An extremely easy-to-exploit flaw in Apache Tomcat raises concerns

An RCE vulnerability in Apache Tomcat (CVE-2025-24813) is being exploited in the wild, raising concerns of imminent mass exploitation. The flaw lets an unauthenticated attacker take full control of a server with two ordinary HTTP requests: a partial PUT (a PUT carrying a Content-Range header) that writes a base64-encoded serialized Java object under Tomcat's work directory, followed by a request whose JSESSIONID cookie points at that file, so that Tomcat's file-based session persistence deserializes it. It is considered extremely easy to exploit, and exploitation was observed before a public proof of concept was released. Most WAF rules also appear to miss it, for a combination of reasons: the requests look like legitimate PUTs, the payload is base64 encoded rather than recognisably malicious (it is encoded, not encrypted), and the attack is split across two steps that each look harmless on their own. Note that the chain only works when the default servlet has been configured to allow writes (readonly set to false, which is not the default) and the application stores sessions on disk.

Mitigate it

Upgrade to Apache Tomcat 11.0.3, 10.1.35 or 9.0.99 (or later). Until then, make sure the readonly init-param of the default servlet in conf/web.xml is "true" (its default), which makes Tomcat reject PUT and DELETE, and do not use file-based session persistence (org.apache.catalina.session.PersistentManager with a FileStore) on Internet-facing instances. Note that PersistentManager is a class configured as a Manager element in context.xml, not a boolean to set to false; removing that Manager element is what disables it.
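The two preconditions above (a writable default servlet and file-based session persistence) can be checked mechanically. The script below is an added example for this newsletter, not code from the Apache Tomcat project; it parses Tomcat's own conf/web.xml and context.xml layouts (the DefaultServlet class name and the PersistentManager class name are Tomcat's real identifiers, the sample XML is constructed here, with the weak setting and the corrected one side by side).

```python
"""Audit Tomcat configuration for the preconditions of CVE-2025-24813 (added example)."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"


def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _text(elem) -> str:
    return (elem.text or "").strip()


def default_servlet_readonly(web_xml: str) -> bool:
    """True if the default servlet rejects PUT/DELETE (readonly=true, Tomcat's default)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = ""
        params = {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                servlet_class = _text(child)
            elif _local(child.tag) == "init-param":
                name = value = ""
                for field in child:
                    if _local(field.tag) == "param-name":
                        name = _text(field)
                    elif _local(field.tag) == "param-value":
                        value = _text(field)
                params[name] = value
        if servlet_class == DEFAULT_SERVLET_CLASS:
            # Absent init-param means Tomcat's default, which is readonly=true.
            return params.get("readonly", "true").lower() == "true"
    return True  # no explicit DefaultServlet entry: the built-in one is read-only


def uses_file_session_persistence(context_xml: str) -> bool:
    """True if a PersistentManager is configured, i.e. session files on disk exist to deserialize."""
    root = ET.fromstring(context_xml)
    return any(_local(e.tag) == "Manager" and e.get("className") == PERSISTENT_MANAGER
               for e in root.iter())


def exposure(web_xml: str, context_xml: str) -> str:
    """Summarise how far the CVE-2025-24813 chain can get against this configuration."""
    if default_servlet_readonly(web_xml):
        return "not writable: partial PUT cannot plant a file"
    if uses_file_session_persistence(context_xml):
        return "RCE preconditions present: writable default servlet + file-based sessions"
    return "writable default servlet: arbitrary file write possible, set readonly=true and upgrade"


# Constructed samples: the weak setting (readonly=false) and the corrected one.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
SAFE_CONTEXT_XML = "<Context/>"

if __name__ == "__main__":
    print("weak:    ", exposure(WEAK_WEB_XML, WEAK_CONTEXT_XML))
    print("hardened:", exposure(HARDENED_WEB_XML, SAFE_CONTEXT_XML))
```

Run it against the real files (conf/web.xml, conf/context.xml and any META-INF/context.xml in deployed applications) rather than the constructed samples; a writable default servlet is an arbitrary file write regardless of the session manager, so the upgrade is still required even when the script reports that RCE preconditions are absent.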

Ten months of persistence in a power and water utility

In 2023, the Chinese state actor Volt Typhoon (aka UNC3236) compromised a small power and water utility in Massachusetts and kept its access for over 300 days. The group is known for pre-positioning dormant access in US military and critical infrastructure networks, proxying its traffic through a botnet of compromised SOHO routers, and has previously exploited flaws in Ivanti Connect Secure, Versa Director and Fortinet products.

A new Chinese campaign against telecoms

The Chinese state actor UNC3886 has deployed backdoors on end-of-life Juniper MX routers, compromising at least ten organizations, apparently ISPs and telecommunication companies. The routers were reached through terminal servers, themselves accessed with legitimate credentials. The group also leveraged a vulnerability in the Junos OS kernel (CVE-2025-21590) which allows a local attacker who already holds a privileged shell to compromise the integrity of the device. UNC3886 is a sophisticated cyberespionage group known for its 2023 campaign abusing a VMware Tools authentication bypass on compromised ESXi hosts (CVE-2023-20867).

Mitigate it

Upgrade to a fixed Junos OS release, restrict shell access to trusted users only (the kernel flaw needs an existing privileged shell, so shell access is the chokepoint), and run Juniper's Malware Removal Tool (JMRT) to check affected routers for the backdoors.

A new ransomware leverages Fortinet flaws

SuperBlack (aka Mora_001) has been observed leveraging two Fortinet authentication bypass vulnerabilities (CVE-2024-55591 and CVE-2025-24472) that grant super-admin privileges on FortiOS and FortiProxy. The flaws were chained to create an administrator account, which was then used to create additional accounts as fallback access. SuperBlack, a newly emerged ransomware gang, is apparently a former affiliate of the now defunct LockBit group and deploys a modified LockBit 3.0 malware strain.

Mitigate it

Apply Fortinet's fixes for both CVEs and do not expose the administrative interfaces to the Internet. Block access from the IP addresses 45.55.158[.]47, 87.249.138[.]47, 155.133.4[.]175, 37.19.196[.]65 and 149.22.94[.]37, and review FortiOS event logs for administrator accounts you did not create.
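Blocking the listed addresses does nothing for a device that was already visited, so the useful check is retrospective: logins from the indicator addresses and, more importantly, the account-creation chain described above (an account created by the intruder that then creates more accounts). The script below is an added example written for this newsletter, not from Fortinet or the SuperBlack report; the log lines are constructed to approximate the FortiOS key="value" event format (admin login events and system.admin configuration changes), and the account names in them are sample data.

```python
"""Triage FortiOS-style event logs for the SuperBlack account-creation chain (added example)."""
import re
from collections import defaultdict

# Addresses from the report above, with the defanging brackets removed.
SUPERBLACK_IPS = {"45.55.158.47", "87.249.138.47", "155.133.4.175",
                  "37.19.196.65", "149.22.94.37"}

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key="quoted value" or key=bareword
UI_IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # the address inside ui="https(1.2.3.4)"


def parse_fortios_log(line: str) -> dict:
    """Split a FortiOS log line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def source_ip(fields: dict) -> str:
    """Prefer the client address embedded in the ui field, fall back to srcip."""
    match = UI_IP_RE.search(fields.get("ui", ""))
    return match.group(1) if match else fields.get("srcip", "")


def triage(lines, ioc_ips=SUPERBLACK_IPS) -> list:
    """Return findings: logins from IOC addresses, admin-account creations, and chains where a
    newly created account goes on to create further accounts (the fallback-access pattern)."""
    findings = []
    created_by = defaultdict(list)  # creator account -> accounts it added
    for line in lines:
        f = parse_fortios_log(line)
        ip = source_ip(f)
        if f.get("action") == "login" and f.get("status") == "success" and ip in ioc_ips:
            findings.append(f"IOC login: user={f.get('user')} from {ip}")
        if f.get("cfgpath") == "system.admin" and f.get("msg", "").startswith("Add "):
            created_by[f.get("user")].append(f.get("cfgobj"))
            findings.append(f"admin account created: {f.get('cfgobj')} by {f.get('user')} from {ip}")
    created = {acct for accts in created_by.values() for acct in accts}
    for creator, accts in created_by.items():
        if creator in created:  # the creator was itself added in this log window
            findings.append(f"chained account creation: {creator} (itself newly created) "
                            f"added {', '.join(accts)}")
    return findings


# Constructed sample log lines approximating FortiOS event logs; not real device output.
SAMPLE_LOGS = [
    'date=2025-03-10 time=02:14:07 type="event" subtype="system" logdesc="Admin login successful" '
    'user="admin" ui="https(87.249.138.47)" srcip=87.249.138.47 action="login" status="success" '
    'msg="Administrator admin logged in successfully from https(87.249.138.47)"',
    'date=2025-03-10 time=02:15:31 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="admin" ui="https(87.249.138.47)" action="Add" cfgpath="system.admin" cfgobj="forticloud-tech" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin forticloud-tech"',
    'date=2025-03-10 time=02:20:02 type="event" subtype="system" logdesc="Admin login successful" '
    'user="forticloud-tech" ui="https(155.133.4.175)" srcip=155.133.4.175 action="login" status="success" '
    'msg="Administrator forticloud-tech logged in successfully from https(155.133.4.175)"',
    'date=2025-03-10 time=02:21:45 type="event" subtype="system" logdesc="Object attribute configured" '
    'user="forticloud-tech" ui="https(155.133.4.175)" action="Add" cfgpath="system.admin" cfgobj="adnimistrator" '
    'cfgattr="accprofile[super_admin]" msg="Add system.admin adnimistrator"',
    'date=2025-03-10 time=09:00:00 type="event" subtype="system" logdesc="Admin login successful" '
    'user="netops" ui="https(10.0.0.5)" srcip=10.0.0.5 action="login" status="success" '
    'msg="Administrator netops logged in successfully from https(10.0.0.5)"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

The chain check is the part worth keeping even after the indicator addresses go stale: an administrator account that was created during the window and then creates more administrators is abnormal on almost any firewall, whatever source address it comes from.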

ChatGPT under attack

An unidentified threat actor is targeting an SSRF vulnerability in a widely deployed open-source ChatGPT web front-end (CVE-2024-27564, in its pictureproxy.php script) against government and financial organizations in the US. The flaw, disclosed a year ago, lets an attacker place an arbitrary URL in the script's url parameter and have the server fetch it, so that requests are made from the application's own network position, eventually giving the attacker access to internal resources and data. More than 10,000 exploitation attempts from a single IP address have been observed, and 35% of the targeted organizations are considered to have a misconfigured IPS, firewall or WAF.
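The bug class is worth showing in code, because the fix is not "validate that it is a URL" but "validate where the URL will actually connect". The block below is an added example written for this newsletter, not code from the vulnerable project: fetch_vulnerable is the pattern behind the flaw (a user-supplied URL fetched as-is), check_outbound_url is the hardened form, and the resolver table FAKE_DNS is constructed so the example runs offline (real code uses resolve_all, which calls getaddrinfo).

```python
"""Server-side fetch of a user-supplied URL: the SSRF pattern and a hardened check (added example)."""
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import urlopen

ALLOWED_SCHEMES = {"http", "https"}


def fetch_vulnerable(url: str) -> bytes:
    """The pattern behind the flaw: whatever URL the client sends is fetched by the server,
    so it can be pointed at loopback, RFC 1918 hosts or the cloud metadata service."""
    with urlopen(url) as resp:   # never reachable with untrusted input in the hardened path
        return resp.read()


def is_blocked_address(addr: str) -> bool:
    """Addresses a proxy must never connect to on a user's behalf."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> set:
    """Every A/AAAA answer for a name: a hostname is only as safe as its worst address."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url: str, resolver=resolve_all):
    """Return (ok, reason). Rejects non-http(s) schemes, URLs carrying userinfo, and any host
    whose literal or resolved addresses are private, loopback, link-local (the cloud metadata
    service lives at 169.254.169.254), multicast, reserved or unspecified."""
    try:
        parts = urlparse(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    try:
        ipaddress.ip_address(host)       # literal address: check it directly
        addresses = {host}
    except ValueError:                   # hostname (or an odd literal like 0x7f000001): resolve it
        try:
            addresses = resolver(host)
        except (socket.gaierror, KeyError) as exc:
            return False, f"cannot resolve {host}: {exc}"
    for addr in addresses:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


def fetch_guarded(url: str, resolver=resolve_all) -> bytes:
    """Same fetch, behind the check."""
    ok, reason = check_outbound_url(url, resolver)
    if not ok:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    return fetch_vulnerable(url)


# Constructed resolver table so the example runs offline; the addresses are placeholders.
FAKE_DNS = {
    "images.example.com": {"93.184.216.34"},
    "intranet.corp.example": {"10.20.30.40"},
    "rebind.example": {"93.184.216.34", "127.0.0.1"},   # one public answer, one loopback
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://images.example.com/a.png", "http://169.254.169.254/latest/meta-data/",
                      "http://[::1]/", "http://rebind.example/", "file:///etc/passwd"):
        print(candidate, "->", check_outbound_url(candidate, fake_resolver))
```

Two caveats a practitioner should keep in mind. First, hostnames with a mix of public and private answers (rebind.example above) are rejected outright rather than "tried on the public one". Second, validate-then-fetch still leaves a DNS rebinding window between the check and the connection; the robust version connects to the validated address itself (with the original hostname in the Host/SNI fields) instead of letting the HTTP client resolve the name a second time.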

A Windows zero-day used since 2017 by 11 APTs

A Windows vulnerability that has not yet been assigned a CVE ID (Trend Micro's ZDI tracks it as ZDI-CAN-25373) appears to have been exploited since 2017 by no fewer than 11 state-sponsored groups from China, Russia, Iran and North Korea. The issue is that the command-line arguments stored in a Windows shortcut file (.LNK) can be padded with whitespace characters so that the Windows UI does not display them; when a user opens such a shortcut, the hidden arguments are executed, leading to arbitrary command execution. More than 1,000 malicious .LNK samples have been recovered, and victims in sectors such as government, finance, telecommunications and defense have been identified. In response, Microsoft stated that it has "detections in place to detect and block this threat activity", that Smart App Control blocks malicious files from the Internet, and that the issue does not meet its bar for immediate servicing, so no fix is expected in the near term.

Mitigate it

Trend Micro tracks the issue as ZDI-CAN-25373 and ships detections for it; scan for those detections, treat .LNK files that arrive by email or are downloaded from the Internet as executable content, and inspect the argument field of suspicious shortcuts for whitespace padding rather than trusting what the Properties dialog shows.
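Because the trick is purely a UI issue, the hidden arguments are fully visible to anything that parses the file format. The block below is an added example for this newsletter, not code from Trend Micro or from the campaign: it builds a minimal shell link with the MS-SHLLINK header and StringData layout (the constants are the documented LinkFlags), parses the arguments back out, and flags whitespace padding. The malicious sample is constructed, and the padding threshold in padded_arguments is an assumption made for the example, not a value from the report.

```python
"""Parse Windows shortcut (.LNK) StringData and flag whitespace-padded arguments (added example)."""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK), listed in the order their structures appear in the file.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Characters the argument field can be padded with so the shortcut's Properties dialog shows nothing.
PADDING_CHARS = " \t\r\n\x0b\x0c"


def _pack_string(text: str, unicode: bool) -> bytes:
    """StringData entry: CountCharacters (2 bytes) followed by the characters, no terminator."""
    data = text.encode("utf-16-le") if unicode else text.encode("cp1252")
    return struct.pack("<H", len(text)) + data


def build_lnk(relative_path: str, arguments: str, unicode: bool = True) -> bytes:
    """Build a minimal shortcut (header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS) as test input."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII",
                         LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20,            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,         # CreationTime, AccessTime, WriteTime
                         0, 0,            # FileSize, IconIndex
                         1,               # ShowCommand: SW_SHOWNORMAL
                         0, 0, 0, 0)      # HotKey, Reserved1, Reserved2, Reserved3
    return header + _pack_string(relative_path, unicode) + _pack_string(arguments, unicode)


def parse_lnk_strings(data: bytes) -> dict:
    """Walk a shell link and return its StringData fields, skipping IDList/LinkInfo if present."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]       # LinkInfoSize covers the whole block
    unicode = bool(flags & IS_UNICODE)
    strings = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        off += nbytes
        strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return strings


def padded_arguments(arguments: str, threshold: int = 16):
    """Return (suspicious, visible_arguments). Suspicious when the arguments open with a long run
    of padding characters, or contain line/page-break characters that never belong on a command
    line. The threshold is an assumption for this example."""
    visible = arguments.lstrip(PADDING_CHARS)
    pad_len = len(arguments) - len(visible)
    has_control = any(c in arguments for c in "\r\n\x0b\x0c")
    return pad_len >= threshold or has_control, visible


def scan_lnk(data: bytes) -> dict:
    """Verdict for one shortcut: its target and, if padded, the arguments the UI would hide."""
    strings = parse_lnk_strings(data)
    suspicious, visible = padded_arguments(strings.get("arguments", ""))
    return {"target": strings.get("relative_path", ""), "suspicious": suspicious,
            "hidden_arguments": visible if suspicious else ""}


# Constructed samples: a shortcut padded the way the campaign's samples were, and a benign one.
MALICIOUS_LNK = build_lnk("..\\..\\Windows\\System32\\cmd.exe", " " * 300 + "/c start calc.exe")
BENIGN_LNK = build_lnk("..\\Documents\\notes.txt", "/o")

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, scan_lnk(blob))
```

Real samples usually carry a LinkTargetIDList and LinkInfo before the strings; the parser skips both using their own size fields, so it applies to files from the wild as well as to the constructed ones.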

A GitHub Action flaw used in supply chain attacks

A vulnerability in the widely used GitHub Action tj-actions/changed-files (CVE-2025-30066) has been exploited in a supply chain attack. The action's version tags were retroactively repointed to a malicious commit that dumped the CI runner's memory into the workflow log, exposing secrets such as AWS access keys and GitHub Personal Access Tokens (PATs) in clear text, including in the logs of public repositories.
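The lesson of the incident is that a version tag is a mutable pointer: the recommended mitigation is to pin third-party actions to a full commit SHA, and to rotate any secret that appeared in a workflow log during the affected window. The script below is an added example for this newsletter (not from GitHub or the tj-actions project) that lists every uses: reference in a workflow file which is not SHA-pinned; the sample workflow and the 40-character SHA in it are constructed.

```python
"""Find GitHub Actions references that are not pinned to a full commit SHA (added example)."""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")


def parse_uses(workflow_text: str):
    """Yield (line_number, reference) for every `uses:` step or reusable-workflow call."""
    for number, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            yield number, match.group(1)


def classify(ref: str) -> str:
    """'local' and 'docker' refs are out of scope; 'sha' is immutable; 'tag', 'branch' and
    'unpinned' can all be moved by whoever controls the upstream repository."""
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "unpinned"
    _, version = ref.rsplit("@", 1)
    if SHA_RE.match(version):
        return "sha"
    if re.match(r"^v?\d", version):
        return "tag"
    return "branch"


def unpinned_actions(workflow_text: str) -> list:
    """References whose target can change under you, with the line they appear on."""
    return [(number, ref, classify(ref))
            for number, ref in parse_uses(workflow_text)
            if classify(ref) in ("tag", "branch", "unpinned")]


# Constructed workflow; the SHA is a placeholder, not a real actions/setup-node commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832ee0b
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for number, ref, kind in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {number}: {ref} ({kind}) -> pin to a full commit SHA")
```

Pinning is only half the control: the SHA must be one you have reviewed, and renovate-style tooling should update it with a comment carrying the human-readable version so reviewers can still tell what changed.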

Medusa's vulnerability kit

CISA warned that, alongside phishing, Medusa has exploited vulnerabilities for initial access, including the widely targeted Fortinet FortiClient EMS SQL injection (CVE-2023-48788) and ConnectWise ScreenConnect authentication bypass (CVE-2024-1709). Medusa is a notorious ransomware-as-a-service operation with more than 400 victims, known for its centralized structure: the core developers retain control over ransom negotiations even when affiliates carry out the intrusions.

Mitigate it
