What’s the Deal with This Vulnerability?

Redis developers recently disclosed CVE-2025-21605, which is basically Redis forgetting to check how much it’s eating. The vulnerability allows unauthenticated clients to trigger unlimited growth of output buffers, eventually exhausting server memory. It’s like your teenager’s appetite, but for RAM.

The technical classification is CWE-770 (Allocation of Resources Without Limits or Throttling), which is a fancy way of saying “this program doesn’t know when to stop.” This affects all Redis versions from 2.6 to just before 7.4.3. And yes, if you’re reading that correctly, that’s practically all versions in common use.

Why Should You Care?

If you’re running Redis exposed to the internet (which hopefully you’re not), this is especially bad news. Even if you’ve set a password, the “NOAUTH” responses can still trigger buffer growth. So your password protection is about as effective as a screen door on a submarine.

For those unfamiliar, Redis is an open-source database that’s incredibly popular for caching, session management, and message brokering. It’s fast because it works in memory – which also makes this vulnerability particularly nasty. When Redis runs out of memory, it doesn’t gracefully degrade – it crashes, taking down whatever services rely on it. This can create cascade failures across your infrastructure, similar to what we see in many modern cyber attacks.

How Bad Is It Really?

On a scale of “mildly annoying” to “oh no, call the incident response team,” this is firmly in the “weekend-ruining” category. The vulnerability requires minimal skill to exploit – no elaborate hacking sequences like in the movies. An attacker just needs to find your Redis instance and send some carefully crafted requests. Even script kiddies with basic automated tools could pull this off.

What makes this particularly concerning is that over 23,000 companies use Redis, with about half in the United States. Many are still running older versions, because upgrading databases is about as fun as a root canal. AWS and Google Cloud users are still deploying outdated Redis versions (6.x, 5.0, 4.0), so there’s a good chance many instances are vulnerable.

The real-world impact? Your e-commerce site goes down during a sales event. Your users get logged out randomly. Your metrics and monitoring disappear. All while you’re frantically trying to figure out why Redis keeps crashing. Fun times.

The sneakier concern is that attackers might use this as a distraction. While you’re busy restarting services and putting out fires, they could be exploiting other vulnerabilities elsewhere in your infrastructure. It’s a classic misdirection play that we’ve seen in sophisticated DDoS attacks before.

Fixing the Problem

The most obvious solution is to upgrade to Redis 7.4.3 or later. This version properly enforces output buffer limits, preventing the unchecked memory consumption. If you follow basic security best practices, keeping software updated should already be on your to-do list anyway.

But let’s be realistic – sometimes immediate upgrades aren’t possible. Maybe you’re running a legacy application that depends on a specific Redis version, or perhaps your change management process moves at the speed of continental drift. In that case, you have a few options:

• Block unauthenticated access using firewalls, iptables, or cloud security groups
• Enable TLS with client-side certificate authentication
• Isolate Redis instances in their own network segments
• Set up monitoring to detect unusual memory usage patterns

These mitigations aren’t perfect – they’re more like putting a band-aid on a leaky pipe. You’ll still want to plan that upgrade, but at least you won’t be completely exposed in the meantime. This vulnerability is just one example of why implementing a solid vulnerability management strategy is crucial for modern organizations.

The Bottom Line

CVE-2025-21605 is a perfect example of how even simple vulnerabilities in popular software can create significant security risks. The fact that it affects unauthenticated users makes it particularly dangerous in today’s interconnected landscape.

So check your Redis versions, plan that upgrade, and while you’re at it, maybe review what else in your infrastructure might be exposed to the internet unnecessarily. Security is rarely about big, dramatic threats – it’s usually these mundane, easily-fixable issues that end up causing the most problems.

The post CVE-2025-21605 Redis DoS Vulnerability Discovered, Patch Now appeared first on Gridinsoft Blog.

MITRE’s Warning on CVE Program Funding Expiry

MITRE, through a letter from Vice President and Director Yosry Barsoum at the Center for Securing the Homeland, warned that the current contracting pathway for developing, operating, and modernizing the CVE program, along with related programs like the Common Weakness Enumeration (CWE), will expire today, April 16, 2025. This warning was shared on several platforms. In a post on X/Twitter, which was linked in the letter, Barsoum said that a break in service could have several consequences.

These include a decline in national vulnerability databases and advisories, slower responses from vendors to new vulnerabilities, limited capabilities for incident response, and a broader impact on various types of critical infrastructure. The uncertainty about funding comes from the fact that the US government hasn’t confirmed whether the contract will be renewed. Reports suggest that the Trump administration is cutting federal spending, which could affect contracts like this one.

MITRE Corporation, a not-for-profit organization operating federal research and development centers, has raised significant concerns about the funding status of the Common Vulnerabilities and Exposures (CVE) program, which is set to expire on April 16, 2025. The CVE program, launched in 1999, is foundational for cataloging publicly disclosed cybersecurity vulnerabilities.

