The Download A newly disclosed zero-day vulnerability in CrushFTP (CVE-2024-4040) allows unauthenticated remote attackers to bypass its Virtual File System (VFS) sandbox and access sensitive files well beyond their permitted boundaries. For business owners, MSPs, and IT operators, this is a red-alert scenario. CrushFTP is widely used for secure file transfers, often between trusted partners, vendors, or remote users. If exploited, attackers could steal confidential data, deploy malicious payloads, or gain persistent access to your network—all without needing valid credentials. Active exploitation in the wild is being reported. What You Can Do Immediate action is required. Upgrade CrushFTP to version 10.7.1 or 11.1.0, which include fixes for this critical flaw. Use available tools like ThreatMate to scan for exposure and verify remediation. Review server logs for any suspicious access patterns or anomalies in file access that could suggest unauthorized activity. Consider isolating your file transfer infrastructure behind segmented firewalls, disabling unused services, and applying least-privilege principles to VFS configurations. Also, inform users and partners of the patch requirement to prevent third-party risk. ThreatMate will analyze all your attack surfaces for exposures that adversaries exploit. Sign up for a demo today. To Learn More: https://blog.qualys.com/vulnerabilities-threat-research/2024/04/30/crushftp-zero-day-exploitation-due-to-cve-2024-4040?utm_source=chatgpt.com

The Download Google Chrome’s latest zero-day—CVE-2025-2783—is a sandbox escape vulnerability that’s already being exploited in the wild. For MSPs and IT leaders, this is more than just a browser bug. It means threat actors can execute code beyond Chrome’s normal security boundaries, potentially gaining control of the entire system. With employees living inside their browsers—handling email, SaaS apps, and cloud dashboards—this exploit can be the gateway to total business compromise. What You Can Do Immediately push the latest Chrome updates across all managed devices via group policy or your endpoint management platform. Disable automatic execution of downloaded files and enforce content filtering where feasible. Regularly scan systems for indicators of compromise, and consider browser isolation tools or virtualized browsing environments for high-risk users. Most critically—educate users not to click on suspicious links, especially in spear-phishing campaigns. Continuously monitor your attack surfaces with ThreatMate. Sign up for a demo today! To Learn More: https://www.iconnectitbs.com/top-cyber-security-vulnerabilities-march-2025-roundup/?utm_source=chatgpt.com

The Download A newly disclosed vulnerability (CVE-2025-22457) in Ivanti’s Connect Secure VPN appliances allows remote, unauthenticated attackers to execute arbitrary code—no credentials required. For business owners, Managed Service Providers (MSPs), and IT operators, this means the crown jewels—internal systems, user data, and cloud apps—could be exposed with a single exploit. Actively exploited in the wild, this vulnerability puts remote access gateways, a lifeline for hybrid workforces, at critical risk of compromise, lateral movement, and data theft. What You Can Do Ivanti has released urgent patches, and IT admins should immediately update all Connect Secure appliances to the latest firmware. If patching isn't immediately feasible, temporarily isolate vulnerable VPN endpoints from the internet and monitor for signs of compromise. Review logs for abnormal activity, rotate privileged credentials, and implement MFA everywhere. It’s also wise to assess remote access architecture for other gaps while reinforcing firewall rules. ThreatMate monitors all your attack surfaces for exploitable vulnerabilities. Schedule time today for a demo. To Learn More: https://www.techradar.com/pro/security/ivanti-patches-serious-connect-secure-flaw?utm_source=chatgpt.com

The Download In the March 2025 Patch Tuesday release, Microsoft addressed 57 security flaws, including six actively exploited zero-day vulnerabilities. Among these, two Windows kernel critical vulnerabilities stand out due to their potential impact on businesses:​ CVE-2025-24983 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability:  This flaw allows local attackers to gain SYSTEM privileges by exploiting a race condition within the Win32 Kernel Subsystem. Successful exploitation grants attackers full control over the affected system, enabling them to install malicious software, modify data, and create new accounts with comprehensive user rights.  CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability:  This vulnerability involves a heap-based buffer overflow in the Windows NTFS driver. Attackers can exploit this flaw by convincing a user to mount a specially crafted Virtual Hard Disk (VHD), leading to remote code execution. Once exploited, attackers can execute arbitrary code with elevated privileges, potentially leading to data theft, system compromise, and further network infiltration.  While the details are technical, the impact is quite severe if exploited and warrants immediate patching. What You Can Do To protect against these vulnerabilities, IT administrators should take the following actions:​ Apply Security Updates Promptly:  Ensure that all systems are updated with the latest patches released in the March 2025 Patch Tuesday to mitigate these and other vulnerabilities.​ Limit User Privileges:  Restrict user permissions to the minimum necessary to reduce the potential impact of exploitation.​ Educate Users:  Train staff to recognize and avoid actions that could lead to exploitation, such as mounting untrusted VHD files.​ BleepingComputer Implement Endpoint Protection:  Deploy advanced endpoint detection and response solutions to identify and block exploit attempts.​ By proactively addressing these vulnerabilities, organizations can enhance their security posture and reduce the risk of exploitation. Sign up for ThreatMate today to continuously monitor your networks attack surfaces. To Learn More: https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2025-patch-tuesday-fixes-7-zero-days-57-flaws/

The Download A new AI-driven offensive security tool, RamiGPT , has been developed by GitHub user M507, demonstrating the capability to autonomously escalate privileges and gain root access to vulnerable systems in under a minute. By integrating OpenAI's API with established penetration testing frameworks like PwnTools, RamiGPT demonstrated attacks on intentionally vulnerable virtual machines hosted on platforms such as VulnHub. In various scenarios, RamiGPT achieved privilege escalation times ranging from approximately 9.66 to 12.8 seconds. The tool combines automated vulnerability scanning using utilities like LinPEAS for Linux and BeRoot for Windows with AI-driven decision-making to identify misconfigurations, weak credentials, or exploitable services. For example, in the R-TEMIS: 1 CTF challenge, RamiGPT replicated manual steps such as SSH brute-forcing and MySQL history analysis to extract root credentials programmatically. What You Can Do To defend against tools like RamiGPT, IT administrators should implement robust security measures, including:​ Vulnerability Management:  Ensure all systems and applications are up-to-date with the latest security patches to mitigate known vulnerabilities.​ Strong Authentication Mechanisms:  Enforce the use of complex, unique passwords and implement multi-factor authentication (MFA) to reduce the risk of unauthorized access.​ Comprehensive Privileged Access Management (PAM):  Deploy PAM solutions that incorporate algorithm audit trails, behavioral analytics to detect anomalous access patterns, and time-based access controls to limit exposure windows.​ Regular Security Audits:  Conduct frequent security assessments and penetration testing to identify and remediate potential weaknesses before they can be exploited.​ User Education:  Train staff on cybersecurity best practices, including recognizing phishing attempts and understanding the importance of maintaining strong, unique passwords.​ By proactively implementing these strategies, organizations can enhance their resilience against AI-driven threats like RamiGPT and maintain the integrity of their systems. AI driven adversarial attacks will lower the bar for criminal actors, while speeding the time to compromise. Getting left of boom to protect your networks is essential now more than ever. Sign up for a demonstration of the ThreatMate continuous threat exposure management platform to show you how to get in front of adversaries. To Learn More: https://cybersecuritynews.com/ramigpt-gain-root-access/

The Download A new ransomware-as-a-service (RaaS) operation named VanHelsing  has surfaced, posing a significant threat to various operating systems, including Windows, Linux, BSD, ARM, and ESXi. First promoted on underground cybercrime platforms on March 7, 2025, VanHelsing offers experienced affiliates free membership, while less experienced actors are required to deposit $5,000. This Russian-led cybercrime project prohibits targeting systems within Commonwealth of Independent States (CIS) countries. The Commonwealth of Independent States (CIS) is a regional organization formed during the dissolution of the Soviet Union in 1991. It was created to foster cooperation among former Soviet Republics in areas like economics, defense, and foreign policy. Affiliates retain 80% of ransom payments, with the remaining 20% allocated to the operators. Payments are managed through an automated escrow system utilizing blockchain confirmations for enhanced security. Once a system is compromised, attackers can deploy the ransomware to encrypt critical data, rendering it inaccessible and disrupting operations. This can lead to significant financial losses, operational downtime, and potential data breaches if sensitive information is exfiltrated.  What You Can Do To defend against the VanHelsing ransomware, IT administrators should implement comprehensive security measures. Regularly updating and patching all systems and software can mitigate vulnerabilities that ransomware exploits. Deploying robust endpoint protection solutions capable of detecting and blocking ransomware activities is crucial. Implementing network segmentation can limit the spread of ransomware within an organization. Regular data backups, stored offline or in secure cloud environments, ensure that critical information can be restored without capitulating to ransom demands. Conducting regular security awareness training for employees can reduce the risk of phishing attacks, a common vector for ransomware infections. By adopting these proactive strategies, organizations can enhance their resilience against emerging ransomware threats like VanHelsing. ThreatMate will continuously monitor your attack surfaces for vulnerabilities to ransomware attacks helping you patch holes that ransomware groups would otherwise find and exploit. Sign up for a demo today. To Learn More: https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/

