Advisories

Critical Vulnerabilities in Ivanti Endpoint Management

On October 7, 2025, the Zero Day Initiative (ZDI) by Trend Micro publicly disclosed 13 unpatched vulnerabilities in Ivanti Endpoint Management, including twelve remote code execution (RCE) flaws and one local privilege escalation bug. These issues were privately reported to Ivanti between November 2024 and June 2025 but were still unresolved when they were publicly disclosed. ZDI did not provide technical details or public proof-of-concept (PoC) exploit code but did list the vulnerable endpoints.

Oct 9, 2025 - 2 Min Read

MySonicWall Cloud Backup Data Breach

On October 8th, SonicWall confirmed that threat actors gained access to firewall configuration backup files for all customers who used the MySonicWall cloud backup service.

Oct 9, 2025 - 4 Min Read

RediShell: Critical RCE Vulnerability in Redis (CVE-2025-49844)

A critical vulnerability, CVE-2025-49844, dubbed "RediShell," has been discovered in Redis, a widely used database and caching system. It is a use-after-free (UAF) flaw inside Redis's Lua scripting engine, is present in all major versions of Redis, and has been assigned a CVSS score of 9.9. Threat actors can exploit it if they have authenticated access to a target Redis server, or if they find a Redis server running in its default configuration, which has no authentication enabled.

Oct 7, 2025 - 5 Min Read

Critical Vulnerability in Oracle E-Business Suite (EBS) Under Active Exploitation (CVE-2025-61882 & CVE-2025-61884)

On October 4th, Oracle reported a critical zero-day vulnerability in Oracle E-Business Suite (EBS) that is under active exploitation by Cl0p ransomware operators. The vulnerability (tracked as CVE-2025-61882 & CVE-2025-61884) is a critical unauthenticated remote code execution flaw affecting Oracle EBS versions 12.2.3 through 12.2.14, with a CVSS score of 9.8.

Oct 6, 2025 - 5 Min Read

High Severity SNMP Vulnerability in Cisco IOS & IOS XE Under Active Exploitation (CVE-2025-20352)

On September 24th, Cisco published an advisory detailing a high severity vulnerability within the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and Cisco IOS XE devices. The bug, tracked as CVE-2025-20352, is caused by a stack overflow in the SNMP subsystem of the underlying Cisco operating systems and could allow an authenticated attacker with valid credentials to cause a denial-of-service (DoS) condition with a valid SNMP read-write string, or to execute code remotely. Cisco's Product Security Incident Response Team (PSIRT) has confirmed successful exploitation of this vulnerability in the wild.

Sep 26, 2025 - 5 Min Read

Current Attack Campaign Leveraging Critical Vulnerabilities Against Cisco ASA & FTD VPN appliances (CVE-2025-20333, CVE-2025-20363)

On September 25, Cisco published several advisories concerning critical vulnerabilities in its Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) product lines. These vulnerabilities have been actively exploited in the wild since earlier this year by a sophisticated adversary. The malicious activity has been attributed to the 2024 "ArcaneDoor" campaign, with current evidence indicating that the same threat actors involved in the previous incidents are responsible for the ongoing attacks.

Sep 25, 2025 - 15 Min Read

Critical Vulnerability in Fortra GoAnywhere (CVE-2025-10035)

On September 18th, software company Fortra published an advisory detailing a critical vulnerability in its popular managed file transfer application GoAnywhere MFT. The issue is present in the Fortra MFT administration interface and affects organizations whose admin interface is accessible from the internet. The vulnerability is a deserialization flaw that may permit an unauthorized attacker to perform command injection, allowing threat actors to run arbitrary commands on the appliance.

Sep 19, 2025 - 2 Min Read

Malicious Worm Code Found in Many NPM Packages

Beazley Security Labs is monitoring a rapidly evolving supply-chain attack in the NPM (Node.js) ecosystem, known as the Shai-Hulud campaign. This attack uses a worm-like malicious payload embedded in compromised NPM packages. Once installed, the payload attempts to harvest secrets such as GitHub and NPM access tokens, as well as credentials for cloud providers such as AWS, Azure, and Google Cloud Platform. Once access tokens have been harvested, the worm uses them to republish malicious versions of any packages the compromised tokens control. It also injects GitHub Actions workflows to enable ongoing data exfiltration and persistence, making this a self-propagating NPM worm that is continuously expanding its reach and its ability to exfiltrate credentials from a broader set of victims.

Sep 17, 2025 - 5 Min Read

Critical Vulnerability in SAP NetWeaver (CVE-2025-42944)

On September 9th, SAP released an advisory describing several vulnerabilities across multiple SAP platforms. Among these was CVE-2025-42944 (CVSS 10.0), which affects SAP NetWeaver Application Server. This vulnerability involves insecure deserialization and may permit unauthorized remote code execution on target systems.

Sep 9, 2025 - 2 Min Read

Critical Vulnerability in Ivanti Connect Secure (CVE-2025-55147)

On September 9th, Ivanti published an advisory detailing multiple security vulnerabilities found in its Connect Secure, Policy Secure, ZTA Gateway, and Neurons products. The advisory covers multiple vulnerabilities, the most critical of which is CVE-2025-55147. That vulnerability is a cross-site request forgery (CSRF) bug that allows an unauthenticated threat actor to perform sensitive actions on behalf of a victim user. Successful exploitation requires user interaction from the victim.

Sep 9, 2025 - 2 Min Read