Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-17 09:20:52 | thehackernews | MALWARE | Critical Erlang/OTP SSH Flaw Enables Unauthenticated Code Execution | A critical security flaw was identified in Erlang/Open Telecom Platform (OTP) SSH, allowing unauthenticated arbitrary code execution. Designated CVE-2025-32433, the vulnerability received the highest severity rating (CVSS 10.0). Attackers can exploit the flaw by sending SSH protocol messages before authentication, leading to arbitrary code execution. If exploited, especially on systems where the daemon runs as root, attackers could fully control the device and manipulate or leak sensitive data. All deployments running the Erlang/OTP SSH server are affected; updating to OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 is advised. Until then, temporary protection can be achieved by restricting access to vulnerable SSH servers through firewall rules. The flaw is especially critical for high-availability systems and devices built on Erlang, such as those manufactured by Cisco and Ericsson. Close attention and prompt action, including upgrades or access restrictions, are necessary to mitigate the risk associated with this vulnerability. |
| 2025-04-17 09:03:18 | thehackernews | MALWARE | Crypto Users Targeted by Node.js Malware in Fake Installers Scam | Microsoft has identified a malvertising campaign that uses Node.js to install malware via fake cryptocurrency trading software installers. The malware, delivered through a rogue installer, uses a dynamic-link library to gather system information and ensures persistence on the infected device by setting up scheduled tasks. The malicious code evades detection by adding exclusions in Microsoft Defender and initiates data theft by downloading additional payloads. Attackers mimic legitimate cryptocurrency trading platforms, such as Binance and TradingView, to trick users into executing the malware. In one infection method, inline JavaScript is executed directly through a downloaded malicious Node.js binary, seeking out high-value network targets and disguising C2 (command and control) traffic. The malware harvests detailed system, hardware, and application data and sends it back to the attackers in JSON format. Microsoft remarked on the ease with which Node.js allows malicious scripts to blend with legitimate applications, complicating detection and improving persistence for attackers. Secondary attacks include phishing campaigns and social engineering tactics that deploy other types of malware aimed at stealing sensitive data and carrying out unauthorized financial transactions. |
| 2025-04-17 08:55:52 | bleepingcomputer | CYBERCRIME | SonicWall VPN Vulnerability Actively Exploited, CISA Warns | CISA has issued an alert about active exploitation of a high-severity SonicWall VPN flaw, CVE-2021-20035, with a patching mandate for federal agencies. The vulnerability allows remote attackers with low privileges to execute arbitrary code on SMA 100 series appliances. Originally discovered and patched in September 2021, the flaw was initially thought to enable only DoS attacks but has since been found to allow code execution. SonicWall recently updated its security advisory, raising the CVSS score to 7.2 because of its exploitation in targeted attacks. U.S. Federal Civilian Executive Branch (FCEB) agencies are mandated to patch their systems by May 7th, per Binding Operational Directive 22-01. Although the directive applies only to federal agencies, all network defenders are urged to prioritize fixing this flaw to avoid potential breaches. This alert follows recent warnings from SonicWall about other actively exploited vulnerabilities in its firewall products, underscoring ongoing security challenges. |
| 2025-04-17 05:49:32 | thehackernews | CYBERCRIME | CISA Identifies Exploited Vulnerability in SonicWall SMA Devices | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in the SonicWall SMA 100 Series to its KEV catalog due to active exploitation. The vulnerability, tracked as CVE-2021-20035 with a CVSS score of 7.2, is an operating system command injection that can lead to unauthorized code execution. Affected devices include the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v across platforms such as ESX, KVM, AWS, and Azure. SonicWall issued an advisory in September 2021 describing the vulnerability as allowing remote authenticated attacks through improper neutralization in the SMA100 management interface. The flaw permits attackers to execute arbitrary commands as the 'nobody' user, increasing the potential for targeted code execution attacks. Details of the active exploitation remain undisclosed, but the threat is considered significant enough to warrant a required update by Federal Civilian Executive Branch agencies by May 7, 2025. |
| 2025-04-17 03:40:23 | thehackernews | CYBERCRIME | Apple Addresses iOS Flaws Exploited in Sophisticated Attacks | Apple has released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to patch two actively exploited vulnerabilities. The vulnerabilities, identified as CVE-2025-31200 and CVE-2025-31201, were fixed by improving bounds checking and removing vulnerable code sections, respectively. These flaws were exploited in highly sophisticated attacks targeting specific individuals, demonstrating advanced exploitation techniques. Google's Threat Analysis Group (TAG) reported one of the vulnerabilities. Users of affected Apple devices are urged to update their systems immediately to protect against these risks. This incident marks the fifth instance of zero-day vulnerabilities in Apple's software being actively exploited since the beginning of the year. Persistent threats emphasize the ongoing need for vigilance and regular updates to safeguard user data and privacy. |
