End-of-Day report
Timeframe: Monday 12-05-2025 18:00 - Tuesday 13-05-2025 18:00
Handler: Guenes Holler
Co-Handler: n/a
News
Sit, Fetch, Steal - Chihuahua Stealer: A new Breed of Infostealer
Chihuahua Stealer is a newly discovered .NET-based infostealer that blends common malware techniques with unusually advanced features. It first came to our attention through a Reddit post made on April 9, where a user shared an obfuscated PowerShell script that they had been tricked into executing via a Google Drive document.
https://feeds.feedblitz.com/~/918192962/0/gdatasecurityblog-en~Sit-Fetch-Steal-Chihuahua-Stealer-A-new-Breed-of-Infostealer
Türkiye-linked spy crew exploited a messaging app zero-day to snoop on Kurdish army in Iraq
Turkish spies exploited a zero-day bug in a messaging app to collect information on the Kurdish army in Iraq, according to Microsoft, which says the attacks began more than a year ago. Specifically, the snoops abused CVE-2025-27920, a directory traversal vulnerability in version 2.0.62 of the messaging app Output Messenger, and the intrusions began in April 2024. The app's developer Srimax issued a software update in December to patch the hole, but not all users applied the fix.
https://go.theregister.com/feed/www.theregister.com/2025/05/13/turkish_spies_messaging_app/
As US vuln-tracking falters, EU enters with its own security bug database
The European Vulnerability Database (EUVD) is now fully operational, offering a streamlined platform to monitor critical and actively exploited security flaws amid the US struggles with budget cuts, delayed disclosures, and confusion around the future of its own tracking systems.
https://go.theregister.com/feed/www.theregister.com/2025/05/13/eu_security_bug_database/
SAP Patchday: Critical NetWeaver vulnerability and many more plugged
In May 2025 SAP publishes a total of 16 new security notes. They address partly critical security vulnerabilities in various products from the company's business software catalogue.
https://heise.de/-10381863
Auditing Moodle's core: hunting for logical bugs
The following article explains how, during an audit, we examined Moodle (v4.4.3) and found ways of bypassing all the restrictions preventing SSRF vulnerabilities from being exploited.
http://blog.quarkslab.com/auditing-moodles-core-hunting-for-logical-bugs.html
Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies
A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025.
http://blog.quarkslab.com/technical-dive-into-modern-phishing.html
Vulnerabilities
Apple Updates Everything: May 2025 Edition, (Mon, May 12th)
Apple released its expected update for all its operating systems. The update, in addition to providing new features, patches 65 different vulnerabilities. Many of these vulnerabilities affect multiple operating systems within the Apple ecosystem.
https://isc.sans.edu/diary/rss/31942
Perfectly implemented safeguards bypassed: Spectre attacks are back
Existing protection mechanisms do not always protect against Spectre-like side-channel attacks on processors, even when they are perfectly implemented and isolate different domains from each other. This is the conclusion reached by researchers of the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec).
https://www.heise.de/news/Perfekt-implementierte-Sicherungen-ausgehebelt-Spectre-Angriffe-sind-zurueck-10381851.html
82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme
On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.
https://www.wordfence.com/blog/2025/05/82000-wordpress-sites-affected-by-arbitrary-file-upload-vulnerability-in-thegem-wordpress-theme/
Security updates for Tuesday
Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial).
https://lwn.net/Articles/1020948/
Stack-based buffer overflow vulnerability in API
A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
EPMM Security Update
To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited. The issue only affects the on-prem EPMM product.
https://www.ivanti.com/blog/epmm-security-update
Xen Security Advisory CVE-2024-28956 / XSA-469
https://xenbits.xen.org/xsa/advisory-469.html
Possibility of replay attacks in the Tiiwee X1 Alarm System (SYSS-2025-006)
https://www.syss.de/pentest-blog/moeglichkeit-fuer-replay-attacken-im-tiiwee-x1-alarm-system-syss-2025-006