An interesting side note in my use of Microsoft Edge to write this post. six times in 20 minutes it closed for no reason. It's a bit eerie, but I do believe monitoring of some kind is happening. No matter, we are in that age of a new world where privacy is of the past.

Political Correctness to another level. AI looks to control our output when put our pens to Keyboards.

Byline: Ekrem Selcuk Celik, Cybersecurity Researcher at Black Kite

Welcome to the January 2025 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.

The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents in January 2025, marking a sharp increase compared to January 2024, which saw approximately 300 cases. This significant rise indicates that ransomware activity is escalating at an alarming pace. Among these incidents, 274 were recorded in the United States, 32 in Canada, 23 in the United Kingdom, and 18 in France.

Manufacturing was the most targeted sector, followed by technical services. Closing out December with 535 cases, ransomware groups have historically shown a tendency to slow down at the beginning of the year. However, this year is proving to be an exception.

Top Threat Actors in January 2025

The Clop ransomware group took the lead in January 2025 by a significant margin with 115 publicly disclosed victims. As usual, RansomHub remained among the top-ranking groups with 42 victims. One of the most notable groups this month was Lynx, which saw a major surge with 42 victims in January. They were followed by the Akira group, which recorded 38 victims.

Clop Is No Joke, But It’s Not What It Used to Be

Nearly all of the 115 Clop attacks were linked to the CLEO vulnerability, continuing the momentum from Clop’s December disclosures. Initially, only 50 victims were expected, but as the group continues to release names in alphabetical order, the final number could reach 500.

Among these 115 victims, the United States was the most affected, with 79 cases, followed by Canada with 12 and the Netherlands with 4.

In terms of industry impact among these attacks, the manufacturing sector suffered the highest number of attacks, with 34 victims. It was followed by the transportation sector with 18 victims, the information technology sector with 17, and the technical services sector with 14.

Two years ago, during the MoveIT disclosures, Clop was at the center of global media attention. Now, despite its high ransomware activity, the group seems to be struggling to capture the same level of interest. They kept postponing victim disclosures, which was unusual for them, and then starting sharing victims in a different way to seek attention. Whether this signals Clop’s waning influence or a shift in public perception remains to be seen, but one thing is certain: the group appears increasingly frustrated by the lack of attention.

FunkSec: From Ransomware to Full-Fledged Cybercrime Group

FunkSec continued its aggressive expansion in January, making headlines with its unconventional tactics:

• Launched FunkBID, a data leak auction platform.
• Announced a partnership with Fsociety for joint ransomware operations.
• Gave media interviews, shedding light on their internal workings.
• Released FunkSec V1.2, their own Ransomware-as-a-Service (RaaS) for $100.
• Threatened a cybersecurity researcher who had written about them.
• Established their own forum to further expand their operations.

Key takeaways from their recent interview:

• They claim to be entirely self-taught with no external affiliations.
• AI plays a role in their operations, but they state it accounts for only 20%.
• They have developed their own GPT model for internal use.
• Their primary goal is financial gain, but they explicitly state hostility toward Israel and the U.S.
• The group consists of four members.
• While hacking remains their focus, they employ specialized ransomware developers.
• They use tools like Shodan Premium and Burp Pro, alongside advanced custom brute force tools.
• Rust is their programming language of choice.

FunkSec’s erratic yet calculated moves make them one of the most unpredictable actors in the ransomware ecosystem. Their expansion beyond traditional ransomware operations suggests a broader ambition that could redefine the threat landscape.

Is Babuk Back? Or Just an Imposter?

A new leak site emerged in January claiming to be affiliated with Babuk, publishing 60 alleged victims. While this sparked speculation that the notorious ransomware group had returned, our analysis revealed that most of the disclosed victims had already been published by FunkSec, RansomHub, and LockBit.

Shortly after the site gained traction, access was restricted, leaving its authenticity in question. Whether this marks the actual return of Babuk or merely an opportunistic attempt to capitalize on the name remains unclear.

