Shield53

Category: Cybersecurity

  • Critical Erlang/OTP SSH Vulnerability (CVE-2025-32433) Puts Systems at Risk

    Critical Erlang/OTP SSH Vulnerability (CVE-2025-32433) Puts Systems at Risk

    Summary

    A critical vulnerability (CVE-2025-32433) has been identified in the Erlang/OTP SSH daemon, allowing unauthenticated attackers to execute arbitrary code remotely. This flaw arises from improper handling of SSH protocol messages, enabling attackers to send connection protocol messages before authentication. The issue affects all devices running the Erlang/OTP SSH daemon, commonly used in telecom infrastructure, databases, and high-availability systems. Public proof-of-concept (PoC) exploits have been released, increasing the urgency for immediate remediation.

    Risks

    The vulnerability poses significant risks due to its ease of exploitation and the widespread use of Erlang/OTP in critical systems. Unauthenticated remote code execution can lead to full system compromise, data breaches, and disruption of services. The availability of public exploits means that threat actors are likely to target vulnerable systems promptly. Given the prevalence of Erlang/OTP in telecom and database systems, the potential impact is substantial.

    Affected Versions

    Devices running Erlang/OTP versions prior to 25.3.2.10 and 26.2.4 are affected. Systems utilizing the Erlang/OTP SSH daemon, including those running CouchDB and other Erlang-based applications, are vulnerable.

    Remediation

    To mitigate the risk:

    1. Upgrade Erlang/OTP: Update to versions 25.3.2.10 or 26.2.4, which contain the patch for this vulnerability.

    2. Identify Affected Systems: Audit your infrastructure to locate systems running vulnerable versions of Erlang/OTP.

    3. Restrict SSH Access: Implement firewall rules to limit SSH access to trusted IP addresses.

    4. Monitor for Indicators of Compromise: Keep an eye on system logs and network traffic for unusual activity.

    Given the critical nature of this vulnerability and the availability of public exploits, immediate action is essential to protect your systems.

    Conclusion

    The CVE-2025-32433 vulnerability in Erlang/OTP’s SSH daemon is a severe security issue that requires prompt attention. Organizations should prioritize updating affected systems, restricting SSH access, and monitoring for potential exploitation attempts. Failure to address this vulnerability could result in significant security breaches and operational disruptions.

  • Fortinet Ends SSL VPN Support

    Fortinet Ends SSL VPN Support

    Summary

    Fortinet has announced the end of support for SSL VPN on several of its older devices, a move aimed at enhancing security and ensuring compatibility with modern cryptographic standards. This termination includes FortiOS versions running on models that do not support TLS 1.2 or higher. The company cites the need to mitigate cybersecurity risks stemming from legacy encryption protocols like TLS 1.0 and 1.1, which are no longer considered secure. Fortinet has urged all users to transition to newer hardware and software that support current encryption practices.

    Risks

    Continuing to use SSL VPN on outdated Fortinet hardware and firmware exposes organizations to significant security risks. The primary concern is the use of deprecated TLS versions, which are vulnerable to several known attacks, such as POODLE, BEAST, and various man-in-the-middle exploits. Devices still relying on these insecure protocols can be easily targeted by attackers, putting sensitive data and network integrity at risk. Moreover, the lack of support means no future security patches or updates, leaving known vulnerabilities unaddressed.

    Affected Version

    Fortinet has not released a comprehensive list of exact versions affected, but the change primarily impacts older devices and FortiOS versions that only support TLS 1.0 and 1.1. Users running FortiOS versions on legacy hardware that do not meet the TLS 1.2 requirement should assume they are affected and begin transition planning immediately.

    Remediation

    Organizations currently using SSL VPN on Fortinet hardware that does not support TLS 1.2 should take the following steps:

    1. Assess Devices: Identify and audit all Fortinet devices in use to determine which models support TLS 1.2 or higher.

    2. Upgrade Hardware: Replace unsupported legacy devices with newer models that comply with modern encryption standards.

    3. Update Firmware: Ensure that all devices are running FortiOS versions that support TLS 1.2 or above.

    4. Transition from SSL VPN: Consider moving to Fortinet’s IPSec VPN or other secure remote access solutions as alternatives to deprecated SSL VPN setups.

