Category: Vulnerability

Summary

A critical path equivalence vulnerability (CVE-2025-24813) has been identified in Apache Tomcat, allowing unauthenticated remote code execution (RCE) under specific server configurations. Disclosed on March 10, 2025, this flaw affects multiple versions of Apache Tomcat and has been actively exploited in the wild following the release of a public proof-of-concept (PoC) exploit. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities catalog on April 1, 2025.

Risks

Exploitation of CVE-2025-24813 enables attackers to achieve remote code execution by exploiting how Apache Tomcat processes file paths internally, particularly in handling partial PUT requests and session file persistence. Successful attacks can lead to unauthorized access to restricted directories, information leakage, and injection of malicious content, potentially corrupting critical server configuration files. The vulnerability specifically affects the server’s internal mapping of file paths, where slashes are converted to dots in the DefaultServlet’s path mapping logic.

Affected Versions

• Apache Tomcat 11.0.0-M1 through 11.0.2

• Apache Tomcat 10.1.0-M1 through 10.1.34

• Apache Tomcat 9.0.0-M1 through 9.0.98

• Additionally, versions 8.5.0 to 8.5.98 and 8.5.100 are also vulnerable, though not included in Apache’s initial advisory. 

Remediation

Organizations are strongly advised to upgrade to the following patched versions to mitigate this vulnerability:

• Apache Tomcat 11.0.3

• Apache Tomcat 10.1.35

• Apache Tomcat 9.0.99

Additional mitigation strategies include:

• Disabling unnecessary HTTP methods, such as PUT, to reduce attack surfaces.

• Enforcing strict access controls to limit unauthorized access.

• Deploying Web Application Firewalls (WAFs) with specific rules to detect and block exploitation attempts of CVE-2025-24813.

Conclusion

CVE-2025-24813 poses a significant threat due to its potential for unauthenticated remote code execution and active exploitation in the wild. Organizations using affected versions of Apache Tomcat should prioritize upgrading to the patched versions and implement recommended mitigation strategies to protect their systems from potential attacks.

Summary

Fortinet has disclosed a critical stack-based buffer overflow vulnerability, identified as CVE-2025-32756, affecting multiple products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. This flaw allows remote, unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests. The vulnerability has been actively exploited in the wild, with confirmed attacks targeting FortiVoice systems.

Risks

Exploitation of CVE-2025-32756 poses significant risks:

• Remote Code Execution: Attackers can gain full control over affected systems without authentication.

• Credential Theft: Enabling FCGI debugging allows attackers to log system and SSH credentials.

• Persistence and Lateral Movement: Malicious cron jobs and modified system files facilitate ongoing access and potential spread within networks.

• Data Exfiltration: Sensitive information can be extracted, leading to potential data breaches.

Affected Versions

The following product versions are impacted:

• FortiVoice: 6.4.0–6.4.10, 7.0.0–7.0.6, 7.2.0

• FortiMail: 7.0.0–7.0.8, 7.2.0–7.2.7, 7.4.0–7.4.4, 7.6.0–7.6.2

• FortiNDR: 1.1–1.5, 7.0.0–7.0.6, 7.2.0–7.2.4, 7.4.0–7.4.7, 7.6.0

• FortiRecorder: 6.4.0–6.4.5, 7.0.0–7.0.5, 7.2.0–7.2.3

• FortiCamera: 1.1, 2.0, 2.1.0–2.1.3

Users are advised to upgrade to the latest versions to mitigate the vulnerability.

Remediation

Fortinet has released patches addressing CVE-2025-32756 for all affected products. Organizations should:

1. Apply Patches: Update to the latest firmware versions as specified in Fortinet’s advisory.

2. Disable HTTP/HTTPS Administrative Interface: If immediate patching isn’t feasible, disable these interfaces to reduce exposure.

3. Review System Logs: Check for indicators of compromise, such as unusual log entries or unauthorized system modifications.

4. Monitor Network Activity: Be vigilant for signs of lateral movement or data exfiltration.

Implementing these steps will help safeguard systems against potential exploitation.

