Programmer’s Digest #129

04/02/2025-04/09/2025 Flaw in Apache Parquet, CrushFTP Vulnerability, Malicious Python Packages And More.

1. Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code

A critical vulnerability (CVE-2025-30065) in Apache Parquet’s Java library could allow remote code execution if exploited. The flaw, rated with a maximum CVSS score of 10.0, affects versions up to 1.15.0 and has been fixed in version 1.15.1.

According to project maintainers, the issue lies in schema parsing within the parquet-avro module. Endor Labs warns that attackers can exploit it by tricking systems into processing specially crafted Parquet files—especially dangerous for data pipelines and analytics platforms handling untrusted input. Although no active exploitation has been reported, vulnerabilities in Apache projects often draw attacker interest. Keyi Li of Amazon reported the flaw. Separately, a recent CVE-2025-24813 vulnerability in Apache Tomcat was exploited within 30 hours of disclosure. Aqua Security found an attack campaign using weak credentials to deploy Java-based web shells, steal SSH keys, and hijack resources for crypto mining—highlighting the urgency of patching such flaws quickly.

2. CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

CISA has added a critical CrushFTP vulnerability (CVE-2025-31161, CVSS 9.8) to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw, an authentication bypass, allows remote attackers to access any known or guessable user account, potentially leading to full system compromise. It has been patched in versions 10.8.4 and 11.3.1. Initially tracked as CVE-2025-2825, the issue sparked confusion after VulnCheck published a CVE without coordinating with the vendor or discloser, Outpost24. MITRE later assigned the official CVE. VulnCheck accused CrushFTP of delaying disclosure and criticized MITRE’s process. Huntress confirmed exploitation in the wild as early as March 30, 2025. Attackers installed remote desktop tools like AnyDesk and MeshAgent, added admin users, and deployed malware linked to a Telegram bot. At least four organizations across marketing, retail, and semiconductor sectors have been targeted.

3. Malicious Python Packages Attacking Popular Cryptocurrency Library

Cybersecurity experts have uncovered a new threat targeting cryptocurrency developers and users. Two malicious Python packages—bitcoinlibdbfix and bitcoinlib-dev—were found on PyPI, posing as fixes for the widely used bitcoinlib library.

These packages secretly exfiltrate sensitive crypto wallet data by targeting bitcoinlib’s command-line interface. Once installed, they remove the legitimate clw tool and replace it with a malicious version that intercepts user commands and transmits private wallet data to attacker-controlled servers.

The bitcoinlib library is a key resource for developers building blockchain applications, making it a prime target. The malware campaign was discovered by ReversingLabs via its Spectra platform, which uses machine learning to detect suspicious behavior.

This attack is part of a broader trend of supply chain compromises in the crypto space, with nearly two dozen incidents reported in 2024 alone. The attackers used social engineering, claiming their packages fixed a database error to trick developers into installing the malware.

4. CISA Urges Patching For ‘Critical’ Ivanti VPN Flaw

A critical vulnerability (CVE-2025-22457) in Ivanti’s Connect Secure VPN is being actively exploited and must be patched immediately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned.

The flaw allows remote code execution and has been linked to UNC5221, a suspected China-based espionage group responsible for earlier mass attacks on Ivanti VPNs in 2024. Mandiant researchers observed malware deployments and signs of exploitation dating back to mid-March.

The vulnerability affects Ivanti Connect Secure versions 22.7R2.5 and earlier, and unsupported Pulse Connect Secure 9.1x devices. Ivanti released a fix (version 22.7R2.6) on February 11, initially misclassifying the issue as a minor bug.

CISA added the flaw to its Known Exploited Vulnerabilities catalog, urging all organizations—not just federal agencies—to update vulnerable systems. Ivanti noted its Integrity Checker Tool helped detect compromises and stressed that customers using supported versions with recommended configurations are at lower risk. Immediate upgrades are strongly advised.

5. Microsoft Patches 126 Flaws Including Actively Exploited Windows CLFS Vulnerability

Microsoft has released patches for 126 security flaws, including one actively exploited vulnerability (CVE-2025-29824) affecting the Windows Common Log File System (CLFS) Driver. This elevation of privilege (EoP) bug allows attackers with local access to gain SYSTEM-level privileges via a use-after-free condition. It has a CVSS score of 7.8 and has been linked to ransomware attacks. Notably, no patch is yet available for Windows 10 (32/64-bit).

Of the 126 flaws, 11 are Critical and 112 Important, covering privilege escalation, remote code execution, and denial-of-service issues. Other key fixes include RCE flaws in Windows Remote Desktop, Kerberos, Office, Excel, TCP/IP, and Hyper-V.

CISA added CVE-2025-29824 to its Known Exploited Vulnerabilities list, mandating federal agencies to patch by April 29, 2025.

Microsoft’s updates follow fixes from other major vendors, including Apple, Adobe, Cisco, Google, VMware, Fortinet, and more, addressing a wide range of vulnerabilities across platforms.