New Groups Keep Emerging, but Originality Is Fading

Ransomware groups continue to surface at an increasing rate, and the rise of Ransomware-as-a-Service (RaaS) is undoubtedly fueling this trend. However, despite this growth, these groups seem to do little more than mimic each other. Many simply replicate existing leak sites, making it increasingly difficult to track them as they blur into one another.

In previous years, such copycat behavior was less common, but now it’s becoming the norm. This shift strongly suggests that experienced cybercriminals are being replaced by younger, less-skilled actors. As a result, while the number of ransomware groups grows, innovation within the ecosystem seems to be stagnating.

Attacks Are Increasing, but Ransom Payments Are Decreasing

While ransomware attacks surged in 2024, total ransom payments dropped by 35%, amounting to $813.55 million. Companies are increasingly adopting robust cybersecurity measures, improving backup strategies, and benefiting from law enforcement crackdowns on cybercriminals.

Notably, the international operation “Operation Cronos” disrupted LockBit’s infrastructure, demonstrating the growing impact of coordinated cybercrime enforcement. However, despite these advancements, ransomware groups are evolving their tactics, becoming more aggressive in their extortion methods.

In response, the UK government is considering stricter regulations, including:

• Banning public institutions and critical infrastructure providers from making ransom payments.
• Mandating all victims to report ransomware incidents to authorities.

Authorities believe these measures will curb ransomware groups’ financial streams and act as a deterrent. If enacted, these regulations could reshape how organizations respond to ransomware threats.

Key Takeaways

January 2025 set a record-breaking pace for ransomware incidents.

• Clop led the charge but may be struggling to maintain its past level of influence.
• FunkSec is rapidly expanding its operations beyond ransomware, building a cybercrime ecosystem.
• The alleged return of Babuk remains uncertain, raising questions about its legitimacy.
• While ransom payments are declining, attack volume is increasing, prompting tighter regulations.

For cybersecurity teams, 2025 is already shaping up to be one of the most challenging years yet. Black Kite’s Ransomware Susceptibility Index® (RSI^TM) offers a proactive approach by assessing the likelihood of a ransomware attack throughout the third-party ecosystem. By leveraging RSI, risk managers can identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard their organizations against the escalating threat.

Stay tuned for more monthly Ransomware Reviews on our blog and LinkedIn Newsletter.

The post Ransomware Review January 2025: Clop’s CLEO Exploit Fuels a Record Month appeared first on Black Kite.

Written by: Ferdi Gül

In this week’s Focus Friday, we examine high-impact vulnerabilities affecting Palo Alto Networks PAN-OS, Ivanti Connect Secure, Zimbra Collaboration, and Cacti, all of which pose significant third-party risk concerns. These vulnerabilities range from remote code execution (RCE) flaws to SQL injection attacks that could lead to data breaches, system takeovers, and supply chain risks.

Organizations relying on network security appliances, email collaboration tools, and monitoring frameworks must take proactive measures to assess their exposure and secure their vendor ecosystem against these threats. In this blog, we provide an in-depth Third-Party Risk Management (TPRM) perspective, detailing how these vulnerabilities could impact vendor security postures and what questions security teams should ask to mitigate risks.

Additionally, we highlight how Black Kite’s FocusTags™ provide real-time insights into vendor exposure, helping organizations prioritize remediation efforts and streamline their risk management processes.

CVE-2025-0108, CVE-2025-0110: Authentication Bypass & Command Injection in PAN-OS

What are the PAN-OS Authentication Bypass and Command Injection Vulnerabilities?

Two high-severity vulnerabilities have been identified in Palo Alto Networks PAN-OS, affecting network security devices:

• CVE-2025-0108 (Authentication Bypass – CVSS: 8.8):
  This vulnerability affects the management web interface of PAN-OS. An unauthenticated attacker with network access can bypass authentication and invoke specific PHP scripts. While it does not allow remote code execution, it compromises system integrity and confidentiality.
• CVE-2025-0110 (Command Injection – CVSS: 8.6):
  Found in the OpenConfig plugin, this vulnerability enables an authenticated administrator with gNMI request privileges to inject and execute arbitrary commands. The commands run as the _openconfig user, which has Device Administrator privileges, potentially leading to full system compromise.