    Conclusion

    The end of SSL VPN support on older Fortinet devices reflects a necessary step in improving cybersecurity posture across enterprise environments. With threats evolving rapidly and encryption standards tightening, organizations must proactively retire vulnerable systems. Failing to upgrade not only violates best practices but also leaves businesses exposed to potentially catastrophic breaches. By upgrading to supported devices and protocols, enterprises can safeguard their infrastructure and align with modern security frameworks.

  • CVE-2025-2825: A Critical Authentication Bypass in CrushFTP Threatens Enterprise File Transfer Infrastructure

    CVE-2025-2825: A Critical Authentication Bypass in CrushFTP Threatens Enterprise File Transfer Infrastructure

    Enterprise file transfer solutions are foundational to modern digital operations. Whether moving sensitive data between internal systems, synchronizing with partners, or supporting cloud workflows, these platforms must strike a careful balance between functionality, performance, and—most importantly—security.

    CrushFTP, a popular multi-protocol file transfer server, has built a strong reputation for its robust features, including Amazon S3-compatible API access, web-based administration, and support for protocols like FTP, SFTP, HTTP/S, and WebDAV. However, the discovery of a critical vulnerabilityCVE-2025-2825—in recent CrushFTP versions underscores how even mature, feature-rich systems can be undermined by small implementation flaws.

    The Vulnerability: CVE-2025-2825

    Discovered and responsibly disclosed by researchers at Outpost24, this vulnerability affects CrushFTP versions:

    10.0.0 through 10.8.3

    11.0.0 through 11.3.0

    The flaw received a CVSS score of 9.8 (Critical) due to the following characteristics:

    Unauthenticated access: No credentials are needed to exploit the issue.

    Network-based attack vector: Exploits can be launched remotely over the network.

    Low complexity: No special conditions or user interaction are required.

    High impact: Allows full unauthorized access to data and system resources.

    At its core, the vulnerability arises from a flawed use of authentication flags—a classic example of how shared state or reused logic in security-critical paths can unravel protection layers.

    The Root Cause: Dual-Purpose Flags and Security Drift

    CrushFTP reused a flag that was meant for session state tracking in both authorization checks and request handling paths. As a result, unauthenticated requests could be mistakenly treated as authenticated under certain conditions—leading to full access without valid credentials.

    This isn’t just a case of a “bug”—it’s a systemic issue tied to software design. When authentication and session management logic becomes entangled with operational logic, it opens the door for precisely this type of critical failure.

    Mitigation Steps

    If you’re using CrushFTP in your organization, take the following steps immediately:

    1. Update CrushFTP to version 10.8.4 or 11.3.1 or later.

    2. Audit access logs for signs of unusual or unauthorized activity, especially unauthenticated access to privileged endpoints.

    3. Review your deployment posture—ensure CrushFTP is not exposed directly to the internet unless absolutely necessary.

    4. Isolate file transfer servers within secure network zones, behind gateways and firewalls.

    Final Thoughts

    At Shield53, we continually emphasize that security posture is defined not only by the technologies you use—but how they’re implemented and maintained. CVE-2025-2825 illustrates how a single overlooked detail in authentication logic can expose critical infrastructure to attack.

  • High-Severity Cloud Security Alerts Tripled in 2024: What Your Organization Needs to Know

    High-Severity Cloud Security Alerts Tripled in 2024: What Your Organization Needs to Know

    Summary:

    A new report from Orca Security reveals that high-severity cloud security alerts tripled in 2024, signaling a concerning trend in cloud infrastructure risks. These alerts, often associated with misconfigured workloads and exposed secrets, are increasingly common as organizations accelerate cloud adoption. Misconfigurations in Identity and Access Management (IAM) and neglect of remediation practices are among the leading contributors. The findings underscore a growing attack surface and an urgent need for improved visibility and risk prioritization.

