Threat Intel: Thursday, January 9

Welcome to this week’s Threat Intelligence Roundup! Each week we cover the latest on emerging threats, trends, and top security practices, all tailored just for you.

Threat Intel Thursdays are designed to give you a wider perspective and arm you with the knowledge you need to make smart security decisions.

Threat Intelligence Email Blasts This Week:

Ivanti Advising of New Connect Secure Exploit Used in Zero-Day Attacks
Ivanti has disclosed a critical remote code execution vulnerability, identified as CVE-2025-0282, affecting its Connect Secure appliances. This flaw has been actively exploited in zero-day attacks, allowing unauthenticated attackers to execute arbitrary code on unpatched devices. Ivanti has released a security update for Connect Secure, urging administrators to apply the patch immediately.

This Week’s Roundup:

SonicWall Warning Of An Exploitable Vulnerability
SonicWall has identified a critical improper access control vulnerability in its SonicOS firmware, affecting Gen 6 and certain Gen 7 firewall devices. This flaw, tracked as CVE-2024-53704, could allow unauthorized access to system resources and, in specific scenarios, cause the firewall to crash. Administrators are advised to apply the latest patches available on MySonicWall to secure their systems.

Critical Vulnerabilities in Moxa Routers Allow Root Access
Moxa has reported two critical vulnerabilities in its cellular routers and network security appliances. The first, CVE-2024-9138, involves hard-coded credentials that could allow authenticated users to escalate privileges to the root level, leading to potential system compromise. The second, CVE-2024-9140, is an OS command injection flaw that permits attackers to execute arbitrary commands on the system. Teams are advised to update their devices with the latest firmware patches provided by Moxa.

RCE Flaw in GFI KerioControl Allows Remote Code Execution
A critical remote code execution (RCE) vulnerability, identified as CVE-2024-52875, has been discovered in GFI KerioControl firewall software versions 9.2.5 through 9.4.5. This flaw allows attackers to inject malicious inputs into HTTP response headers, leading to potential system compromise. GFI Software has released a patch to address this issue. Admins are advised to update their KerioControl installations to the latest version.
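The KerioControl item names the general defect class of untrusted input reaching HTTP response headers. The following is an added example, not KerioControl's code and not from the original post: a response builder that serialises header values as given, beside a hardened one that refuses any name or value that could break header framing (CR, LF, NUL). The handler, the `Location` value and the injected marker header are constructed for the demonstration.

```python
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Header names must be RFC 7230 tokens; values may never contain CR, LF or NUL,
# because those bytes are what the client uses to delimit header lines.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_BAD_VALUE_CHARS = re.compile(r"[\r\n\x00]")


def build_response_weak(status: str, headers: Headers) -> bytes:
    """Weak: serialises whatever it is given, so a value containing CRLF turns
    into an extra header line (or the start of the body) on the wire."""
    lines = [f"HTTP/1.1 {status}"] + [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def safe_header(name: str, value: str) -> Tuple[str, str]:
    """Hardened: reject, rather than encode or strip, anything that breaks framing."""
    if not _TOKEN.match(name):
        raise ValueError(f"invalid header name: {name!r}")
    if _BAD_VALUE_CHARS.search(value):
        raise ValueError("header value contains CR, LF or NUL")
    return name, value


def build_response_safe(status: str, headers: Headers) -> bytes:
    """Same serialiser, but every header passes the framing check first."""
    checked = [safe_header(name, value) for name, value in headers]
    return build_response_weak(status, checked)


def count_header_lines(raw: bytes) -> int:
    """Demo helper: how many header lines a client would see (status line excluded)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


# Constructed redirect targets, as a hypothetical handler might echo them into Location.
CLEAN_TARGET = "/dashboard"
CRLF_TARGET = "/dashboard\r\nX-Injected: yes"


def demo() -> Tuple[int, int, bool]:
    """Returns (header lines from the weak builder on CRLF input,
    header lines from the safe builder on clean input, whether the safe builder rejected CRLF)."""
    weak_lines = count_header_lines(build_response_weak("302 Found", [("Location", CRLF_TARGET)]))
    clean_lines = count_header_lines(build_response_safe("302 Found", [("Location", CLEAN_TARGET)]))
    try:
        build_response_safe("302 Found", [("Location", CRLF_TARGET)])
        rejected = False
    except ValueError:
        rejected = True
    return weak_lines, clean_lines, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting instead of sanitising is deliberate: stripping CR/LF silently can still leave a value that a downstream proxy interprets differently, whereas a refused request is easy to log and alert on.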

Scammers Exploiting M365 To Target PayPal Users
Scammers are exploiting Microsoft 365’s Sender Rewrite Scheme (SRS) to send fraudulent PayPal money requests that appear legitimate to recipients. By registering a free Microsoft 365 test domain and creating a distribution list with targeted email addresses, attackers initiate a PayPal payment request. The SRS modifies the sender address to bypass email authentication checks, making the email seem authentic. Recipients who follow the provided link and log into their PayPal accounts risk unauthorized access by the scammers. To defend against such threats, it’s crucial to scrutinize unexpected payment requests, even when they appear legitimate, and consider implementing data loss prevention (DLP) rules to detect and block these phishing attempts.
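A mail-flow check that makes the SRS rewrite visible, as an added example that is not part of the original post: it decodes the standard SRS0 envelope-sender layout (SRS0=hash=timestamp=original-domain=original-local@forwarder) to recover the domain the rewrite hides, then routes brand mail that arrived through a forwarder the organisation does not use for manual review. The `bounces+SRS=` prefix is included as an assumption about how Exchange Online formats its rewrite, the watch list, trusted-forwarder list and sample senders are constructed, and the rule is a starting point rather than a complete DLP policy.

```python
import re
from typing import Dict, List, Optional

# Standard SRS0 layout; the 'bounces+SRS=' alternative is an assumption about
# Exchange Online's rewrite and should be adjusted to what your own gateway logs show.
_SRS_RE = re.compile(
    r"^(?:SRS0=|bounces\+SRS=)"
    r"(?P<hash>[^=@]+)=(?P<ts>[^=@]+)=(?P<domain>[^=@]+)=(?P<local>[^@]+)"
    r"@(?P<forwarder>[^@]+)$",
    re.IGNORECASE,
)

WATCHED_BRAND_DOMAINS = {"paypal.com"}        # constructed: brands worth a second look
TRUSTED_FORWARDERS = {"lists.example.org"}     # constructed: forwarders we knowingly rely on


def decode_srs0(address: str) -> Optional[Dict[str, str]]:
    """Recover the original sender behind an SRS rewrite; None if the address is not SRS."""
    m = _SRS_RE.match(address.strip())
    if not m:
        return None
    return {
        "original": f"{m['local']}@{m['domain']}",
        "original_domain": m["domain"].lower(),
        "forwarder": m["forwarder"].lower(),
    }


def assess_envelope_sender(address: str) -> str:
    """Rule: a watched brand's mail that reaches us via an unknown forwarder gets
    'review', because the rewritten sender passing SPF says nothing about the original."""
    info = decode_srs0(address)
    if info is None:
        return "not-srs"
    if info["original_domain"] in WATCHED_BRAND_DOMAINS and info["forwarder"] not in TRUSTED_FORWARDERS:
        return "review"
    return "srs-ok"


# Constructed envelope senders in the shape a mail gateway log would record them.
SAMPLE_SENDERS = [
    "SRS0=abcd=AB=paypal.com=service@contoso.onmicrosoft.com",
    "SRS0=efgh=AB=paypal.com=service@lists.example.org",
    "alice@example.com",
]


def flagged(senders: List[str]) -> List[str]:
    """Return the senders the rule would hold for review."""
    return [s for s in senders if assess_envelope_sender(s) == "review"]


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(assess_envelope_sender(sender), sender, decode_srs0(sender))
```

The decoded `original_domain` is the field to correlate with the visible From header and with DMARC results; the forwarder domain alone tells you only who re-sent the message.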

Unpatched Critical Exploits Impacting Fancy Product Designer WP Plugin
The Fancy Product Designer plugin for WordPress has two critical vulnerabilities that remain unpatched. The first flaw allows unauthenticated users to upload arbitrary files, potentially leading to remote code execution. The second is an SQL injection vulnerability that could enable attackers to manipulate or access database information. Despite being informed of these issues in March 2024, the vendor has not yet released fixes. Web admins are advised to deactivate the plugin until updates are provided.

Nuclei Flaw Allowing Malicious Templates
A critical vulnerability, identified as CVE-2024-43405, was discovered in Nuclei, an open-source vulnerability scanner. This flaw allowed attackers to bypass template signature verification, enabling the execution of malicious code on local systems. The issue arose from discrepancies in how line breaks were handled during signature verification. ProjectDiscovery has released a fixed version, and teams should update to it to ensure system security.
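The Nuclei item describes a class of defect worth seeing in miniature: a signature check and the parser that later consumes the template disagreeing on which bytes make up the template. The following is an added example, not Nuclei's code or ProjectDiscovery's: a toy template format, a signer (HMAC stands in for a real signature), a weak verifier that normalises line breaks before hashing and then hands the raw text to the parser, and a hardened verifier that checks exactly the bytes the parser will receive and refuses ambiguous line terminators outright. The format, key and sample templates are constructed.

```python
import hashlib
import hmac
from typing import Optional, Tuple

KEY = b"constructed-demo-key"   # constructed; a real scanner uses asymmetric signatures
SIG_PREFIX = "# signature: "


def parse_template(body: str) -> dict:
    """Toy parser: one 'key: value' per '\\n'-separated line. A trailing '\\r' is
    tolerated, but a bare '\\r' inside a line is ordinary data, as in many real parsers."""
    result = {}
    for line in body.split("\n"):
        line = line.rstrip("\r")
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        result[key.strip()] = value.strip()
    return result


def sign_template(body: str) -> str:
    """Append an HMAC over the exact body bytes as a final comment line."""
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n" + SIG_PREFIX + mac + "\n"


def _split_signed(signed: str) -> Optional[Tuple[str, str]]:
    """Locate the signature line; returns (body, signature) without normalising anything."""
    idx = signed.rfind("\n" + SIG_PREFIX)
    if idx < 0 or not signed.endswith("\n"):
        return None
    return signed[:idx], signed[idx + 1 + len(SIG_PREFIX):-1]


def verify_weak(signed: str) -> Optional[dict]:
    """Weak: hashes a line-break-normalised copy (str.splitlines() treats '\\r',
    '\\x0b', '\\x1c' and more as terminators) but gives the parser the raw text."""
    parts = _split_signed(signed)
    if parts is None:
        return None
    body, sig = parts
    canonical = "\n".join(body.splitlines())
    expected = hmac.new(KEY, canonical.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return parse_template(body)   # the parser sees bytes that were never hashed


def verify_strict(signed: str) -> Optional[dict]:
    """Hardened: the signature is checked over exactly the bytes the parser receives,
    and bytes that different line-splitting rules disagree on are refused, not normalised."""
    parts = _split_signed(signed)
    if parts is None:
        return None
    body, sig = parts
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if any(ch in body for ch in "\r\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029"):
        return None                # defence in depth: only '\n' may separate lines
    return parse_template(body)


# Constructed inputs: a correctly signed template, and a copy in which one '\n' has
# been swapped for '\r', a byte the two line-splitting rules above disagree about.
SIGNED_OK = sign_template("id: demo-check\nseverity: low")
SIGNED_SWAPPED = SIGNED_OK.replace("id: demo-check\nseverity: low", "id: demo-check\rseverity: low")


if __name__ == "__main__":
    print("weak  :", verify_weak(SIGNED_OK), verify_weak(SIGNED_SWAPPED))
    print("strict:", verify_strict(SIGNED_OK), verify_strict(SIGNED_SWAPPED))
```

The weak verifier accepts the swapped copy even though the parser now yields a different document from the one that was signed; the strict verifier rejects it because the hashed bytes and the parsed bytes are the same object. The general rule: verify the artefact, then parse that same artefact, with no canonicalisation step in between that the parser does not also perform.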

New PhishWP Plugin Enabling Payment Page Scams
Cybercriminals have developed a malicious WordPress plugin named PhishWP, designed to create counterfeit payment pages that closely mimic legitimate services like Stripe. This tool enables attackers to steal sensitive financial information, including credit card details and one-time passwords (OTPs), by tricking users into entering their data on these fraudulent pages. The stolen information is then transmitted directly to the attackers via Telegram, often in real-time. To protect against such threats, it’s crucial to scrutinize unexpected payment requests, even when they appear legitimate, and consider implementing data loss prevention (DLP) rules to detect and block these phishing attempts.