| 2025-04-17 02:50:51 | theregister | NATION STATE ACTIVITY | Whistleblower Exposes Unauthorized Data Handling at US Labor Agency | Dan Berulis, a whistleblower at the US National Labor Relations Board (NLRB), reported questionable practices by the DOGE IT department at the agency. Berulis reported that DOGE staffers were improperly granted superuser access, allowing them to read, copy, and alter agency data. He observed gigabytes of data being exfiltrated and security controls being disabled, including changes to multi-factor authentication. A significant finding was login attempts from a Russian IP address to an account set up for a DOGE aide shortly after its creation. US-CERT was engaged to investigate but was subsequently instructed to halt all investigations and reporting on the matter. Following the public disclosure of these activities, Democratic lawmakers have called for investigations into DOGE's actions at the NLRB. The whistleblower's report raises serious concerns about data security and potential manipulation at a critical federal agency. |
| 2025-04-16 21:17:59 | theregister | MISCELLANEOUS | Microsoft's Recent Updates Cause Windows 11 Crashes | Microsoft's latest updates for Windows 11 24H2 have triggered blue screen crashes after installation and reboot. The problematic updates are the April cumulative update KB5055523 and the March preview update KB5053656, both causing severe operational disruptions. Users have experienced a specific blue screen error, code 0x18B, which signifies a SECURE_KERNEL_ERROR. No comprehensive fix has been provided yet; Microsoft has implemented a temporary workaround through a Known Issue Rollback (KIR). The KIR mechanism, introduced in 2021, allows Microsoft to retract faulty updates silently and automatically on personal and unmanaged devices, generally within 24 hours. IT departments managing affected systems must manually install a Group Policy .msi file to apply the rollback, which requires a system restart to take effect. Microsoft is currently preoccupied with integrating Copilot into its services, possibly deprioritizing the resolution of existing technical issues, including long-standing bugs in OneDrive synchronization. |
| 2025-04-16 21:09:04 | theregister | DATA BREACH | CIA Chief's Phone Wipes Sensitive Signal Chat, Legal Issues Ensue | CIA Director John Ratcliffe's Signal chats regarding a secret military operation were almost entirely deleted from his smartphone. A court order to preserve the chats, in the incident dubbed Signalgate, was issued amid accusations of violating federal record-keeping rules by using auto-deleting messages. The only remnants found on Ratcliffe's phone were the group's name and some member profiles, lacking substantive message content. The chats included highly sensitive information about an imminent military strike in Yemen, which was mistakenly shared with a journalist. American Oversight, a watchdog, claims the Trump administration systematically destroyed evidence, potentially breaching the Federal Records Act. Various government agencies complied with the court's order to preserve these communications faster than the CIA did. The incident raises significant concerns about the transparency, accountability, and security practices of government officials handling classified information. The use of personal accounts and unsecured apps for discussing classified operations points to a disregard for established protocols and security measures. |
| 2025-04-16 20:51:45 | bleepingcomputer | CYBERCRIME | Over 16,000 Fortinet Devices Compromised by Symlink Backdoor | Over 16,000 Fortinet devices were found compromised with a symlink backdoor that enables read-only access to sensitive files. The issue was identified and reported by The Shadowserver Foundation, which noted an increase from 14,000 to 16,620 affected devices. Fortinet had earlier alerted customers about the new persistence mechanism used by attackers to maintain remote access on FortiGate devices despite patches for the original vulnerabilities. Attackers used zero-day vulnerabilities to initially compromise the devices and then planted symbolic links in the language files folder. These links provided ongoing access to the root filesystem of SSL-VPN-enabled devices, even after the vulnerabilities were addressed in new FortiOS versions. Fortinet has informed affected customers via email and released an updated AV/IPS signature to remove the malicious links and prevent similar future exploitation. Customers are advised to reset all credentials and follow the recommended security measures to protect against potential information disclosure resulting from this exposure. |
| 2025-04-16 19:06:48 | theregister | MISCELLANEOUS | Enhancing Cybersecurity Through Adversarial Exposure Validation | Security teams are overwhelmed by the sheer volume of security alerts and vulnerabilities, making it difficult to distinguish serious threats from less significant ones. True resilience in cybersecurity is not about addressing every vulnerability but about focusing on those that are genuinely exploitable and pose real-world risk. Adversarial Exposure Validation offers a structured approach by mimicking real attacker behaviors to identify and prioritize the most significant exposures. This method not only tests vulnerabilities for exploitability but also evaluates the contextual risk they pose, moving beyond simplistic severity scores. Tools such as Breach and Attack Simulation (BAS) and Automated Penetration Testing are critical, as they simulate real-world attack scenarios to discover actionable vulnerabilities. Consistent use of these tools helps organizations transition from periodic vulnerability assessment to continuous, proactive security improvement. Adversarial Exposure Validation is essential for modern security operations, shifting from reactive measures to proactive risk management and aligning defensive strategies more closely with the actual threat landscape. Security practitioners are encouraged to consult resources such as the comparison whitepaper on Breach and Attack Simulation versus Automated Penetration Testing to choose the most suitable tools for their needs. |
