Weekly Security News – 28th July 2025


Exploits exposed in VMware, urgent browser updates, Amazon AWS client exploit patched and the latest CVEs...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. We’ve also got the latest CVE information to help you stay ahead of vulnerabilities. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

News & Articles

Fire Ant Exploits VMware Flaws to Compromise ESXi Hosts and vCenter Environments

Virtualisation and networking infrastructure have been targeted by a threat actor codenamed Fire Ant as part of a prolonged cyber espionage campaign.

The activity, observed this year, is primarily designed to infiltrate organisations’ VMware ESXi and vCenter environments as well as network appliances.

“The threat actor leveraged combinations of sophisticated and stealthy techniques creating multi-layered attack kill chains to facilitate access to restricted and segmented network assets within presumed to be isolated environments,” according to researchers at Sygnia.

Fire Ant’s breach of the virtualization management layer is achieved by the exploitation of CVE-2023-34048, a known security flaw in VMware vCenter Server that has been exploited as a zero-day for years prior to it being patched by Broadcom in October 2023.

Google Chromium 0-Day Input Validation Vulnerability Exploited in Attacks

The vulnerability, designated as CVE-2025-6558, poses a significant security risk to millions of users across multiple web browsers that utilise the Chromium engine such as Edge and Chrome.

The vulnerability’s severity lies in its ability to allow malicious actors to break free from the browser’s security sandbox through carefully crafted HTML pages, effectively bypassing one of the most fundamental security mechanisms designed to protect users from web-based threats.

Security researchers have identified that the improper input validation occurs when the browser processes specific graphics-related operations, particularly those involving GPU acceleration and ANGLE’s OpenGL ES implementation. 

Google has already begun releasing patches through their stable channel updates, with detailed information available through their Chrome releases blog. 

Users and administrators should prioritise immediate updates to the latest browser versions to protect against ongoing exploitation attempts targeting this critical vulnerability.

New ZuRu Malware Variant Weaponizes Termius SSH Client to Attack macOS Users

A fresh strain of the long-running macOS.ZuRu family has surfaced, hiding inside a doctored version of the popular Termius SSH client and quietly turning developer workstations into remote footholds.

First seen in late May 2025, the 248 MB rogue disk image looks and behaves like the genuine installer but stealthily inserts a 25 MB Mach-O binary into the Termius Helper bundle.

Once launched, the counterfeit helper runs the legitimate .Termius Helper1 to preserve normal UX while spawning a loader dubbed .localized, which drops a modified Khepri command-and-control beacon under /tmp/.fseventsd and begins polling its operator every five seconds over port 53.

The campaign specifically targets IT staff and software engineers who favour third-party terminals, underscoring the growing risk posed by pirated or tampered productivity apps.

AWS Client VPN for Windows Vulnerability Let Attackers Escalate Privileges

Amazon Web Services has disclosed a critical security vulnerability in its Client VPN software for Windows that could allow attackers to escalate privileges and execute malicious code with administrative rights.

The vulnerability, tracked as CVE-2025-8069, affects multiple versions of the AWS Client VPN client and has been patched in the latest release.

The vulnerability originates from a design flaw in the AWS Client VPN client installation process on Windows systems.

During installation, the software references a specific directory path at C:\usr\local\windows-x86_64-openssl-localbuild\ssl to retrieve the OpenSSL configuration file. This predictable file path creates a security weakness that malicious actors can exploit.

The vulnerability affects AWS Client VPN versions 4.1.0, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.2.0, and 5.2.1. Importantly, the security flaw is platform-specific and only impacts Windows devices, leaving Linux and macOS installations unaffected.

AWS has addressed the security vulnerability in AWS Client VPN Client version 5.2.2, which is now available for download.

The company strongly recommends that organizations immediately discontinue new installations of any AWS Client VPN version prior to 5.2.2 on Windows systems to prevent potential exploitation.

Latest Vulnerabilities & Exploits

CVE-2025-8069

High - Amazon Web Services Client

As mentioned in the article above, during the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices. We recommend users discontinue any new installations of AWS Client VPN on Windows prior to version 5.2.2.
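As an added example (not part of the article or of AWS’s own guidance), the following PowerShell audit checks a Windows host for the two preconditions described above: an installed AWS Client VPN below 5.2.2, and a directory at the path named in the advisory that non-admin principals can write to. The uninstall-registry display-name pattern is an assumption.

```powershell
# Added example (not from the article or from AWS): audit a Windows host for the
# two CVE-2025-8069 preconditions described above, an installed client below 5.2.2
# and a non-admin-writable OpenSSL config directory at the advisory's fixed path.
# Assumption: the uninstall-registry DisplayName pattern '*AWS*Client VPN*' is a guess.

$OpenSslDir   = 'C:\usr\local\windows-x86_64-openssl-localbuild\ssl'   # path named in the advisory
$FixedVersion = [version]'5.2.2'

function Get-AwsClientVpnVersion {
    # Read the installed version from the standard uninstall keys (64- and 32-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*AWS*Client VPN*' } |   # assumed display name
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-OpenSslDirWritableByNonAdmins {
    # True when the directory exists and an Allow ACE grants Write/Modify/FullControl
    # to a broad principal. Inherited ACEs count: they are what a planted folder picks up.
    if (-not (Test-Path -LiteralPath $OpenSslDir)) { return $false }
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    $hits  = (Get-Acl -LiteralPath $OpenSslDir).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $write) -ne 0
    }
    return [bool]$hits
}

# Report: version status first, then the state of the config directory.
$ver = Get-AwsClientVpnVersion
if (-not $ver) {
    Write-Output 'AWS Client VPN not found in the uninstall registry; verify the version before any new install'
} elseif ([version]$ver -lt $FixedVersion) {
    Write-Output "AWS Client VPN $ver is below fixed version $FixedVersion (CVE-2025-8069): update"
} else {
    Write-Output "AWS Client VPN $ver is at or above $FixedVersion"
}

if (-not (Test-Path -LiteralPath $OpenSslDir)) {
    Write-Output "$OpenSslDir is absent"
} elseif (Test-OpenSslDirWritableByNonAdmins) {
    Write-Output "$OpenSslDir exists and is writable by non-admin principals: review its contents and owner"
} else {
    Write-Output "$OpenSslDir exists with a restricted ACL"
}
```

Run it from an elevated prompt so the registry and ACL reads are complete; a directory that is writable by broad principals on a host still running a pre-5.2.2 client is the condition worth investigating.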

CVE-2025-6018

High - Linux PAM

A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, “allow_active” user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorised control over system configurations, services, or other sensitive operations.

CVE-2025-40596

High - SonicWall

A stack-based buffer overflow vulnerability in the SMA100 series web interface allows a remote, unauthenticated attacker to cause a denial of service (DoS) or potentially achieve code execution.

CVE-2025-50481

Medium - Mezzanine CMS

A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into a blog post.

CVE-2025-46171

Medium - vBulletin

vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum.