Tag: Cyber Security

Oct 13, 2025Ravie LakshmananRansomware / Windows Security

Cybersecurity researchers have disclosed details of a new Rust-based backdoor called ChaosBot that can allow operators to conduct reconnaissance and execute arbitrary commands on compromised hosts.

“Threat actors leveraged compromised credentials that mapped to both Cisco VPN and an over-privileged Active Directory account named, ‘serviceaccount,’” eSentire said in a technical report published last week. “Using the compromised account, they leveraged WMI to execute remote commands across systems in the network, facilitating the deployment and execution of ChaosBot.”

The Canadian cybersecurity company said it first detected the malware in late September 2025 within a financial services customer’s environment.

ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2). It gets its name from a Discord profile maintained by the threat actor behind it, who goes by the online moniker “chaos_00019” and is responsible for issuing remote commands to the infected devices. A second Discord user account associated with C2 operations is lovebb0024.

Alternatively, the malware has also been observed relying on phishing messages containing a malicious Windows shortcut (LNK) file as a distribution vector. Should the message recipient open the LNK file, a PowerShell command is executed to download and execute ChaosBot, while a decoy PDF masquerading as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction mechanism.

The payload is a malicious DLL (“msedge_elf.dll”) that’s sideloaded using the Microsoft Edge binary called “identity_helper.exe,” after which it performs system reconnaissance and downloads a fast reverse proxy (FRP) to open a reverse proxy into the network and maintain persistent access to the compromised network.

The threat actors have also been found to leverage the malware to unsuccessfully configure a Visual Studio Code Tunnel service to act as an additional backdoor to enable command execution features. The malware’s primary function, however, is to interact with a Discord channel created by the operator with the victim’s computer name to receive further instructions.

Some of the supported commands are listed below –

• shell, to execute shell commands via PowerShell
• scr, to capture screenshots
• download, to download files to the victim device
• upload, to upload a file to the Discord channel

“New variants of ChaosBot make use of evasion techniques to bypass ETW [Event Tracing for Windows] and virtual machines,” eSentire said.

“The first technique involves patching the first few instructions of ntdll!EtwEventWrite (xor eax, eax -> ret). The second technique checks the MAC addresses of the system against known Virtual Machine MAC address prefixes for VMware and VirtualBox. If a match is found, the malware exits.”

Chaos Ransomware Gains Destructive and Clipboard Hijacking Features

The disclosure comes Fortinet FortiGuard Labs detailed a new ransomware variant of Chaos written in C++ that introduces new destructive capabilities to irrevocably delete large files rather than encrypting them and manipulate clipboard content by swapping Bitcoin addresses with an attacker-controlled wallet to redirect cryptocurrency transfers.

“This dual strategy of destructive encryption and covert financial theft underscores Chaos’ transition into a more aggressive and multifaceted threat designed to maximize financial gain,” the company said.

By incorporating destructive extortion tactics and clipboard hijacking for cryptocurrency theft, the attackers aim to position Chaos-C++ ransomware as a potent tool that can not only encrypt files, but also delete the content of any file larger than 1.3 GB and facilitate financial fraud.

The Chaos-C++ ransomware downloader poses as bogus utilities like System Optimizer v2.1 to trick users into installing them. It’s worth mentioning here that previous iterations of Chaos ransomware, such as Lucky_Gh0$t, were distributed under the guise of OpenAI ChatGPT and InVideo AI.

Once launched, the malware checks for the presence of a file named “%APPDATA%READ_IT.txt,” which signals that the ransomware has already been executed on the machine. If the file exists, it enters into what’s called a monitoring mode to keep tabs on the system clipboard.

In the event the file is not present, Chaos-C++ checks if it’s running with administrative privileges, and if so, proceeds to run a series of commands to inhibit system recovery, and then launches the encryption process to fully encrypt files that are below 50 MB, while skipping those with a file size between 50 MB and 1.3 GB, presumably for efficiency reasons.

“Rather than relying solely on full file encryption, Chaos-C++ employs a combination of methods, including symmetric or asymmetric encryption and a fallback XOR routine,” Fortinet said. “Its versatile downloader also guarantees successful execution. Together, these approaches make the ransomware execution more robust and harder to disrupt.”

Oct 12, 2025Ravie LakshmananVulnerability / Threat Intelligence

Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data.

The vulnerability, tracked as CVE-2025-61884, carries a CVSS score of 7.5, indicating high severity. It affects versions from 12.2.3 through 12.2.14.

“Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD). “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”

In a standalone alert, Oracle said the flaw is remotely exploitable without requiring any authentication, making it crucial that users apply the update as soon as possible. The company, however, makes no mention of it being exploited in the wild.

Oracle’s Chief Security Officer, Rob Duhart, pointed out that the vulnerability affects “some deployments” of E-Business Suite and that it could be weaponized to allow access to sensitive resources.

The development comes shortly after Google Threat Intelligence Group (GTIG) and Mandiant disclosed that dozens of organizations may have been impacted following the zero-day exploitation of CVE-2025-61882 in Oracle’s E-Business Suite (EBS) software.

The attacks have been found to leverage the vulnerability to trigger two different payload chains, dropping malware families like GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE.

While the tech giant did not specifically attribute the activity to a specific named threat actor or group, it’s believed that the attackers are orchestrated by a hacking group with ties to the Cl0p ransomware group.

Oct 11, 2025Ravie LakshmananCloud Security / Network Security

Cybersecurity company Huntress on Friday warned of “widespread compromise” of SonicWall SSL VPN devices to access multiple customer environments.

“Threat actors are authenticating into multiple accounts rapidly across compromised devices,” it said. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”

A significant chunk of the activity is said to have commenced on October 4, 2025, with more than 100 SonicWall SSL VPN accounts across 16 customer accounts having been impacted. In the cases investigated by Huntress, authentications on the SonicWall devices originated from the IP address 202.155.8[.]73.

The company noted that in some instances, the threat actors did not engage in further adversarial actions in the network and disconnected after a short period of time. However, in other cases, the attackers have been found conducting network scanning activity and attempting to access numerous local Windows accounts.

The disclosure comes shortly after SonicWall acknowledged that a security incident resulted in the unauthorized exposure of firewall configuration backup files stored in MySonicWall accounts. The breach, according to the latest update, affects all customers who have used SonicWall’s cloud backup service.

“Firewall configuration files store sensitive information that can be leveraged by threat actors to exploit and gain access to an organization’s network,” Arctic Wolf said. “These files can provide threat actors with critical information such as user, group, and domain settings, DNS and log settings, and certificates.”

Huntress, however, noted that there is no evidence at this stage to link the breach to the recent spike in compromises.

Considering that sensitive credentials are stored within firewall configurations, organizations using the MySonicWall cloud configuration backup service are advised to reset their credentials on live firewall devices to avoid unauthorized access.

It’s also recommended to restrict WAN management and remote access where possible, revoke any external API keys that touch the firewall or management systems, monitor logins for signs of suspicious activity, and enforce multi-factor authentication (MFA) for all admin and remote accounts.

The disclosure comes amid an increase in ransomware activity targeting SonicWall firewall devices for initial access, with the attacks leveraging known security flaws (CVE-2024-40766) to breach target networks for deploying Akira ransomware.

Darktrace, in a report published this week, said it detected an intrusion targeting an unnamed U.S. customer in late August 2025 that involved network scanning, reconnaissance, lateral movement, privilege escalation using techniques like UnPAC the hash, and data exfiltration.

“One of the compromised devices was later identified as a SonicWall virtual private network (VPN) server, suggesting that the incident was part of the broader Akira ransomware campaign targeting SonicWall technology,” it said.

“This campaign by Akira ransomware actors underscores the critical importance of maintaining up-to-date patching practices. Threat actors continue to exploit previously disclosed vulnerabilities, not just zero-days, highlighting the need for ongoing vigilance even after patches are released.”

Oct 11, 2025Ravie LakshmananNetwork Security / Vulnerability

Threat actors are abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in connection with ransomware attacks likely orchestrated by Storm-2603 (aka CL-CRI-1040 or Gold Salem), which is known for deploying the Warlock and LockBit ransomware.

The threat actor’s use of the security utility was documented by Sophos last month. It’s assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that’s susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover, per Cisco Talos.

In the attack in mid-August 2025, the threat actors are said to have made attempts to escalate privileges by creating domain admin accounts and moving laterally within the compromised environment, as well as leveraging the access to run tools like Smbexec to remotely launch programs using the SMB protocol.

Prior to data exfiltration and dropping Warlock, LockBit, and Babuk, the adversary has been found to modify Active Directory (AD) Group Policy Objects (GPOs), turn off real-time protection to tamper with system defenses, and evade detection. The findings mark the first time Storm-2603 has been linked to the deployment of Babuk ransomware.

