Internet Storm Center Spotlight

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Apple Patches Everything: March 31st 2025 Edition

Published: 2025-03-31

Last Updated: 2025-03-31 23:46:37 UTC

by Johannes Ullrich (Version: 1)

Today, Apple released updates across all its products: iOS, iPadOS, macOS, tvOS, visionOS, Safari, and Xcode. watchOS was interestingly missing from the patch lineup. This is a feature update for the operating systems, but we get patches for 145 different vulnerabilities in addition to new features. This update includes a patch for CVE-2025-24200 and CVE-2025-24201, two already exploited iOS vulnerabilities, for older iOS/iPadOS versions. Current versions received this patch a few weeks ago ...

Read the full entry: https://isc.sans.edu/diary/Apple+Patches+Everything+March+31st+2025+Edition/31816/

Apache Camel Exploit Attempt by Vulnerability Scan (CVE-2025-27636, CVE-2025-29891)

Published: 2025-03-31

Last Updated: 2025-03-31 12:20:30 UTC

by Johannes Ullrich (Version: 1)

About three weeks ago, Apache patched two vulnerabilities in Apache Camel. The two vulnerabilities (CVE-2025-27636 and CVE-2025-29891) may lead to remote code execution, but not in the default configuration. The vulnerability is caused by Apache Camel using case-sensitive filters to restrict which headers may be used. However, HTTP header names are not case-sensitive, so an attacker may trivially bypass the filter.

At this point, the attempts we see originate from authorized vulnerability scanners. I do not call this "exploited" yet. The exploit is trivial and actual exploitation is likely, but the number of vulnerable systems is likely small. The vulnerability is still interesting because (a) it uses HTTP headers, and I am currently focusing on HTTP headers, and (b) it is trivial to exploit.

Here is a sample request ...

Why do I believe that these are authorized vulnerability scans?

1. The target IP of the "ping" is an internal IP address

2. The User-Agent is the name of a well-respected security company (redacted to protect the innocent)

3. The victim IP is also an internal IP address.

4. The hexadecimal ping payload decodes to "_OpenVASVT91380_". OpenVAS is an open source vulnerability scanner unsuitable for the typical internet-wide scans done by the attackers we usually observe.

Could this still be an actual attack? Sure. Everything is possible. But it is very unlikely that an attacker would spoof this user agent, and this attacker would already be "inside" the network.
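To make the filter defect concrete, here is a minimal model in Python (an added example, not the diary's or Apache Camel's code; the header names and deny-list are assumed placeholders, not Camel's real ones): the case-sensitive deny-list, the case-folded fix, and a detection helper that flags a request whose header name matches the deny-list only after case folding.

```python
# Added example (not from the ISC diary or the Apache Camel project): a minimal
# model of the bug class described above. A deny-list of header names compared
# case-sensitively is bypassed by a mixed-case spelling, because HTTP header
# field names are case-insensitive (RFC 9110). The header names below are
# hypothetical placeholders, not Camel's real header names.

DENIED_HEADERS = {"X-Internal-Command", "X-Internal-Target"}  # assumed deny-list


def filter_headers_vulnerable(headers: dict) -> dict:
    """Case-sensitive filter: only an exactly spelled denied name is dropped."""
    return {k: v for k, v in headers.items() if k not in DENIED_HEADERS}


def filter_headers_fixed(headers: dict) -> dict:
    """Case-insensitive filter: fold the incoming name before comparing."""
    denied = {name.lower() for name in DENIED_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in denied}


def find_case_bypasses(headers: dict) -> list:
    """Detection helper: header names that match the deny-list only after
    case folding. A legitimate client has no reason to vary the case of
    these names, so such a request is worth alerting on."""
    denied = {name.lower() for name in DENIED_HEADERS}
    return [k for k in headers if k not in DENIED_HEADERS and k.lower() in denied]


# Constructed sample request headers: a mixed-case spelling of a denied name,
# the kind of probe a vulnerability scanner would send.
SAMPLE_REQUEST = {
    "Host": "camel-app.internal.example",
    "User-Agent": "scanner/1.0",
    "x-internal-command": "ping",
}

if __name__ == "__main__":
    print("vulnerable filter keeps:", sorted(filter_headers_vulnerable(SAMPLE_REQUEST)))
    print("fixed filter keeps:     ", sorted(filter_headers_fixed(SAMPLE_REQUEST)))
    print("case-fold bypass names: ", find_case_bypasses(SAMPLE_REQUEST))
```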

Read the full entry: https://isc.sans.edu/diary/Apache+Camel+Exploit+Attempt+by+Vulnerability+Scan+CVE202527636+CVE202529891/31814/

Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218

Published: 2025-03-27

Last Updated: 2025-03-27 17:05:40 UTC

by Johannes Ullrich (Version: 1)

On March 6th, Searchlight Cyber published a blog revealing details about a new deserialization vulnerability in Sitecore. Sitecore calls itself a "Digital Experience Platform (CXP)," which is a fancy content management system (CMS). Sitecore itself is written in .NET and is often sold as part of a solution offered by Sitecore partners. Like other CMSs, it makes it easy to manage a website's content. It offers several attractive features to marketing professionals seeking more insight into user patterns.

Searchlight Cyber has reviewed Sitecore in the past, and this is not the first vulnerability Searchlight Cyber has discovered in Sitecore.

This most recent vulnerability is interesting in that it does not require authentication. Like other deserialization vulnerabilities, this vulnerability may lead to remote code execution. Another somewhat unusual property of this vulnerability is that it is reached through a custom HTTP header. A few deserialization vulnerabilities are exploitable via cookies, but I do not remember seeing one exploiting a custom header. Let me know if there are others ...

Read the full entry: https://isc.sans.edu/diary/Sitecore+thumbnailsaccesstoken+Deserialization+Scans+and+some+new+reports+CVE202527218/31806/

Internet Storm Center Entries


Surge in Scans for Juniper "t128" Default User (2025.04.02)

https://isc.sans.edu/diary/Surge+in+Scans+for+Juniper+t128+Default+User/31824/

A Tale of Two Phishing Sites (2025.03.28)

https://isc.sans.edu/diary/A+Tale+of+Two+Phishing+Sites/31810/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-26633 - Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Product: Microsoft Management Console

CVSS Score: 0

** KEV since 2025-03-11 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26633

ISC Podcast: https://isc.sans.edu/podcastdetail/9380

CVE-2025-24200 - iOS and iPadOS are vulnerable to an authorization issue due to poor state management, potentially allowing a physical attack to disable USB Restricted Mode. Apple is investigating reports of exploitation in sophisticated attacks against specific individuals.

Product: Apple iPadOS

CVSS Score: 0

** KEV since 2025-02-12 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24200

ISC Diary: https://isc.sans.edu/diary/31816

CVE-2025-24201 - visionOS, iOS, iPadOS, macOS Sequoia, Safari were vulnerable to an out-of-bounds write issue that could allow malicious web content to break out of the sandbox.

Product: Apple iOS

CVSS Score: 0

** KEV since 2025-03-13 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24201

ISC Diary: https://isc.sans.edu/diary/31816

CVE-2025-2783 - Google Chrome's Mojo vulnerability in Windows versions prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file.

Product: Google Chrome

CVSS Score: 8.3

** KEV since 2025-03-27 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2783

NVD References:

- https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html

- https://issues.chromium.org/issues/405143032

CVE-2025-27218 - Sitecore Experience Manager (XM) and Experience Platform (XP) 10.4 before KB1002844 allow remote code execution through insecure deserialization.

Product: Sitecore Experience Manager (XM)

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27218

ISC Podcast: https://isc.sans.edu/podcastdetail/9384

CVE-2024-3721 - TBK DVR-4104 and DVR-4216 up to 20240412 are vulnerable to a critical OS command injection issue via manipulation of the argument mdb/mdc in the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___.

Product: TBK DVR-4104, DVR-4216

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3721

ISC Podcast: https://isc.sans.edu/podcastdetail/9380

CVE-2025-1974 - Kubernetes has a security issue where an unauthenticated attacker could execute arbitrary code through the ingress-nginx controller, potentially leading to disclosure of sensitive data.

Product: Kubernetes ingress-nginx

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1974

NVD References: https://github.com/kubernetes/kubernetes/issues/131009

CVE-2024-42533 - Convivance StandVoice is vulnerable to SQL injection attacks in the authentication module, enabling remote attackers to execute arbitrary code through the GEST_LOGIN parameter.

Product: Convivance StandVoice

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42533

NVD References:

- https://gist.github.com/7h30th3r0n3/eae27e0eed39741365c55dfd46b57dc8

CVE-2024-48818 - An issue in IIT Bombay, Mumbai, India Bodhitree of cs101 version allows a remote attacker to execute arbitrary code.

Product: IIT Bombay Bodhitree

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48818

NVD References:

- https://packetstorm.news/files/id/183309

CVE-2025-30216 - CryptoLib is vulnerable to a heap overflow in versions 1.3.3 and prior, allowing for potential arbitrary code execution or system instability.

Product: NASA CryptoLib

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30216

NVD References:

- https://github.com/nasa/CryptoLib/commit/810fd66d592c883125272fef123c3240db2f170f

- https://github.com/nasa/CryptoLib/security/advisories/GHSA-v3jc-5j74-hcjv

- https://github.com/user-attachments/assets/d49cea04-ce84-4d60-bb3a-987e843f09c4

CVE-2024-55028 - NASA Fprime v3.4.3 is vulnerable to template injection in its Dashboard, enabling attackers to execute arbitrary code by uploading a malicious Vue file.

Product: NASA Fprime

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55028

NVD References:

- https://visionspace.com/remote-code-execution-and-critical-vulnerabilities-in-nasa-fprime-v3-4-3/

CVE-2024-55030 - A command injection vulnerability in the Command Dispatcher Service of NASA Fprime v3.4.3 allows attackers to execute arbitrary commands.

Product: NASA Fprime

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55030

NVD References:

- https://visionspace.com/remote-code-execution-and-critical-vulnerabilities-in-nasa-fprime-v3-4-3/

CVE-2025-25373 - NASA cFS (Core Flight System) Aquila's Memory Management Module has insecure permissions, allowing potential attackers to exploit it for remote code execution.

Product: NASA cFS (Core Flight System) Aquila

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25373

NVD References:

- https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/

CVE-2025-27831, CVE-2025-27832, CVE-2025-27836, CVE-2025-27837 - Multiple vulnerabilities (buffer overflows and access to arbitrary files) in Artifex Ghostscript before 10.05.0.

Product: Artifex Ghostscript

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27831

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27832

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27836

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27837

NVD References: https://bugs.ghostscript.com/show_bug.cgi?id=708132

NVD References: https://bugs.ghostscript.com/show_bug.cgi?id=708133

NVD References: https://bugs.ghostscript.com/show_bug.cgi?id=708192

NVD References: https://bugs.ghostscript.com/show_bug.cgi?id=708238

CVE-2024-47516 - Pagure is vulnerable to remote code execution due to an argument injection in Git during repository history retrieval.

Product: Pagure Git

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47516

NVD References:

- https://access.redhat.com/security/cve/CVE-2024-47516

- https://bugzilla.redhat.com/show_bug.cgi?id=2315805

CVE-2025-2825 - CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 allow unauthenticated access via remote HTTP requests.

Product: CrushFTP

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2825

NVD References:

- https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

- https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-next-js-cve-2025-29927/

CVE-2025-25535 - HTTP Response Manipulation in SCRIPT CASE v.1.0.002 Build7 allows a remote attacker to escalate privileges via a crafted request.

Product: SCRIPT CASE

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25535

NVD References:

- https://github.com/simalamuel/Research/tree/main/CVE-2025-25535

- https://www.besafebrasil.com.br/script-case-cve-2025-xx-xxxx/

CVE-2025-26002 through CVE-2025-26008, CVE-2025-26010, CVE-2025-26011 - Multiple vulnerabilities in Telesquare TLR-2005KSH 1.1.4.

Product: Telesquare TLR-2005KSH

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26002

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26003

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26004

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26005

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26006

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26007

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26008

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26010

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26011

NVD References: https://github.com/Fan-24/Digging/blob/main/3/1.md

NVD References: https://github.com/Fan-24/Digging/tree/main/2

NVD References: https://github.com/Fan-24/Digging/blob/main/5/1.md

NVD References: https://github.com/Fan-24/Digging/blob/main/6/1.md

NVD References: https://github.com/Fan-24/Digging/blob/main/7/1.md

NVD References: https://github.com/Fan-24/Digging/blob/main/4/1.md

NVD References: https://github.com/Fan-24/Digging/blob/main/10/1.md

NVD References: https://github.com/Fan-24/Digging/blob/main/2/1.md

NVD References: https://github.com/Fan-24/Digging/blob/main/9/1.md

NVD References: https://github.com/Fan-24/Digging/blob/main/8/1.md

CVE-2025-25686 - semcms <=5.0 is vulnerable to SQL Injection in SEMCMS_Fuction.php.

Product: semcms <=5.0

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25686

NVD References: https://github.com/J1095/fkapfxx

CVE-2025-28138 - TOTOLINK A800R V4.1.2cu.5137_B20200730 contains a remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

Product: TOTOLINK A800R

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28138

NVD References: https://sudsy-eyeliner-a59.notion.site/RCE2-1ac72b8cd95f8055a76ee0ca262aac1a?pvs=4

CVE-2024-54502 - Processing maliciously crafted web content may lead to an unexpected process crash.

Product: Multiple Apple products

CVSS Score: 6.5

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54502

ISC Diary: https://isc.sans.edu/diary/31816

ISC Podcast: https://isc.sans.edu/podcastdetail/9390

NVD References:

- https://support.apple.com/en-us/121837

- https://support.apple.com/en-us/121839

- https://support.apple.com/en-us/121843

- https://support.apple.com/en-us/121844

- https://support.apple.com/en-us/121845

- https://support.apple.com/en-us/121846

CVE-2024-54508 - Processing maliciously crafted web content may lead to an unexpected process crash.

Product: Multiple Apple products

CVSS Score: 7.5

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54508

ISC Diary: https://isc.sans.edu/diary/31816

ISC Podcast: https://isc.sans.edu/podcastdetail/9390

NVD References:

- https://support.apple.com/en-us/121837

- https://support.apple.com/en-us/121839

- https://support.apple.com/en-us/121843

- https://support.apple.com/en-us/121844

- https://support.apple.com/en-us/121845

- https://support.apple.com/en-us/121846

CVE-2024-54534 - Processing maliciously crafted web content may lead to memory corruption.

Product: Multiple Apple products

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54534

ISC Diary: https://isc.sans.edu/diary/31816

ISC Podcast: https://isc.sans.edu/podcastdetail/9390

NVD References:

- https://support.apple.com/en-us/121837

- https://support.apple.com/en-us/121839

- https://support.apple.com/en-us/121843

- https://support.apple.com/en-us/121844

- https://support.apple.com/en-us/121845

- https://support.apple.com/en-us/121846

CVE-2025-26941 - Andy Moyle Church Admin is vulnerable to SQL Injection from versions n/a through 5.0.18.

Product: Andy Moyle Church Admin

Active Installations: 900+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26941

NVD References: https://patchstack.com/database/wordpress/plugin/church-admin/vulnerability/wordpress-church-admin-plugin-5-0-18-sql-injection-vulnerability?_s_id=cve

CVE-2025-28904 - Shamalli Web Directory Free from n/a through 1.7.6 allows Blind SQL Injection via improper neutralization of special elements in an SQL command (SQL Injection) vulnerability.

Product: Shamalli Web Directory Free

Active Installations: 500+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28904

NVD References: https://patchstack.com/database/wordpress/plugin/web-directory-free/vulnerability/wordpress-web-directory-free-plugin-1-7-6-sql-injection-vulnerability?_s_id=cve

CVE-2025-28942 - Trust Payments Gateway for WooCommerce allows SQL injection due to improper neutralization of special elements in SQL commands, affecting versions from n/a through 1.1.4.

Product: Trust Payments Gateway for WooCommerce

Active Installations: 400+

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28942

NVD References: https://patchstack.com/database/wordpress/plugin/trust-payments-hosted-payment-pages-integration/vulnerability/wordpress-trust-payments-gateway-for-woocommerce-plugin-1-1-4-sql-injection-vulnerability?_s_id=cve

CVE-2025-28893 - Visual Text Editor is vulnerable to Code Injection, allowing Remote Code Inclusion from version n/a through 1.2.1.

Product: Visual Text Editor

Active Installations: unknown

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28893

NVD References: https://patchstack.com/database/wordpress/plugin/visual-text-editor/vulnerability/wordpress-visual-text-editor-plugin-1-2-1-remote-code-execution-rce-vulnerability?_s_id=cve

CVE-2025-28898 - WP Multistore Locator is vulnerable to SQL Injection in versions from n/a through 2.5.2.

Product: WP Multistore Locator

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28898

NVD References: https://patchstack.com/database/wordpress/plugin/wp-multi-store-locator/vulnerability/wordpress-wp-multistore-locator-plugin-2-5-2-sql-injection-vulnerability?_s_id=cve

CVE-2025-28916 - Docpro allows PHP Local File Inclusion due to Improper Control of Filename for Include/Require Statement.

Product: Docpro

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28916

NVD References: https://patchstack.com/database/wordpress/plugin/docpro/vulnerability/wordpress-docpro-plugin-2-0-1-local-file-inclusion-vulnerability?_s_id=cve

CVE-2025-30524 - Product Catalog allows SQL Injection due to improper neutralization of special elements in SQL commands, impacting versions n/a through 1.0.4.

Product: origincode Product Catalog

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30524

NVD References: https://patchstack.com/database/wordpress/plugin/displayproduct/vulnerability/wordpress-product-catalog-plugin-1-0-4-sql-injection-vulnerability?_s_id=cve

CVE-2025-26873 - Deserialization of Untrusted Data vulnerability in Shinetheme Traveler. This issue affects Traveler: from n/a through 3.1.8.

Product: Shinetheme Traveler

Active Installations: unknown

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26873

NVD References: https://patchstack.com/database/wordpress/theme/traveler/vulnerability/wordpress-traveler-theme-3-1-8-php-object-injection-vulnerability?_s_id=cve