Both vulnerabilities were published on February 12, 2025. One proof-of-concept exploit is available on github.com. There is no evidence of active exploitation or inclusion in CISA’s KEV catalog at this time. However, PAN-OS vulnerabilities have been targeted in the past, making proactive mitigation crucial.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-party risk management (TPRM) professionals should be concerned due to the critical role of PAN-OS in enterprise cybersecurity.

• Authentication Bypass (CVE-2025-0108):
  Attackers could exploit this flaw to gain unauthorized access to PAN-OS management functions, leading to potential misconfigurations, unauthorized changes, or exposure of sensitive network settings.
• Command Injection (CVE-2025-0110):
  If the OpenConfig plugin is enabled, an attacker with administrator access could execute arbitrary system commands, escalating privileges or deploying persistent malware on PAN-OS devices.

For vendors relying on PAN-OS for perimeter security, exploitation of these vulnerabilities could lead to network-wide security breaches, data exposure, and compromised firewall configurations.

What Questions Should TPRM Professionals Ask Vendors?

To assess vendor exposure, TPRM professionals should ask:

1. Have you identified any PAN-OS devices in your environment that are running vulnerable versions (before PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, 10.1.14-h9)?
2. Do you use the OpenConfig plugin in PAN-OS? If so, have you verified that it is updated to version 2.1.2 or later?
3. What access controls are in place to restrict exposure of the PAN-OS management web interface to untrusted networks?
4. Have you applied Palo Alto Networks’ recommended mitigations, such as disabling unused plugins and restricting management access?

Remediation Recommendations for Vendors Subject to this Risk

To mitigate the risk associated with these vulnerabilities, vendors should:

✔ Upgrade PAN-OS to patched versions:

• PAN-OS 11.2 → Upgrade to 11.2.4-h4 or later
• PAN-OS 11.1 → Upgrade to 11.1.6-h1 or later
• PAN-OS 10.2 → Upgrade to 10.2.13-h3 or later
• PAN-OS 10.1 → Upgrade to 10.1.14-h9 or later
• If running PAN-OS 11.0 (EoL), upgrade to a supported version.

✔ Update OpenConfig plugin to version 2.1.2 or later (if enabled).
✔ Restrict management interface access to trusted internal IPs only.
✔ Disable the OpenConfig plugin if not in use to reduce the attack surface.
✔ Monitor system logs for unusual access or command execution activity.
✔ Apply Palo Alto Networks’ Threat Prevention rules to block potential exploits (Threat IDs 510000, 510001).

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged this issue as “PAN-OS – Feb2025” with a VERY HIGH confidence level.

• The FocusTag™ identifies vendors potentially affected by CVE-2025-0108 and CVE-2025-0110.
• Black Kite provides asset intelligence, including IP addresses and subdomains hosting vulnerable PAN-OS instances.

The FocusTag™ was published on February 13, 2025, allowing TPRM teams to take proactive measures before potential exploitation.

CVE-2025-22467, CVE-2024-38657, CVE-2024-10644: Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure

What Are the Critical Vulnerabilities in Ivanti Connect Secure and Policy Secure?

Multiple critical vulnerabilities have been identified in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products:

• CVE-2025-22467 (CVSS: 9.9): A stack-based buffer overflow vulnerability in ICS versions prior to 22.7R2.6. This flaw allows a remote authenticated attacker with low privileges to execute arbitrary code, potentially leading to full system compromise.
• CVE-2024-38657 (CVSS: 9.1): An external control of file name or path vulnerability affecting ICS (before 22.7R2.4) and IPS (before 22.7R1.3). A remote authenticated attacker with administrative privileges can write arbitrary files on the system, which may lead to unauthorized file manipulation or system compromise.
• CVE-2024-10644 (CVSS: 9.1): A code injection vulnerability in ICS (before 22.7R2.4) and IPS (before 22.7R1.3). This allows a remote authenticated attacker with administrative privileges to execute arbitrary commands on the system, potentially resulting in complete system control.