The Download A significant security flaw has been identified in Next.js, a popular React-based framework, affecting versions from 11.1.4 through 15.1.7. This vulnerability, designated as CVE-2025-29927, allows attackers to bypass middleware functions by manipulating the x-middleware-subrequest header. Middleware in Next.js is commonly used for tasks such as authentication, authorization, and request rewriting. By crafting requests with specific x-middleware-subrequest header values, attackers can effectively disable these middleware protections. This exploitation can lead to unauthorized access to restricted areas, circumvention of security policies like Content Security Policy (CSP), and potential denial-of-service (DoS) conditions through cache poisoning. What You Can Do To mitigate this vulnerability, IT administrators should promptly update Next.js to the latest patched versions—15.2.3 for the 15.x series and 14.2.25 for the 14.x series. For versions between 11.1.4 and 13.5.6, where direct patches may not be available, it is advisable to implement workarounds such as filtering or blocking external requests containing the x-middleware-subrequest header. Additionally, reviewing and updating middleware configurations to ensure they do not rely solely on client-supplied headers for critical security functions is essential. Regularly monitoring application logs for unusual access patterns can aid in early detection of exploitation attempts.  Use ThreatMate to monitor your attack surfaces for exploitable vulnerabilities. Sign up for a demo. To Learn More: https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware

The Download A critical PHP remote code execution (RCE) vulnerability, identified as CVE-2024-4577, is currently being widely exploited, posing significant risks to Windows systems running PHP in CGI mode. Despite a patch released in June 2024, many systems remain unpatched, leaving them vulnerable. Threat actors can exploit this flaw to execute arbitrary code, potentially leading to full system compromise. Notably, attackers have targeted organizations since early January 2025, with activities including credential theft, establishing persistence, privilege escalation, and deploying adversarial tools like the "TaoWu" Cobalt Strike kit. What You Can Do To mitigate this threat, IT administrators should promptly apply the security patch released in June 2024 to all affected PHP installations. It's crucial to verify that PHP is not running in CGI mode unless absolutely necessary. Implementing continuous monitoring for unusual activities, conducting regular security assessments, and employing intrusion detection systems can further enhance defenses against such exploits. Additionally, reviewing system logs for indicators of compromise, such as unauthorized access attempts or deployment of known adversarial tools, is essential for early detection and response. Use the ThreatMate platform to continuously monitor websites for vulnerabilities. To Learn More: https://www.bleepingcomputer.com/news/security/critical-php-rce-vulnerability-mass-exploited-in-new-attacks/

The Download In a recent cybersecurity incident, the Akira ransomware group demonstrated advanced tactics to infiltrate networks and evade security measures. Initially, they gained access to a victim's network through an exposed remote access solution and deployed AnyDesk.exe to maintain persistent access. They attempted to deploy their ransomware payload on a Windows server via a password-protected zip file ('win.zip') containing the malicious executable ('win.exe'). However, the organization's Endpoint Detection and Response (EDR) system successfully identified and quarantined the threat, thwarting the initial attack. ​ Undeterred, Akira conducted a network scan and discovered unsecured Internet of Things (IoT) devices, including webcams and fingerprint scanners. Exploiting critical vulnerabilities in a Linux-based webcam—such as remote shell capabilities and lack of EDR protection—they compromised the device to bypass traditional security controls. Using the compromised webcam, they generated malicious Server Message Block (SMB) traffic directed at the targeted Windows server, successfully encrypting files across the victim's network without detection.  What You Can Do To mitigate such sophisticated attack vectors, IT administrators should implement several key security measures:​ Network Segmentation:  Isolate IoT devices from critical systems and servers to limit lateral movement opportunities for attackers.​ Regular Audits:  Conduct comprehensive internal network audits to identify and address vulnerabilities in connected devices.​ Patch Management:  Maintain strict patch management practices, ensuring all devices, including IoT equipment, are updated with the latest security patches.​ Secure Configurations:  Change default passwords on IoT devices and disable unnecessary services to reduce potential attack surfaces.​ Monitoring and Detection:  Implement robust monitoring solutions capable of detecting unusual traffic patterns, even from devices not typically covered by EDR systems.​ Device Management:  Power off or disconnect IoT devices when not in use to minimize exposure.​ By proactively addressing these areas, organizations can enhance their defenses against evolving ransomware tactics that exploit unconventional entry points. ThreatMate will both inventory all IoT devices on your network as well as scan them for vulnerabilities and pen test. Sign up for a demo today!

