Daily Brief
Total articles found: 11826
| Time | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-09 10:32:54 | thehackernews | DATA BREACH | Non-Human Identities Dramatically Increase Security Risks in Software | GitGuardian's 2025 report reveals a 25% increase in exposed secrets on GitHub, totaling 23.77 million in 2024. Non-human identities, such as service accounts and AI agents, now outnumber human identities 45-to-1 in DevOps, increasing vulnerability. Seventy percent of secrets detected in 2022 are still active, indicating a failure in credential management and rotation. Private repositories, previously thought safer, contain significantly more exposed secrets than public ones. AI tools like GitHub Copilot are exacerbating the problem by promoting faster coding at the expense of security. Over 100,000 valid secrets from Fortune 500 companies were found exposed in public Docker images on Docker Hub. Collaboration tools such as Slack and Jira are emerging as key vectors for critical credential leaks, often lacking adequate security measures. Despite the adoption of secret management tools, a 5.1% leakage rate suggests that a holistic approach to secret lifecycle management is urgently needed. |
| 2025-04-09 09:15:35 | thehackernews | CYBERCRIME | Critical Remote Code Execution Vulnerability in CentreStack Patched | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant security flaw in Gladinet CentreStack to its Known Exploited Vulnerabilities catalog. The identified vulnerability has a CVSS score of 9.0 and relates to a hard-coded cryptographic key that may allow remote code execution. Specifically, the vulnerability, designated as CVE-2025-30406, involves the incorrect management of a "machineKey" used in the IIS web.config file, which can be exploited to forge ViewState payloads for server-side deserialization. Active exploitation of this flaw has been observed in the wild, with the initial exploit occurring as a zero-day in March 2025. Gladinet has issued an advisory and released a fix in CentreStack version 16.4.10315.56368 on April 3, 2025. They have recommended immediate patching or, alternatively, rotating the machineKey value as a temporary measure. Details regarding the attackers' identities, their methods of exploitation, and the specific targets remain undisclosed. |
| 2025-04-09 08:13:16 | thehackernews | MALWARE | PipeMagic Trojan Targets Global Sectors with Ransomware via Zero-Day | Microsoft patched a zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, which was exploited to deploy ransomware. The exploitation targeted diverse sectors across multiple countries, including IT and real estate in the US, finance in Venezuela, a software company in Spain, and retail in Saudi Arabia. The malware, named PipeMagic, is a trojan that uses a malicious MSBuild file with an encrypted payload, enabling SYSTEM privileges upon successful execution. Threat actors utilized the certutil utility to download PipeMagic from a compromised legitimate third-party site, although the initial access vector remains unknown. This is the second instance of a Windows zero-day vulnerability associated with PipeMagic, following another similar exploit patched by Microsoft previously. The attack process includes overpowering system processes, extracting user credentials, and encrypting files, leaving behind a ransom note linked to the RansomEXX family. Microsoft continues to monitor and analyze these attacks but was unable to retrieve a sample of the ransomware for further analysis. |
| 2025-04-09 07:11:54 | thehackernews | MALWARE | Microsoft Addresses 126 Vulnerabilities, EoP Exploit Detected | Microsoft has released patches for 126 vulnerabilities, with one actively exploited EoP flaw in the Windows CLFS Driver. The actively exploited vulnerability, identified as CVE-2025-29824, allows attackers to escalate privileges without needing administrative access. Of the total vulnerabilities, 11 are deemed Critical, 112 Important, and two Low; the vulnerabilities include remote code execution and DoS bugs. CVE-2025-29824 has been tied to ransomware attacks and has been listed in the U.S. CISA's Known Exploited Vulnerabilities catalog. Some vulnerabilities, including critical remote execution flaws in Microsoft Office and Windows services, require urgent patching. Microsoft has yet to release patches for several critical vulnerabilities for Windows 10. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to apply necessary fixes by April 29, 2025. Other security updates from different vendors have also been released to address various vulnerabilities recently. |
| 2025-04-09 03:19:41 | thehackernews | MALWARE | Adobe Releases Updates for Critical Security Vulnerabilities | Adobe has issued updates to address 30 security vulnerabilities across a range of its products, including ColdFusion. Among the addressed issues, 11 critical vulnerabilities in ColdFusion could allow arbitrary file reads and code execution. The critical flaws impact multiple versions of ColdFusion (2025, 2023, and 2021). Updates also target vulnerabilities in other Adobe products like After Effects, Media Encoder, Bridge, Premiere Pro, Photoshop, Animate, and FrameMaker. Flaws addressed include out-of-bounds write and heap-based buffer overflow bugs that could also lead to arbitrary code execution. Adobe has confirmed that there are no known exploits in the wild for these vulnerabilities as of their report. Users are strongly urged to update their software to the latest versions to protect against these vulnerabilities and enhance security integrity. |