These vulnerabilities were publicly disclosed on February 11, 2025. As of now, there is no evidence of active exploitation in the wild, and they have not been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Other vulnerabilities to be mindful of include CVE-2024-12058 (arbitrary file read), CVE-2024-13842 (sensitive data exposure), and CVE-2024-13843 (cleartext storage of sensitive information), which, despite their lower CVSS scores, should still be carefully considered.

Why Should TPRM Professionals Be Concerned About These Vulnerabilities?

Third-Party Risk Management (TPRM) professionals should be concerned due to the following reasons:

• Remote Code Execution Risks: Exploitation of these vulnerabilities could allow attackers to execute arbitrary code or commands, leading to unauthorized access, data breaches, and potential lateral movement within the network.
• Privilege Escalation: Attackers with low-level access could exploit these flaws to escalate privileges, gaining administrative control over critical systems.
• Supply Chain Impact: Vendors utilizing vulnerable versions of ICS and IPS may inadvertently expose connected organizations to security risks, emphasizing the importance of assessing third-party security postures.

What Questions Should TPRM Professionals Ask Vendors About These Vulnerabilities?

To assess vendor exposure, TPRM professionals should inquire:

1. Which versions of Ivanti Connect Secure and Ivanti Policy Secure are currently deployed within your environment?
2. Have the identified vulnerabilities (CVE-2025-22467, CVE-2024-38657, CVE-2024-10644) been remediated by updating to the latest recommended versions?
3. What measures are in place to monitor and detect potential exploitation attempts related to these vulnerabilities?
4. Is multi-factor authentication (MFA) enabled for all administrative access to these systems?

Remediation Recommendations for Vendors Subject to This Risk

To mitigate the risks associated with these vulnerabilities, vendors should:

✔ Update to Patched Versions:

• For Ivanti Connect Secure, upgrade to version 22.7R2.6 or later.
• For Ivanti Policy Secure, upgrade to version 22.7R1.3 or later.

✔ Restrict Administrative Privileges:

• Limit administrative access to essential personnel.
• Enforce principle of least privilege to reduce risk.

✔ Implement Multi-Factor Authentication (MFA):

• Ensure MFA is enabled for all administrative and remote access.

✔ Monitor System Logs:

• Regularly review logs for unusual activities or signs of attempted exploitation.

✔ Apply Security Best Practices:

• Follow Ivanti’s security guidelines to mitigate risks associated with authenticated users.

How TPRM Professionals Can Leverage Black Kite for These Vulnerabilities

Black Kite has tagged these vulnerabilities under “Ivanti Connect Secure – Feb2025” with a HIGH confidence level.

• The FocusTag™ provides detailed information on vendors potentially affected by these vulnerabilities.
• Black Kite’s asset intelligence helps identify IP addresses and subdomains hosting vulnerable instances.
• This enables TPRM teams to proactively assess and address risks associated with these vulnerabilities.

CVE-2025-25064: Zimbra Collaboration SQL Injection Vulnerability

Zimbra Collaboration (formerly known as Zimbra Collaboration Suite or ZCS) is an open-source and commercial groupware email platform. It includes features such as email, calendaring, contacts, task management, instant messaging, and file sharing, designed for enterprises, government institutions, and service providers.

What is CVE-2025-25064?

CVE-2025-25064 is a critical SQL injection vulnerability affecting Zimbra Collaboration versions 10.0.x prior to 10.0.12 and 10.1.x prior to 10.1.4. This flaw arises from insufficient sanitization of user-supplied parameters in the ZimbraSync Service SOAP endpoint. Authenticated attackers can exploit this vulnerability by manipulating specific request parameters to inject arbitrary SQL queries, potentially allowing unauthorized retrieval of email metadata and other sensitive information. The vulnerability has a CVSS score of 9.8, indicating its critical severity, and an EPSS score of 0.05%. It was publicly disclosed on February 9, 2025. As of now, there is no evidence of active exploitation in the wild, and it has not been added to CISA’s Known Exploited Vulnerabilities catalog.

