Notices by Caitlin Condon (catc0n@infosec.exchange)

Okay, so Tomcat's a bust, but this sucker (CVE-2025-23120) could get interesting if the technical reality matches the advisory severity.

It still throws me how many incidents Rapid7 MDR sees that include abuse of Veeam Backup & Replication in some manner — the deployment footprint of this product is always surprising to me, maybe because it's not usually internet-exposed, dunno. Anywho, domain-joined backup servers might be "against best practices," but that doesn't mean it's uncommon 🤷♀️ Thx to @fuzz for being on top of it as usual!

https://www.rapid7.com/blog/post/2025/03/19/etr-critical-veeam-backup-and-replication-cve-2025-23120/

Has anyone actually confirmed real-world compromises from the supposed Apache Tomcat exploitation (CVE-2025-24813) going on? Breathless headlines seem to be quoting a single vague source, and this bug isn't exploitable in anywhere close to a default config https://attackerkb.com/assessments/1a24556d-24fb-4017-be67-e4ab39c76566

New #Rapid7 vuln disclosure c/o
@stephenfewer: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵on its relation to BeyondTrust exploitation https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

I'm #hiring a vulnerability research manager in #Dublin, IE to manage zero-day research and coordinated vuln disclosure and to manage a small team of exceptionally skilled and kind folks. Hybrid role for now, Reading UK and Prague CZ also possible in addition to Dublin! https://careers.rapid7.com/jobs/manager-vulnerability-research-dublin-ireland

Pre-Christmas 0day just dropped, video PoC here: https://m.youtube.com/watch?v=E8gmARGvPlI

Almost exactly a year ago, Rapid7 put out a technical analysis of Apache #Struts 2 CVE-2023-50164 that said:

* Exploit payloads were going to need to be customized to the target

* It wasn't clear that there was any critical mass of remotely exploitable applications out of the box

* The reports of exploitation in the wild all appeared to be unsuccessful attempts rather than IRL compromises of production systems.

https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis

Fast-forward to CVE-2024-53677 and we can repeat the above verbatim, with one pretty notable exception — the "fixed" version that ostensibly remediates the vulnerability actually doesn't, and code-level changes are required (to migrate away from the vulnerable file upload interceptor) to actually remediate it. Also the "fixed" release (6.4.0) appears to have gone out a year ago? No idea. Big ups to @fuzz for the analysis!

https://attackerkb.com/assessments/28f08c0a-702c-4ab0-99cb-eea00202fa2c

Full Rapid7 analysis of #Cleo CVE-2024-55956 now available c/o @stephenfewer. It's neither a patch bypass of CVE-2024-50623 nor part of a chain after all — totally new bug, different exploitation strategies across the two issues (though the same endpoint gets used either way).

I'm not sure it's been mentioned much yet that Cleo evidently released IOCs related to CVE-2024-50623 in October 2024, implying the older bug's been exploited for a minute. Would sure be helpful to know more about who was doing that exploiting, particularly now that Cl0p has claimed credit for last week's attack.

https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

Unpatched 0day in an enterprise firewall management interface? Must be Friday :batman: https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targeting-palo-alto-networks-firewall-management-interfaces/

This is exceptional: https://ciaranmartin.substack.com/p/on-the-matter-of-the-british-library