Indicators of Compromise (IoCs)

Fortinet has identified several IoCs associated with the exploitation of CVE-2025-32756:

Log Entries

• [fcgid:warn] [pid 1829] [client x.x.x.x:x] mod_fcgid: error reading data, FastCGI server closed connection

• [fcgid:error] [pid 1503] mod_fcgid: process /migadmin/www/fcgi/admin.fe(1741) exit(communication error), get unexpected signal 11

Malicious Files

• /bin/wpad_ac_helper (MD5: 4410352e110f82eabc0bf160bec41d21)

• /bin/busybox (MD5: ebce43017d2cb316ea45e08374de7315, 489821c38f429a21e1ea821f8460e590)

• /lib/libfmlogin.so (MD5: 364929c45703a84347064e2d5de45bcd)

• /tmp/.sshdpm

• /bin/fmtest (MD5: 2c8834a52faee8d87cff7cd09c4fb946)

• /var/spool/.sync

Modified Files

• /data/etc/crontab

• /var/spool/cron/crontabs/root

• /etc/pam.d/sshd

• /etc/httpd.conf

Malicious Settings

• fcgi debug level is 0x80041

• general to-file ENABLED

Threat Actor IPs

• 198.105.127.124

• 43.228.217.173

• 43.228.217.82

• 156.236.76.90

• 218.187.69.244

• 218.187.69.59 

Conclusion

The active exploitation of CVE-2025-32756 underscores the critical importance of timely vulnerability management. Organizations using Fortinet products, especially FortiVoice, must act swiftly to apply patches and implement recommended mitigations. Continuous monitoring and adherence to security best practices are essential to protect against such threats.

References

• FortiVoice 0-day Vulnerability Exploited in the Wild to Execute Arbitrary Code

• Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems

• CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild

Summary:

Palo Alto Networks has disclosed a reflected cross-site scripting (XSS) vulnerability, identified as CVE-2025-0133, affecting the GlobalProtect gateway and portal features of its PAN-OS software. This flaw allows execution of malicious JavaScript in the browsers of authenticated Captive Portal users when they click on specially crafted links. While the default configuration poses a low risk (CVSS Base Score 2.0), the severity increases to medium (CVSS 5.5) when the Clientless VPN feature is enabled. 

Risks:

The primary risk associated with CVE-2025-0133 is credential theft through phishing attacks. Attackers can craft convincing phishing links that appear to originate from the legitimate GlobalProtect portal, tricking users into divulging sensitive information. The vulnerability is particularly concerning for organizations utilizing the Clientless VPN feature, as it elevates the attack’s severity. Although no malicious exploitation has been reported yet, the availability of proof-of-concept exploit code increases the urgency for mitigation. 

Affected Versions:

The following PAN-OS versions are affected by CVE-2025-0133:

• Cloud NGFW: All versions

• PAN-OS 11.2: Versions prior to 11.2.7

• PAN-OS 11.1: Versions prior to 11.1.11

• PAN-OS 10.2: Versions prior to 10.2.17

• PAN-OS 10.1: All versions

It’s important to note that Prisma Access is unaffected by this vulnerability. 

Remediation:

Palo Alto Networks recommends the following remediation steps:

• Upgrade PAN-OS:

  • PAN-OS 11.2: Upgrade to version 11.2.7 or later (expected June 2025).

  • PAN-OS 11.1: Upgrade to version 11.1.11 or later (expected July 2025).

  • PAN-OS 10.2: Upgrade to version 10.2.17 or later (expected August 2025).

  • PAN-OS 10.1: Upgrade to version 10.2.17 or later (expected August 2025).

• Enable Threat Prevention:

  • For customers with a Threat Prevention subscription, enable Threat IDs 510003 and 510004, introduced in Applications and Threats content version 8970.

• Disable Clientless VPN:

  • Consider disabling the Clientless VPN feature to reduce the attack surface.

Implementing these measures will help mitigate the risk associated with CVE-2025-0133. 