It is maintained by MITRE with funding primarily from the National Cyber Security Division of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. It serves as a vital resource for hackers, vendors, and organizations, enabling the sharing of accurate and consistent information about cybersecurity risks. The program has cataloged nearly 275,000 records and stores historical data on GitHub.

Why is MITRE Critical?

The potential impacts are hard to underestimate. The CVE program is described as the de-facto global standard for vulnerability identification and management, relied upon by organizations across industry, government, national security, and critical infrastructure.

Without funding, no new CVEs will be added after today, and the program website will eventually cease, though historical records will remain accessible on GitHub. Experts have noted that losing CVE could lead to mis-prioritized software updates and increased security risks due to the lack of a centralized, standardized severity description. Jen Easterly, former CISA Director, compared CVE to the Dewey Decimal System for cybersecurity.

Casey Ellis, founder of Bugcrowd, highlights that a sudden interruption could become a national security problem, as CVE underpins vulnerability management, incident response, and critical infrastructure protection efforts. Another policy researcher branded the potential end as “tragic,” a sentiment echoed by many in the cybersecurity community. In the end, transparent vulnerability disclosure helps developers to acknowledge bad coding practices and understand how things should not be done.

Some may argue that vulnerability disclosure may be a bad thing, as this allows threat actors to target the new flaw before the fixes are available. Thing is – hackers can find the flaw before security researchers or the developers do, develop the exploit, and use it as hard as they can. And without a proper publication of the issue, companies will remain clueless about a potential hazard.

Can MITRE Come Back?

Despite the expiry, the government is making “considerable efforts” to continue MITRE’s role. CISA has stated they are “urgently working to mitigate impact and maintain CVE services on which global stakeholders rely,” though they declined to answer questions about why the contract wasn’t renewed or future plans. This uncertainty is compounded by reports of CISA facing significant budget and staffing cuts, potentially linked to broader Trump administration policies.

MITRE remains committed to the CVE as a global resource, but without confirmed funding, the program’s future is at risk. The layoffs of over 400 employees in MITRE’s Virginia office, due to canceled contracts worth more than $28 million, indicate the financial pressures already at play. Additionally, CISA’s decision to end funding for other programs like MS-ISAC and Election ISAC, announced last month, suggests a broader trend of funding cuts affecting cybersecurity initiatives.

The post MITRE Warns CVE Program Funding Expires on April 16 appeared first on Gridinsoft Blog.

CVE-2025-32395 Vite Vulnerability Exposes Sensitive Files

A recent post by a cybersecurity researcher drew attention to a newly identified vulnerability CVE-2025-32395 in Vite, a popular frontend development server. The vulnerability may affect more than 286,000 exposed Vite services worldwide. Despite being described in some places as a Denial of Service flaw, technical evidence confirms that this is more accurately an information disclosure vulnerability.

Vite is a modern front-end development tool designed to provide a fast and efficient development experience for web applications. It features a development server that serves source files over native ES modules, with Hot Module Replacement (HMR) for quick updates, and uses Rollup for production builds.

Vite Arbitrary File Read Vulnerability Details

The vulnerability, tracked as CVE-2025-32395, affects Vite’s development server when running on Node or Bun runtimes and exposed to the network. According to the National Vulnerability Database, the issue allows the contents of arbitrary files to be returned to the browser, bypassing the server.fs.deny configuration. The issue arises from how Vite handles malformed HTTP requests containing the # symbol in the request target.

According to the HTTP/1.1 standard (RFC 9112), the # character is not permitted in the request target and should be rejected by compliant servers. However, when Vite runs on Node or Bun, these platforms do not properly validate or reject such malformed requests. Instead, they pass them through to the application layer, allowing unexpected behavior.

Vite’s internal file-serving mechanism uses the configuration option server.fs.deny to block access to sensitive files. However, when handling requests that contain invalid characters like #, this validation is bypassed. As a result, an attacker can craft a request to access files that should be restricted. These may include environment configuration files, source code, or any other files located outside the permitted directory scope.

Proof of Concept Exploit Released

The flaw instantly got much more dangerous, as a PoC exploit was released to demonstrate the significant potential behind the flaw. Published on GitHub, it shows how an attacker could exploit it to read arbitrary files. The process begins by creating a new Vite project using npm create vite@latest, moving into the project directory, installing dependencies with npm install, and starting the development server with npm run dev.

Once the server is running, the attacker can send a specially crafted HTTP request—for example, using curl –request-target /@fs/../../../../../etc/passwd http://127.0.0.1:5173. This demonstrates that by manipulating the request-target with relative paths and a # character, the attacker can bypass the server.fs.deny restriction and gain access to sensitive files like /etc/passwd. This also confirms the issue as an information disclosure vulnerability, not a denial-of-service problem.

