Tag: path traversal

  • Under Active Fire: CISA Warns of New Exploits in Samsung, SimpleHelp, and D-Link Hardware

    The United States Cybersecurity and Infrastructure Security Agency (CISA) has once again augmented its repository of vulnerabilities identified in active, real-world incursions. The latest revision incorporates four distinct flaws within products from Samsung, SimpleHelp, and D-Link. These vulnerabilities represent a heightened threat, as they offer adversaries not merely a theoretical vector for exploitation, but a validated and proven path to systemic compromise.

    CISA has integrated CVE-2024-7399, CVE-2024-57726, CVE-2024-57728, and CVE-2025-29635 into its Known Exploited Vulnerabilities (KEV) catalog. This catalog serves as a critical resource for administrators, highlighting flaws with empirical evidence of exploitation to facilitate the prioritization of remediation efforts.

    CVE-2024-7399 plagues Samsung MagicINFO 9 Server (prior to version 21.1050). A path traversal error enables an authenticated adversary to write arbitrary files with elevated system privileges. In practical application, this flaw allows for remote code execution (RCE) on the host server managing the MagicINFO environment.

    Two further vulnerabilities concern SimpleHelp, a utility for remote support and device management:

    • CVE-2024-57726 permits a technician with minimal privileges to generate access keys with excessive permissions, subsequently escalating their authority to that of a server administrator.

    • CVE-2024-57728 affects SimpleHelp version 5.5.7 and its predecessors. An administrator can upload a meticulously crafted archive to write files outside of the designated directory. This flaw, commonly referred to as a “Zip Slip” vulnerability, facilitates arbitrary code execution under the security context of the SimpleHelp server process.

    CVE-2025-29635 was identified in D-Link DIR-823X routers (firmware versions 240126 and 240802). This command injection vulnerability allows an authenticated attacker to dispatch a specialized request to the /goform/set_prohibiting endpoint to execute remote commands. Public security advisories have already linked this flaw to incursions targeting legacy D-Link hardware and active recruitment into the Mirai botnet.

    The KEV catalog was established under the auspices of Directive BOD 22-01, which mandates that U.S. federal civilian agencies remediate such vulnerabilities within strict timeframes to fortify government networks against active threats. Although these requirements formally apply only to federal entities, CISA strongly encourages all organizations to utilize the catalog as a benchmark for urgent remediation.

    This update underscores a persistent trend: adversaries are relentlessly pursuing not only large-scale enterprise architectures but also remote support utilities, management servers, and network peripherals. Given that these products often possess privileged access to critical network segments, any delay in patching can swiftly transform a singular vulnerability into a comprehensive infrastructural breach.

  • Six Clicks to Root: How EspoCRM’s Formula Engine Became a Gateway for Server Takeover

    A vulnerability has been found in the widely used EspoCRM customer management platform that turns administrative access into full control of the host server. Six requests are enough to go from the administrative dashboard to executing system commands. The flaw, tracked as CVE-2026-33656, affects EspoCRM version 9.3.3. It was found during analysis of a standard image paired with an Apache web server, in which the application runs as the www-data user.

    EspoCRM is an open-source CRM platform commonly used by small and medium-sized businesses. It includes process automation, deal management, e-mail handling and its own scripting engine. That engine is where the attack begins.

    EspoCRM ships a so-called “Formula Engine”, a scripting language through which an administrator can transform data, trigger processes and test logic in a dedicated interface. Access is restricted to administrators, which on its face looks safe. It turned out, however, that the engine bypasses internal restrictions at the level of individual fields.

    In the regular interface and through the API, some fields are protected: certain values are marked as read-only and cannot be changed even by an explicit request. The Formula Engine takes a different path, writing data directly and ignoring those restrictions. As a result, an administrator can modify fields that, by the system's own logic, should be immutable.

    The key turned out to be the sourceId field attached to attachments. This field determines the physical path to the file on disk. Normally the system assigns the value itself and forbids changing it, but through the Formula Engine that restriction is easily bypassed, and an attacker can substitute any path, for example one pointing to a file well outside the upload directory.

    Then comes the most interesting part. The application builds the file path by simple string concatenation with no validation at all: no sanitization and no boundary check. This opens two avenues of exploitation at once.

    First, arbitrary file read. Changing the path is enough to retrieve, for instance, the application's main configuration or the file holding the database credentials.

    Second, arbitrary file write to any location. EspoCRM supports chunked file uploads. If the path is changed before the upload, the application writes the data exactly where the attacker directs, so a custom file can be written, including into a directory reachable from the web browser.

    One final detail remains. On a standard installation the server does not necessarily execute such files as code. That obstacle is removed through the .htaccess configuration file: by adding the required directive there, the attacker makes the server treat the uploaded file as a script. After that, visiting a specific address is enough for the server to start executing commands. In the demonstrated attack the application responded with the privileges of the www-data user, the account under which the web server runs.