Why Should TPRM Professionals Be Concerned About CVE-2025-25064?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-25064 due to its potential impact on email security. Zimbra Collaboration is widely used by organizations for email and collaboration services. Exploitation of this vulnerability could allow attackers to access sensitive email metadata, leading to unauthorized disclosure of confidential information. If a vendor utilizes vulnerable Zimbra Collaboration products, their compromised systems could serve as entry points for attackers, resulting in data breaches and disruptions that may affect connected organizations.

What Questions Should TPRM Professionals Ask Vendors Regarding CVE-2025-25064?

To assess and mitigate risks associated with this vulnerability, TPRM professionals should inquire:

1. Have you updated all instances of Zimbra Collaboration to versions 10.0.12 or 10.1.4, where CVE-2025-25064 has been patched?
2. Can you confirm if you have implemented access restrictions to the ZimbraSync Service SOAP endpoint to trusted networks and users as recommended?
3. Have you deployed Web Application Firewalls (WAFs) to detect and block SQL injection attempts targeting Zimbra Collaboration?
4. Do you regularly monitor server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service?

Remediation Recommendations for Vendors

Vendors using affected Zimbra Collaboration products should:

• Update Software: Upgrade to Zimbra Collaboration versions 10.0.12 or 10.1.4, where this vulnerability has been addressed.
• Restrict Access: Limit access to the ZimbraSync Service SOAP endpoint to trusted networks and users to minimize potential exploitation vectors.
• Implement Web Application Firewalls (WAF): Deploy WAFs to detect and block SQL injection attempts and other malicious activities targeting web applications.
• Monitor Logs: Regularly review server and application logs for unusual or unauthorized activities, particularly related to the ZimbraSync Service.

How Can TPRM Professionals Leverage Black Kite for This Vulnerability?

Black Kite has proactively addressed this issue by publishing the “Zimbra – Feb2025” FocusTag™ on February 11, 2025. This tag enables TPRM professionals to identify vendors potentially affected by CVE-2025-25064. By providing detailed asset information, including IP addresses and subdomains associated with the compromised devices, Black Kite empowers organizations to assess and mitigate risks efficiently. This actionable intelligence allows for targeted inquiries and remediation efforts, ensuring a robust third-party risk management strategy.

CVE-2025-22604: Critical Remote Code Execution Vulnerability in Cacti

Cacti is an open-source network monitoring and graphing tool designed to collect, store, and visualize performance data for IT infrastructure. It is widely used by network administrators and IT professionals to monitor network devices, servers, and applications in real time.

What is the Cacti Remote Code Execution Vulnerability?

CVE-2025-22604 is a critical security flaw in Cacti, an open-source network monitoring and fault management framework. This vulnerability allows authenticated users with device management permissions to execute arbitrary commands on the server by injecting malformed Object Identifiers (OIDs) into SNMP responses. When processed by functions like ss_net_snmp_disk_io() or ss_net_snmp_disk_bytes(), parts of these OIDs are used as keys in an array that becomes part of a system command, leading to remote code execution (RCE). The vulnerability has a CVSS score of 9.1. It was publicly disclosed on January 26, 2025. There is no evidence of proof of exploitation at the moment.

Why Should TPRM Professionals Be Concerned About This Vulnerability?

Third-Party Risk Management (TPRM) professionals should be concerned about CVE-2025-22604 because Cacti is widely used by organizations to monitor network performance and availability. A successful exploit of this vulnerability could allow attackers to execute arbitrary commands on the server, potentially compromising system integrity and data security. This could lead to unauthorized access to sensitive information, disruption of network monitoring capabilities, and further exploitation within the organization’s network. Given the critical nature of this vulnerability and the availability of proof-of-concept exploit code, it is imperative for organizations to assess their exposure and ensure that their vendors have addressed this issue.

What Questions Should TPRM Professionals Ask Vendors About CVE-2025-22604?

