UK organisation fined £2.3m for data breach, Minecraft players targeted, updates for Veeam and Citrix, Linux root access flaw...
Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.
Vulnerabilities and Patches
Veeam Releases Security Updates for Backup & Replication and Windows Agent
Veeam has released a security bulletin to address three vulnerabilities in Veeam Backup & Replication and Veeam Agent for Microsoft Windows.
Veeam Backup & Replication is a proprietary backup application for virtual environments built on various hypervisors. CVE-2025-23121 is a critical vulnerability in Veeam Backup & Replication with a CVSSv3 score of 9.9. Successful exploitation could allow an authenticated domain user to execute code remotely. CVE-2025-23121 only impacts domain-joined backup servers, which is against Veeam’s Security & Compliance Best Practices. CVE-2025-24286 is a high severity vulnerability in Backup & Replication with a CVSSv3 score of 7.2.
Successful exploitation could allow an authenticated user with the “Backup Operator” role to modify backup jobs, which could lead to arbitrary code execution. CVE-2025-24287 is a medium severity vulnerability in Veeam Agent for Microsoft Windows with a CVSSv3 score of 6.1.
Successful exploitation could allow a local user to modify directory contents, allowing for arbitrary code execution on the local system with elevated permissions. Veeam states: “Unsupported product versions are not tested but are likely affected and should be considered vulnerable.” Enterprise backup and disaster recovery applications are valuable targets for cyber threat groups. Vulnerabilities in backup and disaster recovery applications are often exploited in the wild by ransomware groups shortly after official disclosure, to increase the difficulty of recovery after an attack.
Affected organisations are strongly encouraged to review Veeam Security Bulletin kb4743 and apply the latest update.
Citrix Releases Security Updates for NetScaler ADC and NetScaler Gateway
Citrix has released a critical security bulletin addressing two vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). CVE-2025-5777 is an ‘out-of-bounds read’ vulnerability with a CVSSv4 base score of 9.3. If exploited, the insufficient input validation could lead to memory overread in the NetScaler Management Interface of NetScaler ADC and NetScaler Gateway. CVE-2025-5349 is an ‘improper access control’ vulnerability with a CVSSv4 base score of 8.7. If exploited, an attacker with access to the NSIP, Cluster Management IP or local GSLB Site IP could gain unauthorised access to the NetScaler Management Interface. To be vulnerable to CVE-2025-5777, NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The following platforms are known to be affected:
NetScaler
- All prior to 14.1-43.56
- All prior to 13.1-58.32
- All prior to 13.1-37.235-FIPS and NDcPP
NetScaler Gateway
- All prior to 14.1-43.56
- All prior to 13.1-58.32
NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End of Life (EoL) and are vulnerable; no fixed build will be released for them. Organisations using EoL versions should upgrade to the latest release of a supported version as soon as possible. Additionally, Secure Private Access on-premises and Secure Private Access Hybrid deployments that use NetScaler instances are also affected by the vulnerabilities, and those NetScaler instances should likewise be upgraded to the latest supported release. Affected organisations are strongly encouraged to review Citrix Security Bulletin CTX693420 and apply the relevant updates as soon as possible.
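Working out whether a given appliance is covered by the bulletin means comparing its build against the fixed builds per release branch, remembering that the FIPS/NDcPP builds live on their own 13.1 branch and that 12.1 and 13.0 have no fix at all. The script below is an added example written for this newsletter, not Citrix code; the version-string format (`major.minor-build.patch` with an optional `-FIPS` or `-NDcPP` suffix) is assumed from the builds listed above, and the fixed-build table is copied from the page's summary of CTX693420.

```python
"""Classify a NetScaler ADC / Gateway build against the fixed builds from
Citrix bulletin CTX693420 as summarised in this week's news.

Added example, not Citrix code. Assumes version strings look like the ones
in the bulletin, e.g. "14.1-43.56" or "13.1-37.235-FIPS".
"""
import re

# Fixed builds per release branch, taken from the bulletin summary above.
# FIPS and NDcPP builds share the 13.1-37.x branch.
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-43.56",
    ("13.1", "standard"): "13.1-58.32",
    ("13.1", "fips"): "13.1-37.235",
}
# Branches the bulletin lists as End of Life: vulnerable, and no fix is coming.
EOL_BRANCHES = {"12.1", "13.0"}

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-(?P<build>\d+)\.(?P<patch>\d+)"
    r"(?:-(?P<variant>FIPS|NDcPP))?$",
    re.IGNORECASE,
)


def parse_version(version):
    """Split '13.1-37.235-FIPS' into (branch, (build, patch), variant)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch = f"{m.group('major')}.{m.group('minor')}"
    build = (int(m.group("build")), int(m.group("patch")))
    variant = "fips" if m.group("variant") else "standard"
    return branch, build, variant


def assess(version):
    """Return 'eol', 'vulnerable', 'fixed' or 'unknown-branch' for one build.

    A build is 'fixed' only when it is at or above the fixed build for its
    own branch and variant; a FIPS build is never compared against the
    standard 13.1 fix and vice versa.
    """
    branch, build, variant = parse_version(version)
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "unknown-branch"
    fixed_build = parse_version(fixed)[1]
    return "fixed" if build >= fixed_build else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; replace with output from your own estate.
    for v in ["14.1-43.56", "14.1-43.50", "13.1-37.235-FIPS",
              "13.1-37.200-NDcPP", "12.1-65.39"]:
        print(f"{v:22} {assess(v)}")
```

Feed it the version strings from your appliance inventory; anything returning `eol` or `vulnerable` needs the upgrade described in the bulletin, and `unknown-branch` means the table above does not cover that release and the bulletin itself should be consulted.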
Cyber Attacks
TP-Link Router Flaw CVE-2023-33538 Under Active Exploit, CISA Issues Immediate Alert
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request. “TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm,” the agency said.
CISA has also warned that there is a possibility that affected products could be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if no mitigations are available. There is currently no public information available about how the shortcoming is being exploited in the wild, the scale of the attacks, and who is behind them. In December 2024, Palo Alto Networks Unit 42 revealed that it had identified additional samples of an operational technology (OT)-centric malware called FrostyGoop (aka BUSTLEBERM) and that one of the IP addresses corresponding to an ENCO control device also acted as a router web server using TP-Link WR740N to facilitate access to the ENCO device from a web browser.
However, it further pointed out that “there is no hard evidence to indicate that the attackers exploited [CVE-2023-33538] in the July 2024 FrostyGoop attack”. TP-Link has said that it has provided fixes for the vulnerability since 2018 through its tech support platform and has urged customers to contact it in order to receive the necessary firmware updates. “Although these product models have been discontinued since 2017, TP-Link has provided patches for this potential security flaw since 2018 through its tech support platform,” the company said.
1,500+ Minecraft Players Infected by Java Malware Masquerading as Game Mods on GitHub
A new multi-stage malware campaign is targeting Minecraft users with a Java-based malware that employs a distribution-as-service (DaaS) offering called Stargazers Ghost Network. “The campaigns resulted in a multi-stage attack chain targeting Minecraft users specifically,” Check Point researchers Jaromír Hořejší and Antonis Terefos said in a report shared with The Hacker News. “The malware was impersonating Oringo and Taunahi, which are ‘Scripts and macros tools’ (aka cheats).
Both the first and second stages are developed in Java and can only be executed if the Minecraft runtime is installed on the host machine”. The end goal of the attack is to trick players into downloading a Minecraft mod from GitHub and deliver a .NET information stealer with comprehensive data theft capabilities. The campaign was first detected by the cybersecurity company in March 2025. What makes the activity notable is its use of an illicit offering called the Stargazers Ghost Network, which makes use of thousands of GitHub accounts to set up tainted repositories that masquerade as cracked software and game cheats. Terefos said that they flagged “approximately 500 GitHub repositories, including those that are forked or copied,” adding “We’ve also seen 700 stars produced by approximately 70 accounts”.
These malicious repositories, masquerading as Minecraft mods, serve as a conduit for infecting users of the popular video game with a Java loader (e.g., “Oringo-1.8.9.jar”) that remains undetected by all antivirus engines as of writing. The Java archive (JAR) files implement simple anti-VM and anti-analysis techniques to sidestep detection efforts. Their main objective is to download and run another JAR file, a second-stage stealer that fetches and executes a .NET stealer as the final payload when the game is started by the victim.
In Other News...
UK fines 23andMe for ‘profoundly damaging’ breach exposing genetics data
The UK Information Commissioner’s Office (ICO) has fined genetic testing provider 23andMe £2.31 million ($3.12 million) over ‘serious security failings’ that led to a ‘profoundly damaging’ data breach in 2023. The data protection watchdog said today that 23andMe failed to protect the sensitive data of UK residents who had their genotype data, health reports, and personal information stolen in credential stuffing attacks using stolen login credentials that went unnoticed for five months between April 2023 and September 2023.
“This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK,” said John Edwards, the UK’s Information Commissioner. “As one of those impacted told us: once this information is out there, it cannot be changed or reissued like a password or credit card number”. As the genomics company disclosed in data breach notification letters sent to impacted individuals, some of this extremely sensitive stolen data was released on the unofficial 23andMe subreddit and the BreachForums hacking forum.
The leaked information included the data of 4.1 million people living in the United Kingdom and Germany, as well as that of 1 million Ashkenazi Jews. After discovering this extensive breach, 23andMe implemented measures to block similar incidents, including enabling two-factor authentication by default and requiring customers to reset passwords. “As part of our regulatory process, we took into consideration representations from 23andMe, before deciding on whether to impose a financial penalty, and the final amount of the penalty,” an ICO spokesperson said when asked how the fine amount was calculated.
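The detail that matters for defenders here is that the credential stuffing ran for five months without being noticed. Stuffing has a recognisable shape in authentication logs: one source trying many different accounts in a short window, most attempts failing, a few succeeding. The script below is an added example for this newsletter, not code from 23andMe or the ICO; the log format (one event per line, `<ISO 8601 time> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>`), the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example; not 23andMe's or the ICO's code. Assumed log format:
'<ISO8601 time> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>', one event per
line. Thresholds (10-minute window, 5 distinct accounts) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) ip=(\S+)$")

# Constructed sample: 203.0.113.7 cycles through many accounts and finally
# gets one right (stuffing); 198.51.100.9 is one user mistyping a password
# (benign); 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2023-04-10T08:00:01Z LOGIN_FAIL user=alice ip=203.0.113.7
2023-04-10T08:00:02Z LOGIN_FAIL user=bob ip=203.0.113.7
2023-04-10T08:00:03Z LOGIN_FAIL user=carol ip=203.0.113.7
2023-04-10T08:00:04Z LOGIN_FAIL user=dave ip=203.0.113.7
2023-04-10T08:00:05Z LOGIN_FAIL user=erin ip=203.0.113.7
2023-04-10T08:00:06Z LOGIN_OK user=frank ip=203.0.113.7
2023-04-10T08:05:00Z LOGIN_FAIL user=grace ip=198.51.100.9
2023-04-10T08:05:10Z LOGIN_FAIL user=grace ip=198.51.100.9
2023-04-10T08:05:20Z LOGIN_OK user=grace ip=198.51.100.9
2023-04-10T09:30:00Z LOGIN_OK user=heidi ip=192.0.2.44
"""


def parse(lines):
    """Yield (timestamp, result, user, ip) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unrelated or malformed lines rather than abort
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted distinct usernames} for every IP whose failed
    logins inside one `window` touch at least `min_users` different
    accounts. Repeated failures against a single account from one IP (a
    forgotten password) do not trip this rule; spraying many accounts does.
    """
    fails = defaultdict(list)  # ip -> [(ts, user)]
    for ts, result, user, ip in parse(lines):
        if result == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        # Slide the window start across the sorted failures for this IP.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def successes_from_flagged(lines, flagged_ips):
    """Accounts that logged in successfully from a flagged IP: the stolen
    credentials that actually worked, which is the list to force through a
    password reset and MFA enrolment."""
    return sorted(user for _, result, user, ip in parse(lines)
                  if result == "LOGIN_OK" and ip in flagged_ips)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = detect_stuffing(lines)
    print("suspected stuffing sources:", hits)
    print("accounts to reset:", successes_from_flagged(lines, hits))
```

Run against real logs the thresholds need tuning to your traffic (a shared NAT address will legitimately fail logins for several users), but even a coarse rule like this one turns a five-month blind spot into a same-day alert, and the second function produces the exact account list to reset and enrol in two-factor authentication.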
Linux Security: New Flaws Allow Root Access, CISA Warns of Old Bug Exploitation
Linux users received two important security notifications on Tuesday: a couple of new vulnerabilities can be chained for full root access, and CISA warned about the in-the-wild exploitation of an older flaw.
Cybersecurity firm Qualys has published details and proof-of-concept (PoC) code for two new Linux vulnerabilities that can be exploited for local privilege escalation. One of the security holes, tracked as CVE-2025-6018, impacts the Pluggable Authentication Modules (PAM) framework on Linux and it allows an unprivileged local attacker to elevate permissions to ‘allow_active’ and invoke actions that are normally reserved for users who are physically present.
The second vulnerability, CVE-2025-6019, enables an ‘allow_active’ user to leverage the Udisks daemon (used for storage management) and libblockdev (a library for low-level block-device operations) to obtain full root access. CVE-2025-6018 and CVE-2025-6019 can be chained to allow an unprivileged attacker to achieve full root access on the targeted system. Qualys pointed out that the Udisks component is present by default on nearly all Linux distributions, which makes the vulnerabilities dangerous. “Given the ubiquity of Udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay,” Qualys warned. Separately, CISA warned on Tuesday that a Linux kernel vulnerability, tracked as CVE-2023-0386, has been exploited in attacks.
The cybersecurity agency added the flaw, which impacts the Linux kernel’s OverlayFS subsystem and allows a local attacker to escalate privileges, to its Known Exploited Vulnerabilities (KEV) catalog. There do not appear to be any public reports describing exploitation of CVE-2023-0386.