Potential Impact and Risks

Reports suggest a significant number of services may be affected, with claims of over 286,000 services potentially exposed yearly. This statistic likely stems from scans using platforms, which can identify Vite development servers online by searching for patterns like “body=”/@vite/client”” in HTTP responses. Given Vite’s widespread use, especially in development environments, this number seems plausible.

CVE-2025-32395 Flaw Short Description

The exposure of development servers to the internet poses a confidentiality risk, as attackers could access sensitive files such as configuration files, source code, API keys, or other confidential data. This is particularly dangerous for applications explicitly configured with –host or server.host options, making them accessible over the network. The impact is less about service disruption and more about unauthorized data access.

Controversy About DoS Attack

Despite the clear classification as an information disclosure vulnerability, some publications have labeled it as a Denial-of-Service attack. A DoS attack typically aims to disrupt service availability, such as by overwhelming the server or causing it to crash. On the other hand, CVE-2025-32395 allows unauthorized file access, which is a confidentiality breach. The confusion may arise from the potential secondary effect: if an attacker sends a large number of requests exploiting this vulnerability, it could lead to resource exhaustion, indirectly causing a denial of service. However, the primary nature of the vulnerability is information disclosure, as confirmed by the NVD and GitHub sources.

Mitigation Strategies & Protection

To mitigate this vulnerability, users should start by updating Vite to one of the fixed versions — 6.2.6, 6.1.5, 6.0.15, 5.4.18, or 4.5.13 — as these versions include a patch that properly blocks invalid requests. It’s also important to make sure the Vite development server isn’t accessible from the public internet. Ideally, it should only be reachable via localhost or be protected behind a firewall within a secure network.

Additionally, users should scan for any unintentional exposure by using search tools. Finally, it’s a good practice to regularly audit server configurations, especially in development environments, to catch anything that might have been accidentally left open.

The post CVE-2025-32395 Vite Vulnerability Exposes Sensitive Files appeared first on Gridinsoft Blog.

Google Releases Fixes for Two Android Zero-Day Flaws

On April 8, 2025, Google released its monthly Android security bulletin, patching 62 vulnerabilities, with a focus on two zero-day flaws that were under active exploitation. Zero-day vulnerabilities are particularly concerning as they are exploited before developers can identify and patch them, often by sophisticated actors such as government agencies or cybercriminals. The timing of this update, aligning with the first Monday of April, follows Google’s standard practice, as noted in Android Security Bulletins Overview.

The vulnerabilities, tracked as CVE-2024-53150 and CVE-2024-53197, were part of the Linux kernel’s USB-audio driver, a critical component handling audio over USB connections. This location in the kernel makes them especially dangerous, as kernel-level exploits can bypass many security layers, potentially leading to full device compromise. As Android itself is a derivative of Linux, such flaws touch it as well.

New Android Vulnerabilities: Key Facts

To understand these vulnerabilities, we looked into the National Vulnerability Database (NVD) and related reports. Here’s a breakdown of each issue, including technical details and potential impact.

The first one, CVE-2024-53150, is an out-of-bounds read in the USB-audio driver, specifically in the ALSA (Advanced Linux Sound Architecture) component of the Linux kernel. Its CVSS score is 7.8, so it’s considered high severity. The problem occurs when the driver traverses clock descriptors—it doesn’t properly check the length (bLength) of each descriptor. A malicious device can exploit this by sending a bogus descriptor that’s too short, causing the driver to read beyond the allocated memory.

According to the vulnerability list entry, this was fixed by adding sanity checks to the validator functions to skip descriptors that don’t meet the minimum length requirements. Out-of-bounds reads can leak sensitive memory data, including user info or system-level secrets. This type of attack would typically be launched through a malicious USB device. Although there aren’t many details on real-world exploitation, reports indicate it’s been used in targeted attacks—likely alongside other bugs for greater effect.

The second vulnerability, CVE-2024-53197, is an out-of-bounds write—again in the USB-audio driver. Like the previous CVE, this one also scores a 7.8 on the CVSS scale, and worse—it’s a zero-click exploit. This one involves handling certain devices like the Extigy and Mbox. Here, an attacker can manipulate the bNumConfigurations value to exceed what the driver expects. That leads to out-of-bounds writes during configuration allocation.

The issue was patched by implementing proper bounds checks in the usb_get_configuration function. This flaw can be used for privilege escalation, potentially letting attackers inject and run arbitrary code in the kernel—yes, with full system privileges. No user interaction is required.

Amnesty International reported that this Android zero-day vulnerability was part of a real-world exploit chain used by Serbian authorities in December 2024. The target? A student activist’s Android phone. But more on that next. The exploit chain included this CVE along with CVE-2024-53104 and CVE-2024-50302, both of which had been patched earlier. This points to a coordinated attack likely involving commercial surveillance tools, such as those provided by Cellebrite.

Real-World Exploitation and Targeted Attacks Suggested

Some reports confirm that both Android zero-day vulnerabilities were used in “limited, targeted exploitation,” likely by state actors or advanced persistent threat groups. The case of the Serbian student activist is particularly notable, where local authorities used these flaws to attempt spyware installation, highlighting the geopolitical implications of such vulnerabilities.

