The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of flaws is as follows –
- CVE-2014-3931 (CVSS score: 9.8) – A buffer overflow vulnerability in Multi-Router Looking Glass (MRLG) that could allow remote attackers to cause an arbitrary memory write and memory corruption
- CVE-2016-10033 (CVSS score: 9.8) – A command injection vulnerability in PHPMailer that could allow an attacker to execute arbitrary code within the context of the application or result in a denial-of-service (DoS) condition
- CVE-2019-5418 (CVSS score: 7.5) – A path traversal vulnerability in Ruby on Rails' Action View that could cause the contents of arbitrary files on the target system's file system to be exposed
- CVE-2019-9621 (CVSS score: 7.5) – A Server-Side Request Forgery (SSRF) vulnerability in the Zimbra Collaboration Suite that could result in unauthorized access to internal resources and remote code execution
There are currently no public reports on how the first three vulnerabilities are being exploited in real-world attacks. The abuse of CVE-2019-9621, on the other hand, was attributed by Trend Micro to a China-linked threat actor known as Earth Lusca in September 2023 to drop web shells and Cobalt Strike.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the necessary updates by July 28, 2025, to secure their networks.
Technical Details of Citrix Bleed 2 Out
The development comes as watchTowr Labs and Horizon3.ai have released technical analyses for a critical security flaw in Citrix NetScaler ADC (CVE-2025-5777, aka Citrix Bleed 2), which is assessed to have come under active exploitation.
“We're seeing active exploitation of both CVE-2025-5777 and CVE-2025-6543 in the wild,” watchTowr CEO Benjamin Harris told The Hacker News. “This vulnerability allows reading of memory, which we believe attackers are using to read sensitive information (for example, information sent within HTTP requests that is then processed in-memory), credentials, valid Citrix session tokens, and more.”
The findings show that it is possible to send a login request to the "/p/u/doAuthentication.do" endpoint and cause it (and other endpoints susceptible to the flaw) to reflect the user-supplied login value in the response, regardless of success or failure.
Horizon3.ai noted that the vulnerability could be used to leak roughly 127 bytes of data via a specially crafted HTTP request with a modified "login=" parameter lacking an equals sign or value, thereby making it possible to extract session tokens or other sensitive information.
The shortcoming, watchTowr explained, stems from the use of the snprintf function together with a format string containing the "%.*s" specifier.
“The %.*s format tells snprintf: ‘Print up to N characters, or stop at the first null byte (\0) – whichever comes first.’ That null byte eventually appears somewhere in memory, so while the leak doesn't run indefinitely, you still get a handful of bytes with each invocation,” the company said.
“So, every time you hit that endpoint without the =, you pull more uninitialized stack data into the response. Repeat it enough times, and eventually, you'll land on something valuable.”
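The snprintf behaviour watchTowr describes, as an added C example that is not from the article, watchTowr, Horizon3.ai or Citrix: a form-field echo handler in the vulnerable shape (buffer and precision carry stale values, the parse result is ignored) beside the hardened shape. The names parse_login, reflect_login_unsafe, reflect_login_safe and the STALE_STACK marker are constructed for this demonstration; the marker stands in for the unpredictable leftover stack bytes a real uninitialised buffer would hold, so the run is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 128

/* Constructed stand-in for whatever an earlier request left on the stack.
 * A real uninitialised buffer holds unpredictable bytes; this fixed marker
 * keeps the demonstration deterministic. */
static const char STALE_STACK[] = "stale:session-token-from-previous-request";

/* Copy the value of the "login" form field out of `query`.
 * Returns 1 when "login=<value>" is present, 0 when "login" appears with no
 * '=' and -1 when the field is absent. In the 0 and -1 cases neither
 * `value` nor `*len` is written: that is the gap the unsafe caller falls into. */
static int parse_login(const char *query, char *value, int *len)
{
    const char *p = strstr(query, "login");
    if (p == NULL)
        return -1;
    p += strlen("login");
    if (*p != '=')
        return 0;
    p++;
    const char *end = strchr(p, '&');
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n >= VALUE_MAX)
        n = VALUE_MAX - 1;
    memcpy(value, p, n);
    value[n] = '\0';
    *len = (int)n;
    return 1;
}

/* Vulnerable shape: buffer and precision are whatever was left behind
 * (simulated below), the parse result is ignored, and "%.*s" then prints up
 * to `len` bytes of the buffer, stopping at the first NUL. */
int reflect_login_unsafe(const char *query, char *out, size_t outsz)
{
    char value[VALUE_MAX];
    int len = VALUE_MAX;                             /* simulated stale precision  */
    memcpy(value, STALE_STACK, sizeof STALE_STACK);  /* simulated stale stack bytes */
    parse_login(query, value, &len);
    return snprintf(out, outsz, "login: %.*s", len, value);
}

/* Hardened shape: buffer and length start out defined, and a field with no
 * value is reflected as empty rather than as leftover memory. */
int reflect_login_safe(const char *query, char *out, size_t outsz)
{
    char value[VALUE_MAX] = {0};
    int len = 0;
    if (parse_login(query, value, &len) != 1) {
        value[0] = '\0';
        len = 0;
    }
    return snprintf(out, outsz, "login: %.*s", len, value);
}

int main(void)
{
    /* Constructed requests: one with a value, one with a bare "login". */
    const char *queries[] = { "login=alice&passwd=x", "login&passwd=x" };
    char out[256];
    for (size_t i = 0; i < 2; i++) {
        reflect_login_unsafe(queries[i], out, sizeof out);
        printf("unsafe  %-22s -> \"%s\"\n", queries[i], out);
        reflect_login_safe(queries[i], out, sizeof out);
        printf("safe    %-22s -> \"%s\"\n", queries[i], out);
    }
    return 0;
}
```

Two things make the hardened version hold: the buffer and length are defined before any parsing, and the precision handed to %.*s is only ever derived from bytes the parser actually copied. Zero-initialising the buffer alone would not be enough if a stale length could still reach the format call, and a detection-side corollary is that a reflected field longer than what the client sent is itself a signal worth alerting on.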