    Risks:

    The surge in high-severity cloud alerts points to multiple critical security issues, including exposed credentials, unrestricted inbound ports, and misconfigured IAM policies. These flaws can lead to unauthorized access, data breaches, and lateral movement across cloud environments. Particularly at risk are organizations with hybrid or multi-cloud deployments that lack comprehensive monitoring and automated remediation strategies. If left unaddressed, these weaknesses can be exploited by attackers to compromise entire cloud infrastructures.

    Remediation:

    Organizations must prioritize continuous cloud security posture management (CSPM) and automate alert triage processes. Recommendations include:

    • Implement real-time monitoring for sensitive workloads and exposed secrets.

    • Regularly audit IAM roles and restrict permissions following the principle of least privilege.

    • Patch misconfigurations promptly using tools that support automated remediation.

    • Enhance visibility across multi-cloud environments with unified security platforms.

    • Adopt zero-trust architecture and identity-based segmentation to contain potential breaches.

    Conclusion:

    As cloud usage grows, so does the attack surface. The tripling of high-severity cloud security alerts in 2024 should serve as a wake-up call to strengthen cloud governance and incident response capabilities. A proactive approach—centered around visibility, automation, and access control—will be crucial for organizations looking to stay ahead of cloud threats.

  • Critical Windows Server LDAP Vulnerability CVE-2024-49113 Exposes Systems to Remote DoS Attacks

    Critical Windows Server LDAP Vulnerability CVE-2024-49113 Exposes Systems to Remote DoS Attacks

    Summary:

    A critical vulnerability, identified as CVE-2024-49113, has been discovered in Windows Server’s Lightweight Directory Access Protocol (LDAP). This flaw allows remote attackers to crash unpatched Windows Servers by sending specially crafted LDAP requests, leading to a denial-of-service (DoS) condition. SafeBreach Labs has published a proof-of-concept (PoC) exploit demonstrating the vulnerability’s impact.

    Risks:

    Exploiting CVE-2024-49113 can result in significant disruptions, particularly for organizations relying on Active Directory Domain Controllers (DCs). Successful exploitation could render these servers unresponsive, disrupting authentication services and potentially leading to broader network outages.

    Affected Versions:

    All unpatched Windows Servers running the vulnerable LDAP implementation are at risk. Organizations should verify their systems against the latest security advisories to determine exposure.

    Remediation:

    Microsoft has addressed this vulnerability in their December 10, 2024, Patch Tuesday update. Administrators are strongly advised to apply the latest security patches immediately to mitigate the risk associated with CVE-2024-49113.

    Conclusion:

    The publication of this PoC by SafeBreach Labs underscores the critical nature of CVE-2024-49113. Organizations should prioritize patching their Windows Servers to protect against potential DoS attacks targeting this vulnerability.

    Reference:

  • Recent Info Stealer Phishing Campaigns

    Recent Info Stealer Phishing Campaigns

    This article presents a detailed analysis of a stealer campaign exploiting CVE-2024-21412, a security bypass vulnerability in Microsoft Windows SmartScreen. The vulnerability enables remote attackers to bypass the SmartScreen security warning dialog, thereby facilitating the delivery of malicious files. Over the past year, notorious threat actors such as Water Hydra, Lumma Stealer, and Meduza Stealer have leveraged this vulnerability to execute various malicious campaigns.

    Attack Methodology

    The campaign begins with the attacker constructing a malicious link that leads to a URL file. Once the victim interacts with the link, it downloads an LNK file, which in turn fetches an executable file embedding an HTA script. This script decodes and decrypts PowerShell code, which subsequently downloads additional files, including a decoy PDF and a malicious shell code injector.

    Stealer Deployment and Injector Techniques

    The campaign employs two main types of shell code injectors:

    1. Image-Based Injector: This injector downloads a seemingly harmless image file, from which it extracts shell code through pixel manipulation using the Windows API GdipBitmapGetPixel. The shell code is then executed to download and deploy stealers such as HijackLoader, Lumma Stealer, and ACR Stealer.