    The damage goes beyond reading and writing files. The same mechanism allows reading hidden fields in the database, among them user password hashes and active session tokens. Such access opens the way to further movement within the system.

    The fix was released quickly. In EspoCRM version 9.3.4 the developer added sanitization of file names via the basename function, cutting off any attempt to traverse outside the intended directory. The fix was applied at several points where file paths are built. After this change the attack chain no longer works.

    Notably, the Formula Engine itself was left unchanged. The project's developer maintains that the absence of validation at the field level is a deliberate design decision rather than an oversight. Nevertheless, it was the combination of this behaviour with the file-handling logic that produced a critical vulnerability. The developer published the fix within one day of the initial disclosure. Users are strongly advised to upgrade to version 9.3.4 or later as soon as possible.

  • The Persistence of WinRAR: Google Warns of Widespread CVE-2025-8088 Attacks

    The Google Threat Intelligence Group (GTIG) has disclosed the extensive exploitation of a critical vulnerability, designated CVE-2025-8088, residing within the ubiquitous WinRAR archiving utility. Although the defect was remediated in the summer of 2025, adversaries persist in weaponizing it globally, integrating the flaw into both financially motivated incursions and state-sponsored espionage operations.

    The crux of the issue is a path traversal anomaly, which empowers an attacker to deposit files into arbitrary Windows directories—most notably the Startup folder—via meticulously crafted RAR archives. This maneuver leverages Alternate Data Streams (ADS) to conceal a malicious payload within a seemingly benign document, such as a PDF. Upon the simple act of opening the archive, the surreptitious object is silently committed to a system directory, ensuring its automatic execution during the subsequent user login and facilitating persistent access to the host environment.

    Forensic telemetry from GTIG indicates that exploitation of CVE-2025-8088 commenced as early as July 18, 2025. While RARLAB disseminated a patch on July 30 with the release of WinRAR version 7.13, the sluggish cadence of software updates among users and enterprises has rendered this vulnerability a perennial favorite for widespread offensives.

    These campaigns typically manifest as phishing dispatches, utilizing archives containing geopolitical lures alongside malicious shortcuts, scripts, and HTA files designed to retrieve auxiliary components. Such operations have been observed deploying malware families like NESTPACKER and STOCKSTAY, in addition to various reconnaissance and remote administration tools.

    The vulnerability is being exploited by a diverse array of actors, ranging from state-aligned syndicates to private mercenary hackers. Documented incursions have targeted organizations in Indonesia, Latin America, and Brazil, where WinRAR serves as a conduit for Remote Access Trojans (RATs), infostealers, backdoors, and even deleterious Chrome extensions engineered to inject phishing scripts into financial portals.

    A significant portion of the GTIG report highlights the flourishing underground exploit market. Analysts have identified a prominent actor operating under the pseudonym zeroplayer, who, since 2025, has been purveying high-value exploits for Microsoft Office, Windows, VPN solutions, and security frameworks. Such commercialization accelerates the industrialization of cyberattacks, lowering the barrier to entry for disparate criminal collectives.

    Google emphasizes that the enduring threat of CVE-2025-8088 serves as a poignant testament to the lethality of “n-day” vulnerabilities once they are absorbed into the criminal ecosystem. Even following the availability of official remedies, these flaws remain viable vectors for initial systemic penetration for years to come.

  • PDF Data Exfiltration: Critical 9.2 jsPDF Flaw Leaks Server Secrets

    A critical vulnerability has been unearthed within the ubiquitous JavaScript library jsPDF, a tool primarily utilized for the programmatic generation of PDF documents. This flaw empowers an adversary to manipulate file paths, thereby facilitating the surreptitious embedding of local file system content directly into the generated documents.

    Designated as CVE-2025-68428 with a formidable CVSS score of 9.2, the issue resides in the realms of Local File Inclusion (LFI) and Path Traversal. When an insufficiently sanitized path is processed, the library’s file-loading mechanism can read arbitrary files from the server and append their contents to the resulting PDF. Given that jsPDF is an industry staple—averaging over 3.5 million weekly downloads on npm—the potential theater for exploitation is extensive.

    The vulnerability specifically plagues Node.js iterations of jsPDF prior to version 4.0.0. Within these server-side builds, the loadFile function directly interfaces with the local file system. If file paths are constructed based on unfiltered user input, an interloper could specify sensitive system files or configuration dossiers, which jsPDF would then dutifully incorporate into the PDF without further validation.

    This defect is not isolated to a single function; the same underlying mechanisms govern addImage, html, and addFont, rendering them equally susceptible when handling paths insecurely. Developers have clarified that the flaw is confined to the Node.js builds—specifically dist/jspdf.node.js and its minified counterpart—whereas browser-based versions remain insulated due to the lack of direct file system access.

