OpenBrief


Category: 💣 Exploits
AI-Powered Threat Intel Briefings

Top Stories

Microsoft Releases Script to Restore inetpub Folder for Security Mitigation
Microsoft has provided a PowerShell script to restore the inetpub folder, crucial for mitigating CVE-2025-21204. This folder, created by April 2025 updates, should not be deleted as it helps prevent privilege escalation vulnerabilities.

Key points:

  • The inetpub folder is linked to a high-severity privilege escalation vulnerability (CVE-2025-21204).
  • Microsoft warns users against deleting the inetpub folder, even if IIS is not installed.
  • The provided PowerShell script sets correct permissions to secure the folder and related directories.
  • Removing the folder reintroduces the weakness, allowing local attackers to escalate privileges.
  • The script can be executed in PowerShell to recreate the folder with proper access controls.
Sources: Bleeping Computer (1 article)
Supply chain attack compromises 16 Gluestack NPM packages with 960K weekly downloads
A supply chain attack has affected 16 popular Gluestack NPM packages, injecting malicious code that functions as a remote access trojan. The attack, discovered by Aikido Security, poses significant risks due to the packages' high download volume.

Key points:

  • The attack began on June 6, with malicious code added to the lib/index.js file of the packages.
  • The obfuscated code allows attackers to execute commands remotely, including file uploads and directory changes.
  • The trojan also hijacks the Windows PATH to execute malicious binaries disguised as legitimate Python commands.
  • Aikido Security has reported the issue to NPM and attempted to contact Gluestack, but has received no response.
Sources: Bleeping Computer (1 article)
Malicious npm Packages Disguised as Utilities Wipe Project Directories
Two harmful npm packages, 'express-api-sync' and 'system-health-sync-api', have been identified as data wipers that delete entire application directories. These packages, which were downloaded hundreds of times, have been removed from npm after being reported.

Key points:

  • The packages 'express-api-sync' and 'system-health-sync-api' were published in May 2025 and contain backdoors for remote data wiping.
  • The first package executes 'rm -rf *' upon receiving a specific key, deleting all files in the application's directory.
  • The second package supports both Linux and Windows deletion commands and has multiple backdoor endpoints for destruction.
  • These incidents highlight a concerning trend in npm, suggesting potential state-level or sabotage motivations behind such attacks.
Sources: Bleeping Computer (1 article)
Mitsubishi Electric MELSEC iQ-F Series Vulnerability Exposes Critical Systems
A vulnerability in Mitsubishi Electric's MELSEC iQ-F Series could allow remote attackers to read sensitive data or cause denial-of-service conditions. The flaw, identified as CVE-2025-3755, has a high CVSS score of 9.1.

Key points:

  • The vulnerability involves improper validation of input, enabling remote attacks.
  • Affected products include various models of the MELSEC iQ-F Series.
  • Successful exploitation could lead to data breaches or operational disruptions.
  • Mitsubishi Electric recommends using firewalls and VPNs to mitigate risks.
  • No public exploitation of this vulnerability has been reported yet.
Sources: CISA Cybersecurity Advisories (1 article)
Schneider Electric Wiser Home Automation Vulnerability Exposes Devices to Remote Exploitation
A critical buffer overflow vulnerability in Schneider Electric's Wiser Home Automation products could allow remote code execution and authentication bypass. Users are urged to disable firmware updates or remove affected devices from service.

Key points:

  • The vulnerability, identified as CVE-2023-4041, has a CVSS v3.1 score of 9.8, indicating high severity.
  • Affected products include Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket, both of which are no longer supported.
  • CISA recommends minimizing network exposure and implementing secure remote access methods to mitigate risks.
  • Organizations should report any suspected malicious activity to CISA for tracking and correlation.
Sources: CISA Cybersecurity Advisories (1 article)

Other Updates

Multiple Vulnerabilities Found in CyberData 011209 SIP Emergency Intercom
CyberData's 011209 SIP Emergency Intercom is vulnerable to multiple critical security flaws.

Key points:

  • Vulnerabilities include authentication bypass, SQL injection, and insufficiently protected credentials.
  • CVE-2025-30184 has a CVSS v3.1 score of 9.8, indicating high severity.
  • Affected versions are prior to 22.0.1; users should update immediately.
  • CISA recommends minimizing network exposure and using secure remote access methods.
  • The vulnerabilities were reported by Vera Mens of Claroty Team82.
Sources: CISA Cybersecurity Advisories (1 article)
CISA Adds CVE-2025-5419 to Known Exploited Vulnerabilities Catalog
CISA adds three Qualcomm vulnerabilities to its KEV Catalog, highlighting active exploitation risks.

Key points:

  • CISA's KEV Catalog now includes CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038.
  • These vulnerabilities are linked to Qualcomm chipsets and involve incorrect authorization and use-after-free issues.
  • BOD 22-01 mandates remediation of these vulnerabilities for Federal Civilian Executive Branch agencies.
  • CISA encourages all organizations to prioritize remediation of KEV vulnerabilities to mitigate cyber threats.
  • The catalog will continue to be updated with new vulnerabilities as they are identified.
Sources: CISA Cybersecurity Advisories (1 article)
Schneider Electric EcoStruxure Power Build Rapsody Vulnerability Disclosed
A buffer overflow vulnerability in EcoStruxure Power Build Rapsody could lead to arbitrary code execution.