    2. Straightforward Injector: This injector decrypts its code from the data section and uses a sequence of Windows API functions (like NtCreateSection and NtMapViewOfSection) to inject the shell code, ultimately deploying the Meduza Stealer.

    Final Payloads

    The attack culminates in the deployment of various stealer variants, including Meduza Stealer and ACR Stealer. These stealers are capable of exfiltrating sensitive data, including browser credentials, cryptocurrency wallets, FTP clients, email clients, and even specific Chrome extensions. The Meduza Stealer communicates with its C2 server via a panel, while the ACR Stealer uses a dead drop resolver technique, leveraging platforms like Steam to hide its C2 communications.

    Mitigation Strategies

    To counteract such sophisticated attack vectors, it is imperative for organizations to:

    • Educate Users: Users should be made aware of the risks associated with downloading and executing files from unverified sources.

    • Implement Robust Security Protocols: Proactive security measures, including advanced endpoint detection and response (EDR) systems, should be employed.

    • Regular Security Audits: Organizations should conduct frequent security audits and vulnerability assessments to identify and mitigate potential risks.

    Conclusion

    This stealer campaign underscores the evolving tactics employed by cybercriminals to bypass security measures and execute sophisticated attacks. Organizations must remain vigilant and adapt their cybersecurity strategies to address these advanced threats effectively.

    Reference

    Detailed InfoStealer Investigation by Fortinet Team: https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-stealer-campaign-unleashed

  • The Evolving Threat of Ransomware: A New Tool to Disable EDR

    The Evolving Threat of Ransomware: A New Tool to Disable EDR

    Introduction

    As ransomware threats evolve, so do the tools and tactics employed by cybercriminals. A recent warning from cybersecurity experts highlights a new capability in a tool used by ransomware gangs, which could significantly impact the efficacy of endpoint protection software.

    The Emergence of Poortry/BurntCigar

    Sophos researchers have recently identified the use of an updated toolset, known as Poortry or BurntCigar, by ransomware groups. Traditionally, this toolset was known for its ability to terminate the processes of Endpoint Detection and Response (EDR) systems, allowing ransomware to infiltrate systems with minimal resistance. However, in a concerning development, this tool has now been observed to completely delete EDR components from victim systems.

    The New Threat Landscape

    This new capability was first reported by Trend Micro last year, but the recent Sophos investigation marks the first time this EDR-wiping functionality has been seen in action. The implications are significant: by eliminating EDR software, ransomware groups can clear the way for their malware to operate unchecked, making it even more challenging for defenders to respond in time.

    Implications for Cybersecurity

    The ability to wipe out EDR software represents a serious escalation in the capabilities of ransomware gangs. It underscores the need for organizations to adopt a multi-layered security approach that includes regular backups, network segmentation, and robust incident response strategies.

    Conclusion

    As ransomware tools become more sophisticated, cybersecurity defenses must evolve in tandem. The discovery of Poortry’s enhanced EDR-wiping ability is a stark reminder that the fight against ransomware is far from over. Continuous vigilance, combined with adaptive security measures, is essential to protect against these ever-evolving threats.

    Call to Action

    Stay informed about the latest cybersecurity threats and ensure your organization’s defenses are up to date. Consider conducting regular security assessments and investing in advanced threat detection capabilities to stay ahead of cybercriminals.

  • SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access

    SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access

    SonicWall has issued an urgent patch to fix a critical vulnerability in its SonicOS firewall operating system, designated as CVE-2024-40766. This flaw, which has a CVSS severity score of 9.3, is due to improper access control in the management interface of SonicOS. If exploited, it could allow unauthorized access to the firewall, potentially leading to a complete system compromise or even causing the firewall to crash under certain conditions.

    Affected Versions

    The vulnerability impacts multiple generations of SonicWall firewalls, specifically:

    • Gen 5 Firewalls: All devices running SonicOS versions prior to 5.9.2.14-13o.

