Shield53

Author: chris.stewart

  • CVE-2025-24813: Unauthenticated RCE in Apache Tomcat – PoC Released

    CVE-2025-24813: Unauthenticated RCE in Apache Tomcat – PoC Released

    Summary

    A critical path equivalence vulnerability (CVE-2025-24813) has been identified in Apache Tomcat, allowing unauthenticated remote code execution (RCE) under specific server configurations. Disclosed on March 10, 2025, this flaw affects multiple versions of Apache Tomcat and has been actively exploited in the wild following the release of a public proof-of-concept (PoC) exploit. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog on April 1, 2025.

    Risks

    Exploitation of CVE-2025-24813 enables attackers to achieve remote code execution by exploiting how Apache Tomcat processes file paths internally, particularly in handling partial PUT requests and session file persistence. Successful attacks can lead to unauthorized access to restricted directories, information leakage, and injection of malicious content, potentially corrupting critical server configuration files. The vulnerability specifically affects the server’s internal mapping of file paths, where slashes are converted to dots in the DefaultServlet’s path mapping logic.

    Affected Versions

    • Apache Tomcat 11.0.0-M1 through 11.0.2

    • Apache Tomcat 10.1.0-M1 through 10.1.34

    • Apache Tomcat 9.0.0-M1 through 9.0.98

    • Additionally, versions 8.5.0 to 8.5.98 and 8.5.100 are also vulnerable, though not included in Apache’s initial advisory. 

    Remediation

    Organizations are strongly advised to upgrade to the following patched versions to mitigate this vulnerability:

    • Apache Tomcat 11.0.3

    • Apache Tomcat 10.1.35

    • Apache Tomcat 9.0.99

    Additional mitigation strategies include:

    • Disabling unnecessary HTTP methods, such as PUT, to reduce attack surfaces.

    • Enforcing strict access controls to limit unauthorized access.

    • Deploying Web Application Firewalls (WAFs) with specific rules to detect and block exploitation attempts of CVE-2025-24813.

    Conclusion

    CVE-2025-24813 poses a significant threat due to its potential for unauthenticated remote code execution and active exploitation in the wild. Organizations using affected versions of Apache Tomcat should prioritize upgrading to the patched versions and implement recommended mitigation strategies to protect their systems from potential attacks.

  • FortiVoice Zero-Day Vulnerability (CVE-2025-32756) Exploited in the Wild

    FortiVoice Zero-Day Vulnerability (CVE-2025-32756) Exploited in the Wild

    Summary

    Fortinet has disclosed a critical stack-based buffer overflow vulnerability, identified as CVE-2025-32756, affecting multiple products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows remote, unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests. The vulnerability has been actively exploited in the wild, with confirmed attacks targeting FortiVoice systems.

    Risks

    Exploitation of CVE-2025-32756 poses significant risks:

    • Remote Code Execution: Attackers can gain full control over affected systems without authentication.

    • Credential Theft: Enabling FCGI debugging allows attackers to log system and SSH credentials.

    • Persistence and Lateral Movement: Malicious cron jobs and modified system files facilitate ongoing access and potential spread within networks.

    • Data Exfiltration: Sensitive information can be extracted, leading to potential data breaches.

    Affected Versions

    The following product versions are impacted:

    • FortiVoice: 6.4.0–6.4.10, 7.0.0–7.0.6, 7.2.0

    • FortiMail: 7.0.0–7.0.8, 7.2.0–7.2.7, 7.4.0–7.4.4, 7.6.0–7.6.2

    • FortiNDR: 1.1–1.5, 7.0.0–7.0.6, 7.2.0–7.2.4, 7.4.0–7.4.7, 7.6.0

    • FortiRecorder: 6.4.0–6.4.5, 7.0.0–7.0.5, 7.2.0–7.2.3

    • FortiCamera: 1.1, 2.0, 2.1.0–2.1.3

    Users are advised to upgrade to the latest versions to mitigate the vulnerability.

