

Socket noted that the two malicious gems were published by a threat actor under the aliases Bùi nam, buidanhnam, and si_mobile merely days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month for allegedly not cooperating with the government to tackle illicit activities related to fraud, drug trafficking, and terrorism.

10 d   digest   programmers'

Programmer’s Digest #136

05/21/2025-05/28/2025 Critical Versa Concerto Flaws, Hidden Prompts In Gitlab Duo, Over 70 Malicious npm and VS Code Packages Found Stealing Data and Crypto And More.

1. Critical Versa Concerto Flaws Let Attackers Escape Docker and Compromise Hosts

Cybersecurity researchers have identified three critical vulnerabilities in Versa Concerto’s network security and SD-WAN orchestration platform, which could allow attackers to fully compromise affected systems. Despite being disclosed on February 13, 2025, the flaws remained unpatched past the 90-day deadline, prompting a public advisory.

The issues include CVE-2025-34025 (CVSS 8.6), a Docker privilege escalation; CVE-2025-34026 (CVSS 9.2), an authentication bypass exposing sensitive endpoints; and CVE-2025-34027 (CVSS 10.0), a flaw enabling remote code execution via arbitrary file writes. Successful exploitation of CVE-2025-34027 could allow an attacker to leverage a race condition and write malicious files to disk, ultimately resulting in remote code execution using LD_PRELOAD and a reverse shell.

Versa Networks stated the issues were fixed in version 12.2.1 GA released on April 16, 2025, with no known exploitation in the wild. Users are advised to upgrade, block semicolons in URLs, and monitor traffic for suspicious activity.

2. Hidden Prompts In Gitlab Duo Expose Source Code To Theft

 A critical vulnerability in GitLab’s AI coding assistant, Duo, exposed private code repositories through an indirect prompt injection attack, now patched. Discovered by Legit Security, the flaw allowed attackers to embed hidden prompts in merge requests, commit messages, and comments, tricking Duo into leaking sensitive data or injecting malicious HTML. Built on Anthropic’s Claude, Duo processes full-page content—including Markdown—making it vulnerable to prompts hidden in source code or UI elements. This deep integration introduced client-side risks, letting attackers manipulate responses or redirect users to phishing sites.

Researchers used obfuscation methods like Base16 encoding, Unicode smuggling, and white-text formatting to conceal prompts. These tactics made detection difficult for both developers and security tools. GitLab, following a February 12, 2025, disclosure, added protections such as structured prompts and context boundaries. While these measures reduce risk, GitLab warns they may not block all advanced attacks.

3. Over 70 Malicious npm and VS Code Packages Found Stealing Data and Crypto

Researchers have uncovered multiple malicious campaigns abusing open-source platforms like npm and Visual Studio Code (VS Code) Marketplace to steal data and distribute malware.

Socket found 60 npm packages that exfiltrate hostnames, IPs, and user data to a Discord webhook during install. These packages, downloaded over 3,000 times, target Windows, macOS, and Linux, using sandbox evasion and encoded payloads to avoid detection. Some masqueraded as helper libraries for frameworks like React and Vue, but deployed destructive payloads that could corrupt files or crash systems. One, js-bomb, even triggered shutdowns.

Separately, a phishing campaign used a malicious npm package to redirect victims to a fake Office 365 login page. Another npm package, citiycar8, delivered second-stage JavaScript via encrypted payloads hosted on jsDelivr.

In the VS Code Marketplace, Datadog linked threat actor MUT-9332 to malware-laced extensions targeting Solidity developers. These disguised tools stole crypto wallet credentials and disabled security features. Some also deployed additional malware from remote servers. All extensions have since been removed.

A list of known malicious packages identified across the npm registry and VS Code Marketplace

Still available at time of report; downloaded 6,200+ times:

  • vite-plugin-vue-extend;
  • quill-image-downloader;
  • js-hood;
  • js-bomb (includes file deletion + system shutdown);
  • vue-plugin-bomb;
  • vite-plugin-bomb;
  • vite-plugin-bomb-extend;
  • vite-plugin-react-extend.

4. CISA Warns of Attacks Targeting Commvault SaaS Environment

A threat actor has exploited a zero-day vulnerability (CVE-2025-3928) in Commvault’s cloud-based backup platform, Metallic, to access Microsoft 365 credentials and compromise customer accounts. The attacker, likely linked to a nation-state, gained unauthorized access via Commvault’s Azure-hosted environment, though no backup data was stolen. Commvault first reported the incident in March 2025 after a Microsoft alert. Investigations revealed the threat actor used sophisticated techniques and targeted a small number of customers. The company patched the flaw and enhanced key rotation, monitoring, and configuration options to strengthen defenses. CISA warned this may be part of a larger campaign exploiting SaaS misconfigurations. It recommends rotating app secrets, applying conditional access policies, and monitoring Entra ID logs for anomalies.

On-premises users should secure management interfaces and block path traversal or unauthorized file uploads. Commvault released indicators of compromise and aligned its security measures with Microsoft’s recommendations.

17 d   digest   programmers'
Earlier Ctrl + ↓