    • Gen 6 Firewalls:

      • SM9800, NSsp 12400, and NSsp 12800 running SonicOS 6.5.2.8-2n.

      • Other Gen 6 Firewall appliances running SonicOS 6.5.4.15.116n.

    • Gen 7 Firewalls: Devices running SonicOS versions 7.0.1-5035 and older.

    The vulnerability is not reproducible on Gen 7 devices running SonicOS firmware versions higher than 7.0.1-5035, but SonicWall still advises updating to the latest firmware version to ensure security​ risk is mitigated

    Resolution and Mitigation

    SonicWall has provided firmware updates that address the vulnerability across all affected versions. Users are strongly encouraged to apply these updates as soon as possible. The specific firmware versions that resolve the issue include:

    • Gen 5 Firewalls: Upgrade to SonicOS 5.9.2.14-13o.

    • Gen 6 Firewalls:

      • SM9800, NSsp 12400, and NSsp 12800 should upgrade to SonicOS 6.5.2.8-2n.

      • Other Gen 6 Firewall appliances should upgrade to SonicOS 6.5.4.15.116n.

    • Gen 7 Firewalls: Upgrade to a version higher than SonicOS 7.0.1-5035.

    For administrators who are unable to immediately install the patch, SonicWall recommends temporary workarounds to mitigate potential risks. These include restricting firewall management access to trusted IP addresses or completely disabling WAN management access from the internet​.

    Given the critical nature of this vulnerability and the potential for exploitation, it is imperative that organizations take swift action to secure their systems.

  • Zero-Click Windows TCP/IP RCE: Understanding the Vulnerability and Its Impact on IPv6-Enabled Systems

    Zero-Click Windows TCP/IP RCE: Understanding the Vulnerability and Its Impact on IPv6-Enabled Systems

    Introduction

    In the ever-evolving landscape of cybersecurity, vulnerabilities in widely-used software can pose significant threats to organizations and individuals alike. One such recent discovery is a zero-click vulnerability in Windows TCP/IP, specifically affecting systems with IPv6 enabled. This vulnerability, categorized as a Remote Code Execution (RCE), has been patched by Microsoft, but its implications are far-reaching, affecting all Windows systems with IPv6 enabled.

    This blog post will delve into the technical details of this vulnerability, its potential impact, and the importance of promptly applying the security patch provided by Microsoft.

    Understanding the Vulnerability: CVE-2024-xxxxx

    The vulnerability in question has been assigned the identifier CVE-2024-xxxxx. It resides in the TCP/IP stack implementation within Windows, specifically when handling IPv6 packets. The flaw is triggered when an attacker sends a specially crafted packet to a vulnerable system. What makes this vulnerability particularly concerning is its “zero-click” nature, meaning that the victim does not need to interact with the malicious payload for the attack to succeed.

    Technical Details:

    1. IPv6 and Windows TCP/IP Stack: IPv6 is the latest version of the Internet Protocol (IP) and is designed to replace IPv4. It introduces a larger address space and improved routing capabilities. The TCP/IP stack in Windows manages the handling and routing of these IP packets. In this vulnerability, the flaw lies in how the stack processes incoming IPv6 packets.

    2. The Zero-Click Exploit: The exploit works by sending a malformed IPv6 packet that the TCP/IP stack incorrectly processes. This incorrect processing leads to a buffer overflow or other memory corruption, which can then be leveraged by an attacker to execute arbitrary code on the target system.

    3. Remote Code Execution (RCE): Once the exploit is successful, the attacker gains the ability to execute code on the target machine. This could range from installing malware, extracting sensitive information, or gaining further access to the network.

    Impact and Potential Risks

    The impact of this vulnerability is significant due to its widespread applicability. Any Windows system with IPv6 enabled is potentially at risk, including both client and server systems. Given the nature of the exploit, which requires no user interaction, it is particularly dangerous in environments where systems may not have regular oversight or monitoring.

    Potential Scenarios:

    1. Corporate Networks: In corporate environments, an attacker could use this vulnerability to gain a foothold within the network. From there, lateral movement could lead to broader network compromise, data exfiltration, or even the deployment of ransomware.

