Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-0282 |
Description: Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Summary
Description
CISA analyzed three files obtained from a critical infrastructure’s Ivanti Connect Secure device after threat actors exploited Ivanti CVE-2025-0282 for initial access. One file—that CISA is calling RESURGE—has functionality similar to SPAWNCHIMERA in how it creates a Secure Shell (SSH) tunnel for command and control (C2). RESURGE also contains a series of commands that can modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk. The second file is a variant of SPAWNSLOTH, that was contained within the RESURGE sample. The file tampers with the Ivanti device logs. The third file is a custom embedded binary that contains an open-source shell script and a subset of...
CVSS: CRITICAL (9.0)
March 28th, 2025 (22 days ago)
|
|
CVE-2025-0282 |
Description:
CISA has published a Malware Analysis Report (MAR) with analysis and associated detection signatures on a new malware variant CISA has identified as RESURGE. RESURGE contains capabilities of the SPAWNCHIMERA[1] malware variant, including surviving reboots; however, RESURGE contains distinctive commands that alter its behavior. These commands:
Create a web shell, manipulate integrity checks, and modify files.
Enable the use of web shells for credential harvesting, account creation, password resets, and escalating permissions.
Copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image.
RESURGE is associated with the exploitation of CVE-2025-0282 in Ivanti Connect Secure appliances. CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. CISA added CVE-2025-0282 to its Known Exploited Vulnerabilities Catalog on January 8, 2025.
For more information on the abovementioned malware variants and YARA rules for detection, see: MAR-25993211.R1.V1.CLEAR.
For a downloadable copy of the SIGMA rule associated with this MAR, see: AR25-087A SIGMA YAML.
CISA urges users and administrators to implement the following actions in addition to the Mitigation Instructions for CVE-2025-0282:
For the highest level of confidence, conduct a factory reset.
For Cloud and Virtual systems, conduct a factory reset using an external known clean image of the device.
See Ivan...
CVSS: CRITICAL (9.0)
March 28th, 2025 (22 days ago)
|
|
CVE-2025-22526 |
Description: Deserialization of Untrusted Data vulnerability in NotFound PHP/MySQL CPU performance statistics allows Object Injection. This issue affects PHP/MySQL CPU performance statistics: from n/a through 1.2.1.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
March 28th, 2025 (22 days ago)
|
|
CVE-2025-22523 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Schedule allows Blind SQL Injection. This issue affects Schedule: from n/a through 1.0.0.
CVSS: CRITICAL (9.3) EPSS Score: 0.04% SSVC Exploitation: none
March 28th, 2025 (22 days ago)
|
|
CVE-2025-2294 |
Description: The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via thekubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS: CRITICAL (9.8) EPSS Score: 20.52%
March 28th, 2025 (23 days ago)
|
|
CVE-2024-20439 |
🚨 Marked as known exploited on March 21st, 2025 (30 days ago).
Description: A vulnerability in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to log in to an affected system by using a static administrative credential.
This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to log in to the affected system. A successful exploit could allow the attacker to log in to the affected system with administrative privileges over the API of the Cisco Smart Licensing Utility application.
CVSS: CRITICAL (9.8) EPSS Score: 89.45% SSVC Exploitation: active
March 28th, 2025 (23 days ago)
|
|
CVE-2025-22398 |
Description: Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution as root. Exploitation may lead to a system take over by an attacker. This vulnerability is considered critical as it can be leveraged to completely compromise the operating system. Dell recommends customers to upgrade at the earliest opportunity.
CVSS: CRITICAL (9.8) EPSS Score: 1.21%
March 28th, 2025 (23 days ago)
|
|
CVE-2025-26898 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shinetheme Traveler.This issue affects Traveler: from n/a through 3.1.8.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
March 27th, 2025 (23 days ago)
|
|
CVE-2025-26873 |
Description: Deserialization of Untrusted Data vulnerability in Shinetheme Traveler.This issue affects Traveler: from n/a through 3.1.8.
CVSS: CRITICAL (9.0) EPSS Score: 0.05%
March 27th, 2025 (23 days ago)
|
|
CVE-2024-29855 |
Description: Hard-coded JWT secret allows authentication bypass in Veeam Recovery Orchestrator
CVSS: CRITICAL (9.0) EPSS Score: 17.79% SSVC Exploitation: none
March 27th, 2025 (23 days ago)
|