Category: Cybersecurity

  • Over 600 Laravel Apps Exposed to Remote Code Execution Due to Leaked APP_KEYs on GitHub

    Cybersecurity researchers have discovered a serious security issue that allows leaked Laravel APP_KEYs to be weaponized to gain remote code execution capabilities on hundreds of applications.

    “Laravel’s APP_KEY, essential for encrypting sensitive data, is often leaked publicly (e.g., on GitHub),” GitGuardian said. “If attackers get access to this key, they can exploit a deserialization flaw to execute arbitrary code on the server – putting data and infrastructure at risk.”

    The company, in collaboration with Synacktiv, said it was able to extract more than 260,000 APP_KEYs from GitHub from 2018 to May 30, 2025, identifying over 600 vulnerable Laravel applications in the process. GitGuardian said it observed over 10,000 unique APP_KEYs across GitHub, of which 400 APP_KEYs were validated as functional.

    APP_KEY is a random 32-byte encryption key that’s generated during the installation of Laravel. Stored in the .env file of the application, it’s used to encrypt and decrypt data, generate secure, random strings, sign and verify data, and create unique authentication tokens, making it a crucial security component.

    GitGuardian noted that Laravel’s current implementation of the decrypt() function introduces a security issue wherein it automatically deserializes decrypted data, thereby opening the door for possible remote code execution.

    “Specifically in Laravel applications, if attackers obtain the APP_KEY and can invoke the decrypt() function with a maliciously crafted payload, they can achieve remote code execution on the Laravel web server,” security researcher Guillaume Valadon said.

    “This vulnerability was first documented with CVE-2018-15133, which affected Laravel versions prior to 5.6.30. However, this attack vector persists in newer Laravel versions when developers explicitly configure session serialization in cookies using the SESSION_DRIVER=cookie setting, as demonstrated by CVE-2024-55556.”

    It’s worth noting that CVE-2018-15133 has been exploited in the wild by threat actors associated with the AndroxGh0st malware, after scanning the internet for Laravel applications with misconfigured .env files.

    Further analysis has found that 63% of APP_KEY exposures originate from .env files (or their variants) that typically contain other valuable secrets, such as cloud storage tokens, database credentials, and secrets associated with e-commerce platforms, customer support tools, and artificial intelligence (AI) services.

    More importantly, approximately 28,000 APP_KEY and APP_URL pairs have been concurrently exposed on GitHub. Of these, approximately 10% have been found to be valid, rendering 120 applications vulnerable to trivial remote code execution attacks.

    Given that the APP_URL configuration specifies the application’s base URL, exposing both APP_URL and APP_KEY creates a potent attack vector that threat actors can leverage to directly access the app, retrieve session cookies, and attempt to decrypt them using the exposed key.
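
    An added example, not code from GitGuardian or Laravel: a Python check that a pre-commit hook or CI job could run over dotenv-style files to flag the exposure pattern described above (a usable APP_KEY, a paired APP_URL, SESSION_DRIVER=cookie, and neighbouring secrets). The file contents, key value and host name are constructed, and the secret-name suffix list is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Laravel's encrypter accepts 16-byte (AES-128) and 32-byte (AES-256) keys.
VALID_KEY_LENGTHS = {16, 32}
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
# Assumption: variable-name suffixes that usually hold credentials.
OTHER_SECRET = re.compile(r"(PASSWORD|SECRET|TOKEN|_KEY)$")
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def parse_env(text):
    """Parse dotenv-style text into a dict, skipping comments and blank lines."""
    values = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        # Strip one layer of matching quotes around the value.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        values[name] = value
    return values


def app_key_is_usable(raw):
    """True when the value decodes to a key length the encrypter accepts.

    Empty placeholders (as in .env.example) and malformed values return False.
    """
    if raw.startswith("base64:"):
        try:
            key = base64.b64decode(raw[len("base64:"):], validate=True)
        except (binascii.Error, ValueError):
            return False
    else:
        key = raw.encode()
    return len(key) in VALID_KEY_LENGTHS


def assess(text):
    """Return findings for one file; an empty list means no usable APP_KEY."""
    env = parse_env(text)
    if not app_key_is_usable(env.get("APP_KEY", "")):
        return []
    findings = ["APP_KEY exposed: rotate it, deleting the line is not enough"]
    host = urlparse(env.get("APP_URL", "")).hostname or ""
    if host not in LOCAL_HOSTS:
        findings.append(f"APP_URL pairs the key with a reachable host: {host}")
    if env.get("SESSION_DRIVER", "").lower() == "cookie":
        findings.append("SESSION_DRIVER=cookie: session cookies are decrypted with this key")
    others = sorted(
        name for name, value in env.items()
        if name != "APP_KEY" and value and OTHER_SECRET.search(name)
    )
    if others:
        findings.append("other secrets to rotate: " + ", ".join(others))
    return findings


def scan(files):
    """Map path -> findings for every file that carries a usable APP_KEY."""
    results = {}
    for path, text in files.items():
        findings = assess(text)
        if findings:
            results[path] = findings
    return results


# Constructed sample input: the key is bytes 0..31, not a real secret.
SAMPLE_KEY = "base64:" + base64.b64encode(bytes(range(32))).decode()
SAMPLE_FILES = {
    ".env": (
        "APP_NAME=Shop\n"
        f"APP_KEY={SAMPLE_KEY}\n"
        "APP_URL=https://shop.example.test\n"
        "SESSION_DRIVER=cookie\n"
        'DB_PASSWORD="constructed-value"\n'
    ),
    ".env.example": "APP_KEY=\nAPP_URL=http://localhost\n",
    "docker/.env.dev": f"APP_KEY={SAMPLE_KEY}\nAPP_URL=http://localhost:8000\n",
}

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_FILES).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```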

    Simply scrubbing secrets from repositories isn’t enough—especially when they’ve already been cloned or cached by third-party tools. What developers need is a clear rotation path, backed by monitoring that flags every future reappearance of sensitive strings across CI logs, image builds, and container layers.

    “Developers should never simply delete exposed APP_KEYs from repositories without proper rotation,” GitGuardian said. “The proper response involves: immediately rotating the compromised APP_KEY, updating all production systems with the new key, and implementing continuous secret monitoring to prevent future exposures.”

    These types of incidents also align with a broader class of PHP deserialization vulnerabilities, where tools like phpggc help attackers craft gadget chains that trigger unintended behaviors during object loading. When used in Laravel environments with leaked keys, such gadgets can achieve full RCE without needing to breach the app’s logic or routes.

    The disclosure comes after GitGuardian revealed that it discovered a “staggering 100,000 valid secrets” in Docker images publicly accessible on the DockerHub registry. This includes secrets associated with Amazon Web Services (AWS), Google Cloud, and GitHub tokens.

    A new Binarly analysis of over 80,000 unique Docker images spanning 54 organizations and 3,539 repositories has likewise uncovered 644 unique secrets that encompassed generic credentials, JSON Web Tokens, HTTP Basic Authorization header, Google Cloud API key, AWS access tokens, and CircleCI API tokens, among others.

    “Secrets appear in a wide variety of file types, including source code, configuration files, and even large binary files, areas where many existing scanners fall short,” the company said. “Moreover, the presence of entire Git repositories inside container images represents a serious and often overlooked security risk.”

    But that’s not all. The rapid adoption of Model Context Protocol (MCP) to enable agentic workflows in enterprise-driven AI applications has opened up brand new attack vectors – a concerning one being the leakage of secrets from MCP servers published to GitHub repositories.

    Specifically, GitGuardian found that 202 of them leaked at least one secret, accounting for 5.2% of all the repositories – a number that the company said is “slightly higher than the 4.6% occurrence rate observed on all public repositories,” making MCP servers a “new source of secret leaks.”

    While this research focuses on Laravel, the same root problem—unguarded secrets in public repositories—applies to other stacks. Organizations should explore centralized secret scanning, Laravel-specific hardening guides, and secure-by-design patterns for managing .env files and container secrets across frameworks.

    Source: thehackernews.com…

  • Taiwan NSB Alerts Public on Data Risks from Douyin, Weibo, and RedNote Over China Ties

    Jul 05, 2025 | Ravie Lakshmanan | National Security / Privacy

    Taiwan’s National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, Douyin, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China.

    The alert comes following an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency.

    “The results indicate the existence of security issues, including excessive data collection and privacy infringement,” the NSB said. “The public is advised to exercise caution when choosing mobile apps.”

    The agency said it evaluated the apps against 15 indicators spanning five broad categories: Personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.

    According to the analysis, RedNote violated all 15 indicators, followed by Weibo and Douyin, which were each found to breach 13 indicators. WeChat and Baidu Cloud violated 10 and 9 of the 15 indicators, respectively.

    These issues encompassed extensive collection of personal data, including facial recognition information, screenshots, clipboard contents, contact lists, and location information. All the apps have also been flagged for harvesting the list of installed apps and device parameters.

    “With regard to data transmission and sharing, the said five apps were found to send packets back to servers located in China,” the NSB said. “This type of transmission has raised serious concerns over the potential misuse of personal data by third-parties.”

    NSB also pointed out that companies operating in China are obligated to turn over user data under domestic laws for national security, public security, and intelligence purposes, and that using these apps can breach the privacy of Taiwanese users.

    The development comes as countries like India have enacted bans against Chinese-made apps, citing security concerns. In November 2024, Canada ordered TikTok to dissolve its operations in the country, although its fate in the U.S. still remains in limbo, as the ban – which was supposed to take effect in January 2025 – has been extended for a third time.

    Last week, one of Germany’s data protection authorities urged Apple and Google to remove Chinese artificial intelligence (AI) chatbot DeepSeek from their respective app stores due to unlawful user data transfers to China. Similar restrictions have also been imposed by other nations.

    “The NSB strongly advises the public to remain vigilant regarding mobile device security and avoid downloading China-made apps that pose cybersecurity risks, so as to protect personal data privacy and corporate business secrets,” it added.

    (The story was updated after publication to emphasize that the NSB referred to Douyin, TikTok’s China-focused app, and not TikTok itself.)

    Source: thehackernews.com…

  • Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

    Jul 11, 2025 | Ravie Lakshmanan | United States

    Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances.

    Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

    “An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,” Fortinet said in an advisory released this week.

    The shortcoming impacts the following versions –

    • FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above)
    • FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above)
    • FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above)
    • FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above)

    Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for discovering the issue.

    In an analysis published today, watchTowr Labs said the problem is rooted in a function called “get_fabric_user_by_token” that’s associated with the Fabric Connector component, which acts as a bridge between FortiWeb and other Fortinet products.

    The function, in turn, is invoked from another function named “fabric_access_check,” that’s called from three different API endpoints: “/api/fabric/device/status,” “/api/v[0-9]/fabric/widget/[a-z]+,” and “/api/v[0-9]/fabric/widget.”

    The issue is that attacker-controlled input – passed via a Bearer token Authorization header in a specially crafted HTTP request – is passed directly to an SQL database query without adequate sanitization to make sure that it’s not harmful and does not include any malicious code.

    The attack can be extended further by embedding a SELECT … INTO OUTFILE statement to write the results of command execution to a file in the underlying operating system by taking advantage of the fact that the query is run as the “mysql” user.

    “The new version of the function replaces the previous format-string query with prepared statements – a reasonable attempt to prevent straightforward SQL injection,” security researcher Sina Kheirkhah said.
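
    The root cause and the fix described above, as an added example that is not FortiWeb's code: a token lookup built with a format string beside the same lookup as a prepared statement. It uses Python's sqlite3 as a stand-in for the appliance's MySQL database; the table, column and token values are hypothetical and constructed.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table holding one API user and token."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_user (name TEXT, token TEXT)")
    conn.execute("INSERT INTO fabric_user VALUES ('fabric-admin', 'tok-3f9a')")
    return conn


def bearer_token(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def user_by_token_format_string(conn, token):
    """'Before' pattern: the header value becomes part of the SQL text itself."""
    query = "SELECT name FROM fabric_user WHERE token = '%s' LIMIT 1" % token
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def user_by_token_prepared(conn, token):
    """'After' pattern: the value is bound as data and cannot alter the statement."""
    row = conn.execute(
        "SELECT name FROM fabric_user WHERE token = ? LIMIT 1", (token,)
    ).fetchone()
    return row[0] if row else None


# Constructed requests: one with the real token, one whose token carries a quote.
VALID_REQUEST = {"Authorization": "Bearer tok-3f9a"}
CRAFTED_REQUEST = {"Authorization": "Bearer x' OR '1'='1"}

if __name__ == "__main__":
    db = make_db()
    for label, request in (("valid", VALID_REQUEST), ("crafted", CRAFTED_REQUEST)):
        token = bearer_token(request)
        print(label,
              "| format string ->", user_by_token_format_string(db, token),
              "| prepared ->", user_by_token_prepared(db, token))
```

    With the format-string version the crafted header is accepted as the stored user even though the token is wrong; the prepared statement compares the whole string against the column and returns nothing.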

    As a temporary workaround until the necessary patches can be applied, users are recommended to disable the HTTP/HTTPS administrative interface.

    With flaws in Fortinet devices having been exploited by threat actors in the past, it’s essential that users move quickly to update to the latest version to mitigate potential risks.

    Source: thehackernews.com…

  • PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution

    Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.

    The vulnerabilities, dubbed PerfektBlue, can be fashioned together as an exploit chain to run arbitrary code on cars from at least three major automakers, Mercedes-Benz, Volkswagen, and Skoda, according to PCA Cyber Security (formerly PCAutomotive). Outside of these three, a fourth unnamed original equipment manufacturer (OEM) has been confirmed to be affected as well.

    “PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” the cybersecurity company said.

    While infotainment systems are often seen as isolated from critical vehicle controls, in practice, this separation depends heavily on how each automaker designs internal network segmentation. In some cases, weak isolation allows attackers to use IVI access as a springboard into more sensitive zones—especially if the system lacks gateway-level enforcement or secure communication protocols.

    The only requirement to pull off the attack is that the bad actor needs to be within range and be able to pair their setup with the target vehicle’s infotainment system over Bluetooth. It essentially amounts to a one-click attack to trigger over-the-air exploitation.

    “However, this limitation is implementation-specific due to the framework nature of BlueSDK,” PCA Cyber Security added. “Thus, the pairing process might look different between various devices: limited/unlimited number of pairing requests, presence/absence of user interaction, or pairing might be disabled completely.”

    The list of identified vulnerabilities is as follows –

    • CVE-2024-45434 (CVSS score: 8.0) – Use-After-Free in AVRCP service
    • CVE-2024-45431 (CVSS score: 3.5) – Improper validation of an L2CAP channel’s remote CID
    • CVE-2024-45433 (CVSS score: 5.7) – Incorrect function termination in RFCOMM
    • CVE-2024-45432 (CVSS score: 5.7) – Function call with incorrect parameter in RFCOMM

    Successfully obtaining code execution on the In-Vehicle Infotainment (IVI) system enables an attacker to track GPS coordinates, record audio, access contact lists, and even perform lateral movement to other systems and potentially take control of critical software functions of the car, such as the engine.

    Following responsible disclosure in May 2024, patches were rolled out in September 2024.

    “PerfektBlue allows an attacker to achieve remote code execution on a vulnerable device,” PCA Cyber Security said. “Consider it as an entrypoint to the targeted system which is critical. Speaking about vehicles, it’s an IVI system. Further lateral movement within a vehicle depends on its architecture and might involve additional vulnerabilities.”

    Earlier this April, the company presented a series of vulnerabilities that could be exploited to remotely break into a Nissan Leaf electric vehicle and take control of critical functions. The findings were presented at the Black Hat Asia conference held in Singapore.

    “Our approach began by exploiting weaknesses in Bluetooth to infiltrate the internal network, followed by bypassing the secure boot process to escalate access,” it said.

    “Establishing a command-and-control (C2) channel over DNS allowed us to maintain a covert, persistent link with the vehicle, enabling full remote control. By compromising an independent communication CPU, we could interface directly with the CAN bus, which governs critical body elements, including mirrors, wipers, door locks, and even the steering.”

    CAN, short for Controller Area Network, is a communication protocol mainly used in vehicles and industrial systems to facilitate communication between multiple electronic control units (ECUs). Should an attacker with physical access to the car be able to tap into it, the scenario opens the door for injection attacks and impersonation of trusted devices.

    “One notorious example involves a small electronic device hidden inside an innocuous object (like a portable speaker),” the Hungarian company said. “Thieves covertly plug this device into an exposed CAN wiring junction on the car.”

    “Once connected to the car’s CAN bus, the rogue device mimics the messages of an authorized ECU. It floods the bus with a burst of CAN messages declaring ‘a valid key is present’ or instructing specific actions like unlocking the doors.”

    In a report published late last month, Pen Test Partners revealed it turned a 2016 Renault Clio into a Mario Kart controller by intercepting CAN bus data to gain control of the car and mapping its steering, brake, and throttle signals to a Python-based game controller.

    Source: thehackernews.com…

  • Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals

    An Iranian-backed ransomware-as-a-service (RaaS) named Pay2Key has resurfaced in the wake of the Israel-Iran-U.S. conflict last month, offering bigger payouts to cybercriminals who launch attacks against Israel and the U.S.

    The financially motivated scheme, now operating under the moniker Pay2Key.I2P, is assessed to be linked to a hacking group tracked as Fox Kitten (aka Lemon Sandstorm).

    “Linked to the notorious Fox Kitten APT group and closely tied to the well-known Mimic ransomware, […] Pay2Key.I2P appears to partner with or incorporate Mimic’s capabilities,” Morphisec security researcher Ilia Kulmin said.

    “Officially, the group offers an 80% profit share (up from 70%) to affiliates supporting Iran or participating in attacks against the enemies of Iran, signaling their ideological commitment.”

    Last year, the U.S. government revealed the advanced persistent threat’s (APT) modus operandi of carrying out ransomware attacks by covertly partnering with NoEscape, RansomHouse, and BlackCat (aka ALPHV) crews.

    The use of Pay2Key by Iranian threat actors goes back to October 2020, with the attacks targeting Israeli companies by exploiting known security vulnerabilities.

    Pay2Key.I2P, per Morphisec, emerged on the scene in February 2025, claiming over 51 successful ransom payouts in four months, netting it more than $4 million in ransom payments and $100,000 in profits for individual operators.

    While their financial motives are apparent and doubtless effective, there is also an underlying ideological agenda behind them: the campaign appears to be a case of cyber warfare waged against targets in Israel and the U.S.

    A notable aspect of the latest variant of Pay2Key.I2P is that it’s the first known RaaS platform to be hosted on the Invisible Internet Project (I2P).

    “While some malware families have used I2P for [command-and-control] communication, this is a step further – a Ransomware-as-a-Service operation running its infrastructure directly on I2P,” Swiss cybersecurity company PRODAFT said in a post shared on X in March 2025. The post was subsequently reposted by Pay2Key.I2P’s own X account.

    What’s more, Pay2Key.I2P has been observed posting on a Russian darknet forum that allowed anyone to deploy the ransomware binary for a $20,000 payout per successful attack, marking a shift in RaaS operations. The post was made by a user named “Isreactive” on February 20, 2025.

    “Unlike traditional Ransomware-as-a-Service (RaaS) models, where developers take a cut only from selling the ransomware, this model allows them to capture the full ransom from successful attacks, only sharing a portion with the attackers who deploy it,” Kulmin noted at the time.

    “This shift moves away from a simple tool-sale model, creating a more decentralized ecosystem, where ransomware developers earn from attack success rather than just from selling the tool.”

    As of June 2025, the ransomware builder includes an option to target Linux systems, indicating that the threat actors are actively refining and improving the locker’s functionality. The Windows counterpart, on the other hand, is delivered as a Windows executable within a self-extracting (SFX) archive.

    It also incorporates various evasion techniques that allow it to run unimpeded by disabling Microsoft Defender Antivirus and deleting malicious artifacts deployed as part of the attack to minimize forensic trail.

    “Pay2Key.I2P represents a dangerous convergence of Iranian state-sponsored cyber warfare and global cybercrime,” Morphisec said. “With ties to Fox Kitten and Mimic, an 80% profit incentive for Iran’s supporters, and over $4 million in ransoms, this RaaS operation threatens Western organizations with advanced, evasive ransomware.”

    The findings come as the U.S. cybersecurity and intelligence agencies have warned of retaliatory attacks by Iran after American airstrikes on three nuclear facilities in the country.

    Operational technology (OT) security company Nozomi Networks said it has observed Iranian hacking groups like MuddyWater, APT33, OilRig, Cyber Av3ngers, Fox Kitten, and Homeland Justice targeting transportation and manufacturing organizations in the U.S.

    “Industrial and critical infrastructure organizations in the U.S. and abroad are urged to be vigilant and review their security posture,” the company said, adding it detected 28 cyber attacks related to Iranian threat actors between May and June 2025.

    Source: thehackernews.com…

  • Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild

    Jul 11, 2025 | Ravie Lakshmanan | Cyber Attack / Vulnerability

    A recently disclosed maximum-severity security flaw impacting the Wing FTP Server has come under active exploitation in the wild, according to Huntress.

    The vulnerability, tracked as CVE-2025-47812 (CVSS score: 10.0), is a case of improper handling of null (‘\0’) bytes in the server’s web interface, which allows for remote code execution. It has been addressed in version 7.4.4.

    “The user and admin web interfaces mishandle ‘\0’ bytes, ultimately allowing injection of arbitrary Lua code into user session files,” according to an advisory for the flaw on CVE.org. “This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).”

    What makes it even more concerning is that the flaw can be exploited via anonymous FTP accounts. A comprehensive breakdown of the vulnerability entered the public domain towards the end of June 2025, courtesy of RCE Security researcher Julien Ahrens.

    Cybersecurity company Huntress said it observed threat actors exploiting the flaw to download and execute malicious Lua files, conduct reconnaissance, and install remote monitoring and management software.

    “CVE-2025-47812 stems from how null bytes are handled in the username parameter (specifically related to the loginok.html file, which handles the authentication process),” Huntress researchers said. “This can allow remote attackers to perform Lua injection after using the null byte in the username parameter.”

    “By taking advantage of the null-byte injection, the adversary disrupts the anticipated input in the Lua file which stores these session characteristics.”

    Evidence of active exploitation was first observed against a single customer on July 1, 2025, merely a day after details of the exploit were disclosed. Upon gaining access, the threat actors are said to have run enumeration and reconnaissance commands, created new users as a form of persistence, and dropped Lua files to drop an installer for ScreenConnect.

    There is no evidence that the remote desktop software was actually installed, as the attack was detected and stopped before it could progress any further. It’s currently not clear who is behind the activity.

    Data from Censys shows that there are 8,103 publicly-accessible devices running Wing FTP Server, out of which 5,004 have their web interface exposed. The majority of the instances are located in the U.S., China, Germany, the U.K., and India.

    In light of active exploitation, it’s essential that users move quickly to apply the latest patches and update their Wing FTP Server installations to version 7.4.4 or later.

    Source: thehackernews.com…

  • Securing Data in the AI Era

    Jul 11, 2025 | The Hacker News | Data Security / Enterprise Security

    The 2025 Data Risk Report: Enterprises face potentially serious data loss risks from AI-fueled tools. Adopting a unified, AI-driven approach to data security can help.

    As businesses increasingly rely on cloud-driven platforms and AI-powered tools to accelerate digital transformation, the stakes for safeguarding sensitive enterprise data have reached unprecedented levels. The Zscaler ThreatLabz 2025 Data Risk Report reveals how evolving technology landscapes are amplifying vulnerabilities, highlighting the critical need for a proactive and unified approach to data protection.

    Drawing on insights from more than 1.2 billion blocked transactions recorded by the Zscaler Zero Trust Exchange between February and December 2024, this year’s report paints a clear picture of the data security challenges that enterprises face. From the rise of data leakage through generative AI tools to the undiminished risks stemming from email, SaaS applications, and file-sharing services, the findings are both eye-opening and urgent.

    The 2025 Data Risk Report sheds light on the multifaceted data security risks enterprises face in today’s digitally enabled world. Some of the most noteworthy trends include:

    • AI apps are a major data loss vector: AI tools like ChatGPT and Microsoft Copilot contributed to millions of data loss incidents in 2024, particularly social security numbers.
    • SaaS data loss is surging: Spanning 3,000+ SaaS apps, enterprises saw more than 872 million data loss violations.
    • Email remains a leading source of data loss: Nearly 104 million transactions leaked billions of instances of sensitive data.
    • File-sharing data loss spikes: Among the most popular file-sharing apps, 212 million transactions saw data loss incidents.

    There has never been a more critical time to rethink your enterprise’s approach to data security. The 2025 ThreatLabz Data Risk Report offers a comprehensive look at where risks lie, what drives them, and how organizations can respond effectively to secure their sensitive data in today’s rapidly evolving, AI-driven ecosystem.

    To learn more about Zscaler Zero Trust Architecture and Zero Trust + AI, visit zscaler.com/security

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming the vulnerability has been weaponized in the wild.

    The shortcoming in question is CVE-2025-5777 (CVSS score: 9.3), an instance of insufficient input validation that could be exploited by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server. It’s also called Citrix Bleed 2 owing to its similarities with Citrix Bleed (CVE-2023-4966).

    “Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation,” the agency said. “This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.”

    Although multiple security vendors have since reported that the flaw has been exploited in real-world attacks, Citrix has yet to update its own advisories to reflect this aspect. As of June 26, 2025, Anil Shetty, senior vice president of engineering at NetScaler, said, “there is no evidence to suggest exploitation of CVE-2025-5777.”

    However, security researcher Kevin Beaumont, in a report published this week, said the Citrix Bleed 2 exploitation started as far back as mid-June, adding one of the IP addresses carrying out the attacks has been previously linked to RansomHub ransomware activity.

    Data from GreyNoise shows that exploitation efforts are originating from 10 unique malicious IP addresses located in Bulgaria, the United States, China, Egypt, and Finland over the past 30 days. The primary targets of these efforts are the United States, France, Germany, India, and Italy.

    The addition of CVE-2025-5777 to the KEV catalog comes as another flaw in the same product (CVE-2025-6543, CVSS score: 9.2) has also come under active exploitation in the wild. CISA added the flaw to the KEV catalog on June 30, 2025.

    “The term ‘Citrix Bleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively ‘bleeding’ sensitive information,” Akamai said, warning of a “drastic increase of vulnerability scanner traffic” after exploit details became public.

    “This flaw can have dire consequences, considering that the affected devices can be configured as VPNs, proxies, or AAA virtual servers. Session tokens and other sensitive data can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks.”

    Because these appliances often serve as centralized entry points into enterprise networks, attackers can pivot from stolen sessions to access single sign-on portals, cloud dashboards, or privileged admin interfaces. This type of lateral movement—where a foothold quickly becomes full network access—is especially dangerous in hybrid IT environments with weak internal segmentation.

    To mitigate this flaw, organizations should immediately upgrade to the patched builds listed in Citrix’s June 17 advisory, including version 14.1-43.56 and later. After patching, all active sessions—especially those authenticated via AAA or Gateway—should be forcibly terminated to invalidate any stolen tokens.

    Admins are also encouraged to inspect logs (e.g., ns.log) for suspicious requests to authentication endpoints such as /p/u/doAuthentication.do, and review responses for unexpected XML data like <InitialValue> fields. Since the vulnerability is a memory overread, it does not leave traditional malware traces—making token hijack and session replay the most urgent concerns.
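
    One way to triage the log review described above, as an added example that is not Citrix's or any vendor's tooling: because the leak is triggered by repeating the same request, the sketch flags sources that send bursts of POSTs to the authentication endpoint. The log layout, function names, window and threshold are assumptions; real ns.log entries are laid out differently and the parsing regex must be adapted.

```javascript
// Constructed sample lines in a simplified "<ISO time> <src> <method> <path> <status>"
// layout. This is NOT the real ns.log format; adapt parseLine() to your export.
const SAMPLE_LOG = `
2025-07-01T10:00:01Z 198.51.100.7 POST /p/u/doAuthentication.do 200
2025-07-01T10:00:02Z 198.51.100.7 POST /p/u/doAuthentication.do 200
2025-07-01T10:00:03Z 198.51.100.7 POST /p/u/doAuthentication.do 200
2025-07-01T10:00:04Z 198.51.100.7 POST /p/u/doAuthentication.do 200
2025-07-01T10:00:05Z 198.51.100.7 POST /p/u/doAuthentication.do 200
2025-07-01T10:00:06Z 198.51.100.7 POST /p/u/doAuthentication.do 200
2025-07-01T10:01:00Z 192.0.2.10 POST /p/u/doAuthentication.do 200
2025-07-01T10:09:30Z 192.0.2.10 POST /p/u/doAuthentication.do 401
2025-07-01T10:02:00Z 192.0.2.10 GET /index.html 200
garbled entry without fields
`;
const AUTH_PATH = "/p/u/doAuthentication.do";

function parseLine(line) {
  const m = /^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$/.exec(line.trim());
  if (!m) return null; // skip blank or malformed lines instead of guessing
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, src: m[2], method: m[3], path: m[4].split("?")[0], status: Number(m[5]) };
}

// Report sources whose POSTs to the auth endpoint peak at >= threshold within windowMs.
function findRepeatedAuthPosts(logText, { windowMs = 60000, threshold = 5 } = {}) {
  const bySrc = new Map();
  for (const line of logText.split("\n")) {
    const e = parseLine(line);
    if (!e || e.method !== "POST" || e.path !== AUTH_PATH) continue;
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push(e.ts);
  }
  const findings = [];
  for (const [src, times] of bySrc) {
    times.sort((a, b) => a - b);
    let start = 0, peak = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // slide the window forward
      peak = Math.max(peak, end - start + 1);
    }
    if (peak >= threshold) findings.push({ src, total: times.length, peakInWindow: peak });
  }
  return findings.sort((a, b) => b.peakInWindow - a.peakInWindow);
}
```

    A hit is a lead for session review and termination, not proof of compromise, since legitimate login retries also reach this endpoint.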

    The development also follows reports of active exploitation of a critical security vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8) to deploy NetCat and the XMRig cryptocurrency miner in attacks targeting South Korea by means of PowerShell and shell scripts. CISA added the flaw to the KEV catalog in July 2024.

    “Threat actors are targeting environments with vulnerable GeoServer installations, including those of Windows and Linux, and have installed NetCat and XMRig coin miner,” AhnLab said.

    “When a coin miner is installed, it uses the system’s resources to mine the threat actor’s Monero coins. The threat actor can then use the installed NetCat to perform various malicious behaviors, such as installing other malware or stealing information from the system.”


    Source: thehackernews.com…

  • Critical mcp-remote Vulnerability Enables Remote Code Execution, Impacting 437,000+ Downloads

    Jul 10, 2025 | Ravie Lakshmanan | Vulnerability / AI Security

    Cybersecurity researchers have discovered a critical vulnerability in the open-source mcp-remote project that could result in the execution of arbitrary operating system (OS) commands.

    The vulnerability, tracked as CVE-2025-6514, carries a CVSS score of 9.6 out of 10.0.

    “The vulnerability allows attackers to trigger arbitrary OS command execution on the machine running mcp-remote when it initiates a connection to an untrusted MCP server, posing a significant risk to users – a full system compromise,” Or Peles, JFrog Vulnerability Research Team Leader, said.

    Mcp-remote is a tool that sprang forth following Anthropic’s release of Model Context Protocol (MCP), an open-source framework that standardizes the way large language model (LLM) applications integrate and share data with external data sources and services.

    It acts as a local proxy, enabling MCP clients like Claude Desktop to communicate with remote MCP servers, as opposed to running them locally on the same machine as the LLM application. The npm package has been downloaded more than 437,000 times to date.

    The vulnerability affects mcp-remote versions from 0.0.5 to 0.1.15. It has been addressed in version 0.1.16 released on June 17, 2025. Anyone using mcp-remote that connects to an untrusted or insecure MCP server using an affected version is at risk.

    “While previously published research has demonstrated risks from MCP clients connecting to malicious MCP servers, this is the first time that full remote code execution is achieved in a real-world scenario on the client operating system when connecting to an untrusted remote MCP server,” Peles said.

    The shortcoming has to do with how a malicious MCP server operated by a threat actor could embed a command during the initial communication establishment and authorization phase, which, when processed by mcp-remote, causes it to be executed on the underlying operating system.

    While the issue leads to arbitrary OS command execution on Windows with full parameter control, it results in the execution of arbitrary executables with limited parameter control on macOS and Linux systems.

    To mitigate the risk posed by the flaw, users are advised to update the library to the latest version and only connect to trusted MCP servers over HTTPS.

    “While remote MCP servers are highly effective tools for expanding AI capabilities in managed environments, facilitating rapid iteration of code, and helping ensure more reliable delivery of software, MCP users need to be mindful of only connecting to trusted MCP servers using secure connection methods such as HTTPS,” Peles said.

    “Otherwise, vulnerabilities like CVE-2025-6514 are likely to hijack MCP clients in the ever-growing MCP ecosystem.”

    The disclosure comes after Oligo Security detailed a critical vulnerability in the MCP Inspector tool (CVE-2025-49596, CVSS score: 9.4) that could pave the way for remote code execution.

    Earlier this month, two other high-severity security defects were uncovered in Anthropic’s Filesystem MCP Server, which, if successfully exploited, could let attackers break out of the server’s sandbox, manipulate any file on the host, and achieve code execution.

    The two flaws, per Cymulate, are listed below –

    • CVE-2025-53110 (CVSS score: 7.3) – A directory containment bypass that makes it possible to access, read, or write outside of the approved directory (e.g., “/private/tmp/allowed_dir”) by using the allowed directory prefix on other directories (e.g., “/private/tmp/allow_dir_sensitive_credentials”), thereby opening the door to data theft and possible privilege escalation
    • CVE-2025-53109 (CVSS score: 8.4) – A symbolic link (aka symlink) bypass stemming from poor error handling that can be used to point to any file on the file system from within the allowed directory, allowing an attacker to read or alter critical files (e.g., “/etc/sudoers”) or drop malicious code, resulting in code execution by making use of Launch Agents, cron jobs, or other persistence techniques

    Both shortcomings impact all Filesystem MCP Server versions prior to 0.6.3 and 2025.7.1, which include the relevant fixes.

    “This vulnerability is a serious breach of the Filesystem MCP Servers security model,” security researcher Elad Beber said about CVE-2025-53110. “Attackers can gain unauthorized access by listing, reading or writing to directories outside the allowed scope, potentially exposing sensitive files like credentials or configurations.”

    “Worse, in setups where the server runs as a privileged user, this flaw could lead to privilege escalation, allowing attackers to manipulate critical system files and gain deeper control over the host system.”
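
    The two bug classes described above (prefix-based containment and symlink escape), shown as an added Node.js example that is not the Filesystem MCP Server's code or its patch: a string-prefix check next to a check that resolves symlinks and compares whole path segments. Function names and the temp-directory layout are constructed for illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Weak form: plain string-prefix comparison, no segment boundary, no symlink resolution.
function isAllowedNaive(requested, allowedDir) {
  return path.resolve(requested).startsWith(path.resolve(allowedDir));
}

// Hardened form: resolve symlinks first, then compare on path-segment boundaries.
function isAllowedStrict(requested, allowedDir) {
  const root = fs.realpathSync(allowedDir);
  let real;
  try {
    real = fs.realpathSync(requested);
  } catch (err) {
    if (err.code !== "ENOENT") return false; // fail closed on unexpected errors
    try {
      // An entry that exists but cannot be resolved is a dangling symlink: refuse it.
      if (fs.lstatSync(requested, { throwIfNoEntry: false })) return false;
      real = path.join(fs.realpathSync(path.dirname(requested)), path.basename(requested));
    } catch {
      return false;
    }
  }
  const rel = path.relative(root, real);
  return !(rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel));
}

// Constructed layout in a temp directory; every name below is a sample value.
function runDemo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "containment-"));
  const allowed = path.join(base, "allowed_dir");
  const sibling = path.join(base, "allowed_dir_sensitive_credentials");
  for (const dir of [allowed, sibling]) fs.mkdirSync(dir);
  fs.writeFileSync(path.join(allowed, "notes.txt"), "ok");
  fs.writeFileSync(path.join(sibling, "secret.txt"), "constructed secret");
  fs.symlinkSync(path.join(sibling, "secret.txt"), path.join(allowed, "link"));
  const out = {
    naiveSibling: isAllowedNaive(path.join(sibling, "secret.txt"), allowed),
    strictSibling: isAllowedStrict(path.join(sibling, "secret.txt"), allowed),
    naiveSymlink: isAllowedNaive(path.join(allowed, "link"), allowed),
    strictSymlink: isAllowedStrict(path.join(allowed, "link"), allowed),
    strictInside: isAllowedStrict(path.join(allowed, "notes.txt"), allowed),
    strictNewFile: isAllowedStrict(path.join(allowed, "new.txt"), allowed),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

    The strict check still leaves a window between validation and use; where that matters, open the file first and validate the opened handle's resolved path rather than the requested string.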


    Source: thehackernews.com…

  • Fake Gaming and AI Firms Push Malware on Cryptocurrency Users via Telegram and Discord

    Jul 10, 2025 | Ravie Lakshmanan | Cryptocurrency / Cybercrime

    Cryptocurrency users are the target of an ongoing social engineering campaign that employs fake startup companies to trick users into downloading malware that can drain digital assets from both Windows and macOS systems.

    “These malicious operations impersonate AI, gaming, and Web3 firms using spoofed social media accounts and project documentation hosted on legitimate platforms like Notion and GitHub,” Darktrace researcher Tara Gould said in a report shared with The Hacker News.

    The elaborate social media scam has been ongoing for some time now, with a previous iteration in December 2024 leveraging bogus videoconferencing platforms to dupe victims into joining a meeting under the pretext of discussing an investment opportunity after approaching them on messaging apps like Telegram.

    Users who ended up downloading the purported meeting software were stealthily infected by stealer malware such as Realst. The campaign was codenamed Meeten by Cado Security (which was acquired by Darktrace earlier this year) in reference to one of the phony videoconferencing services.

    That said, there are indications that the activity may have been ongoing since at least March 2024, when Jamf Threat Labs disclosed the use of a domain named “meethub[.]gg” to deliver Realst.

    The latest findings from Darktrace show that the campaign not only still remains an active threat, but has also adopted a broader range of themes related to artificial intelligence, gaming, Web3, and social media.

    Furthermore, the attackers have been observed leveraging compromised X accounts associated with companies and employees, primarily those that are verified, to approach prospective targets and give their fake companies an illusion of legitimacy.

    “They make use of sites that are used frequently with software companies such as X, Medium, GitHub, and Notion,” Gould said. “Each company has a professional looking website that includes employees, product blogs, whitepapers and roadmaps.”

    One such non-existent company is Eternal Decay (@metaversedecay), which claims to be a blockchain-powered game and has shared digitally altered versions of legitimate pictures on X to give the impression that they are presenting at various conferences. The end goal is to build an online presence that makes these firms appear as real as possible and increases the likelihood of infection.

    Some of the other identified companies are listed below –

    • BeeSync (X accounts: @BeeSyncAI, @AIBeeSync)
    • Buzzu (X accounts: @BuzzuApp, @AI_Buzzu, @AppBuzzu, @BuzzuApp)
    • Cloudsign (X account: @cloudsignapp)
    • Dexis (X account: @DexisApp)
    • KlastAI (X account: Links to Pollens AI’s X account)
    • Lunelior
    • NexLoop (X account: @nexloopspace)
    • NexoraCore
    • NexVoo (X account: @Nexvoospace)
    • Pollens AI (X accounts: @pollensapp, @Pollens_app)
    • Slax (X accounts: @SlaxApp, @Slax_app, @slaxproject)
    • Solune (X account: @soluneapp)
    • Swox (X accounts: @SwoxApp, @Swox_AI, @swox_app, @App_Swox, @AppSwox, @SwoxProject, @ProjectSwox)
    • Wasper (X accounts: @wasperAI, @WasperSpace)
    • YondaAI (X account: @yondaspace)

    The attack chains begin when one of these adversary-controlled accounts messages a victim through X, Telegram, or Discord, urging them to test out their software in exchange for a cryptocurrency payment.

    Should the target agree to the test, they are redirected to a fictitious website from where they are prompted to enter a registration code provided by the employee to download either a Windows Electron application or an Apple disk image (DMG) file, depending on the operating system used.

    On Windows systems, opening the malicious application displays a Cloudflare verification screen to the victim while it covertly profiles the machine and proceeds to download and execute an MSI installer. Although the exact nature of the payload is unclear, it’s believed that an information stealer is run at this stage.

    The macOS version of the attack, on the other hand, leads to the deployment of the Atomic macOS Stealer (AMOS), a known infostealer malware that can siphon documents as well as data from web browsers and crypto wallets, and exfiltrate the details to an external server.

    The DMG binary is also equipped to fetch a shell script that’s responsible for setting up persistence on the system using a Launch Agent to ensure that the app starts automatically upon user login. The script also retrieves and runs an Objective-C/Swift binary that logs application usage and user interaction timestamps, and transmits them to a remote server.

    Darktrace also noted that the campaign shares tactical similarities with those orchestrated by a traffers group called Crazy Evil that’s known to dupe victims into installing malware such as StealC, AMOS, and Angel Drainer.

    “While it is unclear if the campaigns […] can be attributed to CrazyEvil or any sub teams, the techniques described are similar in nature,” Gould said. “This campaign highlights the efforts that threat actors will go to make these fake companies look legitimate in order to steal cryptocurrency from victims, in addition to the use of newer evasive versions of malware.”


    Source: thehackernews.com…