Rapid7, which maintains Velociraptor after acquiring it in 2021, previously told The Hacker News that it’s aware of the misuse of the tool, and that it can also be abused when in the wrong hands, just like other security and administrative tools.

“This behavior reflects a misuse pattern rather than a software flaw: adversaries simply repurpose legitimate collection and orchestration capabilities,” Christiaan Beek, Rapid7’s senior director of threat analytics, said in response to the latest reported attacks.

According to Halcyon, Storm-2603 is believed to share some connections to Chinese nation-state actors owing to its early access to the ToolShell exploit and the emergence of new samples that exhibit professional-grade development practices consistent with sophisticated hacking groups.

The ransomware crew, which first emerged in June 2025, has since used LockBit as both an operational tool and a development foundation. It’s worth noting that Warlock was the final affiliate registered with the LockBit scheme under the name “wlteaml” before LockBit suffered a data leak a month before.

“Warlock planned from the beginning to deploy multiple ransomware families to confuse attribution, evade detection, and accelerate impact,” the company said. “Warlock demonstrates the discipline, resources, and access characteristic of nation-state–aligned threat actors, not opportunistic ransomware crews.”

Halcyon also pointed out the threat actor’s 48-hour development cycles for feature additions, reflective of structured team workflows. This centralized, organized project structure suggests a team with dedicated infrastructure and tooling, it added.

Other notable aspects that suggest ties to Chinese state-sponsored actors include –

• Use of operational security (OPSEC) measures, such as stripped timestamps and intentionally corrupted expiration mechanisms
• The compilation of ransomware payloads at 22:58-22:59 China Standard Time and packaging them into a malicious installer at 01:55 the next morning
• Consistent contact information and shared, misspelled domains across Warlock, LockBit, and Babuk deployments, suggesting cohesive command-and-control (C2) operations and not opportunistic infrastructure reuse

A deeper examination of Storm-2603’s development timeline has uncovered that the threat actor established the infrastructure for AK47 C2 framework in March 2025, and then created the first prototype of the tool the next month. In April, it also pivoted from LockBit-only deployment to dual LockBit/Warlock deployment within a span of 48 hours.

While it subsequently registered as a LockBit affiliate, work continued on its own ransomware until it was formally launched under the Warlock branding in June. Weeks later, the threat actor was observed leveraging the ToolShell exploit as a zero-day while also deploying Babuk ransomware starting July 21, 2025.

“The group’s rapid evolution in April from the LockBit 3.0-only deployment to a multi-ransomware deployment 48 hours later, followed by Babuk deployment in July, shows operational flexibility, detection evasion capabilities, attribution confusion tactics, and sophisticated builder expertise using leaked and open-source ransomware frameworks,” Halcyon said.

Oct 10, 2025Ravie LakshmananSaaS Security / Threat Intelligence

A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.

“Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,” the Microsoft Threat Intelligence team said in a report.

However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates, were previously highlighted by Silent Push, Malwarebytes, and Hunt.io.

What makes the attacks notable is that they don’t exploit any security flaw in the services themselves. Rather, they leverage social engineering tactics and a lack of multi-factor authentication (MFA) protections to seize control of employee accounts and ultimately modify payment information to route them to accounts managed by the threat actors.

In one campaign observed by Microsoft in the first half of 2025, the attacker is said to have obtained initial access through phishing emails that are designed to harvest their credentials and MFA codes using an adversary-in-the-middle (AitM) phishing link, thereby gaining access to their Exchange Online accounts and taking over Workday profiles through single sign-on (SSO).

The threat actors have also been observed creating inbox rules to delete incoming warning notification emails from Workday so as to hide the unauthorized changes made to profiles. This includes altering the salary payment configuration to redirect future salary payments to accounts under their control.

To ensure persistent access to the accounts, the attackers enroll their own phone numbers as MFA devices for victim accounts. What’s more, the compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities.

Microsoft said it observed 11 successfully compromised accounts at three universities since March 2025 that were used to send phishing emails to nearly 6,000 email accounts across 25 universities. The email messages feature lures related to illnesses or misconduct notices on campus, inducing a false sense of urgency and tricking recipients into clicking on the fake links.

To mitigate the risk posed by Storm-2657, it’s recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and review accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules.

Oct 10, 2025Ravie LakshmananRansomware / Data Theft

Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js’ Single Executable Application (SEA) feature as a way to distribute its payloads.

