Getting Past PyArmor
PyArmor is a python obfuscation tool used for malicious and non-malicious software. Xavier is taking a look at a sample to show what can be learned from these obfuscated samples with not too much work.
https://isc.sans.edu/diary/Obfuscated%20Malicious%20Python%20Scripts%20with%20PyArmor/31840
CenterStack RCE CVE-2025-30406
Gladinet s CenterStack secure file-sharing software suffers from an inadequately protected machine key vulnerability that can be used to modify ViewState data. This vulnerability may lead to remote code execution, which is already exploited.
https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf
Google Patches two zero-day vulnerabilities CVE-2024-53150 CVE-2024-53197
Google released its monthly patches for Android. Two of the patched vulnerabilities are already exploited. One of them was used by Serbian law enforcement.
https://www.malwarebytes.com/blog/news/2025/04/google-fixes-two-actively-exploited-zero-day-vulnerabilities-in-android
Broadcom VMWare Tenzu Updates
Broadcom released updates for VMWare Tenzu. Many vulnerabilities affect the backup component and allow for arbitrary command execution.
https://support.broadcom.com/web/ecx/security-advisory?
Windows 11 April Update ads inetpub directory
The April Windows 11 update appears to create a new /inetpub directory. It is unclear why, and removing it appears to have no bad effects.
https://www.bleepingcomputer.com/news/microsoft/windows-11-april-update-unexpectedly-creates-new-inetpub-folder/
WhatsApp File Type Confusion/Spoofing
WhatsApp patched a file type confusion vulnerability. A victim may be tricked into downloading n
https://www.whatsapp.com/security/advisories/2025/
SANS Critical AI Security Guidelines
https://www.sans.org/mlp/critical-ai-security-guidelines

Microsoft Patch Tuesday
Microsoft patched over 120 vulnerabilities this month. 11 of these were rated critical, and one vulnerability is already being exploited.
https://isc.sans.edu/diary/Microsoft%20April%202025%20Patch%20Tuesday/31838
Adobe Updates
Adobe released patches for 12 different products. In particular important are patches for Coldfusion addressing several remote code execution vulnerabilities. Adobe Commercse got patches as well, but none of the vulnerabilities are rated critical.
https://helpx.adobe.com/security/security-bulletin.html
OpenSSL 3.5 Released
OpenSSL 3.5 was released with support to post quantum ciphers. This is a long term support release.
https://groups.google.com/a/openssl.org/g/openssl-project/c/9ZYdIaExmIA
Fortiswitch Update
Fortinet released an update for Fortiswitch addressing a vulnerability that may be used to reset a password without verification.
https://fortiguard.fortinet.com/psirt/FG-IR-24-435

XORsearch: Searching With Regexes
Didier explains a workaround to use his tool XORsearch to search for regular expressions instead of simple strings.
https://isc.sans.edu/diary/XORsearch%3A%20Searching%20With%20Regexes/31834
MCP Security Notification: Tool Poisoning Attacks
Invariant labs summarized a critical weakness in the Model Context Protocol (MCP) that allows for "Tool Poisoning Attacks." Many major providers such as Anthropic and OpenAI, workflow automation systems like Zapier, and MCP clients like Cursor are susceptible to this attack
https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks
Making :visited more private
Google Chrome changed how links are marked as visited . This new partitioning scheme was introduced to improve privacy. Instead of marking a link as visited on any page where it is displayed, it is only marked as visited if the user clicks on the link while visiting the particular site where the link is displayed.
https://developer.chrome.com/blog/visited-links

New SSH Username Report
A new ssh/telnet username reports makes it easier to identify new usernames attackers are using against our telnet and ssh honeypots
https://isc.sans.edu/diary/New%20SSH%20Username%20Report/31830
Quickshell Sharing is Caring: About an RCE Attack Chain on Quick Share
The Google Quick Share protocol is susceptible to several vulnerabilities that have not yet been fully patched, allowing for some file overwrite issues that could lead to the accidental execution of malicious code.
https://www.blackhat.com/asia-25/briefings/schedule/index.html#quickshell-sharing-is-caring-about-an-rce-attack-chain-on-quick-share-43874
Apache Traffic Director Request Smuggling Vulnerability
https://www.openwall.com/lists/oss-security/2025/04/02/4

Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive
Using frequency analysis, and training the model with honeypot data as well as log data from legitimate websites allows for a fairly simple and reliable triage of web server logs to identify possible malicious activity.
https://isc.sans.edu/diary/Exploring%20Statistical%20Measures%20to%20Predict%20URLs%20as%20Legitimate%20or%20Intrusive%20%5BGuest%20Diary%5D/31822
Critical Unexploitable Ivanti Vulnerability Exploited CVE-2025-22457
In February, Ivanti patched CVE-2025-22457. At the time, the vulnerability was not considered to be exploitable. Mandiant now published a blog disclosing that the vulnerability was exploited as soon as mid-march
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/
WinRAR MotW Vulnerability CVE-2025-31334
WinRAR patched a vulnerability that would not apply the Mark of the Web correctly if a compressed file included symlinks. This may make it easier to trick a victim into executing code downloaded from a website.
https://nvd.nist.gov/vuln/detail/CVE-2025-31334
Microsoft Warns of Tax-Related Scam
With the US personal income tax filing deadline only about a week out, Microsoft warns of commonly deployed scams that they are observing related to income tax filings
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/
Oracle Breach Update
https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen

Surge in Scans for Juniper t128 Default User
Lasst week, we dedtect a significant surge in ssh scans for the username t128 . This user is used by Juniper s Session Smart Routing, a product they acquired from 128 Technologies which is the reason for the somewhat unusual username.
https://isc.sans.edu/diary/Surge%20in%20Scans%20for%20Juniper%20%22t128%22%20Default%20User/31824
Vulnerable Verizon API Allowed for Access to Call Logs
An API Verizon offered to users of its call filtering application suffered from an authentication bypass vulnerability allowing users to access any Verizon user s call history. While using a JWT to authenticate the user, the phone number used to retrieve the call history logs was passed in a not-authenticated header.
https://evanconnelly.github.io/post/hacking-call-records/
Google Offering End-to-End Encryption to G-Mail Business Users
Google will add an end-to-end encryption feature to commercial GMail users. However, for non GMail users to read the emails they first must click on a link and log in to Google.
https://workspace.google.com/blog/identity-and-security/gmail-easy-end-to-end-encryption-all-businesses

Apple Patches Everything
Apple released updates for all of its operating systems. Most were released on Monday with WatchOS patches released today on Tuesday. Two already exploited vulnerabilities, which were already patched in the latest iOS and macOS versions, are now patched for older operating systems as well. A total of 145 vulnerabilities were patched.
https://isc.sans.edu/diary/Apple%20Patches%20Everything%3A%20March%2031st%202025%20Edition/31816
VMWare Workstation and Fusion update check broken
VMWare s automatic update check in its Workstation and Fusion products is currently broken due to a redirect added as part of the Broadcom transition
https://community.broadcom.com/vmware-cloud-foundation/question/certificate-error-is-occured-during-connecting-update-server
NIM Postgres Vulnerability
NIM Developers using prepared statements to send SQL queries to Postgres may expose themselves to a SQL injection vulnerability. NIM s Postgres library does not appear to use actual prepared statements; instead, it assembles the code and the user data as a string and passes them on to the database. This may lead to a SQL injection vulnerability
https://blog.nns.ee/2025/03/28/nim-postgres-vulnerability/

Apache Camel Exploit Attempt by Vulnerability Scans
A recently patched vulnerability in Apache Camel has been integrated into some vulnerability scanners, like for example OpenVAS. We do see some exploit attempts in our honeypots, but they appear to be part of internal vulnerablity scans
https://isc.sans.edu/diary/Apache%20Camel%20Exploit%20Attempt%20by%20Vulnerability%20Scan%20%28CVE-2025-27636%2C%20CVE-2025-29891%29/31814
New Security Requirements for Certificate Authorities
Starting in July, certificate authorities need to verify domain ownership data from multiple viewpoints around the internet. They will also have to use linters to verify certificate requests.
https://security.googleblog.com/2025/03/new-security-requirements-adopted-by.html
Possible Oracle Breach
Oracle still denies being the victim of a data berach as leaked data may show different.
https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incident-from-customers-in-oracle-saas-service-9231c8daff4a
https://www.theregister.com/2025/03/30/infosec_news_in_brief/
https://www.darkreading.com/cyberattacks-data-breaches/oracle-still-denies-breach-researchers-persist

A Tale of Two Phishing Sties
Two phishing sites may use very different backends, even if the site itself appears to be visually very similar. Phishing kits are often copied and modified, leading to sites using similar visual tricks on the user facing site, but very different backends to host the sites and reporting data to the miscreant.
https://isc.sans.edu/diary/A%20Tale%20of%20Two%20Phishing%20Sites/31810
A Phihsing Tale of DOH and DNS MX Abuse
Infoblox discovered a new variant of the Meerkat phishing kit that uses DoH in Javascript to discover MX records, and generate better customized phishing pages.
https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
Using OpenID Connect for SSH
Cloudflare opensourced it's OPKSSH too. It integrates SSO systems supporting OpenID connect with SSH.
https://github.com/openpubkey/opkssh/

Sitecore "thumbnailsaccesstoken" Deserialization Scans (and some new reports) CVE-2025-27218
Our honeypots detected a deserialization attack against the CMS Sitecore using a thumnailaccesstoken header. The underlying vulnerability was patched in January, and security firm Searchlight Cyber revealed details about this vulnerability a couple of weeks ago.
https://isc.sans.edu/diary/Sitecore%20%22thumbnailsaccesstoken%22%20Deserialization%20Scans%20%28and%20some%20new%20reports%29%20CVE-2025-27218/31806
Blasting Past Webp
Google s Project Zero revealed details how the NSO BLASTPASS exploit took advantage of a Webp image parsing vulnerability in iOS. This zero-click attack was employed in targeted attack back in 2023 and Apple patched the underlying vulnerability in September 2023. But this is the first byte by byte description showing how the attack worked.
https://googleprojectzero.blogspot.com/2025/03/blasting-past-webp.html
Splunk Vulnerabilities
Splunk patched about a dozen of vulnerabilities. None of them are rated critical, but a vulnerability rated High allows authenticated users to execute arbitrary code.
https://advisory.splunk.com/
Firefox 0-day Patched
Mozilla patched a sandbox escape vulnerability that is already being exploited.
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/