    Remediation

    Fortinet has released patches addressing CVE-2025-32756 for all affected products. Organizations should:

    1. Apply Patches: Update to the latest firmware versions as specified in Fortinet’s advisory.

    2. Disable HTTP/HTTPS Administrative Interface: If immediate patching isn’t feasible, disable these interfaces to reduce exposure.

    3. Review System Logs: Check for indicators of compromise, such as unusual log entries or unauthorized system modifications.

    4. Monitor Network Activity: Be vigilant for signs of lateral movement or data exfiltration.

    Implementing these steps will help safeguard systems against potential exploitation.

    Indicators of Compromise (IoCs)

    Fortinet has identified several IoCs associated with the exploitation of CVE-2025-32756:

    Log Entries

    • [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection

    • [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11

    Malicious Files

    • /bin/wpad_ac_helper (MD5: 4410352e110f82eabc0bf160bec41d21)

    • /bin/busybox (MD5: ebce43017d2cb316ea45e08374de7315, 489821c38f429a21e1ea821f8460e590)

    • /lib/libfmlogin.so (MD5: 364929c45703a84347064e2d5de45bcd)

    • /tmp/.sshdpm

    • /bin/fmtest (MD5: 2c8834a52faee8d87cff7cd09c4fb946)

    • /var/spool/.sync

    Modified Files

    • /data/etc/crontab

    • /var/spool/cron/crontabs/root

    • /etc/pam.d/sshd

    • /etc/httpd.conf

    Malicious Settings

    • fcgi debug level is 0x80041

    • general to-file ENABLED

    Threat Actor IPs

    • 198.105.127.124

    • 43.228.217.173

    • 43.228.217.82

    • 156.236.76.90

    • 218.187.69.244

    • 218.187.69.59 

    Conclusion

    The active exploitation of CVE-2025-32756 underscores the critical importance of timely vulnerability management. Organizations using Fortinet products, especially FortiVoice, must act swiftly to apply patches and implement recommended mitigations. Continuous monitoring and adherence to security best practices are essential to protect against such threats.

    References

  • CVE-2025-0133: Palo Alto Networks GlobalProtect XSS Vulnerability

    CVE-2025-0133: Palo Alto Networks GlobalProtect XSS Vulnerability

    Summary:

    Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, identified as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software. This flaw allows execution of malicious JavaScript in the browsers of authenticated Captive Portal users when they click on specially crafted links. While the default configuration poses a low risk (CVSS Base Score 2.0), the severity increases to medium (CVSS 5.5) when the Clientless VPN feature is enabled. 

    Risks:

    The primary risk associated with CVE-2025-0133 is credential theft through phishing attacks. Attackers can craft convincing phishing links that appear to originate from the legitimate GlobalProtect portal, tricking users into divulging sensitive information. The vulnerability is particularly concerning for organizations utilizing the Clientless VPN feature, as it elevates the attack’s severity. Although no malicious exploitation has been reported yet, the availability of proof-of-concept exploit code increases the urgency for mitigation. 

    Affected Versions:

    The following PAN-OS versions are affected by CVE-2025-0133:

    • Cloud NGFW: All versions

    • PAN-OS 11.2: Versions prior to 11.2.7

    • PAN-OS 11.1: Versions prior to 11.1.11

    • PAN-OS 10.2: Versions prior to 10.2.17

    • PAN-OS 10.1: All versions

    It’s important to note that Prisma Access is unaffected by this vulnerability. 

    Remediation:

    Palo Alto Networks recommends the following remediation steps:

    • Upgrade PAN-OS:

      • PAN-OS 11.2: Upgrade to version 11.2.7 or later (expected June 2025).

      • PAN-OS 11.1: Upgrade to version 11.1.11 or later (expected July 2025).

      • PAN-OS 10.2: Upgrade to version 10.2.17 or later (expected August 2025).

      • PAN-OS 10.1: Upgrade to version 10.2.17 or later (expected August 2025).

    • Enable Threat Prevention:

      • For customers with a Threat Prevention subscription, enable Threat IDs 510003 and 510004, introduced in Applications and Threats content version 8970.