According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It’s assessed that the malware is being propagated through counterfeit installers for games and VPN applications that are uploaded to file-sharing sites such as Mediafire and Discord.

SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed.

“Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies,” security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News.

On a dedicated website, the threat actors behind Stealit claim to offer “professional data extraction solutions” via several subscription plans. This includes a remote access trojan (RAT) that supports file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems.

Prices for the Windows Stealer range from $29.99 for a weekly subscription to $499.99 for a lifetime license. The Android RAT pricing, on the other hand, goes from $99.99 all the way to $1,999.99.

The fake executables contain an installer that’s designed to retrieve the main components of the malware retrieved from a command-and-control (C2) and install them, but note that before performing a number of anti-analysis checks to ensure it’s running inside a virtual or sandboxed environment.

A crucial aspect of this step involves writing a Base64-encoded authentication key, a 12-character alphanumeric key, to the %temp%cache.json file. This key is used to authenticate with the C2 server, as well as by subscribers to log in to the dashboard in order to likely monitor and control their victims.

The malware is also engineered to configure Microsoft Defender Antivirus exclusions so that the folder that contains the downloaded components is not flagged. The functions of the three executables are as follows –

• save_data.exe, which is only downloaded and executed if the malware is running with elevated privileges. It’s designed to drop a tool named “cache.exe” – which is part of open-source project ChromElevator – to extract information from Chromium-based browsers.
• stats_db.exe, which is designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and game-related apps (Steam, Minecraft, GrowTopia, and Epic Games Launcher).
• game_cache.exe, which is designed to set up persistence on the host by launching its upon system reboot by creating a Visual Basic script and communicating with the C2 server to stream a victim’s screen in real-time, execute arbitrary commands, download/upload files, and change desktop wallpaper.

“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed,” Fortinet said. “Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard.”

Oct 10, 2025Ravie LakshmananVulnerability / Network Security

Fortra on Thursday revealed the results of its investigation into CVE-2025-10035, a critical security flaw in GoAnywhere Managed File Transfer (MFT) that’s assessed to have come under active exploitation since at least September 11, 2025.

The company said it began its investigation on September 11 following a “potential vulnerability” reported by a customer, uncovering “potentially suspicious activity” related to the flaw.

That same day, Fortra said it contacted on-premises customers who were identified as having their GoAnywhere admin console accessible to the public internet and that it notified law enforcement authorities about the incident.

A hotfix for versions 7.6.x, 7.7.x, and 7.8.x of the software was made available the next day, with full releases incorporating the patch – versions 7.6.3 and 7.8.4 – made available on September 15. Three days later, a CVE for the vulnerability was formally published, it added.

“The scope of the risk of this vulnerability is limited to customers with an admin console exposed to the public internet,” Fortra said. “Other web-based components of the GoAnywhere architecture are not affected by this vulnerability.”

However, it conceded that there are a “limited number of reports” of unauthorized activity related to CVE-2025-10035. As additional mitigations, the company is recommending that users restrict admin console access over the internet, as well as enable monitoring and keep software up-to-date.

CVE-2025-10035 concerns a case of deserialization vulnerability in the License Servlet that could result in command injection without authentication. In a report earlier this week, Microsoft revealed that a threat it tracks as Storm-1175 has been exploiting the flaw since September 11 to deploy Medusa ransomware.

That said, there is still no clarity on how the threat actors managed to obtain the private keys needed to exploit this vulnerability.

“The fact that Fortra has now opted to confirm (in their words) ‘unauthorized activity related to CVE-2025-10035’ demonstrates yet again that the vulnerability was not theoretical and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” watchTowr CEO and founder Benjamin Harris said.

The SOC of 2026 will no longer be a human-only battlefield. As organizations scale and threats evolve in sophistication and velocity, a new generation of AI-powered agents is reshaping how Security Operations Centers (SOCs) detect, respond, and adapt.

But not all AI SOC platforms are created equal.

From prompt-dependent copilots to autonomous, multi-agent systems, the current market offers everything from smart assistants to force-multiplying automation. While adoption is still early— estimated at 1–5% penetration according to Gartner—the shift is undeniable. SOC teams must now ask a fundamental question: What type of AI belongs in my security stack?