    2. Critical Infrastructure: Systems that are part of critical infrastructure and rely on Windows for operation could be targeted. The potential for disruption in such environments is considerable, especially if the attacker manages to take control of key systems.

    3. Home Users: While corporate and enterprise environments are high-value targets, home users are not immune. Compromised personal computers could be used as part of a botnet or for launching further attacks.

    Microsoft’s Response and Patch

    Microsoft has responded to this vulnerability by issuing a security patch as part of their regular update cycle. The patch addresses the flaw in the TCP/IP stack and ensures that the malformed IPv6 packets no longer trigger the vulnerability. Users and administrators are strongly urged to apply this patch immediately to mitigate the risk of exploitation.

    Steps to Apply the Patch:

    1. Windows Update: The patch is available through Windows Update. Users should ensure their systems are set to automatically receive updates or manually check for updates via the Settings > Update & Security > Windows Update menu.

    2. WSUS and SCCM: For enterprise environments, the patch is also available via Windows Server Update Services (WSUS) and System Center Configuration Manager (SCCM). Administrators should prioritize the deployment of this patch across all affected systems.

    3. Verification: After applying the patch, it is advisable to verify that the system has been updated correctly. This can be done by checking the installed update list or by running Windows version commands to confirm the patch has been applied.

    Conclusion

    The zero-click Windows TCP/IP RCE vulnerability is a stark reminder of the importance of maintaining up-to-date systems and the potential dangers of unpatched software. While the immediate risk can be mitigated by applying the patch provided by Microsoft, the broader implications of such vulnerabilities underscore the need for vigilance in cybersecurity practices.

    By understanding the technical details and the potential impact of this vulnerability, organizations and individuals can better appreciate the importance of timely patching and proactive defense measures. As the cybersecurity landscape continues to evolve, staying informed and prepared is crucial to safeguarding digital assets.

    Call to Action

    If you manage Windows systems, ensure that all devices have been updated with the latest security patches. Consider conducting a security audit to identify any other potential vulnerabilities and reinforce your organization’s overall cybersecurity posture.

    For further information on this vulnerability and other recent security updates, refer to Microsoft’s official security update guide and stay tuned for more technical insights on emerging threats.

  • Critical Patches Released for BIG-IP and NGINX Plus: Addressing High-Severity Vulnerabilities

    Critical Patches Released for BIG-IP and NGINX Plus: Addressing High-Severity Vulnerabilities

    F5 Networks recently addressed multiple high-severity vulnerabilities affecting their BIG-IP and NGINX Plus products. Here’s a breakdown of the key vulnerabilities:

    1. BIG-IP Next Central Manager (CVE-2024-39809): Insufficient session expiration, which could allow an attacker to maintain unauthorized access. Versions prior to the patched release are affected.

    2. BIG-IP Traffic Management Microkernel (TMM) (CVE-2024-39778): This DoS vulnerability affects the TMM component, leading to potential service disruptions. Specific versions impacted include those prior to the fixed update.

    3. NGINX Plus (CVE-2024-39792): The MQTT filter module has a resource consumption flaw that could be exploited to cause a denial of service. Versions before the patch are vulnerable.

    Attack Surface:

    • CVE-2024-39809: Exploitation requires access to a session that hasn’t been properly terminated.

    • CVE-2024-39778: An attacker could flood the TMM with malicious traffic, disrupting service.

    • CVE-2024-39792: Malicious MQTT messages could deplete system resources, leading to downtime.

    Recommendations:

    • Patch Immediately: Apply the latest security updates provided by F5 to mitigate these vulnerabilities.

    • Session Management: Review and improve session management policies to prevent unauthorized access.

    • Monitoring and Response: Implement monitoring to detect and respond to DoS attacks, particularly on the TMM component.

    Staying updated with the latest patches and maintaining rigorous security practices are critical to protecting your infrastructure from these vulnerabilities.

    For detailed information, visit the SecurityWeek article.