
Ivanti Flags Critical Endpoint Manager Flaw Allowing Remote Code Execution


Ivanti is urging customers to quickly patch a critical vulnerability in its Endpoint Manager (EPM) product that could let remote attackers execute arbitrary JavaScript in administrator sessions through low-complexity cross-site scripting (XSS) attacks. The issue, tracked as CVE-2025-10573, affects the EPM web service and can be abused without authentication, but does require some user interaction to trigger.

The flaw stems from how Ivanti EPM handles managed endpoints presented to the primary web service. According to Rapid7 researcher Ryan Emmons, an attacker with unauthenticated access to the EPM web interface can register bogus managed endpoints and inject malicious JavaScript into the administrator dashboard. Once an EPM administrator views a poisoned dashboard widget as part of routine use, the injected code executes in the browser, allowing the attacker to hijack the admin session and act with their privileges.

Patch availability and exposure

Ivanti has released EPM 2024 SU4 SR1 to remediate CVE-2025-10573 and recommends customers install this update as soon as possible. The company stressed that EPM is designed to operate behind perimeter defenses and not be directly exposed to the public internet, which should lower practical risk where deployments follow guidance. However, data from the Shadowserver Foundation shows hundreds of Ivanti EPM instances reachable online, with the highest counts in the United States, Germany, and Japan, significantly increasing the potential attack surface for those organizations.

Alongside the critical bug, Ivanti shipped fixes for three other high‑severity vulnerabilities affecting EPM, including CVE-2025-13659 and CVE-2025-13662. These two issues could also enable unauthenticated remote attackers to execute arbitrary code on vulnerable systems under certain conditions. Successful exploitation of the newly disclosed high‑severity flaws requires user interaction and either connecting to an untrusted core server or importing untrusted configuration files, which slightly raises the bar for real-world attacks.

Threat landscape and prior exploitation

Ivanti stated there is currently no evidence that any of the newly patched flaws have been exploited in the wild and credited its responsible disclosure program for bringing them to light. Nonetheless, EPM vulnerabilities have been frequent targets, and U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly added Ivanti EPM bugs to its catalog of exploited vulnerabilities. In 2024, CISA ordered federal agencies to urgently patch multiple Ivanti EPM issues, including three critical flaws flagged in March and another actively exploited vulnerability mandated for remediation in October.

Project Zero Exposes Apple ASLR Bypass via NSDictionary Serialization Flaw


Google Project Zero has uncovered a sophisticated technique for bypassing Address Space Layout Randomization (ASLR) protections on Apple devices, targeting a fundamental issue in Apple’s serialization framework. Security researcher Jann Horn described how deterministic behaviors in NSKeyedArchiver and NSKeyedUnarchiver could enable attackers to leak memory pointer values without exploiting conventional bugs or timing-based side channels.

The vulnerability centers on the interaction between singleton objects, pointer-based hash values, and serialization routines. Specifically, Horn identified that NSNull—a singleton object within Apple’s Core Foundation (CFNull)—exposes its memory address through its hash value. Because this object resides in a fixed location in the shared cache, it creates a reliable oracle for leaking memory addresses, defeating standard ASLR defenses.

Attackers can exploit this by crafting malicious serialized input which, when de-serialized and then re-serialized by a victim application, can allow inference of key memory locations. By leveraging the predictable hashing of NSNumber keys and understanding how NSDictionary structures its internal hash table based on prime-numbered bucket counts, an attacker controls where keys are placed during serialization. The relative position of the NSNull key reveals the outcome of hash_code % num_buckets, letting attackers deduce the memory address used by NSNull.

Scaling this approach involves using dictionaries with different prime-sized bucket counts, repeatedly measuring key placements, and applying the Extended Euclidean Algorithm. This enables precise reconstruction of the NSNull pointer address. Horn’s proof-of-concept demonstrated the feasibility, though no real-world application was found with this pattern in production services. The attacker’s tooling involved generating specialized serialized input and computing memory addresses after receiving the victim’s output.

Apple addressed the issue in its March 31, 2025 security updates. Horn cautioned against frameworks using raw memory addresses as hash values, especially when those addresses are static, and recommended strict allowlisting during deserialization, not returning re-serialized attacker input, and keeping outputs within trusted boundaries—aligning with broader best practices for deserialization risks.
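To make the bucket-placement oracle and the Extended Euclidean step concrete, here is an added simulation (not Project Zero's proof-of-concept, nor Apple's code): the bucket counts are constructed primes rather than NSDictionary's real table, the oracle is modelled as a function, and a keyed hash stands in for Horn's recommendation not to use raw addresses as hash values.

```python
from functools import reduce
from operator import mul

# Constructed bucket counts for the simulation: pairwise-coprime primes whose
# product exceeds the 48-bit user-space address range. NSDictionary's real
# prime table is not reproduced here.
BUCKET_PRIMES = [7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43]
POINTER_MASK = (1 << 48) - 1


def egcd(a: int, b: int):
    """Extended Euclidean algorithm: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a modulo m (m is prime here, so it always exists)."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return x % m


def crt(residues, moduli) -> int:
    """Chinese Remainder Theorem: the unique x below prod(moduli) with x % m_i == r_i."""
    big_m = reduce(mul, moduli, 1)
    total = 0
    for r, m in zip(residues, moduli):
        partial = big_m // m
        total += r * partial * modinv(partial, m)
    return total % big_m


def bucket_oracle(hash_value: int, num_buckets: int) -> int:
    """Models what the re-serialised dictionary reveals: the slot of the singleton
    key, i.e. hash_value % num_buckets, readable from its order among NSNumber
    keys whose hashes the sender already knows."""
    return hash_value % num_buckets


def recover_hash(hash_fn, address: int, primes=BUCKET_PRIMES) -> int:
    """One dictionary per bucket count yields one residue; CRT combines them."""
    residues = [bucket_oracle(hash_fn(address), p) for p in primes]
    return crt(residues, primes) & POINTER_MASK


def pointer_hash(address: int) -> int:
    """The problematic scheme: the singleton's address is its hash value."""
    return address


SALT = 0x5A17_C0DE_F00D  # constructed per-process secret, never serialised


def keyed_hash(address: int) -> int:
    """Stand-in for a secret-keyed hash: the residues still combine to a value,
    but it is no longer the address (a real fix would use a proper keyed hash
    such as SipHash rather than this XOR)."""
    return (address ^ SALT) & POINTER_MASK


if __name__ == "__main__":
    addr = 0x1A2B_3C4D_5E60  # constructed sample address
    print(hex(recover_hash(pointer_hash, addr)))  # prints 0x1a2b3c4d5e60
    print(hex(recover_hash(keyed_hash, addr)))    # some value other than addr
```

With eleven residues the pointer is recovered exactly, which is why a pointer-valued hash on a singleton at a fixed shared-cache offset defeats ASLR in one round trip.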

Horn linked this exploit to earlier research on hash-based attacks, such as hashDoS, but highlighted that this method exploits hash order determinism for information leakage rather than denial-of-service. Ultimately, the finding broadens the understanding of how seemingly safe serialization behavior can be weaponized, and underscores the importance of robust serialization hygiene in software security.

Beware iPhone Users: Indian Government Issues Urgent Advisory Over Data Theft Risk


The Indian government has issued an urgent security warning to iPhone and iPad users, citing major flaws in Apple's iOS and iPadOS software. If not addressed, these vulnerabilities could allow cybercriminals to access sensitive user data or make devices inoperable. The advisory was issued by the Indian Computer Emergency Response Team (CERT-In), which is part of the Ministry of Electronics and Information Technology, and urged users to act immediately.

Apple devices running older versions of iOS (prior to 18.3) and iPadOS (prior to 17.7.3 or 18.3) are particularly vulnerable to the security flaws. The iPad Pro (2nd generation and up), iPad 6th generation and later, iPad Air (3rd generation and up), and iPad mini (5th generation and later) are among the popular models that fall within this category, as are the iPhone XS and newer.

One of the major flaws lies in the Darwin notification system, a core part of Apple's inter-process messaging. The vulnerability enables unauthorised apps to send system-level notifications without requiring additional permissions. If it is exploited, the device could freeze or crash, necessitating user intervention to restore functionality.

These flaws present serious threats. Hackers could gain access to sensitive information such as personal details, financial information, and so on. In other cases, they could circumvent the device's built-in security protections, running malicious code that jeopardises the system's integrity. In the worst-case situation, a hacker could crash the device, rendering it completely unusable. CERT-In has also confirmed that some of these flaws are actively abused by hackers, emphasising the need for users to act quickly. 

Apple has responded by releasing security updates to fix these vulnerabilities. It is highly recommended that affected users update to the latest version of iOS or iPadOS on their devices as soon as feasible; this update is critical to defend against these threats. Additionally, users are cautioned against downloading suspicious or unverified apps, as they could act as entry points for malware. It is also important to monitor any unusual device behaviour, as it may be related to a security risk.

As Apple's footprint in India grows, it is more critical than ever that people remain informed and cautious. Regular software upgrades and sensible, cautious usage patterns are critical for guarding against the growing threat of cyber assaults. iPhone and iPad users can improve the security of their devices and sensitive data by taking proactive measures.

WinRAR Bug Circumvents Windows Mark of the Web Security Notifications


A security flaw in the WinRAR file archiver solution might be used to circumvent the Mark of the Web (MotW) security warning and execute arbitrary code on a Windows computer. The vulnerability is known as CVE-2025-31334 and impacts all WinRAR versions except the most recent release, 7.11. 

Mark of the Web is a security mechanism in Windows that uses a metadata value (an alternate data stream called Zone.Identifier) to identify potentially dangerous files downloaded from the internet. When you launch an executable carrying the MotW tag, Windows informs you that it was obtained from the internet and can be risky, and you can choose whether to continue or abort.

Symlink to executable

The CVE-2025-31334 flaw allows an attacker to circumvent the MotW security warning when opening a symbolic link (symlink) to an executable file in any WinRAR version prior to 7.11. Using a specially designed symbolic link, an attacker can execute arbitrary code. It should be noted that on Windows, symlinks can only be generated with administrator privileges. 

The security flaw received a medium severity score of 6.8 and was fixed in the latest version of WinRAR, according to the application's change log: "If symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored" (WinRAR).

Shimamine Taihei of Mitsui Bussan Secure Directions reported the vulnerability to the Information Technology Promotion Agency (IPA) in Japan. The responsible disclosure was organised by Japan's Computer Security Incident Response Team with the developer of WinRAR.

Starting with version 7.10, WinRAR allows you to remove information from the MotW alternate data stream (such as the download location and IP address) that could be deemed a privacy issue. Cybercriminals, including state-sponsored ones, have previously used MotW bypasses to deliver malware without triggering the security warning.
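An added example, not WinRAR's or Microsoft's code, of what a Zone.Identifier stream contains, the privacy stripping that WinRAR 7.10 offers, and the symlink case from the change log: the streams and links are constructed dictionaries so it runs off Windows; on NTFS the stream itself is read through `open(path + ':Zone.Identifier')`.

```python
# Constructed Zone.Identifier streams and symlinks for an offline run; on Windows
# the stream is read with open(path + ":Zone.Identifier").
ZONE_INTERNET = 3  # URLZONE_INTERNET; 4 is Restricted, lower zones raise no warning


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] block into {key: value}."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(text: str) -> int:
    """ZoneId of a stream; 0 (local machine) when absent or malformed."""
    value = parse_zone_identifier(text).get("ZoneId", "")
    return int(value) if value.isdigit() else 0


def strip_privacy_fields(text: str) -> str:
    """Keep the ZoneId but drop ReferrerUrl/HostUrl, which record where the file
    was downloaded from; this mirrors the WinRAR 7.10 option described above."""
    return "[ZoneTransfer]\r\nZoneId=%d\r\n" % zone_id(text)


def resolve_link(path: str, links: dict) -> str:
    """Follow symlinks (links maps link -> target) to the final file."""
    seen = set()
    while path in links:
        if path in seen:
            raise ValueError("symlink loop at %s" % path)
        seen.add(path)
        path = links[path]
    return path


def naive_check(path: str, streams: dict) -> bool:
    """The flawed variant: consults only the stream on the path that was clicked."""
    return zone_id(streams.get(path, "")) >= ZONE_INTERNET


def must_warn_before_launch(path: str, streams: dict, links: dict) -> bool:
    """The check a launcher needs: resolve the link first, then read the target's
    stream. Consulting only the link's own (usually absent) stream is what lets a
    symlink sidestep the warning, as in the WinRAR change log entry above."""
    target = resolve_link(path, links)
    return zone_id(streams.get(target, "")) >= ZONE_INTERNET


# Constructed sample: a downloaded executable carrying MotW and a local symlink to it.
STREAMS = {
    r"C:\Users\me\Downloads\tool.exe":
        "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"
        "HostUrl=https://example.invalid/tool.exe\r\n",
}
LINKS = {r"C:\Users\me\Desktop\tool.exe": r"C:\Users\me\Downloads\tool.exe"}

if __name__ == "__main__":
    link = r"C:\Users\me\Desktop\tool.exe"
    print(naive_check(link, STREAMS), must_warn_before_launch(link, STREAMS, LINKS))
    print(strip_privacy_fields(STREAMS[r"C:\Users\me\Downloads\tool.exe"]))
```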

Recently, Russian attackers exploited a vulnerability in the 7-Zip archiver that did not propagate the MotW when double archiving (archiving one file within another) to launch the Smokeloader malware dropper.

Serious Security Flaw in Exim Email Servers Could Let Hackers Steal Data


A dangerous security flaw has been discovered in Exim, a widely used email server software. The vulnerability, officially tracked as CVE-2025-26794, allows hackers to inject harmful commands into the system, potentially leading to data theft or even complete control over the email server. This issue affects Exim version 4.98 when used with a specific database system called SQLite. Experts warn that this is one of the biggest email security threats of 2025.  


How This Vulnerability Works

The problem occurs because of the way Exim handles database queries under certain settings. It mainly affects systems that:  

1. Use SQLite for storing email-related data – This happens when Exim is set up with a special feature called `USE_SQLITE`.  

2. Enable the ETRN command – This is an SMTP command that lets a remote host ask the server to deliver the mail queued for it, and it can be misused if not properly restricted.  

3. Have weak protections against command execution – Some default settings make it easier for attackers to sneak in harmful database commands.  

If all these conditions are met, a hacker can send specially designed emails to the server, tricking it into running unauthorized commands. This could allow them to access sensitive information, modify system settings, or even take control of the entire email system.  


How Attackers Can Use This Flaw

For this security risk to be exploited, three things need to be true:  

1. The system must be running Exim 4.98 with SQLite enabled.  

2. The ETRN command must be set to "accept" instead of the safer "deny" mode.  

3. A specific security setting, `smtp_etrn_serialize`, must be left at its default value, which can create a loophole for hackers.  

Even though Exim’s default settings provide some level of security, many organizations adjust them to work with older systems, unknowingly making their servers more vulnerable.  


Steps to Stay Safe

To protect email systems from this issue, cybersecurity experts recommend taking the following steps immediately:  

1. Check which version of Exim is installed using the command `exim -bV`.  

2. Disable SQLite integration if it’s not necessary.  

3. Modify ETRN settings to prevent unauthorized use.  

4. Update to the latest Exim version (4.98.1), which includes a fix for this problem.  

For organizations that must continue using SQLite, additional security measures should be in place, such as filtering out risky commands and monitoring unusual activity in the database.  
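An added audit helper (not Exim project code) that turns the three conditions into checks over the text printed by `exim -bV`, `exim -bP acl_smtp_etrn` and `exim -bP smtp_etrn_serialize`; the sample outputs are constructed, and `assess_local_host` runs the real commands where exim is installed.

```python
import re
import subprocess


def exim_version(bv_output: str):
    """The first line of `exim -bV` reads 'Exim version 4.98 #2 built ...'."""
    m = re.search(r"^Exim version (\S+)", bv_output, re.MULTILINE)
    return m.group(1) if m else None


def version_affected(version) -> bool:
    """The advisory scopes the bug to 4.98; 4.98.1 is the fixed release."""
    return version == "4.98"


def built_with_sqlite(bv_output: str) -> bool:
    """Conservative: flag any mention of sqlite in the build summary. This also
    fires when only the sqlite lookup is compiled in, which errs towards review."""
    return "sqlite" in bv_output.lower()


def etrn_acl_defined(bp_output: str) -> bool:
    """`exim -bP acl_smtp_etrn` prints 'acl_smtp_etrn = <value>'. Exim rejects ETRN
    outright when no ACL is set, so a non-empty value means ETRN can be accepted."""
    m = re.search(r"^acl_smtp_etrn\s*=\s*(.*)$", bp_output, re.MULTILINE)
    return bool(m and m.group(1).strip())


def etrn_serialize_default(bp_output: str) -> bool:
    """`exim -bP` prints a true boolean as the bare option name and a false one
    prefixed with 'no_'; the default for smtp_etrn_serialize is true."""
    return re.search(r"^smtp_etrn_serialize\s*$", bp_output, re.MULTILINE) is not None


def assess(bv_output: str, acl_output: str, serialize_output: str) -> dict:
    """Combine the three conditions; 'exposed' is True only when all of them hold."""
    findings = {
        "version": exim_version(bv_output),
        "version_affected": version_affected(exim_version(bv_output)),
        "sqlite": built_with_sqlite(bv_output),
        "etrn_acl_defined": etrn_acl_defined(acl_output),
        "etrn_serialize_default": etrn_serialize_default(serialize_output),
    }
    findings["exposed"] = all(findings[k] for k in (
        "version_affected", "sqlite", "etrn_acl_defined", "etrn_serialize_default"))
    return findings


def assess_local_host() -> dict:
    """Run the three commands on this machine (needs `exim` in PATH)."""
    def run(*args):
        return subprocess.run(["exim", *args], capture_output=True,
                              text=True, check=True).stdout
    return assess(run("-bV"), run("-bP", "acl_smtp_etrn"),
                  run("-bP", "smtp_etrn_serialize"))


# Constructed sample outputs (not captured from a real host).
SAMPLE_BV_VULN = (
    "Exim version 4.98 #2 built 17-Jul-2024 10:00:00\n"
    "Copyright (c) University of Cambridge, 1995 - 2018\n"
    "Support for: crypteq iconv() IPv6 DKIM\n"
    "Lookups (built-in): lsearch wildlsearch dbm dbmjz dbmnz sqlite\n"
)
SAMPLE_BV_FIXED = "Exim version 4.98.1 #1 built 12-Feb-2025 09:00:00\n"
SAMPLE_ACL_OPEN = "acl_smtp_etrn = acl_check_etrn\n"
SAMPLE_ACL_UNSET = "acl_smtp_etrn = \n"
SAMPLE_SERIALIZE_DEFAULT = "smtp_etrn_serialize\n"
SAMPLE_SERIALIZE_OFF = "no_smtp_etrn_serialize\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BV_VULN, SAMPLE_ACL_OPEN, SAMPLE_SERIALIZE_DEFAULT))
```

Any host where `exposed` comes back True should go straight to step 4 above; the other findings show which of the interim mitigations (dropping SQLite, restricting ETRN) would already close the gap.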


How Exim Developers Responded

The Exim development team acted quickly by releasing a patched version within 72 hours after confirming the issue. The flaw was originally reported by cybersecurity researcher Oscar Bataille, who followed responsible disclosure guidelines. This allowed Exim’s developers to fix the problem before it became public, reducing the chances of widespread attacks.  


Why This Matters

Exim is used by over 60% of email servers on the internet, meaning this flaw could have affected millions of systems worldwide. This incident is a reminder that even well-established software can have hidden weaknesses, especially when newer features interact with older components.  

To stay safe, organizations must regularly update their email software, follow security best practices, and stay informed about new threats. The faster vulnerabilities like this are addressed, the lower the risk of cyberattacks.

Subaru Starlink Security Flaw Exposes Risks of Connected Cars


As vehicles become increasingly connected to the internet, cybersecurity threats pose growing risks to drivers. A recent security flaw in Subaru’s Starlink system highlights the potential dangers, allowing hackers to remotely control vehicles and access sensitive data. This incident is part of a broader trend affecting the automotive industry, where weaknesses in connected car systems expose users to financial loss, privacy breaches, and safety concerns. 

Researchers found that with just a license plate number and basic owner details, attackers could exploit Subaru's Starlink system to start or stop the car, lock or unlock doors, and track real-time locations. More alarmingly, hackers could extract personally identifiable information (PII), including billing details, emergency contacts, and historical location data accurate to within five meters. The vulnerability stemmed from weak security in the Starlink admin portal, including an insecure password reset API and insufficient protection against two-factor authentication (2FA) bypass.

Subaru quickly patched the issue within 24 hours of its discovery, but the incident underscores the risks associated with connected vehicles. This is not an isolated case. Other automakers have faced similar security lapses, such as a flaw in Kia’s dealer portal that allowed hackers to track and steal vehicles. Common security issues in connected car systems include weak authentication, improper encryption, centralized storage of sensitive data, and vulnerabilities in third-party integrations. Delayed responses from automakers further exacerbate these risks, leaving vehicles exposed for extended periods. 

Beyond direct system hacks, connected cars face a range of cybersecurity threats. Attackers could remotely hijack vehicle controls, steal onboard financial and personal data, or even deploy ransomware to disable vehicles. GPS spoofing could mislead drivers or facilitate vehicle theft, while compromised infotainment systems may leak personal details or spread malware. While automakers must strengthen security measures, consumers can take steps to protect themselves. Regularly updating vehicle firmware and connected apps can help prevent exploits. 

Using multi-factor authentication (MFA) for connected car accounts and avoiding weak passwords add an extra layer of security. Limiting the amount of personal data linked to vehicle systems reduces exposure. Disabling unnecessary connectivity features, such as remote start or location tracking, also minimizes risk. Additional precautions include avoiding public Wi-Fi for accessing connected car systems, using a virtual private network (VPN) when necessary, and carefully vetting third-party apps before granting permissions. Traditional security tools like steering wheel locks and GPS trackers remain valuable backup measures against cyber threats. 

As connected cars become more common, cybersecurity will play a crucial role in vehicle safety. Automakers must prioritize security by implementing robust encryption, strong authentication, and rapid vulnerability response. At the same time, consumers should stay informed and take proactive steps to safeguard their vehicles and personal data from evolving digital threats.

Public Holidays And Weekends Make Companies More Vulnerable to Cyberattacks


Cyberattacks Surge During Holidays and Weekends: Semperis Report

Companies are particularly susceptible to cyberattacks during public holidays and weekends due to reduced security manpower. A recent report on ransomware assaults, published by Semperis, a provider of identity-based cyber resilience, confirms this vulnerability.

The study revealed that an average of 86% of organizations assessed across the United States, United Kingdom, France, and Germany were targeted during public holidays or weekends. The findings also indicate that 75% of businesses reduced their security workforce by up to 50% during these periods, leaving critical systems exposed.

Targeted Attacks During Key Business Events

Half of the respondents who experienced cyberattacks reported being targeted during major business events such as mergers or acquisitions. For instance, after UnitedHealth acquired Change Healthcare, cybercriminals exploited a security flaw in remote access systems to breach the company’s infrastructure.

The report highlighted that 90% of ransomware attacks compromised a firm’s identity service, such as Microsoft Active Directory (AD) or Entra ID, as these are widely used and vulnerable. Additionally:

  • 35% of businesses reported insufficient funds to safeguard against cyberattacks.
  • 61% of organizations lacked adequate backup solutions for their identity services.

While 81% of respondents stated they possess the knowledge to defend against identity-related threats, 83% admitted to experiencing a successful ransomware assault within the past year. This disconnect underscores the need for better implementation of security measures.

The US Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly emphasized the need for vigilance during weekends and public holidays. Notably, the ransomware group Clop exploited a long weekend to take advantage of a vulnerability in the MOVEit data exchange software. This attack affected over 130 companies in Germany, leading to significant data breaches and blackmail attempts.

Solutions to Mitigate Risks

To address these vulnerabilities, enterprises must take the following measures:

  • Protect against critical flaws, such as those in Active Directory (AD) and other identity services.
  • Ensure security operations centers (SOCs) are adequately staffed during off-hours.
  • Integrate cybersecurity into the broader business resiliency strategy, alongside safety, financial, and reputational risk management.

Prioritizing security as an essential component of business resilience can make the difference between surviving and thriving in the face of catastrophic cyber incidents.

TPM-Equipped Devices Trigger Warnings Due to a Windows BitLocker Flaw


Microsoft is examining a flaw that activates security alerts on systems equipped with a Trusted Platform Module (TPM) processor after enabling BitLocker. 

BitLocker is a Windows security feature that encrypts storage disks to guard against data leakage or theft. Redmond states that, when combined with a TPM, it "provides maximum protection" and helps "to ensure that a device hasn't been tampered with while the system is offline."

TPMs are specialised security processors that offer hardware-based security features and serve as reliable hardware parts for storing private data, including encryption keys and other security credentials.

The company stated in a notice issued last week that unmanaged devices, or BYOD (bring your own device), are also impacted by this known issue. These are typically privately owned devices used in business settings that can be secured or onboarded using methods provided by each firm's IT or security department.

Users of vulnerable Windows 10 and 11 PCs will notice a "For your security, some settings are managed by your administrator" alert "in the BitLocker control panel and other places in Windows.” 

The tech giant noted that it is currently working on a fix and will provide further details regarding the flaw when it has more information. In April 2024, Microsoft resolved another issue that produced erroneous BitLocker drive encryption errors in select managed Windows environments; in October 2023, the company had classified that one as a reporting issue with no impact on drive encryption.

Microsoft revealed in June 2021 that TPM 2.0 is required for installing or upgrading to Windows 11, claiming that it will make PCs more resistant to manipulation and sophisticated cyberattacks. However, this has not prevented Windows users from developing a variety of tools, programs, and strategies to circumvent it. 

More than three years later, in December 2024, Redmond emphasised that TPM 2.0 compliance is a "non-negotiable" condition, as consumers will be unable to upgrade to Windows 11 without it. According to Statcounter Global data, more than 62% of all Windows computers globally are still using Windows 10, with less than 34% on Windows 11 three years after its October 2021 launch.