So, government-backed actors are leveraging these flaws for surveillance—adding a layer of complexity, especially for activists and journalists who may be targeted. It also raises questions about the role of forensic tool providers like Cellebrite, which was implicated in developing the exploit chain, leading to their banning Serbia from using their products, as noted in Candid Technology.

From a technical standpoint, both Android zero-day vulnerabilities highlight the challenges of securing kernel-level components, particularly those interfacing with hardware like USB. The USB-audio driver’s complexity, handling various device types, makes it a frequent target, as seen with previous vulnerabilities like CVE-2024-53104, patched in February 2025. Policy-wise, the exploitation by state actors raises concerns about digital rights and privacy, especially in authoritarian contexts.

Mitigation and User Guidance

Google acted quickly in response to these vulnerabilities, releasing patches as part of the April 2025 security update. Devices that have been updated to this patch level are protected. The update includes two patch levels: 2025-04-01 and 2025-04-05.

To stay safe, users are strongly encouraged to take a few important steps. First, check for and install the latest security updates on your Android device. Make sure your patch level is 2025-04-05 or later to ensure you’re covered.

Second, be extra cautious with USB connections — especially when plugging into unfamiliar or untrusted devices. These Android zero-day vulnerabilities are tied to the USB stack, so it’s not the best time to be adventurous with random charging stations.

The post Google Releases Two Android Zero-Day Fixes, Exploited in the Wild appeared first on Gridinsoft Blog.

CrushFTP’s Unauthenticated Access Flaw Warning

CrushFTP, a widely used file transfer protocol server, has recently issued a critical warning to its users, urging them to patch an unauthenticated access flaw immediately. This warning addresses a significant security vulnerability that affects all versions of v11, with potential implications for v10 as well.

On March 21, 2025, the company emailed customers, warning of an unauthenticated HTTP(S) port access vulnerability. The email emphasized the urgency, stating, “Please take immediate action to patch ASAP. A vulnerability has been addressed today (March 21st, 2025). All CrushFTP v11 versions were affected. (No earlier versions are affected.) A CVE will be generated soon.”

CrushFTP Flaw Description

The vulnerability is described as an unauthenticated HTTP(S) port access flaw. This means attackers can potentially gain access to unpatched servers without authentication if the HTTP(S) port is exposed on the internet. This is particularly dangerous for servers accessible online, as it could lead to unauthorized access, data exfiltration, or further exploitation. The bottom line of this vulnerability is that an exposed HTTP(S) port could lead to unauthenticated access.

The severity is underscored by the potential for ransomware and other adversaries to target file transfer technologies. This vulnerability is especially concerning given historical exploitation of similar flaws in CrushFTP, such as the 2024 zero-day (CVE-2024-4040), which allowed complete server compromise.

It will hapdly be different this time, especially considering the availability of the PoC exploit on GitHub. It was posted merely hours after the original disclosure from the developers, and will surely act as an additional push for this flaw exploitation.

Mitigation and Patch Details

To address this flaw, CrushFTP released version 11.3.1. The change log, accessible via version history, mentions an “Authentication fix” for v11.3.1. Users are urged to update immediately, without waiting for regular patch cycles.

An important mitigation strategy is the use of the DMZ feature. This is particularly relevant for users with exposed servers, as it reduces the attack surface. For users still on older versions, the update process involves downloading the latest version from CrushFTP download, with options for Java21 and without Java17, ensuring compatibility across platforms.

The email notification explicitly states that no earlier versions than v11 are affected, focusing solely on v11. However, the advisory’s mention of v10 in some sources, introduces uncertainty. Given the lack of specific patch information for v10 in the recent updates, it seems that the focus is on v11. So, v10 users need to ensure they are on the latest patch for previous vulnerabilities, such as those addressed in v10.7.1 and v11.1.0 for CVE-2024-4040.

Users should prioritize updating to v11.3.1, ensuring their servers are not exposed to the internet without the DMZ feature. For those unsure of their version, checking the dashboard on the CrushFTP website and following the upgrade guide is recommended.

The post CrushFTP’s Unauthenticated Access Flaw Discovered appeared first on Gridinsoft Blog.

CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Overview

Cybersecurity agencies have published information about the CVE-2025-24071 vulnerability. This is a critical vulnerability in Windows File Explorer, with a CVSS score of 7.5. It affects multiple versions of Windows, including Windows 10, Windows 11, and various Windows Server versions. The vulnerability arises from Windows Explorer’s implicit trust and automatic parsing of .library-ms files, which are XML-based files used to define search or library locations within the operating system.

The core issue is that when a .library-ms file, crafted with a malicious SMB (Server Message Block) path, is embedded in a RAR or ZIP archive and subsequently extracted, Windows Explorer automatically processes it for indexing, previews, or thumbnails.