The Limits of Traditional SOC Automation

Despite promises from legacy SOAR platforms and rule-based SIEM enhancements, many security leaders still face the same core challenges:

• Analyst alert fatigue from redundant low-fidelity triage tasks
• Manual context correlation across disparate tools and logs
• Disjointed and static detection and response workflows
• Loss of institutional knowledge during turnover or tool migration

Automation promised to solve this—but often came with its own overhead: engineering-intensive setups, brittle playbooks, and limited adaptability to nuanced environments.

From Co-Pilots to Cognitive Agents: The Shift to Mesh Agentic Architectures

Many AI-enabled SOC platforms rely on Large Language Models (LLMs) in a co-pilot format: they summarize alerts, generate reports, or offer canned queries – but require constant human prompting. This model delivers surface-level speed, but not scale.

The most advanced platforms go further by introducing mesh agentic architectures—a coordinated system of AI agents, each responsible for specialized SOC functions such as triage, threat correlation, evidence assembly, and incident response.

Rather than a single model responding to prompts, these systems autonomously distribute tasks across AI agents, continuously learning from organizational context, analyst actions, and environmental telemetry.

7 Core Capabilities That Define the Leading AI SOC Platforms

In reviewing today’s AI SOC landscape, seven defining characteristics consistently separate signal from noise:

Visit Conifers.ai to request a demo and experience how CognitiveSOC may be the right AI SOC platform for your modern SOC.

Oct 10, 2025Ravie LakshmananCybercrime / Malware

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign.

The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket.

“While the packages’ randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure,” security researcher Kush Pandya said.

The packages have been found to use npm’s public registry and unpkg.com’s CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Safety’s Paul McCarty late last month.

Specifically, the library comes fitted with a Python file named “redirect_generator.py” to programmatically create and publish an npm package with the name “redirect-xxxxxx,” where “x” refers to a random alphanumeric string. The script then injects a victim’s email address and custom phishing URL into the package.

Once the package is live on the npm registry, the “malware” proceeds to create an HTML file with a reference to the UNPKG CDN associated with the newly published package (e.g., “unpkg[.]com/redirect-xs13nr@1.0.0/beamglea.js”). The threat actor is said to be taking advantage of this behavior to distribute HTML payloads that, when opened, load JavaScript from the UNPKG CDN and redirect the victim to Microsoft credential harvesting pages.

The JavaScript file “beamglea.js” is a redirect script that includes the victim’s email address and the URL to which the victim is navigated in order to capture their credentials. Socket said it found more than 630 HTML files that masquerade as purchase orders, technical specifications, or project documents.

In other words, the npm packages are not designed to execute malicious code upon installation. Instead, the campaign leverages npm and UNPKG for hosting the phishing infrastructure. It’s currently not clear how the HTML files are distributed, although it’s possible they are propagated via emails that trick recipients into launching the specially crafted HTML files.

“When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim’s email address via URL fragment,” Socket said.

“The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them. This pre-filled credential significantly increases the attack’s success rate by reducing victim suspicion.”

The findings once again highlight the ever-evolving nature of threat actors who are constantly adapting their techniques to stay ahead of defenders, who are also constantly developing new techniques to detect them. In this case, it underscores the abuse of legitimate infrastructure at scale.

“The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector,” Pandya said. “Developers who install these packages see no malicious behavior, but victims opening specially crafted HTML files are redirected to phishing sites.”

“By publishing 175 packages across 9 accounts and automating victim-specific HTML generation, the attackers created a resilient phishing infrastructure that costs nothing to host and leverages trusted CDN services. The combination of npm’s open registry, unpkg.com’s automatic serving, and minimal code creates a reproducible playbook that other threat actors will adopt.”

Oct 10, 2025Ravie LakshmananVulnerability / Zero-Day

Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products.

The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560.

Huntress said it first detected the activity on September 27, 2025, uncovering that three of its customers have been impacted so far.

It’s worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0), a case of hard-coded machine key that could allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability. The vulnerability has since come under active exploitation.

CVE-2025-11371, per Huntress, “allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability. Additional details of the flaw are being withheld in light of active exploration and in the absence of a patch.

In one instance investigated by the company, the affected version was newer than 16.4.10315.56368 and not vulnerable to CVE-2025-30406, suggesting that attackers could exploit earlier versions and use the hard-coded machine key to execute code remotely via the ViewState deserialization flaw.

In the interim, users are recommended to disable the “temp” handler within the Web.config file for UploadDownloadProxy located at “C:Program Files (x86)Gladinet Cloud EnterpriseUploadDownloadProxyWeb.config.”

“This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond said.