
Programmer’s Digest #131

04/16/2025-04/23/2025 GCP Cloud Composer Bug, Critical Erlang/OTP SSH RCE Bug, Ripple’s xrpl.js npm Package.

1. GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

Cybersecurity researchers revealed a now-patched vulnerability in Google Cloud Platform’s Cloud Composer, a workflow service based on Apache Airflow. Dubbed ConfusedComposer, the flaw could have let attackers with edit permissions escalate access to the powerful Cloud Build service account, enabling them to access sensitive GCP services like Cloud Storage and Artifact Registry. Tenable, which discovered the issue, described it as a variant of a previous GCP flaw called ConfusedFunction. The vulnerability stemmed from Cloud Composer’s ability to install custom PyPI packages, which attackers could abuse to execute malicious scripts and gain elevated privileges.

Google patched the flaw on April 13, 2025, switching Cloud Composer to use its environment-specific service account for package installations.
The disclosure comes amid a wave of cloud vulnerabilities, including an Azure SQL Server flaw that could trigger data loss, a Microsoft Entra ID bug that allowed privilege abuse, and AWS EC2 attacks exploiting SSRF vulnerabilities to access sensitive metadata.

2. Critical Erlang/OTP SSH RCE Bug

A critical vulnerability in Erlang/OTP’s SSH implementation (CVE-2025-32433) now has public exploits, enabling unauthenticated remote code execution. The flaw stems from improper handling of SSH protocol messages before authentication. Patched in versions 25.3.2.10 and 26.2.4, the bug poses a serious risk to devices using Erlang/OTP in telecom, database, and high-availability systems, many of which may not be updated quickly.

Exploits were confirmed by researchers from the Zero Day Initiative and Horizon3, who found the vulnerability easy to weaponize. Public proof-of-concept (PoC) code has been shared on GitHub and Pastebin, raising the risk of widespread attacks. Security experts warn that threat actors may begin scanning for vulnerable systems soon, especially in critical infrastructure. While over 600,000 IPs run Erlang/OTP, most appear to use CouchDB, which is not affected. Immediate patching is strongly recommended.

3. SonicWall SMA VPN Devices Targeted in Attacks

A remote code execution flaw in SonicWall Secure Mobile Access (SMA) devices (CVE-2021-20035) has been actively exploited since January 2025. The vulnerability, originally patched in 2021 and initially classified as a denial-of-service risk, has now been reclassified as high severity with confirmed remote code execution potential.

The flaw affects SMA 200, 210, 400, 410, and 500v devices. It allows low-privileged attackers to inject commands via the SMA100 management interface, potentially leading to full compromise. SonicWall updated its advisory, and CISA has added the bug to its Known Exploited Vulnerabilities catalog, requiring federal agencies to secure systems by May 7.

Attackers used default credentials (e.g., “password” for a super admin account) and targeted VPN credentials on exposed SMA 100 appliances. Defenders are urged to patch immediately, limit VPN access, disable unused accounts, enable MFA, and reset local passwords to prevent further compromise.

4. Ripple’s xrpl.js npm Package Backdoored to Steal Private Keys in Major Supply Chain Attack

The popular Ripple cryptocurrency library xrpl.js was compromised in a supply chain attack aimed at stealing users’ private keys. The malicious code affected versions 4.2.1 to 4.2.4 and 2.14.2, but has been patched in versions 4.2.5 and 2.14.3.
The attacker, using a compromised npm account under the name “mukulljangid”, added a function named checkValidityOfSeed that exfiltrated keys to an external domain. The account likely belonged to a Ripple employee, suggesting the npm access token was stolen.

xrpl.js is a widely used JavaScript API for interacting with the XRP Ledger, downloaded over 2.9 million times with 135,000+ weekly downloads. The associated GitHub repository remains unaffected.

Security researchers believe the attacker released several versions quickly to evade detection. Users are urged to immediately update to versions 4.2.5 or 2.14.3 to secure their applications. The XRP Ledger itself was not impacted by the attack.
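The practical response to an item like this is to find every copy of the package in a dependency tree, not just the top-level one, and compare it against the compromised releases. The following Python script is an added example written for this digest, not code from Ripple or the xrpl.js project: it reads a package-lock.json (both the `packages` map of lockfile versions 2/3 and the nested `dependencies` tree of version 1), flags any xrpl install on the versions named above, and names the fixed release on the same line. The lockfile excerpts are constructed for the demonstration.

```python
import json

# Versions named in the report: compromised and fixed releases of the xrpl npm package.
AFFECTED_XRPL_VERSIONS = {"4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"}
FIXED_XRPL_VERSIONS = {"4.2.5", "2.14.3"}


def recommended_fix(version: str) -> str:
    """Fixed release on the same major line as the affected version."""
    return "2.14.3" if version.startswith("2.") else "4.2.5"


def find_affected_xrpl(lockfile_text: str) -> list:
    """Return (install path, version) for every xrpl copy in a package-lock.json
    whose version is in the compromised set. Handles lockfileVersion 2/3 ('packages')
    and the older lockfileVersion 1 nested 'dependencies' tree."""
    lock = json.loads(lockfile_text)
    hits = []

    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "node_modules/xrpl" or path.endswith("/node_modules/xrpl"):
                if meta.get("version") in AFFECTED_XRPL_VERSIONS:
                    hits.append((path, meta["version"]))
        return hits

    def walk(deps: dict, prefix: str) -> None:
        # lockfileVersion 1 nests transitive dependencies under each package
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "xrpl" and meta.get("version") in AFFECTED_XRPL_VERSIONS:
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return hits


# Constructed lockfile excerpts (not from any real project): one direct install on a
# compromised version and one nested copy already on a fixed version.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"xrpl": "^4.2.0"}},
        "node_modules/xrpl": {"version": "4.2.3"},
        "node_modules/legacy-wallet": {"version": "1.0.0"},
        "node_modules/legacy-wallet/node_modules/xrpl": {"version": "2.14.3"},
    },
})

# Constructed lockfileVersion 1 excerpt with a compromised copy nested under another package.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "legacy-wallet": {"version": "1.0.0",
                          "dependencies": {"xrpl": {"version": "2.14.2"}}},
    },
})

if __name__ == "__main__":
    for text in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, version in find_affected_xrpl(text):
            print(f"{path}: xrpl {version} is compromised; upgrade to {recommended_fix(version)}")
```

Nested copies matter here: a wrapper library can pin its own xrpl under its own node_modules, so a check that only looks at the top-level entry would miss it.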

4 mo   digest   programmers'

Programmer’s Digest #130

04/09/2025-04/16/2025 Critical Apache Roller Vulnerability, Incomplete Patching Leaves Nvidia, Docker Exposed to DOS Attacks, Vulnerability in OttoKit WordPress Plugin And More.

1. Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

A critical vulnerability (CVE-2025-24859, CVSS score: 10.0) has been discovered in Apache Roller, an open-source Java-based blogging platform, affecting versions up to 6.1.4. The flaw allows attackers to retain access through existing sessions even after a user changes their password, posing serious security risks. This is due to improper invalidation of active sessions, enabling continued unauthorized access if credentials were compromised. The issue has been fixed in version 6.1.5 with centralized session management that terminates sessions when passwords are changed or users are disabled. This comes amid other high-severity Apache issues, including a critical bug in Apache Parquet’s Java Library (CVE-2025-30065) allowing code execution, and a recent exploit targeting Apache Tomcat (CVE-2025-24813).
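The fix described for Roller, a single revocation point that runs whenever a password changes or an account is disabled, is a pattern worth seeing in code. The Python below is an added example for this digest, not Apache Roller's code: an in-memory user table and session store stand in for a real backend, `change_password_unsafe` shows the pattern that leaves stale sessions alive, and `change_password` and `disable_user` both route through `invalidate_user_sessions`. The `keep` parameter, an assumption about how a real app would behave, lets the session that performed the change survive.

```python
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for a real user table and session backend.
USERS = {"alice": {"password_hash": "hash-of-old-password", "enabled": True}}
SESSIONS = {}  # session id -> {"user": username, "created": timestamp}


def login(username: str) -> str:
    """Issue a fresh session id for a user who has just proven their password."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "created": time.time()}
    return sid


def is_session_valid(sid: str) -> bool:
    """A session is usable only if it still exists and its owner is still enabled."""
    sess = SESSIONS.get(sid)
    return sess is not None and USERS[sess["user"]]["enabled"]


def change_password_unsafe(username: str, new_hash: str) -> None:
    """The problematic pattern: the credential rotates, every existing session survives."""
    USERS[username]["password_hash"] = new_hash


def invalidate_user_sessions(username: str, keep: Optional[str] = None) -> int:
    """Single revocation point used by every account-state change.
    `keep` lets the session that performed the change stay alive (assumed behaviour)."""
    doomed = [sid for sid, s in SESSIONS.items()
              if s["user"] == username and sid != keep]
    for sid in doomed:
        del SESSIONS[sid]
    return len(doomed)


def change_password(username: str, new_hash: str,
                    current_sid: Optional[str] = None) -> int:
    """Rotate the credential and revoke all other sessions; returns how many were dropped."""
    USERS[username]["password_hash"] = new_hash
    return invalidate_user_sessions(username, keep=current_sid)


def disable_user(username: str) -> int:
    """Disabling an account must also revoke every session it holds."""
    USERS[username]["enabled"] = False
    return invalidate_user_sessions(username)


if __name__ == "__main__":
    old = login("alice")
    change_password_unsafe("alice", "hash-of-new-password")
    print("stale session still valid after unsafe change:", is_session_valid(old))
    change_password("alice", "hash-of-newer-password")
    print("stale session valid after centralized revocation:", is_session_valid(old))
```

Checking the owner's `enabled` flag inside `is_session_valid` is a second line of defence: even a session that slipped past revocation stops working the moment the account is disabled.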

2. Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders

Cybersecurity researchers have uncovered a malicious Python package, ccxt-mexc-futures, on the PyPI repository that rerouted trading orders on the MEXC exchange to a malicious server, stealing crypto tokens and sensitive data. Masquerading as an extension of the legitimate ccxt library, the package was downloaded over 1,000 times before removal. It secretly modified MEXC-related APIs to redirect user requests to attacker-controlled domains, enabling unauthorized access and arbitrary code execution. The malicious code targeted three core ccxt functions—describe, sign, and prepare_request_headers—and exfiltrated API keys to a fake MEXC domain. Users are urged to revoke exposed tokens and uninstall the package immediately. This discovery comes amid growing concerns about supply chain attacks, including counterfeit packages across npm, PyPI, and other ecosystems. New research also warns that AI models can “hallucinate” non-existent packages, potentially leading developers to install malicious code—an emerging threat known as slopsquatting.

3. Hackers Exploit WordPress Plugin Auth Bypass Hours After Disclosure

Hackers began exploiting a high-severity authentication bypass flaw (CVE-2025-3102) in the OttoKit (formerly SureTriggers) WordPress plugin just hours after it was publicly disclosed. The vulnerability affects versions up to 1.0.78 and allows attackers to create admin accounts without authentication, risking full site takeover. The issue stems from a missing check in the authenticate_user() function when no API key is set, allowing an attacker to send an empty st_authorization header to gain unauthorized access. OttoKit, used on over 100,000 websites to automate tasks with tools like WooCommerce and Mailchimp, released a fix in version 1.0.79 on April 3. Users are strongly urged to upgrade to version 1.0.79.

4. Incomplete Patching Leaves Nvidia, Docker Exposed to DOS Attacks

A critical race condition bug (CVE-2024-0132) in the Nvidia Container Toolkit remains exploitable despite multiple patches. Rated CVSS 9.0, the Time-of-Check Time-of-Use (TOCTOU) flaw could allow crafted container images to access the host file system, leading to container escapes, code execution, or data theft. Trend Micro found that versions 1.17.3 and earlier are still vulnerable, while version 1.17.4 can be exploited if the optional feature “allow-cuda-compat-libs-from-containers” is enabled. The bug can also trigger a denial-of-service (DoS) attack on Docker for Linux by bloating the mount table and exhausting file descriptors, potentially locking users out.

Attackers could chain exploits to gain root access and launch a DoS using malicious container images. Nvidia’s patch, issued in September 2024 and updated in February 2025, may still be incomplete. Trend Micro advises disabling the optional rollback feature and restricting Docker API access to prevent exploitation and maintain system integrity.

5. Vulnerability in OttoKit WordPress Plugin Exploited in the Wild

A high-severity vulnerability (CVE-2025-3102, CVSS 8.1) in the OttoKit WordPress plugin is being actively exploited, potentially exposing over 100,000 websites to takeover. Formerly known as SureTriggers, OttoKit allows admins to automate tasks and connect apps and plugins.

The flaw stems from a missing check in a permission function. If OttoKit is installed but not configured with an API key, an attacker can submit an empty secret key, matching the plugin’s database, and gain access to REST API endpoints. This allows the creation of admin accounts, enabling attackers to upload malicious files, inject spam, or redirect users.

Only unconfigured installations are vulnerable, but Defiant confirms real-world exploitation. Users are urged to update to version 1.0.79 or later, which includes a fix released on April 3.
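Both OttoKit items above describe the same defect: a secret comparison that succeeds when the stored secret is empty. The Python below is an added example for this digest, not the plugin's PHP code: `authenticate_user_unsafe` reproduces the pattern the write-ups describe (plain equality against whatever is stored, so an unconfigured install with an empty key accepts an empty `st_authorization` header), and `authenticate_user` is the hardened form that refuses to authenticate anything when no key is configured, rejects empty input, and compares in constant time. The `create_user_endpoint` handler and the header names are constructed for the demonstration.

```python
import hmac
from typing import Optional


def authenticate_user_unsafe(headers: dict, stored_key: Optional[str]) -> bool:
    """Pattern described in the advisory: plain equality between the request header
    and whatever is stored. On an unconfigured install the stored key is empty, so an
    empty (or missing) header compares equal and the caller is treated as authorized."""
    supplied = headers.get("st_authorization", "")
    return supplied == (stored_key or "")


def authenticate_user(headers: dict, stored_key: Optional[str]) -> bool:
    """Hardened check: an unconfigured install authenticates nobody, empty input is
    rejected before comparison, and the comparison itself is constant-time."""
    if not stored_key:
        return False
    supplied = headers.get("st_authorization", "")
    if not supplied:
        return False
    return hmac.compare_digest(supplied.encode("utf-8"), stored_key.encode("utf-8"))


def create_user_endpoint(headers: dict, stored_key: Optional[str],
                         check=authenticate_user) -> int:
    """Constructed REST handler standing in for an admin-creation endpoint.
    Returns an HTTP status: 201 only when the chosen check passes, else 401."""
    if not check(headers, stored_key):
        return 401
    return 201


if __name__ == "__main__":
    # Unconfigured install (no API key stored) receiving an empty header.
    request = {"st_authorization": ""}
    print("unsafe check on unconfigured install:", authenticate_user_unsafe(request, ""))
    print("hardened check on unconfigured install:", authenticate_user(request, ""))
    print("endpoint status with hardened check:", create_user_endpoint(request, ""))
```

The general rule the hardened version encodes is that "no secret configured" must mean "nothing can authenticate", never "anything matches"; the same applies to any plugin or service that compares a request token against an optional stored value.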


Programmer’s Digest #129

04/02/2025-04/09/2025 Flaw in Apache Parquet, CrushFTP Vulnerability, Malicious Python Packages And More.

1. Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code

A critical vulnerability (CVE-2025-30065) in Apache Parquet’s Java library could allow remote code execution if exploited. The flaw, rated with a maximum CVSS score of 10.0, affects versions up to 1.15.0 and has been fixed in version 1.15.1.

According to project maintainers, the issue lies in schema parsing within the parquet-avro module. Endor Labs warns that attackers can exploit it by tricking systems into processing specially crafted Parquet files—especially dangerous for data pipelines and analytics platforms handling untrusted input. Although no active exploitation has been reported, vulnerabilities in Apache projects often draw attacker interest. Keyi Li of Amazon reported the flaw. Separately, a recent CVE-2025-24813 vulnerability in Apache Tomcat was exploited within 30 hours of disclosure. Aqua Security found an attack campaign using weak credentials to deploy Java-based web shells, steal SSH keys, and hijack resources for crypto mining—highlighting the urgency of patching such flaws quickly.

2. CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

CISA has added a critical CrushFTP vulnerability (CVE-2025-31161, CVSS 9.8) to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw, an authentication bypass, allows remote attackers to access any known or guessable user account, potentially leading to full system compromise. It has been patched in versions 10.8.4 and 11.3.1. Initially tracked as CVE-2025-2825, the issue sparked confusion after VulnCheck published a CVE without coordinating with the vendor or discloser, Outpost24. MITRE later assigned the official CVE. VulnCheck accused CrushFTP of delaying disclosure and criticized MITRE’s process. Huntress confirmed exploitation in the wild as early as March 30, 2025. Attackers installed remote desktop tools like AnyDesk and MeshAgent, added admin users, and deployed malware linked to a Telegram bot. At least four organizations across marketing, retail, and semiconductor sectors have been targeted.

3. Malicious Python Packages Attacking Popular Cryptocurrency Library

Cybersecurity experts have uncovered a new threat targeting cryptocurrency developers and users. Two malicious Python packages—bitcoinlibdbfix and bitcoinlib-dev—were found on PyPI, posing as fixes for the widely used bitcoinlib library.

These packages secretly exfiltrate sensitive crypto wallet data by targeting bitcoinlib’s command-line interface. Once installed, they remove the legitimate clw tool and replace it with a malicious version that intercepts user commands and transmits private wallet data to attacker-controlled servers.
The bitcoinlib library is a key resource for developers building blockchain applications, making it a prime target. The malware campaign was discovered by ReversingLabs via its Spectra platform, which uses machine learning to detect suspicious behavior.

This attack is part of a broader trend of supply chain compromises in the crypto space, with nearly two dozen incidents reported in 2024 alone. The attackers used social engineering, claiming their packages fixed a database error to trick developers into installing the malware.

4. CISA Urges Patching For ‘Critical’ Ivanti VPN Flaw

A critical vulnerability (CVE-2025-22457) in Ivanti’s Connect Secure VPN is being actively exploited and must be patched immediately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned.

The flaw allows remote code execution and has been linked to UNC5221, a suspected China-based espionage group responsible for earlier mass attacks on Ivanti VPNs in 2024. Mandiant researchers observed malware deployments and signs of exploitation dating back to mid-March.

The vulnerability affects Ivanti Connect Secure versions 22.7R2.5 and earlier, and unsupported Pulse Connect Secure 9.1x devices. Ivanti released a fix (version 22.7R2.6) on February 11, initially misclassifying the issue as a minor bug.
CISA added the flaw to its Known Exploited Vulnerabilities catalog, urging all organizations—not just federal agencies—to update vulnerable systems. Ivanti noted its Integrity Checker Tool helped detect compromises and stressed that customers using supported versions with recommended configurations are at lower risk. Immediate upgrades are strongly advised.

5. Microsoft Patches 126 Flaws Including Actively Exploited Windows CLFS Vulnerability

Microsoft has released patches for 126 security flaws, including one actively exploited vulnerability (CVE-2025-29824) affecting the Windows Common Log File System (CLFS) Driver. This elevation of privilege (EoP) bug allows attackers with local access to gain SYSTEM-level access via a use-after-free condition. It has a CVSS score of 7.8 and has been linked to ransomware attacks. Notably, no patch is yet available for Windows 10 (32/64-bit).

Of the 126 flaws, 11 are Critical and 112 Important, covering privilege escalation, remote code execution, and denial-of-service issues. Other key fixes include RCE flaws in Windows Remote Desktop, Kerberos, Office, Excel, TCP/IP, and Hyper-V.
CISA added CVE-2025-29824 to its Known Exploited Vulnerabilities list, mandating federal agencies to patch by April 29, 2025.

Microsoft’s updates follow fixes from other major vendors, including Apple, Adobe, Cisco, Google, VMware, Fortinet, and more, addressing a wide range of vulnerabilities across platforms.

5 mo   digest   programmers'