cybersecurity

Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

Introduction

This vulnerability report has been generated using data aggregated on Vulnerability-Lookup, with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for June 2025, based on sightings collected from various sources, including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists, The Shadowserver Foundation, Nuclei, and more. For further details, please visit this page.

The final section focuses on exploitations observed through The Shadowserver Foundation's honeypot network.

The Month at a Glance

The June 2025 report highlights a mix of long-standing and newly identified high-risk vulnerabilities. Notably, Citrix discloses a critical NetScaler ADC/Gateway flaw (CVE-2025-5777), dubbed “CitrixBleed 2,” which can expose session tokens and bypass multi-factor authentication — echoing last year’s infamous CitrixBleed. Other urgent issues include a PayU India WordPress plugin vulnerability (CVE-2025-31022) that allows full account takeover across thousands of sites, and a Python “tarfile” library bug (CVE-2025-4517) that enables attackers to write files outside intended directories. Among the most sighted vulnerabilities are multiple Microsoft Windows 10 and Google Chrome flaws, as well as several Citrix ADC bugs, many rated “High” or “Critical.” Common web weaknesses like cross-site scripting and SQL injection (CWE-79, CWE-89) remain widespread, highlighting the ongoing need for strong patching hygiene. Some older vulnerabilities — such as the 2015 D-Link DIR-645 flaw and known Confluence or Cisco RCE bugs — also continue to see active exploitation. Organizations should prioritize remediation of these critical and actively targeted vulnerabilities, while reinforcing application security against injection and XSS attacks.

Top 10 vulnerabilities of the Month

Vulnerability	Vendor	Product	VLAI Severity
CVE-2025-33053	Microsoft	Windows 10 Version 1809	High
CVE-2025-49113	Roundcube	Webmail	High
CVE-2025-5777	NetScaler	ADC	Critical
CVE-2025-5419	Google	Chrome	High
CVE-2025-2783	Google	Chrome	High
CVE-2025-6019	Red Hat	Red Hat Enterprise Linux 10	Medium
CVE-2025-33073	Microsoft	Windows 10 Version 1809	High
CVE-2025-6543	NetScaler	ADC	Critical
CVE-2015-2051	D-Link	DIR-645	Critical
CVE-2017-18368	ZyXEL	P660HN-T1A	Critical

Evolution of sightings per week

Top 10 Weaknesses of the Month

| CWE | Number of vulnerabilities | |

| -------------------------------------------------------- |

| CWE-79 | 659 | | CWE-89 | 411 | | CWE-74 | 342 | | CWE-119 | 190 | | CWE-862 | 157 | | CWE-352 | 157 | | CWE-120 | 105 | | CWE-94 | 94 | | CWE-22 | 86 | | CWE-98 | 74 |

Insights from Contributors

CitrixBleed 2
Citrix patched a critical vulnerability in its NetScaler ADC and NetScaler Gateway products that is already being compared to the infamous CitrixBleed flaw exploited by ransomware gangs and other cyber scum, although there haven't been any reports of active exploitation. Yet.

Security analyst Kevin Beaumont dubbed the vulnerability "CitrixBleed 2." As The Register's readers likely remember, that earlier flaw (CVE-2023-4966) allowed attackers to access a device's memory, find session tokens, and then use those to impersonate an authenticated user while bypassing multi-factor authentication — which is also possible with this new bug.

GCVE-1-2025-0002: Cl0p Ransomware Data Exfiltration Vulnerable to RCE Attacks A newly identified security vulnerability in the Cl0p ransomware group’s data exfiltration utility has exposed a critical remote code execution (RCE) flaw that security researchers and rival threat actors could potentially exploit.

The vulnerability, designated as GCVE-1-2025-0002, was published on July 1, 2025, and carries a high severity rating of 8.9 on the CVSS:4.0 scale.

Stuxnet-related CVEs

• CVE-2010-2568 MS10-046 Windows
• CVE-2010-2729 MS10-061 Windows
• CVE-2008-4250 MS08-067 Windows
• CVE-2010-2772 Not Available Siemens SIMATIC WinCC

CVE-2025-31022: More details about PayU wordpress extension
"This can be abused by a malicious actor to perform action which normally should only be able to be executed by higher privileged users. These actions might allow the malicious actor to gain admin access to the website."

CVE-2025-4517: Additional information
RISK : Multiple vulnerabilities affect the standard TarFile library for CPython. Currently, there is no indication that the vulnerability is actively exploited, but because it is a zero-day with a substantial install base, attackers can exploit it at any moment. An attacker could exploit flaws to bypass safety checks when extracting compressed files, allowing them to write files outside intended directories, create malicious links, or tamper with system files even when protections are supposedly enabled. Successful exploitation could lead to unauthorised access, data corruption, or malware installation, especially if your systems or third-party tools handle untrusted file uploads or archives RECOMMENDED ACTION: Patch Source: ccb.be

Continuous Exploitation

• CVE-2025-32433 - erlang / otp
• CVE-2015-2051 - D-Link / DIR-645
• CVE-2022-26134 - Atlassian / Confluence Data Center
• CVE-2019-1653 - Cisco / Cisco Small Business RV Series Router Firmware

