Random in Security is a summary of recent cybersecurity news.
Vulnerabilities
CVE-2025-27364 - RCE in MITRE Caldera
MITRE disclosed a critical remote code execution vulnerability (CVE-2025-27364) in Caldera, its open-source adversary emulation platform. The flaw sits in the server's dynamic agent compilation feature: an unauthenticated, crafted web request to the endpoint that compiles and serves the Sandcat or Manx agent can pass attacker-controlled gcc linker flags (-extldflags), whose sub-commands run as shell commands on the Caldera host. It affects versions through 4.2.0 and 5.0.0 before the fixing commit (shipped in release 5.1.0). The bug was responsibly reported and promptly patched, and exposure is limited to reachable Caldera servers, but it is a reminder that offensive tooling is itself an attack surface and should not be exposed in production-like environments.
Interesting Reads
DogWifTool compromised to drain wallets
Two Solana-based tools, Pump.fun's trading UI and the open-source dogwiftool, were compromised in targeted supply chain attacks. Malicious code was injected into dogwiftool to capture private keys and drain connected wallets, while Pump.fun briefly served a version that redirected users to a wallet-draining site. The attack led to over $1 million in losses before being contained. Rekt published a nice follow-up article:
In crypto’s eternal dance of predator and prey, the food chain wraps around faster than a leveraged position getting liquidated.
CVE-2024-29510 – Exploiting Ghostscript using format strings
Researchers at Codean Labs discovered a critical format string vulnerability in Ghostscript (versions up to and including 10.03.0; fixed in 10.03.1), a widely used document conversion tool, that allows attackers to bypass the -dSAFER sandbox and achieve remote code execution.
By exploiting a format string in the “uniprint” device’s configuration, they developed a technique to read and write arbitrary memory locations, ultimately allowing them to disable Ghostscript’s security protections and execute shell commands.
This vulnerability has significant implications for web applications and services that use Ghostscript for document preview and conversion, potentially exposing systems to remote attacks through maliciously crafted files. Additional research covers abusing Ghostscript’s OCR device and a comprehensive wrap-up on buffer overflows in the software.
CVE-2021-4440 and the Limits of the CNA System
grsecurity published a detailed case study dissecting how CVE-2021-4440, a relatively minor bug in Linux's ptrace handling, was assigned and publicized through the CVE system. The article critiques the process, arguing that the CNA (CVE Numbering Authority) model, here the Linux kernel's own CNA, enables bias, inconsistent triage, and even reputational manipulation. It also explores how CVEs can be inflated, selectively assigned, or wielded strategically in vendor disputes. As more organizations rely on CVEs for patching, compliance, and reputation, the integrity of the system matters.
Snake Oil: On Security, Meaning, and Marketing
The blog post by Kristian Köhntopp is a sharp critique of the current state of security software, highlighting repeated and systemic failures by major vendors like Fortinet and Ivanti. Fortinet had multiple severe security flaws (CVSS 9.6–9.8) within days, including format string bugs and out-of-bounds writes — vulnerabilities that modern development tools should catch. Köhntopp argues that security products (like antivirus and DLP tools) often introduce more risk than they prevent. He cites examples like Trend Micro and Websense shipping outdated binaries, exploitable modules, and software lacking basic protections like ASLR.
SSH Protocol Flaw CVE-2023-48795 Terrapin Attack: All You Need To Know
The Terrapin attack (CVE-2023-48795) is a prefix truncation attack on the SSH protocol: a man-in-the-middle who can inject and drop packets during the handshake can delete the first messages of the encrypted session without either side noticing, because the sequence numbers that protect message integrity were never bound to the handshake transcript.
By injecting an ignored message before encryption starts and then stripping the server's EXT_INFO message, the attacker can downgrade the public-key signature algorithms offered for client authentication and disable the keystroke timing obfuscation added in OpenSSH 9.5. The attack only works when ChaCha20-Poly1305 or a CBC-mode cipher combined with an Encrypt-then-MAC MAC is negotiated.
The vulnerability affects many SSH client and server implementations, including OpenSSH, and is mitigated by updating both peers to versions that implement the "strict kex" countermeasure (OpenSSH 9.6 and later), or by disabling chacha20-poly1305@openssh.com and CBC ciphers paired with -etm@openssh.com MACs.
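To make the negotiation conditions concrete, the following added example (not code from the Terrapin researchers or from OpenSSH) builds and parses an SSH_MSG_KEXINIT payload as defined in RFC 4253 and reports whether one side offers a Terrapin-exposed combination and whether it advertises the strict-kex pseudo-algorithms (kex-strict-s-v00@openssh.com for servers, kex-strict-c-v00@openssh.com for clients). The sample algorithm lists and the all-zero cookie are constructed for determinism; a real peer sends a random cookie.

```python
"""Parse an SSH_MSG_KEXINIT payload and report Terrapin (CVE-2023-48795) exposure."""
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)
# Pseudo-algorithms in the kex list that signal strict-kex support.
STRICT_KEX_EXT = {"server": "kex-strict-s-v00@openssh.com",
                  "client": "kex-strict-c-v00@openssh.com"}


def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated names."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Construct a KEXINIT payload offering the same lists in both directions.
    The 16-byte cookie is fixed to zeros here (constructed sample, not a real peer)."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += _name_list(names)
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # skip message id and cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length]
        if len(raw) != length:
            raise ValueError("truncated name-list %s" % name)
        off += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields


def terrapin_exposure(kexinit, role):
    """Classify one peer's KEXINIT; 'role' is who sent it ('server' or 'client').

    Terrapin needs (a) ChaCha20-Poly1305, or a CBC cipher together with an
    Encrypt-then-MAC MAC, to be negotiated and (b) both peers lacking strict kex.
    One KEXINIT only shows this side's support, so 'exploitable' means: exploitable
    unless the other side refuses to continue without strict kex."""
    strict = STRICT_KEX_EXT[role] in kexinit["kex"]
    modes = []
    for direction in ("c2s", "s2c"):
        encs = kexinit["enc_" + direction]
        macs = kexinit["mac_" + direction]
        if "chacha20-poly1305@openssh.com" in encs:
            modes.append((direction, "chacha20-poly1305@openssh.com", None))
        cbc = [c for c in encs if c.endswith("-cbc")]
        etm = [m for m in macs if m.endswith("-etm@openssh.com")]
        for c in cbc:
            for m in etm:
                modes.append((direction, c, m))
    return {"strict_kex": strict, "vulnerable_modes": modes,
            "exploitable": bool(modes) and not strict}


if __name__ == "__main__":
    # Constructed: a pre-9.6 style server still offering ChaCha20 and CBC+ETM.
    legacy = build_kexinit(
        kex=["curve25519-sha256", "diffie-hellman-group14-sha256"],
        hostkey=["ssh-ed25519", "rsa-sha2-512"],
        enc=["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
        mac=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    )
    print(terrapin_exposure(parse_kexinit(legacy), "server"))
    # Constructed: AES-GCM only and strict kex advertised.
    hardened = build_kexinit(
        kex=["curve25519-sha256", "kex-strict-s-v00@openssh.com"],
        hostkey=["ssh-ed25519"],
        enc=["aes256-gcm@openssh.com", "aes128-gcm@openssh.com"],
        mac=["hmac-sha2-256-etm@openssh.com"],
    )
    print(terrapin_exposure(parse_kexinit(hardened), "server"))
```

Feeding the parser a real server's KEXINIT (captured with tcpdump or taken from `ssh -vvv` output) gives the same verdict a Terrapin scanner would: the presence of the strict-kex marker is what matters, since removing ChaCha20 alone does not help a peer that still offers CBC with an -etm MAC.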
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)
The Palo Alto GlobalProtect vulnerability (CVE-2024-3400, CVSS 10.0) is a command injection in PAN-OS that lets an unauthenticated attacker execute arbitrary code as root on firewalls with a GlobalProtect gateway or portal configured. It chains two bugs: a path traversal in the SESSID cookie value lets the attacker create an empty file with an arbitrary name anywhere on the device, and the device-telemetry job later embeds that file name in a shell command, so a crafted name gets executed. Palo Alto initially listed device telemetry as a precondition and later clarified that it is not required for exploitation. Affected versions are PAN-OS 10.2, 11.0 and 11.1; the flaw was exploited as a zero-day before hotfixes shipped and poses a significant risk to organizations running Palo Alto Networks firewalls.
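Palo Alto's own triage guidance was to grep the GlobalProtect service log (`mp-log gpsvc.log*` on the firewall CLI) for `failed to unmarshal session(../`, because the traversal sent in the SESSID cookie is echoed back in that error. The following added detection script (my example, not Palo Alto's or the blog's code) applies that check to log lines and also flags any session value that is not a plain hex id. The log lines are constructed to illustrate the two shapes of the message, not copied from a real device.

```python
"""Hunt for CVE-2024-3400 exploitation attempts in PAN-OS gpsvc.log lines."""
import re

# The error GlobalProtect logs when a SESSID cookie does not resolve to a session.
# Benign failures carry a hex session id; exploit attempts leak the traversal path.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sessid>[^)]*)\)")
# Legitimate session ids are hex, possibly dash-separated.
SESSID_OK_RE = re.compile(r"^[0-9a-fA-F-]+$")
# Directory the telemetry job reads from; files dropped here get their names
# interpolated into a shell command (stage two of the exploit chain).
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"


def classify_sessid(sessid):
    """Return None for a benign-looking session id, otherwise a short reason."""
    if "../" in sessid or sessid.startswith("/"):
        hint = " (targets device-telemetry dir)" if TELEMETRY_DIR in sessid else ""
        return "path traversal in SESSID" + hint
    if not SESSID_OK_RE.match(sessid):
        return "non-hex session id"
    return None


def scan_gpsvc_log(lines):
    """Return [(line_no, sessid, reason)] for every suspicious unmarshal failure."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = UNMARSHAL_RE.search(line)
        if not m:
            continue
        reason = classify_sessid(m.group("sessid"))
        if reason:
            hits.append((n, m.group("sessid"), reason))
    return hits


# Constructed sample (not real logs): a benign failure, an exploit attempt, noise.
SAMPLE_LOG = [
    "2024-04-12 03:14:07 gpsvc: failed to unmarshal session(0f2d9c7e3a5b4c1d8e6f7a9b0c1d2e3f): invalid session",
    "2024-04-12 03:14:09 gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/hello): no such session",
    "2024-04-12 03:15:00 gpsvc: user alice authenticated from 203.0.113.7",
]

if __name__ == "__main__":
    for line_no, sessid, reason in scan_gpsvc_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (line_no, reason, sessid))
```

A hit proves only an attempt; confirming success means checking whether the named file appeared under the telemetry directory and what the telemetry job did with it. Palo Alto also noted that a log line with a traversal path is evidence of an attempt even on devices where telemetry was turned off.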
CVE-2023-24871 - intro & vulnerability description
CVE-2023-24871 is a vulnerability in the Windows Bluetooth stack affecting multiple modules like bthport.sys and Microsoft.Bluetooth.Service.dll.
The vulnerability is an integer overflow in the BthLeLib_ADValidateBasic function that can lead to out-of-bounds memory writes when parsing Bluetooth Low Energy (BLE) advertisement data with more than 255 sections.
This vulnerability potentially allows for both remote code execution (RCE) and local privilege escalation (LPE) by an attacker who can craft malicious Bluetooth advertisement packets.
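The description above is the classic shape of a length-counting overflow: a validator tallies advertisement sections into a byte-wide field, the caller sizes a buffer from that count, and a real walk of the data then writes past it. The following added example models that bug class in Python; it is my illustration, not Microsoft's bthport.sys code, and the 8-bit counter, the table-copy caller and the 2-byte sections are assumptions made to show the wrap at 256 sections. BLE AD structures are [length][type][data...] with length covering type plus data, which the parser follows.

```python
"""Model of the CVE-2023-24871 bug class: an 8-bit count of BLE advertisement
sections sizes a table that the full parse then overruns."""


class OutOfBoundsWrite(Exception):
    """Stands in for the silent memory corruption a C implementation would suffer."""


def iter_ad_structures(payload):
    """Walk BLE AD structures: [len][type][data...], len covers type + data.
    A zero length byte ends the list (padding); a length past the buffer is malformed."""
    off = 0
    while off < len(payload):
        length = payload[off]
        if length == 0:
            break
        if off + 1 + length > len(payload):
            raise ValueError("AD structure overruns buffer at offset %d" % off)
        ad_type = payload[off + 1]
        data = payload[off + 2: off + 1 + length]
        yield ad_type, data
        off += 1 + length


def count_sections_u8(payload):
    """Vulnerable validator (assumed shape): counts sections in a UINT8,
    so 256 sections wrap to 0 and 300 wrap to 44."""
    count = 0
    for _ in iter_ad_structures(payload):
        count = (count + 1) & 0xFF
    return count


MAX_SECTIONS = 255  # the most a byte-wide count can represent


def count_sections_checked(payload):
    """Hardened validator: full-width count, and reject what the caller cannot size."""
    count = sum(1 for _ in iter_ad_structures(payload))
    if count > MAX_SECTIONS:
        raise ValueError("too many AD sections: %d" % count)
    return count


def copy_sections(payload, validator):
    """Caller pattern: size a fixed table from the validator's count, then copy every
    parsed section into it. With the u8 count the loop runs past the table."""
    table = [None] * validator(payload)
    for i, section in enumerate(iter_ad_structures(payload)):
        if i >= len(table):
            raise OutOfBoundsWrite("write to slot %d of a %d-slot table" % (i, len(table)))
        table[i] = section
    return table


def make_adv(n_sections, ad_type=0xFF):
    """Constructed extended-advertising payload of n minimal 2-byte sections
    (len=1, type only, no data); legacy 31-byte advertising cannot reach 256."""
    return bytes([1, ad_type]) * n_sections


if __name__ == "__main__":
    legacy = make_adv(15)                      # fits a 31-byte legacy PDU
    print(len(copy_sections(legacy, count_sections_u8)), "sections copied")
    crafted = make_adv(256)                    # needs extended advertising
    print("u8 count for 256 sections:", count_sections_u8(crafted))
    try:
        copy_sections(crafted, count_sections_u8)
    except OutOfBoundsWrite as e:
        print("vulnerable path:", e)
    try:
        copy_sections(crafted, count_sections_checked)
    except ValueError as e:
        print("hardened path rejects input:", e)
```

Reaching more than 255 sections requires extended advertising payloads, which is why the bug sits in the BLE advertisement path rather than legacy 31-byte advertising; the same counting mistake is worth looking for in any parser that validates a list in one pass and consumes it in another.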
The Bybit Incident: When Research Meets Reality - Check Point Research
On February 21, 2025, Check Point's Blockchain Threat Intel System detected a critical attack on the Ethereum blockchain in which attackers gained unauthorized access to a Bybit multisig wallet, stealing approximately $1.5 billion in digital assets, mostly ETH and liquid-staked ETH. The breach manipulated the Safe protocol's infrastructure and user interface so that the signers approved what looked like a routine transfer; the execTransaction call they signed instead handed control of the wallet to the attackers. This incident is one of the largest thefts in digital asset history and challenges previous assumptions about crypto security by demonstrating that even multisig cold wallets can be compromised through UI manipulation of the signing flow.
An inside look at NSA (Equation Group) TTPs from China's lens
According to Chinese cybersecurity firms Qihoo 360 and CVERC, the NSA’s Equation Group (APT-C-40) allegedly conducted a sophisticated cyberattack on Northwestern Polytechnical University in 2022, using over 40 unique malware tools and techniques like the FOXACID browser exploitation platform and SECONDDATE network hijacking tool. The attack focused on edge network devices, used multiple jump servers across 17 countries, and employed advanced persistence and lateral movement techniques to steal research data, with investigators tracing the attack through detailed analysis of operational patterns, tool signatures, and human errors.
16 Malicious Chrome Extensions Infected Over 3.2 Million Users
In February 2025, GitLab Threat Intelligence discovered 16 malicious Chrome extensions that infected over 3.2 million users worldwide. These extensions, disguised as screen capture tools and ad blockers, stripped browser security protections, hijacked user sessions, and manipulated browsing behavior through advertising fraud and search engine optimization tactics. By disabling Content Security Policy headers and injecting obfuscated scripts, the extensions could redirect traffic, harvest browsing histories, and potentially expose user credentials.
Cellebrite zero-day exploit used to target phone of Serbian student activist
Amnesty International's Security Lab uncovered a Cellebrite zero-day exploit chain used to unlock the phone of a Serbian student activist. The chain targeted Android USB kernel drivers (including CVE-2024-53104 in the USB Video Class driver), bugs that potentially affect over a billion devices: emulated USB devices with specific quirks were connected over the charging port to corrupt kernel memory and gain root access, exposing weaknesses in Linux kernel device drivers that process untrusted peripherals. This incident highlights ongoing concerns about digital surveillance tools being misused against civil society, and Cellebrite subsequently suspended product use by "relevant customers" in Serbia. GrapheneOS also provided additional analysis of the implications for Android security.
Tools
- vulnerability-lookup/vulnerability-lookup - Vulnerability-Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD). (Vulnerability-Lookup)
- cve-search/cpe-guesser/ - Tool to guess CPE name based on common software name
- Geacon - Practice Go programming and implement CobaltStrike’s Beacon in Go
- geacon_plus - CobaltStrike beacon written in golang
- Ransomwhere - A PoC ransomware sample to test out your ransomware response strategy.