Monthly Archives: July 2025

Uncategorized

Critical eSIM Vulnerability in Kigen’s EUICC Module Could Enable SIM Hijacking Attacks

Researchers have disclosed a critical vulnerability in the Kigen eSIM (eUICC) remote management system, affecting mobile network infrastructure globally. The flaw could allow attackers to perform SIM profile swaps or hijacks via malicious over-the-air (OTA) messages — without physical access to the device.

The issue impacts GSMA-compliant eSIMs, raising serious concerns about remote control over subscriber identity and network access.

What Is Affected?

The vulnerability lies in the Kigen Subscription Manager Data Preparation+ (SM-DP+) platform, a key component that provisions eSIM profiles remotely over-the-air.

Attackers can potentially:

  • Trick devices into accepting malicious profiles
  • Hijack phone numbers or subscriber data
  • Bypass authentication mechanisms during provisioning
  • Cause denial-of-service or surveillance risk to mobile users

The issue affects eSIM infrastructure used by mobile carriers, device manufacturers, and IoT providers around the world.

Discovered by Security Researchers

The flaw was identified by adaptiveMobile Security, who demonstrated how a malformed or maliciously crafted OTA message could trigger insecure profile handling, potentially allowing takeover of mobile identities at scale.

While Kigen has since issued updates and patches, details on CVE assignment are pending at the time of writing.

Kigen’s Response

Kigen acknowledged the vulnerability and has:

  • Released security patches to affected telecom providers and partners
  • Notified GSMA and ecosystem stakeholders
  • Updated SM-DP+ and remote provisioning systems to mitigate risk

Customers are advised to ensure OTA provisioning services are updated and to audit profile delivery mechanisms.

Why This Matters

With the rising adoption of eSIMs in smartphones, wearables, and connected cars, the implications of this vulnerability are significant:

  • Attacks can happen remotely, without touching the victim’s device
  • SIM profile hijack enables interception of calls, messages, and data
  • IoT fleets relying on Kigen’s eSIM stack are particularly vulnerable

Final Takeaway

This vulnerability highlights the need for end-to-end security in SIM provisioning infrastructure. As eSIM adoption grows, attacks will shift to backend systems — and that’s exactly what happened here.

Protecting your network now means securing both the SIM and the cloud behind it.

Source:

The Hacker News –
“eSIM Vulnerability in Kigen’s eUICC Module Could Allow SIM Hijacking Attacks”
🔗 https://thehackernews.com/2025/07/esim-vulnerability-in-kigens-euicc.html

CVE, Knowledge, News

Over 1,000 CrushFTP Servers Targeted in Active Exploits of Zero-Day Vulnerability

Security researchers have sounded the alarm over ongoing attacks targeting over 1,000 publicly accessible CrushFTP servers. The attacks exploit a zero-day vulnerability that enables unauthenticated remote code execution (RCE), allowing attackers to hijack entire servers without credentials.

If you’re running an unpatched CrushFTP instance exposed to the internet, you may already be compromised.

The Vulnerability – CVE-2024-4040

The zero-day, now assigned CVE-2024-4040, affects multiple versions of CrushFTP, a widely-used commercial file transfer server for Windows, Linux, and macOS.

Exploiting this flaw allows a remote attacker to:

  • Access sensitive files (e.g., settings, sessions, or credentials)
  • Achieve remote code execution on the system
  • Fully hijack or persistently backdoor the server

Researchers warn that threat actors are actively exploiting this flaw in the wild.

Global Exposure

Security firm Shadowserver reports that more than 1,200 vulnerable CrushFTP servers remain exposed online, across:

  • US
  • Germany
  • Russia
  • Japan
  • France
  • And more…

This includes government agencies, corporations, and academic institutions.