This processing triggers an SMB authentication request to the attacker-controlled server, resulting in the disclosure of the user’s NTLMv2 hash. This hash can then be used for attacks such as pass-the-hash or offline NTLM hash cracking, posing significant security risks.

Technical Details

The PoC for CVE-2025-24071 has been released for educational purposes only and is publicly available on GitHub in the eponymous repository, created by a malware and CTI analyst known as 0x6rss. The PoC is implemented as a Python script, designed to demonstrate the exploitation process. The PoC involves creating a specially crafted .library-ms file that includes a tag pointing to an attacker-controlled SMB server (e.g., \\192.168.1.116\shared). This file is compressed within a RAR or ZIP archive.

Upon extraction of the archive, Windows Explorer automatically initiates processing of the .library-ms file. This is observed through tools like Procmon, where processes such as Explorer.exe and SearchProtocolHost.exe perform operations like CreateFile, ReadFile, QueryBasicInformationFile, and CloseFile for indexing purposes.

The automatic processing triggers an SMB authentication handshake, captured via Wireshark with an SMB filter (smb or smb2). This includes an SMB2 Negotiate Protocol Request from the victim to the attacker server, followed by an SMB2 Session Setup Request (NTLMSSP_AUTH), which leaks the victim’s NTLMv2 hash. The key feature of this vulnerability is that no user interaction is required beyond extracting the archive, making this a zero-click exploit in certain scenarios.

Exploitation in the Wild and Microsoft Response

Research suggests that CVE-2025-24071 is not only theoretical but actively exploited in the wild. In the aforementioned blog, the author reports that the vulnerability may have been sold on a forum by a threat actor named “Krypt0n,” known for developing EncryptHub Stealer. An X post further corroborates this, detailing how the exploit is configured on a local server (e.g., VPS) with the attacker’s IP and share, triggering hash leaks when accessed by Explorer without file opening.

Microsoft has addressed this vulnerability in the March 2025 Patch Tuesday update, released earlier this month. The patch details are referenced in the Microsoft Security Update Guide. Users of vulnerable systems are advised to upgrade to an up-to-date version of the OS.

The post CVE-2025-24071 Windows File Explorer Spoofing Vulnerability Uncovered, Patch Now appeared first on Gridinsoft Blog.

CISA Has Added Five Vulnerabilities To Its KEV List

On March 10, 2025, CISA announced the inclusion of five vulnerabilities in its Known Exploited Vulnerabilities catalog. The affected products, Advantive VeraCore and Ivanti Endpoint Manager, are enterprise-level solutions critical to their respective industries. Advantive VeraCore is a SaaS platform for order and warehouse management, catering to third-party logistics and fulfillment companies. It integrates functions like inventory management and eCommerce, making it a backbone for operational efficiency.

Ivanti Endpoint Manager is designed for endpoint management and security, supporting devices across Windows, macOS, and IoT systems, essential for hybrid work environments. Federal Civilian Executive Branch agencies are mandated to remediate these vulnerabilities by March 31, 2025, under Binding Operational Directive 22-01.

Technical Details of Vulnerabilities

Unrestricted File Upload Vulnerability (CVE-2024-57968). This flaw in Advantive VeraCore permits remote unauthenticated attackers to upload files via the upload.aspx endpoint without restrictions. Such vulnerabilities typically arise from inadequate input validation, allowing attackers to upload executable scripts or shells. The XE Group, identified as a likely Vietnamese threat actor, has been exploiting this to drop reverse or web shells, enabling remote control of compromised servers. Reverse shells allow attackers to execute commands from their machines, while web shells provide a command-line interface via web access, both facilitating unauthorized access.

SQL Injection Vulnerability (CVE-2025-25181). Also affecting Advantive VeraCore, this SQL injection vulnerability allows remote attackers to inject and execute arbitrary SQL commands. This can lead to data extraction, modification, or deletion, and in severe cases, server compromise if the database has elevated privileges. The XE Group’s exploitation involves dropping reverse or web shells, suggesting a strategy to escalate access for further malicious activities.

Absolute Path Traversal Vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161). These three vulnerabilities in Ivanti EPM are absolute path traversal flaws, allowing remote unauthenticated attackers to access files and directories outside the intended root. Path traversal exploits manipulate file paths, often using sequences like “../../” to navigate up directories, accessing sensitive files such as configuration data or user credentials.

While there are no public reports of real-world attacks, Horizon3.ai released a proof-of-concept, indicating potential for exploitation. This PoC demonstrates how attackers could craft requests to leak sensitive information, posing a significant risk.

Potential Impact and Risk Assessment

These vulnerabilities pose severe risks due to their enterprise-level usage and active exploitation. Unrestricted file upload and SQL injection flaws threaten critical business data, including customer orders and inventory details, essential for 3PL companies. Reports indicate XE Group has exploited these vulnerabilities, likely for espionage or data exfiltration.

