ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
A quick look at sextortion at scale: 1,900 messages and 205 Bitcoin addresses spanning four years
Published: 2025-09-02
Last Updated: 2025-09-02 06:05:33 UTC
by Jan Kopriva (Version: 1)
What can almost 2,000 sextortion messages tell us about how threat actors operate and whether they are successful? Let’s find out.
Although it is true that I covered sextortion in my last diary, I thought the topic deserved further discussion today.
This is not because we didn’t cover sextortion in enough depth here at the Internet Storm Center over the previous years – we did – for example, see the pre-2020 series of articles from Rick in which he discussed tracking of sextortion payments. The reason is that in my latest diary, we only had a fairly small sample to base our observations on… And this has recently changed.
After the last diary was published, our friend and colleague “l0c4l” from France got in touch with me and offered to share his dataset containing approximately 1,900 sextortion messages for further analysis. And as Marlon Brando put it – it was an offer I couldn’t refuse.
After some initial cleanup of the received data, I was left with 1,888 individual sextortion messages that – according to their headers – were sent between June 2021 and August 2025. In these e-mails, there were 193 unique Bitcoin addresses to which recipients were supposed to send payments.
Although in some messages threat actors offered Ethereum (ETH) as an alternative to Bitcoin and provided a corresponding second wallet/address as a result, I only used the BTC addresses for further analysis.
Before moving on, I added the data from my own dataset (which was discussed last time) to the new dataset. After that, I ended up with 1,909 messages in which 205 unique addresses (203 BTC, 2 LTC) were used. This – although not overwhelmingly large – was a reasonable sample size for further analysis.
So, what can we learn from it? ...
Read the full entry: https://isc.sans.edu/diary/A+quick+look+at+sextortion+at+scale+1900+messages+and+205+Bitcoin+addresses+spanning+four+years/32252/
Increasing Searches for ZIP Files
Published: 2025-08-28
Last Updated: 2025-08-28 14:57:38 UTC
by Johannes Ullrich (Version: 1)
I noticed recently that we have more and more requests for ZIP files in our web honeypot logs. Over the last year, we have had a substantial increase in these requests ...
Here are some of the most common URLs requested so far this year ...
Of course, one should never have "random" backup zip files exposed on a web server like this. But we all know it happens. Your best defense is likely to first of all try to prevent downloading of zip files, if that is an option, by adjusting the web server configuration. Secondly, you should monitor the document root directories for any rogue zip files.
Ultimately, good change control should be your defense to prevent files like this from being dropped on a web server by either system administrators or developers ...
Read the full entry: https://isc.sans.edu/diary/Increasing+Searches+for+ZIP+Files/32242/
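Two checks a defender can run for the pattern described in the diary above, as an added example that is not part of the ISC post: one counts requests for .zip paths in a combined-format web access log (the "searches" the diary refers to), the other lists stray .zip files under a document root. The log lines, IPs and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the ISC diary: two defender-side checks for
# scanners hunting for backup ZIP files on web servers.
#   zip_request_report LOG   - counts requests for .zip paths in a
#                              combined-format web access log
#   find_rogue_zips DOCROOT  - lists .zip files under a document root,
#                              where they normally should not exist
# All sample data below is constructed for the demo.

zip_request_report() {
    # $7 is the request path in combined log format; drop any query string,
    # keep paths ending in .zip (any case), then count occurrences.
    awk '{ p = $7; sub(/\?.*/, "", p); if (tolower(p) ~ /\.zip$/) print p }' "$1" \
        | sort | uniq -c | sort -rn
}

zip_request_count() {
    # Total number of .zip requests in the log.
    zip_request_report "$1" | awk '{ n += $1 } END { print n + 0 }'
}

find_rogue_zips() {
    # Any .zip directly reachable under the document root deserves a look.
    find "$1" -type f -iname '*.zip' | sort
}

make_sample_dir() {
    # Builds a temp dir with a constructed access log and a small docroot
    # containing one stray backup archive; prints the directory path.
    d=$(mktemp -d)
    cat > "$d/access.log" <<'EOF'
203.0.113.5 - - [28/Aug/2025:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Aug/2025:10:00:02 +0000] "GET /www.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Aug/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/8.0"
198.51.100.7 - - [28/Aug/2025:10:00:04 +0000] "GET /backup.zip?x=1 HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [28/Aug/2025:10:00:05 +0000] "GET /Backup.ZIP HTTP/1.1" 404 196 "-" "python-requests/2.31"
EOF
    mkdir -p "$d/htdocs/assets"
    : > "$d/htdocs/index.html"
    : > "$d/htdocs/assets/site-backup.zip"
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_dir)
    echo "Most requested .zip paths:"
    zip_request_report "$d/access.log"
    echo "Rogue .zip files under docroot:"
    find_rogue_zips "$d/htdocs"
    rm -rf "$d"
fi
```

Run with `sh script.sh demo` to see the report on the constructed data; point the two functions at a real access log and document root to use them for monitoring.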
pdf-parser: All Streams (2025.08.31)
https://isc.sans.edu/diary/pdfparser+All+Streams/32248/
Wireshark 4.4.9 Released (2025.08.31)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-7775 - NetScaler ADC and NetScaler Gateway are vulnerable to Memory overflow leading to Remote Code Execution and/or Denial of Service when configured as Gateway or LB virtual servers bound with IPv6 services.
Product: Citrix NetScaler Application Delivery Controller
CVSS Score: 9.8
** KEV since 2025-08-26 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7775
ISC Podcast: https://isc.sans.edu/podcastdetail/9588
NVD References: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
CVE-2025-7776 - NetScaler ADC and NetScaler Gateway are vulnerable to memory overflow, potentially causing unpredictable behavior and denial of service if the product is configured as a Gateway with a PCoIP Profile.
Product: Citrix NetScaler Application Delivery Controller and NetScaler Gateway
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7776
ISC Podcast: https://isc.sans.edu/podcastdetail/9588
NVD References: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
CVE-2025-8424 - NetScaler ADC and NetScaler Gateway are vulnerable to improper access control on the NetScaler Management Interface, allowing attackers to gain access to critical IP addresses and potentially compromise the system.
Product: Citrix NetScaler Application Delivery Controller and NetScaler Gateway
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8424
ISC Podcast: https://isc.sans.edu/podcastdetail/9588
NVD References: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
CVE-2025-57819 - FreePBX is vulnerable to unauthenticated access and remote code execution due to insufficient data sanitization, patched in versions 15.0.66, 16.0.89, and 17.0.3.
Product: Sangoma Freepbx
CVSS Score: 9.8
** KEV since 2025-08-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57819
NVD References:
- https://community.freepbx.org/t/security-advisory-please-lock-down-your-administrator-access/107203
- https://github.com/FreePBX/security-reporting/security/advisories/GHSA-m42g-xg4c-5f3h
CVE-2025-48384 - Git has a vulnerability that allows for unintentional execution of post-checkout hooks due to a trailing carriage return issue, fixed in versions v2.43.7 and above.
Product: Git
CVSS Score: 0
** KEV since 2025-08-25 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48384
ISC Podcast: https://isc.sans.edu/podcastdetail/9588
CVE-2025-55177 - WhatsApp for iOS, WhatsApp Business for iOS, and WhatsApp for Mac had incomplete authorization of linked device synchronization messages, potentially allowing an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.
Product: WhatsApp for iOS, WhatsApp Business for iOS, WhatsApp for Mac
CVSS Score: 5.4
** KEV since 2025-09-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55177
NVD References: https://www.whatsapp.com/security/advisories/2025/
CVE-2025-41702 - egOS WebGUI backend has a vulnerability where the JWT secret key is exposed to the default user, allowing unauthenticated remote attackers to generate valid tokens and bypass authentication/authorization.
Product: egOS WebGUI
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41702
NVD References: https://certvde.com/de/advisories/VDE-2025-076
CVE-2025-55526 - n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py.
Product: n8n-workflows
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55526
CVE-2024-39335 - Mahara versions 24.04 and 23.04 may expose information to an institution administrator on the 'Current submissions' page.
Product: Mahara
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39335
NVD References: https://mahara.org/interaction/forum/topic.php?id=9519
CVE-2025-25734 - Kapsch TrafficCom RSUs v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were found to have an unauthenticated EFI shell, enabling malicious actors to execute code or elevate privileges at boot.
Product: Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25734
CVE-2025-25736 - Kapsch TrafficCom RIS-9260 RSU LEO v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 have a vulnerability that enables unauthenticated root shell access to the cellular modem via the default 'kapsch' user.
Product: Kapsch TrafficCom RIS-9260 RSU LEO
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25736
CVE-2025-25737 - Kapsch TrafficCom RIS-9160 & RIS-9260 RSUs v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 have insecure password requirements for BIOS Supervisor and User accounts.
Product: Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25737
CVE-2025-52353 - Badaso CMS 2.9.11 is vulnerable to arbitrary code execution through file-upload endpoint, allowing authenticated users to upload PHP files that can run system commands and compromise the host.
Product: Badaso CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52353
CVE-2025-55443 - Telpo MDM 1.4.6 thru 1.4.9 for Android exposes sensitive administrator credentials and MQTT server connection details in plaintext log files on external storage, enabling attackers to perform unauthorized administrative operations and access device data.
Product: Telpo MDM
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55443
CVE-2025-0074 - sdp_discovery.cc allows for remote code execution via a use after free vulnerability, requiring no user interaction for exploitation.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0074
NVD References: https://source.android.com/security/bulletin/2025-03-01
CVE-2025-0075 - sdp_server.cc allows for possible remote code execution through a use after free vulnerability in the process_service_search_attr_req function.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0075
NVD References: https://source.android.com/security/bulletin/2025-03-01
CVE-2025-22403 - sdp_discovery.cc has a use after free vulnerability in sdp_snd_service_search_req, allowing for remote code execution without user interaction.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22403
NVD References: https://source.android.com/security/bulletin/2025-03-01
CVE-2025-22408 - rfc_utils.cc has a vulnerability that allows for arbitrary code execution through a use after free in rfc_check_send_cmd, leading to remote code execution without user interaction required.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22408
NVD References: https://source.android.com/security/bulletin/2025-03-01
CVE-2025-9523 - Tenda AC1206 15.03.06.23 is vulnerable to a remote stack-based buffer overflow via the GetParentControlInfo function in the file /goform/GetParentControlInfo by manipulating the mac argument.
Product: Tenda AC1206
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9523
CVE-2025-43728 - Dell ThinOS 10 prior to version 2508_10.0127 is vulnerable to Protection Mechanism Failure, allowing unauthenticated attackers to bypass security measures.
Product: Dell ThinOS 10
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43728
NVD References: https://www.dell.com/support/kbdoc/en-us/000359619/dsa-2025-331
CVE-2025-50972 - AbanteCart 1.4.2 is vulnerable to SQL Injection, allowing unauthenticated attackers to execute arbitrary SQL commands through the tmpl_id parameter in index.php.
Product: AbanteCart 1.4.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50972
CVE-2025-52122 - Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, is vulnerable to Server-side template injection (SSTI) allowing arbitrary code injection through form submission titles.
Product: Freeform CraftCMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52122
CVE-2025-50428 - RaspAP is vulnerable to a command injection flaw in the includes/hostapd.php script, caused by inadequate user input sanitization.
Product: RaspAP raspap-webgui
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50428
CVE-2025-55583 - D-Link DIR-868L B1 router firmware version FW2.05WWB02 is vulnerable to unauthenticated OS command injection via the fileaccess.cgi component, allowing remote attackers to execute commands as root.
Product: D-Link DIR-868L B1 router
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55583
NVD References: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10397
CVE-2025-58048 - Paymenter prior to version 1.2.11 allows a malicious authenticated user to upload arbitrary files, potentially leading to data extraction, credential theft, and remote code execution.
Product: Paymenter webshop solution
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58048
CVE-2025-58059 - Valtimo, a platform for Business Process Automation, is vulnerable to unauthorized access to sensitive data or resources in certain versions, requiring immediate patching or potential disabling of scripting capabilities to mitigate risks.
Product: Valtimo Business Process Automation
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58059
CVE-2025-9605 - Tenda AC21 and AC23 16.03.08.16 are vulnerable to a remote stack-based buffer overflow in the function GetParentControlInfo, due to manipulation of the argument mac in the file /goform/GetParentControlInfo.
Product: Tenda AC21 and AC23
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9605
CVE-2025-8857 - Clinic Image System by Changing has hard-coded Credentials vulnerability that allows unauthenticated attackers to log in as administrators.
Product: Changing Clinic Image System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8857
NVD References: https://www.twcert.org.tw/en/cp-139-10363-601c9-2.html
CVE-2025-8861 - TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents.
Product: Changing TSA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8861
NVD References: https://www.twcert.org.tw/en/cp-139-10361-4ce04-2.html
CVE-2025-44033 - oa_system oasys v.1.1 is vulnerable to SQL injection through the allDirector() method declaration in AddressMapper.java, allowing remote attackers to execute arbitrary code.
Product: oa_system oasys
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44033
CVE-2024-46484 - TRENDnet TV-IP410 vA1.0R was discovered to contain an OS command injection vulnerability via the /server/cgi-bin/testserv.cgi component.
Product: TRENDnet TV-IP410
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-46484
CVE-2025-58159 - WeGIA allows remote code execution through improper file validation, potentially leading to arbitrary code execution on the server.
Product: WeGIA
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58159
CVE-2022-38692 - BootROM is vulnerable to a memory buffer overflow due to a missing size check for RSA keys in Certificate Type 0 validation, no additional execution privileges needed.
Product: BootROM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-38692
CVE-2022-38693 - FDL1 has a potential missing payload size check, allowing for memory buffer overflow without extra execution privileges.
Product: FDL1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-38693
CVE-2022-38696 - BootRom may be susceptible to memory buffer overflows due to a potential missing payload size check, compromising security.
Product: BootRom
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-38696
CVE-2024-28988 - SolarWinds Web Help Desk is susceptible to a Java Deserialization Remote Code Execution vulnerability, allowing attackers to run commands on the host machine.
Product: SolarWinds Web Help Desk
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28988
NVD References: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28988
CVE-2025-57140 - rsbi-pom 4.7 is vulnerable to SQL Injection in the /bi/service/model/DatasetService path.
Product: rsbi-pom 4.7
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57140
CVE-2020-24363 - TP-Link TL-WA855RE V5 20200415-rel37464 devices have a vulnerability that allows an unauthenticated attacker to reset the device and gain incorrect access control.
Product: TP-Link TL-WA855RE V5 20200415
CVSS Score: 0
** KEV since 2025-09-02 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-24363
CVE-2025-39496 - WBW WooBeWoo Product Filter Pro allows SQL Injection due to improper neutralization of special elements in SQL commands, affecting versions before 2.9.6.
Product: WBW WooBeWoo Product Filter Pro
Active Installations: 60,000+. Update to version 2.9.6 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39496
CVE-2025-48100 - bidorbuy Store Integrator is vulnerable to Code Injection, allowing for Remote Code Inclusion in versions from n/a through 2.12.0.
Product: extremeidea bidorbuy Store Integrator
Active Installations: This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48100
CVE-2025-49387 - Drag and Drop File Upload for Elementor Forms allows uploading of dangerous files, enabling attackers to upload web shells onto web servers.
Product: add-ons.org Drag and Drop File Upload for Elementor Forms
Active Installations: 800+. Update to version 1.5.4 or later.
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49387
CVE-2025-49388 - Miraculous Core Plugin is vulnerable to Incorrect Privilege Assignment, allowing for Privilege Escalation from version n/a through 2.0.7.
Product: kamleshyadav Miraculous Core Plugin
Active Installations: Unknown. Update to version 2.0.8 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49388
CVE-2025-54720 - Nest Addons by SteelThemes is vulnerable to SQL Injection through improper neutralization of special elements in SQL commands, affecting versions from n/a through 1.6.3.
Product: SteelThemes Nest Addons
Active Installations: Unknown. Update to version 1.6.4 or later.
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54720
CVE-2025-54725 - Golo: from n/a through 1.7.0 allows Authentication Abuse via an alternate path or channel.
Product: uxper Golo
Active Installations: Unknown. Update to version 1.7.1 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54725
NVD References: https://patchstack.com/database/wordpress/theme/golo/vulnerability/wordpress-golo-theme-1-7-0-broken-authentication-vulnerability?_s_id=cve
CVE-2025-54738 - NooTheme Jobmonster version n/a through 4.7.9 allows Authentication Abuse through an Alternate Path or Channel.
Product: NooTheme Jobmonster
Active Installations: Unknown. Update to version 4.8.0 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54738
CVE-2024-32832 - Missing Authorization vulnerability in Hamid Alinia Login with phone number. This issue affects Login with phone number: from n/a through 1.6.93.
Product: Hamid Alinia Login with phone number
Active Installations: 1,000+. Update to version 1.6.94 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32832
CVE-2025-31100 - Mojoomla School Management allows an Unrestricted Upload of File with Dangerous Type vulnerability, enabling the upload of a Web Shell to a Web Server, impacting versions up to 1.93.1 (02-07-2025).
Product: Mojoomla School Management
Active Installations: Unknown
CVSS Score: 9.9
Webcast | 2025 Attack Surface & Vulnerability Management Survey: Hackers Don’t Wait—Why Should We? | Wednesday, October 22, 2025 at 10:30 AM ET Uncover strategies to reduce risk across today's expanding attack surface, learn how to prioritize vulnerabilities, strengthen defenses, and stay ahead of adversaries targeting every corner of your environment.
Webcast | Balancing On-Prem and Cloud Security: Strategic Considerations for Modern Organizations | Tuesday, September 16, 2025 at 1:00PM ET Explore how security leaders are striking the right balance between on-premises and cloud environments - with practical guidance for managing risk, maintaining compliance, and optimizing resources in a hybrid world.