To assess the risk associated with this vulnerability, TPRM professionals should consider asking vendors the following questions:

1. Have you identified any instances of Cacti within your infrastructure that are affected by CVE-2025-22604?
2. If so, have you updated all affected Cacti installations to version 1.2.29 or later to mitigate this vulnerability?
3. What measures have you implemented to restrict SNMP access to trusted users and networks?
4. Do you regularly monitor system logs and SNMP activity for unusual or unauthorized actions?

Remediation Recommendations for Vendors Subject to This Risk

Vendors should take the following actions to remediate the risk associated with CVE-2025-22604:

• Upgrade Cacti: Update all Cacti installations to version 1.2.29 or later, as this version addresses the vulnerability.
• Restrict SNMP Access: Limit SNMP access to trusted users and networks to reduce potential attack vectors.
• Monitor Systems: Regularly review system logs and SNMP activity for any unusual or unauthorized actions.
• Review Permissions: Ensure that only necessary personnel have device management permissions within Cacti.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite has published a FocusTag™ titled “Cacti – Feb2025” to help organizations identify potential exposure to CVE-2025-22604. TPRM professionals can utilize this tag to assess their vendors’ risk related to this vulnerability. By leveraging Black Kite’s platform, professionals can identify vendors using vulnerable versions of Cacti and take proactive steps to mitigate potential risks. This includes obtaining asset information such as IP addresses and subdomains associated with the vendors’ systems, which is crucial for effective risk assessment and management.

Maximizing TPRM Effectiveness with Black Kite’s FocusTags™

With high-profile vulnerabilities such as PAN-OS authentication bypass (CVE-2025-0108), Ivanti Connect Secure RCE (CVE-2025-22467), Zimbra SQL injection (CVE-2025-25064), and Cacti remote code execution (CVE-2025-22604), organizations must rapidly assess third-party security risks to prevent cascading impacts. Black Kite’s FocusTags™ enable security teams to efficiently identify, analyze, and mitigate these threats by offering:

✅ Real-Time Risk Identification – Instant visibility into which vendors are affected by the latest vulnerabilities, allowing organizations to take immediate action.
✅ Risk Prioritization – Insights into vendor importance and vulnerability severity, helping security teams allocate resources effectively.
✅ Informed Vendor Engagement – Targeted discussions with vendors about their security measures and remediation strategies for identified vulnerabilities.
✅ Comprehensive Security Posture Enhancement – A holistic view of third-party risks, enabling organizations to make data-driven security decisions.

By leveraging Black Kite’s FocusTags™, organizations can stay ahead of evolving cyber threats, ensuring proactive risk mitigation in their third-party ecosystems. These tags provide critical intelligence, transforming complex vulnerability data into actionable insights for better vendor security management.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags^TM in the Last 30 Days:

• PAN-OS – Feb2025: CVE-2025-0108, CVE-2025-0110, Authentication Bypass Vulnerability, OS Command Injection Vulnerability in Palo Alto’s PAN-OS.
• Ivanti Connect Secure – Feb2025: CVE-2025-22467, CVE-2024-38657, CVE-2024-10644, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Code Injection Vulnerability in Ivanti Connect Secure & Policy Secure.
• Zimbra – Feb2025: CVE-2025-25064, SQLi Vulnerability in Zimbra Collaboration.
• Cacti – Feb2025: CVE-2025-22604, Remote Code Execution Vulnerability in Cacti.
• FortiGate Leakage: CVE-2022-40684, Authentication Bypass Vulnerability, Leaked Configurations and VPN Credentials for 15,000 FortiGate Devices.
• QNAP QTS – Jan2025: CVE-2024-53691, CVE-2023-39298, Remote Code Execution Vulnerability, Link Following Vulnerability, Missing Authorization Vulnerability in QNAP QTS.
• Mongoose: CVE-2025-23061, Search Injection Vulnerability in Mongoose.
• W3 Total Cache: CVE-2024-12365, Missing Authorization Vulnerability in WordPress’ W3 Total Cache Plugin.
• Juniper Junos: CVE-2025-21598, Out-of-bounds Read Vulnerability in Juniper’s Junos.
• Rsync: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747, Heap-Buffer-Overflow Vulnerability, Remote Code Execution Vulnerability, Information Leak Vulnerability, File Leak Vulnerability, Path Traversal Vulnerability, Race Condition Vulnerability, Privilege Escalation Vulnerability in Rsync.
• SimpleHelp: CVE-2024-57727, CVE-2024-57728, CVE-2024-57726, Unauthenticated Path Traversal Vulnerability, Arbitrary File Upload Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in SimpleHelp.
• SonicWall SonicOS – Jan2025: CVE-2024-40762, CVE-2024-53704, CVE-2024-53706, CVE-2024-53705, Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Authentication Bypass Vulnerability, Server-Side Request Forgery (SSRF) Vulnerability, and Local Privilege Escalation Vulnerability in SonicWall’ SonicOS SSLVPN, SSH Management, and Gen7 Cloud NSv SSH Config Function.
• Ivanti Connect Secure – Jan2025: CVE-2025-0282, CVE-2025-0283, Stack-Based Buffer Overflow Vulnerability, Remote Code Execution Vulnerability, Privilege Escalation Vulnerability in Ivanti Connect Secure, Policy Secure, and Ivanti Neurons for ZTA gateways.
• Progress WhatsUp Gold: CVE-2024-12108, CVE-2024-12106, CVE-2024-12105, Authentication Bypass by Spoofing Vulnerability, Missing Authentication for Critical Function, and  Path Traversal Vulnerability in Progress WhatsUp Gold.
• GoCD: CVE-2024-56320, Improper Authorization Vulnerability in GoCD.
• Apache Tomcat RCE: CVE-2024-56337, CVE-2024-50379, Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability, Remote Code Execution Vulnerability in Apache Tomcat.
• CrushFTP: CVE-2024-53552, Account Takeover Vulnerability in CrushFTP.
• Gogs Server: CVE-2024-55947, CVE-2024-54148, Path Traversal Vulnerability in Gogs Server.
• BeyondTrust PRA RS: CVE-2024-12356, Command Injection Vulnerability in BeyondTrust’s  Privileged Remote Access (PRA), Remote Support (RS).

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0108

https://nvd.nist.gov/vuln/detail/CVE-2025-0110

https://security.paloaltonetworks.com/CVE-2025-0108

https://security.paloaltonetworks.com/CVE-2025-0110

https://securityonline.info/cve-2025-0108-cve-2025-0110-palo-alto-networks-fixes-high-severity-pan-os-vulnerabilities

https://slcyber.io/blog/nginx-apache-path-confusion-to-auth-bypass-in-pan-os

https://forums.ivanti.com/s/article/February-Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-and-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs?language=en_US

https://forums.ivanti.com/s/article/KB29805?language=en_US

https://nvd.nist.gov/vuln/detail/CVE-2025-22467

https://nvd.nist.gov/vuln/detail/CVE-2024-10644

https://securityonline.info/cve-2025-22467-cvss-9-9-ivanti-connect-secure-vulnerability-allows-remote-code-execution

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.12#Security_Fixes

https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes

https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

https://nvd.nist.gov/vuln/detail/CVE-2025-25064

https://securityonline.info/cve-2025-25064-cvss-9-8-critical-sql-injection-bug-in-zimbra-collaboration

https://nvd.nist.gov/vuln/detail/CVE-2025-22604

https://github.com/Cacti/cacti/security/advisories/GHSA-c5j8-jxj3-hh36

https://securityonline.info/cve-2025-22604-cvss-9-1-remote-code-execution-flaw-in-cacti-poc-released

The post Focus Friday: Addressing Third-Party Risks in PAN-OS, Ivanti Connect Secure, Zimbra, and Cacti Vulnerabilities appeared first on Black Kite.

Theater productions Doomers and McNeal tackle AI’s impact on humanity and the creative process.