    According to assessments by Endor Labs, the exploitability of this flaw is contingent upon the library’s implementation within a given project. The risk is negligible if paths are hardcoded or verified against strict allow-lists; however, in scenarios where paths are derived from raw user data, the threat becomes palpable.

    The vulnerability was effectively neutralized in jsPDF version 4.0.0. The update imposes default restrictions on file system access and leverages the Node.js permission model. Nevertheless, a nuance persists: since the permission model is considered experimental in Node.js 20, researchers advocate for the adoption of more recent environments, such as 22.13.0, 23.5.0, or 24.0.0 and above.

    Additional complexities remain. While the jsPDF maintainers suggest utilizing the --permission flag as a temporary palliative, this applies to the entire Node.js process rather than the library alone. Furthermore, overly permissive settings via --allow-fs-read effectively nullify these protections. For projects tethered to legacy Node.js versions, the recommendation is to manually sanitize and validate all user-supplied paths prior to their transmission to the library.

    Considering the widespread adoption of jsPDF across diverse web applications and services, researchers perceive CVE-2025-68428 as a prime target for malicious actors and urge immediate transition to the patched version.

  • WinRAR Zero-Day (CVE-2025-8088) Exploited by RomCom Hackers, ESET Warns

    The ESET research team has published a detailed analysis revealing how the cyber-espionage group RomCom exploited a previously unknown path-traversal vulnerability in WinRAR (CVE-2025-8088) to stealthily install malicious software on victims’ computers. This flaw was leveraged in zero-day attacks, meaning it remained unpatched at the time of discovery.

    According to ESET, exploitation in the wild was detected on July 18, 2025, and promptly reported to the WinRAR developers. On July 30, version 7.13 was released with a fix, yet the accompanying update notes made no mention that the vulnerability had been actively abused. Only later did ESET confirm that the flaw enabled the extraction of executable files directly into startup directories when a victim opened a specially crafted archive.

    CVE-2025-8088 proved to be a variant of a Directory Traversal vulnerability, triggered by the abuse of Alternate Data Streams (ADS). It allowed attackers to force WinRAR to unpack files into directories of their choosing rather than the user-selected folder. This opened the door to silently placing shortcuts, DLLs, and executables into system or user startup folders. ESET notes similarities with another WinRAR path-traversal flaw, CVE-2025-6218, disclosed just a month earlier.

    The malicious archives used in these attacks carried numerous hidden payloads within ADS. Some streams pointed to non-existent paths, producing harmless WinRAR warnings about failed extractions — a distraction that concealed the presence of genuine malicious objects buried deeper, including DLL, EXE, and LNK files. Ultimately, executables landed in %TEMP% or %LOCALAPPDATA%, while shortcuts were placed in the Windows startup folder. Upon the user’s next login, these shortcuts triggered the embedded malware, continuing the execution chain.

    ESET identified three distinct infection chains, each delivering different RomCom tools:

    • Mythic Agent — The Updater.lnk shortcut added the msedge.dll library to a registry key to hijack COM initialization. The DLL decrypted an AES-wrapped payload and executed it only if the machine’s domain matched a hardcoded value. This launched the Mythic agent, which connected to a C2 server, received commands, and downloaded additional modules.
    • SnipBot — The Display Settings.lnk shortcut launched ApbxHelper.exe, a modified PuTTY CAC binary with an invalid certificate. Before its active phase, it checked that at least 69 documents had been opened recently on the device. If the condition was met, it decrypted the next code block and retrieved further payloads from attacker-controlled servers.
    • MeltingClaw — The Settings.lnk shortcut executed Complaint.exe (aka RustyClaw), which loaded the MeltingClaw DLL. This component, in turn, downloaded and executed additional malicious modules from the operator’s infrastructure.

    RomCom — also tracked as Storm-0978 and Tropical Scorpius — is a seasoned cyber-espionage actor with a history of zero-day exploitation, previously abusing vulnerabilities in Firefox (CVE-2024-9680, CVE-2024-49039) and Microsoft Office (CVE-2023-36884). In parallel, Russian firm Bi.Zone reported another attack wave, “Paper Werewolf,” which also leveraged CVE-2025-8088 and CVE-2025-6218.

    ESET has published a complete list of Indicators of Compromise (IoCs) for RomCom’s latest campaigns on GitHub. WinRAR developer RarLab stated they had no detailed information on the in-the-wild exploitation mechanics and had received no user reports of such incidents, obtaining only the technical data needed to produce a fix.

    The situation is compounded by the fact that WinRAR still lacks an automatic update feature. Users must manually download and install version 7.13 from the official website to secure their systems. Although native RAR support was added to Windows in 2023, it is limited to newer builds and lacks the functionality of WinRAR, prompting both individuals and organizations to continue relying on the archiver — making it a lucrative target for attackers.