Conclusion:

CVE-2025-0133 presents a significant security concern for organizations using affected versions of PAN-OS, especially those with the Clientless VPN feature enabled. The vulnerability’s potential for credential theft through phishing attacks necessitates prompt action. Organizations should prioritize upgrading to the recommended PAN-OS versions, enable relevant Threat Prevention measures, and educate users to recognize and avoid phishing attempts. Proactive mitigation is essential to safeguard against potential exploitation.

Reference:

• Palo Alto Networks Security Advisory: CVE-2025-0133

• Cyber Security News Article on CVE-2025-0133

Summary:

Tenable researchers have uncovered a critical zero-day vulnerability (CVE-2025-31324) affecting SAP NetWeaver AS Java systems. The flaw, currently exploited in the wild, stems from a missing authentication check in a servlet responsible for handling certain HTTP requests. If successfully exploited, attackers can achieve unauthenticated remote code execution (RCE), granting them full control over the affected SAP systems. Given SAP’s prominent role in enterprise environments, this vulnerability poses a substantial risk across multiple industries.

Risks:

The exploitation of CVE-2025-31324 could have devastating consequences. Attackers could fully compromise an SAP NetWeaver system, leading to unauthorized data access, tampering with business-critical operations, deployment of malware, and lateral movement throughout the network. Given that the vulnerability does not require prior authentication, internet-exposed SAP instances are especially at risk. Organizations leveraging SAP for finance, HR, manufacturing, and logistics are facing significant potential operational and reputational damages.

Remediation:

SAP has released a patch to address CVE-2025-31324 in its April 2025 Security Patch Day updates. Organizations should:

• Apply the SAP-provided patches immediately to affected systems.

• Audit SAP NetWeaver instances for signs of exploitation.

• Review exposed SAP services and restrict access where possible.

• Implement Web Application Firewalls (WAFs) and enhanced monitoring for suspicious activity targeting SAP endpoints.

It is critical that organizations prioritize patching and security hardening to mitigate risks from active exploitation.

Conclusion:

CVE-2025-31324 represents a severe security threat to enterprises relying on SAP NetWeaver. Its active exploitation emphasizes the urgent need for prompt remediation. Given the widespread reliance on SAP’s platform, the fallout from a successful attack could be extensive. Shield53 recommends that all SAP customers act immediately to secure their environments against this critical flaw.

Reference:

• Tenable Blog: CVE-2025-31324 Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild

A threat actor claims that a previously unknown vulnerability commonly referred to as a zero-day affecting Fortinet’s FortiGate firewalls is being sold on the dark web. This development poses a potentially serious risk to enterprises relying on Fortinet for perimeter defense.

Overview of the Threat

• A user operating under the alias “Racoon Hacker” has advertised what they claim is a zero-day remote code execution (RCE) exploit impacting FortiGate devices running FortiOS versions 7.2.0 through 7.4.2. According to the threat actor, the exploit enables unauthenticated, remote access with full root privileges.

• The exploit is being offered for $10,000 USD in cryptocurrency—a low price given the potential impact, suggesting either an effort to disseminate quickly or a question of credibility. However, the forum on which the exploit was posted has a reputation for hosting legitimate threat actor activity, prompting serious concern within the cybersecurity community.

Fortinet as a High-Value Target

• FortiGate appliances are widely used in enterprise networks to provide firewall, VPN, and security services. Their deployment at the network edge makes them attractive targets for both criminal threat actors and nation-state groups. A successful compromise of these devices could provide direct access to internal systems, allowing lateral movement, data exfiltration, or command and control activities.

• This is not the first time Fortinet devices have been in the spotlight. Past vulnerabilities, such as CVE-2022-40684 and CVE-2023-27997, have been actively exploited, often before patches were widely applied. The continued targeting of Fortinet solutions highlights the need for rigorous vulnerability management and network segmentation.

Recommended Actions for Enterprises

While the exploit has not yet been independently confirmed or released publicly, organizations should take a proactive stance:

• Restrict Exposure: Limit external access to FortiGate management interfaces using IP allowlisting or VPN gateways.

• Review and Patch FortiOS: Ensure all FortiGate devices are running the most current version of FortiOS. While the exploit reportedly affects versions up to 7.4.2, staying current is critical to mitigate both known and emerging vulnerabilities.