    • Disable Clientless VPN:

      • Consider disabling the Clientless VPN feature to reduce the attack surface.

    Implementing these measures will help mitigate the risk associated with CVE-2025-0133. 

    Conclusion:

    CVE-2025-0133 presents a significant security concern for organizations using affected versions of PAN-OS, especially those with the Clientless VPN feature enabled. The vulnerability’s potential for credential theft through phishing attacks necessitates prompt action. Organizations should prioritize upgrading to the recommended PAN-OS versions, enable relevant Threat Prevention measures, and educate users to recognize and avoid phishing attempts. Proactive mitigation is essential to safeguard against potential exploitation.

    Reference:

    • Palo Alto Networks Security Advisory: CVE-2025-0133

    • Cyber Security News Article on CVE-2025-0133

  • CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild

    CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild

    Summary:

    Tenable researchers have uncovered a critical zero-day vulnerability (CVE-2025-31324) affecting SAP NetWeaver AS Java systems. The flaw, currently exploited in the wild, stems from a missing authentication check in a servlet responsible for handling certain HTTP requests. If successfully exploited, attackers can achieve unauthenticated remote code execution (RCE), granting them full control over the affected SAP systems. Given SAP’s prominent role in enterprise environments, this vulnerability poses a substantial risk across multiple industries.

    Risks:

    The exploitation of CVE-2025-31324 could have devastating consequences. Attackers could fully compromise an SAP NetWeaver system, leading to unauthorized data access, tampering with business-critical operations, deployment of malware, and lateral movement throughout the network. Given that the vulnerability does not require prior authentication, internet-exposed SAP instances are especially at risk. Organizations leveraging SAP for finance, HR, manufacturing, and logistics are facing significant potential operational and reputational damages.

    Remediation:

    SAP has released a patch to address CVE-2025-31324 in its April 2025 Security Patch Day updates. Organizations should:

    • Apply the SAP-provided patches immediately to affected systems.

    • Audit SAP NetWeaver instances for signs of exploitation.

    • Review exposed SAP services and restrict access where possible.

    • Implement Web Application Firewalls (WAFs) and enhanced monitoring for suspicious activity targeting SAP endpoints.

    It is critical that organizations prioritize patching and security hardening to mitigate risks from active exploitation.

    Conclusion:

    CVE-2025-31324 represents a severe security threat to enterprises relying on SAP NetWeaver. Its active exploitation emphasizes the urgent need for prompt remediation. Given the widespread reliance on SAP’s platform, the fallout from a successful attack could be extensive. Shield53 recommends that all SAP customers act immediately to secure their environments against this critical flaw.

    Reference:

  • Critical Cisco ASA SSH Vulnerability (CVE-2024-20329) Allows Remote Root Access

    Critical Cisco ASA SSH Vulnerability (CVE-2024-20329) Allows Remote Root Access

    Summary

    Cisco has disclosed a critical vulnerability (CVE-2024-20329) in the SSH subsystem of its Adaptive Security Appliance (ASA) Software.

    This flaw allows an authenticated, remote attacker to execute operating system commands as root.

    The vulnerability arises from insufficient validation of user input, enabling attackers to submit crafted input when executing remote CLI commands over SSH. Successful exploitation could grant attackers full control over the affected system.

    Cisco has released software updates to address this issue.

    Risks

    The vulnerability poses a significant threat to organizations utilizing Cisco ASA Software with the CiscoSSH stack enabled.

    An attacker with limited user privileges could exploit this flaw to gain root-level access, leading to potential data breaches, network infiltration, or deployment of malicious software.

    Given the elevated privileges obtained through exploitation, the risk is particularly high for devices exposed to the internet.

    Affected Versions

    • To determine if the CiscoSSH stack is enabled, administrators should verify the SSH configuration in the device’s settings.

    • If the configuration includes a reference to the CiscoSSH stack, the device is in a vulnerable configuration.

