{"id":4549,"date":"2025-04-28T09:27:04","date_gmt":"2025-04-28T08:27:04","guid":{"rendered":"https:\/\/www.d2na.com\/?p=4549"},"modified":"2025-04-28T09:35:47","modified_gmt":"2025-04-28T08:35:47","slug":"weekly-security-news-28th-april-2025","status":"publish","type":"post","link":"https:\/\/www.d2na.com\/index.php\/2025\/04\/28\/weekly-security-news-28th-april-2025\/","title":{"rendered":"Weekly Security News – 28th April 2025"},"content":{"rendered":"<\/span> 5<\/span> mins read<\/span><\/span>\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

ASUS vulnerability uncovered, Remote Desktop and Office being attacked, increase in CVE's being exploited so far in 2025...<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.\u00a0<\/p>\n

<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Vulnerabilities and Patches<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Critical ASUS Router Vulnerability Let Attackers Malicious Code Remotely<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

A critical security vulnerability has been discovered in\u00a0ASUS routers\u00a0featuring the AiCloud service, exposing millions of devices to the risk of remote code execution by unauthenticated attackers.\u00a0<\/p>

The flaw, tracked as CVE-2025-2492, has received a CVSS v4 score of 9.2, placing it among the most severe vulnerabilities affecting consumer networking equipment this year.<\/p>

The vulnerability stems from improper authentication control within certain ASUS router firmware series.\u00a0<\/p>

Attackers can exploit this flaw by sending a specially crafted HTTP request to the router\u2019s public interface, thereby bypassing authentication mechanisms and gaining unauthorized access to critical device functions.\u00a0<\/p>

This means that a remote attacker, without any valid credentials, could potentially execute arbitrary commands or malicious code on the affected router.<\/p>

AiCloud is a proprietary cloud-based feature that allows users to access files, stream media, and manage network-connected devices remotely.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Speedify VPN macOS Vulnerability Let Attackers Escalate Privilege<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

A significant security vulnerability, tracked as CVE-2025-25364, was discovered in Speedify VPN\u2019s\u00a0macOS application, exposing users to local privilege escalation and full system compromise.\u00a0<\/p>

The flaw, uncovered by SecureLayer7, resides in the privileged helper tool me.connectify.SMJobBlessHelper, which is responsible for executing system-level operations with root privileges for the Speedify VPN client.<\/p>

The vulnerability stemmed from improper input validation in the XPC (Cross-Process Communication) interface of the helper tool.<\/p>

Specifically, two user-controlled fields\u2014cmdPath and cmdBin\u2014within incoming XPC messages were used directly to construct command-line strings without adequate sanitization.\u00a0<\/p>

This oversight enabled a\u00a0command injection vulnerability, allowing any local attacker to craft a malicious XPC message and inject arbitrary shell commands that would be executed as root.<\/p>

The attack chain involved several functions:<\/p>

Entry point for XPC messages. It checked for a dictionary-type message and invoked _handleLaunchSpeedifyMsg if the \u201crequest\u201d field was \u201crunSpeedify\u201d. No validation was performed on the contents of cmdPath or cmdBin.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Microsoft fixes bug causing incorrect 0x80070643 WinRE errors<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Microsoft says it resolved a known issue causing erroneous 0x80070643 installation failure errors when deploying the April 2025 Windows Recovery Environment (WinRE) updates.<\/p>

When it\u00a0acknowledged the bug\u00a0two weeks ago, Redmond told those affected that these errors can be ignored since they’re inaccurate and don’t impact their Windows device’s functionality.<\/p>

The known issue impacts the\u00a0KB5057588\u00a0WinRE update on Windows Server 2022 and\u00a0KB5057589\u00a0on Windows 10, versions 22H2 and 21H2.<\/p>

“After installing the April 2025 Windows Recovery Environment update [KB5057588], you might see the following error message in the Windows Update settings page: 0x80070643 \u2013 ERROR_INSTALL_FAILURE. This error message is not accurate and does not impact the update or device functionality,”\u00a0Microsoft said\u00a0at the time.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

ASUS releases fix for AMI bug that lets hackers brick servers<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers.<\/p>

The flaw impacts American Megatrends International’s MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock.<\/p>

The\u00a0CVE-2024-54085\u00a0flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting.<\/p>

“A local or remote attacker can exploit the vulnerability by accessing the remote management interfaces (Redfish) or the internal host to the BMC interface (Redfish),”\u00a0explained Eclypsium in a related report.<\/p>

“Exploitation of this vulnerability allows an attacker to remotely control the compromised server, remotely deploy malware, ransomware, firmware tampering, bricking motherboard components (BMC or potentially BIOS\/UEFI), potential server physical damage (over-voltage \/ bricking), and indefinite reboot loops that a victim cannot stop.”<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Cyber Attacks<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Kimusky Hackers Exploiting RDP & MS Office Vulnerabilities in Targeted Attacks<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

A sophisticated Advanced Persistent Threat (APT) operation named Larva-24005, linked to the notorious Kimsuky threat group, has been discovered actively exploiting critical vulnerabilities in Remote Desktop Protocol (RDP) and Microsoft Office applications to compromise systems across multiple sectors and countries.<\/p>

The campaign, which began in September 2023, represents a significant evolution in the group\u2019s tactics, techniques, and procedures.<\/p>

The threat actors primarily leverage two critical vulnerabilities: BlueKeep (CVE-2019-0708), a severe RDP vulnerability that allows remote code execution without authentication, and the Microsoft Office Equation Editor vulnerability (CVE-2017-11882).<\/p>

After establishing initial access through these exploits, the attackers deploy a sophisticated arsenal of\u00a0malware\u00a0including MySpy and RDPWrap to maintain persistent remote access to compromised systems.<\/p>

The attacks have primarily targeted South Korea\u2019s software, energy, and financial industries, though victims in the United States, China, Japan, Germany, Singapore, and several other countries have also been identified.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

RedGolf Hackers Expose Fortinet Exploits & Tools Used to Hack Organisations<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

RedGolf, a sophisticated threat actor with ties to APT41, provided a rare insight into its operational toolbox after a directory on their attack infrastructure was briefly exposed.<\/p>

The server, linked to\u00a0KeyPlug malware\u00a0activities, inadvertently revealed a comprehensive arsenal of exploitation tools, reconnaissance scripts, and post-compromise utilities targeting Fortinet devices and a major Japanese corporation.<\/p>

Security researcher Jane_0sint first highlighted the server at IP 154.31.217.200 on social media, noting its connection to RedGolf operations.\u00a0<\/p>

Further investigation revealed it shared a WolfSSL-issued TLS certificate with five other servers hosted on Vultr.\u00a0<\/p>

Among these servers, 45.77.34.88 exposed a directory through a\u00a0Python\u00a0SimpleHTTP server for less than 24 hours, providing researchers an unfiltered view of the group\u2019s operational files.<\/p>

The WolfSSL certificate details included:<\/p>