CVE-2025-2567 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Lantronix
Equipment: Xport
Vulnerability: Missing Authentication for Critical Function
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker unauthorized access to the configuration interface and cause disruption to monitoring and operations.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Lantronix products are affected:
Xport: Versions 6.5.0.7 to 7.0.0.3
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
An attacker who reaches the unauthenticated configuration interface could modify or disable settings, disrupting fuel monitoring and supply chain operations and potentially disabling automatic tank gauge (ATG) monitoring. This could create safety hazards in fuel storage and transportation.
CVE-2025-2567 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2567. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Souvik Kandar from Microsec(microsec.io) reported this vulnerability to CISA.
4. MITIGATI...
EPSS Score: 0.05%
April 15th, 2025 (7 days ago)
|
Description: The dismantling of a sophisticated dark web laundering network tied to over $24 million in illicit funds has revealed just how vulnerable even the most anonymity-conscious actors can be when digital traces are left behind — particularly across encrypted messaging platforms and cloud services. Anurag Pramod Murarka, a 30-year-old Indian national operating under aliases like …
The post Dark Web Launderer Unmasked Through Apple iCloud and Messaging Apps appeared first on CyberInsider.
April 15th, 2025 (7 days ago)
|
CVE-2025-29281 |
Description: In PerfreeBlog version 4.0.11, regular users can exploit the arbitrary file upload vulnerability in the attach component to upload arbitrary files and execute code within them.
EPSS Score: 0.08% SSVC Exploitation: poc
April 15th, 2025 (7 days ago)
|
CVE-2025-28145 |
Description: Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via the partition parameter in /boafrm/formDiskFormat.
EPSS Score: 4.33%
April 15th, 2025 (7 days ago)
|
CVE-2025-28137 |
Description: The TOTOLINK A810R V4.1.2cu.5182_B20201026 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.
EPSS Score: 0.32%
April 15th, 2025 (7 days ago)
|
CVE-2025-27980 |
Description: cashbook v4.0.3 has an arbitrary file read vulnerability in /api/entry/flow/invoice/show?invoice=.
EPSS Score: 0.04%
April 15th, 2025 (7 days ago)
|
Description: Customs and Border Protection released more documents last week that show which AI-powered tools that agency has been using to identify people of interest.
April 15th, 2025 (7 days ago)
|
Description: Summary
The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. In the CDK, developers organize their applications into reusable components called "constructs," which are organized into a hierarchical tree structure. One of the features of this framework is the ability to call "Aspects," which are mechanisms to set configuration options for all AWS Resources in a particular part of the hierarchy at once. Aspect execution happens in a specific order, and the last Aspect to execute controls the final values in the template.
AWS CDK version 2.172.0 introduced a new priority system for Aspects. Prior to this version, CDK would run Aspects based on hierarchical location. The new priority system takes precedence over hierarchical location, altering the invocation order of Aspects. Different priority classes were introduced: Aspects added by CDK APIs were classified as MUTATING (priority 200), while Aspects added directly by the user were classified as DEFAULT (priority 500) unless the user specified otherwise. Aspects run in ascending priority order, so a user-added DEFAULT Aspect now runs after, and overwrites, a MUTATING Aspect added by a built-in CDK method on the same resource. As a result of this change, CDK apps that use a custom Aspect to assign a default permissions boundary and then use a built-in CDK method to override it on select resources could have unexpected permissions boundaries assigned.
The following is an affected code sample:
Aspects.of(stack).add(new CustomAspectThatAssignsDefaultPermissionsBoundaries()); ...
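To make the ordering change concrete, the following is an added Python model of the rule the advisory describes; it is not aws-cdk-lib code (the CDK's own Aspect engine is TypeScript) and is not part of the original advisory. The Construct class, invoke_aspects, synth and the "DefaultBoundary"/"StrictBoundary" names are assumptions made for the example; the priority values 200 and 500 are the ones named above. It reproduces the scenario (a stack-level custom Aspect assigning a default boundary, a built-in override on one role) under both orderings.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not aws-cdk-lib code: a small model of the two Aspect
# orderings the advisory contrasts. Priority values are the ones it names.
MUTATING = 200   # aspects added by CDK APIs (e.g. the permissions-boundary override)
DEFAULT = 500    # aspects added directly by the user, unless a priority is given

Visitor = Callable[["Construct"], None]


@dataclass
class Construct:
    id: str
    kind: str                                   # "Stack" or "Role" in this model
    parent: Optional["Construct"] = None
    children: List["Construct"] = field(default_factory=list)
    aspects: List[Tuple[int, Visitor]] = field(default_factory=list)  # (priority, visit)
    permissions_boundary: Optional[str] = None

    def child(self, id: str, kind: str) -> "Construct":
        node = Construct(id, kind, parent=self)
        self.children.append(node)
        return node


def invoke_aspects(root: Construct, priority_ordering: bool) -> None:
    """Walk the tree root-first. At each node the candidate aspects are those
    inherited from ancestors followed by the node's own (hierarchical order).
    Pre-2.172.0 that list runs as-is; 2.172.0+ stable-sorts it by priority,
    so a lower priority number runs earlier and the highest runs last and wins."""
    def recurse(node: Construct, inherited: List[Tuple[int, Visitor]]) -> None:
        candidates = inherited + node.aspects
        ordered = sorted(candidates, key=lambda a: a[0]) if priority_ordering else candidates
        for _, visit in ordered:
            visit(node)
        for c in node.children:
            recurse(c, candidates)
    recurse(root, [])


def default_boundary_aspect(arn: str) -> Visitor:
    """Models the user's custom Aspect: stamp a default boundary on every Role."""
    def visit(node: Construct) -> None:
        if node.kind == "Role":
            node.permissions_boundary = arn
    return visit


def apply_boundary(scope: Construct, arn: str) -> None:
    """Models PermissionsBoundary.of(scope).apply(...): the built-in override is
    itself an Aspect on that scope, classified MUTATING in 2.172.0+."""
    def visit(node: Construct) -> None:
        if node.kind == "Role":
            node.permissions_boundary = arn
    scope.aspects.append((MUTATING, visit))


def synth(priority_ordering: bool, custom_priority: int = DEFAULT) -> Dict[str, Optional[str]]:
    """Build the advisory's scenario and return each Role's final boundary."""
    stack = Construct("Stack", "Stack")
    role_a = stack.child("RoleA", "Role")
    role_b = stack.child("RoleB", "Role")
    # Aspects.of(stack).add(new CustomAspectThatAssignsDefaultPermissionsBoundaries())
    stack.aspects.append((custom_priority, default_boundary_aspect("DefaultBoundary")))
    # PermissionsBoundary.of(roleB).apply(strictPolicy): meant to win for RoleB only
    apply_boundary(role_b, "StrictBoundary")
    invoke_aspects(stack, priority_ordering)
    return {r.id: r.permissions_boundary for r in (role_a, role_b)}


if __name__ == "__main__":
    print("pre-2.172.0 (hierarchical):", synth(priority_ordering=False))
    print("2.172.0+ (priority, custom at DEFAULT):", synth(priority_ordering=True))
    print("2.172.0+ (custom given a priority below MUTATING):",
          synth(priority_ordering=True, custom_priority=MUTATING - 1))
```

Under hierarchical ordering RoleB ends with StrictBoundary; under priority ordering the DEFAULT custom Aspect runs last and RoleB silently reverts to DefaultBoundary. Giving the custom Aspect a priority below MUTATING restores the intended order in this model; that illustrates the rule, not a vendor-recommended fix, which the text above does not include.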
April 15th, 2025 (7 days ago)
|
Description: Microsoft warned that Exchange 2016 and Exchange 2019 will reach the end of support six months from now, on October 14. [...]
April 15th, 2025 (7 days ago)
|
Description: Summary
The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.
Details
The Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.
PoC
The core code snippet is shown below:
```python
import jwt  # PyJWT

# The advisory redacts the actual hardcoded secret; this placeholder stands in
# for the template string embedded in Dpanel's source, which the PoC fills
# with the application name. Replace with the real template to reproduce.
SECRET_KEY = "SECRET_KEY_{APP_NAME}"  # placeholder, not the real value


def generate_jwt(appname):
    # Claims are likewise redacted in the advisory; placeholder values shown.
    payload = {
        "SECRET_KEY": "SECRET_VALUE",
    }
    print("appname:", appname)
    print("payload:", str(payload))
    # Signing with the known constant yields a token the service accepts as valid.
    token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm="HS256")
    return token


appname = "SECRET_KEY"
token = generate_jwt(appname)
print("url token:", token)
```
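The following added example (not Dpanel's code and not part of the advisory) models the flaw class with the standard library only: an HS256 JWT forged with a secret the attacker has read out of the source, verified against both the weak constant and a per-deployment random secret. WEAK_SECRET, the claim names and the checks in demo() are constructed for the example; the real redacted Dpanel value is not used.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Added example (not Dpanel's code). WEAK_SECRET is a constructed placeholder
# standing in for any constant an attacker can read out of a shipped binary or
# repository; the advisory's real value is redacted and not reproduced here.
WEAK_SECRET = "dpanel-hardcoded-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: str) -> str:
    """header.payload.signature with HS256, the same wire format PyJWT emits."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [
        _b64url(json.dumps(header, separators=(",", ":")).encode()),
        _b64url(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    sig = hmac.new(secret.encode(), ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when algorithm, signature and expiry check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        given_sig = _b64url_decode(s64)
    except ValueError:          # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":   # pin the algorithm: no "none", no key confusion
        return None
    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):
        return None
    claims = json.loads(_b64url_decode(p64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims


def generate_server_secret() -> str:
    """Hardened pattern: a fresh 256-bit key generated at install time and kept
    in configuration storage, never a literal in the repository."""
    return secrets.token_urlsafe(32)


def demo() -> dict:
    """Forge an admin token with the leaked constant, then show the same forgery,
    a tampered payload, an alg=none token and an expired token all fail once the
    server signs with a per-deployment random secret."""
    admin = {"username": "admin", "role": "admin", "exp": 2_000_000_000}
    forged = mint_hs256(admin, WEAK_SECRET)            # attacker knows WEAK_SECRET

    good_secret = generate_server_secret()
    legit = mint_hs256({"username": "viewer", "role": "user", "exp": 2_000_000_000}, good_secret)
    h64, _, s64 = legit.split(".")
    tampered = ".".join([h64, _b64url(b'{"username":"viewer","role":"admin"}'), s64])
    none_alg = ".".join([_b64url(b'{"alg":"none"}'), _b64url(b'{"role":"admin"}'), ""])

    return {
        "weak_server_accepts_forgery": verify_hs256(forged, WEAK_SECRET) is not None,
        "hardened_server_rejects_forgery": verify_hs256(forged, good_secret) is None,
        "hardened_server_accepts_legit": verify_hs256(legit, good_secret) is not None,
        "tampered_payload_rejected": verify_hs256(tampered, good_secret) is None,
        "alg_none_rejected": verify_hs256(none_alg, good_secret) is None,
        "expired_rejected": verify_hs256(legit, good_secret, now=2_000_000_001) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The forgery succeeds only because the verifier's key equals a constant the attacker already has; moving the key to generated, per-deployment configuration (and rotating it on exposure) is what closes the hole, while pinning the algorithm and using a constant-time comparison keep the verifier itself from becoming the next weak point.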
Impact
Attackers who successfully exploit this vulnerability can write arbitrar...
April 15th, 2025 (7 days ago)
|