
how human behavior affects security


Programmer’s Digest #123

02/19/2025-02/26/2025 Craft CMS Vulnerability, Security Fix for NetScaler Console Privilege Escalation Vulnerability, Security Flaws in Adobe and Oracle Products And More.

1. CISA Warns of Attacks Exploiting Craft CMS Vulnerability

The agency added CVE-2025-23209 to its KEV catalog, alongside a Palo Alto Networks firewall flaw. Though Craft CMS has a small market share, over 41,000 instances may be affected. Patched in mid-January (versions 5.5.8 and 4.13.8), CVE-2025-23209 is a high-severity remote code execution flaw requiring a compromised security key. CISA has instructed federal agencies to address it by March 13, though no public attack reports exist.

Meanwhile, CVE-2024-56145, another Craft CMS vulnerability allowing remote code execution, has been actively exploited. It was patched in November 2024 and developers warned users in December, but it is not yet in CISA’s KEV catalog.

SecurityWeek contacted Craft for details on CVE-2025-23209 exploits. A representative confirmed the flaw requires a compromised security key.

2. Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

Citrix has released security updates for CVE-2024-12284, a high-severity privilege escalation flaw in NetScaler Console and NetScaler Agent. Rated 8.8/10 on CVSS v4, the issue stems from improper privilege management, allowing authenticated attackers to execute commands without extra authorization.

The vulnerability affects:

  • NetScaler Console: Versions before 14.1-38.53 and 13.1-56.18
  • NetScaler Agent: Versions before 14.1-38.53 and 13.1-56.18

Fixed versions include 14.1-38.53+ and 13.1-56.18+. Citrix urges customers to update immediately, as no workarounds exist. However, users of the Citrix-managed NetScaler Console Service are not affected.

3. Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

Microsoft has released security updates for two critical flaws in Bing and Power Pages, one of which is actively exploited.

Vulnerabilities:

  • CVE-2025-21355 (CVSS 8.6): Bing Remote Code Execution due to missing authentication, requiring no customer action.
  • CVE-2025-24989 (CVSS 8.2): Power Pages Elevation of Privilege flaw allowing unauthorized access.

Microsoft credited employee Raj Kumar for discovering CVE-2025-24989 and confirmed at least one instance of exploitation. However, details on attacks and threat actors remain undisclosed. The vulnerability has been mitigated, and affected customers have been notified with review and cleanup instructions.

On February 21, 2025, CISA added CVE-2025-24989 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply fixes by March 14, 2025.

4. CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation

CISA added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerabilities in question are as follows:

  • CVE-2024-49035 (CVSS score: 8.7) – An improper access control vulnerability in Microsoft Partner Center that allows an attacker to escalate privileges. (Fixed in November 2024.)
  • CVE-2023-34192 (CVSS score: 9.0) – A cross-site scripting (XSS) vulnerability in Synacor ZCS that allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function. (Fixed in July 2023 with version 8.8.15 Patch 40.)

Last year, Microsoft acknowledged that CVE-2024-49035 had been exploited in the wild, but did not reveal any additional details on how it was weaponized in real-world attacks. There are currently no public reports about in-the-wild abuse of CVE-2023-34192.

5. Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA

CISA has added two actively exploited vulnerabilities to its KEV catalog:

  • CVE-2017-3066 (CVSS 9.8): A deserialization flaw in Adobe ColdFusion’s Apache BlazeDS library allowing arbitrary code execution (patched April 2017).
  • CVE-2024-20953 (CVSS 8.8): A deserialization flaw in Oracle Agile PLM enabling low-privileged attackers to compromise systems via HTTP (patched January 2024).

No public reports confirm their exploitation, but another Oracle Agile PLM flaw (CVE-2024-21287) was abused in late 2024. Federal agencies must apply patches by March 17, 2025.

Meanwhile, GreyNoise detected 110 malicious IPs—mostly from Bulgaria, Brazil, and Singapore—exploiting CVE-2023-20198, a patched Cisco vulnerability. Two IPs, linked to CVE-2018-0171, were active in late 2024 and early 2025, coinciding with reported Chinese state-sponsored telecom breaches.


Programmer’s Digest #122

02/12/2025-02/19/2025 PostgreSQL Vulnerability, New OpenSSH Flaws, Marstech1 JavaScript Implant And More.

1. PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks

Threat actors behind the December 2024 zero-day exploitation of BeyondTrust PRA and RS products likely also leveraged a newly discovered SQL injection flaw in PostgreSQL. Tracked as CVE-2025-1094 (CVSS 8.1), the vulnerability affects PostgreSQL’s interactive tool psql. Attackers can exploit it to achieve arbitrary code execution via meta-commands. Rapid7 discovered this issue while investigating CVE-2024-12356, a BeyondTrust flaw enabling unauthenticated remote code execution.

Successful exploitation of CVE-2024-12356 required CVE-2025-1094. PostgreSQL maintainers have patched the issue in versions 13.19, 14.16, 15.11, 16.7, and 17.3. The flaw stems from improper handling of invalid UTF-8 characters, allowing attackers to execute shell commands using the shortcut “!”. Meanwhile, CISA has added CVE-2024-57727, affecting SimpleHelp remote support software (CVSS 7.5), to its KEV catalog, mandating fixes by March 6, 2025.

2. New OpenSSH Flaws Expose SSH Servers to MitM And DoS Attacks

OpenSSH has released security updates for two vulnerabilities: a man-in-the-middle (MitM) flaw (CVE-2025-26465) and a denial-of-service (DoS) issue (CVE-2025-26466). CVE-2025-26465, present since OpenSSH 6.8p1 (2014), affects clients with VerifyHostKeyDNS enabled, allowing attackers to hijack SSH sessions by forcing an out-of-memory error. Though disabled by default, it was enabled in FreeBSD from 2013–2023. CVE-2025-26466, introduced in OpenSSH 9.5p1 (2023), exploits unrestricted memory allocation during key exchange. Attackers can overload system resources by repeatedly sending small ping messages. Disabling VerifyHostKeyDNS and manually verifying SSH fingerprints are advised for security. To mitigate DoS risks, admins should enforce connection rate limits and monitor SSH traffic.
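An added audit check for the two mitigations above (not code from the digest or from the OpenSSH project): it reads the effective configuration that `ssh -G <host>` and `sshd -T` print, flags a client with VerifyHostKeyDNS enabled and a server with no per-source connection cap, and assumes that any VerifyHostKeyDNS value other than `no` counts as enabled.

```shell
#!/bin/sh
# Added audit helper for the two OpenSSH issues summarised above; it is not
# code from the original digest or from the OpenSSH project. It reads the
# effective configuration that `ssh -G <host>` (client) and `sshd -T`
# (server) print, one lowercase "key value" per line, and flags the two
# settings the advisory calls out. The sample inputs are constructed.

# Return 0 when VerifyHostKeyDNS is off. Assumption: any value other than
# "no" ("yes" or "ask") is treated as enabled, since both consult DNS.
client_vhkd_ok() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "verifyhostkeydns" { v = tolower($2) }
    END { if (v != "" && v != "no") exit 1; exit 0 }'
}

# Return 0 when sshd caps unauthenticated connections per source address
# (PerSourceMaxStartups set to a number); 1 when the key is absent, as on
# sshd older than 8.7, or set to "none" (unlimited, the default).
server_ratelimit_ok() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "persourcemaxstartups" { v = $2 }
    END { if (v ~ /^[0-9]+$/) exit 0; exit 1 }'
}

# Constructed samples in the format of `ssh -G` / `sshd -T` output.
CLIENT_BAD="hostname example.invalid
verifyhostkeydns yes
stricthostkeychecking ask"
CLIENT_GOOD="hostname example.invalid
verifyhostkeydns no
stricthostkeychecking ask"
SERVER_BAD="port 22
maxstartups 10:30:100
persourcemaxstartups none"
SERVER_GOOD="port 22
maxstartups 10:30:100
persourcemaxstartups 10"

audit() {
  if client_vhkd_ok "$1"; then echo "client: VerifyHostKeyDNS off (ok)"
  else echo "client: VerifyHostKeyDNS enabled; set it to 'no' and check host fingerprints out of band"; fi
  if server_ratelimit_ok "$2"; then echo "server: per-source connection cap set (ok)"
  else echo "server: no per-source cap; set PerSourceMaxStartups (OpenSSH 8.7+) or rate-limit at the firewall"; fi
}

audit "$CLIENT_BAD" "$SERVER_BAD"
```

On a real host, feed it `"$(ssh -G somehost)"` and `"$(sudo sshd -T)"` instead of the constructed samples.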

3. Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks

The Lazarus Group has been linked to Marstech1, a new JavaScript implant used in targeted attacks against developers. Dubbed Marstech Mayhem by SecurityScorecard, the malware was distributed via a now-deleted GitHub profile, SuccessFriend. It collects system data and can be embedded in websites and NPM packages, posing a supply chain risk.

Active since December 2024, the attack has impacted 233 victims across the U.S., Europe, and Asia. Marstech1 targets Chromium-based browser directories, altering settings for wallets like MetaMask, Exodus, and Atomic. It can also download additional payloads and exfiltrate stolen data. The implant uses advanced obfuscation techniques to evade detection. Meanwhile, Recorded Future uncovered a related North Korean operation, PurpleBravo, targeting cryptocurrency firms through fraudulent IT hires. These workers act as insider threats, stealing data and facilitating cyberattacks. Organizations hiring North Korean IT workers risk violating sanctions and facing security threats.

4. Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software

Palo Alto Networks has patched a high-severity authentication bypass flaw in PAN-OS, tracked as CVE-2025-0108 (CVSS 7.8). The flaw allows unauthenticated attackers with network access to invoke PHP scripts via the management interface, impacting system integrity and confidentiality.

The issue stems from discrepancies in how Nginx and Apache handle requests, enabling directory traversal attacks. It affects multiple PAN-OS versions, with fixes available in 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, and 10.1.14-h9. GreyNoise has detected active exploitation attempts from IPs in the U.S., China, and Israel. Palo Alto Networks confirmed ongoing attacks, warning that CVE-2025-0108 can be chained with CVE-2024-9474 for unauthorized access. Users should immediately apply patches and restrict access to the management interface. Those not using OpenConfig should disable or uninstall the plugin to mitigate risk.


Programmer’s Digest #121

02/05/2025-02/12/2025 Critical Flaws in Connect Secure and Policy Secure, Vulnerabilities in Cisco Identity Services Engine, Zimbra Releases Security Updates And More.

1. Ivanti Patches Critical Flaws in Connect Secure and Policy Secure – Update Now

Ivanti has released security updates to fix multiple vulnerabilities in Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) that could enable remote code execution.

Vulnerabilities:

  • CVE-2024-38657 (CVSS 9.1): Arbitrary file write via external control of file name (ICS <22.7R2.4, IPS <22.7R1.3).
  • CVE-2025-22467 (CVSS 9.9): Stack-based buffer overflow (ICS <22.7R2.6).
  • CVE-2024-10644 (CVSS 9.1): Code injection (ICS <22.7R2.4, IPS <22.7R1.3).
  • CVE-2024-47908 (CVSS 9.1): OS command injection in CSA admin console (<5.0.5).

Fixed Versions: ICS 22.7R2.6, IPS 22.7R1.3, CSA 5.0.5. Ivanti urges immediate patching, warning that its products are targeted by sophisticated attackers.

Meanwhile, Bishop Fox disclosed details of CVE-2024-53704 in SonicWall SonicOS, affecting 4,500 unpatched SSL VPN servers. Akamai also revealed two vulnerabilities in Fortinet FortiOS (CVE-2024-46666, CVE-2024-46668), with Fortinet fixing another flaw (CVE-2025-24472).

2. Multiple Vulnerabilities in Cisco Identity Services Engine (ISE)

Cisco has released security updates to address critical vulnerabilities (CVE-2025-20124 and CVE-2025-20125) affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), regardless of device configuration.

Vulnerabilities:

  • CVE-2025-20124: Successful exploitation of the insecure Java deserialization vulnerability could allow an authenticated remote attacker to execute arbitrary code on the vulnerable device as root. The vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.9 out of 10.
  • CVE-2025-20125: Successful exploitation of the authorization bypass vulnerability could allow an authenticated remote attacker with valid read-only credentials to access sensitive information, modify node configurations, and restart the node.

The vulnerabilities affect Cisco ISE Software versions 3.3 and earlier.

3. Progress Software Fixes Multiple Vulnerabilities in Its LoadMaster Software

Progress Software has patched multiple high-severity vulnerabilities in its LoadMaster software that could allow authenticated attackers to execute system commands or access files. The flaws include CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, and CVE-2024-56135 (CVSS 8.4), all caused by improper input validation, enabling OS command injection. CVE-2024-56134 (CVSS 8.4) allows an attacker with access to the management interface to download any file via a crafted HTTP request. An attacker who gains access to LoadMaster’s management interface and successfully authenticates could exploit these flaws using specially crafted HTTP requests.

4. Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities

Zimbra has released updates to fix critical security flaws in its Collaboration software, including CVE-2025-25064 (CVSS 9.8), an SQL injection vulnerability in the ZimbraSync Service SOAP endpoint affecting versions before 10.0.12 and 10.1.4. Attackers could exploit it to retrieve email metadata. Another patched flaw is a stored cross-site scripting (XSS) vulnerability in the Zimbra Classic Web Client; the fix improves input sanitization and is available in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

Zimbra also addressed CVE-2025-25065 (CVSS 5.3), a server-side request forgery (SSRF) flaw in the RSS feed parser that could allow unauthorized redirection to internal endpoints. This was patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4. Users are urged to update to the latest Zimbra Collaboration versions to protect against these vulnerabilities.

5. Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware

Threat actors are exploiting recently disclosed vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software as part of a ransomware attack, according to Field Effect. The flaws—CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728—allow information disclosure, privilege escalation, and remote code execution. They were patched in SimpleHelp versions 5.3.9, 5.4.10, and 5.5.8. Field Effect observed attackers using a vulnerable SimpleHelp instance to gain access, create an admin account, and deploy the Sliver framework for persistence. The attackers attempted to use a Cloudflare tunnel to stealthily route traffic, but the attack was detected before execution. The tactics resemble Akira ransomware attacks from 2023, though other threat actors may be involved. Organizations using SimpleHelp are urged to update immediately.