• Enable Multi-Factor Authentication: Implement MFA on all administrative interfaces to reduce the risk of unauthorized access.

• Monitor Logs and Network Activity: Closely inspect FortiGate logs and network traffic for anomalies, particularly those involving remote access attempts.

• Segment Critical Assets: Reduce lateral movement risk by segmenting high-value systems and applying strict access controls.

Vendor Response

• As of the time of writing, Fortinet has not released an official statement regarding this alleged zero-day vulnerability. Organizations are encouraged to monitor Fortinet’s security advisories and threat intelligence channels for updates.

While it remains to be seen whether the Fortinet zero-day exploit being advertised is authentic, the potential risk warrants immediate attention from security teams. In today’s threat landscape, early awareness and swift action can make the difference between a thwarted attempt and a serious breach.

Summary:

Cisco has disclosed multiple high-severity vulnerabilities affecting its Meraki and Emergency Calling and Education (ECE) products. These flaws, identified under various CVEs, allow remote attackers to launch Denial-of-Service (DoS) attacks by exploiting improper input validation and memory handling. Successful exploitation could cause affected devices or services to reload unexpectedly, disrupting critical operations, especially in network and communication infrastructures.

Risks:

The vulnerabilities pose serious operational risks, particularly in environments relying on Meraki cloud-managed devices or ECE systems for real-time communication. A remote attacker could exploit these flaws to crash services or devices, potentially leading to network outages, disrupted emergency communications, and degraded service availability. The lack of user interaction required to trigger the DoS makes these flaws especially dangerous in exposed or internet-facing deployments.

Affected Version:

While Cisco did not list specific version numbers in the public advisory, the vulnerabilities affect various Meraki products and the ECE solution. Organizations should refer to Cisco’s official security advisory and tools to check if their deployment is vulnerable.

Remediation:

Cisco has released patches to address all known vulnerabilities. Administrators are urged to:

• Apply the latest software updates immediately

• Use Cisco’s Software Checker to identify affected versions

• Limit network exposure of devices where possible

• Monitor systems for unusual service interruptions

Conclusion:

Organizations using Cisco Meraki or ECE products should treat these DoS vulnerabilities with urgency. Even though the vulnerabilities don’t allow code execution or data exfiltration, the ease of exploitation and potential for significant service disruption make them a high-priority issue. Regular patch management and vigilant monitoring are essential to safeguarding your network infrastructure.

Reference:

https://www.securityweek.com/vulnerabilities-expose-cisco-meraki-and-ece-products-to-dos-attacks/

Summary:

A recently disclosed vulnerability in OpenVPN, identified as CVE-2024-27459, allows remote attackers to crash VPN servers by sending malformed IPv6 packets. The flaw stems from improper handling of IPv6 routes during peer connection processing, which results in a segmentation fault. This denial-of-service (DoS) condition could severely disrupt business operations dependent on OpenVPN for secure connectivity.

Risks:

This vulnerability introduces a significant denial-of-service (DoS) risk to organizations using OpenVPN, particularly in environments with IPv6 enabled. An unauthenticated attacker can remotely trigger a server crash, potentially cutting off access to critical infrastructure or private networks. While it does not enable remote code execution or data theft directly, the service disruption could open doors to broader attacks or cause cascading effects in interconnected systems.

Affected Version:

The vulnerability affects OpenVPN version 2.6.6 when IPv6 and –peer-id options are used together. Older or differently configured versions may not be impacted, but organizations should review configurations thoroughly.

Remediation:

The OpenVPN team has addressed the issue in version 2.6.7. Users are strongly advised to upgrade to this version immediately. In addition to patching, administrators should also consider auditing IPv6 configurations and limiting exposure to potentially malicious peers until the update is applied.

Conclusion:

Organizations relying on OpenVPN should treat CVE-2024-27459 as a high-priority issue. Although it doesn’t enable full system compromise, the ability for attackers to crash VPN servers remotely poses a serious operational risk. Prompt updates and configuration reviews are essential to maintaining secure and uninterrupted VPN services.