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
https://github.com/vulnerability-lookup/vulnerability-lookup/issues/

• GitHub Archive logs every public commit, even the ones developers try to delete. Force pushes often cover up mistakes like leaked credentials by rewriting Git history. GitHub keeps these dangling commits, from what we can tell, forever. In the archive, they show up as “zero-commit” PushEvents.
• I scanned every force push event since 2020 and uncovered secrets worth $25k in bug bounties.
• Together with Truffle Security, we're open sourcing a new tool to scan your own GitHub organization for these hidden commits (try it here).

cross-posted from: https://lemmy.sdf.org/post/37950350

Archived

• [Security firm] Silent Push Threat Analysts followed a tip from Mexican journalist Ignacio Gómez Villaseñor about a threat actor targeting “Hot Sale 2025,” an annual sales event similar to “Black Friday” in the U.S.
• The team pivoted from that Mexico-centric campaign into thousands of websites that broadly targeted a more global audience with abundant waves of fake marketplace scams.
• We identified a private technical fingerprint associated with this infrastructure, which contains Chinese words and characters to strongly indicate that the developers of this network are from China.
• Our analysts observed this threat actor group building multiple phishing websites with pages spoofing well-known retailers, including Apple, Harbor Freight Tools, Michael Kors, REI, Wayfair, and Wrangler Jeans.
• The threat actor has also been caught abusing online payment services, including MasterCard, PayPal, and Visa, as well as payment security techniques such as Google Pay, across the campaign’s network of scam websites.

[...]

cross-posted from: https://lemmy.sdf.org/post/37887750

Archived

Here is the report (pdf).

The French National Agency for Information Systems Security, or ANSSI, said Tuesday it observed French organizations affected by activity using a slew of security flaws to break into an end-of-life version of the Utah company's Cloud Services Appliance applications. The campaign affected government agencies, telecoms and firms in the media, finance and transport sectors. ANSII dubs the intrusion set "Houken".

[...]

The hacker used a wide number of open-source tools "mostly crafted by Chinese-speaking developers," were active during Chinese working hours and exhibited behaviors consistent with intelligence collection. The threat actor also sought self-enrichment, installing a cryptominer on one victim system. Chinese nation-state hacking is an unusual combination of intelligence agencies and private sector companies. Some hackers choose their own targets and sell exfiltrated data or access to government agencies - or may do for-profit hacking on the side. "Nevertheless, the use of cryptominers remains uncommon for this threat actor," ANSSI wrote.

[...]

A colleague was discussing an option to use different vendors either side of a DMZ and suggested StormShield... I'd not heard of them before.

Looks interesting, albeit an old Gartner "magic quadrant" showed their firewalls as being in the bottom left corner... so I thought I'd ask here for real-life opinions on them... if any?

cross-posted from: https://lemmy.sdf.org/post/37703162

Archived

[...]

A patient’s death has been officially connected to a cyber attack carried out by the Qilin ransomware group that crippled pathology services at several major NHS hospitals in London last year. The cyber attack on Synnovis, a key pathology provider, caused widespread disruption to vital diagnostic services, delaying critical blood test results and impacting patient care significantly.

King’s College Hospital NHS Foundation Trust confirmed that a patient unexpectedly died during the cyber-incident. A spokesperson for the trust revealed that a detailed review of the patient’s care found multiple contributing factors, including “a long wait for a blood test result due to the cyber attack impacting pathology services at the time.”

The findings of this safety investigation have been shared with the patient’s family. Synnovis CEO, Mark Dollar, expressed deep sadness, stating, “Our hearts go out to the family involved.”

[...]

The attack occurred on June 3, 2024, targeting Synnovis, which provides diagnostics, testing, and digital pathology in southeast London. This incident brought blood testing across multiple NHS trusts, including King’s College, Guy’s and St Thomas’, and Lewisham and Greenwich hospitals, along with GP practices, to a halt.

The disruption was extensive, affecting more than 10,000 outpatient appointments and leading to the postponement of 1,710 operations at King’s College and Guy’s and St Thomas’ NHS Foundation Trusts.

[...]

cross-posted from: https://lemmy.sdf.org/post/37599025

Archived

The Canadian government has ordered Chinese surveillance camera manufacturer Hikvision to cease operations in Canada over national security concerns, Industry Minister Melanie Joly said late on Friday.

[...]

"The government has determined that Hikvision Canada Inc's continued operations in Canada would be injurious to Canada's national security," Joly said on X, adding that the decision was taken after a multi-step review of information provided by Canada's security and intelligence community.

[...]

Canada said last year it was reviewing an application to impose sanctions against Chinese surveillance equipment companies, including Hikvision, after rights advocates alleged the firms were aiding repression and high-tech surveillance in Xinjiang.

Joly said Canada was also banning the purchase of Hikvison's products in government departments and agencies, and reviewing existing properties to ensure that legacy Hikvision products were not used in the future.