WIRED’s advice columnist considers whether some AI tools are more ethical than others, and if developers can make AI wiser.

The Israel Defense Forces (IDF) and Lebanese Armed Forces (LAF) redeployed Tuesday in accord with the ceasefire deal that ended the war with Hezbollah -- though Lebanon is formally objecting to Israel retaining a "buffer zone."

The post Israel, Lebanon Redeploy Forces as Ceasefire Holds; ‘Buffer Zone’ in Contention appeared first on Breitbart.

Actor Robert Picardo, who played The Doctor on Star Trek: Voyager, said that America should cancel Presidents Day due to Trump allegedly canceling "our justice system" and other causes.

The post ‘Star Trek’ Actor Robert Picardo: ‘Let’s Cancel Presidents’ Day’ Since Trump Has Canceled ‘Our Justice System’ appeared first on Breitbart.

A juvenile reportedly retrieved a handgun Saturday morning in Manchester, Kentucky, and shot and killed two alleged armed intruders.

The post Juvenile Retrieves Handgun, Shoots Two Alleged Armed Intruders Dead appeared first on Breitbart.

President Donald Trump on Monday exited his presidential limousine, known as "the Beast," to wave to supporters who were gathered as his motorcade approached.

The post Trump Exits ‘Beast’ to Share Moment with Supporters on Presidents Day appeared first on Breitbart.

A new protest movement is gathering strength in Iran, driven by public outrage over the death of 19-year-old Amir Mohammad Khaleghi, an undergraduate business student at the University of Tehran who was robbed and killed near the dormitory last week.

The post Protests Resurge in Iran After Teen Student Killed near Dorm appeared first on Breitbart.

The Israel Defense Forces (IDF) will hold five strategic posts inside southern Lebanon to maintain security and surveillance even after withdrawing from the region on Tuesday in accordance with the ceasefire with Hezbollah.

The post Israel To Hold 5 Posts Inside Southern Lebanon to Prevent Attack appeared first on Breitbart.

Border Czar Tom Homan reports that over the last 24 hours there were only 229 illegal alien encounters along the Southwest border.

The post Nolte: Border Czar Tom Homan Says Illegal Daily Encounters Down to 229 from 11,000 appeared first on Breitbart.

The Washington, DC, area housing market has seen an increase in homes being listed for sale as more government employees have either been laid off or have accepted buyouts.

The post D.C. Housing Market Sees Increase in Homes for Sale as Federal Workers Laid Off appeared first on Breitbart.

The latest sneak peek for the Walt Disney Company's live-action remake of "Snow White," starring Rachel Zegler, is getting hammered online, with the video receiving 84,000 "dislikes" on YouTube in just two days.

The post Disney’s Latest Sneak Peek for ‘Snow White’ Starring Rachel Zegler Gets 84K Dislikes in Just Two Days appeared first on Breitbart.

South Korean Actress Kim Sae-ron, who had recently gone into hiding after crashing her vehicle while drunk driving, died on Sunday at the age of 24. Her cause of death has been ruled a suicide.

The post Actress Kim Sae-ron Dies at 24, Cause of Death Revealed appeared first on Breitbart.

Film director Spike Lee wore a jacket to the NBA All-Star Game with a message demanding slavery reparations.

The post Spike Lee Wears Jacket Demanding Reparations at NBA All-Star Game appeared first on Breitbart.

Los Angeles residents are furious at an announcement by the Army Corps of Engineers that there will be no testing of local soil for toxins after the first six inches of topsoil are taken away during debris removal that began this week.

The post L.A. Residents Outraged After Army Corps Abandons Soil Testing in Burn Areas appeared first on Breitbart.

The Los Angeles Fire Department (LAFD) could have pre-deployed ten engines to the Pacific Palisades ahead of the deadly Palisades Fire on January 7, but chose not to, according to former fire chiefs quoted by the Los Angeles Times.

The post Report: L.A. Fire Dept. Could Have Pre-Deployed 10 Engines to Palisades, but Did Not appeared first on Breitbart.