| 2025-04-16 18:13:35 | bleepingcomputer | CYBERCRIME | Apple Patches Zero-Days Exploited in Sophisticated iPhone Attacks | Apple released emergency updates for two zero-day vulnerabilities found in various operating systems, including iOS, macOS, and others. The vulnerabilities, identified as CVE-2025-31200 and CVE-2025-31201, were used in highly sophisticated, targeted attacks on specific individuals. CVE-2025-31200 allows remote code execution via a maliciously crafted media file and affects CoreAudio; it was discovered jointly by Apple and Google's Threat Analysis Group. CVE-2025-31201 is a security bypass in RPAC that compromises Pointer Authentication, a feature defending against memory corruption exploits. Apple issued fixes for these vulnerabilities in iOS 18.4.1, iPadOS 18.4.1, and updates for the other affected systems. The flaws affect a broad range of devices, both new and old, underlining the need for all users to update their devices swiftly. This patch marks Apple's continued effort to mitigate zero-day exploits, with five such fixes already released this year. |
| 2025-04-16 17:01:45 | theregister | MISCELLANEOUS | U.S. Government Extends Funding for CVE Program at Last Minute | The U.S. government secured funding for the CVE (Common Vulnerabilities and Exposures) Program just before the existing contract was set to expire. The funding extension prevents any interruption of the CVE services, which are crucial globally for identifying and managing security vulnerabilities in technology products. MITRE, the nonprofit that has been managing the CVE database, disclosed uncertainty about continued federal support, prompting concerns about the program's future. In response, CVE board members announced plans to establish the CVE Foundation to maintain and enhance the program's independence and sustainability without sole reliance on federal funding. The newly formed CVE Foundation aims to address weaknesses in the vulnerability management ecosystem by reinforcing the program's global trust and community-driven approach. Despite the funding extension by CISA, there are ongoing discussions and concerns within the cybersecurity community about the need for a more globally collaborative approach to managing vulnerabilities. The situation has exposed potential risks, such as split standards and reduced confidence in the CVE process, highlighted by reactions from international agencies and vendors. |
| 2025-04-16 16:19:59 | thehackernews | MALWARE | Researchers Reveal Privilege Escalation Flaws in Windows Scheduler | Cybersecurity researchers have identified four vulnerabilities in the Windows Task Scheduler that enable privilege escalation and log deletion. The flaws, found in the binary "schtasks.exe," could allow local attackers to execute privileged commands and malicious payloads without user consent. One major vulnerability involves bypassing User Account Control to perform system-level operations covertly. Attackers could use known passwords, possibly obtained via credential cracking or other exploits, to register tasks that impersonate high-privilege users. The vulnerabilities also allow attackers to manipulate task logs and the Windows Event Log system to erase evidence of their activity. Defense evasion techniques associated with these flaws include overwriting and filling security logs, jeopardizing audit trails. The discovery underscores the importance of securing Task Scheduler and related components against abuse by attackers inside organizations. |
| 2025-04-16 14:47:13 | theregister | DATA BREACH | Law Firm Fined £60K for Failing to Report Data Theft Promptly | DPP Law Ltd incurred a £60,000 fine for failing to promptly report a data breach in which personal client data was stolen and later found on the dark web. The breach occurred in June 2022 and involved a brute-force attack on an underused administrator account without multi-factor authentication in DPP Law's network. The attacker used that access to reach a legacy case management system and extracted 32 GB of sensitive data, including details of identifiable individuals. The UK's Information Commissioner's Office (ICO) noted that DPP Law initially did not consider the incident a data breach and delayed reporting it for 43 days. DPP Law disputes the ICO's findings and is appealing the decision, asserting its compliance with legal and cybersecurity standards through Lexcel and Cyber Essentials certifications. The ICO's investigation pointed out significant security lapses at DPP Law, stressing the importance of robust cybersecurity measures and timely incident reporting. The ICO's enforcement director emphasized that data protection is a legal obligation, warning of substantial fines and reputational damage for non-compliance. |
| 2025-04-16 14:41:45 | bleepingcomputer | MISCELLANEOUS | Atlassian Jira Faces Global Outage Impacting Several Products | Atlassian is currently dealing with an 'active incident' causing degraded performance across multiple Jira products. Affected services include Jira, Jira Service Management, Jira Work Management, and Jira Product Discovery. The issues began around 11:46 UTC today, resulting in errors and difficulty loading the Jira user interface and dashboards. Users globally are experiencing prolonged outages, with specific complaints about dashboard widgets failing to load or render. Atlassian teams are urgently investigating the disruption, although the root cause has not yet been determined. The situation remains ongoing, with updates promised as further information becomes available. |