Given their suspected Vietnamese origin, attacks could disrupt logistics operations, causing financial and reputational damage. Path traversal flaws in Ivanti EPM risk exposing sensitive data, which could facilitate credential stuffing or lateral movement. A breach could compromise entire networks, endangering industries like government and healthcare.

The post CISA Adds 5 Exploited Vulnerabilities, Patch ASAP appeared first on Gridinsoft Blog.

CVE-2025-27607 Overview

Numerous reports point at a newly discovered critical security vulnerability identified as CVE-2025-27607, affecting the Python JSON Logger, a popular JSON formatting library for Python logging. This vulnerability has a CVSS score of 8.8 and was discovered between December 30, 2024, and March 4, 2025. It is a remote code execution flaw, which is considered one of the most dangerous flaws one can encounter.

It is caused by a missing dependency—specifically, the msgspec-python313-pre package. The package was deleted by its owner, leaving the name open for malicious actors to claim. The issue was resolved in version 3.3.0 of Python JSON Logger, released to patch the vulnerability. Some of the estimations expec over 12.5 million services to be affected, so the updating to the patched version is a necessity, not an option.

Python JSON Logger Vulnerability Technical Details

CVE-2025-27607 arises due to a supply chain attack vector in Python’s package ecosystem, specifically PyPI (Python Package Index). The Python JSON Logger library, when installed with development dependencies (e.g., using pip install python-json-logger[dev]), relied on the msgspec-python313-pre package for Python 3.13 compatibility. However, the owner of this dependency removed it, leaving the package name available for anyone to claim. A malicious actor could claim the package name, upload a malicious version, and introduce code that executes remotely on any system installing or updating Python JSON Logger with the development dependencies.

This RCE vulnerability allows attackers to run arbitrary code on affected systems, potentially compromising servers, applications, or entire networks that use the library. The vulnerability is particularly dangerous because Python JSON Logger is widely used in logging configurations across various applications, and the attack requires no user interaction beyond a standard dependency installation.

Expected Impact of the Flaw

The impact of CVE-2025-27607 is significant due to its potential for remote code execution, classified as a high-severity vulnerability. Systems running Python JSON Logger versions prior to 3.3.0, especially those using Python 3.13 and the development dependencies, are at risk of complete compromise if a malicious version of msgspec-python313-pre is installed.

This could lead to data breaches, malware deployment, or unauthorized access to sensitive systems. A post on X/Twitter indicates that 12.5 million services worldwide may be vulnerable. The vulnerability’s exploitation window, from December 30, 2024, to March 4, 2025, also means many systems could have been exposed during this period, especially if automatic dependency updates were enabled.

Response and Mitigations

The response to CVE-2025-27607 came from the maintainers of JSON Logger, who acted swiftly to address the vulnerability. After the issue was identified, likely through community reports or security research, the maintainers released version 3.3.0 of the library to resolve the problem. This update ensures that the dependency on msgspec-python313-pre is either removed, replaced with a secure alternative, or properly secured to prevent package hijacking.

The report confirms that the vulnerability was patched by March 7, 2025, with clear guidance for users to upgrade to version 3.3.0 or higher to mitigate the risk. Users are also advised to monitor their dependencies closely to prevent similar issues in the future.

The post Python JSON Logger Vulnerability Exposes Millions of Users appeared first on Gridinsoft Blog.

Zimbra Releases Fixes for SQL Injection, other Vulnerabilities

Zimbra has released critical security updates to address multiple vulnerabilities in its Collaboration software. These flaws, if exploited, could allow attackers to gain unauthorized access to sensitive data.

They could also execute malicious scripts or redirect internal requests to unauthorized endpoints. The most severe of these vulnerabilities, tracked as CVE-2025-25064, has been assigned a CVSS score of 9.8.

Technical Details

The first, SQL injection vulnerability CVE-2025-25064 (CVSS 9.8). This is a critical vulnerability that affects the ZimbraSync Service SOAP endpoint in Zimbra Collaboration versions 10.0.x before 10.0.12 and 10.1.x before 10.1.4. The flaw stems from improper sanitization of a user-supplied parameter, allowing authenticated attackers to inject arbitrary SQL queries. Exploiting this vulnerability could enable attackers to retrieve email metadata or manipulate database content.

The root cause lies in the failure to neutralize special SQL elements, allowing an attacker to manipulate the query structure. Recommended mitigations include the use of prepared statements, parameterized queries, and strict input validation to prevent unauthorized SQL execution.

Another major issue addressed in this update is a stored XSS vulnerability in the Zimbra Classic Web Client. This flaw has not yet been assigned a CVE identifier. It allows attackers to inject malicious scripts into stored content, potentially compromising user sessions and stealing sensitive data.

Zimbra has strengthened input sanitization mechanisms to mitigate this threat. The vulnerability has been fixed in Zimbra versions 9.0.0 Patch 44, 10.0.13, and 10.1.5.

