End-of-Day report
Timeframe: Friday 11-04-2025 18:00 - Monday 14-04-2025 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
BentoML Vulnerability Allows Remote Code Execution on AI Servers
This vulnerability, tracked as CVE-2025-27520 with a high severity score of 9.8 and discovered by GitHub user c2an1, could allow attackers who aren't even logged in to take complete control of the servers running these AI services. [..] Interestingly, according to Checkmarx's report, this vulnerability is essentially a repeat of CVE-2024-2912, which was fixed in BentoML version 1.2.5, but the fix was later removed in BentoML version 1.3.8, causing the same dangerous weakness to reappear.
https://hackread.com/bentoml-vulnerability-remote-code-execution-ai-servers/
Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th)
Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the "Bug Fixes" addresses a major vulnerability. Instead, the release notes state, "auth current user on code validation." [..] The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and provided a proof of concept exploit.
https://isc.sans.edu/diary/rss/31850
Proton66 Part 1: Mass Scanning and Exploit Campaigns
Trustwave SpiderLabs continuously tracks a range of malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns leading to malware infections.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-1-mass-scanning-and-exploit-campaigns/
Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft
Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens.
https://thehackernews.com/2025/04/phishing-campaigns-use-real-time-checks.html
CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide
CyberAv3ngers has been vocal about their operations that targeted Israel and Israeli technology products. But they've also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world.
https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-industrial-systems/
A short(-ish) guide on information security writing
Whether you're compiling incident notes at 3 AM, drafting a post-mortem report for the board or helping the marketing department to craft a blog post that will generate near endless riches for your employer - whether we like it or not, the ability to produce qualitative writing is as much a vital skill when working in information security as your technical prowess.
https://bytesandborscht.com/a-short-ish-guide-on-information-security-writing/
Beware of triangulation fraud on classified-ad platforms
eBay, Willhaben, Shpock and the like are popular platforms for buying used goods cheaply or selling items you no longer need. But beware: criminals hide behind some profiles. Particularly insidious is triangulation fraud, in which both buyers and sellers are defrauded.
https://www.watchlist-internet.at/news/vorsicht-vor-dreiecksbetrug-bei-kleinanzeigenplattformen/
BPFDoor's Hidden Controller Used Against Asia, Middle East Targets
A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.html
Vulnerabilities
Security updates: malicious code attacks on AI analytics platform Spotfire possible
As two advisories on the vulnerabilities (CVE-2025-3114 "critical", CVE-2025-3115 "critical") show, the products specifically affected are Spotfire Analyst, AWS Marketplace, Deployment Kit Spotfire Server, Desktop, Enterprise Runtime, Service for Python, Service for R and Statistics Services.
https://www.heise.de/news/Sicherheitsupdates-Schadcode-Attacken-auf-KI-Analyseplattform-Spotfire-moeglich-10350088.html
Network devices running Arista EOS can forget to encrypt
As an advisory states, encryption of network traffic does not work reliably. According to the developers, however, this only occurs when Secure Vxlan is configured. [..] The vulnerability (CVE-2024-12378) is rated with a threat level of "critical".
https://www.heise.de/news/Netzwerkgeraete-mit-Arista-EOS-koennen-Verschluesselung-vergessen-10350160.html
Security updates for Monday
Security updates have been issued by Debian (glib2.0, jinja2, kernel, mediawiki, perl, subversion, twitter-bootstrap3, twitter-bootstrap4, and wpa), Fedora (c-ares, chromium, condor, corosync, cri-tools1.29, exim, firefox, matrix-synapse, nextcloud, openvpn, perl-Data-Entropy, suricata, upx, varnish, webkitgtk, yarnpkg, and zabbix), Mageia (giflib, gnupg2, graphicsmagick, and poppler), Oracle (delve and golang, go-toolset:ol8, grub2, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (chromium, fontforge-20230101, govulncheck-vulndb, kernel, liblzma5-32bit, pgadmin4, python311-Django, and python311-PyJWT), and Ubuntu (graphicsmagick).
https://lwn.net/Articles/1017396/