Key points:

  • The vulnerability, tracked as CVE-2025-3916, affects versions 2.7.12 FR and earlier.
  • Exploitation requires local access and occurs when opening a malicious SSD project file.
  • Schneider Electric recommends updating to version 2.8.1 FR and implementing additional security measures.
  • CISA advises minimizing network exposure and using secure communication protocols.
  • No public exploitation of this vulnerability has been reported yet.
Sources: CISA Cybersecurity Advisories (1 article)
Supply Chain Attack Targets RubyGems to Exfiltrate Telegram API Data
Malicious RubyGems packages are stealing Telegram API data through compromised Fastlane plugins.

Key points:

  • Threat actors are using aliases to publish malicious gems that mimic legitimate Fastlane plugins.
  • The attack redirects Telegram API traffic to an actor-controlled C2 server, exfiltrating sensitive data.
  • The timing of the attack coincides with Vietnam's ban on Telegram, suggesting a targeted approach.
  • Security experts warn of the broader implications of such supply chain vulnerabilities.
  • Recommendations include verifying the legitimacy of Telegram proxies and being cautious of typosquatting.
Sources: CSO Online (1 article)
Hitachi Energy Products Vulnerable to Remote Exploitation via Integer Overflow
Critical vulnerabilities in Hitachi Energy products could allow remote exploitation and memory corruption.

Key points:

  • Vulnerabilities were identified in Hitachi Energy's Relion 670 and 650 Series and SAM600-IO products.
  • Integer overflow issues could lead to memory corruption, affecting multiple product versions.
  • CVE-2020-28895 and CVE-2020-35198 have been assigned to the vulnerabilities with high CVSS scores.
  • Mitigations include updating to the latest software versions and minimizing network exposure.
  • CISA recommends implementing cybersecurity strategies to protect ICS assets.
Sources: CISA Cybersecurity Advisories (1 article)
Critical exploit in Cisco Wireless LAN Controllers demands urgent patching
Cisco Wireless LAN Controllers face a critical vulnerability requiring immediate patching.

Key points:

  • The vulnerability, tracked as CVE-2025-20188, affects the Out-of-Band Access Point Download feature.
  • A hard-coded JSON Web Token (JWT) allows attackers to authenticate requests without valid credentials.
  • Cisco has issued a patch for this maximum-severity flaw, rated CVSS 10 out of 10.
  • Experts recommend immediate upgrades and compensating controls if patching is not possible.
  • The flaw exemplifies dangerous coding practices, particularly the use of hard-coded secrets.
Sources: CSO Online (1 article)
Google addresses third zero-day vulnerability in Chrome for 2025
Google fixes a third zero-day vulnerability in Chrome, CVE-2025-5419, amid ongoing exploitation.

Key points:

  • CVE-2025-5419 is a high-severity flaw in Chrome's V8 engine, requiring chaining with other vulnerabilities for exploitation.
  • The vulnerability was reported by Google's Threat Analysis Group, indicating it was likely discovered in the wild.
  • Chrome's automatic update mechanism will distribute the fix, but users can manually check for updates.
  • The update also addresses a medium-severity use-after-free bug in the Blink rendering engine.
Sources: CSO Online (1 article)
Alex Protocol Loses $8.3M in Exploit Due to Vulnerability
Alex Protocol suffered an $8.3 million exploit due to a vulnerability in its verification logic.

Key points:

  • The exploit resulted in the loss of 8.4 million STX tokens, 21.85 sBTC, 149,850 USDC, and 2.8 WBTC.
  • Alex Lab Foundation pledged to reimburse affected users using treasury reserves, with compensation in USDC tokens.
  • Affected wallets will receive notifications and must submit claims by June 10 for reimbursement.
  • This incident marks one of the largest exploits in the Stacks ecosystem.
  • Alex Protocol previously suffered a $4.3 million exploit in May 2024, linked to the Lazarus group.
Sources: Cointelegraph (1 article)
Suricata's URL Decoding Challenges and Evasion Techniques
The article explores Suricata's URL decoding issues and the development of tools to enhance detection rules.

Key points:

  • GreyNoise transitioned over 1000 tags to Suricata, facing significant challenges during the process.
  • The team developed a testing pipeline and a linter with over 100 rules to validate Suricata rules and prevent evasion.
  • The article includes a primer on URL encoding, explaining its necessity for handling ambiguous characters in web requests.
  • The author expresses a desire to share more insights on Suricata rule evasion techniques in future workshops.
Sources: GreyNoise Labs (1 article)
Mirai Botnet Exploits CVE-2024-3721 to Target TBK DVR Devices
CVE-2024-3721 is being exploited by a new Mirai variant targeting TBK DVR devices.

Key points:

  • CVE-2024-3721 allows unauthorized command execution on TBK DVR devices via crafted POST requests.
  • The new Mirai variant includes features such as RC4 string encryption and anti-VM detection.
  • Telemetry indicates over 50,000 exposed DVR devices globally, primarily in countries like China and India.
  • The botnet's primary objective is to infect unpatched IoT devices for DDoS and resource hijacking.
Sources: Securelist (1 article)