| 2025-04-09 02:39:54 | theregister | CYBERCRIME | Pharmacist Accused of Spying on Colleagues Through Malware | A former University of Maryland Medical Center (UMMC) pharmacist, Matthew Bathula, allegedly compromised hospital IT systems to spy on female colleagues using webcams. Bathula is accused of installing spyware on over 400 computers across various UMMC locations, enabling him to view private activities such as breastfeeding and sexual intercourse in home settings. The cyber-voyeurism extended to accessing personal cloud-stored photos and identification documents, enabled by keylogging software to capture login credentials. UMMC faces a lawsuit for negligence in failing to detect and prevent Bathula's activities, which reportedly continued for nearly a decade. An IT department employee had flagged potential security breaches as early as 2024, but no definitive action was taken until a major incident was acknowledged publicly in October 2024. Post-discovery, UMMC placed Bathula on administrative leave, terminated his employment, and has taken steps to improve data security and compliance with health information protection laws. The FBI is involved in an ongoing criminal investigation, highlighting the severity of the privacy violations and data theft. |
| 2025-04-08 23:51:58 | theregister | MALWARE | Windows 10 Users Unprotected from Ransomware Due to OS Bug | Microsoft's recent Patch Tuesday addressed over 120 flaws but did not fix a critical Windows 10 bug allowing ransomware attacks. The specific vulnerability, CVE-2025-29824, actively exploited by the Storm-2460 group, affects Windows 10 and elevates user privileges via the Common Log File System Driver. Victims have been reported in the US, Spain, Venezuela, and Saudi Arabia, with the vulnerability being used to deploy PipeMagic ransomware. Microsoft has patched this issue for Windows Server and Windows 11 but has yet to release a fix for Windows 10, with updates promised "as soon as possible." Critical flaws fixed in this update include those that enable remote code execution, impacting Microsoft Office, Excel, LDAP, and Remote Desktop. Adobe and AMD also released updates fixing several critical vulnerabilities in their products, underscoring a broad concern over software security this month. Stakeholders running Windows 10 are advised to anticipate the patch and implement additional security measures in the interim. |
| 2025-04-08 20:59:22 | bleepingcomputer | MALWARE | Malware Disguised as Microsoft Office Tools Infects Thousands | Threat actors used SourceForge to distribute malicious Microsoft Office add-ins, impacting over 4,604 systems, predominantly in Russia. The fake "officepackage" project mimicked a legitimate Microsoft project available on GitHub but distributed malware instead. Victims who downloaded the fake add-ins received a malware-laden ZIP file that bypassed antivirus detection by inflating the file size. The malware established system persistence, performed environment checks, and downloaded additional harmful scripts. The attack utilized a cryptocurrency miner and a clipboard hijacker to steal cryptocurrency. This campaign highlights the risks of downloading software from non-official sources and the importance of verifying download channels and scanning files with antivirus software. Users are advised to download software only from trusted and verifiable sources to avoid similar security threats. |
| 2025-04-08 19:10:44 | bleepingcomputer | MALWARE | RansomEXX Exploits New Windows Zero-Day Across Multiple Sectors | Microsoft identified a high-severity zero-day vulnerability, CVE-2025-29824, in the Windows Common Log File System, exploited by the RansomEXX ransomware gang. The exploit allows attackers with low-privilege access to escalate to SYSTEM privileges through a use-after-free weakness, without needing user interaction. Patch updates have been issued, but patches for specific Windows 10 versions are delayed. Users of Windows 11 version 24H2 remain unaffected. Targets of these attacks include sectors such as IT and real estate in the U.S., financial services in Venezuela, a Spanish software firm, and retail in Saudi Arabia. The ransomware deploys via the PipeMagic backdoor, which also enables further exploits and lateral movement within affected networks. Microsoft urges all users to apply the security updates immediately to protect against these targeted ransomware attacks. Past exploits by the RansomEXX group have affected notable organizations including GIGABYTE, Konica Minolta, and several governmental bodies. |
| 2025-04-08 18:34:00 | theregister | MALWARE | WhatsApp for Windows Bug Could Execute Malicious Code | A vulnerability in WhatsApp for Windows allows execution of malicious code through rigged file attachments. The flaw, identified as CVE-2025-30401, impacts versions prior to 2.2450.6 of the desktop application. Attackers can mislabel executable files (.exe) as images (.jpg) by exploiting MIME type handling discrepancies. Users must manually open the attachment for the malicious code to execute, making social engineering a potential risk factor. WhatsApp's parent company, Meta, issued a security advisory encouraging users to update their app to avoid exploitation. Security expert Adam Brown highlighted the risks of data theft, malware propagation, and identity theft due to this vulnerability. The potential real-world exploitation of this bug remains unconfirmed as per the latest reports. |