🛡️ Fixes Are Available – Act Now

The CrushFTP team released patched versions (v10.7.1 and later). Admins are urged to:

  • Update immediately to the latest stable version
  • Review server logs for signs of unauthorized access
  • Isolate compromised systems from the network
  • Rotate credentials and tokens if exploitation is suspected

Official patch and changelog: crushftp.com

Lessons Learned

This attack wave reinforces several key points:

  • Zero-days can hit any vendor — even commercial, “secure” software
  • Publicly exposed admin interfaces are high-risk vectors
  • Regular patching and log monitoring are critical to survival

⚠️ If you’re using CrushFTP and haven’t patched yet, your system could already be in attacker hands.

Source:

BleepingComputer –
“Over 1,000 CrushFTP servers exposed to ongoing hijack attacks”
https://www.bleepingcomputer.com/news/security/over-1-000-crushftp-servers-exposed-to-ongoing-hijack-attacks/

News

PoisonedSeed Hackers Bypass FIDO2 Keys in Targeted Cyber-Espionage Attacks

Security researchers have uncovered a sophisticated Chinese cyber-espionage campaign, dubbed PoisonedSeed, that successfully bypasses FIDO2 hardware authentication using a stealthy malware framework and man-in-the-middle (MitM) techniques.

This marks the first known public case of a successful attack targeting FIDO2 USB security keys, long considered one of the most secure authentication methods available.

Who’s Behind It?

The campaign is believed to be the work of a Chinese nation-state threat actor, with activity observed targeting:

  • Journalists
  • Dissidents
  • Think tanks
  • Government-related organizations in Southeast Asia and Europe

The attackers used highly targeted phishing and malware implants to compromise endpoints and steal credentials even when FIDO-based 2FA was in place.

How Was FIDO Bypassed?

Researchers at [Insert Attribution if Available] discovered that attackers deployed a malware chain designed to intercept authentication requests and manipulate browser or application behavior in real-time.

Key aspects:

  • FIDO2 tokens were not broken cryptographically, but instead:
  • Malware positioned itself between the user and the authentication interface, performing MitM-style manipulation of the session.
  • Credential session hijacking was used post-authentication to gain access.

This technique highlights that even strong hardware security is ineffective if the endpoint is already compromised.

The PoisonedSeed Malware Framework

The malware used in the campaign is modular and stealthy:

  • Signed drivers and rootkit-level access
  • Persistence via UEFI or low-level boot mechanisms
  • Injection into authentication workflows (browser plugins, desktop apps)
  • Custom payloads that adapt based on target profile

According to analysis, it includes:

  • Credential harvesting
  • Network monitoring
  • Session token theft
  • C2 communications disguised as legitimate traffic

Mitigation and Defensive Recommendations

To defend against advanced threats like PoisonedSeed:

  • Treat endpoint security as critical – FIDO keys do not protect against malware on a compromised system.
  • Monitor for anomalous logins and token reuse.
  • Use trusted boot, EDR/XDR tools, and behavioral monitoring.
  • Educate users against highly targeted phishing.
  • Implement out-of-band authentication if possible for high-risk operations.

Takeaway

This campaign is a stark reminder that hardware-backed security like FIDO2 is only part of the equation. When attackers own the endpoint, they can undermine even the strongest authentication systems.

🔐 “PoisonedSeed” proves that attackers are adapting faster than ever – and endpoint integrity is the new battlefield.”

Source: https://thehackernews.com/2025/07/poisonseed-hackers-bypass-fido-keys.html

Article, CVE, News

Wing FTP Server Under Active Attack — Critical RCE Vulnerability CVE-2025-47812

A critical pre-auth remote code execution (RCE) vulnerability in Wing FTP Server, tracked as CVE-2025-47812, is now being exploited in the wild, with attackers targeting publicly exposed systems.

The vulnerability affects Windows, Linux, and macOS versions of Wing FTP Server prior to v7.3.1, and allows unauthenticated attackers to run arbitrary system commands via crafted HTTP requests.