She said the order does not extend to the company's affiliate operations outside Canada but "strongly" encouraged Canadians "to take note of this decision and make their own decisions accordingly."

cross-posted from: https://lemmy.sdf.org/post/37521781

Historically, Western assessments of cyber threats have concentrated on state adver­saries. More than 600 state-backed groups are tracked globally. Yet, for more than a decade, Western analyses and discussions of cyber threat concerns have focused mainly on four states: China, Iran, Russia and North Korea. Based on open-source report­ing evaluated by the European Repository of Cyber Incidents (EuRepoC), these coun­tries account for more than 70 per cent of the state-backed threats that Europe and its partners have faced since 2000.

[...]

Critically, in the current climate of heightened geopolitical tension, the opera­tional divide between state and non-state actors shows signs of collapsing, as states seek to assert control over cyber capabilities both inside and outside their borders. A closer examination of EuRepoC data under­scores the need for a more integrated understanding in the analysis of state and non-state actor threats. These trend lines are particularly pronounced in the case of the authoritarian states that have been dominating Western threat perceptions, drawing attention to the reinforcement that long-standing nation state threats derive from non-state capabilities. Russia, China and North Korea have developed their own distinct approaches. While Russia has pro­vided sanctuary for criminal groups, Chi­na’s state programmes have served to accel­erate the emergence of a domestic hacking industry. Charting its own path, North Korea has sought to create bridgeheads extra­territorially for its operators.

[...]

Russia: The safe haven blueprint

Russian cyber criminals make up nearly half of the most wanted list published by Germany’s Federal Criminal Police Office (BKA). That list typically includes individ­uals accused of high-profile crimes, such as members of the far-left terrorist organi­sation RAF, those who collaborated in the 9/11 attacks and individuals such as Jan Marsalek, the former chief operating officer of the now bankrupt payment processor Wirecard. The BKA list has had a notable success rate. Close to 70 per cent of suspects included on it since 1999 were arrested. How­ever, in the case of the twenty-six people included on the list because of sus­pected links to the Russian criminal under­ground, there is little expectation of any breakthrough, despite German law enforce­ment and its international partners having collected a wealth of information on those individuals.

[...]

China: Command, control, deny

Unlike Russia, the People’s Republic of China (PRC) seeks to seize non-state cyber capabil­ities through the targeted development of a commercial ecosystem. This approach is part of the three-fold aim to establish com­mand, control and deniability within the PRC cyber portfolio. As regards the first goal, command efforts are designed to secure un­conditional authority over high-risk opera­tions entrusted to the military.

Meanwhile, initiatives to strengthen con­trol have centralised the coordination of cyber espionage objectives within the Minis­try of State Security (MSS). This arrangement is supported by the legally mandated report­ing of vulnerabilities and a network of hack­ing competitions that channel the findings of vulnerability research into offensive pro­grammes. The MSS 13th Bureau’s management of the Chinese National Vulnerability Database ensures near-seamless integration into this vulnerability discovery system.

[...]

North Korea: Breaking out of isolation

The cyber activities of the Democratic People’s Republic of Korea (DPRK) are both a strategic continuation of and operational departure from the political, economic and military self-reliance strongly emphasised in the country’s state ideology. While the DPRK is attempting to break out, at least partly, of its self-imposed isolation through its cyber programme – thereby demonstrat­ing the political will and the capability to innovate means of subverting internation­al sanctions – it is also making con­sider­able efforts to leverage non-state capa­bilities beyond its own borders. Despite its diplomatic isolation, the DPRK has been able to enlist foreign tools and know-how to steal cryptocurrency and use blockchain-based technologies developed by a global decentralised community of engineers to launder funds and thereby support the devel­opment of its military capabilities. To gen­erate revenue and alleviate the pressure of sanctions, the DPRK has sought to lever­age legitimate platforms and expertise, which be­come criminally liable – and thus a focus of interest – only when co-opted in this way.

[...]

Calibrating responses [by the EU and the West]

In the absence of an integrated understanding of how authoritarian actors lever­age non-state resources, the potential of tac­tics to slow down and fragment attribution efforts may weaken the response toolkit developed by EU member states. Currently, key cyber diplomacy tools – such as sanc­tions – remain closely tied to attribution. Addressing senior officials responsible for developing cyber policies/practices in May 2025, Germany’s cyber ambassador, Maria Adebahr, recognised that efforts to hold threat actors accountable are dependent on this link to attribution. Implicit in this recog­nition is the need to develop response options that are independent of attribution.

Capturing non-state capabilities allows authoritarian states to increase their capa­bilities pool and step up their operational tempo. Diplomatic measures that address the interweaving of state and non-state capabilities have a strong complementary potential. They include not only initiatives aimed at restricting access for threat actors to legitimate platforms and disrupting criminal tools; information sharing – as part of a regular exchange with friendly jurisdictions – with a view to developing a common threat perception could support due diligence efforts to constrain the room for manoeuvre overseas and facilitate the takedown of shadow infrastructure. A re­sponse framework that remains fit for pur­pose requires a range of tools that can match the changing scope of the threat.

Wanna chat about something non-infosec amongst those of us who frequent /c/cybersecurity? Here’s your chance! (Keep things civil & respectful please)