VMware Aria Operations RCE Flaw Exploited in Attacks
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a VMware Aria Operations vulnerability, CVE-2026-22719, to its Known Exploited Vulnerabilities catalog, indicating it is being exploited in attacks. The flaw, patched on February 24, 2026, allows unauthenticated attackers to execute arbitrary commands on vulnerable systems. Federal agencies must address the issue by March 24, 2026. The vulnerability impacts VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x (fixed in version 9.0.2.0) and VMware Aria Operations 8.x (fixed in version 8.18.6). Broadcom has acknowledged reports of exploitation but cannot confirm them independently. A temporary workaround script, 'aria-ops-rce-workaround.sh,' is available for organizations unable to apply patches immediately.
Timeline
- 04.03.2026 01:40 (2 articles)
CISA Adds VMware Aria Operations RCE Flaw to KEV Catalog
CISA has added CVE-2026-22719, a command injection vulnerability in VMware Aria Operations, to its Known Exploited Vulnerabilities catalog. The flaw, patched on February 24, 2026, is being exploited in attacks. Federal agencies must address the issue by March 24, 2026. The vulnerability impacts VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x (fixed in version 9.0.2.0) and VMware Aria Operations 8.x (fixed in version 8.18.6). Broadcom has acknowledged reports of exploitation but cannot confirm them independently. A temporary workaround script, 'aria-ops-rce-workaround.sh,' is available for organizations unable to apply patches immediately.
Sources
- CISA flags VMware Aria Operations RCE flaw as exploited in attacks — www.bleepingcomputer.com — 04.03.2026 01:40
- CISA Adds Actively Exploited VMware Aria Operations Flaw CVE-2026-22719 to KEV Catalog — thehackernews.com — 04.03.2026 06:35
Information Snippets
- CVE-2026-22719 is a command injection vulnerability in VMware Aria Operations. First reported: 04.03.2026 01:40 (2 sources, 2 articles).
- The flaw has a CVSS score of 8.1 and was patched on February 24, 2026. First reported: 04.03.2026 01:40 (2 sources, 2 articles).
- CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog. First reported: 04.03.2026 01:40 (2 sources, 2 articles).
- Federal agencies must address the flaw by March 24, 2026. First reported: 04.03.2026 01:40 (2 sources, 2 articles).
- Broadcom has acknowledged reports of exploitation but cannot confirm them independently. First reported: 04.03.2026 01:40 (2 sources, 2 articles).
- A temporary workaround script, 'aria-ops-rce-workaround.sh,' is available for organizations unable to apply patches immediately. First reported: 04.03.2026 01:40 (2 sources, 2 articles).
- CVE-2026-22719 impacts VMware Cloud Foundation and VMware vSphere Foundation 9.x.x.x, fixed in version 9.0.2.0. First reported: 04.03.2026 06:35 (1 source, 1 article).
- CVE-2026-22719 impacts VMware Aria Operations 8.x, fixed in version 8.18.6. First reported: 04.03.2026 06:35 (1 source, 1 article).
Similar Happenings
CVE-2024-37079 in VMware vCenter Exploited in the Wild
CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.
Unauthenticated access vulnerability in Oracle E-Business Suite Configurator
A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.
UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024
A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and a ConnectWise ScreenConnect flaw. The exploitation of CVE-2025-41244 is considered trivial, potentially benefiting multiple malware strains. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement involving UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high. On October 31, 2025, CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog. FCEB agencies have until November 20, 2025, to patch their systems. CISA urged all organizations to prioritize patching this vulnerability.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco's SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software. Cybersecurity researchers have disclosed details of a new campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400, 9300, and legacy 3750G series devices, and involved the exploitation of a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access. The rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space.
The attacks singled out victims running older Linux systems without endpoint detection and response (EDR) solutions, using spoofed IP and MAC addresses. The rootkit sets a universal password that includes the word "disco", created by modifying IOSd memory, and the malware installs several hooks onto the IOSd; the fileless components disappear after a reboot yet still enable lateral movement in the meantime. Newer switch models provide some protection via Address Space Layout Randomization (ASLR). The campaign used a UDP controller on infected switches to toggle logs, bypass authentication, and conceal configuration changes. The rootkit granted several covert capabilities: acting as a UDP listener on any port for remote commands, hiding running-config items such as account names, EEM scripts, and ACLs, bypassing VTY ACLs, resetting the last running-config write timestamp, and toggling or deleting device logs. The attacks against 32-bit builds included an SNMP exploit that split command payloads across packets. For 64-bit targets, attackers needed guest shell access at level 15 to install a fileless backdoor and use a UDP controller for remote management. Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms. Cisco provided forensic support that helped confirm the affected models (9400 series, 9300 series, and legacy 3750G) and assisted the investigation. The attacks also involved a Telnet variant used to permit arbitrary memory access.
Cisco has also patched a vulnerability in its Identity Services Engine (ISE) network access control solution, with public proof-of-concept exploit code, that can be abused by attackers with admin privileges. The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices. Cisco strongly recommends upgrading to fixed software releases to fully address the vulnerability. Cisco also addressed multiple IOS XE vulnerabilities that allow unauthenticated, remote attackers to restart the Snort 3 Detection Engine. Cisco warned customers in December that a Chinese threat group tracked as UAT-9686 is exploiting a maximum-severity Cisco AsyncOS zero-day (CVE-2025-20393), which is still awaiting a patch, in attacks targeting Secure Email and Web Manager (SEWM) and Secure Email Gateway (SEG) appliances.
SAP S/4HANA Command Injection Vulnerability CVE-2025-42957 Exploited in the Wild
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and Private Cloud editions of SAP S/4HANA. The flaw was patched in SAP's August 2025 updates, but exploitation has been observed. SecurityBridge Threat Research Labs, BleepingComputer, and Pathlock have reported active exploitation. Organizations are advised to apply patches, monitor logs for suspicious RFC calls or new admin users, implement SAP's Unified Connectivity framework (UCON) to restrict RFC usage, and take additional security measures to mitigate the risk.