| 2025-04-08 17:57:59 | thehackernews | MALWARE | Fortinet Releases Patch for Critical FortiSwitch Vulnerability | Fortinet has issued updates to fix a critical flaw in FortiSwitch, identified as CVE-2024-48887, with a CVSS score of 9.3. The vulnerability allows unauthorized remote attackers to change admin passwords through a specifically crafted request in the GUI. The security issue was detected internally by a member of the FortiSwitch web UI development team, Daniel Rozeboom. Affected users are advised to disable HTTP/HTTPS access to administrative interfaces and limit system access to trusted hosts. Although there have been no reported exploitations of this specific flaw, previous vulnerabilities in Fortinet products have been leveraged by cybercriminals. Implementing the newly released security patches promptly is crucial for maintaining the security integrity of the network. |
| 2025-04-08 17:57:59 | bleepingcomputer | MALWARE | Microsoft Addresses Zero-Day and 134 Flaws in April 2025 Patch | This month's Microsoft Patch Tuesday has resolved 134 security vulnerabilities, including one zero-day that was actively exploited. The zero-day flaw, identified as CVE-2025-29824, could allow attackers to elevate privileges to SYSTEM level. The updates this April include fixes for eleven critical vulnerabilities, specifically targeting remote code execution risks. Security patches are currently available for Windows Server and Windows 11, with updates for Windows 10 to be released shortly. The vulnerabilities addressed span various aspects, but full details and affected system specifics can be found in the full Microsoft report. The discovery of the exploited zero-day was credited to the Microsoft Threat Intelligence Center. Alongside its regular patch release, Microsoft also disclosed fixes involving Mariner and Microsoft Edge released earlier in the month. |
| 2025-04-08 17:34:36 | bleepingcomputer | NATION STATE ACTIVITY | Extensive Breach at Treasury OCC Linked to Chinese Hackers | Hackers breached the U.S. Treasury's Office of the Comptroller of the Currency (OCC) in June 2023, accessing over 150,000 emails. The attackers monitored OCC employees' emails by compromising an email system administrator's account. The OCC reported the breach to the U.S. Cybersecurity and Infrastructure Security Agency in February 2025 as a cybersecurity incident affecting multiple accounts. Initially thought to be limited, the breach reportedly extended to about 100 bank regulators' emails. The Treasury Department also suffered a breach in January 2025; attackers used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance. This attack, deemed part of the larger breach, was attributed to Silk Typhoon, a Chinese state-backed hacking group. Silk Typhoon's targets included significant Treasury divisions like the Office of Foreign Assets Control (OFAC) and the Committee on Foreign Investment in the U.S. (CFIUS). The full impact of the breaches, including one in the Treasury's Office of Financial Research, is still under evaluation. |
| 2025-04-08 16:59:45 | thehackernews | MALWARE | Security Flaw in Amazon EC2 SSM Agent Allows Privilege Escalation | A critical security flaw was discovered in the Amazon EC2 Simple Systems Manager (SSM) Agent, enabling potential privilege escalation and code execution. The vulnerability involved improper validation of plugin IDs, allowing attackers to manipulate filesystem directories and execute arbitrary scripts with root privileges. The security risk stemmed from the SSM Agent's dynamic creation of directories based on plugin specifications, which did not properly sanitize input for malicious content. Attackers could exploit the flaw by using path traversal sequences in specially crafted plugin IDs to gain elevated system access. Cybersecurity firm Cymulate identified and disclosed the vulnerability, which was subsequently patched by Amazon in SSM Agent version 3.3.1957.0, released on March 5, 2025. Amazon addressed the issue by introducing a new method called BuildSafePath to prevent path traversal attacks in future updates of the SSM Agent. The patch was released following responsible disclosure practices, promoting cybersecurity across AWS services and its user base. |
| 2025-04-08 16:28:02 | bleepingcomputer | MALWARE | WhatsApp Update Fixes Critical Spoofing Vulnerability on Windows | Meta has issued an urgent update for the WhatsApp application on Windows to address a significant spoofing vulnerability identified as CVE-2025-30401. The flaw allows attackers to execute arbitrary code on victims' PCs by sending files with mismatched MIME types and filename extensions. All previous versions of WhatsApp for Windows were affected, but the issue has been resolved in the newest release, version 2.2450.6. The vulnerability was discovered through Meta's Bug Bounty program by an external researcher, though it is unclear whether it was exploited in the wild. This follows a series of security concerns for WhatsApp, including a previous issue that enabled Python and PHP files to execute code unexpectedly and a zero-day exploit used to install spyware. Meta continues to engage with the security community to address vulnerabilities promptly and enhance user safety on their platforms. |