Programmer’s Digest #120
01/29/2025-02/05/2025 New Veeam Flaw, Weaponized Go Package Module, PyPI Adds Project Archiving System to Stop Malicious Updates And More.
1. New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack
Veeam has patched a critical security flaw (CVE-2025-23114, CVSS 9.0) in its Backup software that could allow attackers to execute arbitrary code via a Man-in-the-Middle attack. The vulnerability affects older versions of Veeam Backup for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, and Oracle Linux/Red Hat Virtualization. Updated versions with fixes include:
- Salesforce – Updater v7.9.0.1124
- Nutanix AHV – Updater v9.0.0.1125
- AWS – Updater v9.0.0.1126
- Microsoft Azure – Updater v9.0.0.1128
- Google Cloud – Updater v9.0.0.1128
- Oracle Linux/Red Hat Virtualization – Updater v9.0.0.1127
Deployments not protecting these cloud environments remain unaffected. Organizations should update immediately to mitigate security risks.
2. CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of vulnerabilities is as follows:
- CVE-2024-45195 (CVSS score: 7.5/9.8) – A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024)
- CVE-2024-29059 (CVSS score: 7.5) – An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024)
- CVE-2018-9276 (CVSS score: 7.2) – An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018)
- CVE-2018-19410 (CVSS score: 9.8) – A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018)
3. Weaponized Go Package Module Lets Attackers Gain Remote Access To Infected Systems
Researchers at Socket have uncovered a malicious Go package that abuses the Go Module Proxy's caching mechanism to keep a backdoor available for remote access.
The attack uses a typosquatted version of the BoltDB database module, named “boltdb-go”, that mimics the legitimate github.com/boltdb/bolt package and so tricks developers into importing the malicious version. The package contains a backdoor that enables remote code execution through a command-and-control (C2) server. Once the malicious version had been cached by the Go Module Proxy, the attacker altered the repository's Git tags to point to a clean version, so that a manual inspection of the source repository shows no trace of the malware while the proxy continues to serve the cached, backdoored copy. The malicious code obfuscates the C2 address (49.12.198[.]231:20022) by manipulating constants in cursor.go.
Developers should verify package authenticity and watch for potential backdoors. The Go community must also address vulnerabilities in the Go Module Proxy caching system to prevent similar attacks.
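One practical defender-side check for the typosquatting described above is to scan a go.mod for dependency paths that are a few edits away from modules you already trust. The following is an added example written for this digest; it is not Socket's tooling or the Go project's code. The allowlist, the sample go.mod (whose lookalike path is constructed to resemble the "boltdb-go" case) and the distance threshold are assumptions chosen for illustration.

```python
"""Flag go.mod dependencies whose import path is a near-miss of a trusted module.

Added illustration; not Socket's scanner. Allowlist, sample go.mod and
threshold are constructed for this example.
"""
import re

# Constructed allowlist of modules the organisation trusts (assumption).
KNOWN_MODULES = {
    "github.com/boltdb/bolt",
    "go.etcd.io/bbolt",
    "github.com/spf13/cobra",
}

# Constructed go.mod; the first require path is a lookalike of github.com/boltdb/bolt.
SAMPLE_GO_MOD = """module example.com/app

go 1.22

require (
\tgithub.com/boltdb-go/bolt v1.3.1
\tgithub.com/spf13/cobra v1.8.0 // indirect
)

require go.etcd.io/bbolt v1.3.9
"""

# A require entry is "<module path> <version>"; versions start with "v<digit>".
REQUIRE_LINE = re.compile(r"^\s*([A-Za-z0-9._~\-/]+)\s+v\d\S*")


def parse_requires(go_mod_text):
    """Return module paths from both block-style and single-line require directives."""
    deps = []
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].rstrip()  # drop trailing comments such as "// indirect"
        if not line.strip():
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line.strip() == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue  # module, go, replace, exclude lines are not dependencies
        m = REQUIRE_LINE.match(line)
        if m:
            deps.append(m.group(1))
    return deps


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(paths, known, max_distance=3):
    """Map each dependency that is close to, but not equal to, a trusted module onto that module."""
    flagged = {}
    for path in paths:
        if path in known:
            continue
        closest = min(known, key=lambda k: levenshtein(path, k))
        if levenshtein(path, closest) <= max_distance:
            flagged[path] = closest
    return flagged


if __name__ == "__main__":
    for suspect, trusted in find_lookalikes(parse_requires(SAMPLE_GO_MOD), KNOWN_MODULES).items():
        print(f"lookalike dependency: {suspect} (did you mean {trusted}?)")
```

Run it against a real go.mod by replacing SAMPLE_GO_MOD with the file's contents; a hit is a prompt to verify the module's origin, not proof of malice. Because the attack in the story relied on the proxy's cached copy differing from the repository's current tag, a second, independent control is to pin dependencies with go.sum and let `go mod verify` detect any mismatch between the cached module and its recorded hash.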
4. PyPI Adds Project Archiving System to Stop Malicious Updates
PyPI has introduced ‘Project Archival,’ allowing developers to archive projects, signaling no further updates while keeping them downloadable. A warning will inform users of the maintenance status, improving supply-chain security by reducing the risk of hijacked, abandoned packages distributing malicious updates.
The feature also reduces support requests by clearly communicating a project’s lifecycle. Developers can archive projects via PyPI settings and unarchive them anytime. PyPI recommends a final release explaining the archival, though it’s not mandatory.
Built on the LifecycleStatus model, originally designed for project quarantine, the system enables transitions between statuses. Future updates may include statuses like ‘deprecated,’ ‘feature-complete,’ and ‘unmaintained.’ This initiative enhances transparency, helping developers find actively maintained alternatives instead of relying on outdated, insecure dependencies. It also mitigates risks like ‘Revival Hijack’ attacks, where deleted projects are taken over by attackers. By providing a structured approach, PyPI aims to improve security and clarity in open-source project maintenance.
5. Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits
Three security flaws in the open-source PHP package Voyager could allow attackers to execute remote code with a single click.
Sonar researcher Yaniv Nizry revealed that when an authenticated user clicks a malicious link, attackers can run arbitrary code on the server. Despite responsible disclosure on September 11, 2024, the flaws remain unpatched:
- CVE-2024-55417 – Arbitrary file write via /admin/media/upload
- CVE-2024-55416 – Reflected XSS in /admin/compass
- CVE-2024-55415 – Arbitrary file leak and deletion
Attackers can bypass MIME type verification to upload a polyglot file containing executable PHP code. This could be combined with the XSS vulnerability to escalate the attack, triggering remote code execution when a user clicks a crafted link. Additionally, CVE-2024-55415 allows attackers to delete or extract file contents.
Since no fix is available, users should exercise caution when using Voyager.
6. Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution
A critical security flaw in the Cacti network monitoring framework (CVE-2025-22604, CVSS 9.1) could allow authenticated attackers to execute remote code. The issue stems from a flaw in the multi-line SNMP result parser, which allows a user to inject a malformed OID that is then passed to a system command, resulting in command execution. Exploiting this vulnerability lets users with device management permissions run arbitrary code, risking data theft, modification, or deletion. It affects all versions up to 1.2.28 and is patched in 1.2.29. Security researcher u32i discovered the flaw.
Another vulnerability (CVE-2025-24367, CVSS 7.2) is also fixed, preventing attackers from injecting PHP scripts via graph-related functions. Given that Cacti flaws have been actively exploited in the past, organizations should urgently update to the latest version to mitigate risks.
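The defensive pattern behind the Cacti fix class above is general: data that came back from a device (here, SNMP results, possibly spanning several lines) must be validated against a strict grammar before any part of it is reused as an argument to a system command, and the command must be invoked as an argument list rather than a shell string. The following is an added example for this digest, written in Python; it is not Cacti's parser and does not reproduce CVE-2025-22604. The sample snmpwalk-style output is constructed, and the `snmpget` argument list is an assumption about how one would call the tool.

```python
"""Strict OID validation before SNMP results reach a system command.

Added illustration; not Cacti's code. Sample output and argv layout are
constructed assumptions.
"""
import re
import subprocess

# Only dotted numeric OIDs (optionally with a leading dot) are accepted.
OID_RE = re.compile(r"^\.?\d+(\.\d+)*$")

# Constructed multi-line SNMP output: the second value spans two lines.
SAMPLE_SNMP_OUTPUT = """.1.3.6.1.2.1.1.1.0 = STRING: "Linux host 6.1"
.1.3.6.1.2.1.1.5.0 = STRING: "multi
line name"
.1.3.6.1.2.1.1.6.0 = STRING: "rack 3"
"""

RESULT_LINE = re.compile(r"^(\S+) = (.*)$")


def is_valid_oid(oid, max_length=256):
    """True only for a bounded, purely numeric dotted OID; anything else is rejected."""
    return len(oid) <= max_length and OID_RE.fullmatch(oid) is not None


def parse_snmp_results(text):
    """Parse "<oid> = <value>" lines, folding continuation lines into the previous value.

    Raises ValueError if any OID key fails validation, so a malformed OID never
    propagates to later processing.
    """
    results = {}
    current = None
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m:
            oid, value = m.group(1), m.group(2)
            if not is_valid_oid(oid):
                raise ValueError(f"rejected malformed OID: {oid!r}")
            results[oid] = value
            current = oid
        elif current is not None:
            # Continuation of a multi-line value (e.g. a string containing a newline).
            results[current] += "\n" + line
    return results


def build_snmpget_argv(host, community, oid):
    """Return an argument list for snmpget; never a shell string.

    Because the OID is a separate argv element and no shell is involved,
    metacharacters cannot change the command even if validation were bypassed.
    """
    if not is_valid_oid(oid):
        raise ValueError(f"refusing to query malformed OID: {oid!r}")
    return ["snmpget", "-v2c", "-c", community, host, oid]


def run_snmpget(host, community, oid, timeout=10):
    """Execute snmpget with shell=False (default) and a timeout; not called in the demo."""
    return subprocess.run(build_snmpget_argv(host, community, oid),
                          capture_output=True, text=True, timeout=timeout, check=False)


if __name__ == "__main__":
    for oid, value in parse_snmp_results(SAMPLE_SNMP_OUTPUT).items():
        print(oid, "->", value.replace("\n", "\\n"))
    for candidate in (".1.3.6.1.2.1.1.1.0", ".1.3.6.1.2.1.1.1.0; id", "1.3.6.1 $(id)"):
        print(candidate, "valid" if is_valid_oid(candidate) else "REJECTED")
```

The two controls are independent on purpose: the regex stops a malformed OID at the parsing boundary, and the argv form means that even a value that slipped past validation is handed to `snmpget` as one literal argument rather than interpreted by a shell.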