Weekly Security News – 27th May 2025


Linux kernel 0-day discovered, patches for Ivanti and Samsung, payroll logins being stolen, Google domains compromised...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks

Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution.

The vulnerabilities in question are listed below –

  • CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials
  • CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system

An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication.

The flaws impact the following versions of the product –

  • 11.12.0.4 and prior (Fixed in 11.12.0.5)
  • 12.3.0.1 and prior (Fixed in 12.3.0.2)
  • 12.4.0.1 and prior (Fixed in 12.4.0.2)
  • 12.5.0.0 and prior (Fixed in 12.5.0.1)

Ivanti, which credited CERT-EU for reporting the issues, said it’s “aware of a very limited number of customers who have been exploited at the time of disclosure” and that the vulnerabilities are “associated with two open-source libraries integrated into EPMM.”

The company, however, did not disclose the names of the impacted libraries. It’s also not known what other software applications relying on the two libraries could be affected. Furthermore, the company said it’s still investigating the cases, and that it does not have reliable indicators of compromise associated with the malicious activity.

“The risk to customers is significantly reduced if they already filter access to the API using either the built-in Portal ACLs functionality or an external web application firewall,” Ivanti noted.

“The issue only affects the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products.”

Separately, Ivanti has also shipped patches to contain an authentication bypass flaw in on-premise versions of Neurons for ITSM (CVE-2025-22462, CVSS score: 9.8) that could allow a remote unauthenticated attacker to gain administrative access to the system. There is no evidence that the security defect has been exploited in the wild.

With zero-days in Ivanti appliances becoming a lightning rod for threat actors in recent years, it’s imperative that users move quickly to update their instances to the latest versions for optimal protection.

Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit

Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild.

The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw.

“Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority,” according to an advisory for the flaw.

It’s worth noting that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another path traversal flaw in the same product that was remediated by Samsung in August 2024.

CVE-2025-4632 has since been exploited in the wild shortly after the release of a proof-of-concept (PoC) by SSD Disclosure on April 30, 2025, in some instances even to deploy the Mirai botnet.

While it was initially assumed that the attacks were targeting CVE-2024-7399, cybersecurity company Huntress first revealed the existence of an unpatched vulnerability last week after finding signs of exploitation even on MagicINFO 9 Server instances running the latest version (21.1050).

In a follow-up report published on May 9, Huntress revealed three separate incidents that involved the exploitation of CVE-2025-4632, with unidentified actors running an identical set of commands to download additional payloads like “srvany.exe” and “services.exe” on two hosts and executing reconnaissance commands on the third.

Users of the Samsung MagicINFO 9 Server are recommended to apply the latest fixes as soon as possible to safeguard against potential threats.

Linux kernel SMB 0-Day Vulnerability Uncovered Using ChatGPT

A zero-day vulnerability in the Linux kernel was discovered using OpenAI’s o3 model. This finding, assigned CVE-2025-37899, marks a significant advancement in AI-assisted vulnerability research.

The vulnerability, officially confirmed on May 20, 2025, affects the ksmbd component of the Linux kernel, an in-kernel server that implements the SMB3 protocol for sharing files over networks.

Specifically, a use-after-free vulnerability in the handler for the SMB ‘logoff’ command was identified that could potentially lead to serious security breaches.

“I found the vulnerability with nothing more complicated than the o3 API – no scaffolding, no agentic frameworks, no tool use,” stated Sean, who discovered the flaw. “This is, as far as I’m aware, the first public discussion of a vulnerability of that nature being found by a large language model,” Sean said.

The technical details reveal that when one thread is processing a logoff command, it frees the sess->user object.

However, suppose another connection has sent a session setup request to bind to the session being freed. In that case, the handler for that connection could simultaneously be accessing sess->user, resulting in a classic use-after-free scenario.

Such vulnerabilities can lead to memory corruption and potentially allow attackers to execute arbitrary code with kernel privileges.

OpenAI’s o3 model, released on April 16, 2025, represents a significant advancement in AI reasoning capabilities. The model is designed to “think for longer before responding” and demonstrates substantially improved performance in complex tasks, including coding and mathematics.

Its ability to understand complex code structures and reason about concurrent operations proved crucial in identifying this vulnerability.

“With o3, LLMs have made a leap forward in their ability to reason about code, and if you work in vulnerability research, you should start paying close attention,” Sean noted. “They are now at a stage where they can make you significantly more efficient and effective.”

Security experts rate this vulnerability with a high severity score, though the Exploit Prediction Scoring System (EPSS) currently estimates a relatively low exploitation probability of 0.02%. The vulnerability affects multiple Linux kernel versions up through 6.12.27, 6.14.5, and 6.15-rc4.

Linux distributions, including SUSE, are already working on patches. The SUSE Security Team currently rates the issue as having “moderate severity.” Users are encouraged to apply updates as they become available.

The discovery marks a watershed moment in how AI systems might transform security research. Rather than replacing human security researchers, models like o3 are proving to be powerful assistants that can efficiently analyze complex codebases.

Cyber Attacks

Critical Samlify SSO flaw lets attackers log in as admin

A critical Samlify authentication bypass vulnerability has been discovered that allows attackers to impersonate admin users by injecting unsigned malicious assertions into legitimately signed SAML responses.

Samlify is a high-level authentication library that helps developers integrate SAML SSO and Single Log-Out (SLO) into Node.js applications. It is a popular tool for building or connecting to identity providers (IdPs) and service providers (SPs) using SAML.

The library is used by SaaS platforms, organizations implementing SSO for internal tools, developers integrating with corporate Identity Providers like Azure AD or Okta, and in federated identity management scenarios. It is very popular, measuring over 200,000 weekly downloads on npm.

The flaw, tracked as CVE-2025-47949, is a critical (CVSS v4.0 score: 9.9) Signature Wrapping flaw impacting all versions of Samlify before 2.10.0.

As EndorLabs explained in a report, Samlify correctly verifies that the XML document providing a user’s identity is signed. Still, it proceeds to read fake assertions from a part of the XML that isn’t.

Attackers holding a valid signed SAML response through interception or via public metadata can modify it to exploit the parsing flaw in the library and authenticate as someone else.

“The attacker then takes this legitimately signed XML document and manipulates it. They insert a second, malicious SAML Assertion into the document,” explains EndorLabs.

“This malicious assertion contains the identity of a target user (e.g., an administrator’s username).”

“The crucial part is that the valid signature from the original document still applies to a benign part of the XML structure, but the SP’s vulnerable parsing logic will inadvertently process the unsigned, malicious assertion.”

This is a complete SSO bypass, allowing unauthorized remote attackers to perform privilege escalation and log in as administrators.
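As an added illustration (not Samlify’s code, nor its fix), the following Python contrasts a naive parser that trusts the first assertion in document order with one that only accepts an assertion lying inside the subtree named by a ds:Reference, which is the rule a signature-wrapping payload violates. The cryptographic digest and signature check is assumed to have been performed by an XMLDSig library beforehand, and all SAML documents below are constructed samples with placeholder signature values.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed XML fragments; the SignatureValue is a placeholder because the
# cryptographic check is assumed to happen before this parsing step.
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
       '<ds:Reference URI="#{ref}"/></ds:SignedInfo>'
       '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>')

def assertion(aid, name, sig=""):
    return (f'<saml:Assertion ID="{aid}">{sig}<saml:Subject><saml:NameID>'
            f'{name}</saml:NameID></saml:Subject></saml:Assertion>')

def response(body, sig=""):
    return ('<samlp:Response ID="_r1" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{sig}{body}</samlp:Response>')

CLEAN = response(assertion("_a1", "alice", SIG.format(ref="_a1")))        # IdP signed the Assertion
RESP_SIGNED = response(assertion("_a1", "alice"), SIG.format(ref="_r1"))  # IdP signed the whole Response
WRAPPED = response(assertion("_evil", "admin") + assertion("_a1", "alice", SIG.format(ref="_a1")))

def naive_subject(xml: str) -> str:
    """Vulnerable pattern: the first Assertion in document order is trusted."""
    root = ET.fromstring(xml)
    first = next(root.iter(f"{{{NS['saml']}}}Assertion"))
    return first.find("saml:Subject/saml:NameID", NS).text

def signed_subject(xml: str) -> str:
    """Hardened pattern: an Assertion counts only if it, or an ancestor, carries the
    ID named by a ds:Reference; any Assertion outside a signed subtree rejects the response."""
    root = ET.fromstring(xml)
    parent = {child: p for p in root.iter() for child in p}
    signed_ids = {r.get("URI")[1:] for r in root.iter(f"{{{NS['ds']}}}Reference")
                  if (r.get("URI") or "").startswith("#")}
    covered, unsigned = [], []
    for a in root.iter(f"{{{NS['saml']}}}Assertion"):
        node = a
        while node is not None and node.get("ID") not in signed_ids:
            node = parent.get(node)          # walk up until a signed element is found
        (covered if node is not None else unsigned).append(a)
    if unsigned or len(covered) != 1:
        raise ValueError(f"rejecting response: {len(covered)} signed, {len(unsigned)} unsigned assertions")
    return covered[0].find("saml:Subject/saml:NameID", NS).text
```

On the wrapped sample the naive parser yields "admin" while the hardened one raises; on both legitimately signed samples the hardened parser yields "alice".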

In Other News...

Hackers Exploiting Trusted Google Domains to Inject Malicious Scripts

A sophisticated new malvertising scheme has emerged, transforming legitimate e-commerce websites into phishing platforms without the knowledge of site owners or advertisers.

Cybercriminals are exploiting integrations with Google APIs to inject malicious scripts into e-commerce sites using JSONP calls.

These scripts silently redirect unsuspecting shoppers to fraudulent payment pages, tricking them into disclosing credit card details while believing they are transacting with trusted merchants.

Unlike traditional malvertising campaigns that rely on suspicious ads or obvious redirects, this attack weaponizes the legitimacy of high-quality sites and clean ad placements.

Shoppers click on legitimate advertisements and visit real storefronts only to encounter invisible threats operating beneath the surface.

One notable victim was Ray-Ban’s Indian store (india.ray-ban.com), where attackers compromised the site’s backend, transforming a trusted retail destination into an unwitting phishing platform.

GeoEdge researchers identified that this attack gives cybercriminals a double advantage: they hijack the credibility of established brands while leveraging the brands’ own marketing investments to drive traffic to their scams.

Although the current scale of attacks remains relatively small, their persistence is particularly concerning.

The vulnerability was disclosed to Google in November 2024, yet several compromised sites remain active, continuing to expose users to ongoing risk.

The technical foundation of this attack exploits JSONP (JSON with Padding), a technique originally designed to bypass the same-origin policy in browsers.

Attackers abuse JSONP endpoints in trusted Google domains to deliver malicious JavaScript that bypasses Content Security Policy (CSP) protections, as most websites explicitly allow Google’s domains.
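An added example, not from the GeoEdge report: a simplified CSP script-src evaluator in Python that shows why a host allowlist of Google domains lets a script fetched from any path on those hosts (the JSONP case) execute, while a nonce-based policy with 'strict-dynamic' does not. The page origin, policy strings and JSONP-style URL are constructed, and the evaluator ignores ports and path matching.

```python
from urllib.parse import urlsplit

def parse_csp(csp: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def host_source_matches(src: str, url) -> bool:
    """Simplified host-source match: optional scheme, '*.' wildcard label, no port/path."""
    scheme, sep, host = src.partition("://")
    if not sep:
        scheme, host = "", src
    host = host.split("/", 1)[0].lower()
    if scheme and scheme.lower() != url.scheme:
        return False
    if host.startswith("*."):
        return url.hostname.endswith(host[1:])   # *.google.com matches www.google.com
    return url.hostname == host

def script_allowed(csp: str, script_url: str, page_origin: str, nonce: str = "") -> bool:
    """Would the browser run <script src=script_url nonce=nonce> under this policy?
    Handles 'self', nonces, 'strict-dynamic' and host sources; everything else is denied."""
    d = parse_csp(csp)
    sources = d.get("script-src", d.get("default-src", []))
    url = urlsplit(script_url)
    if nonce and f"'nonce-{nonce}'" in sources:
        return True                              # a matching nonce is always sufficient
    if "'strict-dynamic'" in sources:
        return False                             # host and 'self' sources are ignored
    for src in sources:
        if src == "'self'" and f"{url.scheme}://{url.netloc}" == page_origin:
            return True
        if not src.startswith("'") and host_source_matches(src, url):
            return True
    return False

PAGE = "https://shop.example"                    # constructed merchant origin
# Weak but common policy: every Google-owned host is trusted wholesale
WEAK = "default-src 'self'; script-src 'self' https://*.google.com https://*.googleapis.com"
# Hardened policy: only scripts carrying the per-response nonce (and what they load) run
STRICT = "default-src 'self'; script-src 'nonce-Xy7Qp2' 'strict-dynamic'"
# Constructed JSONP-style request: any such URL on an allowlisted host returns executable JS
JSONP = "https://www.google.com/hypothetical-jsonp?callback=inject"
```

Under WEAK the JSONP URL is allowed purely because of its host; under STRICT it is denied while the site's own nonce-bearing script still runs.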

Hackers Mimic Organisations to Attack Employees, Steal Payroll Logins & Reroute Payments

A sophisticated search engine optimization (SEO) poisoning attack has emerged, targeting employees through their mobile devices with fake login pages that mimic legitimate corporate portals.

The attack, which has already affected organisations in the manufacturing sector, enables hackers to steal employee credentials, access payroll systems, and redirect salary payments to attacker-controlled accounts.

This deceptive campaign represents a new evolution in social engineering attacks, specifically designed to bypass traditional security measures by targeting personal devices that typically lack enterprise-grade protections.

The attack begins when employees search for their company’s payroll portal using mobile devices. Malicious actors have optimized fraudulent websites to appear at the top of search results when specific keywords like “payroll” and “portal” are combined with a company’s name.

When users click these links, they’re seamlessly directed to what appears to be their organization’s legitimate login page, where their credentials are harvested without their knowledge.

ReliaQuest researchers identified this attack in May 2025 after detecting unauthorized access to a customer’s SAP SuccessFactors human resources platform.

According to their investigation, the threat actors specifically targeted mobile devices because they typically connect to guest Wi-Fi networks or cellular connections that lack the robust security measures found on corporate networks, such as web traffic filtering that could block access to malicious sites.