Programmer’s Digest #121

02/05/2025-02/12/2025 Critical Flaws in Connect Secure and Policy Secure, Vulnerabilities in Cisco Identity Services Engine, Zimbra Releases Security Updates And More.

1. Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now

Ivanti has released security updates to fix multiple vulnerabilities in Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could enable remote code execution.

Vulnerabilities:

  • CVE-2024-38657 (CVSS 9.1): Arbitrary file write via external control of file name (ICS <22.7R2.4, IPS <22.7R1.3).
  • CVE-2025-22467 (CVSS 9.9): Stack-based buffer overflow (ICS <22.7R2.6).
  • CVE-2024-10644 (CVSS 9.1): Code injection (ICS <22.7R2.4, IPS <22.7R1.3).
  • CVE-2024-47908 (CVSS 9.1): OS command injection in CSA admin console (<5.0.5).

Fixed Versions: ICS 22.7R2.6, IPS 22.7R1.3, CSA 5.0.5. Ivanti urges immediate patching, warning that its products are targeted by sophisticated attackers.

Meanwhile, Bishop Fox disclosed details of CVE-2024-53704 in SonicWall SonicOS, affecting 4,500 unpatched SSL VPN servers. Akamai also revealed two vulnerabilities in Fortinet FortiOS (CVE-2024-46666, CVE-2024-46668), with Fortinet fixing another flaw (CVE-2025-24472).

2. Multiple Vulnerabilities in Cisco Identity Services Engine (ISE)

Cisco has released security updates to address critical vulnerabilities (CVE-2025-20124 and CVE-2025-20125) affecting their Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), regardless of device configuration.

Vulnerabilities:

  • CVE-2025-20124: Successful exploitation of the insecure Java deserialisation vulnerability could allow an authenticated remote attacker to perform arbitrary code execution on the vulnerable device as a root user. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.9 out of 10.
  • CVE-2025-20125: Successful exploitation of the authorisation bypass vulnerability could allow an authenticated remote attacker with valid read-only credentials to access sensitive information, modify node configurations, and restart the node.

The vulnerabilities affect Cisco ISE Software versions 3.3 and earlier.

3. Progress Software Fixes Multiple Vulnerabilities in Its LoadMaster Software

Progress Software has patched multiple high-severity vulnerabilities in its LoadMaster software that could allow authenticated attackers to execute system commands or access files. The flaws include CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, and CVE-2024-56135 (CVSS 8.4), all caused by improper input validation, enabling OS command injection. CVE-2024-56134 (CVSS 8.4) allows an attacker with access to the management interface to download any file via a crafted HTTP request. An attacker who gains access to LoadMaster’s management interface and successfully authenticates could exploit these flaws using specially crafted HTTP requests.

4. Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities

Zimbra has released updates to fix critical security flaws in its Collaboration software, including CVE-2025-25064 (CVSS 9.8), an SQL injection vulnerability in the ZimbraSync Service SOAP endpoint affecting versions before 10.0.12 and 10.1.4. Attackers could exploit it to retrieve email metadata. Another patched flaw is a stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client; the fix improves input sanitization and is available in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

Zimbra also addressed CVE-2025-25065 (CVSS 5.3), a server-side request forgery (SSRF) flaw in the RSS feed parser that could allow unauthorized redirection to internal endpoints. This was patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4. Users are urged to update to the latest Zimbra Collaboration versions to protect against these vulnerabilities.

5. Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware

Threat actors are exploiting recently disclosed vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software as part of a ransomware attack, according to Field Effect. The flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—allow information disclosure, privilege escalation, and remote code execution. They were patched in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8. Field Effect observed attackers using a vulnerable SimpleHelp instance to gain access, create an admin account, and deploy the Sliver framework for persistence. The attackers attempted to use a Cloudflare tunnel to stealthily route traffic, but the attack was detected before execution. The tactics resemble Akira ransomware attacks from 2023, though other threat actors may be involved. Organizations using SimpleHelp are urged to update immediately.


Programmer’s Digest #120

01/29/2025-02/05/2025 New Veeam Flaw, Weaponized Go Package Module, PyPI Adds Project Archiving System to Stop Malicious Updates And More.

1. New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack

Veeam has patched a critical security flaw (CVE-2025-23114, CVSS 9.0) in its Backup software that could allow attackers to execute arbitrary code via a Man-in-the-Middle attack. The vulnerability affects older versions of Veeam Backup for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, and Oracle Linux/Red Hat Virtualization. Updated versions with fixes include:

  • Salesforce – Updater v7.9.0.1124
  • Nutanix AHV – Updater v9.0.0.1125
  • AWS – Updater v9.0.0.1126
  • Microsoft Azure – Updater v9.0.0.1128
  • Google Cloud – Updater v9.0.0.1128
  • Oracle Linux/Red Hat Virtualization – Updater v9.0.0.1127

Deployments not protecting these cloud environments remain unaffected. Organizations should update immediately to mitigate security risks.

2. CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

The list of vulnerabilities is as follows:

  • CVE-2024-45195 (CVSS score: 7.5/9.8) – A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024)
  • CVE-2024-29059 (CVSS score: 7.5) – An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024)
  • CVE-2018-9276 (CVSS score: 7.2) – An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018)
  • CVE-2018-19410 (CVSS score: 9.8) – A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018)

3. Weaponized Go Package Module Let Attackers Gain Remote Access To Infected Systems

Researchers at Socket have uncovered a malicious Go package exploiting the Go Module Proxy caching mechanism for remote access.

The attack uses a typosquatted version of the BoltDB database module, named “boltdb-go”, mimicking the legitimate github.com/boltdb/bolt package. This trick deceives developers into downloading the malicious version. The package includes a backdoor enabling remote code execution via a command and control (C2) server. Once cached by the Go Module Proxy, the attacker altered Git tags to point to a clean version, hiding malware traces from manual inspections. The malicious code obfuscates the C2 IP address (49.12.198[.]231:20022) by manipulating constants in cursor.go.

Developers should verify package authenticity and watch for potential backdoors. The Go community must also address vulnerabilities in the Go Module Proxy caching system to prevent similar attacks.
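One practical form of the "verify package authenticity" advice is to compare every required module path against a vetted allowlist and flag near-misses, which is exactly the trap a typosquat like "boltdb-go" relies on. The script below is an added example, not code from Socket or from the Go project: the go.mod content and the allowlist are constructed for illustration, and the similarity threshold (0.85 on difflib's ratio) is an assumption you would tune against your own dependency set.

```python
import difflib

# Constructed go.mod for the example. The first module path is modelled on the
# "boltdb-go" typosquat described above, mimicking github.com/boltdb/bolt.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require (
	github.com/boltdb-go/bolt v1.3.1
	github.com/gorilla/mux v1.8.1
	golang.org/x/sys v0.20.0 // indirect
)
"""

# Assumed allowlist of modules the team has already vetted. In practice it
# would be generated from an internal registry or a reviewed go.sum.
KNOWN_MODULES = frozenset({
    "github.com/boltdb/bolt",
    "go.etcd.io/bbolt",
    "github.com/gorilla/mux",
    "golang.org/x/sys",
})


def parse_go_mod_requires(text: str):
    """Return (module path, version) pairs from single-line and block requires."""
    requires, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block:
            parts = line.split()
            if len(parts) >= 2:
                requires.append((parts[0], parts[1]))
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                requires.append((parts[1], parts[2]))
    return requires


def find_lookalikes(requires, known=KNOWN_MODULES, threshold=0.85):
    """Flag unknown modules whose path closely resembles a vetted one.

    Exact members of the allowlist pass. Anything else is compared with every
    vetted path and reported when the similarity ratio reaches the threshold,
    so a one-token difference such as "boltdb-go" versus "boltdb" stands out.
    """
    findings = []
    for path, version in requires:
        if path in known:
            continue
        best = max(known, key=lambda k: difflib.SequenceMatcher(None, path, k).ratio())
        score = difflib.SequenceMatcher(None, path, best).ratio()
        if score >= threshold:
            findings.append({"module": path, "version": version,
                             "resembles": best, "score": round(score, 2)})
    return findings


if __name__ == "__main__":
    for finding in find_lookalikes(parse_go_mod_requires(SAMPLE_GO_MOD)):
        print(f"{finding['module']}@{finding['version']} resembles "
              f"{finding['resembles']} (score {finding['score']})")
```

A name check like this catches the lure, not the swapped Git tag; for the cached-content half of the attack the relevant control is the checksum database and go.sum, which `go mod verify` checks against the module cache.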

4. PyPI Adds Project Archiving System to Stop Malicious Updates

PyPI has introduced ‘Project Archival,’ allowing developers to archive projects, signaling no further updates while keeping them downloadable. A warning will inform users of the maintenance status, improving supply-chain security by reducing the risk of hijacked, abandoned packages distributing malicious updates.

The feature also reduces support requests by clearly communicating a project’s lifecycle. Developers can archive projects via PyPI settings and unarchive them anytime. PyPI recommends a final release explaining the archival, though it’s not mandatory.

Built on the LifecycleStatus model, originally designed for project quarantine, the system enables transitions between statuses. Future updates may include statuses like ‘deprecated,’ ‘feature-complete,’ and ‘unmaintained.’ This initiative enhances transparency, helping developers find actively maintained alternatives instead of relying on outdated, insecure dependencies. It also mitigates risks like ‘Revival Hijack’ attacks, where deleted projects are taken over by attackers. By providing a structured approach, PyPI aims to improve security and clarity in open-source project maintenance.

5. Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits

Three security flaws in the open-source PHP package Voyager could allow attackers to execute remote code with a single click.

Sonar researcher Yaniv Nizry revealed that when an authenticated user clicks a malicious link, attackers can run arbitrary code on the server. Despite responsible disclosure on September 11, 2024, the flaws remain unpatched:

  • CVE-2024-55417 – Arbitrary file write via /admin/media/upload
  • CVE-2024-55416 – Reflected XSS in /admin/compass
  • CVE-2024-55415 – Arbitrary file leak and deletion

Attackers can bypass MIME type verification to upload a polyglot file containing executable PHP code. This could be combined with the XSS vulnerability to escalate the attack, triggering remote code execution when a user clicks a crafted link. Additionally, CVE-2024-55415 allows attackers to delete or extract file contents.
Since no fix is available, users should exercise caution when using Voyager.

6. Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

A critical security flaw in the Cacti network monitoring framework (CVE-2025-22604, CVSS 9.1) could allow authenticated attackers to execute remote code. The issue stems from a flaw in the multi-line SNMP result parser: malformed OIDs injected into a result are passed on to system commands, leading to command execution. Exploiting this vulnerability lets users with device management permissions run arbitrary code, risking data theft, modification, or deletion. It affects all versions up to 1.2.28 and is patched in 1.2.29. Security researcher u32i discovered the flaw.
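The defensive shape of this bug is a parser that trusts a field it later hands to a command line. The example below is added here and is not Cacti's code: it validates every OID in a multi-line SNMP result against a strict dotted-decimal allowlist before the value can reach an snmpget invocation, and it builds that invocation as an argv list so no shell ever interprets the arguments. The result format (`<oid> = <TYPE>: <value>`) and the sample lines are constructed for the example.

```python
import re

# Constructed multi-line SNMP result in the "<oid> = <TYPE>: <value>" shape that
# net-snmp tools print. Two of the lines carry shell metacharacters where an OID
# should be; they are the malformed input a parser must refuse to pass along.
SAMPLE_RESULT = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Linux router 5.10"
.1.3.6.1.2.1.1.3.0 = Timeticks: (12345) 0:02:03.45
.1.3.6.1.2.1.1.5.0$(id) = STRING: "router"
.1.3.6.1.2.1.2.2.1.2.1; id = STRING: "eth0"
"""

# An OID is dotted decimal arcs, optionally with a leading dot. Nothing else.
OID_RE = re.compile(r"\.?\d+(?:\.\d+)*")
LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")


def is_valid_oid(oid: str) -> bool:
    # Allowlist check: reject before the value reaches any command line.
    return len(oid) <= 512 and OID_RE.fullmatch(oid) is not None


def parse_snmp_multiline(text: str):
    """Split a multi-line result into (oid, type, value) triples.

    Lines whose OID fails the allowlist are returned separately instead of
    being silently forwarded, so the caller can log them as suspicious.
    """
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None or not is_valid_oid(m["oid"]):
            rejected.append(line)
            continue
        accepted.append((m["oid"], m["type"], m["value"]))
    return accepted, rejected


def build_snmpget_argv(host: str, community: str, oid: str) -> list:
    """Build an argv list for net-snmp's snmpget without touching a shell.

    Handing a list to subprocess.run (no shell=True) means no argument is
    reinterpreted, and the OID is re-validated here as a second line of defence
    in case a caller bypassed the parser.
    """
    if not is_valid_oid(oid):
        raise ValueError(f"refusing to query malformed OID: {oid!r}")
    if not host or any(ch.isspace() for ch in host):
        raise ValueError("host must be a single token")
    return ["snmpget", "-v2c", "-c", community, host, oid]


if __name__ == "__main__":
    ok, bad = parse_snmp_multiline(SAMPLE_RESULT)
    for oid, kind, value in ok:
        print("accepted", build_snmpget_argv("192.0.2.10", "public", oid), kind, value)
    for line in bad:
        print("rejected", line)
```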

Another vulnerability (CVE-2025-24367, CVSS 7.2) is also fixed, preventing attackers from injecting PHP scripts via graph-related functions. Given past active exploits in Cacti, organizations should urgently update to the latest version to mitigate risks.


Programmer’s Digest #119

01/22/2025-01/29/2025 Critical Vulnerability in Meta’s Llama Framework, Old jQuery Vulnerability, High-Severity SQL Injection Flaw in VMware Avi Load Balancer And More.

1. Critical Vulnerability in Meta’s Llama Framework Exposes AI Systems to Remote Attacks

A critical security flaw, CVE-2024-50050, has been discovered in Meta’s Llama Stack, an open-source framework for generative AI. The vulnerability, caused by unsafe deserialization via Python’s pickle module, allows remote attackers to execute arbitrary code on affected servers. The flaw exists in the recv_pyobj method from pyzmq, which deserializes untrusted data. Attackers can exploit this by sending malicious payloads over exposed ZeroMQ sockets, leading to remote code execution (RCE). While Meta initially rated the severity as 6.3 (medium), security firms like Snyk assigned it a 9.3 (critical) under CVSS v4.0 due to risks of data breaches and system takeover.

Following responsible disclosure on September 29, 2024, Meta patched the issue in version 0.0.41, replacing pickle with a secure JSON-based implementation. Users should upgrade immediately to mitigate risks. This flaw highlights broader security concerns in AI frameworks and the need for stronger safeguards in open-source dependencies.
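The fix described above, swapping pickle for JSON, is worth seeing side by side. The block below is an added example, not Llama Stack or pyzmq code: it shows why bytes arriving on a socket must never go into pickle.loads (a harmless object whose __reduce__ names os.getpid proves that a function call runs during loading) and what a JSON decoder with schema checks does with the same bytes. The two-key message schema is an assumption for the example.

```python
import json
import os
import pickle
from typing import Any

# Constructed message schema for this example: the only keys a well-formed
# request may carry. Llama Stack's real message format is not shown here.
ALLOWED_KEYS = {"method", "params"}


class Beacon:
    """Harmless stand-in for an attacker-controlled object.

    pickle stores the (callable, args) pair returned by __reduce__ and calls it
    during loads(). os.getpid is benign; the point is that any callable runs.
    """

    def __reduce__(self):
        return (os.getpid, ())


def decode_with_pickle(raw: bytes) -> Any:
    # The pattern behind CVE-2024-50050: untrusted bytes go straight into
    # pickle, which reconstructs arbitrary objects and runs code while doing so.
    return pickle.loads(raw)


def decode_with_json(raw: bytes) -> dict:
    # The hardened pattern: JSON yields only dicts, lists, strings, numbers,
    # booleans and None, and nothing executes during parsing. The result is
    # then checked against the expected schema before anything acts on it.
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"rejected non-JSON message: {exc}") from None
    if not isinstance(obj, dict):
        raise ValueError("top-level message must be a JSON object")
    unexpected = set(obj) - ALLOWED_KEYS
    if unexpected:
        raise ValueError(f"unexpected keys: {sorted(unexpected)}")
    if not isinstance(obj.get("method"), str):
        raise ValueError("'method' must be a string")
    if not isinstance(obj.get("params", {}), dict):
        raise ValueError("'params' must be a JSON object")
    return obj


def demonstrate() -> dict:
    """Feed the same untrusted bytes to both decoders and report what happened."""
    payload = pickle.dumps(Beacon())
    # pickle.loads hands back os.getpid()'s result: a call ran during parsing.
    unpickled = decode_with_pickle(payload)
    try:
        decode_with_json(payload)
        json_rejected = False
    except ValueError:
        json_rejected = True
    good = decode_with_json(b'{"method": "inference.chat", "params": {"n": 1}}')
    return {
        "pickle_ran_a_call": unpickled == os.getpid(),
        "json_rejected_pickle": json_rejected,
        "json_accepted_method": good["method"],
    }


if __name__ == "__main__":
    print(demonstrate())
```

The schema check matters as much as the format change: JSON stops code execution at parse time, but a service that then dispatches on an unchecked "method" string has only moved the trust problem one layer up.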

2. CISA Warns of Old jQuery Vulnerability Linked to Chinese APT

CISA has added an old jQuery vulnerability (CVE-2020-11023) to its KEV catalog. Disclosed in April 2020, this medium-severity XSS flaw can lead to arbitrary code execution. Major organizations like Linux distributions, F5, IBM, and Atlassian previously warned users about its impact.

It’s unclear why CISA added it now, as no recent exploitation reports have surfaced. However, past reports indicate that Chinese state-sponsored APT1 exploited the flaw, with Tenable confirming its use in 2021 for system compromises.

CISA hasn’t clarified if newer attacks prompted this move or if it’s based on older threats. Federal agencies must assess their exposure and take action by February 13.

3. Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

A security review of Palo Alto Networks firewalls uncovered multiple firmware vulnerabilities and misconfigurations, exposing devices to potential attacks. Security firm Eclypsium analyzed three models—PA-3260, PA-1410, and PA-415—identifying well-known flaws, collectively named PANdora’s Box.

These include:

  • CVE-2020-10713 (BootHole) – Secure Boot bypass
  • Multiple SMM vulnerabilities (PA-3260) – Privilege escalation
  • LogoFAIL (PA-3260) – Secure Boot bypass via image parsing flaws
  • PixieFail (PA-1410, PA-415) – UEFI network stack vulnerabilities
  • Insecure flash access (PA-415) – UEFI modification risk
  • CVE-2023-1017 (PA-415) – TPM 2.0 out-of-bounds write
  • Intel BootGuard bypass (PA-1410)

Palo Alto Networks stated these flaws cannot be exploited under normal conditions with updated PAN-OS and secured interfaces but is working on mitigations. Organizations should update firmware and follow best practices to secure their networks.

4. Broadcom Warns of High-Severity SQL Injection Flaw in VMware Avi Load Balancer

Broadcom has warned of a high-severity flaw (CVE-2025-22217, CVSS 8.6) in VMware Avi Load Balancer, allowing attackers to gain unauthenticated database access via blind SQL injection.

Attackers with network access can exploit this by sending crafted SQL queries. The flaw, discovered by Daniel Kukuczka and Mateusz Darda, affects:

  • 30.1.1, 30.1.2 (Fixed in 30.1.2-2p2)
  • 30.2.1 (Fixed in 30.2.1-2p5)
  • 30.2.2 (Fixed in 30.2.2-2p2)

Versions 22.x and 21.x are not affected. Users on 30.1.1 must upgrade to 30.1.2+ before patching.

There are no workarounds, making immediate updates essential for security.

5. Hackers Actively Exploiting Zyxel 0-day Vulnerability to Execute Arbitrary Commands

A zero-day vulnerability (CVE-2024-40891) in Zyxel CPE devices is being actively exploited, allowing attackers to execute arbitrary commands without authentication. This flaw poses serious risks, including system compromise, data theft, and network infiltration.

Security scans have identified over 1,500 infected devices, with no official fix available. The flaw, a command injection issue in telnet service accounts (e.g., “supervisor,” “zyuser”), enables attackers to send crafted telnet requests to gain control.

Researchers at GreyNoise and VulnCheck confirmed active exploitation, but Zyxel has not yet released a patch.

Mitigation Steps:

  • Monitor network traffic for suspicious telnet activity.
  • Restrict access to admin interfaces from trusted IPs.
  • Disable remote management to reduce attack surfaces.
  • Check for Zyxel security updates and apply patches when available.

Organizations using Zyxel CPE devices must act immediately to mitigate threats while awaiting an official fix.
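The first two mitigation steps (monitor for telnet activity, restrict management access to trusted IPs) can be checked against firewall logs with a few lines of code. The example below is added here and is not from Zyxel, GreyNoise or VulnCheck: it parses constructed key=value firewall log lines, treats one assumed management network as trusted, and summarises telnet sessions to the CPE from anywhere else, separating accepted sessions (exposure that needs fixing) from dropped attempts (probing worth watching). Adapt the regex to the real device's log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines for the example. The key=value layout is an
# assumption; real devices differ, but the fields (source, destination port,
# verdict) are what any such log carries.
SAMPLE_LOG = """\
2025-01-27T10:12:03Z src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23 action=accept
2025-01-27T10:12:04Z src=10.0.50.4 dst=192.0.2.10 proto=tcp dport=23 action=accept
2025-01-27T10:12:05Z src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=23 action=accept
2025-01-27T10:12:06Z src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=443 action=accept
2025-01-27T10:12:07Z src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=23 action=drop
"""

# Assumed: the only network permitted to reach CPE management interfaces.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.50.0/24")]
TELNET_PORT = 23

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\w+)"
    r"\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


def parse_log(text: str):
    """Turn log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def is_trusted(ip_text: str, nets=TRUSTED_MGMT_NETS) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in nets)


def telnet_alerts(events, nets=TRUSTED_MGMT_NETS):
    """Summarise telnet reaching the device from outside the trusted networks.

    Accepted sessions are the finding that needs action: the management
    interface is reachable from an untrusted source. Dropped attempts are
    returned as context so a source that keeps probing stays visible.
    """
    accepted, dropped = Counter(), Counter()
    for ev in events:
        if ev["proto"] != "tcp" or ev["dport"] != TELNET_PORT or is_trusted(ev["src"], nets):
            continue
        bucket = accepted if ev["action"] == "accept" else dropped
        bucket[ev["src"]] += 1
    return {"accepted_untrusted": dict(accepted), "dropped_untrusted": dict(dropped)}


if __name__ == "__main__":
    report = telnet_alerts(parse_log(SAMPLE_LOG))
    for src, n in report["accepted_untrusted"].items():
        print(f"ALERT: {n} accepted telnet session(s) from untrusted {src}")
    for src, n in report["dropped_untrusted"].items():
        print(f"info: {n} dropped telnet attempt(s) from {src}")
```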

6. GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

Several security vulnerabilities, collectively named Clone2Leak, have been found in GitHub Desktop and related Git projects, potentially exposing users’ Git credentials.

Key Vulnerabilities:

  • CVE-2025-23040 (6.6 CVSS) – Crafted URLs can leak credentials in GitHub Desktop.
  • CVE-2024-50338 (7.4 CVSS) – Carriage return character smuggling in Git Credential Manager.
  • CVE-2024-53263 (8.5 CVSS) – Git LFS leaks credentials via HTTP URL injection.
  • CVE-2024-53858 (6.5 CVSS) – GitHub CLI leaks authentication tokens to unauthorized hosts.

Exploitation could allow attackers to access privileged Git resources. Git has patched CVE-2024-52006 and CVE-2024-50349 in v2.48.1.

Mitigation Steps:

  • Update Git, GitHub Desktop, and Git LFS to the latest versions.
  • Avoid cloning untrusted repositories with --recurse-submodules.
  • Disable credential helpers and use public repositories when possible.
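The common thread in these bugs is that the credential helper protocol is line based, so a carriage return or newline smuggled into a remote URL can be read as a separate key=value line. The block below is an added example, not code from Git, GitHub Desktop, Git LFS or Git Credential Manager: it derives the protocol, host and path lines a helper would be asked about from a remote URL and refuses any URL carrying control characters, checking the raw and percent-decoded string before parsing, because a URL parser may normalise away the very characters the check is looking for.

```python
from urllib.parse import unquote, urlsplit

# Git credential helpers read "key=value" lines terminated by a blank line, so
# a CR or LF inside any value can be interpreted as an extra line. These helpers
# are an added illustration of validating input before it reaches that protocol.


def has_control_chars(text: str) -> bool:
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text)


def build_credential_request(url: str) -> list:
    """Derive the protocol/host/path lines for a helper from a remote URL.

    The control-character check runs on the raw string (and on its
    percent-decoded form, in case a downstream component decodes it) before
    urlsplit, because the parser would otherwise discard the bytes we want to
    catch: recent Python versions strip newline characters from URLs.
    """
    if has_control_chars(url) or has_control_chars(unquote(url)):
        raise ValueError("remote URL contains control characters; refusing to query credentials")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("remote URL must be http(s) with a host")
    host = parts.hostname
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    lines = [f"protocol={parts.scheme}", f"host={host}"]
    path = parts.path.lstrip("/")
    if path:
        lines.append(f"path={path}")
    if parts.username:
        lines.append(f"username={parts.username}")
    return lines


def serialize_request(lines) -> bytes:
    """Encode the lines for the helper, re-checking each one as a last defence."""
    for line in lines:
        if has_control_chars(line):
            raise ValueError(f"refusing to emit line with control characters: {line!r}")
    return ("\n".join(lines) + "\n\n").encode("utf-8")


if __name__ == "__main__":
    print(serialize_request(build_credential_request("https://example.com/org/repo.git")))
    try:
        build_credential_request("https://example.com/repo\rtail.git")
    except ValueError as exc:
        print("rejected:", exc)
```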