End-of-Day report
Timeframe: Wednesday 13-08-2025 18:00 - Thursday 14-08-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Spike in Fortinet VPN brute-force attacks raises zero-day concerns
A massive spike in brute-force attacks targeted Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager, marked a deliberate shift in targeting that has historically preceded new vulnerability disclosures.
https://www.bleepingcomputer.com/news/security/spike-in-fortinet-vpn-brute-force-attacks-raises-zero-day-concerns/
New downgrade attack can bypass FIDO auth in Microsoft Entra ID
Security researchers have created a new FIDO downgrade attack against Microsoft Entra ID that tricks users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking.
https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/
When Hackers Call: Social Engineering, Abusing Brave Support, and EncryptHub's Expanding Arsenal
Trustwave SpiderLabs researchers have recently identified an EncryptHub campaign that combines social engineering with abuse of the Brave Support platform to deliver malicious payloads via the CVE-2025-26633 vulnerability. In this blog post, we will break down the techniques used in the campaign and highlight the new tools employed by the threat group.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-hackers-call-social-engineering-abusing-brave-support-and-encrypthubs-expanding-arsenal/
A Mega Malware Analysis Tutorial Featuring Donut-Generated Shellcode
The motivation behind writing this post is that we want to provide the kind of resource that we would've liked to have seen more of when starting our own careers in malware research.
https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Mega-Malware-Analysis-Tutorial-Featuring-Donut.pdf
Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks
Crypto24 is a ransomware group that stealthily blends legitimate tools with custom malware, using advanced evasion techniques to bypass security and EDR technologies.
https://www.trendmicro.com/en_us/research/25/h/crypto24-ransomware-stealth-attacks.html
Vulnerabilities
N-central 2025.3.1
This release includes a critical security fix for CVE-2025-8875 and CVE-2025-8876. These vulnerabilities require authentication to exploit.
https://status.n-able.com/2025/08/13/announcing-the-ga-of-n-central-2025-3-1/
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq).
https://lwn.net/Articles/1033737/
Rockwell Automation Security Advisories 14.08.2025
Rockwell Automation has released 6 new security advisories (3x Critical, 3x High)
https://www.rockwellautomation.com/en-us/trust-center/security-advisories.html?sort=pubAsc&published-date-start=2025-08-14&updated-date-start=2025-08-14
Security patches: Attackers can plant malicious code on GitLab servers
The GitLab developers have closed a total of twelve security vulnerabilities. Attackers can compromise systems. [..] In an advisory, the maintainers assure that GitLab.com has already been secured. They recommend that admins of on-premise instances install the fixed releases 18.0.6, 18.1.4 or 18.2.2 promptly. There is no information yet on whether attacks are already under way.
https://heise.de/-10523017
Nvidia patches security vulnerabilities in AI software
Developers have found security vulnerabilities in various Nvidia AI software. Some of these pose a high risk. [..] Affected are the Nvidia projects Apex, Isaac-GR00T, Megatron LM, Merlin Transformers4Rec, NeMo Framework and WebDataset.
https://heise.de/-10524310
Foxit PDF Reader: Crafted PDFs can smuggle malicious code onto PCs
Security updates for Foxit PDF Reader and Editor close several security vulnerabilities. [..] In the worst case, malicious code can reach systems and fully compromise them. This can happen, for example, via PDFs prepared with JavaScript (e.g. CVE-2025-55313, "high"). However, it must be assumed that victims have to cooperate and open such a file for an attack to be initiated.
https://heise.de/-10524778
Drupal: Layout Builder Advanced Permissions - Moderately critical - Access bypass - SA-CONTRIB-2025-097
https://www.drupal.org/sa-contrib-2025-097
Drupal: Authenticator Login - Highly critical - Access bypass - SA-CONTRIB-2025-096
https://www.drupal.org/sa-contrib-2025-096
ABB: 2025-08-12: Cyber Security Advisory - ABB Ability™ zenon Remote Transport Vulnerability
https://search.abb.com/library/Download.aspx?DocumentID=2NGA002743&LanguageCode=en&DocumentPartId=&Action=Launch
ABB: 2025-08-11: Cyber Security Advisory - ELSB/BLBA ASPECT advisory, several CVEs
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108471A4462&LanguageCode=en&DocumentPartId=pdf&Action=Launch
TYPO3-PSA-2025-001: Sanitization bypass in SVG Sanitizer
https://typo3.org/security/advisory/typo3-psa-2025-001
Siemens: SSA-395458 V1.0: Account Hijacking Vulnerability in Mendix SAML Module
https://cert-portal.siemens.com/productcert/html/ssa-395458.html
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 4, 2025 to August 10, 2025)
https://www.wordfence.com/blog/2025/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-4-2025-to-august-10-2025/
Bosch: Vulnerabilities in ctrlX OS - Setup
https://psirt.bosch.com/security-advisories/bosch-sa-129652.html
Bosch: Denial of Service on Rexroth Fieldbus Couplers
https://psirt.bosch.com/security-advisories/bosch-sa-757244.html
Kubernetes: CVE-2025-5187
https://github.com/kubernetes/kubernetes/issues/133471