Another fixed vulnerability is CVE-2025-25065. This is Server-Side Request Forgery (SSRF) Vulnerability that has CVSS 5.3. It exists in the RSS feed parser of Zimbra Collaboration versions 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4. The flaw enables attackers to redirect requests to internal network resources. This could facilitate lateral movement or reconnaissance attacks within the targeted environment.

The SSRF vulnerability has been mitigated in the latest patches, reducing the risk of unauthorized internal resource access.

Response and Mitigation Measures

Zimbra has swiftly addressed these vulnerabilities and released security patches to mitigate potential risks. Users are strongly encouraged to upgrade to the latest versions of Zimbra Collaboration. The SQL injection vulnerability (CVE-2025-25064) has been fixed in versions 10.0.12 and 10.1.4. The stored XSS issue has been resolved in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5. The SSRF vulnerability (CVE-2025-25065) has been patched in versions 9.0.0 Patch 43, 10.0.12, and 10.1.4.

To protect against these threats, administrators should apply the latest patches immediately, restrict access to SOAP endpoints, and monitor for suspicious activity. Administrators should perform regular audits and proper sanitization of user input are essential to mitigate any SQL injection and XSS risks. Given Zimbra’s history of being a frequent target for attackers, delaying updates could expose organizations to cyber threats. Keeping systems up to date with the latest patches remains the most effective way to ensure security.

The post Zimbra Security Updates Fix a Critical SQL Injection Vulnerability appeared first on Gridinsoft Blog.

0-Click Deanonymization Attack Exploits Telegram, Signal, Discord And Other Apps

A 15 year old cybersecurity researcher who names himself Daniel has uncovered a chilling 0-click deanonymization attack targeting popular platforms like Signal and Discord. By exploiting Cloudflare’s caching mechanisms, the attacker can uncover the location of the receiver. The method relies on Cloudflare’s geographically distributed datacenters, which are placed near large cities to improve content delivery times. Analyzing cached data to reveal where a user is accessing the internet. So, your secret bunker might not be as secret as you think.

In brief, the attack works by analyzing caching behaviors triggered by routine actions, like receiving message attachments or friend requests. In Signal, even a push notification could betray your location. While on Discord, a custom emoji or avatar might as well be a homing beacon. The researcher even created a bot to automate the process to literally demonstrate the capabilities of this theory.

How Does It Work?

By analyzing the “cf-cache-status” and “cf-ray” headers in HTTP responses, an attacker can identify the specific Cloudflare datacenter serving a user’s request. The response appears regardless of user participating in the communication in any way, all that should happen is a successful message delivery. Since these datacenters are geographically distributed, pinpointing the one gives an estimate of the user’s location.

To bypass Cloudflare’s anycast network restrictions, a tool called Cloudflare Teleport was created. This tool, based on a bug in Cloudflare Workers, allowed HTTP requests to be routed to specific datacenters. However, Cloudflare patched the vulnerability later.

Real Test

The first practical application of this method involved Signal. An attacker exploited the caching of message attachments served via Cloudflare. When a user received and opened a message containing an attachment, their device downloaded the file, causing it to be cached in a local datacenter. By analyzing which datacenters cached the file, the attacker could approximate the user’s location.

An alternative scenario is to exploit the “0-click version» of this vulnerability. That is, the user does not need to take any action. If the target had push notifications enabled, their device automatically downloaded message attachments to display in the notification. This meant the attacker could determine the user’s location without requiring any interaction.

Discord served as the next demonstration platform. It was similarly vulnerable, and an attacker could exploit cached custom emojis or user avatars. For instance, sending a friend request to a target triggered a push notification, which included the attacker’s avatar. The target’s device would download the avatar, allowing the attacker to identify the datacenter that handled the request and infer the target’s location.

The researcher also developed a private Discord bot named GeoGuesser, which automated the attack. The bot changed its avatar to ensure unique caching, sent a friend request to the target, and analyzed the caching behavior to estimate the target’s location. In one example, the bot accurately pinpointed the approximate location of Discord’s CTO by triangulating data from two datacenters.

Companies Response

Being a decent tester, the young researcher alerted the companies through Bug Bounty Reports, to which the companies responded with varying levels of concern and urgency. Signal, for instance, outright rejected the report, claiming the problem wasn’t theirs to solve. Telegram, by contrast, emerged unscathed thanks to their custom protocol and lack of reliance on Cloudflare.

Discord, initially promising action, decided the issue was Cloudflare’s responsibility. Meanwhile, it wouldn’t be the first time for Cloudflare. As it turned out later, another researcher had reported this problem a year ago. But without proper proof, the problem was not considered noteworthy. Finally, Cloudflare patched it. Reporters got award a $200 bounty, and split it amongst themselves.

The post 0-Click Cloudflare Deanonymization Vulnerability Discovered appeared first on Gridinsoft Blog.

