Programmer’s Digest #139
06/11/2025-06/18/2025: Active Exploitation of Linux Kernel Privilege Escalation Vulnerability, Veeam Patches Critical Vulnerability, and More.
1. CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability
CISA has added a Linux kernel vulnerability (CVE-2023-0386, CVSS 7.8) to its KEV catalog, warning it’s being actively exploited. The flaw, patched in early 2023, is an improper ownership bug in the OverlayFS subsystem that allows local privilege escalation. The issue arises when files are copied from a nosuid mount to another mount, letting unprivileged users escalate privileges by creating a root-owned SUID binary. Datadog called the exploit “trivial,” noting it abuses the kernel’s failure to properly check user namespace mappings.
While exact exploitation methods in the wild remain unclear, similar OverlayFS-related flaws—dubbed GameOver(lay)—have been detailed by cloud security firm Wiz, showing they can also grant root access on Unix systems. CISA has mandated that all Federal Civilian Executive Branch agencies apply patches by July 8, 2025, to defend against these active threats.
2. Veeam Patches Critical Vulnerability in Backup & Replication
Veeam has released patches for a critical vulnerability (CVE-2025-23120, CVSS 9.9) in its Backup & Replication software that could allow remote code execution (RCE) by authenticated domain users. The flaw affects version 12.3.0.310 and earlier builds. Users are urged to update to version 12.3.1 (build 12.3.1.1139). The issue stems from insecure deserialization within Veeam’s allow-list mechanism. Improper handling allows attackers to trigger inner deserialization using block-listed classes, enabling code execution.
The vulnerability is linked to CVE-2024-40711, exploited in ransomware attacks, and CVE-2024-42455, which allows arbitrary file deletion by authenticated users. Similar flaws may persist due to the software’s large codebase and weak authentication controls. Attackers could potentially exploit the flaw using modified proof-of-concept code. Veeam’s prior patches relied on block-listing, but deeper structural fixes may be needed.
3. Recent Langflow Vulnerability Exploited by Flodrix Botnet
Threat actors are exploiting CVE-2025-3248, a recently patched vulnerability in Langflow, to deploy the Flodrix botnet. The flaw—added to CISA’s KEV catalog in May—allows unauthenticated remote attackers to execute arbitrary code.
Langflow, a low-code AI workflow platform with over 70,000 GitHub stars, patched the issue in version 1.3.0 released in April. Proof-of-concept (PoC) exploits emerged shortly after, and attackers began scanning for exposed instances.
Trend Micro says the attackers use PoC exploits to gain shell access, perform reconnaissance, and then download and execute Flodrix malware. Once active, the bot connects to a command-and-control (C&C) server to await DDoS commands. Flodrix is an evolution of the LeetHozer malware, featuring enhanced obfuscation, new attack types, and stealth techniques to avoid detection.
GreyNoise has observed over 370 IPs exploiting the flaw, with Censys reporting 1,600 internet-exposed Langflow instances as of mid-June.
4. PyPI, npm, and AI Tools Exploited in Malware Surge Targeting DevOps and Cloud Environments
Researchers have uncovered multiple malware-laced npm packages—such as eslint-config-airbnb-compat, ts-runtime-compat-check, and solders—designed to execute remote code and deliver layered payloads. These packages, now removed, were downloaded thousands of times.
One package used obfuscated scripts and Unicode tricks to install Pulsar RAT, a variant of Quasar RAT, hiding payloads within PNG image pixels. Another triggered code via a post-install script, running a PowerShell command that fetched further malware while evading detection.
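As an added example (not from the digest or the researchers it cites), the following script audits a dependency tree for the two warning signs named above: dependencies on the reported package names, and npm lifecycle hooks that run automatically at install time. The manifests and the PowerShell placeholder in the sample are constructed for illustration.

```python
import json
import re

# Package names quoted in the digest above, treated as a deny-list.
KNOWN_MALICIOUS = {"eslint-config-airbnb-compat", "ts-runtime-compat-check", "solders"}
# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Command fragments that usually mean a downloader/launcher stage (heuristic, assumed).
SUSPICIOUS_CMD = re.compile(r"powershell|curl\s|wget\s|node\s+-e|base64|-enc\b", re.I)

def audit_manifest(manifest):
    """Return (package, finding, detail) tuples for one package.json dict."""
    name = manifest.get("name", "<unnamed>")
    findings = []
    if name in KNOWN_MALICIOUS:
        findings.append((name, "known-malicious-package", ""))
    for field in ("dependencies", "devDependencies"):
        for dep in manifest.get(field, {}):
            if dep in KNOWN_MALICIOUS:
                findings.append((name, "depends-on-known-malicious", dep))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            kind = "suspicious-install-hook" if SUSPICIOUS_CMD.search(cmd) else "install-hook"
            findings.append((name, kind, f"{hook}: {cmd}"))
    return findings

def audit_tree(manifest_jsons):
    """Audit the root manifest plus each node_modules manifest, given as JSON strings."""
    findings = []
    for text in manifest_jsons:
        findings.extend(audit_manifest(json.loads(text)))
    return findings

# Constructed sample tree: a project pulling in one of the named packages, whose own
# manifest carries a PowerShell post-install hook (the command is a placeholder).
SAMPLE_TREE = [
    '{"name": "my-app", "dependencies": {"express": "^4.19.0", "solders": "1.0.2"}}',
    '{"name": "express", "scripts": {"test": "mocha"}}',
    '{"name": "solders", "scripts": {"postinstall": "powershell -EncodedCommand PLACEHOLDER"}}',
]

if __name__ == "__main__":
    for pkg, finding, detail in audit_tree(SAMPLE_TREE):
        print(f"{pkg}: {finding} {detail}".rstrip())
```

In a real tree you would feed it the root package.json plus every node_modules/*/package.json; a clean `express`-style manifest produces no findings, while install hooks are reported even when they look benign, since that is where the digest's packages triggered execution.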
Separately, Socket identified cryptocurrency-focused threats—stealers, drainers, and clippers—targeting blockchain projects. AI-assisted coding also introduced risks like slopsquatting, where LLMs hallucinate non-existent package names and attackers exploit this by registering packages under those names.
Additionally, JFrog discovered chimera-sandbox-extensions on PyPI, a red teaming tool disguised as a helper module. It targeted developer credentials, CI/CD tokens, and macOS JAMF data, using domain generation and staged payloads for stealth.