    Remediation

    Cisco has released free software updates to address this vulnerability.

    Additionally, as a workaround, administrators can disable the CiscoSSH stack through device configuration settings.

    Note that this change will disconnect active SSH sessions and must be saved to persist across reboots.

    While this workaround has been tested successfully, organizations should assess its applicability and potential impact within their specific environments.

    Conclusion

    Organizations using vulnerable versions of Cisco ASA Software must prioritize upgrading to the latest patched versions to mitigate the risk of exploitation. The critical nature of this vulnerability, combined with the potential for full system compromise, necessitates immediate attention from network security teams.

    References

    • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-erlang-otp-ssh-xyZZy

  • Critical Erlang/OTP SSH Vulnerability (CVE-2025-32433) Puts Systems at Risk

    Critical Erlang/OTP SSH Vulnerability (CVE-2025-32433) Puts Systems at Risk

    Summary

    A critical vulnerability (CVE-2025-32433) has been identified in the Erlang/OTP SSH daemon, allowing unauthenticated attackers to execute arbitrary code remotely. This flaw arises from improper handling of SSH protocol messages, enabling attackers to send connection protocol messages before authentication. The issue affects all devices running the Erlang/OTP SSH daemon, commonly used in telecom infrastructure, databases, and high-availability systems. Public proof-of-concept (PoC) exploits have been released, increasing the urgency for immediate remediation.

    Risks

    The vulnerability poses significant risks due to its ease of exploitation and the widespread use of Erlang/OTP in critical systems. Unauthenticated remote code execution can lead to full system compromise, data breaches, and disruption of services. The availability of public exploits means that threat actors are likely to target vulnerable systems promptly. Given the prevalence of Erlang/OTP in telecom and database systems, the potential impact is substantial.

    Affected Versions

    Devices running Erlang/OTP versions prior to 25.3.2.10 and 26.2.4 are affected. Systems utilizing the Erlang/OTP SSH daemon, including those running CouchDB and other Erlang-based applications, are vulnerable.

    Remediation

    To mitigate the risk:

    1. Upgrade Erlang/OTP: Update to versions 25.3.2.10 or 26.2.4, which contain the patch for this vulnerability.

    2. Identify Affected Systems: Audit your infrastructure to locate systems running vulnerable versions of Erlang/OTP.

    3. Restrict SSH Access: Implement firewall rules to limit SSH access to trusted IP addresses.

    4. Monitor for Indicators of Compromise: Keep an eye on system logs and network traffic for unusual activity.

    Given the critical nature of this vulnerability and the availability of public exploits, immediate action is essential to protect your systems.

    Conclusion

    The CVE-2025-32433 vulnerability in Erlang/OTP’s SSH daemon is a severe security issue that requires prompt attention. Organizations should prioritize updating affected systems, restricting SSH access, and monitoring for potential exploitation attempts. Failure to address this vulnerability could result in significant security breaches and operational disruptions.

  • Fortinet Ends SSL VPN Support

    Fortinet Ends SSL VPN Support

    Summary

    Fortinet has announced the end of support for SSL VPN on several of its older devices, a move aimed at enhancing security and ensuring compatibility with modern cryptographic standards. This termination includes FortiOS versions running on models that do not support TLS 1.2 or higher. The company cites the need to mitigate cybersecurity risks stemming from legacy encryption protocols like TLS 1.0 and 1.1, which are no longer considered secure. Fortinet has urged all users to transition to newer hardware and software that support current encryption practices.

    Risks

    Continuing to use SSL VPN on outdated Fortinet hardware and firmware exposes organizations to significant security risks. The primary concern is the use of deprecated TLS versions, which are vulnerable to several known attacks, such as POODLE, BEAST, and various man-in-the-middle exploits. Devices still relying on these insecure protocols can be easily targeted by attackers, putting sensitive data and network integrity at risk. Moreover, the lack of support means no future security patches or updates, leaving known vulnerabilities unaddressed.