About CVE-2025-47812

  • Severity: Critical (CVSS v3: 9.8)
  • Type: Pre-authentication Remote Code Execution
  • Affected software: Wing FTP Server < v7.3.1
  • Exploit vector: Malicious HTTP request to the web-based admin interface (port 5466)

Security firm Rapid7 discovered the flaw and reports active exploitation in the wild. outlining the vulnerability and its impact.

Real-World Exploits Confirmed

Researchers observed attackers leveraging this vulnerability in real-world intrusions. Public proof-of-concept exploits are also available, increasing the risk of widespread abuse.

“It’s being exploited right now — if you run Wing FTP and haven’t patched, you are at serious risk,” warns Rapid7.

🛠️ Immediate Action Required

Update to v7.3.1 or later from the official Wing FTP site:

🔗 Download the patch (v7.3.1)

Temporary Mitigation (if patching isn’t possible yet)

  • Restrict external access to the admin interface (default: TCP 5466)
  • Apply strict IP filtering or tunnel access through VPN
  • Monitor for unauthorized access or new user creation
  • Enable and review detailed server logs

Final Recommendations

  • Patch immediately to Wing FTP Server v7.3.1
  • Never expose admin interfaces directly to the internet
  • Stay updated with CVE feeds and vendor advisories
  • Treat this as an active threat, not just a theoretical risk

🔐 Don’t wait until it’s too late. Patch CVE-2025-47812 now.

Uncategorized

Exploits Published for Critical Pre-Auth Fortinet FortiWeb RCE – Immediate Action Required

Security researchers have released proof-of-concept (PoC) exploits for a critical vulnerability affecting Fortinet FortiWeb — a web application firewall deployed in enterprises worldwide. Tracked as CVE-2024-4553, this pre-authentication remote code execution (RCE) flaw enables unauthenticated attackers to execute arbitrary commands on vulnerable appliances.

About the Vulnerability

The flaw lies in FortiWeb’s management interface, affecting multiple versions of the appliance. Fortinet has classified this issue as critical, assigning it a CVSS v3 score of 9.8. It affects FortiWeb versions:

  • FortiWeb 7.2.0 through 7.2.2
  • FortiWeb 7.0.0 through 7.0.7
  • FortiWeb 6.3.0 through 6.3.23

Successful exploitation allows remote attackers to gain full control over the appliance without authentication.

Public Exploits Raise Urgency

On July 10, 2025, researchers at watchTowr published technical analysis and PoC exploit code for the flaw. While their intent was to raise awareness and help defenders test their systems, this also means malicious actors now have working exploit code available in the wild.

Soon after, exploit code began circulating on forums and GitHub repositories.

Patch Now – Fortinet Has Released Fixes

Fortinet has issued updates that fully patch the flaw. Users are urged to upgrade to:

  • FortiWeb 7.2.3 or later
  • FortiWeb 7.0.8 or later
  • FortiWeb 6.3.24 or later

You can find the advisory here: Fortinet PSIRT Advisory

⚠️ Do not delay patching. If your FortiWeb appliance is exposed to the internet and remains unpatched, it is vulnerable to immediate compromise.

Mitigation Tips

While patching is the only guaranteed fix, here are some short-term hardening measures:

  • Block access to the FortiWeb management interface from external networks.
  • Restrict access to trusted IPs via firewall rules.
  • Monitor FortiWeb logs for signs of exploitation attempts.
  • Implement network segmentation for all critical appliances.

Lessons Learned

This incident reinforces key security principles:

  • Never expose management interfaces directly to the internet.
  • Maintain strict patch management routines for all perimeter appliances.
  • Subscribe to vendor advisories and CVE feeds.
  • Assume that PoC releases will quickly be weaponized.

Final Thoughts

This isn’t the first time Fortinet has faced critical RCE flaws — and it won’t be the last. What matters most is how quickly defenders respond.

If you’re running FortiWeb in production, stop what you’re doing and check your version immediately.

🛡️ Stay patched. Stay safe.