The Download Recent research indicates that approximately 28% of the vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog were actively leveraged by ransomware criminals in 2024. The KEV catalog, designed to highlight vulnerabilities with known exploits to aid organizations in prioritizing patching efforts, has inadvertently become a resource for threat actors to identify and target unpatched systems. Attackers monitor these publicly disclosed vulnerabilities, swiftly developing exploits to infiltrate systems lacking timely updates. Once exploited, these vulnerabilities can grant unauthorized access, allowing attackers to deploy ransomware, exfiltrate sensitive data, or disrupt critical services. What You Can Do To mitigate these risks, IT administrators must adopt a proactive vulnerability management strategy. Regularly monitoring and promptly addressing vulnerabilities listed in the KEV catalog is essential. Implementing automated patch management systems can expedite the remediation process, reducing the window of exposure. Additionally, conducting continuous security assessments and penetration testing can identify potential weaknesses before adversaries exploit them. Employing multi-factor authentication (MFA) and network segmentation further enhances defense mechanisms, limiting the impact of potential breaches. By staying vigilant and prioritizing the remediation of known exploited vulnerabilities, organizations can strengthen their resilience against ransomware attacks. ThreatMate scans networks daily for vulnerabilities listed in the KEV catalog and alerts you to any present on the network. We know the adversaries monitor the KEV catalog, you should monitor networks for these vulnerabilities. ThreatMate automates this process for you. Sign up for a demo today! To Learn More: https://www.theregister.com/2025/02/28/cisa_kev_list_ransomware/

The Download In a significant security initiative, nearly 1,000 WordPress plugins and themes were temporarily closed in October due to unresolved vulnerabilities. This action resulted from a special event organized by Patchstack during Cyber Security Month, which led to the discovery of 1,571 valid security vulnerability reports affecting approximately 7.14 million active installations. The vulnerabilities ranged in severity, with some scoring as high as 10.0 on the CVSS scale, indicating critical risks that could allow attackers to execute arbitrary code, escalate privileges, or inject malicious scripts. Exploiting these vulnerabilities could enable attackers to gain unauthorized access, deface websites, steal sensitive data, or even take full control of affected sites. What You Can Do To safeguard their websites, IT administrators should promptly review their installed plugins and themes, ensuring they are up-to-date and sourced from reputable developers. Regular security audits, continuous monitoring for unusual activities, and the use of security plugins can further enhance the protection of WordPress sites.  ThreatMate's pen testing as a service (PTaaS) allows you to test your website's WordPress plug-ins among other attack surfaces for vulnerabilities actively exploited by adversaries. Sign up for a demo today! To Learn More: https://patchstack.com/articles/nearly-1000-plugins-closed-during-wordpress-security-cleanup/

The Download A massive botnet comprising over 130,000 compromised devices is executing large-scale password-spraying attacks targeting Microsoft 365 accounts. These attacks exploit the noninteractive sign-in feature—a basic authentication method often overlooked by security teams. Noninteractive sign-ins are performed by client applications or operating system components on behalf of users, utilizing previously established credentials without requiring user intervention. Attackers leverage this feature to conduct high-volume password-spraying attempts, aiming to gain unauthorized access to accounts while remaining undetected. What You Can Do To defend against these stealthy attacks, IT administrators should disable basic authentication protocols like noninteractive sign-ins, replacing them with modern, secure authentication methods such as OAuth or token-based authentication. Implementing multi-factor authentication (MFA) adds an additional layer of security, significantly reducing the risk of unauthorized access. Regularly monitoring sign-in logs, including noninteractive sign-ins, is crucial for detecting unusual activities. Enforcing strong password policies and educating users about the importance of unique, complex passwords can further enhance account security. ThreatMate analyses M365 tenants for security risks. Sign up for a demo today! To Learn More: https://www.darkreading.com/cyberattacks-data-breaches/microsoft-365-accounts-sprayed-mega-botnet