GayFemboy Mirai Botnet Exploits Four-Faith Flaw

Over the course of its activity, the botnet of an unconventional naming has used plenty of vulnerabilities, which makes it stand out from the rest of Mirai-based backdoors. Researchers from X Lab hold a record of a grand total of 20 flaws used over its activity span. The flaw in Four-Faith routers has given a major boost in activity for that malware, as may be seen for the graphic below.

Mirai itself, and almost all the malware based on its source code, targets IoT devices to form botnets. Further, the network of infected devices is put for rent on the Darknet. Hackers may use it for all kinds of purposes – from mining cryptocurrencies to launching DDoS attacks or massive spam mailing.

The last wave of activity of the botnet started in November 2024, right when the vulnerability in the industrial routers was found. Malware spreading generally targets the US, China, Iran and Russia – a rather unusual geographics, considering that threats typically target only countries from one political camp. DDoS attacks that this botnet performs target almost exclusively the US of A and China.

To gain insight into its operations, the researchers have established several command servers and started calling out known botnet IP addresses. This was needed to observe the behavior of infected devices and get a rough estimate of the botnet’s scale. The observations revealed that Gayfemboy has more than 15,000 daily active nodes and operates through over 40 active groups.

One particularly notable finding was the botnet’s retaliatory behavior. Upon detecting that one of the command servers was under control of malware analysts, the network hailed a DDoS attack against them.

What is CVE-2024-12856 Vulnerability?

The flaw detected in Four-Faith industrial routers is one of a few 0-day vulnerabilities, discovered in 2024. It allows attackers to inject and execute the code into the firmware of the router. One of the most prominent use cases for such a security hole is to make the router connect the remote server, download the payload and execute it.

Sure enough, it cannot go any further than this: the router becomes infected, but it is not really possible to make it pass the malicious payload to the devices within the network. The only exception is other routers, as they may exchange packets and perform other communications, depending on network configurations. Nonetheless, there is a solid application for routers and overall IoT devices in botnets.

Protection Against New Mirai Botnet and Vulnerability Exploitation

The main problem is that there is no fix available for the Four-Faith routers’ flaw. The vendor of the network hardware is due analysing the vulnerability and releasing a firmware update. And, even with the update released, it should get installed to the devices – which is not trivial considering the area these routers are used in.

For now, security analysts only name indicators of compromise and suggest classic ways of removing the threat. As this malware is another Mirai offspring, the removal process is well-known and has been tested a lot over the years.

Unplug the router or another device from the network, in order to prevent any further infections. Then, reset it to factory settings, which should wipe out the malware. After that, set it up as usual but with adding a TCP port 23 closed. Analysts also recommend keeping the Telnet service disabled as well. Changing device management page passwords to stronger ones is another step that will prevent further attacks, and not only from Mirai malware.

The post New Mirai Based Botnet Exploits Four-Faith Vulnerability appeared first on Gridinsoft Blog.

Severe SQL Injection Flaw in Apache Traffic Control Uncovered

The flaw, identified as CVE-2024-45387, carries a CVSS severity score of 9.9 out of 10 – a pretentious mark. According to the project team, the issue is an SQL injection vulnerability that could be exploited by a privileged user assigned roles like ‘admin,’ ‘federation,’ ‘operations,’ ‘portal,’ or ‘steering.’ All it takes is crafting a malicious PUT request to gain access to all the data stored on an instance.

For those who might not know, Apache Traffic Control is an open-source solution for building and managing content delivery networks. CDNs play a critical role in maintaining content accessibility around the globe, and the solution from Apache, as a well-known software vendor, is exceptionally popular. Potential scale of impact may touch tens of thousands of companies around the world.

Accessing the data can lead to a whole range of consequences. Malicious actors can steal it or use it to plan further attacks on the company’s infrastructure. If a CDN maintained with the Traffic Control platform carries any executable files or installers, hackers can inject an infected file – a direct pathway to a supply chain attack.

The vulnerability sits in the way Apache Traffic Control handles the requests. The said crafted PUT request is able to slip through the security systems because of the incorrect neutralization of certain parts of the command. Although falling under the classic definition of SQL injection, it differs wildly from one vulnerability to another.

On top of all this, adversaries trying to exploit the flaw do not require any permissions. That is, in fact, the reason for the 9.9 CVSS rating: anyone from anywhere can abuse this flaw, and there is no password or 2FA that can stop that from happening.

Apache Fixes CVE-2024-45387

One fortunate moment about this vulnerability is that its existence became known long after the release of a version that has the issue fixed. The official recommendation from Apache is to install it as soon as possible; there is no mitigation available to temporarily block the exploitation possibilities before the proper update.

The list of versions affected by the flaw is rather modest – it is only about versions 8.0.0 and 8.0.1 of Apache Traffic Control, released earlier this year. Version 8.0.2, that they’ve published in October 2024, is not affected by the issue; all 7.x.x versions are free of any danger, too.

The post Apache Traffic Control Critical SQLi Vulnerability Fixed appeared first on Gridinsoft Blog.