
Programmer’s Digest #137

05/28/2025-06/04/2025 StoreOnce Bug, 10-Year-Old Roundcube RCE Vulnerability.

1. HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

Hewlett Packard Enterprise (HPE) has released security updates addressing eight vulnerabilities in its StoreOnce backup and deduplication software, including a critical flaw, CVE-2025-37093, rated 9.8 on the CVSS scale. This bug, an authentication bypass affecting all versions before 4.3.11, could allow remote attackers to access systems without credentials. According to the Zero Day Initiative, the flaw stems from a faulty authentication algorithm in the machineAccountCheck method. If exploited, CVE-2025-37093 could be combined with other issues—such as remote code execution, information disclosure, and arbitrary file deletion—to gain root-level access. Other CVEs include remote code execution (CVE-2025-37089, -37091, -37092, -37096), server-side request forgery (CVE-2025-37090), and directory traversal vulnerabilities (CVE-2025-37094, -37095).

HPE also patched critical issues in its Telco Service Orchestrator and OneView products tied to Apache component vulnerabilities.

2. 10-Year-Old Roundcube RCE Vulnerability Let Attackers Execute Malicious Code

A critical vulnerability (CVE-2025-49113) has been discovered in Roundcube Webmail, allowing authenticated attackers to execute arbitrary code. Rated 9.9 on the CVSS scale, this flaw affects all versions before 1.5.10 and 1.6.11, potentially impacting over 53 million installations worldwide. The bug stems from improper validation in the upload.php file, allowing PHP object deserialization and code execution. The issue poses a serious risk to popular web hosting platforms like cPanel, Plesk, ISPConfig, and DirectAdmin, which use Roundcube as their default webmail. Roundcube has long been a target for nation-state actors like APT28 and Winter Vivern. Recent phishing and XSS attacks have exploited similar flaws.
The Centre for Cybersecurity Belgium urges immediate patching. Fixed versions 1.5.10 and 1.6.11 are now available. FearsOff plans to release technical details soon, following responsible disclosure protocols.
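Both items above state their fix as "all versions before X", and the Roundcube advisory fixes two release lines at once (1.5.10 and 1.6.11), which is exactly where a naive string or tuple comparison goes wrong: 1.6.3 sorts above 1.5.10 but is still vulnerable. The following branch-aware check is an added example, not code from HPE, Roundcube or the digest. The fixed-version thresholds are the ones stated above; the installed-version strings and the inventory are constructed, and the rule that a release line newer than every fixed line carries the fix forward is an assumption the advisories do not spell out.

```python
"""Branch-aware 'is this version affected?' check for advisories that fix
several release lines at once (added example; thresholds from the digest)."""
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# Fixed versions as stated in the two items above.
ADVISORIES = {
    "CVE-2025-37093": ("HPE StoreOnce", ["4.3.11"]),
    "CVE-2025-49113": ("Roundcube Webmail", ["1.5.10", "1.6.11"]),
}


def parse_version(text: str) -> Version:
    """'1.6.11' -> (1, 6, 11). A trailing tag such as '-rc1' is dropped, so a
    pre-release is treated like the final release; tighten this if you ship RCs."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(installed: str, fixed_in: Iterable[str]) -> bool:
    """True if `installed` predates the fix on its own release line.

    A release line is major.minor. If the line has a fixed release, compare
    against that one. If it has none, it is affected when it is older than
    the newest fixed line (e.g. Roundcube 1.4.x, an EOL line that the
    advisory's 'all versions before' covers); a line newer than every fixed
    line is assumed to carry the fix (assumption, not stated on the page).
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(f) for f in fixed_in)
    line = inst[:2]
    for fix in fixes:
        if fix[:2] == line:
            return inst < fix
    return line < fixes[-1][:2]


def triage(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """inventory: (cve, installed_version) pairs; returns the affected subset."""
    return [(cve, ver) for cve, ver in inventory
            if is_affected(ver, ADVISORIES[cve][1])]


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = [
        ("CVE-2025-37093", "4.3.10"),   # affected
        ("CVE-2025-37093", "4.3.11"),   # fixed
        ("CVE-2025-49113", "1.6.3"),    # affected despite sorting above 1.5.10
        ("CVE-2025-49113", "1.5.10"),   # fixed on the 1.5 line
        ("CVE-2025-49113", "1.4.15"),   # EOL line, affected
    ]
    for cve, ver in triage(sample):
        print(f"{cve} {ADVISORIES[cve][0]} {ver}: AFFECTED")
```

The only judgement call is the final `return`: a line with no fixed release that is older than the newest fixed line is reported as affected, which matches "all versions before" wording and errs toward patching; a line above every fixed line is reported clean, which you should confirm against the vendor's advisory before relying on it.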

3. Cryptojacking campaign abuses DevOps APIs with GitHub tools

Security researchers at Wiz have uncovered a new crypto-mining campaign dubbed JINX-0132, targeting exposed DevOps systems like Docker, Gitea, HashiCorp Consul, and Nomad. Attackers exploit known misconfigurations and vulnerabilities to install mining software such as XMRig, often via GitHub-hosted payloads to obscure origins.

Notably, this is the first documented abuse of HashiCorp Nomad, where attackers use open APIs to run jobs that deploy miners. Misconfigured Consul servers are also exploited by injecting commands into health checks to execute hidden mining scripts. Gitea is misused for initial access, particularly when installation mode isn’t locked. Docker remains a frequent target through open APIs that allow launching miner-loaded containers.

Shodan data reveals over 5,300 Consul and 400 Nomad servers are publicly exposed. In a related campaign, attackers exploited Open WebUI to deploy miners and steal Discord and crypto wallet data.

These incidents highlight the urgent need for secure DevOps configurations and continuous monitoring.
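Each of the four services in the JINX-0132 write-up is abused through a configuration setting rather than a code bug: a Docker API listener without TLS, Consul script checks that run remotely supplied commands, a Nomad API with ACLs off, and a Gitea instance whose installer was never locked. The following audit is an added example, not code from Wiz or from any of the projects. It reads the JSON form of Docker's daemon.json and of the Consul and Nomad agent configs (both agents also accept HCL, which this does not parse) and Gitea's app.ini; the sample configs are constructed, the keys checked are real configuration keys, and real deployments also set these values through CLI flags and environment, so treat it as one input to a fleet audit rather than a complete one.

```python
"""Flag the configuration settings that turn an exposed Docker, Consul,
Nomad or Gitea endpoint into a remote execution channel (added example)."""
import configparser
import json
from typing import Dict, List


def audit_docker(daemon_json: str) -> List[str]:
    """A tcp:// listener without tlsverify is an unauthenticated remote API
    that can create and start arbitrary containers."""
    cfg = json.loads(daemon_json)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        return [f"docker: API listens on {tcp_hosts} without tlsverify"]
    return []


def audit_consul(consul_json: str) -> List[str]:
    """enable_script_checks lets any client that reaches the HTTP API register a
    check whose command the agent executes; enable_local_script_checks restricts
    that to checks defined on the local agent. ACLs with default_policy=deny
    keep anonymous callers off the catalog and agent endpoints."""
    cfg = json.loads(consul_json)
    findings = []
    if cfg.get("enable_script_checks", False):
        findings.append("consul: enable_script_checks=true (remotely registered script checks run on the agent)")
    acl = cfg.get("acl", {})
    if not acl.get("enabled", False) or acl.get("default_policy", "allow") != "deny":
        findings.append("consul: ACLs disabled or default_policy is not 'deny'")
    return findings


def audit_nomad(nomad_json: str) -> List[str]:
    """With acl.enabled false, anyone who can reach the API can submit jobs.
    Nomad's default bind_addr is 0.0.0.0, so the listener is usually wide."""
    cfg = json.loads(nomad_json)
    if not cfg.get("acl", {}).get("enabled", False):
        bind = cfg.get("bind_addr", "0.0.0.0")
        return [f"nomad: acl.enabled is false while bound to {bind} (unauthenticated job submission)"]
    return []


def audit_gitea(app_ini: str) -> List[str]:
    """INSTALL_LOCK=false leaves the web installer reachable after setup."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read_string(app_ini)
    if not ini.getboolean("security", "INSTALL_LOCK", fallback=False):
        return ["gitea: [security] INSTALL_LOCK is not true (installer still reachable)"]
    return []


AUDITORS = {"docker": audit_docker, "consul": audit_consul,
            "nomad": audit_nomad, "gitea": audit_gitea}


def audit(configs: Dict[str, str]) -> List[str]:
    """configs: service name -> config file text. Returns all findings."""
    findings: List[str] = []
    for name, text in configs.items():
        findings.extend(AUDITORS[name](text))
    return findings


# Constructed sample configs: the weak settings the campaign relies on,
# and the corrected form of each.
WEAK = {
    "docker": '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}',
    "consul": '{"enable_script_checks": true, "acl": {"enabled": false}}',
    "nomad": '{"bind_addr": "0.0.0.0", "acl": {"enabled": false}}',
    "gitea": "[security]\nINSTALL_LOCK = false\n",
}
HARDENED = {
    "docker": '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
              '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem"}',
    "consul": '{"enable_local_script_checks": true, '
              '"acl": {"enabled": true, "default_policy": "deny"}}',
    "nomad": '{"bind_addr": "0.0.0.0", "acl": {"enabled": true}}',
    "gitea": "[security]\nINSTALL_LOCK = true\n",
}

if __name__ == "__main__":
    for label, configs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"== {label}: {len(audit(configs))} finding(s)")
        for finding in audit(configs):
            print("  ", finding)
```

Run against your own files by replacing the constructed dictionaries with the contents of /etc/docker/daemon.json, the Consul and Nomad agent config directories, and Gitea's custom/conf/app.ini; the weak sample produces five findings and the hardened sample none.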

4. Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems.

Socket noted that the two malicious gems were published by a threat actor under the aliases Bùi nam, buidanhnam, and si_mobile merely days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month for allegedly not cooperating with the government to tackle illicit activities related to fraud, drug trafficking, and terrorism.
