Weekly Security News – 28th April 2025

ASUS vulnerability uncovered, Remote Desktop and Office being attacked, increase in CVEs being exploited so far in 2025...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Critical ASUS Router Vulnerability Lets Attackers Execute Malicious Code Remotely

A critical security vulnerability has been discovered in ASUS routers featuring the AiCloud service, exposing millions of devices to the risk of remote code execution by unauthenticated attackers. 

The flaw, tracked as CVE-2025-2492, has received a CVSS v4 score of 9.2, placing it among the most severe vulnerabilities affecting consumer networking equipment this year.

The vulnerability stems from improper authentication control within certain ASUS router firmware series. 

Attackers can exploit this flaw by sending a specially crafted HTTP request to the router’s public interface, thereby bypassing authentication mechanisms and gaining unauthorized access to critical device functions. 

This means that a remote attacker, without any valid credentials, could potentially execute arbitrary commands or malicious code on the affected router.

AiCloud is a proprietary cloud-based feature that allows users to access files, stream media, and manage network-connected devices remotely.

Speedify VPN macOS Vulnerability Lets Attackers Escalate Privileges

A significant security vulnerability, tracked as CVE-2025-25364, was discovered in Speedify VPN’s macOS application, exposing users to local privilege escalation and full system compromise. 

The flaw, uncovered by SecureLayer7, resides in the privileged helper tool me.connectify.SMJobBlessHelper, which is responsible for executing system-level operations with root privileges for the Speedify VPN client.

The vulnerability stemmed from improper input validation in the helper tool’s XPC interface (Apple’s interprocess communication mechanism, through which unprivileged clients send requests to the root helper).

Specifically, two user-controlled fields—cmdPath and cmdBin—within incoming XPC messages were used directly to construct command-line strings without adequate sanitization. 

This oversight enabled a command injection vulnerability, allowing any local attacker to craft a malicious XPC message and inject arbitrary shell commands that would be executed as root.

The attack chain involved several functions. The first served as the entry point for XPC messages: it checked only that the incoming message was a dictionary and invoked _handleLaunchSpeedifyMsg when the “request” field was “runSpeedify”. No validation was performed on the contents of cmdPath or cmdBin before they reached the command-line construction.
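To make the flaw concrete, the following added example models the pattern the write-up describes: a message handler that trusts two caller-supplied fields and pastes them into a shell command, beside a hardened handler that validates the fields, normalises the path, checks an allowlist and returns an argv array for exec without a shell. This is illustrative Python, not Speedify’s code (the real helper is an Objective-C XPC service); the XPC message is modelled as a dict with the field names from the report, and the way the two fields are joined, the allowlist path and the payload are assumptions made here.

```python
"""Illustration of the command-injection pattern in the Speedify helper flaw.

Added example, not Speedify's code.  An XPC message is modelled as a plain dict
carrying the field names from the write-up ("request", "cmdPath", "cmdBin").
How the helper joined the two fields is an assumption made for illustration.
"""
import os
import re

# Hypothetical allowlist of binaries the root helper is permitted to launch.
ALLOWED_BINARIES = frozenset({"/Applications/Speedify.app/Contents/MacOS/speedify"})

# Characters a POSIX shell treats specially.  Irrelevant once no shell is used,
# but useful for showing what the vulnerable path would have handed to one.
SHELL_META = re.compile(r"[;&|`$<>()'\"\\]")


def vulnerable_build_command(msg: dict) -> str:
    """Mirrors the flaw as described: the handler checks only that the message is a
    dict whose "request" is "runSpeedify", then pastes cmdPath and cmdBin straight
    into a command line that the helper would pass to a shell as root."""
    if not isinstance(msg, dict) or msg.get("request") != "runSpeedify":
        raise ValueError("unhandled request")
    return f"{msg['cmdPath']}/{msg['cmdBin']}"   # assumed join; no validation at all


def safe_build_argv(msg: dict) -> list:
    """Hardened counterpart: type-check both fields, require an absolute directory
    and a bare file name, normalise the combined path, enforce an allowlist and
    return an argv list for posix_spawn/execv so no shell ever parses it."""
    if not isinstance(msg, dict) or msg.get("request") != "runSpeedify":
        raise ValueError("unhandled request")
    cmd_path, cmd_bin = msg.get("cmdPath"), msg.get("cmdBin")
    if not isinstance(cmd_path, str) or not isinstance(cmd_bin, str):
        raise ValueError("cmdPath and cmdBin must be strings")
    if not os.path.isabs(cmd_path) or not re.fullmatch(r"[A-Za-z0-9._-]+", cmd_bin):
        raise ValueError("cmdPath must be absolute and cmdBin a bare file name")
    # normpath collapses ".." and duplicate separators before the allowlist check;
    # a real helper should additionally realpath() the installed binary.
    binary = os.path.normpath(os.path.join(cmd_path, cmd_bin))
    if binary not in ALLOWED_BINARIES:
        raise PermissionError(f"{binary} is not an approved binary")
    return [binary]


def shell_injection_risk(command_line: str) -> bool:
    """True if the string the vulnerable path would execute contains shell metacharacters."""
    return SHELL_META.search(command_line) is not None


# Constructed messages: one legitimate, one carrying a command-injection payload.
LEGIT_MSG = {"request": "runSpeedify",
             "cmdPath": "/Applications/Speedify.app/Contents/MacOS",
             "cmdBin": "speedify"}
EVIL_MSG = {"request": "runSpeedify",
            "cmdPath": "/tmp",
            "cmdBin": "x; /usr/bin/touch /tmp/pwned_as_root #"}


def demo() -> dict:
    """Run both handlers against both messages and report what each would do."""
    result = {"vulnerable_evil": vulnerable_build_command(EVIL_MSG),
              "safe_legit": safe_build_argv(LEGIT_MSG)}
    try:
        safe_build_argv(EVIL_MSG)
        result["safe_evil"] = "accepted"
    except (ValueError, PermissionError) as exc:
        result["safe_evil"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two design points are that the hardened handler never builds a string for a shell (so metacharacters carry no meaning) and that it normalises the path before comparing it with the allowlist, so a cmdPath containing “..” cannot escape the approved directory. In a real SMJobBless helper the standard complementary control, not shown here, is to verify the code-signing identity of the connecting XPC client before honouring any request.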

Microsoft fixes bug causing incorrect 0x80070643 WinRE errors

Microsoft says it resolved a known issue causing erroneous 0x80070643 installation failure errors when deploying the April 2025 Windows Recovery Environment (WinRE) updates.

When it acknowledged the bug two weeks ago, Redmond told those affected that these errors can be ignored since they’re inaccurate and don’t impact their Windows device’s functionality.

The known issue impacts the KB5057588 WinRE update on Windows Server 2022 and KB5057589 on Windows 10, versions 22H2 and 21H2.

“After installing the April 2025 Windows Recovery Environment update [KB5057588], you might see the following error message in the Windows Update settings page: 0x80070643 – ERROR_INSTALL_FAILURE. This error message is not accurate and does not impact the update or device functionality,” Microsoft said at the time.

ASUS releases fix for AMI bug that lets hackers brick servers

ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers.

The flaw impacts American Megatrends International’s MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock.

The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting.

“A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish),” explained Eclypsium in a related report.

“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS/UEFI), potential server physical damage (over-voltage / bricking), and indefinite reboot loops that a victim cannot stop.”

Cyber Attacks

Kimsuky Hackers Exploiting RDP & MS Office Vulnerabilities in Targeted Attacks

A sophisticated Advanced Persistent Threat (APT) operation named Larva-24005, linked to the notorious Kimsuky threat group, has been discovered actively exploiting critical vulnerabilities in Remote Desktop Protocol (RDP) and Microsoft Office applications to compromise systems across multiple sectors and countries.

The campaign, which began in September 2023, represents a significant evolution in the group’s tactics, techniques, and procedures.

The threat actors primarily leverage two critical vulnerabilities: BlueKeep (CVE-2019-0708), a severe RDP vulnerability that allows remote code execution without authentication, and the Microsoft Office Equation Editor vulnerability (CVE-2017-11882).

After establishing initial access through these exploits, the attackers deploy a sophisticated arsenal of malware including MySpy and RDPWrap to maintain persistent remote access to compromised systems.

The attacks have primarily targeted South Korea’s software, energy, and financial industries, though victims in the United States, China, Japan, Germany, Singapore, and several other countries have also been identified.

RedGolf Hackers Expose Fortinet Exploits & Tools Used to Hack Organisations

RedGolf, a sophisticated threat actor with ties to APT41, provided a rare insight into its operational toolbox after a directory on their attack infrastructure was briefly exposed.

The server, linked to KeyPlug malware activities, inadvertently revealed a comprehensive arsenal of exploitation tools, reconnaissance scripts, and post-compromise utilities targeting Fortinet devices and a major Japanese corporation.

Security researcher Jane_0sint first highlighted the server at IP 154.31.217.200 on social media, noting its connection to RedGolf operations. 

Further investigation revealed it shared a WolfSSL-issued TLS certificate with five other servers hosted on Vultr. 

Among these servers, 45.77.34.88 exposed a directory through a Python SimpleHTTP server for less than 24 hours, providing researchers an unfiltered view of the group’s operational files.

The WolfSSL certificate details included:

  • Subject Common Name: www.wolfssl.com.
  • Subject Organizational Unit: Support_1024.
  • SHA-256 Fingerprint: 4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF.
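The certificate details above are the pivot the researchers used to link the servers, and the same details can be turned into a hunt over one’s own telemetry. The following added example (not Hunt.io’s or the article’s code) takes a batch of TLS certificate observations, constructed here in place of real Zeek x509.log rows or a Censys/Shodan export, normalises fingerprints that different tools format differently, and flags hosts matching the published SHA-256 fingerprint or the subject fields. The subject fields also appear in the example certificates bundled with the wolfSSL library, so the example treats a subject-only hit as weak evidence and a fingerprint hit as strong; the hosts and all fingerprints other than the indicator are invented.

```python
"""Pivoting on the RedGolf certificate indicators listed above.

Added example, not from Hunt.io or the original article.  Input records are
constructed; in practice they would be rows of a Zeek x509.log, a Censys or
Shodan export, or a TLS-inspecting proxy log.
"""
import re

# Indicators exactly as listed in the write-up.
IOC_FINGERPRINT_SHA256 = "4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF"
IOC_SUBJECT = {"CN": "www.wolfssl.com", "OU": "Support_1024"}


def normalize_fingerprint(value: str) -> str:
    """Accept 'sha256/...' prefixes, colon-separated, spaced or lower-case hex and
    return plain upper-case hex so differently formatted sources still compare."""
    if value.lower().startswith("sha256"):
        value = value.split("/", 1)[-1]
    digits = re.sub(r"[^0-9a-fA-F]", "", value).upper()
    if len(digits) != 64:
        raise ValueError(f"not a SHA-256 fingerprint: {value!r}")
    return digits


def parse_subject(subject: str) -> dict:
    """Split a flat 'CN=a,OU=b,O=c' subject into a dict.  Simplification: escaped
    commas inside attribute values are not handled."""
    parts = {}
    for rdn in subject.split(","):
        if "=" in rdn:
            key, val = rdn.split("=", 1)
            parts[key.strip().upper()] = val.strip()
    return parts


def match_certificate(record: dict) -> list:
    """Return the reasons a record matches.  A fingerprint hit is strong; a
    subject-only hit is weak because the same CN/OU appear in the sample
    certificates shipped with the wolfSSL library."""
    reasons = []
    if normalize_fingerprint(record["fingerprint"]) == IOC_FINGERPRINT_SHA256:
        reasons.append("sha256 fingerprint matches RedGolf indicator (strong)")
    subject = parse_subject(record["subject"])
    if all(subject.get(k) == v for k, v in IOC_SUBJECT.items()):
        reasons.append("subject CN/OU match (weak; shared with wolfSSL sample certs)")
    return reasons


def hunt(records: list) -> dict:
    """Map host -> match reasons for every record matching at least one indicator."""
    hits = {}
    for rec in records:
        reasons = match_certificate(rec)
        if reasons:
            hits[rec["host"]] = reasons
    return hits


# Constructed observations: hosts and every fingerprint except the IOC are invented.
SAMPLE_RECORDS = [
    {"host": "203.0.113.10:443",
     "subject": "CN=www.wolfssl.com,OU=Support_1024,O=example",
     "fingerprint": "4c:1b:aa:3a:bb:77:4b:4c:64:9c:87:41:7a:ca:a4:39:"
                    "6e:ba:40:e5:02:8b:43:fa:de:4c:68:5a:40:5c:c3:bf"},
    {"host": "203.0.113.11:8443",
     "subject": "CN=www.wolfssl.com,OU=Support_1024,O=example",
     "fingerprint": "sha256/" + "00" * 32},
    {"host": "203.0.113.12:443",
     "subject": "CN=login.example.net,O=Example Corp",
     "fingerprint": "FF" * 32},
]

if __name__ == "__main__":
    for host, why in hunt(SAMPLE_RECORDS).items():
        print(host, "->", "; ".join(why))
```

Run against real data, only the fingerprint hits deserve immediate escalation; subject-only hits are a starting point for further pivoting (hosting provider, open directories, KeyPlug indicators) rather than a verdict.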

Hunt.io reports that among the exposed files was ws_test.py, which appears to automate exploitation of Fortinet WebSocket CLI vulnerabilities similar to CVE-2024-23108 and CVE-2024-23109.

In Other News...

Microsoft Entra account lockouts caused by user token logging mishap

Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.

On Saturday morning, numerous organizations reported that they had begun receiving Microsoft Entra alerts that accounts had leaked credentials, causing the accounts to be locked out automatically.

Impacted customers initially thought the account lockouts were tied to the rollout of a new enterprise application called “MACE Credential Revocation,” installed minutes before the alerts were issued.

However, an admin for one of the impacted organizations shared an advisory sent by Microsoft stating that the issue was caused by the company mistakenly logging the impacted account’s user refresh tokens rather than just their metadata.

After realizing they logged actual account tokens, they began invalidating them, which accidentally generated the alerts and lockouts.

“On Friday 4/18/25, Microsoft identified that it was internally logging a subset of short-lived user refresh tokens for a small percentage of users, whereas our standard logging process is to only log metadata about such tokens,” reads an advisory from Microsoft posted on Reddit.

“The internal logging issue was immediately corrected, and the team performed a procedure to invalidate these tokens to protect customers. As part of the invalidation process, we inadvertently generated alerts in Entra ID Protection indicating the user’s credentials may have been compromised.”

159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure

As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024.

“We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure,” VulnCheck said in a report shared with The Hacker News.

This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.

The cybersecurity company said a majority of the exploited vulnerabilities have been identified in content management systems (CMSes), followed by network edge devices, operating systems, open-source software, and server software.

The breakdown is as follows –

  • Content Management Systems (CMS) (35)
  • Network Edge Devices (29)
  • Operating Systems (24)
  • Open-Source Software (14)
  • Server Software (14)

“On average, 11.4 KEVs were disclosed weekly, and 53 per month,” VulnCheck said. “While CISA KEV added 80 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation.”

Of the 159 vulnerabilities, 25.8% have been found to be awaiting or undergoing analysis by the NIST National Vulnerability Database (NVD) and 3.1% have been assigned the new “Deferred” status.