Notices by Caitlin Condon (catc0n@infosec.exchange)

  1. Caitlin Condon (catc0n@infosec.exchange), Thursday, 08-May-2025 06:00:59 JST. Mentions: Ryan Emmons

    Today, @fuzz disclosed 3 new vulnerabilities in SonicWall SMA-100 series appliances, one of which we believe may have been used in the wild. We're grateful to SonicWall's PSIRT team for a smooth and exceptionally quick response!

    An attacker with access to an SMA SSLVPN user account can chain these 3 vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory. This chain results in root-level remote code execution. The vulnerabilities have been fixed in the latest version.

    https://www.rapid7.com/blog/post/2025/05/07/multiple-vulnerabilities-in-sonicwall-sma-100-series-2025/

  2. Caitlin Condon (catc0n@infosec.exchange), Saturday, 12-Apr-2025 08:15:37 JST. Mentions: Kevin Beaumont, Ryan Emmons

    @GossiTheDog @fuzz yeah! Part of me dislikes that we're spending so much time on debunking (rather than, like...bunking?) vuln hype recently, but the practitioner side sounded pretty concerned about this and it's nice to be able to say honestly there's no need to panic. Thanks @fuzz :)

  3. Caitlin Condon (catc0n@infosec.exchange), Saturday, 12-Apr-2025 08:11:07 JST. Mentions: Ryan Emmons

    Really thoughtful write-up on Apache Parquet CVE-2025-30065 by @fuzz:

    "Overall, this feels like a clever red team exploit, where attackers have some existing authenticated write access to a bucket, knowledge of the underlying tech stack, and the desire to perform fancy lateral movement to achieve a niche goal in a hardened environment....As it stands, though this is cool, it requires a lot of expertise and time to weaponize, and RCE isn’t a sure thing even if you do get a Parquet file deserialized by a vulnerable instance."

    https://attackerkb.com/assessments/3c043281-25a1-44fc-a361-00e02ec2bc60

  4. Caitlin Condon (catc0n@infosec.exchange), Friday, 11-Apr-2025 04:25:10 JST. Mentions: Stephen Fewer

    Full analysis of Ivanti Connect Secure CVE-2025-22457 via @stephenfewer — full RCE, exploitation non-trivial (at least as it stands now).

    We should all be assuming that for any popular or high-profile technology, particularly network edge devices, adversaries have piles of software they're actively reverse engineering and developing complex exploit chains for, regardless of whether vulnerabilities are disclosed publicly as security issues or not. TAs are putting time, resources, and focus into learning the internals of *many* of these systems. If the technology industry broadly — and we ALL live in glass houses here — can't match that investment with expertise and evolution, I'm not sure we can expect the current attack landscape to improve.

    https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis

  5. Caitlin Condon (catc0n@infosec.exchange), Thursday, 20-Mar-2025 08:16:56 JST. Mentions: Ryan Emmons

    Okay, so Tomcat's a bust, but this sucker (CVE-2025-23120) could get interesting if the technical reality matches the advisory severity.

    It still throws me how many incidents Rapid7 MDR sees that include abuse of Veeam Backup & Replication in some manner — the deployment footprint of this product is always surprising to me, maybe because it's not usually internet-exposed, dunno. Anywho, domain-joined backup servers might be "against best practices," but that doesn't mean it's uncommon 🤷‍♀️ Thx to @fuzz for being on top of it as usual!

    https://www.rapid7.com/blog/post/2025/03/19/etr-critical-veeam-backup-and-replication-cve-2025-23120/

    Attachment: Critical Veeam Backup & Replication CVE-2025-23120 | Rapid7 Blog

  6. Caitlin Condon (catc0n@infosec.exchange), Thursday, 20-Mar-2025 00:05:23 JST

    Has anyone actually confirmed real-world compromises from the supposed Apache Tomcat exploitation (CVE-2025-24813) going on? Breathless headlines seem to be quoting a single vague source, and this bug isn't exploitable in anywhere close to a default config https://attackerkb.com/assessments/1a24556d-24fb-4017-be67-e4ab39c76566

    Attachment: CVE-2025-24813 | AttackerKB — Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files vi…