    Affected Version

    Fortinet has not released a comprehensive list of exact versions affected, but the change primarily impacts older devices and FortiOS versions that only support TLS 1.0 and 1.1. Users running FortiOS versions on legacy hardware that do not meet the TLS 1.2 requirement should assume they are affected and begin transition planning immediately.

    Remediation

    Organizations currently using SSL VPN on Fortinet hardware that does not support TLS 1.2 should take the following steps:

    1. Assess Devices: Identify and audit all Fortinet devices in use to determine which models support TLS 1.2 or higher.

    2. Upgrade Hardware: Replace unsupported legacy devices with newer models that comply with modern encryption standards.

    3. Update Firmware: Ensure that all devices are running FortiOS versions that support TLS 1.2 or above.

    4. Transition from SSL VPN: Consider moving to Fortinet’s IPSec VPN or other secure remote access solutions as alternatives to deprecated SSL VPN setups.

    Conclusion

    The end of SSL VPN support on older Fortinet devices reflects a necessary step in improving cybersecurity posture across enterprise environments. With threats evolving rapidly and encryption standards tightening, organizations must proactively retire vulnerable systems. Failing to upgrade not only violates best practices but also leaves businesses exposed to potentially catastrophic breaches. By upgrading to supported devices and protocols, enterprises can safeguard their infrastructure and align with modern security frameworks.

  • Fortinet FortiGate 0-Day Allegedly for Sale on Dark Web: What Enterprises Need to Know

    Fortinet FortiGate 0-Day Allegedly for Sale on Dark Web: What Enterprises Need to Know

    A threat actor claims that a previously unknown vulnerability commonly referred to as a zero-day affecting Fortinet’s FortiGate firewalls is being sold on the dark web. This development poses a potentially serious risk to enterprises relying on Fortinet for perimeter defense.

     

    Overview of the Threat

    • A user operating under the alias “Racoon Hacker” has advertised what they claim is a zero-day remote code execution (RCE) exploit impacting FortiGate devices running FortiOS versions 7.2.0 through 7.4.2. According to the threat actor, the exploit enables unauthenticated, remote access with full root privileges.

    • The exploit is being offered for $10,000 USD in cryptocurrency—a low price given the potential impact, suggesting either an effort to disseminate quickly or a question of credibility. However, the forum on which the exploit was posted has a reputation for hosting legitimate threat actor activity, prompting serious concern within the cybersecurity community.

     

    Fortinet as a High-Value Target

    • FortiGate appliances are widely used in enterprise networks to provide firewall, VPN, and security services. Their deployment at the network edge makes them attractive targets for both criminal threat actors and nation-state groups. A successful compromise of these devices could provide direct access to internal systems, allowing lateral movement, data exfiltration, or command and control activities.

    • This is not the first time Fortinet devices have been in the spotlight. Past vulnerabilities, such as CVE-2022-40684 and CVE-2023-27997, have been actively exploited, often before patches were widely applied. The continued targeting of Fortinet solutions highlights the need for rigorous vulnerability management and network segmentation.

     

    Recommended Actions for Enterprises

    While the exploit has not yet been independently confirmed or released publicly, organizations should take a proactive stance:

    • Restrict Exposure: Limit external access to FortiGate management interfaces using IP allowlisting or VPN gateways.

    • Review and Patch FortiOS: Ensure all FortiGate devices are running the most current version of FortiOS. While the exploit reportedly affects versions up to 7.4.2, staying current is critical to mitigate both known and emerging vulnerabilities.

    • Enable Multi-Factor Authentication: Implement MFA on all administrative interfaces to reduce the risk of unauthorized access.

    • Monitor Logs and Network Activity: Closely inspect FortiGate logs and network traffic for anomalies, particularly those involving remote access attempts.

    • Segment Critical Assets: Reduce lateral movement risk by segmenting high-value systems and applying strict access controls.

     

    Vendor Response

    • As of the time of writing, Fortinet has not released an official statement regarding this alleged zero-day vulnerability. Organizations are encouraged to monitor Fortinet’s security advisories and threat intelligence channels for updates.

