Programmer’s Digest #125
03/05/2025 – 03/12/2025: FreeType Vulnerability, Over 400 IPs Exploiting Multiple SSRF Vulnerabilities, 3 Ivanti Flaws, and More.
1. FreeType Vulnerability Actively Exploited for Arbitrary Code Execution
A critical vulnerability (CVE-2025-27363) in FreeType (versions ≤2.13.0) is being actively exploited, potentially leading to arbitrary code execution.
Vulnerability Details
The flaw occurs when parsing TrueType GX and variable fonts: a signed short value is improperly assigned to an unsigned long, which produces a heap buffer overflow. The resulting out-of-bounds writes can allow an attacker to execute malicious code.
Affected versions: FreeType 0.0.0 – 2.13.0
Recommendations
- Update FreeType to a version above 2.13.0
- Monitor for suspicious activity indicating exploitation
- Enhance security with firewalls and intrusion detection systems
This vulnerability poses a serious risk to affected systems, making immediate updates and security measures essential.
2. Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
Threat intelligence firm GreyNoise warns of a coordinated surge in SSRF vulnerability exploitation across multiple platforms. At least 400 IPs have been observed attacking multiple SSRF CVEs simultaneously, starting March 9, 2025.
Targeted countries include the U.S., Germany, Singapore, India, Lithuania, Japan, and Israel, which saw a spike on March 11, 2025.
Exploited SSRF vulnerabilities include:
- Zimbra Collaboration Suite (CVE-2020-7796, 9.8 CVSS)
- GitLab CE/EE (CVE-2021-22175, 9.8 CVSS)
- Ivanti Connect Secure (CVE-2024-21893, 8.2 CVSS)
- Others affecting VMware, DotNetNuke, and ColumbiaSoft products
Attackers are targeting multiple SSRF flaws simultaneously, suggesting automation and intelligence gathering. GreyNoise suspects Grafana reconnaissance precedes the attacks.
Users should apply patches, restrict outbound connections, and monitor for suspicious traffic, since SSRF can expose internal networks and be used to steal cloud credentials.
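The "restrict outbound connections" advice above can also be enforced in application code. The following is an added example, not code from GreyNoise or any of the affected products: a Python pre-flight check for server-side URL fetches that rejects non-http(s) schemes, URLs carrying userinfo, and any host whose literal or resolved addresses are not globally routable (loopback, RFC 1918, and link-local space, which includes the 169.254.169.254 cloud metadata endpoint). The allowed-scheme policy, the injectable resolver and all sample addresses are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Outbound fetches from server-side code may only use these schemes
# (constructed policy for this example).
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(ip: str) -> bool:
    """True when an address is not globally routable: loopback, RFC 1918,
    link-local (which covers the 169.254.169.254 cloud metadata endpoint),
    multicast, reserved or unspecified. IPv4-mapped IPv6 is unwrapped first
    so ::ffff:10.0.0.1 is judged as 10.0.0.1."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return not addr.is_global


def resolve_all(host: str) -> list[str]:
    """Return every A/AAAA answer; a name is only as safe as its worst record."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Pre-flight check for a user-supplied URL before the server fetches it.
    Returns (allowed, reason). `resolver` is injectable so the check can be
    exercised offline with constructed DNS answers."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # http://trusted.example@10.0.0.1/ reads like a trusted host but is not.
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP, v4 or v6
    except ValueError:
        try:
            addresses = resolver(host)                   # hostname: check every answer
        except socket.gaierror:
            return False, f"cannot resolve {host!r}"
    for ip in addresses:
        if is_blocked_address(ip):
            return False, f"{host} -> {ip} is not a public address"
    return True, f"{host} -> {', '.join(addresses)}"
```

The address checked here can differ from the one the HTTP client connects to a moment later (DNS rebinding), so this check complements, rather than replaces, the network-level egress restrictions the article recommends.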
3. 3 Ivanti Flaws Added to CISA’s Vulnerabilities Catalogue
The Cybersecurity and Infrastructure Security Agency (CISA) has added five actively exploited vulnerabilities to its catalogue, including three Ivanti Endpoint Manager (EPM) flaws that pose a serious security risk.
Newly Listed Vulnerabilities:
- Advantive VeraCore SQL Injection (CVE-2025-25181)
- Advantive VeraCore Unrestricted File Upload (CVE-2024-57968)
- Ivanti EPM Path Traversal (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161)
Experts warn that the Ivanti flaws allow remote, unauthenticated attackers to fully compromise servers. Organizations delaying patches risk domain compromise, credential theft, and lateral movement by attackers.
With Ivanti’s vast market share (400,000+ companies), unpatched systems remain prime targets. CISA urges organizations to patch immediately, assume potential compromise, and monitor for indicators of attack.
4. This Malicious PyPI Package Stole Ethereum Private Keys via Polygon RPC Transactions
Cybersecurity researchers uncovered a malicious Python package, set-utils, on PyPI, designed to steal Ethereum private keys by impersonating popular libraries. The package, downloaded 1,077 times, has since been removed.
Set-utils mimics widely used libraries like python-utils (712M+ downloads) to trick developers, particularly those working with Ethereum wallets and blockchain applications.
The malware intercepts private keys during wallet creation functions like “from_key()” and “from_mnemonic()”, then encrypts and exfiltrates them via blockchain transactions using Polygon’s RPC endpoint to evade detection.
By running in a background thread, the attack remains stealthy, so stolen keys are sent without the developer noticing. Socket warns that even Ethereum accounts created successfully with the package should be considered compromised.
Developers should verify package authenticity before installation and monitor for unexpected network activity to protect sensitive data.
5. Over 1,000 WordPress Sites Infected with JavaScript Backdoors Enabling Persistent Attacker Access
Over 1,000 WordPress websites have been infected with malicious JavaScript injecting four backdoors, allowing attackers multiple re-entry points.
The script, served via cdn.csyndication[.]com, has been detected on 908 sites. The backdoors:
- Fake Plugin – Installs “Ultra SEO Processor” to execute attacker commands.
- Code Injection – Adds malicious JavaScript to wp-config.php.
- SSH Access – Inserts an attacker-controlled SSH key for persistent access.
- Remote Commands – Executes commands and opens a reverse shell via gsocket[.]io.
To mitigate risks, users should remove unauthorized SSH keys, rotate admin credentials, and monitor logs.
Meanwhile, a separate malware campaign hijacked 35,000+ websites, redirecting users to Chinese gambling platforms via JavaScript from domains like mlbetjs[.]com.
Additionally, the ScreamedJungle group has compromised 115+ Magento e-commerce sites using Bablosoft JS for browser fingerprinting, exploiting known Magento vulnerabilities (CVE-2024-34102, CVE-2024-20720).