  7. Caitlin Condon (catc0n@infosec.exchange), Friday, 14-Feb-2025 00:33:46 JST. Mentions: Stephen Fewer

    New #Rapid7 vuln disclosure c/o @stephenfewer: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵 on its relation to BeyondTrust exploitation https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

    Attachment: CVE-2025-1094: PostgreSQL psql SQL injection (FIXED) | Rapid7 Blog

  8. Caitlin Condon (catc0n@infosec.exchange), Tuesday, 07-Jan-2025 23:52:42 JST

    I'm #hiring a vulnerability research manager in #Dublin, IE to manage zero-day research and coordinated vuln disclosure and to manage a small team of exceptionally skilled and kind folks. Hybrid role for now, Reading UK and Prague CZ also possible in addition to Dublin! https://careers.rapid7.com/jobs/manager-vulnerability-research-dublin-ireland

    Attachment: Manager, Vulnerability Research - Dublin, Ireland (careers.rapid7.com job listing)

  9. Caitlin Condon (catc0n@infosec.exchange), Tuesday, 24-Dec-2024 04:47:50 JST

    Pre-Christmas 0day just dropped, video PoC here: https://m.youtube.com/watch?v=E8gmARGvPlI

    Attachment: Wham! - Last Christmas (Official Video), from WhamVEVO

  10. Caitlin Condon (catc0n@infosec.exchange), Thursday, 19-Dec-2024 05:47:42 JST. Mentions: Ryan Emmons

    Almost exactly a year ago, Rapid7 put out a technical analysis of Apache #Struts 2 CVE-2023-50164 that said:

    * Exploit payloads were going to need to be customized to the target

    * It wasn't clear that there was any critical mass of remotely exploitable applications out of the box

    * The reports of exploitation in the wild all appeared to be unsuccessful attempts rather than IRL compromises of production systems.

    https://attackerkb.com/topics/pe3CCtOE81/cve-2023-50164/rapid7-analysis

    Fast-forward to CVE-2024-53677 and we can repeat the above verbatim, with one pretty notable exception — the "fixed" version that ostensibly remediates the vulnerability actually doesn't, and code-level changes are required (to migrate away from the vulnerable file upload interceptor) to actually remediate it. Also the "fixed" release (6.4.0) appears to have gone out a year ago? No idea. Big ups to @fuzz for the analysis!

    https://attackerkb.com/assessments/28f08c0a-702c-4ab0-99cb-eea00202fa2c

  11. Caitlin Condon (catc0n@infosec.exchange), Monday, 16-Dec-2024 23:57:30 JST. Mentions: Stephen Fewer

    Full Rapid7 analysis of #Cleo CVE-2024-55956 now available c/o @stephenfewer. It's neither a patch bypass of CVE-2024-50623 nor part of a chain after all — totally new bug, different exploitation strategies across the two issues (though the same endpoint gets used either way).

    I'm not sure it's been mentioned much yet that Cleo evidently released IOCs related to CVE-2024-50623 in October 2024, implying the older bug's been exploited for a minute. Would sure be helpful to know more about who was doing that exploiting, particularly now that Cl0p has claimed credit for last week's attack.

    https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

  12. Caitlin Condon (catc0n@infosec.exchange), Friday, 15-Nov-2024 22:24:30 JST

    Unpatched 0day in an enterprise firewall management interface? Must be Friday :batman: https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targeting-palo-alto-networks-firewall-management-interfaces/

    Attachment: Zero-day exploitation targeting Palo Alto Networks firewall management interfaces | Rapid7 Blog

  13. Caitlin Condon (catc0n@infosec.exchange), Monday, 22-Jan-2024 02:28:44 JST

    This is exceptional: https://ciaranmartin.substack.com/p/on-the-matter-of-the-british-library

    Attachment: On the matter of the British Library cyber incident, from Ciaran Martin — "The most important lesson to figure out is why it is taking so long to restore services. That will tell us how to prevent such a calamity in other vital national institutions."

Profile: Caitlin Condon (catc0n@infosec.exchange)

    Adventurer. Takes a lot of photos, calls many places home. Vulnerability research director @ Rapid7. Opinions mine, etc. She/her.