    While it remains to be seen whether the Fortinet zero-day exploit being advertised is authentic, the potential risk warrants immediate attention from security teams. In today’s threat landscape, early awareness and swift action can make the difference between a thwarted attempt and a serious breach.

  • Cisco Meraki and ECE Vulnerabilities Enable Remote DoS Attacks

    Cisco Meraki and ECE Vulnerabilities Enable Remote DoS Attacks

    Summary:

    Cisco has disclosed multiple high-severity vulnerabilities affecting its Meraki and Emergency Calling and Education (ECE) products. These flaws, identified under various CVEs, allow remote attackers to launch Denial-of-Service (DoS) attacks by exploiting improper input validation and memory handling. Successful exploitation could cause affected devices or services to reload unexpectedly, disrupting critical operations, especially in network and communication infrastructures.

    Risks:

    The vulnerabilities pose serious operational risks, particularly in environments relying on Meraki cloud-managed devices or ECE systems for real-time communication. A remote attacker could exploit these flaws to crash services or devices, potentially leading to network outages, disrupted emergency communications, and degraded service availability. The lack of user interaction required to trigger the DoS makes these flaws especially dangerous in exposed or internet-facing deployments.

    Affected Version:

    While Cisco did not list specific version numbers in the public advisory, the vulnerabilities affect various Meraki products and the ECE solution. Organizations should refer to Cisco’s official security advisory and tools to check if their deployment is vulnerable.

    Remediation:

    Cisco has released patches to address all known vulnerabilities. Administrators are urged to:

    • Apply the latest software updates immediately

    • Use Cisco’s Software Checker to identify affected versions

    • Limit network exposure of devices where possible

    • Monitor systems for unusual service interruptions

    Conclusion:

    Organizations using Cisco Meraki or ECE products should treat these DoS vulnerabilities with urgency. Even though the vulnerabilities don’t allow code execution or data exfiltration, the ease of exploitation and potential for significant service disruption make them a high-priority issue. Regular patch management and vigilant monitoring are essential to safeguarding your network infrastructure.

    Reference:

    https://www.securityweek.com/vulnerabilities-expose-cisco-meraki-and-ece-products-to-dos-attacks/

  • Critical OpenVPN Vulnerability (CVE-2024-27459) Lets Remote Attackers Crash VPN Servers

    Critical OpenVPN Vulnerability (CVE-2024-27459) Lets Remote Attackers Crash VPN Servers

    Summary:

    A recently disclosed vulnerability in OpenVPN, identified as CVE-2024-27459, allows remote attackers to crash VPN servers by sending malformed IPv6 packets. The flaw stems from improper handling of IPv6 routes during peer connection processing, which results in a segmentation fault. This denial-of-service (DoS) condition could severely disrupt business operations dependent on OpenVPN for secure connectivity.

    Risks:

    This vulnerability introduces a significant denial-of-service (DoS) risk to organizations using OpenVPN, particularly in environments with IPv6 enabled. An unauthenticated attacker can remotely trigger a server crash, potentially cutting off access to critical infrastructure or private networks. While it does not enable remote code execution or data theft directly, the service disruption could open doors to broader attacks or cause cascading effects in interconnected systems.

    Affected Version:

    The vulnerability affects OpenVPN version 2.6.6 when IPv6 and –peer-id options are used together. Older or differently configured versions may not be impacted, but organizations should review configurations thoroughly.

    Remediation:

    The OpenVPN team has addressed the issue in version 2.6.7. Users are strongly advised to upgrade to this version immediately. In addition to patching, administrators should also consider auditing IPv6 configurations and limiting exposure to potentially malicious peers until the update is applied.

    Conclusion:

    Organizations relying on OpenVPN should treat CVE-2024-27459 as a high-priority issue. Although it doesn’t enable full system compromise, the ability for attackers to crash VPN servers remotely poses a serious operational risk. Prompt updates and configuration reviews are essential to maintaining secure and uninterrupted VPN services.